Malicious Packages

Trusty uses external sources to identify malicious packages, and explicitly displays a flag for users so that they can avoid downloading them. Additionally, we will lower the overall Trusty score for any package that is known to be malicious.

Below is how we determine whether a package is malicious, based on its ecosystem:

Python (PyPI) packages:

• Malicious packages are flagged based on Datadog’s Malicious Software Packages dataset.

JavaScript (npm) packages:

• Malicious packages are flagged based on the OpenSSF’s Malicious Packages repo.

Java (Maven) packages:

• We are currently investigating methods to flag malicious Maven packages in our system.

Rust (crates) packages:

• We are currently investigating methods to flag malicious crates packages in our system.

Go packages:

• We are currently investigating methods to flag malicious Go packages in our system.