
A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

Results: 16 malicious-packages issues

Bumps the go-minor-updates group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go). Updates `cloud.google.com/go/storage` from 1.57.1 to 1.57.2 Release notes Sourced from cloud.google.com/go/storage's releases. storage 1.57.2 1.57.2 (2025-11-14) Features Bug Fixes Handle redirect on...

dependencies
go

Hey 👋 I'd like to discuss integrating [my collection](https://github.com/kam193/package-campaigns) of malicious PyPI packages with the OSSF dataset - especially if it makes sense to think about it. The dataset is...

WIP for doc changes for #1047 and #1034

Add a tool + workflow that regularly checks (new) malicious packages to see how impactful the report is. i.e. how many times it is downloaded, how many dependents, etc. This...

Added the CHARTER.md file to start the Malicious Packages upgrade to full OSSF project

## 🔍 Key Findings

### Suspicious Binary Files

- **Disguised Binary Executable** detected:
  - `ok/__init__.cp312-win_amd64.pyd` (2.7MB)
  - File classified as `application/vnd.microsoft.portable-executable` with extension `.exe`
  - Loaded at package import time...

This PR adds two PyPI packages, likely created by the same threat actor, that have already been removed by the PyPI security team. These packages are designed for web scraping...

We previously reported these three npm packages and their multiple versions as malicious:

- `pap-sdk`: [MAL-2024-11062](https://github.com/ossf/malicious-packages/blob/7b84995ea392098b58a75401c775bc586fba5ebf/osv/malicious/npm/pap-sdk/MAL-2024-11062.json)
- `rollup-plugin-hotreload`: [MAL-2024-11081](https://github.com/ossf/malicious-packages/blob/7b84995ea392098b58a75401c775bc586fba5ebf/osv/malicious/npm/rollup-plugin-hotreload/MAL-2024-11081.json)
- `soybean-admin-tab`: [MAL-2024-11098](https://github.com/ossf/malicious-packages/blob/7b84995ea392098b58a75401c775bc586fba5ebf/osv/malicious/npm/soybean-admin-tab/MAL-2024-11098.json)

When doing our own research it was concluded...

Please help us remove all captivate instances from npm: https://github.com/ossf/malicious-packages/tree/main/osv/malicious/npm/%40captivateiq. All of those listed there were just a test for security purposes; now there are no public captivateiq repos. Please...