
Malicious Package Detection

CodeStax scans your dependencies for known malicious packages and suspicious naming patterns that may indicate supply chain attacks.

What It Detects

Known Malicious Packages

CodeStax integrates with global threat intelligence databases to check your dependencies against known malicious packages. These are tracked under known malicious package advisories and include packages that contain malware, exfiltrate data, or execute unauthorized code during installation.

Typosquatting and Suspicious Naming Patterns

Advanced detection algorithms identify typosquatting, dependency confusion, and known malicious packages.

Risk Levels

Level        Meaning
Safe         No malicious indicators detected
Suspicious   Naming heuristics flagged a potential typosquat or unusual pattern
Dangerous    Package matches a known malicious package advisory

Checking for Malicious Packages

Malicious package detection is available via the API endpoint. You can query the API to check your dependencies:

  1. Call the malicious package check API endpoint for your repository
  2. Review any packages flagged as Dangerous or Suspicious in the response
  3. Inspect the detection reason and advisory details
  4. Take action — remove, replace, or verify the package

How to Respond to Alerts

  1. Dangerous — Remove the package immediately and audit your project for signs of compromise
  2. Suspicious — Verify the package is legitimate by checking its registry page, maintainer, and download count
  3. Safe — No action needed

CodeStax maintains a watchlist of high-value packages commonly targeted by typosquatting attacks, including lodash, express, react, axios, requests, flask, django, numpy, and pandas.
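As an added illustration of how the naming heuristics and risk levels above fit together (example code, not CodeStax's own detection logic or API), the following Python classifies dependency names into Safe, Suspicious and Dangerous: an exact match against a constructed, placeholder advisory list is Dangerous, a name one edit (including a swapped pair of letters) away from a watchlist package is Suspicious, and everything else is Safe.

```python
# Added example: rank dependency names with a typosquat heuristic against the
# high-value watchlist named on this page. Not CodeStax's own code.
from typing import Dict, Iterable, List

# Watchlist of high-value packages commonly targeted by typosquatting (from the page).
WATCHLIST = {"lodash", "express", "react", "axios", "requests", "flask", "django", "numpy", "pandas"}

# Constructed placeholder advisory list standing in for a threat-intelligence feed.
# The name here is invented for the example and is not a real advisory.
KNOWN_MALICIOUS = {"example-malicious-pkg"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, adjacent swap."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)  # transposition such as "lodahs"
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def normalize(name: str) -> str:
    # Registries treat case and '-' vs '_' loosely, so compare in a canonical form.
    return name.lower().replace("_", "-")


def classify(name: str) -> Dict[str, str]:
    canon = normalize(name)
    if canon in KNOWN_MALICIOUS:
        return {"package": name, "level": "Dangerous", "reason": "matches known malicious package advisory"}
    if canon in {normalize(w) for w in WATCHLIST}:
        return {"package": name, "level": "Safe", "reason": "exact watchlist package"}
    for target in WATCHLIST:
        if edit_distance(canon, target) == 1:
            return {"package": name, "level": "Suspicious", "reason": f"name within one edit of '{target}'"}
    return {"package": name, "level": "Safe", "reason": "no malicious indicators detected"}


def check_dependencies(names: Iterable[str]) -> List[Dict[str, str]]:
    """Classify every dependency and sort so Dangerous findings come first."""
    order = {"Dangerous": 0, "Suspicious": 1, "Safe": 2}
    return sorted((classify(n) for n in names), key=lambda r: order[r["level"]])


if __name__ == "__main__":
    # Constructed sample dependency list for demonstration.
    for row in check_dependencies(["lodash", "lodahs", "expres", "example-malicious-pkg", "pytest"]):
        print(row["level"].ljust(10), row["package"], "-", row["reason"])
```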

Best Practices

  1. Review Dangerous alerts immediately — These indicate confirmed malware in your dependency tree
  2. Audit Suspicious packages — A flagged package may be legitimate but deserves a second look
  3. Use lock files — Lock files prevent unexpected package substitution during installs
  4. Enable SCA scans on every PR — Catch malicious packages before they reach your main branch