A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Add a tool + workflow that regularly checks (new) malicious packages to see how impactful the report is.
i.e. how many times it is downloaded, how many dependents, etc.
This will be useful for identifying when a high impact package is reported as malicious. This would be useful either if the result is newsworthy, and to protect against problematic false-positives.
Add a tool + workflow that regularly checks (new) malicious packages to see how impactful the report is.
i.e. how many times it is downloaded, how many dependents, etc.
This will be useful for identifying when a high impact package is reported as malicious. This would be useful either if the result is newsworthy, and to protect against problematic false-positives.