Exploit And Vulnerability Intelligence

Package URL Detections

VulnCheck Exploit & Vulnerability Intelligence supports detecting a wide range of concerns for both Open Source Software library packages and Operating System packages.

The VulnCheck research team is continuously hunting for new and dangerous behavior in the package management ecosystems. VulnCheck Exploit & Vulnerability Intelligence supports the following detection types for querying by Package URLs:

  1. Vulnerabilities
  2. Licenses
  3. Malicious Package
  4. Abandoned Package
  5. Hijackable Repository
  6. Typosquatting

The following subsections describe the research attributes beyond Vulnerabilities and Licenses: what each one means and what it looks like in a response.

Malicious Package

The malicious attribute is used when a package is known to contain malicious content. When possible, VulnCheck attaches a source reference to indicate why we believe the package is malicious.

{
 "_benchmark": 0.047808,
 "_meta": {
   "purl_struct": {
     "type": "npm",
     "namespace": "",
     "name": "aliyundrive",
     "version": "6.0.4",
     "qualifiers": null,
     "subpath": ""
   },
   "timestamp": "2023-12-01T20:11:54.921991593Z",
   "total_documents": 2
 },
 "data": {
   "cves": [],
   "research_attributes": {
     "is_malicious": true,
     "malicious_source": "https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"
   }
 }
}

The malicious tag is currently supported by gem, npm, nuget, and pypi.

Abandoned Package

The abandoned attribute is set when a package's source repository no longer exists. This strongly indicates that the package will no longer receive any updates.

{
 "_benchmark": 0.050773,
 "_meta": {
   "purl_struct": {
     "type": "golang",
     "namespace": "github.com/paysuper",
     "name": "paysuper-reporter",
     "version": "v1.4.2",
     "qualifiers": null,
     "subpath": ""
   },
   "timestamp": "2023-12-01T20:08:09.215541236Z",
   "total_documents": 1
 },
 "data": {
   "cves": [],
   "research_attributes": {
     "abandoned": true
   }
 }
}

The abandoned attribute is currently supported by golang.

Hijackable Repository

The hijackable repository tag is set when a package's source repository is vulnerable to repojacking. This can be particularly dangerous, because an attacker may be able to introduce malicious code in an update.

{
 "_benchmark": 0.040295,
 "_meta": {
   "purl_struct": {
     "type": "golang",
     "namespace": "github.com/zerobounty",
     "name": "tile38-client",
     "version": "v0.10.2",
     "qualifiers": null,
     "subpath": ""
   },
   "timestamp": "2023-12-01T20:09:49.124292153Z",
   "total_documents": 1
 },
 "data": {
   "cves": [],
   "research_attributes": {
     "repo_hijackable": true
   }
 }
}

The hijackable repository tag is currently supported by golang.

Typosquatting

The typosquatting tag is set when the research team observes a package that is a slightly mistyped variation of a popular package. These packages are often malicious or will be updated with malicious content at a later date. The typosquatting tag indicates the repository the package is attempting to squat.

{
 "_benchmark": 0.03596,
 "_meta": {
   "purl_struct": {
     "type": "gem",
     "namespace": "",
     "name": "activmodel",
     "version": "5.2.1",
     "qualifiers": null,
     "subpath": ""
   },
   "timestamp": "2023-12-01T20:36:40.01706222Z",
   "total_documents": 1
 },
 "data": {
   "cves": [],
   "research_attributes": {
     "squatted_package": "activemodel"
   }
 }
}

The typosquatting attribute is supported by gem, golang, npm, nuget, and pypi.
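As an added example (not VulnCheck's own code), the following Python turns a PURL response of the shape shown above into a policy verdict for a dependency gate: malicious and typosquatting attributes block, while hijackable and abandoned repositories (and any listed CVEs) warn. The block/warn policy, the purl_from_struct helper (which ignores qualifiers and subpath) and the inline sample documents are assumptions constructed for the example.

```python
import json

# Constructed sample responses in the shape of the PURL lookups shown above
# (values copied from the page's examples; not live API output).
TYPOSQUAT = json.dumps({
    "_meta": {"purl_struct": {"type": "gem", "namespace": "", "name": "activmodel",
                              "version": "5.2.1", "qualifiers": None, "subpath": ""}},
    "data": {"cves": [], "research_attributes": {"squatted_package": "activemodel"}},
})
ABANDONED = json.dumps({
    "_meta": {"purl_struct": {"type": "golang", "namespace": "github.com/paysuper",
                              "name": "paysuper-reporter", "version": "v1.4.2",
                              "qualifiers": None, "subpath": ""}},
    "data": {"cves": [], "research_attributes": {"abandoned": True}},
})

def purl_from_struct(s):
    """Rebuild a pkg: URL from purl_struct (qualifiers and subpath ignored; assumption)."""
    path = "/".join(p for p in (s.get("namespace"), s["name"]) if p)
    return f"pkg:{s['type']}/{path}@{s['version']}"

# Policy mapping (assumption): which research attributes block outright and which only warn.
BLOCKING = {"is_malicious": "known malicious package",
            "squatted_package": "typosquat of a popular package"}
WARNING = {"repo_hijackable": "source repository can be repojacked",
           "abandoned": "source repository no longer exists"}

def evaluate(raw):
    """Return the PURL, a verdict (allow/warn/block) and the reasons for one response."""
    doc = json.loads(raw)
    attrs = doc.get("data", {}).get("research_attributes") or {}
    cves = doc.get("data", {}).get("cves") or []
    reasons = []
    for key, why in BLOCKING.items():
        if attrs.get(key):
            # Attach the evidence the response carries: the source link or the squatted name.
            detail = attrs.get("malicious_source") if key == "is_malicious" else attrs[key]
            reasons.append(("block", f"{why}: {detail}" if isinstance(detail, str) else why))
    for key, why in WARNING.items():
        if attrs.get(key):
            reasons.append(("warn", why))
    if cves:
        reasons.append(("warn", f"{len(cves)} known CVE(s)"))
    levels = {lvl for lvl, _ in reasons}
    verdict = "block" if "block" in levels else "warn" if "warn" in levels else "allow"
    return {"purl": purl_from_struct(doc["_meta"]["purl_struct"]),
            "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    for sample in (TYPOSQUAT, ABANDONED):
        print(json.dumps(evaluate(sample)))
```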