Package URL Detections
VulnCheck Exploit & Vulnerability Intelligence supports detecting a wide range of concerns for both Open Source Software library packages and Operating System packages.
VulnCheck Exploit & Vulnerability Intelligence supports detecting a wide range of concerns for both Open Source Software library packages and Operating System packages.
The VulnCheck research team is continuously hunting for new and dangerous behavior in the package management ecosystems. VulnCheck Exploit & Vulnerability Intelligence supports the following detection types for querying by Package URLs:
- Vulnerabilities
- Licenses
- Malicious Package
- Abandoned Package
- Hijackable Repository
- Typosquatting
Beyond Vulnerabilities and Licenses, in the following subsections, we will describe what these research attributes mean and what they look like.
Malicious Package
The malicious attribute is used when a package is known to contain malicious content. When possible, VulnCheck attaches a source reference to indicate why we believe the package is malicious.
{
"_benchmark": 0.047808,
"_meta": {
"purl_struct": {
"type": "npm",
"namespace": "",
"name": "aliyundrive",
"version": "6.0.4",
"qualifiers": null,
"subpath": ""
},
"timestamp": "2023-12-01T20:11:54.921991593Z",
"total_documents": 2
},
"data": {
"cves": [],
"research_attributes": {
"is_malicious": true,
"malicious_source": "https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"
}
}
}
The malicious tag is currently supported by gem, npm, nuget, pypi.
Abandoned Package
The abandoned attribute is for when a package's source repository no longer exists. This is highly indicative that the package will no longer receive any updates.
{
"_benchmark": 0.050773,
"_meta": {
"purl_struct": {
"type": "golang",
"namespace": "github.com/paysuper",
"name": "paysuper-reporter",
"version": "v1.4.2",
"qualifiers": null,
"subpath": ""
},
"timestamp": "2023-12-01T20:08:09.215541236Z",
"total_documents": 1
},
"data": {
"cves": [],
"research_attributes": {
"abandoned": true
}
}
}
The abandoned attribute is currently supported by golang.
Hijackable Repository
The hijackable repository tag is for when a package's source repository is vulnerable to repojacking. This can be a particularly dangerous, because an attacker may be able to introduce malicious code in an update.
{
"_benchmark": 0.040295,
"_meta": {
"purl_struct": {
"type": "golang",
"namespace": "github.com/zerobounty",
"name": "tile38-client",
"version": "v0.10.2",
"qualifiers": null,
"subpath": ""
},
"timestamp": "2023-12-01T20:09:49.124292153Z",
"total_documents": 1
},
"data": {
"cves": [],
"research_attributes": {
"repo_hijackable": true
}
}
}
The hijackable repository tag is currently supported by golang.
Typosquatting
The typosquatting tag is for when the research team observes a package that is a slight mis-typed variation of a popular package. These packages are often malicious or will be updated with malicious content at a later date. The typosquatting tag indicates the repository the package is attempting to squat.
{
"_benchmark": 0.03596,
"_meta": {
"purl_struct": {
"type": "gem",
"namespace": "",
"name": "activmodel",
"version": "5.2.1",
"qualifiers": null,
"subpath": ""
},
"timestamp": "2023-12-01T20:36:40.01706222Z",
"total_documents": 1
},
"data": {
"cves": [],
"research_attributes": {
"squatted_package": "activemodel"
}
}
}
The typosquatting attribute is supported by gem, golang, npm, nuget, and pypi.
Package Manager Support
VulnCheck Exploit & Vulnerability Intelligence supports a wide range of both Open Source Software library package managers and Operating System package managers.
End-of-Life Software
Leverage VulnCheck Exploit & Vulnerability Intelligence's End-of-Life software tracking to know if a host can no longer be patched.
