VulnCheck Exploit & Vulnerability Intelligence supports detecting a wide range of concerns for both Open Source Software library packages and Operating System packages.
The VulnCheck research team continuously hunts for new and dangerous behavior in the package management ecosystems, and VulnCheck Exploit & Vulnerability Intelligence exposes what it finds as detection types that can be queried by Package URL (purl).
Beyond Vulnerabilities and Licenses, the research attributes described in the following subsections are Malicious, Abandoned, Hijackable Repository, and Typosquatting; each subsection explains what the attribute means and shows what it looks like in a response.
The malicious attribute is set when a package is known to contain malicious content. When possible, VulnCheck attaches a source reference (malicious_source) indicating why the package is considered malicious.
{
  "_benchmark": 0.047808,
  "_meta": {
    "purl_struct": {
      "type": "npm",
      "namespace": "",
      "name": "aliyundrive",
      "version": "6.0.4",
      "qualifiers": null,
      "subpath": ""
    },
    "timestamp": "2023-12-01T20:11:54.921991593Z",
    "total_documents": 2
  },
  "data": {
    "cves": [],
    "research_attributes": {
      "is_malicious": true,
      "malicious_source": "https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"
    }
  }
}
The malicious attribute is currently supported for gem, npm, nuget, and pypi.
The abandoned attribute is set when a package's source repository no longer exists. This strongly indicates that the package will no longer receive any updates, including security fixes.
{
  "_benchmark": 0.050773,
  "_meta": {
    "purl_struct": {
      "type": "golang",
      "namespace": "github.com/paysuper",
      "name": "paysuper-reporter",
      "version": "v1.4.2",
      "qualifiers": null,
      "subpath": ""
    },
    "timestamp": "2023-12-01T20:08:09.215541236Z",
    "total_documents": 1
  },
  "data": {
    "cves": [],
    "research_attributes": {
      "abandoned": true
    }
  }
}
The abandoned attribute is currently supported for golang.
The hijackable repository attribute is set when a package's source repository is vulnerable to repojacking, that is, the account or repository name the package resolves to has been deleted or renamed and could be re-registered by someone else. This is particularly dangerous, because an attacker who controls the re-registered repository may be able to introduce malicious code in a future update.
{
  "_benchmark": 0.040295,
  "_meta": {
    "purl_struct": {
      "type": "golang",
      "namespace": "github.com/zerobounty",
      "name": "tile38-client",
      "version": "v0.10.2",
      "qualifiers": null,
      "subpath": ""
    },
    "timestamp": "2023-12-01T20:09:49.124292153Z",
    "total_documents": 1
  },
  "data": {
    "cves": [],
    "research_attributes": {
      "repo_hijackable": true
    }
  }
}
The hijackable repository attribute is currently supported for golang.
The typosquatting attribute is set when the research team observes a package whose name is a slightly misspelled variation of a popular package. Such packages are often malicious already, or are updated with malicious content at a later date. The squatted_package field names the legitimate package the typosquat is imitating.
{
  "_benchmark": 0.03596,
  "_meta": {
    "purl_struct": {
      "type": "gem",
      "namespace": "",
      "name": "activmodel",
      "version": "5.2.1",
      "qualifiers": null,
      "subpath": ""
    },
    "timestamp": "2023-12-01T20:36:40.01706222Z",
    "total_documents": 1
  },
  "data": {
    "cves": [],
    "research_attributes": {
      "squatted_package": "activemodel"
    }
  }
}
The typosquatting attribute is currently supported for gem, golang, npm, nuget, and pypi.
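The following Python helper is an added example and is not VulnCheck's own code. It parses responses of the shape shown in the subsections above, renders the purl_struct back into a purl string, maps each research attribute (is_malicious, squatted_package, repo_hijackable, abandoned, plus the cves array) to a finding, and derives an allow/warn/block verdict. The severity ranking, the block threshold, the purl rendering without percent-encoding, and the clean "example-clean-package" entry are assumptions of this example; the sample responses are constructed from the packages shown on this page.

```python
"""Triage helper for VulnCheck purl lookup responses (added example, not VulnCheck code)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy: severity 3 blocks an install, 1 and 2 only warn.
BLOCK_SEVERITY = 3


@dataclass
class Finding:
    purl: str
    attribute: str
    detail: str
    severity: int


def purl_from_struct(s: dict) -> str:
    """Render a purl_struct as pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>.

    Percent-encoding of segments is deliberately skipped; it is not needed for
    the sample values below.
    """
    purl = f"pkg:{s['type']}/"
    if s.get("namespace"):
        purl += f"{s['namespace']}/"
    purl += s["name"]
    if s.get("version"):
        purl += f"@{s['version']}"
    if s.get("qualifiers"):
        purl += "?" + "&".join(f"{k}={v}" for k, v in sorted(s["qualifiers"].items()))
    if s.get("subpath"):
        purl += f"#{s['subpath']}"
    return purl


def analyze(response: dict) -> List[Finding]:
    """Turn one response into findings, one per research attribute that is set."""
    purl = purl_from_struct(response["_meta"]["purl_struct"])
    data = response.get("data") or {}
    attrs = data.get("research_attributes") or {}
    findings: List[Finding] = []
    if attrs.get("is_malicious"):
        src = attrs.get("malicious_source") or "no source reference attached"
        findings.append(Finding(purl, "malicious", src, 3))
    if attrs.get("squatted_package"):
        findings.append(Finding(purl, "typosquatting", f"squats {attrs['squatted_package']}", 3))
    if attrs.get("repo_hijackable"):
        findings.append(Finding(purl, "repo_hijackable", "source repository can be repojacked", 2))
    if attrs.get("abandoned"):
        findings.append(Finding(purl, "abandoned", "source repository no longer exists", 1))
    cves = data.get("cves") or []
    if cves:  # the per-CVE record shape is not shown on this page, so only count them
        findings.append(Finding(purl, "vulnerable", f"{len(cves)} CVE record(s)", 2))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Policy decision for one package: allow, warn, or block."""
    if not findings:
        return "allow"
    return "block" if max(f.severity for f in findings) >= BLOCK_SEVERITY else "warn"


def triage(responses: List[dict]) -> Dict[str, str]:
    """Map each looked-up purl to its verdict."""
    return {purl_from_struct(r["_meta"]["purl_struct"]): verdict(analyze(r)) for r in responses}


def _response(ptype, namespace, name, version, attrs, cves=()):
    # Builds a response in the shape shown on this page; only the fields the
    # triage code reads are filled in (no _benchmark, timestamp, total_documents).
    return {"_meta": {"purl_struct": {"type": ptype, "namespace": namespace, "name": name,
                                      "version": version, "qualifiers": None, "subpath": ""}},
            "data": {"cves": list(cves), "research_attributes": attrs}}


# Constructed sample responses: the four packages shown on this page plus one
# hypothetical clean package with no attributes set.
SAMPLE_RESPONSES = [
    _response("npm", "", "aliyundrive", "6.0.4",
              {"is_malicious": True,
               "malicious_source": "https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"}),
    _response("golang", "github.com/paysuper", "paysuper-reporter", "v1.4.2", {"abandoned": True}),
    _response("golang", "github.com/zerobounty", "tile38-client", "v0.10.2", {"repo_hijackable": True}),
    _response("gem", "", "activmodel", "5.2.1", {"squatted_package": "activemodel"}),
    _response("pypi", "", "example-clean-package", "1.0.0", {}),  # hypothetical clean package
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        for f in analyze(r):
            print(f"{f.purl}: {f.attribute} ({f.detail})")
    for purl, v in triage(SAMPLE_RESPONSES).items():
        print(f"{v:6} {purl}")
```

The two-level verdict is intentional: malicious and typosquatting findings are evidence of hostile content and should stop an install, while abandoned and hijackable findings describe exposure to a future compromise and are better surfaced to the engineer owning the dependency.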