---
title: "Managing Malicious Packages with Cloudsmith EPM"
description: "Learn how Cloudsmith EPM uses OpenSSF's malicious package project to detect and block malware in open source packages."
canonical_url: "https://cloudsmith.com/blog/managing-open-source-vulnerabilities-epm"
last_updated: "2025-08-15T10:59:56.049Z"
---
# Managing Malicious Packages with Cloudsmith EPM

Cloudsmith’s Enterprise Policy Management (EPM) now supports the Open Source Vulnerability ([**OSV**](https://google.github.io/osv.dev/data/)) database as an additional data source, so users can define [**malicious package**](https://cloudsmith.com/blog/malicious-package-detection-in-cloudsmith) policies. OSV.dev is a distributed vulnerability database specifically for open source software (OSS) packages, including dependencies. The open, precise, and distributed vulnerability information for OSS projects from OSV complements EPM’s existing vulnerability data from Common Vulnerability Scoring System ([**CVSS**](https://www.first.org/cvss/)) and Exploit Prediction Scoring System ([**EPSS**](https://cloudsmith.com/blog/cloudsmith-introduces-epss-scoring-in-enterprise-policy-management-epm)) sources.



### How does OSV work?

The OSV database was originally developed by Google, and is fully open source. It consolidates data from multiple vulnerability repositories that follow the OSV schema, such as [**GitHub Advisory**](https://github.com/github/advisory-database) database, Python Packaging Advisory Database ([**PyPA**](https://github.com/pypa/advisory-database)), [**RustSec Advisory**](https://github.com/RustSec/advisory-db) database, and the Global Security ([**GSD**](https://github.com/cloudsecurityalliance/gsd-database)) database. This includes the [**OpenSSF Malicious Packages**](https://github.com/ossf/malicious-packages) data source.



OSV offers a straightforward API that allows clients to look up vulnerabilities based on either a specific commit hash or a package version. All records adhere to the [**OpenSSF OSV**](https://ossf.github.io/osv-schema/) specification, which was created through collaboration with open-source communities. This schema provides a standard approach, for both human- and machine-readable format for detailing vulnerabilities, ensuring they can be accurately linked to exact package versions and commits.



### Creating a Malicious Package policy in Cloudsmith

Let’s look at an example of Cloudsmith EPM policy. This one serves as a malware detection gate. EPM runs **after** the Cloudsmith security scan completes during package synchronisation, making scan results available as `input.v0`. In this case, the policy code loops over the `input.v0.osv` array, which is the OSV malware data from the scan. For each vulnerability object, it checks, “does the ID start with the string **MAL-** ?” If yes, it adds that `vulnerability.id` to the `malicious_packages` list.



```json
{
  "_key": "558112728397",
  "_type": "code",
  "code": "package cloudsmith\ndefault match := false\n\nmatch if count(malicious_packages) > 0\n\nmalicious_packages := [vulnerability.id |\n\tsome vulnerability in input.v0.osv\n\tstartswith(vulnerability.id, \"MAL-\")\n]",
  "filename": null,
  "language": "rego",
  "markDefs": null
}
```



So what does this policy do in practice? It flags any package that has been reported as known malicious as part of the OpenSSF Malicious Packages project. "**MAL-**" is used specifically in vulnerability feeds to indicate malware-related findings. Once a match is found, Cloudsmith will execute the [**defined actions**](https://docs.cloudsmith.com/artifact-management#package-actions) for this policy, such as to quarantine, tag, or block package promotion.



### Testing the policy

BleepingComputers [**published**](https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/) a blog post in July 2025 about a set of npm linter packages, including **eslint-plugin-react_editor**, that were hijacked via phishing to drop malware. Looking up eslint-plugin-react_editor within the OSV database we can see there’s already a matching entry with the ID **[MAL-2025-6812](https://osv.dev/vulnerability/MAL-2025-6812). **Each malware ID comes with an associated [**Github source**](https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plugin-react_editor/MAL-2025-6812.json) that provides all the surrounding context for policy decisions. We are using a free string search for “MAL-” to capture malware IDs.



For npm packages, you can use `npm pack` or `npm view` to get the tarball URL:





```json
{
  "_key": "88c652b111ae",
  "_type": "code",
  "code": "PACKAGE_NAME=\"eslint-plugin-react_editor\"\nPACKAGE_VERSION=\"71.71.72\"\nTARBALL_URL=$(npm view ${PACKAGE_NAME}@${PACKAGE_VERSION} dist.tarball)",
  "filename": null,
  "language": "bash",
  "markDefs": null
}
```



In this scenario, we downloaded the tarball in a sandbox environment:



```json
{
  "_key": "7dee31517097",
  "_type": "code",
  "code": "curl -O $TARBALL_URL\nls | grep eslint-plugin-react_editor-71.71.72.tgz",
  "filename": null,
  "language": "bash",
  "markDefs": null
}
```



We pushed the `.tgz` tarball to Cloudsmith without installing it locally, which is safer when testing the malicious package.



```json
{
  "_key": "4bad67b780a3",
  "_type": "code",
  "code": "cloudsmith push npm $CLOUDSMITH_ORG/$CLOUDSMITH_REPO eslint-plugin-react_editor-71.71.72.tgz",
  "filename": null,
  "language": "bash",
  "markDefs": null
}
```

```json
{
  "_key": "3f8f93b1fb89",
  "_type": "image",
  "alt": "Package Quarantined in the CLI",
  "asset": {
    "_createdAt": "2025-08-19T09:11:32Z",
    "_id": "image-004bb38f81d6d1be7d6a0a7d00ea90cbe90abc9a-1988x1482-png",
    "_rev": "8ztm3cRdTD7y7Mmk83pIDL",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-08-19T09:11:32Z",
    "assetId": "004bb38f81d6d1be7d6a0a7d00ea90cbe90abc9a",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "V14oNR~q%gtRogM}NGWUbaa~t6oeV[agjuxvt8oyWTWA",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.3414304993252362,
        "height": 1482,
        "width": 1988
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAABYlAAAWJQFJUiTwAAAB2UlEQVR4nJWU2XKjMBBF+ZJxYhuzg8UqBDIGvDvL/P/PnCnhpDIPWZyHW6p+ObrdtyUrzHYYRflIXIyI6kCU7/BFT5j2+GLLwlPMVtVdsoLihF+OuLnCSSWOUNhRw8JvWPqKha94cOT9wKi+EDV7AtXgVRWOkCzDG8ho7t1kXL7X311grdWRbHMm3xwRasQTHXbYYAcNy6B9k6lb7LCdnD+69ZdQS8gDeXMhVxeSYo8bdxPgf4c3wA3yri8dxsWBdXUkLnYEWU8getykw4k1TrTBDvUEvHuGYXkmLHd4ucZNFa5oWcUfbZrz0f1FKH5xxCu22GnFMslZRCWPfsWDU721dx9o9pHyjrDa4uUtrmhYxSaMn9P8EijHC3K4Irsrpb4g5JEwG/GS7ZTqb+Y3M0A1nGnHJ/Twih7+oroXUnkiynYE6TClblblnoRnBljrA0qfaPSVdvNMrZ/I6hNJuScyyac9q0hPULNGPzm29PCM7l/Q/StN90KlL6TqQCJHgqLDMXNNmqn9+R3P0Kq7Z0p9pWhPiHpPIgeiqsMvGpxMYosCx6zTWjMPGmbG4bs+gVthvsVLNat1zTKpWAk5AeykZh6VzKOCZSyxY8U8UMzMz+PV/PE+B/4DIQzQqP+fCswAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1c2434",
          "foreground": "#fff",
          "population": 61.55,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#041428",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1c2434",
          "foreground": "#fff",
          "population": 61.55,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#a8abba",
          "foreground": "#000",
          "population": 0.09,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#86b6f2",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#777d8d",
          "foreground": "#fff",
          "population": 2.11,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#1773e7",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot 2025-08-19 at 09.57.44.png",
    "path": "images/rafvlnhi/production/004bb38f81d6d1be7d6a0a7d00ea90cbe90abc9a-1988x1482.png",
    "sha1hash": "004bb38f81d6d1be7d6a0a7d00ea90cbe90abc9a",
    "size": 349382,
    "uploadId": "ePiHQyv3LhvDkaQ4fBR5cxmVv9aelYLY",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/004bb38f81d6d1be7d6a0a7d00ea90cbe90abc9a-1988x1482.png"
  },
  "caption": "Package Quarantined in the CLI",
  "link": {
    "_type": "link",
    "href": "https://docs.cloudsmith.com/artifact-management/package-quarantine",
    "linkType": "href",
    "openInNewTab": true
  },
  "markDefs": null
}
```



**Remember:** We are detecting based on malware, not on vulnerabilities. In this case there is no CVSS vulnerability data associated with the package, however, the package is still quarantined and tagged for Malware due to the malware findings from the Malicious Packages project.



```json
{
  "_key": "76e65c524f49",
  "_type": "image",
  "alt": "Package Quarantined in the Web UI",
  "asset": {
    "_createdAt": "2025-08-19T09:12:08Z",
    "_id": "image-cdb449ade21d72e11296b5264873ac71b90b3e54-1988x1482-png",
    "_rev": "rXFx7vJUsmlaA6iqc3HqhD",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-08-19T09:12:08Z",
    "assetId": "cdb449ade21d72e11296b5264873ac71b90b3e54",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "V4S$r+bvj?~pkB_3aeIoWXRk9Yofa}j[oe^+IVof%Lxt",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.3414304993252362,
        "height": 1482,
        "width": 1988
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAABYlAAAWJQFJUiTwAAABr0lEQVR4nI1Ui47cIAzk/3+z2na7TVtdEjC2ganGbPZyUdXeSrPGAYbxA9LbtuP78gu3+4Iv3x643X/g62PB7bHgvvzEuu+oqk8Y1BxqtPbyqznWXPD4/YbEj3sRrHsGyWkPbLlA1eCtoQU6Wn+idTj95zeS7qUiTWeeFBuPDX1uMG8w9/D7GBgEEJZk5h/3JXXKzcgicG+xkD/+c0GuNdRK1RfxnB8hYi0FuUjM9SA0j9D2LJGX3k+EraPUGvNZKqRaKA6VYxLuRQJMHQUFIRfnUlGVCgYogmgdp7AJpuF9nmPz/gL9xFO3IthyRVGfOfGpxNqIRd5HkH8GSa2FdLOZfK0FUjaICIQHsIpjgJkgxgX9BPrpKD1zwnGpii0L1qzYxaF+VBefQjpyxNJTTdEWRHsxZPGp0lsUKzbh30hczAqxMdUbREmks1BPGy1js9f+q9BaCzIiyM0i7DN4CDuAa9kFRxP/TXWaJAxt3hbaIopChRfig5yKiei983VkY7+HPAlLZcgz3CtZEF7GrwdC+Wg47/K8k2Rnc7IXc+UBs1BX8JH48I0FZVOHbfgDgVeauSXd9TUAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#3e474b",
          "foreground": "#fff",
          "population": 0.07,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#715813",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7c878d",
          "foreground": "#fff",
          "population": 0.31,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d4c4ad",
          "foreground": "#000",
          "population": 0.01,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#f8efd6",
          "foreground": "#000",
          "population": 0.12,
          "title": "#000"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#7c878d",
          "foreground": "#fff",
          "population": 0.31,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#d9aa25",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot 2025-08-19 at 09.58.17.png",
    "path": "images/rafvlnhi/production/cdb449ade21d72e11296b5264873ac71b90b3e54-1988x1482.png",
    "sha1hash": "cdb449ade21d72e11296b5264873ac71b90b3e54",
    "size": 247048,
    "uploadId": "KFfZ4AU8Skmzm7x6VyvcI8giE7t6PdJE",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/cdb449ade21d72e11296b5264873ac71b90b3e54-1988x1482.png"
  },
  "caption": "Package Quarantined in the Web UI",
  "link": {
    "_type": "link",
    "href": null,
    "openInNewTab": false
  },
  "markDefs": null
}
```



EPM’s [**Decision Logs**](https://help.cloudsmith.io/docs/getting-started-with-enterprise-policy-management#checking-decision-logs) explain how the package was quarantined with the relevant malware information. Here’s a command you could use to return information specific to OSV findings:



```json
{
  "_key": "f6fec887d098",
  "_type": "code",
  "code": "curl -sS \\\n  -H \"Accept: application/json\" \\\n  -H \"X-Api-Key: $CLOUDSMITH_API_KEY\" \\\n  \"https://api.cloudsmith.io/v2/workspaces/$CLOUDSMITH_ORG/policies/decision_logs/?policy=$SLUG_PERM\" |\njq '\n  .results[]\n  | (.policy_input.v0.osv // [])\n  | .[]\n  | {\n      id,\n      summary,\n      affected,\n      source: ((.affected // []) | map(.database_specific.source?) | unique | join(\", \")),\n      details\n    }\n'",
  "filename": null,
  "language": "bash",
  "markDefs": null
}
```



```json
{
  "_key": "06a00975f6e8",
  "_type": "image",
  "alt": "Cloudsmith Decision Log Filtered for Malware Context",
  "asset": {
    "_createdAt": "2025-08-19T09:12:37Z",
    "_id": "image-3cd4766105b7652cb7964918bd0c3f07da1aff60-1988x1482-png",
    "_rev": "8ztm3cRdTD7y7Mmk83pQCp",
    "_type": "sanity.imageAsset",
    "_updatedAt": "2025-08-19T09:12:37Z",
    "assetId": "3cd4766105b7652cb7964918bd0c3f07da1aff60",
    "extension": "png",
    "metadata": {
      "_type": "sanity.imageMetadata",
      "blurHash": "V03]4V%}x_yEtAj3j]j]jcj]aff5j=j=j=j3kDj^j]j]",
      "dimensions": {
        "_type": "sanity.imageDimensions",
        "aspectRatio": 1.3414304993252362,
        "height": 1482,
        "width": 1988
      },
      "hasAlpha": true,
      "isOpaque": true,
      "lqip": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAPCAYAAADkmO9VAAAACXBIWXMAABYlAAAWJQFJUiTwAAABaklEQVR4nJ2S6XKDIBSFfZOoILhrFFCnjW3S5v0f6XQAiUvppJMfZ2AucLjLFyTVDFq+IcoGnPhG7DUFrL2BtTNINSHMB4SZRJgpRKlC6DN+8lnA2i+k/TfY+QJSDYgKiShflCmE6UGbmM88oPUVmbiD9zNIPSAqJcJc4eQM+CJjsMb03pshrT7AuxuS5g1xsWbwcg+TakbSzIjLaVeizvCUDgfZmD3X/VSPCkzG3PRwBm0nkFqC1D1iI4G4Eqb8nXSskuuZ67deC90qiYB1F9BuBGkFSNMbGVPvI2HXbTxfpQkJ2PkK1s2gzYSoULuL24n6tOOWux7WV/BOY6P7OC64LGbPDL1DqT+RirvJklQKcSGM0a/fffJPecXGlKyz+wPaf2FDa43NBaQczZSMjiW7/VZH8B/YdO9IzhNIIy0ubsp1bzEpBeLSrhYbi1TsJr2RwSaVI3ivQNvFcOHQGLjLDg0Pd1bqUdkPYuDCoaCGf7YAAAAASUVORK5CYII=",
      "palette": {
        "_type": "sanity.imagePalette",
        "darkMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2f3454",
          "foreground": "#fff",
          "population": 0.03,
          "title": "#fff"
        },
        "darkVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#0c2444",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "dominant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2f3454",
          "foreground": "#fff",
          "population": 0.03,
          "title": "#fff"
        },
        "lightMuted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#164482",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        },
        "lightVibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#8eb6eb",
          "foreground": "#000",
          "population": 0,
          "title": "#fff"
        },
        "muted": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#62708c",
          "foreground": "#fff",
          "population": 0.02,
          "title": "#fff"
        },
        "vibrant": {
          "_type": "sanity.imagePaletteSwatch",
          "background": "#2672d8",
          "foreground": "#fff",
          "population": 0,
          "title": "#fff"
        }
      }
    },
    "mimeType": "image/png",
    "originalFilename": "Screenshot 2025-08-19 at 09.57.31.png",
    "path": "images/rafvlnhi/production/3cd4766105b7652cb7964918bd0c3f07da1aff60-1988x1482.png",
    "sha1hash": "3cd4766105b7652cb7964918bd0c3f07da1aff60",
    "size": 288674,
    "uploadId": "dcndJUDsAQQinCWMePwctyifrJtZUwEi",
    "url": "https://cdn.sanity.io/images/rafvlnhi/production/3cd4766105b7652cb7964918bd0c3f07da1aff60-1988x1482.png"
  },
  "caption": "Cloudsmith Decision Log Filtered for Malware Context",
  "link": {
    "_type": "link",
    "href": "https://docs.cloudsmith.com/supply-chain-security/epm#decision-logs",
    "linkType": "href",
    "openInNewTab": true
  },
  "markDefs": null
}
```



Removing the** [jq](https://jqlang.org/)** filter, you get the entire output of the Cloudsmith EPM decision logs. Within these logs, you’ll see:



- `started_at/ended_at`: Times the policy evaluation started and ended.
- `policy_input`: The exact data used to evaluate the policy.
- `policy_output`: The results (**match** or **not**, the partial rule states).
- `actions`: Which actions were actually invoked on the package.



### Protect Yourself Against Malicious Packages!

By integrating OSV as a data source, Cloudsmith EPM gains access to vulnerability intelligence that directly maps to specific OSS package versions and commits. These [**malicious package**](https://cloudsmith.com/blog/malicious-package-detection-in-cloudsmith) policies complement the existing CVSS and EPSS coverage by filling critical gaps, particularly in cases where a package may not register a conventional CVSS vulnerability score but is still compromised, such as with malware-flagged releases.



With OSV’s standardised schema and rich ecosystem of upstream sources, EPM will detect and act on threats that might otherwise slip through traditional scoring-based detection, extending its ability to quarantine, block, or tag malicious packages before they impact production environments.
