Malicious package detection

Cloudsmith now detects malicious packages using data from OSV.dev and the OpenSSF Malicious Packages project so you can see, stop, and govern open source packages designed to attack your supply chain before they reach your builds or customers.

Malware scanning looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

  • Trusted data sources: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.
  • Continuous checks: Packages in your repositories are regularly evaluated against this dataset.
  • Policy-based enforcement: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.
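
The check-then-enforce flow in those three steps, as an added example that is not Cloudsmith's code: it looks a package up in the OSV.dev query API (the endpoint and the `MAL-` id prefix carried by OpenSSF Malicious Packages advisories are real; the package names and responses below are constructed) and maps any malicious-package hit onto a quarantine-or-block decision.

```python
"""Evaluate packages against OSV.dev for OpenSSF malicious-package advisories.

Added example, not Cloudsmith's implementation. Assumes the public OSV.dev
query endpoint (POST https://api.osv.dev/v1/query) and that OpenSSF
Malicious Packages advisories are published to OSV with ids prefixed "MAL-".
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def query_osv(name: str, version: str, ecosystem: str = "PyPI") -> dict:
    """Live lookup of one package@version (needs network; the demo below is offline)."""
    body = json.dumps({"version": version,
                       "package": {"name": name, "ecosystem": ecosystem}}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify(osv_response: dict) -> dict:
    """Separate malicious-package advisories (MAL-) from ordinary vulnerability ids."""
    vulns = osv_response.get("vulns", [])
    malicious = [v["id"] for v in vulns if v["id"].startswith("MAL-")]
    other = [v["id"] for v in vulns if not v["id"].startswith("MAL-")]
    return {"malicious": malicious, "vulnerabilities": other}


def policy_action(classification: dict, enforce_block: bool) -> str:
    """Quarantine-or-block policy: only a MAL- advisory triggers enforcement."""
    if not classification["malicious"]:
        return "allow"
    return "block" if enforce_block else "quarantine"


# Constructed responses in the OSV query-API shape; these are not real advisories.
SAMPLE_RESPONSES = {
    "typo-sqaure==1.0.0": {"vulns": [{"id": "MAL-0000-0001",
                                     "summary": "constructed: typosquat installer"}]},
    "some-lib==1.2.3": {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx",
                                  "summary": "constructed: ordinary vulnerability"}]},
    "harmless==0.1.0": {},
}


def evaluate_all(responses: dict, enforce_block: bool = False) -> dict:
    """Return the policy decision for each package@version in the repository."""
    return {pkg: policy_action(classify(resp), enforce_block)
            for pkg, resp in responses.items()}


if __name__ == "__main__":
    for pkg, action in evaluate_all(SAMPLE_RESPONSES).items():
        print(f"{pkg}: {action}")
```

Note that a package with only an ordinary vulnerability id is allowed here; vulnerability scanning is a separate control from malicious-package detection.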

This capability is in Early Access, available to Ultra and Enterprise customers. Please contact us to get access today.

📘 Learn more in the docs >> Malicious Packages
