Malicious Packages

JFrog Security Documentation

JFrog Xray
Content Type
User Guide

A software supply chain attack can come in many forms. An attacker can slip malicious code or an entire malicious component into the software. It is one of the easiest methods from a technical perspective and an efficient attacking method that can reach a wide range of consumers. 

There are many packages available with many versions and manually vetting packages is an overhead that an organization cannot handle on its own. Analyzing a package, involves many steps, such as querying repositories and listing project dependencies, and detecting all of the installed third-party software versions in the project.  

This is where Xray’s Malicious Packages can provide an automated solution for detecting these types of packages. It enables you to detect and prevent known malicious packages, and offers mitigation and remediation steps to reduce the risk of using malicious packages.

Xray maintains an internal DB of malicious packages filled with malicious packages data from public advisories and from our internal research team. This DB is constantly updated, on average JFrog Security Research team discovers and reports 2 packages per day and is added to the DB on the same day it was discovered.

Malicious Packages Policies

Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches. To learn more on how to create a Policy, see Creating Xray Policies and Rules.

We recommend creating Policies with Malicious Packages-specific rules with blocking actions to create violations and block the usage of any detected malicious package.You can view issued violations either from Scans List or Watch Violations pages.

Create a Malicious Packages Policy
  1. In the Administration module, under Xray, select Watches & Policies and from the Policies tab click New Policy.

  2. Select the policy type Security.

  3. Add New Rule.

  4. Select the rule type Malicious Packages.

    The Contains Malicious Packages checkbox is selected by default.

  5. Define the automatic actions that determine the automatic response to a detected Policy violation. For more information, see Creating Xray Policies and Rules.

Additional Resources

Learn more about this feature through our blogs and webinars.

Keep track of Malicious Packages that are disclosed by the JFrog Research team.

Malicious Software Packages Blog Series 

Malicious Packages Are a Rising Threat in Software Supply Chain Attacks

Malicious Software Packages Series 1 of 4: Defining software supply chain attacks and learning the critical role that malicious software packages play in them.

Five Examples of Infection Methods Attackers Use to Spread Malicious Packages

Malicious Software Packages Series Part 2 of 4: This is how JFrog’s security researchers found these malicious code attacks.

Common Payloads Attackers Plant in Malicious Software Packages

Malicious Software Packages Series Part 3 of 4: Understanding standard payloads used in malicious software packages and how attackers execute the payloads to serve their needs through various real-life scenarios

Detecting Malicious Packages and How They Obfuscate Their Malicious Code

Malicious Software Packages Series Part 4 of 4: How malicious packages can be avoided and detected, and which obfuscation techniques they use to hide malicious code


Identifying and Avoiding Malicious Packages