How Xray Detects Malicious Code
JFrog Xray identifies malicious packages using a combination of automated scanners, JFrog research team validation, and external threat intelligence sources. Each package is scored for maliciousness, and if confirmed, it’s added to Xray’s database so it can be detected and blocked as per policy definitions in your environment.
For more details, refer to: JFrog Malicious Package Detection.
Blocking Malicious Package Downloads with Xray
To actively block malicious packages from being downloaded, you need to:
Step 1: Add the required repositories for indexed resources. Navigate to Administration -> Xray settings -> Indexed resources
Step 2: Go to Watches & Policies under Xray on the home page, create a Security Policy, and click Next.
Step 3: Add a rule, set the type to Malicious packages, and enable both Block Download and Block Unscanned Artifacts.
Step 4: Save the policy, then create a Watch with the target repositories and attach the above created policy.
Now, JFrog Xray will be able to scan artifacts and block downloads if any malicious packages are detected during the corresponding pipeline executions.
Alternative Solution:
If you already know the malicious package name or path and want to block it at the Artifactory level, you can block it directly using exclude patterns on the repository. This prevents users from downloading the specified package.
For example, you can configure an exclude pattern like below:
**/backslash-0.2.1.tgz
This will block access to that specific package. You can apply multiple patterns if needed. For detailed instructions, refer to How to Use Include/Exclude Patterns.
Identifying Already Downloaded Packages
If you want to check whether the malicious packages in question were already downloaded, i.e. before blocking was enabled, you can use the Artifactory logs to find out which pipelines or users downloaded them.
The repository, package path, and the username of the person who downloaded the package can be retrieved from artifactory-access.log or artifactory-request.log.
Example: artifactory-access.log
2025-09-10T10:13:21.098Z [02d4bf9b046dc957] [ACCEPTED DOWNLOAD] test-npm-local:npmproj/-/backslash-0.2.1.tgz for client: admin / xx.xx.x.9 [token]
Example: artifactory-request.log (downloads can also be tracked here):
2025-09-10T10:13:21.098Z|02d4bf9b046dc957|xx.xx.x.9|admin|GET|/test-npm-local:npmproj/-/backslash-0.2.1.tgz|200|-1|1035|13|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
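The two log formats above are simple enough to parse with a short script. The following is an added example, not part of this article or JFrog's tooling: it parses constructed artifactory-access.log and artifactory-request.log lines in the formats shown, matches each downloaded path against one or more Ant-style exclude patterns (the same `**/backslash-0.2.1.tgz` form used above), and reports who downloaded a matching package. The sample log lines, IPs, users and trace ids are constructed for the example; the mapping of `**`, `*` and `?` to regular expressions is the common Ant-style interpretation and is assumed here rather than taken from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample lines in the two log formats shown in the article (not real traffic).
ACCESS_LOG = """\
2025-09-10T10:13:21.098Z [02d4bf9b046dc957] [ACCEPTED DOWNLOAD] test-npm-local:npmproj/-/backslash-0.2.1.tgz for client: admin / 10.0.0.9 [token]
2025-09-10T10:14:02.511Z [1a2b3c4d5e6f7a8b] [ACCEPTED DOWNLOAD] test-npm-local:lodash/-/lodash-4.17.21.tgz for client: ci-bot / 10.0.0.12 [token]
2025-09-10T10:15:40.000Z [9f8e7d6c5b4a3210] [DENIED DOWNLOAD] test-npm-local:npmproj/-/backslash-0.2.1.tgz for client: dev1 / 10.0.0.33 [token]
"""

REQUEST_LOG = """\
2025-09-10T10:13:21.098Z|02d4bf9b046dc957|10.0.0.9|admin|GET|/test-npm-local:npmproj/-/backslash-0.2.1.tgz|200|-1|1035|13|Mozilla/5.0
2025-09-10T10:14:02.511Z|1a2b3c4d5e6f7a8b|10.0.0.12|ci-bot|GET|/test-npm-local:lodash/-/lodash-4.17.21.tgz|200|-1|420|9|npm/9.6.7
2025-09-10T10:15:40.000Z|9f8e7d6c5b4a3210|10.0.0.33|dev1|GET|/test-npm-local:npmproj/-/backslash-0.2.1.tgz|403|-1|0|2|npm/9.6.7
"""


@dataclass
class Download:
    timestamp: str
    trace_id: str
    repo: str
    path: str
    user: str
    client_ip: str
    source: str  # "access" or "request": which log the record came from


# Only ACCEPTED DOWNLOAD events are of interest; denied attempts never delivered the package.
ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<trace>[0-9a-f]+)\] \[ACCEPTED DOWNLOAD\] "
    r"(?P<repo>[^:\s]+):(?P<path>\S+) for client: (?P<user>\S+) / (?P<ip>\S+)"
)


def parse_access_log(lines: Iterable[str]) -> List[Download]:
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            out.append(Download(m["ts"], m["trace"], m["repo"], m["path"], m["user"], m["ip"], "access"))
    return out


def parse_request_log(lines: Iterable[str]) -> List[Download]:
    """Pipe-separated: ts|trace|ip|user|method|url|status|... ; keep completed GETs only."""
    out = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 7:
            continue
        ts, trace, ip, user, method, url, status = fields[:7]
        if method != "GET" or status != "200":
            continue
        repo, _, path = url.lstrip("/").partition(":")
        if not path:
            continue
        out.append(Download(ts, trace, repo, path, user, ip, "request"))
    return out


def glob_to_regex(pattern: str) -> re.Pattern:
    """Ant-style pattern to anchored regex (assumed semantics: ** spans '/', * and ? do not)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")  # '**/' also matches an empty prefix
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def find_downloads(patterns: List[str], access_text: str, request_text: str) -> List[Download]:
    """Return downloads whose path matches any pattern; one record per trace id
    (the same event appears in both logs), ordered by timestamp."""
    regexes = [glob_to_regex(p) for p in patterns]
    hits: Dict[str, Download] = {}
    records = parse_access_log(access_text.splitlines()) + parse_request_log(request_text.splitlines())
    for d in records:
        if any(r.match(d.path) for r in regexes):
            hits.setdefault(d.trace_id, d)
    return sorted(hits.values(), key=lambda d: d.timestamp)


if __name__ == "__main__":
    for d in find_downloads(["**/backslash-0.2.1.tgz"], ACCESS_LOG, REQUEST_LOG):
        print(f"{d.timestamp} {d.user}@{d.client_ip} downloaded {d.repo}:{d.path} (trace {d.trace_id})")
```

On a real system, point the two parsers at the log files instead of the constructed strings; the request log is the better primary source because its HTTP status separates completed downloads from blocked ones, while the access log confirms the user and repository for the same trace id.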