Malicious Packages Identification API (MPIAPI)

Software Supply Chain Security

Easily integrate malicious package detection across the entire SDLC to prevent the threats of malicious open-source libraries.

Why Malicious Package Defense is Critical

The dramatic rise in open-source malicious packages is increasing the frequency and severity of software supply chain attacks.

  • Increase in identified malicious packages from 2022 to 2024
  • Of CISOs are concerned about the dangers of malicious packages
  • Increase in supply-chain-related breaches between 2023 and 2024
  • Of companies have experienced a supply chain attack

Protect your Organization from the Dangers of Malicious Packages

Malicious packages pose a unique AppSec risk because they can compromise your systems merely by being installed. MPIAPI provides a unique solution to this critical defense challenge.

Available at Every Stage of the SDLC

Incorporate MPIAPI calls at key stages to block malicious packages – for example, before downloads, during CI/CD workflows, or before adding packages to a private artifact registry.

The Largest Malicious Packages Database

With over 410K human-verified malicious packages across 92.8M versions (and counting), Checkmarx leads the industry with the most comprehensive malicious package repository.

Detailed Package Risk Information

Query responses provide package details, a 1–10 risk score (10 = certain malicious), and IoCs such as suspicious files, domains, or IP addresses.

High-Volume REST API

Send up to 1,000 package research requests to the MPIAPI in a single call, including package ID, ecosystem, and version. Responses return within milliseconds.

Maximize Your Software Supply Chain Defenses

Learn how leading enterprises use MPIAPI to reduce the risks of malicious packages in their software supply chains.

Protect your Organization from Malicious Package Threats

Reduce OSS security threats and improve your overall security posture by blocking malicious or suspicious third-party packages that can put your organization at risk.

Unmatched OSS Risk Visibility

Reduce OSS security threats and strengthen your security posture by blocking malicious or suspicious third-party packages that could put your organization at risk.

Protection Across Your Entire Environment

Leverage the industry’s largest malicious package database, with over 410,000 packages spanning multiple OSS ecosystems, including PyPI, npm, RubyGems, NuGet, and Maven Central.

Turbo-Charged AppSec Research

Rapidly assess third-party packages with detailed intelligence to set security policies, evaluate suspicious components, and balance risk with developer productivity.

Technology Agnostic Solution

No matter which tech stack your organization uses, you can still use MPIAPI.

FAQ

What is the difference between malicious and vulnerable packages?

Most AppSec focuses on potential risk – vulnerabilities that threat actors might later exploit. But malicious open-source packages are different; they contain harmful code from the outset, often attacking the moment they are installed. Unlike vulnerabilities that represent potential threats, malicious packages immediately endanger developer workstations, CI/CD environments, and production systems. Therefore, malicious package defense must commence before installation and at other relevant stages of the SDLC.

How prevalent are malicious packages?

The threat level to organizations of malicious packages has been rapidly rising over the past few years. The numbers tell a disturbing story: Checkmarx’ AppSec research team has discovered more than 410,000 publicly available malicious packages. A recent Checkmarx survey revealed that 76% of CISOs are concerned about the dangers of malicious packages. The average cost of a software supply chain compromise was $4.63 million, which is 8.3% higher than the average cost of a data breach due to other causes (IBM research). It is imperative that CISOs and AppSec teams place more focus on this critical threat vector.

Why are conventional AppSec solutions not sufficient?

Traditional security measures fall short when dealing with malicious packages for three primary reasons: timing (by the time SAST or SCA tools run, malicious packages may have already executed their payloads), scope (developer machines often have more permissive configurations and/or are subject to fewer enterprise security protections), and speed (the rapid pace of package adoption means threats can spread quickly before detection). For these reasons, effective malicious package defense requires a shift from reactive to proactive security: pre-installation checking (verifying packages before they enter any environment), continuous monitoring (regularly scanning existing packages as new threats are discovered), and comprehensive coverage (protection at every stage of the SDLC).

How does Checkmarx identify malicious packages?

Checkmarx combines proprietary technology with a team of expert security researchers to effectively identify malicious packages. This threat intelligence system performs automated tests to identify suspicious package behaviors, risky OSS code changes, author reputation issues, and additional factors (secrets, code scanning, static analysis, etc.). When a package is flagged as potentially malicious, Checkmarx’s security research team conducts a thorough manual review to confirm its malicious nature (to avoid false positives), before adding it to the malicious package database (and reporting it externally, when appropriate). On average, Checkmarx scans around 2 million OSS packages every month.

What are examples of malicious and suspicious package behaviors?

A few examples include data exfiltration (stealing sensitive information), harmful file downloads, network connections to domains known to be used by attackers, crypto-mining software, repojacking (taking control of the repository of a legitimate package), typosquatting (mimicking the name of a popular package so that users inadvertently install it), chainjacking (storing a package in a renamed GitHub repository), and protestware (software that includes undesirable functionality intended to protest an issue).

What are examples of malicious package attacks?

Here is one malicious attack example per year, for each of the past few years (you can Google them for details):

  • SolarWinds Supply Chain Attack (2020, Enterprise Infrastructure Compromise)
  • ua-parser-js (2021, Critical Infrastructure Targeting)
  • PyTorch (2022, Dependency Confusion Attack)
  • 116 Malicious PyPI Packages Campaign (2023, Widespread Windows/Linux Targeting)
  • MUT-8694 Campaign (2024, Cross-Platform npm/PyPI Attack)
  • NPM Attack Against qix (2025, Cryptocurrency Stealer)

How can I protect my organization from malicious packages?

The most effective way to prevent harm to your organization from malicious packages is to validate third-party packages at every relevant step of the SDLC, starting with the moment developers try to install them on their workstations. Beyond this, it is important to frequently scan all the OSS packages present in your private artifact registries, applications, and container images, and then to remove or update any package versions that have been flagged as containing malicious or suspicious code.
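The pre-installation and CI/CD gating described above, combined with the batching limit from the High-Volume REST API section (up to 1,000 packages per call, each with package ID, ecosystem and version, answered with a 1-10 risk score and IoCs), as an added example that is not Checkmarx's code. The JSON field names, the response shape and the blocking threshold are assumptions; the page does not publish the API schema.

```python
# Added example (not Checkmarx's code): a CI gate that batches pinned lockfile
# entries into MPIAPI-style requests (at most 1,000 packages per call, as the
# page states) and blocks the build on the page's 1-10 risk score. The JSON
# field names and the response shape are assumptions, not the real API schema.
import json
import re
from typing import Callable

MAX_BATCH = 1000  # per-call limit stated on the page
BLOCK_AT = 7      # assumed policy threshold on the 1-10 score (10 = certain malicious)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s;#]+)")  # pinned 'name==version' only

def parse_requirements(text: str, ecosystem: str = "pypi") -> list[dict]:
    # Comments and unpinned lines are skipped; names are normalized to lower case.
    return [{"id": m.group(1).lower(), "ecosystem": ecosystem, "version": m.group(2)}
            for m in map(REQ_LINE.match, text.splitlines()) if m]

def batches(pkgs: list[dict], size: int = MAX_BATCH) -> list[str]:
    # One JSON request body per chunk of at most `size` packages (assumed body shape).
    return [json.dumps({"packages": pkgs[i:i + size]}) for i in range(0, len(pkgs), size)]

def evaluate(results: list[dict], threshold: int = BLOCK_AT) -> dict:
    # Gate policy: a score at or above `threshold` blocks the build; scores above 1 go to
    # review. Assumed response fields: id, ecosystem, version, risk_score, iocs.
    blocked, review = [], []
    for r in results:
        score = int(r.get("risk_score", 0))
        entry = {"package": f'{r["ecosystem"]}:{r["id"]}@{r["version"]}',
                 "risk_score": score, "iocs": r.get("iocs", [])}
        if score >= threshold:
            blocked.append(entry)
        elif score > 1:
            review.append(entry)
    return {"allow": not blocked, "blocked": blocked, "review": review}

def gate(requirements: str, send: Callable[[str], list[dict]]) -> dict:
    # `send` is an injected client: it posts one body and returns the parsed result list.
    results = []
    for body in batches(parse_requirements(requirements)):
        results.extend(send(body))
    return evaluate(results)

# Constructed sample lockfile and constructed response; neither is real API data.
SAMPLE_REQUIREMENTS = "# constructed\nrequests==2.31.0\nconstructed-bad-pkg==0.0.3  # fake\n"
SAMPLE_RESPONSE = [
    {"id": "requests", "ecosystem": "pypi", "version": "2.31.0", "risk_score": 1, "iocs": []},
    {"id": "constructed-bad-pkg", "ecosystem": "pypi", "version": "0.0.3",
     "risk_score": 10, "iocs": ["c2.example.invalid"]},
]
```

In a pipeline step, pass `gate()` a client that posts each body to the API with your credentials and exit non-zero when `allow` is False; the `review` list is what a security team triages before the package is admitted to a private registry.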