Malicious Package Issues

what are they? in soos, the malicious package issue type is comprised of a few different variants of potentially malicious packages these include malicious packages a form of malware that is delivered as an open source package these can be published to a package repository and mistakenly installed which allows the attacker to carry out an attack dependency confusions a type of attack where bad actors learn about or guess a company's internal package naming convention and use this knowledge to publish malicious package versions to a public package registry refer to our article about package mask configurations docid\ lqfh 51nlqz7 xwxefwt1 to learn how to configure and protect against dependency substitution attacks dependency typos also known as typosquats, are packages published to public package registries which look very similar to legitimate packages in naming, and appearance (description, links, etc ) often, this can lead to these substituted packages being installed on developer workstations, and potentially even being deployed suspicious packages packages flagged by soos using our proprietary malicious package matching algorithm they appear to be malicious but are missing from the public malicious package feeds how does it affect my code? if these malicious packages are installed and/or deployed it can leave you, or your users, vulnerable to attacks such as remote code execution, data access, compromised systems, and more when the exact version of a malicious package is detected soos will create a critical severity malicious package issue when a package has malicious versions, but the malicious version(s) are not referenced, soos will create an info severity malicious package issue it’s possible to get both severities for different versions, if there is a malicious version and a non malicious version somewhere in the dependency tree what can i do about malicious packages? to address any of the malicious packages, soos recommends confirming if the package is a actully malicious through a manual review and by following the provided reference links if the package is identified as malicious, remove the package immediately and investigate to see if a security breach occurred please also contact the package registry to report the package, if it has not already been reported if you deem the issue to not be malicious and it is the intended package, remove the malicious package issue from your issue list following the creating issue suppressions & attestations docid\ inbrolrzqnfvkihn08fnd workflow