A simple web tool to check if an open source package contains malware.
🔗 Live Demo: https://charming-frangollo-27a49b.netlify.app/
PkgSafe checks packages against OSV.dev (Google's Open Source Vulnerability database) to identify known malicious packages. It specifically looks for advisories with `MAL-` identifiers, which come from the OpenSSF Malicious Packages repository.
Supported ecosystems:
- 🟨 npm (JavaScript)
- 🐍 PyPI (Python)
- 🔵 Go
- ☕ Maven (Java)
- 🦀 crates.io (Rust)
- 🟣 NuGet (.NET)
- 💎 RubyGems (Ruby)
How it works:
- Enter a package name and optionally a version
- Select the package ecosystem
- Click "Check Package"
- The tool queries the OSV.dev API for malware reports
- Results show if the package is flagged as malicious
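The lookup described above, as an added example that is not PkgSafe's own code: it builds the request body for OSV.dev's public `POST /v1/query` API and classifies the response, counting an advisory as a malware report when its `id` or one of its `aliases` starts with `MAL-`. The sample response, its advisory ids and the `checkPackage` helper name are constructed for illustration.

```javascript
// Added example (not PkgSafe's code). Request shape follows OSV.dev's POST /v1/query API.
const OSV_QUERY_URL = 'https://api.osv.dev/v1/query';

// Ecosystem labels exactly as OSV.dev expects them (the seven PkgSafe supports).
const ECOSYSTEMS = ['npm', 'PyPI', 'Go', 'Maven', 'crates.io', 'NuGet', 'RubyGems'];

// Build the JSON body for POST /v1/query; version is optional, as in the tool.
function buildQuery(ecosystem, name, version) {
  if (!ECOSYSTEMS.includes(ecosystem)) throw new Error(`unsupported ecosystem: ${ecosystem}`);
  const body = { package: { name, ecosystem } };
  if (version) body.version = version;
  return body;
}

// True when the advisory itself, or any alias, carries a MAL- identifier.
function isMalwareReport(vuln) {
  const ids = [vuln.id, ...(Array.isArray(vuln.aliases) ? vuln.aliases : [])];
  return ids.some((id) => typeof id === 'string' && id.startsWith('MAL-'));
}

// Split an OSV response into malware reports and other advisories.
// An empty `vulns` list only means nothing has been reported yet, not that the package is safe.
function classify(response) {
  const vulns = Array.isArray(response && response.vulns) ? response.vulns : [];
  const malware = vulns.filter(isMalwareReport).map((v) => ({ id: v.id, summary: v.summary || '' }));
  const other = vulns.filter((v) => !isMalwareReport(v)).map((v) => v.id);
  return { knownMalicious: malware.length > 0, malware, other };
}

// Live lookup (needs network, Node 18+ or a browser for global fetch).
async function checkPackage(ecosystem, name, version) {
  const res = await fetch(OSV_QUERY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildQuery(ecosystem, name, version)),
  });
  if (!res.ok) throw new Error(`OSV query failed: HTTP ${res.status}`);
  return classify(await res.json());
}

// Constructed sample response (placeholder ids): one malware report, one ordinary advisory.
const SAMPLE_RESPONSE = {
  vulns: [
    { id: 'MAL-0000-00001', summary: 'Malicious code in colorsss (npm)', aliases: [] },
    { id: 'GHSA-xxxx-xxxx-xxxx', summary: 'Prototype pollution in colorsss', aliases: [] },
  ],
};
```

Calling `checkPackage('npm', 'colorsss')` performs the same query the web tool sends, and `classify` is what decides whether the result is shown as malicious.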
All data comes from OSV.dev, which aggregates malware reports from:
- OpenSSF Malicious Packages Repository
- GitHub Security Advisories
- And other trusted sources
Test the tool with these known malicious packages:
| Ecosystem | Package | Type |
|---|---|---|
| PyPI | httpad | Spyware |
| npm | colorsss | Token stealer |

Limitations:
- A clean result doesn't guarantee safety
- Only detects packages already reported to OSV.dev
- Always review package code and maintainers before use
License: MIT