shivamsaraswat/PkgSafe
🛡️ PkgSafe

A simple web tool to check if an open source package contains malware.

🔗 Live Demo: https://charming-frangollo-27a49b.netlify.app/

✨ What it does

PkgSafe queries OSV.dev (the Open Source Vulnerabilities database, started by Google) and reports any advisory for the package that carries a MAL- identifier. Those identifiers are assigned by the OpenSSF Malicious Packages repository, which OSV.dev imports, so a MAL- hit means the package (or a version of it) has been reported as malicious, not merely vulnerable.

📦 Supported Ecosystems

  • 🟨 npm (JavaScript)
  • 🐍 PyPI (Python)
  • 🔵 Go
  • ☕ Maven (Java)
  • 🦀 crates.io (Rust)
  • 🟣 NuGet (.NET)
  • 💎 RubyGems (Ruby)

🔍 How it works

  1. Enter a package name and optionally a version
  2. Select the package ecosystem
  3. Click "Check Package"
  4. The tool sends the name, ecosystem and version (if given) to the OSV.dev query API
  5. Results list any MAL- reports returned for the package; if none come back, the package is shown as not flagged
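The lookup behind those steps, as an added example written for this page (it is not PkgSafe's own code): it builds the OSV.dev `/v1/query` request, then filters the response down to entries whose id or alias carries the MAL- prefix. The `checkPackage` function does the live HTTP call; everything else runs offline against a constructed sample response whose identifiers, package name and versions are placeholders, not real OSV records.

```javascript
// Added example, not PkgSafe's own code. Node 18+ (global fetch).

// OSV.dev ecosystem strings for the ecosystems PkgSafe supports.
const ECOSYSTEMS = ["npm", "PyPI", "Go", "Maven", "crates.io", "NuGet", "RubyGems"];

// Build the JSON body for POST https://api.osv.dev/v1/query.
// Omitting "version" asks OSV for reports affecting any version.
function buildOsvQuery(name, ecosystem, version) {
  if (!ECOSYSTEMS.includes(ecosystem)) {
    throw new Error(`unsupported ecosystem: ${ecosystem}`);
  }
  if (typeof name !== "string" || name.trim() === "") {
    throw new Error("package name is required");
  }
  const query = { package: { name: name.trim(), ecosystem } };
  if (typeof version === "string" && version.trim() !== "") {
    query.version = version.trim();
  }
  return query;
}

// True if an OSV entry is a malicious-package report: either its own id
// or one of its aliases carries the OpenSSF MAL- prefix.
function isMalwareReport(entry) {
  const ids = [entry.id, ...(Array.isArray(entry.aliases) ? entry.aliases : [])];
  return ids.some((id) => typeof id === "string" && id.startsWith("MAL-"));
}

// Reduce a /v1/query response to its MAL- reports, keeping the fields a
// UI would display. A response without "vulns" means "no report found".
function findMalwareReports(response) {
  const vulns = Array.isArray(response.vulns) ? response.vulns : [];
  return vulns.filter(isMalwareReport).map((v) => ({
    id: v.id,
    summary: v.summary || "",
    // Versions OSV lists as affected (empty when the report is package-wide).
    affectedVersions: (v.affected || []).flatMap((a) => a.versions || []),
  }));
}

// Live lookup against OSV.dev (network access required).
async function checkPackage(name, ecosystem, version) {
  const res = await fetch("https://api.osv.dev/v1/query", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(buildOsvQuery(name, ecosystem, version)),
  });
  if (!res.ok) throw new Error(`OSV query failed: HTTP ${res.status}`);
  const body = await res.json();
  // OSV pages large result sets; a next_page_token means this list is partial.
  return { reports: findMalwareReports(body), partial: Boolean(body.next_page_token) };
}

// Constructed sample in the shape of an OSV /v1/query response. The ids,
// package name and versions below are placeholders for the example only.
const SAMPLE_RESPONSE = {
  vulns: [
    {
      id: "MAL-0000-00001",
      summary: "Malicious code in example-pkg (npm)",
      affected: [{ package: { ecosystem: "npm", name: "example-pkg" }, versions: ["1.0.0", "1.0.1"] }],
    },
    {
      id: "GHSA-xxxx-xxxx-xxxx",
      aliases: ["MAL-0000-00002"],
      summary: "Token stealer shipped in example-pkg",
      affected: [],
    },
    {
      id: "GHSA-yyyy-yyyy-yyyy",
      aliases: ["CVE-0000-00000"],
      summary: "Ordinary vulnerability, not malware",
      affected: [],
    },
  ],
};

// Offline demo: two of the three sample entries are MAL- reports.
console.log(buildOsvQuery("example-pkg", "npm", "1.0.0"));
console.log(findMalwareReports(SAMPLE_RESPONSE));
```

Filtering on aliases as well as the primary id matters because some malware advisories reach OSV under a GHSA id with the MAL- id only as an alias; matching the id alone would miss them.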

📊 Data Source

All data comes from OSV.dev, which aggregates malicious-package reports from sources including:

  • OpenSSF Malicious Packages Repository (the source of the MAL- identifiers)
  • GitHub Security Advisories
  • Other advisory databases that OSV.dev imports

🧪 Example Malicious Packages

Test the tool with these known malicious packages:

| Ecosystem | Package  | Type          |
| --------- | -------- | ------------- |
| PyPI      | httpad   | Spyware       |
| npm       | colorsss | Token stealer |

⚠️ Limitations

  • A clean result means only that OSV.dev has no MAL- report for the package; it does not prove the package is safe
  • Only packages already reported to OSV.dev are detected, so a newly published malicious version will not appear until someone reports it
  • Checking without a version returns reports for any version of the package, so check the exact version you intend to install
  • Always review package code and maintainers before use

📄 License

MIT
