How do malicious software packages get identified and taken down?

How do packages get identified as malicious in the first place?

I think a lot of people don’t understand how malicious packages are detected, so let me take a few minutes to explain it.

The reality is that most of the time, it is independent security researchers, like myself, who initially identify that a software package is malicious.  In my case, I’ve written a detection engine and corresponding infrastructure to run that engine 24 hours a day, 365 days a year.  This means I find a large number of malicious packages, which I then disclose to the relevant parties.

Once a researcher has investigated a package and confirmed that it is malicious, one of two things can happen:

Contact NPM directly about a malicious package

A researcher submits the package directly to NPM using their malicious package report form.  You might think that going to the source of the problem would be best, but reporting malicious packages directly to NPM is typically not the most effective approach.

Ironically, notifying NPM directly is by far the slowest way to get something removed from NPM.  For example, I identified that the baby-electron package was malicious in December 2024.  NPM didn’t respond to my submission or take it down until May 2025!


Tell OSV that a package is malicious

The most effective way to get a package removed is to submit it to OSV.  You do this by forking the ossf/malicious-packages git repository, adding a report for the package in OSV format, and submitting it as a pull request.  This is more involved than just filling out the NPM form, but it works a lot better.

The repository URL is https://github.com/ossf/malicious-packages
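To show what a submission to that repository involves in practice, here is an added example (it is not code from this post or from the ossf/malicious-packages project) that builds an OSV-format record for a malicious npm package and sanity-checks the fields a maintainer would bounce a PR for.  The field names are those of the public OSV schema; the MAL-0000-<name> placeholder id, the schema version number and the osv/malicious/<ecosystem>/<name>/ file path are assumptions about the repository's contribution layout and should be checked against its CONTRIBUTING guide before opening a PR.  The package name, versions and description are constructed sample data, not a real finding.

```python
"""Build and sanity-check an OSV record for a malicious package report.

Added example, not code from the post or from the ossf/malicious-packages
project.  Field names follow the public OSV schema.  ASSUMPTIONS: the
MAL-0000-<name> placeholder id, OSV_SCHEMA_VERSION and the
osv/malicious/<ecosystem>/<name>/ path reflect the repo's contribution
layout; check CONTRIBUTING.md before submitting.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

OSV_SCHEMA_VERSION = "1.5.0"  # assumption: schema version in use at time of writing

# OSV ecosystem name -> Package URL (purl) type.  Only ecosystems with a
# well-known purl type are listed, so nothing is guessed.
PURL_TYPES = {
    "npm": "npm",
    "PyPI": "pypi",
    "RubyGems": "gem",
    "crates.io": "cargo",
    "Go": "golang",
    "NuGet": "nuget",
    "Packagist": "composer",
}

RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
PLACEHOLDER_ID = re.compile(r"^MAL-0000-[A-Za-z0-9_.@/-]+$")


def build_mal_record(ecosystem, name, versions, summary, details, finder,
                     report_url=None, when=None):
    """Return an OSV-format dict for a malicious package.

    The id is left as the MAL-0000-<name> placeholder (assumption: a real
    MAL- id is assigned by the repo's automation when the PR is merged).
    Duplicate versions are dropped while preserving the order given.
    """
    ts = when or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    purl = f"pkg:{PURL_TYPES.get(ecosystem, ecosystem.lower())}/{quote(name, safe='/')}"
    record = {
        "schema_version": OSV_SCHEMA_VERSION,
        "id": f"MAL-0000-{name}",
        "modified": ts,
        "published": ts,
        "summary": summary,
        "details": details,
        "affected": [{
            "package": {"ecosystem": ecosystem, "name": name, "purl": purl},
            "versions": list(dict.fromkeys(versions)),
        }],
        "credits": [{"name": finder, "type": "FINDER"}],
    }
    if report_url:
        record["references"] = [{"type": "REPORT", "url": report_url}]
    return record


def validate_record(record):
    """Return a list of problems with the record; an empty list means it looks submittable."""
    problems = []
    if record.get("schema_version") != OSV_SCHEMA_VERSION:
        problems.append("schema_version missing or unexpected")
    if not PLACEHOLDER_ID.match(record.get("id", "")):
        problems.append("id must be MAL-0000-<package name> for a new submission")
    for field in ("modified", "published"):
        if not RFC3339_UTC.match(record.get(field, "")):
            problems.append(f"{field} is not an RFC3339 UTC timestamp")
    if not record.get("summary"):
        problems.append("summary is empty")
    affected = record.get("affected") or []
    if not affected:
        problems.append("affected is empty")
    for entry in affected:
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") not in PURL_TYPES:
            problems.append(f"unknown ecosystem {pkg.get('ecosystem')!r}")
        if not pkg.get("name"):
            problems.append("package name is empty")
        if not entry.get("versions") and not entry.get("ranges"):
            problems.append(f"{pkg.get('name')}: no versions or ranges listed")
    return problems


def suggested_path(record):
    """File path for the PR (assumption: osv/malicious/<ecosystem>/<name>/<id>.json)."""
    pkg = record["affected"][0]["package"]
    return f"osv/malicious/{pkg['ecosystem']}/{pkg['name']}/{record['id']}.json"


if __name__ == "__main__":
    # Constructed sample data: hypothetical package, not a real finding.
    rec = build_mal_record(
        "npm", "example-evil-pkg", ["1.0.0", "1.0.1", "1.0.0"],
        summary="Malicious code in example-evil-pkg (npm)",
        details="postinstall script exfiltrates environment variables to an attacker-controlled host.",
        finder="Example Researcher",
        report_url="https://example.invalid/report",
    )
    print(json.dumps(rec, indent=2))
    print(suggested_path(rec))
    print("problems:", validate_record(rec) or "none")
```

Run it and the JSON it prints is the body of the file you would add on a branch of your fork before opening the PR; the validator is there so you catch an empty version list or a malformed timestamp yourself rather than in review.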


What can you do?

If you identify a malicious package, I suggest you submit it via the OSV process described above.  In my experience it is the fastest way to get a malicious package taken down.


Paul McCarty – @6mile

SourceCodeRed.com Security Research & Trainer


https://www.linkedin.com/in/mccartypaul/
