The npm blog has been discontinued.
npm Security Insights API Preview Part 2: Malware
This is the second in a series of blog posts we’re running to preview and gather input on the new security insights API we’re developing.
Today’s topic: malware.
For years npm has maintained the most complete corpus of malware published on the npm Registry. We have meticulously curated it, cataloging which files contain the malware payload, integrity hashes, hostnames, IPs, URLs, and other related indicators of compromise (IOC).
Malware Corpus by the Numbers
Let’s take a look at some stats about our historical malware corpus:
- 302 malware packages, 463 individual package versions combinations.
- Top 3 payload locations:
- Most popular infection method: install scripts (> 2X payloads executed at runtime)
- we’re seeing that change as attacks grow more sophisticated
- Obfuscated/encrypted payloads: just 12% of historical samples
What to Look for in the API
Historically we have not redistributed malware once it’s discovered, but that is likely to change soon. This last week, we spent time integrating our malware corpus into the new security insights API that will provide access to use and learn from this data.
What data might be available?
- historical malware package source code
- payload details, such as the location, hash and if it was obfuscated or encrypted
- indicators of compromise such as hostnames, IP addresses, URLs as well as names, locations, hashes of dropped files
Example response from the new insights API
Possible uses of this data?
Update: Signups for the private beta are now closed.