A practical guide to using the OpenSSF Malicious Packages repository and the OSV API to detect malicious open source packages in the npm and PyPI ecosystems. It covers querying the OSV API by package name and ecosystem, building a custom Kubernetes pod scanner in Python, running osv-scanner against CycloneDX SBOMs, and integrating scans into CI/CD via GitHub Actions. It also recommends best practices such as committing package-lock.json, installing with npm ci, and setting a min-release-age flag so that newly published (and potentially malicious) package versions are not consumed immediately.