Mistakes are the most common cause of vulnerabilities in open source software, but they are not the only cause. Bad actors also attempt to introduce malicious software, known as malware, into open source. Details about malware can be hard to keep track of because malware is typically taken down and is not eligible for the usual disclosure process where vulnerabilities are assigned a CVE and placed in the National Vulnerability Database (NVD).
GitHub discovers malware through multiple means such as automated scanning, security research, and community discovery. Starting today, after a malicious package is removed, we will also create an advisory to document the malware in the GitHub Advisory Database.
Malware advisories already power Dependabot alerts for impacted GitHub users. If you already use Dependabot, you’re covered with no additional action. To receive alerts on malware advisories and vulnerabilities, you can enable Dependabot by selecting enable all under the “Code security and analysis” tab.
The GitHub Advisory Database publishes security advisories that power GitHub’s supply chain security capabilities, including Dependabot alerts and Dependabot security updates. The data is licensed under a Creative Commons license and has been since the database’s inception, making it forever free and usable by the community. For more information about our supply chain security capabilities, check out the following pages: