GitHub now publishes malware advisories in the GitHub Advisory Database
To combat the prevalence of malware in the open source ecosystem, GitHub now publishes malware occurrences in the GitHub Advisory Database. These advisories power Dependabot alerts and remain forever free and usable by the community.

Mistakes are the most common cause of vulnerabilities in open source software, but they are not the only cause. Bad actors also attempt to introduce malicious software, known as malware, into open source. Details about malware can be hard to keep track of because malware is typically taken down and is not eligible for the usual disclosure process where vulnerabilities are assigned a CVE and placed in the National Vulnerability Database (NVD).
GitHub discovers malware through multiple means such as automated scanning, security research, and community discovery. Starting today, after a malicious package is removed, we will also create an advisory to document the malware in the GitHub Advisory Database.
Dependabot alerts for malware advisories
Malware advisories already power Dependabot alerts for impacted GitHub users. If you already use Dependabot, you’re covered with no additional action. To receive alerts on malware advisories and vulnerabilities, you can enable Dependabot by selecting enable all under the “Code security and analysis” tab.

Learn more about GitHub supply chain security solutions
The GitHub Advisory Database publishes security advisories that power GitHub’s supply chain security capabilities, including Dependabot alerts and Dependabot security updates. The data is licensed under a Creative Commons license and has been since the database’s inception, making it forever free and usable by the community. For more information about our supply chain security capabilities, check out the following pages:
- Learn about managing vulnerable dependencies on GitHub
- Visit the GitHub Advisory Database
Tags:
Written by
Related posts

Understand your software’s supply chain with GitHub’s dependency graph
The GitHub dependency graph maps every direct and transitive dependency in your project, so you can identify risks, prioritize fixes, and keep your code secure.

GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them
Use these insights to automate software security (where possible) to keep your projects safe.

Hack the model: Build AI security skills with the GitHub Secure Code Game
Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills.