OSS Security Feed
The OSS Security Feed is an open intelligence resource that tracks compromised or suspicious npm package releases and maintainers in a single, searchable interface. It gives developers and security teams a real-time view of malicious packages before those packages reach their pipelines or developer machines.
What It Shows
Each entry in the feed represents a package version that StepSecurity has analyzed and flagged. For every entry, you can see:
Package name and version — the exact release that was assessed
Risk level — either
Critical RiskorSafe, derived from automated analysisDetection summary — a plain-language description of what the package does and why it was flagged
Behavior tags — labels such as
install-script,obfuscated-code,typosquatting,credential-theft, andremote-code-executionthat categorize the threat type at a glanceTime of detection — how recently the package was flagged
Risk Levels
Critical Risk
The package is definitively malicious or contains behavior strongly consistent with a supply chain attack. Do not install.
Safe
The package was analyzed and no malicious behavior was detected at the time of assessment.
Risk assessments reflect conditions at the time of analysis. A Safe rating for an older version does not guarantee the current version is safe.
Reading an Analysis Report
Clicking any feed entry opens a full analysis report. Here is what each section means.
Header
Shows the package name, version, registry, risk score, and scan timestamp. A score of 0.0 indicates a definitively malicious package with no redeeming characteristics.
AI Verdict
A concise conclusion from StepSecurity's analysis engine covering the attack technique, likely intent, and recommendation. A status of rejected means the package failed analysis and poses immediate risk. When paired with critical severity, the threat is confirmed rather than suspected.
Package Summary
Describes what the package claims to be versus what it actually does, and identifies the primary use case. For malicious packages, this section will explicitly state there is no legitimate use case and explain the deception mechanism used.
Suspicious Flags
Categorical tags summarizing detected behaviors. Common flags include:
install-script
Code runs automatically during npm install
obfuscated-code
Source is deliberately obscured to hide behavior
typosquatting
Package name mimics a popular legitimate package
hidden-functionality
Package performs undocumented actions
remote-code-execution
Code is fetched from external URLs and executed at runtime
credential-theft
Targets secrets, tokens, keys, or environment variables
binary-replacement
A legitimate system binary is replaced with a malicious wrapper
Findings
For Safe packages, this section is replaced by a No security findings notice, confirming that no malicious behavior was detected for that version. The AI Verdict will show Recommended and the score will be high (e.g., 9.5/10).
For flagged packages, this is the most detailed section of the report. Each finding includes:
Severity —
critical,high, ormediumFinding type — a short classifier such as
obfuscationorinstall-script-execDescription and impact — what was found and what could happen if the package is installed
Code snippet — the exact file and line that triggered the finding
CWE reference — the relevant Common Weakness Enumeration identifier
Remediation — the recommended action
A single package may have multiple findings at different severity levels.
Acting on a Critical Risk Finding
If a package in your dependency tree appears in the feed with a Critical Risk rating follow the Responding to a Compromised npm Package guide for a full incident response walkthrough.
Last updated
Was this helpful?