Malware Detection
The malware rule blocks packages that have been identified as malicious. This rule is active on the Free plan (alongside the vulnerability rule) and is your first line of defense against known supply chain attacks.
What it detects
The rule checks each package version against nproxy's threat intelligence. It flags versions that have any of these alert types:
| Alert type | Description |
|---|---|
| malware | Known malicious code (trojans, cryptominers, credential stealers) |
| typosquatting | Package name designed to trick developers into installing it |
| protestware | Code that intentionally damages systems based on geopolitical criteria |
| troll | Packages designed to waste time or cause confusion |
How it works
- When a package is requested, nproxy fetches metadata from the upstream registry
- The proxy queries its threat intelligence API for the package's alerts (results are cached for 24 hours)
- For each version, if any alerts match the malware alert types listed above, that version is flagged
- In block mode, flagged versions are stripped from the packument. In warn mode, they are logged to the audit trail
Configuration
| Setting | Value |
|---|---|
| Default level (Free) | block |
| Default level (Pro) | block |
| Parameters | none |
The malware rule has no configurable parameters. It either checks alerts or it does not.
Fail-open behavior
If the threat intelligence service is unreachable, the rule fails open — packages are allowed through without malware checks. This ensures infrastructure issues never block legitimate work.
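The following JavaScript is an added illustration of the flow described under "How it works" together with the fail-open rule; it is example code, not nproxy's own implementation. The packument follows the standard npm registry document layout, while the alert shape (`{ version, type }`), the function names, and the cache wrapper are assumptions made for this example.

```javascript
// Added example: a reference implementation of the malware rule's flow as
// described on this page. Not nproxy's code; the alert shape and function
// names are assumptions for the example.

const MALWARE_ALERT_TYPES = new Set(['malware', 'typosquatting', 'protestware', 'troll']);

// Constructed sample packument for a hypothetical package "example-lib".
const samplePackument = {
  name: 'example-lib',
  'dist-tags': { latest: '1.2.0', stable: '1.1.0' },
  versions: {
    '1.0.0': { name: 'example-lib', version: '1.0.0' },
    '1.1.0': { name: 'example-lib', version: '1.1.0' },
    '1.2.0': { name: 'example-lib', version: '1.2.0' },
  },
  time: {
    '1.0.0': '2024-01-01T00:00:00.000Z',
    '1.1.0': '2024-02-01T00:00:00.000Z',
    '1.2.0': '2024-03-01T00:00:00.000Z',
  },
};

// Constructed alerts, shaped the way a threat-intelligence lookup might return them.
const sampleAlerts = [
  { version: '1.2.0', type: 'malware' },
  { version: '1.1.0', type: 'license' }, // not a malware alert type; the rule ignores it
];

// A version is flagged when at least one of its alerts has a malware alert type.
function flaggedVersions(packument, alerts) {
  const flagged = new Set();
  for (const alert of alerts) {
    if (MALWARE_ALERT_TYPES.has(alert.type) && alert.version in packument.versions) {
      flagged.add(alert.version);
    }
  }
  return flagged;
}

// Return a copy of the packument without the flagged versions. Dist-tags and
// publish times that point at a stripped version are dropped as well so the
// sanitized document stays consistent (the page only says "stripped from the
// packument"; removing the dangling tags is this example's choice).
function stripVersions(packument, flagged) {
  const keep = (v) => !flagged.has(v);
  const versions = Object.fromEntries(Object.entries(packument.versions).filter(([v]) => keep(v)));
  const distTags = Object.fromEntries(Object.entries(packument['dist-tags'] || {}).filter(([, v]) => keep(v)));
  const time = Object.fromEntries(Object.entries(packument.time || {}).filter(([v]) => keep(v)));
  return { ...packument, versions, 'dist-tags': distTags, time };
}

// Cache wrapper for the threat-intelligence lookup: results are kept per
// package name for ttlMs. Failures are deliberately not cached, so a transient
// outage does not suppress checks for the whole cache lifetime.
function withCache(fetchAlerts, ttlMs, now = Date.now) {
  const cache = new Map();
  return (name) => {
    const hit = cache.get(name);
    if (hit && now() - hit.at < ttlMs) return hit.alerts;
    const alerts = fetchAlerts(name); // throws when the service is unreachable
    cache.set(name, { alerts, at: now() });
    return alerts;
  };
}

// Apply the rule. fetchAlerts(name) returns the alert list or throws when the
// threat-intelligence service is unreachable; in that case the rule fails open
// and the packument is returned untouched, with the event written to the log.
function applyMalwareRule(packument, fetchAlerts, { mode = 'block', log = () => {} } = {}) {
  let alerts;
  try {
    alerts = fetchAlerts(packument.name);
  } catch (err) {
    log({ rule: 'malware', package: packument.name, event: 'fail-open', reason: err.message });
    return { packument, flagged: [], failedOpen: true };
  }
  const flagged = flaggedVersions(packument, alerts);
  for (const version of flagged) {
    log({ rule: 'malware', package: packument.name, version, action: mode === 'block' ? 'blocked' : 'warned' });
  }
  const result = mode === 'block' ? stripVersions(packument, flagged) : packument;
  return { packument: result, flagged: [...flagged].sort(), failedOpen: false };
}

// Stand-alone run: block mode over the constructed data, audit events collected in memory.
const auditTrail = [];
const outcome = applyMalwareRule(samplePackument, withCache(() => sampleAlerts, 24 * 60 * 60 * 1000), {
  mode: 'block',
  log: (event) => auditTrail.push(event),
});
console.log(JSON.stringify({ remaining: Object.keys(outcome.packument.versions), auditTrail }, null, 2));
```

In block mode the flagged `1.2.0` disappears from `versions`, the `latest` tag that pointed at it is dropped while `stable` survives, and the original packument object is left unmodified; in warn mode the same audit events are emitted but the document passes through unchanged. A thrown lookup error produces a single `fail-open` audit event and the untouched packument, which is the behaviour the section above describes.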
Real-world examples
This rule would have caught:
- ua-parser-js (2021) — Account takeover that shipped a cryptominer and credential stealer to 8M weekly downloads
- coa / rc (2021) — 23M combined weekly downloads hijacked via account takeover, deploying a password-stealing trojan
- colors.js / faker.js (2022) — Maintainer intentionally corrupted packages with infinite loops
- node-ipc (2022) — Protestware that detected Russian/Belarusian IPs and overwrote the filesystem
- lottie-player (2024) — Stolen npm token used to inject a crypto wallet drainer
- @solana/web3.js (2024) — Official SDK compromised with private key theft code
Recommended setting
Block for all teams. There is no legitimate reason to install a package that has been flagged as malware. This rule is active on the Free plan (alongside vulnerability detection) because it has the lowest false positive rate and the highest impact.