@mr-raj12 mr-raj12 commented Jan 1, 2026

Summary

Implements V2 importer for the OpenSSF malicious-packages repository to collect advisories for malicious packages.

Supported ecosystems:

  • PyPI (Python)
  • npm (JavaScript/Node.js)
  • Cargo (Rust)
  • RubyGems (Ruby)
  • Maven (Java)
  • NuGet (.NET)
  • Go

Changes:

  • Add openssf_malicious_importer.py pipeline using existing OSV format parser
  • Add unit tests covering PyPI, npm, multi-ecosystem, and unsupported ecosystem handling
  • Register importer in IMPORTERS_REGISTRY

Resolves #2019

Test Plan

  • Unit tests pass (tested via Docker)
  • Importer registered and visible in manage.py import --list
  • Manual verification with mock data in Django shell
  • Unsupported ecosystems handled gracefully

Signed-off-by: Mrityunjay Raj <mr.raj.earth@gmail.com>

Implement V2 importer for the OpenSSF malicious-packages repository
to collect advisories for malicious packages (typosquatting, dependency
confusion, etc.) across npm, PyPI, Cargo, RubyGems, Maven, NuGet, and Go.

- Add openssf_malicious_importer.py pipeline using OSV format parser
- Add comprehensive unit tests
- Register importer in IMPORTERS_REGISTRY

Reference: https://github.com/ossf/malicious-packages

Signed-off-by: Mrityunjay Raj <mr.raj.earth@gmail.com>
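As an added stand-alone illustration (not the PR's own code, which reuses the project's existing OSV parser), this sketches the behaviour the description lists: mapping OSV ecosystem names to package-URL types for the seven supported ecosystems, skipping unsupported ones instead of failing the import, and recognising the "introduced at 0, never fixed" range that malicious-package records use to flag a whole package. The ecosystem table, the dataclasses and the sample record are constructed for the example.

```python
import json
from dataclasses import dataclass

# OSV ecosystem names -> package-URL types for the seven ecosystems the PR lists
# (assumption: the example's own table, not the project's importer registry).
OSV_ECOSYSTEM_TO_PURL_TYPE = {"PyPI": "pypi", "npm": "npm", "crates.io": "cargo",
                              "RubyGems": "gem", "Maven": "maven", "NuGet": "nuget", "Go": "golang"}

@dataclass
class AffectedPackage:
    purl_type: str
    name: str
    versions: list[str]   # explicit versions, if the record lists any
    all_versions: bool    # True when a range is introduced at "0" and never fixed

@dataclass
class Advisory:
    advisory_id: str
    summary: str
    affected: list[AffectedPackage]

def _whole_package_flagged(entry: dict) -> bool:
    # Malicious-package records commonly flag every version through a range that is
    # introduced at "0" with no "fixed" event, instead of enumerating versions.
    for rng in entry.get("ranges", []):
        events = rng.get("events", [])
        if any(e.get("introduced") == "0" for e in events) and not any("fixed" in e for e in events):
            return True
    return False

def parse_malicious_advisory(raw: str) -> "Advisory | None":
    """Parse one OSV JSON record; return None when no supported package is affected."""
    record = json.loads(raw)
    affected = []
    for entry in record.get("affected", []):
        package = entry.get("package") or {}
        purl_type = OSV_ECOSYSTEM_TO_PURL_TYPE.get(package.get("ecosystem"))
        if purl_type is None or not package.get("name"):
            continue  # unsupported ecosystem or malformed entry: skip it, do not abort the import
        affected.append(AffectedPackage(purl_type, package["name"],
                                        list(entry.get("versions", [])), _whole_package_flagged(entry)))
    if not affected:
        return None
    return Advisory(record.get("id", ""), record.get("summary", ""), affected)

# Constructed sample shaped like an ossf/malicious-packages MAL-* record; not a real advisory.
SAMPLE_RECORD = json.dumps({
    "id": "MAL-0000-EXAMPLE", "summary": "Malicious code in example-pkg (npm)",
    "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]},
                 {"package": {"ecosystem": "Hex", "name": "example_pkg"}, "versions": ["0.1.0"]}]})
```

Running `parse_malicious_advisory(SAMPLE_RECORD)` keeps the npm entry (flagged for all versions) and silently drops the Hex entry, which is the "unsupported ecosystems handled gracefully" case from the test plan.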
@mr-raj12 mr-raj12 force-pushed the add-openssf-malicious-importer branch from 63bbdfa to 165791c on January 1, 2026 09:02
Successfully merging this pull request may close these issues.

Collect OSV Malicious packages