Codacy Now Detects Malicious Packages like Shai-Hulud 2.0


In recent weeks, we’ve witnessed a wave of sophisticated supply chain attacks where npm packages were compromised, most notably the Shai-Hulud 2.0 incident, which affected hundreds of packages.

While developers are accustomed to dealing with CVEs (Common Vulnerabilities and Exposures), these new threats are fundamentally different. A traditional CVE usually involves an unintentional weakness introduced into an application via a vulnerable dependency. A malicious package, however, is a weaponized dependency specifically designed to attack the developer and the build environment.

The Shai-Hulud 2.0 attack is a prime example: once installed, it attempts to exfiltrate secrets, delete files, and utilize compromised credentials to laterally infect other codebases it can access.


Bringing OpenSSF Data to Codacy

To combat this rising threat, we are integrating the OpenSSF Malicious Packages database directly into Codacy as a new detection rule. This allows you to automatically identify and block packages known to be actively hostile, rather than just vulnerable.


How it Works

We have designed this integration to be seamless for our users, ensuring you are protected at different stages of your workflow:

  • For Team Plan Customers: Detection is available at Pull Request time. As soon as a malicious package is introduced in a new PR, Codacy will flag it.

  • For Business Plan Customers: In addition to PR checks, Malicious Package Detection is now part of our daily SCA (Software Composition Analysis) scans across all repositories with the rule enabled, ensuring ongoing protection against newly discovered threats.
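As an added example, not Codacy's, Trivy's or the OpenSSF project's own code, this Python sketch shows the kind of lookup such a rule performs: it reads the `packages` map of a lockfileVersion 2/3 `package-lock.json`, matches each installed name and version against OSV-format records of the shape the OpenSSF malicious-packages database publishes, and reports the hits. The advisory ids, package names and versions are constructed placeholders, and the handling of any-version ranges and nested `node_modules` copies goes beyond what the post describes.

```python
# Constructed OSV-style records in the shape used by the OpenSSF malicious-packages
# database; the IDs, package names and versions are placeholders for this example.
MALICIOUS_RECORDS = [
    {"id": "MAL-0000-0001", "affected": [{
        "package": {"ecosystem": "npm", "name": "example-exfil"},
        # a SEMVER range introduced at "0" with no "fixed" event covers every release
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
    {"id": "MAL-0000-0002", "affected": [{
        "package": {"ecosystem": "npm", "name": "@example/widget"},
        "versions": ["2.4.1", "2.4.2"]}]},  # only these releases were hostile
]

def affects_all_versions(aff):
    """True when some range starts at version 0 and never names a fixed version."""
    for rng in aff.get("ranges", []):
        events = rng.get("events", [])
        if any(e.get("introduced") == "0" for e in events) and not any("fixed" in e for e in events):
            return True
    return False

def build_index(records):
    """Map npm package name -> [(advisory id, affected version set, or None for all)]."""
    index = {}
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "npm":
                continue  # the database also lists PyPI, RubyGems, etc.
            versions = None if affects_all_versions(aff) else set(aff.get("versions", []))
            index.setdefault(pkg["name"], []).append((rec["id"], versions))
    return index

def installed_packages(lock):
    """Yield (name, version) for every entry in a lockfileVersion 2/3 package-lock.json."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version")

def scan_lockfile(lock, records=MALICIOUS_RECORDS):
    """Return one finding per installed (name, version) that matches a malicious record."""
    index = build_index(records)
    return [{"package": n, "version": v, "id": adv}
            for n, v in installed_packages(lock)
            for adv, vers in index.get(n, [])
            if vers is None or v in vers]

# Constructed package-lock.json content (as json.load returns it); the nested copy of
# @example/widget is a clean version and must not be flagged.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/safe-lib": {"version": "1.0.0"},
    "node_modules/example-exfil": {"version": "0.3.0"},
    "node_modules/@example/widget": {"version": "2.4.1"},
    "node_modules/safe-lib/node_modules/@example/widget": {"version": "2.3.0"}}}
```

Running `scan_lockfile(SAMPLE_LOCK)` yields two findings, `example-exfil@0.3.0` and `@example/widget@2.4.1`; a PR check would fail the build on either, while the nested `2.3.0` copy passes.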


Getting Started

Given the severity of these threats, we have prioritized immediate coverage by automating the rollout of this rule:

  • Existing repositories: If you already have the Trivy rule 'Critical Insecure Dependency' enabled in your organization's Coding Standards or repository Code Patterns, the Malicious Package detection rule is automatically enabled for those repositories.

  • Newly added repositories: Any newly added repos will have this rule enabled by default unless they follow a Coding Standard that explicitly has this rule turned off.

Our Recommendation: Because malicious packages pose an immediate and severe risk to your codebase and infrastructure, we strongly recommend leaving this rule enabled across all your projects.
