Codacy Now Detects Malicious Packages like Shai-Hulud 2.0


In recent weeks, we’ve witnessed a wave of sophisticated supply chain attacks where npm packages were compromised, most notably the Shai-Hulud 2.0 incident, which affected hundreds of packages.

While developers are accustomed to dealing with CVEs (Common Vulnerabilities and Exposures), these new threats are fundamentally different. A traditional CVE usually describes an unintentional weakness that reaches an application through a vulnerable dependency: nobody meant to ship it, and it is exploitable only if an attacker finds a way to trigger it. A malicious package, however, is a weaponized dependency specifically designed to attack the developer and the build environment the moment it is installed.

The Shai-Hulud 2.0 attack is a prime example: once installed, it attempts to exfiltrate secrets, delete files, and use the stolen credentials to spread itself into other packages and repositories those credentials can reach.


Bringing OpenSSF Data to Codacy

To combat this rising threat, we are integrating the OpenSSF Malicious Packages database directly into Codacy as a new detection rule. Where a vulnerability scan asks "does this dependency have a known weakness?", this rule asks "is this exact package version known to be hostile?", so you can automatically identify and block packages that are actively malicious rather than merely vulnerable.
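To make concrete what a lookup against that database involves, here is an added example that is not Codacy's or Trivy's code: a small Python checker that reads an npm package-lock.json and looks every resolved package up in a set of OSV-format advisories, the JSON schema the OpenSSF Malicious Packages repository publishes. The advisory IDs, package names and lockfile contents below are constructed for the example and do not refer to real packages.

```python
"""Match an npm lockfile's resolved dependencies against OSV-format
malicious-package advisories.

All advisory IDs, package names and lockfile contents are constructed
sample data; none of them refer to real packages or real advisories.
"""
import json

# Constructed advisories in OSV format. Field names follow the OSV schema
# (affected[].package.ecosystem/name, affected[].versions, ranges[].events);
# the IDs and package names are hypothetical.
SAMPLE_ADVISORIES = [
    {
        "id": "MAL-0000-EXAMPLE-1",
        "summary": "Malicious code in example-color-utils (npm)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-color-utils"},
            # Compromised releases are listed as exact versions.
            "versions": ["2.4.1", "2.4.2"],
        }],
    },
    {
        "id": "MAL-0000-EXAMPLE-2",
        "summary": "Malicious code in example-typosquat (npm)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-typosquat"},
            # "introduced: 0" with no "fixed" event means every version is
            # malicious, the usual shape for a package that was never legitimate.
            "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        }],
    },
]

# Constructed package-lock.json (lockfileVersion 3 layout): keys under
# "packages" are node_modules paths, each carrying the resolved version.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-color-utils": "^2.4.0"}},
        "node_modules/example-color-utils": {"version": "2.4.2"},
        "node_modules/left-pad-like": {"version": "1.3.0"},
        # A transitive dependency nested under another package.
        "node_modules/left-pad-like/node_modules/example-typosquat": {"version": "0.0.7"},
    },
})


def lockfile_packages(lock_text):
    """Yield (name, version) for every resolved package in a v2/v3 lockfile.

    The name is everything after the last 'node_modules/', which handles
    nested installs and scoped packages (@scope/name) alike.
    """
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a link with no resolved version
        yield path.rsplit("node_modules/", 1)[1], meta["version"]


def _parse_semver(version):
    """Numeric tuple of the major.minor.patch core; prerelease/build tags ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version, affected):
    """True if `version` matches one OSV `affected` entry.

    Explicit `versions` are matched exactly. SEMVER ranges are walked in
    order: `introduced` opens a half-open range, `fixed` closes it
    ([introduced, fixed)), `last_affected` closes it inclusively, and an
    open range with no closing event covers every later version.
    """
    if version in affected.get("versions", []):
        return True
    v = _parse_semver(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "SEMVER":
            continue
        start = None
        for event in rng.get("events", []):
            if "introduced" in event:
                start = _parse_semver(event["introduced"])  # "0" -> (0,)
            elif "fixed" in event and start is not None:
                if start <= v < _parse_semver(event["fixed"]):
                    return True
                start = None
            elif "last_affected" in event and start is not None:
                if start <= v <= _parse_semver(event["last_affected"]):
                    return True
                start = None
        if start is not None and start <= v:
            return True
    return False


def find_malicious(lock_text, advisories, ecosystem="npm"):
    """Return sorted (name, version, advisory_id) triples for every hit.

    Matching is by exact package name within the ecosystem, then by version.
    The lockfile, not package.json, is scanned: the malicious release is
    whatever version was actually resolved, possibly deep in the tree.
    """
    index = {}
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") == ecosystem:
                index.setdefault(pkg["name"], []).append((adv["id"], aff))
    hits = []
    for name, version in lockfile_packages(lock_text):
        for adv_id, aff in index.get(name, []):
            if version_affected(version, aff):
                hits.append((name, version, adv_id))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, adv_id in find_malicious(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"BLOCK {name}@{version}: {adv_id}")
```

Two things this makes visible that the paragraph alone does not. First, malicious-package advisories are mostly exact-version lists or an open range starting at "0", so a match is a hard block rather than a severity to triage, and there is rarely a "fixed" version to upgrade to; the remedy is removal. Second, the check has to run over resolved versions in the lockfile, because the hostile release is typically pulled in transitively by a caret range in package.json that looked perfectly ordinary when it was written.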


How it Works

We have designed this integration to be seamless for our users, ensuring you are protected at different stages of your workflow:

  • For Team Plan Customers: Detection is available at Pull Request time. As soon as a malicious package is introduced in a new PR, Codacy will flag it.

  • For Business Plan Customers: In addition to PR checks, Malicious Package Detection is now part of our daily SCA (Software Composition Analysis) scans across all repositories with the rule enabled. This matters because a package that was clean when its PR merged can be added to the database later; the daily scan flags it as soon as it is listed.


Getting Started

Given the severity of these threats, we have prioritized immediate coverage by automating the rollout of this rule:

  • Existing repositories: If you already have the Trivy rule 'Critical Insecure Dependency' enabled in your organization's Coding Standards or repository Code Patterns, the Malicious Package detection rule is automatically enabled for those repositories.

  • Newly added repositories: Any newly added repos will have this rule enabled by default unless they follow a Coding Standard that explicitly has this rule turned off.

Our Recommendation: Because malicious packages pose an immediate and severe risk to your codebase and infrastructure, we strongly recommend leaving this rule enabled across all your projects.

