ossf/malicious-packages

Go 459 stars

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
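The reports in this repository are OSV JSON documents, so the way a practitioner uses them is to parse each record and match its `affected` entries against the packages in a lockfile. The Go program below is an added example written for this page, not code from the ossf/malicious-packages project: the OSV record it embeds is constructed (the `MAL-0000-00000` id and the `evil-helper` package names are placeholders, not a real report), and the `Installed` type stands in for whatever a lockfile parser would produce. It shows the two ways a malicious-package report typically names affected versions, an explicit `versions` list or a range opened at `"0"` with no `fixed`/`last_affected` event (meaning every version), and it normalizes PyPI names per PEP 503 so that `Evil_Helper` still matches `evil-helper`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal subset of the OSV schema needed to match a report against a dependency.
type OSVEvent struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

type OSVRange struct {
	Type   string     `json:"type"`
	Events []OSVEvent `json:"events"`
}

type OSVPackage struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
}

type OSVAffected struct {
	Package  OSVPackage `json:"package"`
	Versions []string   `json:"versions,omitempty"`
	Ranges   []OSVRange `json:"ranges,omitempty"`
}

type OSVRecord struct {
	ID       string        `json:"id"`
	Summary  string        `json:"summary"`
	Affected []OSVAffected `json:"affected"`
}

// Installed is one dependency as a lockfile parser would report it (assumed shape).
type Installed struct {
	Ecosystem, Name, Version string
}

// Constructed sample record: placeholder id and package names, not a real report.
const sampleReport = `{
  "id": "MAL-0000-00000",
  "summary": "Malicious code in evil-helper (PyPI and npm)",
  "affected": [
    {"package": {"ecosystem": "PyPI", "name": "evil-helper"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]},
    {"package": {"ecosystem": "npm", "name": "evil-helper"},
     "versions": ["1.0.0", "1.0.1"]}
  ]
}`

var pypiSep = regexp.MustCompile(`[-_.]+`)

// canonicalName applies PEP 503 normalization for PyPI; other ecosystems compare as-is.
func canonicalName(ecosystem, name string) string {
	if ecosystem == "PyPI" {
		return pypiSep.ReplaceAllString(strings.ToLower(name), "-")
	}
	return name
}

func ParseReport(data []byte) (*OSVRecord, error) {
	var rec OSVRecord
	if err := json.Unmarshal(data, &rec); err != nil {
		return nil, fmt.Errorf("parse OSV record: %w", err)
	}
	if rec.ID == "" || len(rec.Affected) == 0 {
		return nil, fmt.Errorf("OSV record missing id or affected entries")
	}
	return &rec, nil
}

// coversAllVersions is true when some range starts at "0" and never closes.
func coversAllVersions(a OSVAffected) bool {
	for _, r := range a.Ranges {
		opened, closed := false, false
		for _, e := range r.Events {
			opened = opened || e.Introduced == "0"
			closed = closed || e.Fixed != "" || e.LastAffected != ""
		}
		if opened && !closed {
			return true
		}
	}
	return false
}

// IsAffected checks the explicit version list first, then an open-ended range.
// Closed ranges need an ecosystem-aware version comparator and are not decided here.
func IsAffected(rec *OSVRecord, pkg Installed) bool {
	for _, a := range rec.Affected {
		if a.Package.Ecosystem != pkg.Ecosystem ||
			canonicalName(a.Package.Ecosystem, a.Package.Name) != canonicalName(pkg.Ecosystem, pkg.Name) {
			continue
		}
		for _, v := range a.Versions {
			if v == pkg.Version {
				return true
			}
		}
		if coversAllVersions(a) {
			return true
		}
	}
	return false
}

func MatchLockfile(rec *OSVRecord, deps []Installed) []Installed {
	var hits []Installed
	for _, d := range deps {
		if IsAffected(rec, d) {
			hits = append(hits, d)
		}
	}
	return hits
}

func main() {
	rec, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	deps := []Installed{ // constructed lockfile contents
		{"PyPI", "Evil_Helper", "0.3.1"},
		{"npm", "evil-helper", "1.0.1"},
		{"npm", "evil-helper", "2.0.0"},
		{"PyPI", "requests", "2.32.3"},
	}
	for _, h := range MatchLockfile(rec, deps) {
		fmt.Printf("%s: %s %s@%s is flagged\n", rec.ID, h.Ecosystem, h.Name, h.Version)
	}
}
```

Two of the four constructed dependencies are flagged: the PyPI one because the report's range is open-ended, and `evil-helper@1.0.1` on npm because it is in the explicit list; `2.0.0` is not listed and is left alone. A range with both `introduced` and `fixed` events is deliberately not decided by this example, because ordering versions correctly is ecosystem-specific; a real consumer should delegate that to a tool that implements each ecosystem's version rules, such as osv-scanner, rather than compare strings.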

Merged PRs: 542
Average merge time: 5 days
Fastest PR: 2m
Slowest PR: 9 months
Global speed rank: #615

PR Size Analysis

Lines changed (additions + deletions) vs review outcomes. Charts (no data populated for older PRs): PRs by size; Avg review time (hrs); Clean approval rate (%).

Top Reviewers

Recent Merged PRs

| PR | Title | Author | Time | Reviews | Blocks |
|---|---|---|---|---|---|
| #1141 | Bump the go-minor-updates group across 1 directory with 3 updates | @dependabot | 8.1h | 1 | |
| #1137 | Fix noisy gosec CI checks. | @calebbrown | 2.7h | 1 | |
| #1134 | Fix publishing dates and remove open range | @kam193 | 1 day | 1 | |
| #1135 | Add report for the malpkgv2-0 PyPI package | @behnazh-w | 1.8h | 1 | |
| #1128 | Use sed to include the reports in the error message | @calebbrown | 32m | 1 | |
| #1127 | Add a workflow to make noise when unmerged reports exist. | @calebbrown | 14.9h | 1 | |
| #1126 | Bump the go-minor-updates group with 2 updates | @dependabot | 7.9h | 1 | |
| #1125 | Bump actions/checkout from 6.0.1 to 6.0.2 in the actions-minor-updates group | @dependabot | 7.9h | 1 | |
| #1124 | added malicious sympy-dev package | @KunalSin9h | 9m | 1 | |
| #1123 | Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.94.0 to 1.95.0 in the go-minor-updates group | @dependabot | 3 days | 1 | |
| #1119 | Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.93.0 to 1.93.2 in the go-minor-updates group | @dependabot | 13 days | 1 | |
| #1121 | Bump github/codeql-action from 4.31.3 to 4.31.9 in the actions-minor-updates group | @dependabot | 6 days | 1 | |
| #1120 | Bump actions/upload-artifact from 5.0.0 to 6.0.0 | @dependabot | 13 days | 1 | |
| #1117 | Bump actions/checkout from 5.0.0 to 6.0.1 | @dependabot | 20 days | 1 | |
| #1113 | Bump golangci/golangci-lint-action from 8.0.0 to 9.2.0 | @dependabot | 27 days | 1 | |
| #1118 | Bump the go-minor-updates group with 3 updates | @dependabot | 6 days | 1 | |
| #1112 | Bump the actions-minor-updates group with 2 updates | @dependabot | 3 days | 1 | |
| #1114 | Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.92.0 to 1.92.1 in the go-minor-updates group | @dependabot | 3 days | 1 | |
| #1111 | Force pull-requests to not allow unmergable reports. | @calebbrown | 1.4h | 1 | |
| #1110 | Move aside unmergable reports during preprocessing. | @calebbrown | 3.5h | 1 | |