Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
RUNMalware Database

Every malicious package we've ever found. Searchable. Real-time.

O3's Malware Database is a continuously updated threat intelligence feed of malicious packages, typosquats, compromised maintainers, and indicators of compromise. Search it, integrate it, or let O3 check your stack against it automatically.

Package Intelligence

Every malicious package we've found. Searchable. Updated in real time.

O3's database is a continuously updated threat intelligence feed of malicious packages, typosquats, compromised maintainers, and indicators of compromise — ingested from every major registry before disclosure.

50,000+ malicious packages indexed
npm, PyPI, RubyGems, Go, Maven, NuGet
Behavioral analysis on every new publish
Full incident report + YARA rules per entry
O3 Malware Database — search result
Malicious
node-fetch-polyfillnpm
Discovered 14 May 2026 · Typosquat of node-fetch · 4,312 installs before takedown
Indicators of compromise
SHA-256
a3f8e2c1d4b9071f6e5a8c3d2b1e9f4a7c6d5e8b2a1f3d9c7b6e4a8d2f1c5b3
C2 domain
api.telemetry-cdn.workers.dev
Affected versions
1.0.0–1.2.4 (all malicious)
Behavior
Exfiltrates env vars + SSH keys via postinstall script

Incident report + YARA rules + SIEM-ready IOC export available

Typosquat Detection

One character off can cost everything. We catch it before it enters your lockfile.

O3 maintains a phonetic and edit-distance similarity index against every popular package. Typosquats are detected before they appear in your lockfile — including transitive dependency confusion attacks.

Edit distance ≤ 2 flagged for all popular packages
Phonetic similarity index (sounds-like attacks)
Dependency confusion attacks detected
Namespace squatting on internal package names
O3 Typosquat Detector
3 matches
axios16M weekly downloads
axoisedit dist: 2 · phonetic: 0.94
Malicious: env exfiltration
CRITICAL
ax1osedit dist: 2 · phonetic: 0.87
Suspicious: new account, 0 history
HIGH
axi0sedit dist: 2 · phonetic: 0.85
Suspicious: copied readme, different author
HIGH

Dependency confusion:Internal package 'acme-utils' squatted on npm public registry — higher version number will resolve first.

IOC Feed & SIEM Integration

C2 IPs. Exfiltration domains. YARA rules. Straight to your SIEM.

Indicators of compromise extracted from malicious packages — C2 IPs, exfiltration domains, payload hashes — are available as a structured feed for SIEM integration, firewall rule generation, and threat hunting.

Structured IOC feed (STIX 2.1 / JSON)
Firewall blocklist auto-generated
Splunk + Elastic + Chronicle native connectors
YARA rules for every behavioral signature
O3 IOC Feed — live export
Updated 2m ago
TypeValueSourceAdded
IP
185.220.101.47
C2 server
node-fetch-polyfill
14 May 2026
DOMAIN
api.telemetry-cdn.workers.dev
Exfil endpoint
colors-extra
12 May 2026
HASH
a3f8e2c1...f1c5b3
Payload binary
lodash-utils
10 May 2026
Export:STIX 2.1SplunkElasticFirewall rules
Automatic Stack Monitoring

Your manifest vs 50,000+ malicious packages. Checked continuously. Alerted instantly.

O3 continuously cross-references your project's dependency manifests against the malware database. When a new malicious package entry matches your stack, you get an immediate alert — no manual query required.

Continuous manifest monitoring — every push
New database entry matched against all monitored stacks
Alert in Slack, GitHub, or PagerDuty within 60 seconds
Historical scan of all past manifests on join
O3 Stack Monitor — acme-corp/api
Match found
package.json scanned · 247 dependencies · 3 dev · 12 transitive
Dependency match
[email protected]IN MALWARE DATABASE
Exfiltrates env on import
Added to DB: 12 May 2026
14:34:01Match found in package.json → GitHub PR comment added
14:34:02Slack alert sent to #security-alerts
14:34:03Jira ticket SEC-4471 created

O3 has opened a PR removing colors-extra and replacing with [email protected] (safe). Review and merge to remediate.

Threat intelligence that stays ahead of attackers.

Access O3's continuously updated malware database and stop threats before they reach your pipeline.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • O3 runs a continuous ingestion pipeline that monitors every new package publish across npm, PyPI, RubyGems, Go modules, and Maven. Each new publish is automatically submitted to a behavioral sandbox that executes the install scripts, monitors network connections, inspects file system activity, and analyzes the package's code for known malicious patterns. This analysis completes within minutes of publish, long before human researchers or CVE advisories catch up.
  • A typosquat is a malicious package with a name similar to a legitimate, popular package, designed to be installed accidentally when a developer makes a small spelling error. Examples include 'django-user-agents' vs 'django-useragents', or 'lodash' vs 'Iodash' (capital I instead of l). O3 uses phonetic matching, edit distance algorithms, and visual similarity scoring to detect typosquats and flags them before they enter your dependency tree.
  • Yes. O3 provides a REST API that accepts package name, registry, and version as inputs and returns a threat assessment in under 100ms. You can query individual packages or submit a full manifest file for bulk scanning. Official integrations exist for GitHub Actions, GitLab CI, Jenkins, and CircleCI. The API is free for open source projects and low-volume use.
  • O3 covers npm (JavaScript/Node.js), PyPI (Python), RubyGems (Ruby), Go module proxy, and Maven Central (Java). Coverage for Cargo (Rust), NuGet (.NET), and Packagist (PHP) is in active development. Each registry is monitored independently with registry-specific behavioral heuristics.
  • Each entry includes the package name, registry, affected version range, discovery date, malicious behavior classification (credential theft, backdoor, cryptominer, typosquat, etc.), indicators of compromise (C2 domains, IPs, payload hashes), a behavioral summary of what the package does, YARA rules for detection, and a link to the full incident report. IOC data is also available as a structured feed for SIEM and firewall integration.