Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
BuildMalware Detection

Malicious packages don't announce themselves. O3 finds them anyway.

O3 maintains a continuously updated database of malicious packages, typosquats, and compromised maintainer accounts. Every dependency you pull gets checked — at install time, build time, and runtime.

Typosquat Detection

Malicious packages don't announce themselves.

Attackers register packages with names one character off from trusted libraries. O3 uses edit-distance analysis and visual similarity scoring to flag packages that are likely intentional lookalikes before you ever install them.

Typosquat ScannerScanning
Suspicious PackageLegitimate PackageSimilarityStatus
node-fetch-utilsnode-fetch
91%
Typosquat
lodahslodash
88%
Typosquat
reaktreact
83%
Typosquat
Behavioral Analysis

Observed running in a sandbox. Caught before you install.

O3 executes packages in an isolated sandbox and observes their behavior — network calls, file system writes, subprocess spawns, environment variable access. A package that opens a reverse shell during installation is caught before it ever runs on your machine.

Sandbox Execution · [email protected]
Malicious behavior detected
🌐Network: POST https://198.51.100.7/collectMALICIOUS
🔐Env access: process.env (all vars read)MALICIOUS
💻Subprocess: sh -c 'base64 ...'SUSPICIOUS
📁File write: /tmp/.cache/x.shSUSPICIOUS
Install Blocking

Blocked before a single line of code runs.

O3 integrates with your package manager as a pre-install hook. If a package is flagged as malicious, the install is blocked before any code runs — before the postinstall script, before the binary, before the require.

Terminal
$ npm install node-fetch-utils
→ Resolving [email protected]...
→ Checking against O3 threat database...
✗ BLOCKED: [email protected]
Reason: Confirmed malicious (typosquat + RCE payload)
CVE: OSV-2024-1847
Did you mean: [email protected]?
npm ERR! Install aborted by O3 Security
Maintainer Intelligence

Compromised accounts. Caught before the push lands.

O3 tracks maintainer account activity across npm, PyPI, and RubyGems. Sudden ownership transfers, unusual login patterns, unexpected new releases from dormant accounts — all escalated before the malicious version reaches your pipeline.

Maintainer Risk MonitorLive
PackageMaintainerStatus
left-padazer
Trusted · 8yr account
colorsMarak
Account anomaly detected
node-ipcRIAEvangelist
BLOCKED · Malicious release

Stop malicious packages before they run.

Connect O3 to your CI pipeline. Every install is checked against live threat intelligence.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • O3 uses multiple detection layers. The primary layer is a continuously updated threat intelligence database of packages confirmed to contain malicious code, maintained by O3's threat research team and cross-referenced with public sources. Additional layers include behavioral sandbox execution to catch install-time payloads, static analysis of package code for obfuscated or suspicious patterns, and maintainer account reputation scoring based on account age, publishing history, and cross-registry identity correlation.
  • Typosquatting is when an attacker publishes a malicious package with a name intentionally similar to a popular legitimate package, for example "node-fetch-utils" to impersonate "node-fetch", or "requesets" to impersonate "requests". O3 computes edit distance, visual character similarity (including homoglyph substitutions), and structural name patterns against a database of popular packages and flags any new package with high similarity to a well-known name.
  • Yes. Many package supply chain attacks use npm postinstall or Python setup.py scripts that execute malicious code at install time, before any application code runs. O3 executes packages in an isolated behavioral sandbox before allowing them to install in your environment. Packages that open network connections, write to unexpected filesystem locations, or spawn processes during installation are flagged and blocked.
  • O3 checks packages at all three stages: install time (via integration with npm, pip, gem, and go get as pre-install hooks), build time (as part of CI pipeline scanning), and runtime (by verifying that packages loaded by a running process match their recorded hashes from install time). This layered approach catches attacks that slip past one stage, for example, a package that was clean at install but has been modified on disk by another process.
  • O3 monitors maintainer account activity across npm, PyPI, RubyGems, and other registries. Signals that indicate potential compromise include: transfer of package ownership to a new account, login from a new geographic location before a release, unusually rapid new version publication, new release shortly after the maintainer account added a new email, and discrepancies between the account's historical behavior and recent activity. When these signals fire, O3 escalates all packages owned by that account for manual review.
  • O3 supports npm (JavaScript/TypeScript), PyPI (Python), RubyGems (Ruby), Maven Central (Java), Go Modules (Go), NuGet (.NET), and Cargo (Rust). Coverage for additional registries is added on an ongoing basis based on customer usage and threat intelligence priorities.