Automated Malware Detection

Detect dependencies identified as malicious by cross-referencing your packages against known malware reports, and gate them out of your builds.

3 min readUpdated Jul 9, 2026

Enterprise feature

Included at no additional cost for FOSSA enterprise customers, and enabled automatically when the Quality feature is on. If your organization does not have Quality enabled, contact your FOSSA account team to turn it on.

Overview

Automated malware detection finds dependencies that have been identified as malicious, so you can catch supply-chain compromises before they reach production. Unlike a vulnerability, which is an unintentional security flaw, malware is code published with intent to harm, for example a hijacked package release or a typosquatted lookalike.

FOSSA flags malicious dependencies as a Quality issue and can fail your CI/CD checks when one is found, acting as a hard gate against compromised packages entering your codebase.

Note

Malware detection surfaces as a quality issue and is configured through your quality policy, even though it addresses a security concern. For known security flaws (CVEs), see Reviewing security issues.

How it works

Every time FOSSA analyzes a project, the quality scanner cross-references each direct and transitive dependency against known malware reports drawn from multiple data sources. When a package version matches a report, FOSSA raises a Malware quality issue for it. Because the underlying data is updated continuously, a dependency can be flagged on a later scan even if an earlier scan was clean.

A malware issue carries the report that identified it:

FieldDescription
NameThe malware report's title
DescriptionDetails of why the package is considered malicious
Read moreA link to the full upstream report

Enabling malware detection

Malware detection is a rule on your quality policy and runs as part of quality scanning. For enterprise organizations with quality enabled, it is turned on automatically.

  1. 1

    Turn on quality scanning

    Enable the quality scanner so FOSSA evaluates your dependencies. Organization-level defaults live at Organization Settings > Projects > Issues; you can override them per project at Project Settings > Issue Policies. See Quality Scanning.

  2. 2

    Enable the Malware Detection rule

    On the quality policy applied to your projects, enable Malware Detection. This rule "detects dependencies identified as malicious by cross-referencing packages against known malware reports."

    Quality policy Risk Intelligence section with the Malware Detection rule enabled
  3. 3

    Gate your builds (optional)

    Turn on Fail CI/CD checks for the quality scanner so a detected malicious dependency fails the project's status check and fossa test, blocking the change from merging.

Reviewing malware issues

Malicious dependencies appear alongside your other findings in the Issues tab:

  1. Open the Issues tab and select the Quality issue category.
  2. In the Issue Type filter, select Malware.
  3. Open an issue to see the malware report's name, description, and a link to read more.
Issues tab listing a dependency flagged with a Malware badge and Malicious Dependency Identified
Malware issue details showing the report name, description, and a Read more link

A flagged dependency also shows a Malicious Dependency banner in its details drawer on the project's dependencies view, linking directly to the issue.

To resolve a malware issue, remove or replace the affected dependency. See Reviewing Quality Issues for triage workflows shared across quality issue types.

How it differs from vulnerability detection

Automated malware detectionVulnerability detection
What it findsPackages published with malicious intent (supply-chain attacks)Known security flaws (CVEs) in legitimate packages
Issue categoryQualitySecurity
SourceKnown malware reportsVulnerability data sources
Typical responseRemove or replace the package immediatelyTriage by severity and reachability, then remediate

Further reading

© 2026 FOSSA, Inc.support@fossa.com