Malware Defense Evaluate API
Sonatype's Malware Defense Evaluation API enables on-demand malware checks for software artifacts: detect and classify threats quickly, automatically, and anywhere in your development pipelines.
This API leverages Sonatype's comprehensive threat intelligence to accurately pinpoint malicious components, even those embedded deep within dependencies. By integrating this API, organizations can proactively prevent malware from entering their software supply chain, reducing the risk of costly breaches and reputational damage. It streamlines security workflows by focusing on the immediate threats to your organization, enabling rapid response to secure development environments.
Component Evaluation
Evaluate a list of components for malware using a single request.
POST api/v2/malware-defense/evaluate
This request requires a request body containing the format and an array of component identifiers. Each identifier may include the truncated SHA1 hash of the component, the PackageURL, or both.
{
  "format": "string",
  "components": [
    {
      "hash": "string",
      "packageUrl": "string"
    }
  ]
}
hash: Truncated SHA1 hash
packageUrl: PackageURL
A maximum of 100 components may be sent in a single request.
curl -X POST 'http://localhost:8072/api/v2/malware-defense/evaluate' \
  -H 'Content-Type: application/json' \
  -u admin:admin123 \
  -d '{"format":"maven", "components":[{"hash":"a13168d8f7c3b9c9a899","packageUrl":"pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar"}]}'
{
  "componentList": [
    {
      "hash": "a13168d8f7c3b9c9a899",
      "packageUrl": "pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar",
      "isMalicious": true,
      "matchState": "exact",
      "malwareCategories": [
        {
          "attackVector": "trojan",
          "threatTypes": null
        }
      ]
    }
  ]
}
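The request above, built and sent from a pipeline step, as an added example (not Sonatype's own client code). It assumes, beyond what the page states, that the server is reached through an MD_BASE_URL environment variable (defaulting to the page's localhost:8072), that HTTP basic auth is used as in the curl example, and that the "truncated SHA1 hash" is the first 20 hex characters of the artifact's SHA1, matching the length of the page's sample hash. It also enforces the 100-component limit by splitting longer lists into several request bodies.

```python
"""Build and send Malware Defense evaluate requests (added example, not Sonatype code)."""
import base64
import hashlib
import json
import os
import urllib.request

EVALUATE_PATH = "/api/v2/malware-defense/evaluate"
MAX_COMPONENTS = 100      # limit stated by the page
TRUNCATED_SHA1_LEN = 20   # assumption: matches the 20-character hash in the page's example


def truncated_sha1(data):
    """Return the truncated SHA1 hex digest of an artifact's raw bytes."""
    return hashlib.sha1(data).hexdigest()[:TRUNCATED_SHA1_LEN]


def build_request(fmt, components):
    """Assemble one request body; each component needs a hash, a packageUrl, or both."""
    if not fmt:
        raise ValueError("format is required")
    if len(components) > MAX_COMPONENTS:
        raise ValueError("at most %d components per request" % MAX_COMPONENTS)
    body = []
    for comp in components:
        entry = {k: comp[k] for k in ("hash", "packageUrl") if comp.get(k)}
        if not entry:
            raise ValueError("component needs a hash or a packageUrl")
        body.append(entry)
    return {"format": fmt, "components": body}


def batch_requests(fmt, components):
    """Split a long component list into bodies that respect the 100-component limit."""
    return [build_request(fmt, components[i:i + MAX_COMPONENTS])
            for i in range(0, len(components), MAX_COMPONENTS)]


def evaluate(body, base_url=None, user="admin", password="admin123"):
    """POST one request body with basic auth and return the decoded JSON response."""
    base_url = base_url or os.environ.get("MD_BASE_URL", "http://localhost:8072")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        base_url + EVALUATE_PATH,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same component as the page's curl example.
    demo = build_request("maven", [{
        "hash": "a13168d8f7c3b9c9a899",
        "packageUrl": "pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar",
    }])
    print(json.dumps(evaluate(demo), indent=2))
```

Credentials are passed as parameters only to mirror the curl example; a real pipeline step should read them from its secret store rather than embedding them.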
How the malware tries to get onto a victim's system (reported as attackVector)
Trojan
Any malware that was developed under the guise of a unique legitimate package. In other words, it is not impersonating another package.
Brandjack
Any malware that is meant to be confused for another existing legitimate package. For example, this includes both typosquatting and namespace confusion.
Hijack
Any malware that was introduced into a pre-existing legitimate package. Most notable examples are when a developer account or build pipeline is compromised and malicious code is injected into the codebase and then a new malicious version is released to a repository. Packages where a developer decides to “go rogue” like in a protestware situation would fall into this category.
See Taxonomy of Attacks on Open-Source Software Supply Chains
What the malware does once it's on your system (reported as threatTypes)
Crypto Miner
Uses the victim's processing power for the attacker's gain
Data Exfiltration
Takes information from the victim's machine
Dropper
Grabs an executable and puts it on your system
Tamperware
Deletes or modifies files or settings on the infected system
Repository Abuser
Uses the package manager in an unintended and abusive way
Backdoor
Opens an ongoing or future way for someone to connect to the affected system
Removed
Security holdings – packages that have been removed from the repository for malware or violations of Terms of Service
Obfuscated Code
Heavily obfuscated, such that we can't tell what it does, and has other suspicious indicators
PUA
Packages you’re not going to want on your system, but don’t actually do anything malicious.
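Turning the classification above into a pipeline decision, as an added example (not Sonatype's own code). It assumes, beyond what the page states, that threatTypes, when not null, is a list of strings named like the categories above (compared case-insensitively after dropping spaces), and that matchState values other than the page's "exact" exist and deserve human review rather than an automatic block. The verdicts follow the page's own definitions: PUA "don't actually do anything malicious", so a PUA-only hit is flagged for review instead of blocked; everything else marked malicious with an exact match blocks the build.

```python
"""Map Malware Defense evaluate results to pipeline verdicts (added example, not Sonatype code)."""
import json

# Threat types the page describes as harmful once the package is on the system.
HARMFUL_THREATS = {"cryptominer", "dataexfiltration", "dropper", "tamperware",
                   "repositoryabuser", "backdoor", "removed", "obfuscatedcode"}
REVIEW_ONLY_THREATS = {"pua"}   # page: unwanted but "don't actually do anything malicious"


def _norm(name):
    """Normalise a category name so 'Crypto Miner', 'crypto_miner' and 'CRYPTOMINER' agree."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def verdict(component):
    """Return ('allow'|'review'|'block', reason) for one componentList entry."""
    if not component.get("isMalicious"):
        return "allow", "not flagged"
    vectors, threats = [], set()
    for cat in component.get("malwareCategories") or []:
        if cat.get("attackVector"):
            vectors.append(cat["attackVector"])
        for t in cat.get("threatTypes") or []:   # assumption: list of strings, or null
            threats.add(_norm(t))
    if threats and threats <= REVIEW_ONLY_THREATS:
        return "review", "potentially unwanted application only"
    if component.get("matchState") != "exact":   # assumption: non-exact matches exist
        return "review", "flagged but match is not exact (%s)" % component.get("matchState")
    detail = ",".join(vectors) or "unknown vector"
    if threats & HARMFUL_THREATS:
        detail += " / " + ",".join(sorted(threats & HARMFUL_THREATS))
    return "block", detail


def summarize(response):
    """Tally verdicts for a whole response and list the components that must block the build."""
    counts = {"allow": 0, "review": 0, "block": 0}
    blocked = []
    for comp in response.get("componentList", []):
        v, reason = verdict(comp)
        counts[v] += 1
        if v == "block":
            blocked.append((comp.get("packageUrl") or comp.get("hash"), reason))
    return counts, blocked


# Constructed sample: the page's response entry plus two invented entries (a PUA-only
# hit and a clean component) to exercise every verdict branch.
SAMPLE_RESPONSE = {"componentList": [
    {"hash": "a13168d8f7c3b9c9a899",
     "packageUrl": "pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar",
     "isMalicious": True, "matchState": "exact",
     "malwareCategories": [{"attackVector": "trojan", "threatTypes": None}]},
    {"hash": "0000000000000000pua1", "packageUrl": "pkg:npm/example-adware@0.1.0",
     "isMalicious": True, "matchState": "exact",
     "malwareCategories": [{"attackVector": "brandjack", "threatTypes": ["PUA"]}]},
    {"hash": "0000000000000clean01", "packageUrl": "pkg:npm/example-clean@2.0.0",
     "isMalicious": False, "matchState": "exact", "malwareCategories": []},
]}

if __name__ == "__main__":
    counts, blocked = summarize(SAMPLE_RESPONSE)
    print(json.dumps({"counts": counts, "blocked": blocked}, indent=2))
    raise SystemExit(1 if blocked else 0)   # non-zero exit fails the pipeline step
```

The exit status is what a CI job keys on; the "review" bucket is meant to feed a ticket or a manual gate rather than silently pass, since a non-exact match or a PUA still signals something the team should look at.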