Skip to main content

Malware Defense Evaluate API

Sonatype's Malware Defense Evaluation API enables on-demand malware checks for software artifacts. Detect and classify threats; quickly, automatically, and anywhere in your development pipelines.

This API leverages Sonatype's comprehensive threat intelligence to accurately pinpoint malicious components, even those embedded deep within dependencies. By integrating this API, organizations may proactively prevent malware from entering their software supply chain, reducing the risk of costly breaches and reputational damage. It streamlines security workflows by focusing on the immediate threats to your organization, enabling rapid response to secure development environment.

Component Evaluation

Evaluate a list of components for malware using a single request.

POST api/v2/malware-defense/evaluate

This request requires a request body element containing the format and an array of components identifiers. The identifiers may include the truncated SHA1 hash of the component, the packageURL, or both.

{
  "format": "string",
  "components": [
    {
      "hash": "string",
      "packageUrl": "string"
    }
  ]
}

A maximum of 100 components may be sent in a single request.

curl -X POST 'http://localhost:8072/api/v2/malware-defense/evaluate' \
  -H 'Content-Type: application/json' \
  -a admin:admin123 \  
  -d '{"format":"maven", "components":[{"hash":"a13168d8f7c3b9c9a899","packageUrl":"pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar"}]}'

Example Response

{
  "componentList": [
    {
      "hash": "a13168d8f7c3b9c9a899",
      "packageUrl": "pkg:maven/org.sonatype/maven-policy-demo@1.1.0?type=jar",
      "isMalicious": true,
      "matchState": "exact",
      "malwareCategories": [
        {
          "attackVector": "trojan",
          "threatTypes":[
            "secrets_exfiltration",
            "backdoor"
          ]
        }
      ]
    }
  ]
}
  • attackVector

    Malware attack vectors are the methods or pathways that cybercriminals use to deliver malware (malicious software) to a target system or network. These vectors exploit vulnerabilities in software, hardware, or human behavior to gain unauthorized access and install harmful programs.

  • threatTypes

    The malware threat types array refer to the various categories of malicious software, each designed with specific harmful objectives.

Malware Attack Vectors

How the malware tries to get onto a victim’s system.

  • Trojan

    Any malware that was developed under the guise of a unique legitimate package. In other words, it is not impersonating another package.

    trojan

  • Brandjack

    Any malware that is meant to be confused for another existing legitimate package. For example, this includes both typosquatting and namespace confusion.

    brandjack

  • Hijack

    Any malware that was introduced into a pre-existing legitimate package. Most notable examples are when a developer account or build pipeline is compromised and malicious code is injected into the codebase and then a new malicious version is released to a repository. Packages where a developer decides to “go rogue” like in a protestware situation would fall into this category.

    hijack

See Taxonomy of Attacks on Open-Source Software Supply Chains

Malware Threat Types

What the malware does once it’s on your system

  • Crypto Miner

    Uses victim's processing power for attackers gain.

    crypto_miner 

  • Host Information Exfiltration

    Takes info from victim machine and transfers it to an external location controlled by the attacker.

    host_information_exfiltration

  • Secrets Exfiltration

    Targets secrets such as credentials, logs, and user tokens.

    secrets_exfiltration

  • Dropper

    Grabs an executable and puts it on your system.

    dropper

  • Data Corruption

    Deletes or modifies files or settings on the infected system.

    data_corruption

  • Repository Abuser

    Uses the package manager in an unintended and abusive way.

    repository_abuser

  • Backdoor

    Opens an ongoing or future way for someone to connect to the affected system.

    backdoor

  • Removed

    Security holdings – packages that have been removed from the repository for malware or violations of Terms of Service.

    removed

  • Obfuscated Code

    Heavily obfuscated such that we can't tell what it does and has other suspicious indicators.

    objuscated_code

  • Potentially Unwanted Application (PUA)

    Packages you’re not going to want on your system, but don’t actually do anything malicious.

    potentially_unwanted_application