IntelliRadar: A Comprehensive Platform to Pinpoint Malicious Package Information from Cyber Intelligence

TL;DR

IntelliRadar is a comprehensive platform that leverages web scraping and large language models to detect and compile malicious software packages from unstructured sources, significantly improving early detection and coverage over existing databases.

Contribution

We developed IntelliRadar, a novel platform combining exhaustive web searches and LLMs to identify malicious packages, enhancing detection coverage and timeliness beyond current tools.

Findings

Constructed a database of 34,313 malicious packages with high precision (97.91%).

Identified 7,542 more malicious packages than OSV and 12,684 more than Snyk.

Detected and confirmed 1,981 malicious packages in downstream registries.

Abstract

Malicious packages in public registries pose serious threats to software supply chain security. While current software component analysis (SCA) tools rely on databases like OSV and Snyk to detect these threats, these databases suffer from delayed updates and incomplete coverage. However, they miss intelligence from unstructured sources like social media and developer forums, where new threats are often first reported. This delay extends the lifecycle of malicious packages and increases risks for downstream users. To address this, we developed a novel and comprehensive approach to construct a platform IntelliRadar to collect disclosed malicious package names from unstructured web content. Specifically, by exhaustively searching and snowballing the public sources of malicious package names, and incorporating large language models (LLMs) with domain-specialized Least to Most prompts, IntelliRadar ensures comprehensive collection of historical and current disclosed malicious package names from diverse unstructured sources. As a result, we constructed a comprehensive malicious package database containing 34,313 malicious NPM and PyPI package names. Our evaluation shows that IntelliRadar achieves high performance (97.91% precision) on malicious package intelligence extraction. Compared to existing databases, IntelliRadar identifies 7,542 more malicious package names than OSV and 12,684 more than Snyk. Furthermore, 76.6% of NPM components and 70.3% of PyPI components in IntelliRadar were collected earlier than in Snyk's database. IntelliRadar is also more cost-efficient, with a cost of $0.003 per piece of malicious package intelligence and only $7 per month for continuous monitoring. Furthermore, we identified and received confirmation for 1,981 malicious packages in downstream package manager mirror registries through the IntelliRadar.