Checkmarx Releases Supply Chain Threat Intelligence
January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

Based on proprietary research by Checkmarx Labs, Supply Chain Threat Intelligence offers:

- Identification of malicious packages by attack type such as dependency confusion, typosquatting, chainjacking and more

- Analysis of contributor reputation through identification of anomalous activity within open source packages

- Intelligence on the malicious behavior of packages, including static and dynamic analysis to understand how the code runs

- A data lake that allows the ongoing analysis of packages long after they have been deleted from package managers, with over one million packages scanned per month

"In 2022, Checkmarx researchers exposed some of the most prolific open source attack groups, including RED-LILI and Lofygang," said Checkmarx CEO Emmanuel Benzaquen.

Checkmarx Supply Chain Threat Intelligence is delivered as an application programming interface (API) that is simple to integrate into many dashboards and development environments. Users obtain a unique token from Checkmarx, send in a package name and version and receive threat intelligence on the package.

The API helps developers and security professionals:

- Quickly and easily identify potential threats in open source packages

- Better understand the threat actor's decision-making process

- Perform bulk queries to efficiently receive intel on large numbers of packages at once

- Stay ahead of cyber threats with real-time updates and alerts on new and emerging risks

- Gain valuable insights and context on detected threats to inform security decisions

"Our Checkmarx Labs supply chain security team discovered 150,878 unique malicious packages in 2022 alone," said Erez Yalon, VP of Security Research at Checkmarx. "We're seeing attackers continue to strike and publish malicious packages even after they've been reported. They simply create new sock-puppet accounts and nothing stops them from doing so. Their relentless malicious behavior and the increasing velocity of new malicious package releases have led us to share our threat intelligence to help keep the open source ecosystem safe."

Share this

Industry News

April 02, 2025

Kong announced the launch of the latest version of Kong AI Gateway, which introduces new features to provide the AI security and governance guardrails needed to make GenAI and Agentic AI production-ready.

April 02, 2025

Traefik Labs announced significant enhancements to its AI Gateway platform along with new developer tools designed to streamline enterprise AI adoption and API development.

April 02, 2025

Zencoder released its next-generation AI coding and unit testing agents, designed to accelerate software development for professional engineers.

April 02, 2025

Windsurf (formerly Codeium) and Netlify announced a new technology partnership that brings seamless, one-click deployment directly into the developer's integrated development environment (IDE.)

April 02, 2025

Opsera raised $20M in Series B funding.

April 02, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, is making significant updates to its certification offerings.

April 01, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the Golden Kubestronaut program, a distinguished recognition for professionals who have demonstrated the highest level of expertise in Kubernetes, cloud native technologies, and Linux administration.

April 01, 2025

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade internal developer portal based on the Backstage project.

April 01, 2025

Platform9 announced that Private Cloud Director Community Edition is generally available.

March 31, 2025

Sonatype expanded support for software development in Rust via the Cargo registry to the entire Sonatype product suite.

March 31, 2025

CloudBolt Software announced its acquisition of StormForge, a provider of machine learning-powered Kubernetes resource optimization.

March 31, 2025

Mirantis announced the k0rdent Application Catalog – with 19 validated infrastructure and software integrations that empower platform engineers to accelerate the delivery of cloud-native and AI workloads wherever the\y need to be deployed.

March 31, 2025

Traefik Labs announced its Kubernetes-native API Management product suite is now available on the Oracle Cloud Marketplace.

March 27, 2025

webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.

March 27, 2025

Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.