ThreatPkg is a public threat intelligence dashboard for npm, PyPI, Go, Rust (crates.io), Java (Maven), .NET (NuGet), RubyGems, PHP/Laravel (Packagist), and Dart/Flutter (pub.dev): compromised packages, malicious releases, and advisory identifiers (CVE, GHSA, OSV) in one searchable feed. Incidents are ingested on a regular schedule and attributed to the sources below.
Use the threat feed to scan recent incidents, open a package to review reputation and history, or drill into an incident for full context. Content is aggregated from public advisories with outbound links to original publishers—not auto-generated landing pages for every keyword.
Ecosystems we track
ThreatPkg normalizes supply-chain incidents across these registries in one feed. Each ecosystem uses OSV and GitHub advisory mappings where available; filter the live feed or open package reputation pages when a name appears in an incident.
- NPM
JavaScript and Node.js packages on the npm registry, the most common target for typosquats and postinstall malware in open source.
Example package URL: /package/npm/example
- PYPI
Python packages on PyPI, including wheels and sdists referenced in application and ML dependency trees.
Example package URL: /package/pypi/example
- GO
Go modules identified by module path; useful for cloud-native and CLI supply-chain monitoring.
Example package URL: /package/go/example
- CRATES
Rust crates on crates.io with cargo ecosystem advisories from OSV and GitHub.
Example package URL: /package/crates/example
- MAVEN
Java and JVM artifacts published to Maven Central and compatible repositories.
Example package URL: /package/maven/example
- NUGET
.NET packages on NuGet for C#, F#, and other CLR ecosystems.
Example package URL: /package/nuget/example
- RUBYGEMS
Ruby gems on RubyGems.org with linked GHSA/OSV records where published.
Example package URL: /package/rubygems/example
- LARAVEL
PHP packages via Packagist, commonly used for Laravel and Composer dependencies. Incidents link to advisories and affected package names.
Example package URL: /package/packagist/example
- FLUTTER
Dart packages on pub.dev, used by Flutter apps. Track typosquats, compromised releases, and CVE/GHSA identifiers alongside other ecosystems.
Example package URL: /package/pub/example
Data sources & credits
ThreatPkg aggregates public advisories. Advisory text, identifiers, and severity ratings belong to the original publishers. Links below point to each provider.
- OSV
Open Source Vulnerabilities database (npm, PyPI, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Pub).
- GitHub Advisory Database
Security advisories published through GitHub.
About me
Built by Akshara Hegde.