darrenpmeyer · March 13, 2025 16:07
diff --git a/0_README.md b/0_README.md
diff --git a/1_package_query.zsh b/1_package_query.zsh
 #!/usr/bin/env /bin/zsh

 ## Before running, `export THREAT_INTEL_API_TOKEN=<YOUR_TOKEN_DATA>`
 ##   Note that this is a different token than your Checkmarx One API token!

 ## This example uses the HTTPie CLI tool

 http https://api.dusti.co/v2/packages \
 Authorization:${THREAT_INTEL_API_TOKEN} \
  '[0][name]=node-ipc'\
  '[0][type]=npm'\
  '[0][version]=9.2.2'
  
diff --git a/2_example_output.json b/2_example_output.json
 [
  {
    "type": "npm",
    "name": "node-ipc",
    "status": "SCANNED",
    "version": "9.2.2",
    "ioc": [
      "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154"
    ],
    "risks": [
      {
        "id": "3fd21b8ebb6337f8b405e084e5f7b8394d10c76a",
        "description": "The malicious payload in this package has the ability to corrupt or destroy files on disk\n### About\n\nFile wiping or file destruction is a type of risk which usually done when attackers wish to cause harm. File destruction can be done in several ways such as:\n- Recursively overwriting all files with random / static content\n- Deleting all files\n- Encrypting all files and deleting the encryption key",
        "title": "Wiper",
        "score": 10
      },
      {
        "id": "7e10f2a9a922871f8cd1098060ce92a20dc6f4b1",
        "description": "This package includes functionality which aims to protest or raise an issue and might include undesired behavior.\n### About\n\nSimilar to a malicious package risk, Protestware risk may include malicious functionality [as seen in past incidents](https://checkmarx.com/blog/protestware-politics-and-open-source-software/). Protestware may contain any of the following:\n- Targeted payload\n- DOS\n- SPAM messages\n- Malicious dependencies",
        "title": "Protestware",
        "score": 5
      },
      {
        "id": "dc877dee62e5a2528e12ce1fdeade0f1c11e197f",
        "description": "This package was manually inspected by a security researcher and flagged as malicious\n### About\n\nClassifying malicious packages is an internal process, analysis is done at scale automatically via multiple engines. Once there's a risk suspicion, this is forwarded to a security researcher for a manual evaluation.\n\nAttackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages.   \n\nThe risk of having a package with a malicious payload is high. It's a common behavior for most of the malicious payloads to execute itself automatically upon installing or using the package. \n\n![infographic](https://checkmarx-scs-cdn.s3.amazonaws.com/sca/infographics/malicious-package.png)\n\nWhile some dependency vulnerabilities have the privilege to be kept as known issue due to risk-management, same does not apply in the case of a malicious package, and it should be removed with the highest priority.",
        "title": "Malicious Package",
        "score": 10
      },
      {
        "id": "a411cf63e1757a4ff8f094e296ef450094389807",
        "description": "The Contributor of this package, npm user [riaevangelist](https://www.npmjs.com/~riaevangelist), previously seen corrupting one of his popular package [node-ipc](https://checkmarx.com/blog/protestware-politics-and-open-source-software/) infected with a malicious payload. [Read more](https://checkmarx.com/blog/protestware-politics-and-open-source-software/)\n### About\n\nWe recommend freezing this package's version in your manifest file or consider finding an alternative to this package.\n\nRelying on code from an unreliable contributors could damage the integrity of the code built depends on it. There is a risk this package may be corrupted as well in future versions.",
        "title": "Historical Unreliable User Contribution",
        "score": 4
      }
    ]
  }
 ]
	#!/usr/bin/env /bin/zsh

	## Before running, `export THREAT_INTEL_API_TOKEN=<YOUR_TOKEN_DATA>`
	## Note that this is a different token than your Checkmarx One API token!

	## This example uses the HTTPie CLI tool

	http https://api.dusti.co/v2/packages \
	Authorization:${THREAT_INTEL_API_TOKEN} \
	'[0][name]=node-ipc'\
	'[0][type]=npm'\
	'[0][version]=9.2.2'
	[
	{
	"type": "npm",
	"name": "node-ipc",
	"status": "SCANNED",
	"version": "9.2.2",
	"ioc": [
	"https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154"
	],
	"risks": [
	{
	"id": "3fd21b8ebb6337f8b405e084e5f7b8394d10c76a",
	"description": "The malicious payload in this package has the ability to corrupt or destroy files on disk\n### About\n\nFile wiping or file destruction is a type of risk which usually done when attackers wish to cause harm. File destruction can be done in several ways such as:\n- Recursively overwriting all files with random / static content\n- Deleting all files\n- Encrypting all files and deleting the encryption key",
	"title": "Wiper",
	"score": 10
	},
	{
	"id": "7e10f2a9a922871f8cd1098060ce92a20dc6f4b1",
	"description": "This package includes functionality which aims to protest or raise an issue and might include undesired behavior.\n### About\n\nSimilar to a malicious package risk, Protestware risk may include malicious functionality [as seen in past incidents](https://checkmarx.com/blog/protestware-politics-and-open-source-software/). Protestware may contain any of the following:\n- Targeted payload\n- DOS\n- SPAM messages\n- Malicious dependencies",
	"title": "Protestware",
	"score": 5
	},
	{
	"id": "dc877dee62e5a2528e12ce1fdeade0f1c11e197f",
	"description": "This package was manually inspected by a security researcher and flagged as malicious\n### About\n\nClassifying malicious packages is an internal process, analysis is done at scale automatically via multiple engines. Once there's a risk suspicion, this is forwarded to a security researcher for a manual evaluation.\n\nAttackers take advantage of the excessive trust in the open-source ecosystem and launch software supply chain attacks in the form of code packages. \n\nThe risk of having a package with a malicious payload is high. It's a common behavior for most of the malicious payloads to execute itself automatically upon installing or using the package. \n\n![infographic](https://checkmarx-scs-cdn.s3.amazonaws.com/sca/infographics/malicious-package.png)\n\nWhile some dependency vulnerabilities have the privilege to be kept as known issue due to risk-management, same does not apply in the case of a malicious package, and it should be removed with the highest priority.",
	"title": "Malicious Package",
	"score": 10
	},
	{
	"id": "a411cf63e1757a4ff8f094e296ef450094389807",
	"description": "The Contributor of this package, npm user [riaevangelist](https://www.npmjs.com/~riaevangelist), previously seen corrupting one of his popular package [node-ipc](https://checkmarx.com/blog/protestware-politics-and-open-source-software/) infected with a malicious payload. [Read more](https://checkmarx.com/blog/protestware-politics-and-open-source-software/)\n### About\n\nWe recommend freezing this package's version in your manifest file or consider finding an alternative to this package.\n\nRelying on code from an unreliable contributors could damage the integrity of the code built depends on it. There is a risk this package may be corrupted as well in future versions.",
	"title": "Historical Unreliable User Contribution",
	"score": 4
	}
	]
	}
	]