Skip to main content
Endor Labs detects malware in dependencies by scanning the packages used in the project and recognizing known malicious patterns. Monitoring for known malicious packages: Endor Labs scans dependencies to identify malware by cross-referencing findings with the Open Source Vulnerability (OSV) database and data from the proprietary malware feed. Suspicious code behavior: Endor Labs uses malware detection rules and SAST rules to scan open source package dependencies for suspicious code patterns and behaviors. These rules analyze code structures, detect anomalies, and identify potential threats.

Detect malware findings

Endor Labs provides a set of malware policies designed to identify and manage malicious or suspicious code in your project, ensuring that Endor Labs detects potential security risks early.
  • The OSS finding policy detects malicious code and findings in your project. You can edit the policy to change the severity and template parameters.
  • Configure malware action policy to specify how detected malware findings should be handled automatically, including notifications, blocking actions, and workflow triggers.
  • Configure malware exception policy to exclude malware findings under defined conditions. This filters out false positives and keeps the focus on critical risks.

View malware findings

You can view the malware findings, prioritize them, and take corrective action.
  1. Sign in to Endor Labs and select Projects from the left sidebar.
  2. Select the project for which you want to view the malware.
  3. Select Malware under Code Dependencies to view malware findings. Malware Findings
  4. Select a finding to view detailed information of the malware in the right sidebar. The right sidebar contains the following information:
  • Project: The name of the project where Endor Labs finds the malware, finding policy, categories, and attributes of the project.
  • Risk Details:
    • Explanation of the finding.
    • Reasoning explains why Endor Labs classifies the package as malware.
    • Recommended remediation.
  • Metadata: Contains details such as the vulnerability IDs, ecosystem, package release date, and advisory publication date. Malware Findings Side Panel
  1. Click View Details, then select Dependency Path to view the dependency path. Malware Findings view details

Check for malicious package versions

You can check whether specific package versions are flagged as malicious by querying the Endor Labs malware database. Run the following command to make an API query. The namespace must be oss, and you can pass one or more package versions in the names list. 
endorctl api create -r QueryMalware -n oss -d '{"spec":{"package_version_names":{"names":["<ecosystem>://<package>@<version>"]}}}'
For example, run the following command to check whether the MailBee@12.3.3 package version is malicious. 
endorctl api create -r QueryMalware -n oss -d '{"spec":{"package_version_names":{"names":["nuget://MailBee@12.3.3"]}}}'
The command returns a json response with details about the package version and the reasons for marking it as malicious. 
{
  "meta": {
    "create_time": "2025-09-02T04:40:29.773434484Z",
    "kind": "QueryMalware",
    "name": "malware for ",
    "update_time": "2025-09-02T04:40:29.773434744Z",
    "version": "v1"
  },
  "responses": {
    "values": {
      "nuget://MailBee@12.3.3": {
        "list": {
          "objects": [
            {
              "meta": {
                "create_time": "2025-06-27T07:39:08.576Z",
                "index_data": {
                  "data": [
                    "@ancestor=oss"
                  ],
                  "tenant": "oss"
                },
                "kind": "Malware",
                "name": "Malicious code in MailBee (nuget)",
                "update_time": "2025-09-02T01:41:51.930710821Z",
                "upsert_time": "2025-09-02T01:41:51.930710821Z",
                "version": "v1"
              },
              "spec": {
                "additional_notes": [
                  "\n---\n_-= Per source details. Do not edit below this line.=-_\n"
                ],
                "advisory_last_updated": "2024-06-25T13:30:02Z",
                "advisory_published": "2024-06-25T13:30:02Z",
                "aliases": [
                  "MAL-2024-4540"
                ],
                "cwe_id": "CWE-506",
                "ecosystem": "ECOSYSTEM_NUGET",
                "malware_detected_on": "2024-06-25T13:30:02Z",
                "package_name": "MailBee",
                "purl": "pkg:nuget/MailBee",
                "source": "MALWARE_SOURCE_OSV",
                "status": "MALWARE",
                "summary": "Malicious code in MailBee (nuget)",
                "version": {
                  "osv_id": "MAL-2024-4540",
                  "version": "12.3.3"
                }
              },
              "tenant_meta": {
                "namespace": "oss"
              },
              "uuid": "685e4a9c9787b3b77c7ac0c0"
            }
          ],
          "response": {
            "next_page_id": "685e4a9c9787b3b77c7ac0c0",
            "next_page_token": 1
          }
        }
      }
    }
  },
  "spec": {
    "package_version_names": {
      "names": [
        "nuget://MailBee@12.3.3"
      ]
    }
  },
  "tenant_meta": {
    "namespace": "oss"
  },
  "uuid": "68b6753d19d009449113d065"
}