IntelliRadar: A Comprehensive Platform to Pinpoint Malicious Package Information from Cyber Intelligence

Wenbo Guo, Chengwei Liu, Limin Wang, Yiran Zhang, Jiahui Wu, Zhengzi Xu, Yang Liu

TL;DR

IntelliRadar tackles the delay and incompleteness of malicious package intelligence by combining exhaustive source identification, LLM-enabled extraction with chain-of-thought reasoning, and voting-based aggregation to build a comprehensive, timely database of malicious NPM and PyPI packages. The framework identifies 24 intelligence sources, collects over $50{,}000$ pages, and yields $34{,}313$ confirmed malicious package names with a precision of $97.4\%$, significantly expanding coverage beyond OSV and Snyk. It demonstrates strong timeliness, with up to $73.9\%$ of intel published before OSV and $76.6\%$ before Snyk, and achieves cost-efficiency of around $0.003$ per item and $7$ USD per month for monitoring. The resulting data support earlier warnings to downstream mirrors and offer a practical, scalable approach to strengthening open-source software supply chain security.

Abstract

Malicious packages in public registries pose serious threats to software supply chain security. While current software component analysis (SCA) tools rely on databases like OSV and Snyk to detect these threats, these databases suffer from delayed updates and incomplete coverage. In particular, they miss intelligence from unstructured sources like social media and developer forums, where new threats are often first reported. This delay extends the lifecycle of malicious packages and increases risks for downstream users. To address this, we developed a novel and comprehensive approach to construct a platform, IntelliRadar, that collects disclosed malicious package names from unstructured web content. Specifically, by exhaustively searching and snowballing the public sources of malicious package names, and by incorporating large language models (LLMs) with domain-specialized Least-to-Most prompts, IntelliRadar ensures comprehensive collection of historical and current disclosed malicious package names from diverse unstructured sources. As a result, we constructed a comprehensive malicious package database containing 34,313 malicious NPM and PyPI package names. Our evaluation shows that IntelliRadar achieves high performance (97.91% precision) on malicious package intelligence extraction. Compared to existing databases, IntelliRadar identifies 7,542 more malicious package names than OSV and 12,684 more than Snyk. Furthermore, 76.6% of NPM components and 70.3% of PyPI components in IntelliRadar were collected earlier than in Snyk's database. IntelliRadar is also more cost-efficient, with a cost of USD 0.003 per piece of malicious package intelligence and only USD 7 per month for continuous monitoring. Finally, through IntelliRadar we identified, and received confirmation for, 1,981 malicious packages in downstream package manager mirror registries.
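As an added illustration of the aggregation and timeliness ideas described in the TL;DR and abstract (example code written for this page, not the IntelliRadar authors' implementation): candidate package names reported by several independent extraction passes are normalized so that spelling variants of one package vote together, accepted only when at least two passes agree (the two-vote threshold is an assumption; the paper does not state its voting rule on this page), and the accepted set is then compared against a constructed stand-in for an OSV/Snyk publication date to compute the share of packages disclosed earlier. Apart from colorwed, which the paper's Figure 1 names, every package name and every date below is constructed sample data.

```python
"""Majority-vote aggregation of extracted package names plus an "earlier than
the reference database" timeliness metric.  Illustrative code for this page,
not IntelliRadar's own; the voting threshold and all sample data are assumptions."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample: three independent extraction passes (e.g. three LLM runs over
# different pages reporting the same incident), each yielding
# (ecosystem, package name as written on the page, disclosure date of the page).
EXTRACTIONS = [
    [("npm", "Colorwed", date(2024, 3, 1)),
     ("pypi", "Demo_Pkg_Alpha", date(2024, 3, 2)),
     ("npm", "demo-pkg-beta", date(2024, 3, 1))],
    [("npm", "colorwed", date(2024, 3, 1)),
     ("pypi", "demo.pkg.alpha", date(2024, 3, 3)),
     ("npm", "demo-benign-lib", date(2024, 3, 1))],   # a benign name mentioned in passing
    [("npm", "colorwed", date(2024, 3, 2)),
     ("pypi", "demo-pkg-alpha", date(2024, 3, 2))],
]

# Constructed stand-in for the publication dates of a reference database such as OSV or Snyk.
REFERENCE_DB = {
    ("npm", "colorwed"): date(2024, 3, 5),
    ("pypi", "demo-pkg-alpha"): date(2024, 3, 1),
    ("npm", "demo-pkg-beta"): date(2024, 3, 1),
}

_PEP503_SEPARATORS = re.compile(r"[-_.]+")


def normalize(ecosystem: str, name: str) -> tuple[str, str]:
    """Canonical key so that variants of one name are counted as the same package.
    PyPI names follow PEP 503: lowercase, with runs of '-', '_' and '.' collapsed to '-'.
    npm rejects new names containing uppercase letters, so lowercasing is a safe key."""
    eco = ecosystem.lower()
    if eco == "pypi":
        return eco, _PEP503_SEPARATORS.sub("-", name.strip()).lower()
    if eco == "npm":
        return eco, name.strip().lower()
    raise ValueError(f"unsupported ecosystem: {ecosystem}")


def aggregate(runs, min_votes: int = 2) -> dict:
    """Accept a package only if at least `min_votes` independent passes reported it,
    and keep the earliest disclosure date seen among the agreeing passes."""
    votes = defaultdict(int)
    first_seen = {}
    for run in runs:
        seen_in_run = set()
        for eco, name, disclosed in run:
            key = normalize(eco, name)
            if key in seen_in_run:          # a single pass votes once per package
                continue
            seen_in_run.add(key)
            votes[key] += 1
            first_seen[key] = min(disclosed, first_seen.get(key, disclosed))
    return {key: first_seen[key] for key, count in votes.items() if count >= min_votes}


def earlier_fraction(accepted: dict, reference: dict) -> tuple[float, int]:
    """Share of accepted packages whose disclosure predates the reference record,
    computed over the packages both sides know about.  Packages the reference lacks
    entirely are a coverage gain, not a timeliness win, so they are excluded here."""
    overlap = [key for key in accepted if key in reference]
    if not overlap:
        return 0.0, 0
    earlier = sum(1 for key in overlap if accepted[key] < reference[key])
    return earlier / len(overlap), len(overlap)


if __name__ == "__main__":
    accepted = aggregate(EXTRACTIONS)
    for (eco, name), disclosed in sorted(accepted.items()):
        print(f"{eco}/{name}: first disclosed {disclosed.isoformat()}")
    share, n = earlier_fraction(accepted, REFERENCE_DB)
    print(f"{share:.0%} of {n} overlapping packages disclosed before the reference database")
```

With the constructed input, the two singleton reports (demo-pkg-beta and the benign name) are discarded by the vote, the three spellings of demo-pkg-alpha are merged under their PEP 503 key, and one of the two accepted packages predates the reference record.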

Paper Structure (23 sections, 8 figures, 6 tables)

This paper contains 23 sections, 8 figures, 6 tables.

Figures (8)

  • Figure 1: The Timeline of Intelligence Reporting of the Malicious Package colorwed
  • Figure 2: Workflow of the IntelliRadar
  • Figure 3: Sources and classification of intelligence sources
  • Figure 4: Entity and Relationship Analysis Using the CoT Prompts
  • Figure 5: Comparison of Malicious Package Coverage in Different Databases
  • ...and 3 more figures