Registry-fetch placement, not periodic scanning
Sits in the fetch path between the build and the public registry. Tampered packages never reach the build. Different from periodic SCA scanning, which detects after the fact.
Checkmarx • Application security
Checkmarx Malicious Package Protection
Checkmarx Malicious Package Protection blocks typosquatting, dependency-confusion, and known-malicious package attacks at registry-fetch time, before the build sees them, with a curated threat feed that updates continuously across npm, PyPI, Maven Central, NuGet, Go, and more.
A Merito Malicious Package Protection engagement maps the actual fetch path across CI, developer machines, and artifact proxies, registers internal package namespaces, and wires the checkpoint so supply-chain attacks get blocked at fetch time rather than detected weeks later by SCA.
- Best for
- AppSec leaders concerned about supply-chain attacks at registry-fetch time, Engineering leaders running internal package namespaces alongside public dependencies, DevSecOps architects integrating sourcing-time controls into the build path
- Hosting
- SaaS
- Time to value
- First CI pipeline protected in days. Developer-machine and artifact-proxy coverage live in two to four weeks. Enterprise rollout across the engineering org typically runs three to six months.
- Security posture
- GDPR, HIPAA-aligned design, SAML SSO
- Last reviewed
- 2026-04-26
What it is
Checkmarx Malicious Package Protection in the enterprise stack
Checkmarx Malicious Package Protection is a sourcing-time control inside the Checkmarx One Supply Chain pillar. It sits in the package-fetch path between the developer or CI build and the public registry (npm, PyPI, Maven Central, NuGet, Go modules, Gem, Cargo, Composer) and blocks typosquatting attacks, dependency-confusion attacks, and known-malicious packages before the build resolves them. The placement matters: a tampered package that never reaches the build never executes anywhere.
Typosquatting is the dominant attack pattern. Attackers publish a package with a name one keystroke away from a popular library (lod4sh instead of lodash, requets instead of requests, electron-builder vs electron_builder) and wait for typo-driven installs. Once installed, the malicious package executes on developer machines, CI runners, and eventually production. Periodic SCA scanning catches these after the fact when the CVE database catches up; Malicious Package Protection blocks them at fetch time before the developer notices.
Dependency confusion is the second pattern. When an internal package and a public package share a name, package managers will fetch the public one if it has a higher version number. Attackers publish public packages with the same names as known internal packages and wait for the build to fetch theirs instead. Checkmarx maintains a list of known internal namespaces and blocks public packages that masquerade as them. Programs that have been hit by dependency confusion typically discover it weeks after the breach.
What kills Malicious Package Protection adoption is misplacement. The product needs to sit in the actual fetch path, which means CI build agents, developer machines, and any artifact-proxying layer (Artifactory, Nexus Repository, ProGet) need to route through the Checkmarx checkpoint. Programs that turn it on for CI but skip developer machines miss the attack surface that hits engineering laptops first. Merito's engagement maps the fetch path end-to-end, configures every checkpoint, and validates the coverage before declaring rollout complete.
Ideal use cases
- Blocking typosquatting attacks at npm, PyPI, Maven Central, NuGet, and Go module fetch time
- Preventing dependency-confusion attacks against internal package namespaces
- Sourcing-time control complementing detection-time SCA scanning
- Supply-chain governance for SLSA, NIST SSDF, and EO 14028 compliance
- Hardening CI pipelines and developer machines against malicious package attacks
What it is best at
Where Checkmarx Malicious Package Protection earns its seat
Curated threat feed updated continuously
Checkmarx maintains a real-time feed of typosquatting attacks, dependency-confusion attempts, and known-malicious packages. The feed updates faster than the public CVE database catches up.
Internal namespace protection
Programs that publish internal packages register the namespaces. Public packages that masquerade as internal ones get blocked at fetch time. Dependency-confusion attacks stop working.
Coverage across the package ecosystem
npm, PyPI, Maven Central, NuGet, Go modules, Gem, Cargo, Composer in one product. Programs stop stitching together specialist defenses per ecosystem.
Pairs with proxy-based defenses (Sonatype Repository Firewall, JFrog)
Different placement than proxy-time enforcement. Checkmarx sits at fetch; proxy firewalls sit at the artifact store. Mature programs run both as layered defense.
Core capabilities
Checkmarx Malicious Package Protection capabilities, grouped by outcome
Fetch-time blocking
Where Malicious Package Protection earns its keep against supply-chain attack windows.
Typosquatting detection
Blocks packages with names one keystroke away from popular libraries. Curated feed updates continuously as new typosquatting attempts surface.
Dependency-confusion blocking
Programs register internal package namespaces. Public packages masquerading as internal ones get blocked at fetch time.
Known-malicious package blocking
Blocks packages flagged by the curated Checkmarx threat feed before they reach the build.
Coverage across the package ecosystem
npm, PyPI, Maven Central, NuGet, Go modules, Gem, Cargo, Composer in one engine.
Threat intelligence and feed
What makes the protection real instead of cosmetic.
Curated threat feed
Continuously updated list of typosquatting attempts, dependency-confusion attacks, and malicious packages. Faster than public CVE catalogs.
Behavior-based detection
Static analysis of package contents to flag suspicious behavior (postinstall scripts that contact unexpected hosts, packages that read environment variables they should not need).
Cross-product correlation with SCA
Blocked packages cross-reference with SCA findings for a unified supply-chain view inside Checkmarx One.
Coverage and operations
Making sure the checkpoint actually sits in the fetch path.
CI build agent integration
Hooks into Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket Pipelines so CI fetches route through the checkpoint.
Developer machine integration
IDE and CLI hooks for developers running npm install, pip install, mvn install, and similar from local machines.
Artifact proxy integration
Pairs with Artifactory, Nexus Repository, and ProGet so the proxy layer also enforces fetch-time controls.
Audit logging
Every blocked fetch is logged with package name, version, source, and reason for regulated audit trails.
Where it fits in the stack
How Checkmarx Malicious Package Protection connects to the rest of your landscape
Checkmarx One platform (native)
Native- Checkmarx SCABlocked packages cross-reference with SCA findings for unified supply-chain view.
- Checkmarx Repository HealthSourcing-time scoring of OSS project hygiene complements fetch-time blocking.
- Checkmarx Software Supply Chain SecurityFetch-time blocking flows into the SLSA-aligned supply-chain governance picture.
- Checkmarx Triage and RemediationBlocked packages and related SCA findings cluster on root cause for unified reporting.
CI/CD and package ecosystems (certified)
Certified- npm, PyPI, Maven Central, NuGet, Go, Gem, Cargo, ComposerFetch-time hooks across the major package registries.
- Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket PipelinesCI build-agent integration so pipeline fetches route through the checkpoint.
- Artifactory, Nexus Repository, ProGetArtifact-proxy integration for layered fetch-time enforcement.
- VS Code, IntelliJ, npm CLI, pip CLIDeveloper-machine hooks for IDE and CLI fetches.
Custom integrations
Custom- Internal CI/CD and build systemsFetch-path integration for non-standard CI platforms and bespoke build orchestrators.
- Custom audit and SIEM integrationBlocked-fetch event export into internal SIEM, audit, and risk-management platforms.
- Custom internal-namespace registrationBulk registration of internal package namespaces across the engineering org.
Deployment and implementation
How it rolls out
- Hosting
- SaaS (North America, EMEA, APJ)
- Implementation complexity
- Moderate
- Typical time to value
- First CI pipeline protected in days. Developer-machine and artifact-proxy coverage live in two to four weeks. Enterprise rollout across the engineering org typically runs three to six months.
- Prerequisites
- Inventory of CI platforms and artifact proxies in the fetch path
- Internal package namespaces registered in Checkmarx for dependency-confusion protection
- Named DevSecOps owner
- Developer-machine deployment plan (IDE plugins or CLI hooks)
- Audit-trail integration plan for regulated programs
- What Merito usually handles
- Malicious Package Protection runs as Checkmarx One SaaS with proxy and CLI hooks for fetch-path placement. Merito handles checkpoint mapping, CI integration, developer-machine rollout, internal-namespace registration, and audit-trail wiring.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- Checkmarx Malicious Package Protection is part of the Checkmarx One Advanced and Enterprise bundles and licensed by application count, repository count, and bundle tier. Pricing depends on developer count, AI-agent seat count, and bundle. Merito holds the partner relationship and scopes the supply-chain control program separately.
- Editions and modules
Checkmarx One Advanced
Adds Malicious Package Protection alongside DAST, API Security, IaC Security, and Repository Health to the Essentials baseline.
Best for: Programs adding sourcing-time supply-chain controls to an existing SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running supply-chain governance inside a fully consolidated AppSec platform.
- Common expansion areas
- Add Checkmarx Repository Health for sourcing-time OSS project scoring
- Add Checkmarx Software Supply Chain Security for SLSA-aligned build provenance
- Add AI Supply Chain Security for AI/ML model scanning at sourcing time
- Layer Triage and Remediation to cluster supply-chain events with SCA findings
Merito services
How Merito helps you win with Checkmarx Malicious Package Protection
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Malicious Package Protection Implementation
Fetch-path mapping, CI integration, developer-machine rollout, internal-namespace registration, and audit-trail wiring.
Explore service02MAPS Assessment
Supply-chain governance scoping for Malicious Package Protection alongside Sonatype Repository Firewall and JFrog Xray.
Explore service03DevOps Consulting
Fetch-time controls integrated into CI pipelines and artifact proxies.
Explore service04CRAFT Enablement
Developer enablement for sourcing-time controls and internal-namespace discipline.
Explore service05Premium Support
Named engineer, priority SLAs, and release-time coverage for Malicious Package Protection.
Explore service06Managed Services
Long-term run support including namespace-registration maintenance, fetch-path checkpoint operation, and audit-trail evolution.
Explore service07Training and Enablement
Role-based training for DevSecOps owners, AppSec architects, and developers consuming Malicious Package Protection events.
Explore service08Staff Augmentation
Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx Malicious Package Protection licensing
License at fetch time. Map the path. Same engagement.
Malicious Package Protection pricing arrives with fetch-path mapping, CI integration, developer-machine rollout, and internal-namespace registration that turn the checkpoint into a working supply-chain control rather than a coverage-gap risk.
Merito point of view
Detection after the fact is not protection. Fetch-time blocking is.
Merito has worked with programs that ran clean SCA reports for months while typosquatting and dependency-confusion attacks were already running on developer laptops. The reason is timing. SCA scans periodically and lights up after the CVE database catches up; by then the malicious package has executed every postinstall script it wanted to. Malicious Package Protection sits at fetch time and blocks the package before the build resolves it. The placement is the point.
Merito recommends Malicious Package Protection specifically when the program publishes internal packages alongside public dependencies (dependency-confusion exposure), when the engineering org is large enough that typosquatting risk is statistically real, and when SCA-only programs have already been audited against attack scenarios. Sonatype Repository Firewall and JFrog Xray are competitive at the proxy layer; Checkmarx is at the fetch layer. Mature programs run both as layered defense.
The pairing with Repository Health is the load-bearing move on sourcing-time governance. Malicious Package Protection blocks known-bad packages; Repository Health scores OSS project hygiene before the dependency enters the tree. Programs running one without the other are filtering downstream risk without screening upstream provenance.
What buyers usually underestimate
- Adopting Malicious Package Protection only on CI and skipping developer machines, missing the laptop attack surface.
- Failing to register internal package namespaces, leaving dependency-confusion attacks exposed.
- Treating Malicious Package Protection as a replacement for SCA rather than a complement.
- Skipping artifact-proxy integration, letting fetches bypass the checkpoint through Artifactory or Nexus.
- Disabling the curated threat feed in favor of static block lists, losing real-time protection against new attacks.
Related from Merito
Continue exploring Checkmarx Malicious Package Protection on Merito
Related solutions
Related services
Related products
- Checkmarx SCADetection-time SCA companion that pairs with fetch-time blocking.
- Checkmarx Repository HealthSourcing-time scoring of OSS project hygiene.
- Checkmarx Software Supply Chain SecuritySLSA-aligned build provenance, signing, and SBOM lifecycle management.
- Checkmarx AI Supply Chain SecurityAI/ML model scanning and AI dependency risk at sourcing time.
- Checkmarx (vendor portfolio)Full Checkmarx One platform across Code, Supply Chain, Cloud, and Agentic AI.
Frequently Asked Questions
Checkmarx Malicious Package Protection FAQs
Consultation request
Talk to Merito about Checkmarx Malicious Package Protection
Share your CI fabric, internal package namespaces, and developer-machine landscape. A Merito Checkmarx specialist follows up within one business day.
Fetch-time placement
Block before the build runs
Sits in the fetch path between the build and the registry. Tampered packages never reach the build.
Internal namespace protection
Stop dependency confusion
Register internal package namespaces. Public packages masquerading as them get blocked at fetch time.
Next step
Block at fetch time, not after the postinstall script runs.
A Merito Malicious Package Protection engagement starts with fetch-path mapping and namespace registration. Detection-time SCA catches issues after they have already executed.