Product Announcement · 26 June 2026

Malscan is Live: In-Process Malware Scanning, and Free STIX Threat Feeds

The Vulnetix CLI now ships an in-process malware engine that scans the dependencies already installed on your disk — four detector families across ten ecosystems. And the intelligence it runs on is published as free STIX 2.1 feeds: per-ecosystem DNS and URL indicators, refreshed every 15 minutes, ready for your SIEM, firewall, EDR or CTI platform.

Get the STIX feeds

The registry lookup can't see inside the package. Blocklists handle install time, if the campaign is already known. Nothing in the standard toolchain handles what's already on disk — the compromised release installed before it was flagged, the vendored copy, the payload no advisory names. Malscan reads the bytes: node_modules, site-packages, vendor and target across JavaScript (npm, pnpm, yarn, bun), Python, Go, Rust, Ruby, PHP, Java, .NET, Dart and Elixir.

Four detector families, one engine

iocscan

A STIX-driven IOC sweep of the filesystem — malicious domains, IPs and URLs from the live feeds, matched against installed dependencies.

detect

Manifest and install-script analysis — curl-piped-to-shell postinstall hooks and shell obfuscation — with an intent-qualified evidence/trigger/context model.

ioc

Indicator extraction from package contents — the hardcoded C2 domain or exfil endpoint, surfaced with file and line.

badhash

A known-bad artifact-hash blocklist — renamed or re-published copies of known payloads are caught by their bytes, not their name.

The headline: free STIX 2.1 threat feeds

Every campaign Vulnetix tracks feeds two bundles per ecosystem — DNS (malicious domains and IPs) and URLs (C2 and exfiltration endpoints) — at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json for generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. Refreshed every 15 minutes, each with a .sha256 sidecar, manifested in index.json, discoverable over DNS (dig +short TXT _dns.npm.malscan.vulnetix.com), and licensed AGPL-3.0 so they stay free.

Wire it into your stack

Step-by-step integration guides: OpenCTI, MISP, Microsoft Sentinel, Splunk, Elastic Security, IBM QRadar, Cortex XSOAR, Tines, Suricata, pfSense/OPNsense, AWS GuardDuty and AWS WAF — or start at the STIX integrations hub.

No new workflow

Malscan runs as a default pass inside vulnetix scan (disable with --no-malscan), standalone as vulnetix malscan with SARIF 2.1.0 output and exit 1 as a CI gate, and complements vulnetix sca --block-malware and the Package Firewall: the firewall turns known-malicious packages away at the door, Malscan sweeps the rooms — same intelligence, both directions.

Register (FREE API key) →