The registry lookup can't see inside the package. Blocklists handle install time, if the campaign is already known. Nothing in the standard toolchain handles what's already on disk — the compromised release installed before it was flagged, the vendored copy, the payload no advisory names. Malscan reads the bytes: node_modules, site-packages, vendor and target across JavaScript (npm, pnpm, yarn, bun), Python, Go, Rust, Ruby, PHP, Java, .NET, Dart and Elixir.
Four detector families, one engine
iocscan
A STIX-driven IOC sweep of the filesystem — malicious domains, IPs and URLs from the live feeds, matched against installed dependencies.
detect
Manifest and install-script analysis — curl-piped-to-shell postinstall hooks and shell obfuscation — with an intent-qualified evidence/trigger/context model.
ioc
Indicator extraction from package contents — the hardcoded C2 domain or exfil endpoint, surfaced with file and line.
badhash
A known-bad artifact-hash blocklist — renamed or re-published copies of known payloads are caught by their bytes, not their name.
The headline: free STIX 2.1 threat feeds
Every campaign Vulnetix tracks feeds two bundles per ecosystem — DNS (malicious domains and IPs) and URLs (C2 and exfiltration endpoints) — at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json for generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. Refreshed every 15 minutes, each with a .sha256 sidecar, manifested in index.json, discoverable over DNS (dig +short TXT _dns.npm.malscan.vulnetix.com), and licensed AGPL-3.0 so they stay free.
Wire it into your stack
Step-by-step integration guides: OpenCTI, MISP, Microsoft Sentinel, Splunk, Elastic Security, IBM QRadar, Cortex XSOAR, Tines, Suricata, pfSense/OPNsense, AWS GuardDuty and AWS WAF — or start at the STIX integrations hub.
No new workflow
Malscan runs as a default pass inside vulnetix scan (disable with --no-malscan), standalone as vulnetix malscan with SARIF 2.1.0 output and exit 1 as a CI gate, and complements vulnetix sca --block-malware and the Package Firewall: the firewall turns known-malicious packages away at the door, Malscan sweeps the rooms — same intelligence, both directions.