How Malware Early Warning works
Last updated
This service begins with continuously scanning public registries to detect suspicious packages as soon as they are published. Once a potential threat is identified, it is automatically quarantined, preventing it from entering your development environment or the broader software supply chain.
The quarantined package is then reviewed by Xygeni's security engineers to verify the threat. If the threat is confirmed, it is communicated to the public registry for further validation and public disclosure. This multi-layered verification process ensures that only verified threats are acted upon, minimizing false positives and ensuring accurate threat detection.
The Malware Early Warning service also includes immediate notifications to affected users. These notifications are sent through various channels such as email, messaging platforms, and webhooks, ensuring the customers are promptly informed of any threats. This rapid response capability allows you to mitigate risks immediately and protect your software projects from potential harm.
In addition to notification and quarantine, the Early Warning service provides a detailed process for handling detected threats. This includes confirming the threat with the public registry, safely disposing of the malicious package, and publicly disclosing the threat to inform the wider community.
Malware Early Warning provides robust mechanisms to protect the software development lifecycle from integrating malicious code into the application.
The process begins when a developer introduces a new dependency into the project. The risk appears when there is no version pinning, that is, no exact dependency version is specified and used in the build process. If the version is unpinned, Xygeni raises a risk (see Xygeni CI/CD Scan), indicating that any update of the component will be integrated immediately into the application, which might introduce vulnerabilities or malware.
In this scenario, the build pipeline continues successfully with the safe component version. However, if a new malicious version of the component is released, Malware Early Warning kicks into action.
A continuous scan of public registries detects new packages and updates of existing ones. When Xygeni detects the new version of the component, it analyzes it and finds the suspicious code; it then notifies the customer immediately about the malware evidence and moves on with the process. Furthermore, it marks the component version as malware and puts it in quarantine to protect the SDLC infrastructure and the build and delivery processes.
The security checks (see Guardrails) in the CI/CD pipelines detect the component as malicious and can be configured to block the build process so that only secure dependencies are used. This preemptive action stops the deployment of compromised dependencies, avoiding not only infections but also the rework needed to remove and correct this critical issue.
Additionally, this technology can be integrated with private registries to implement a blacklisting mechanism that blocks even the availability of the malicious components in the organization.
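The two checks described above, unpinned dependencies and quarantined component versions, can be illustrated with a small CI guardrail. The following is an added example written for this page, not Xygeni's own code or API: it parses a constructed pip-style `requirements.txt`, reports any specifier that is not an exact `==` pin, and refuses the build when a pinned version appears in a quarantine list. The package names, versions and the `QUARANTINED` set are all constructed placeholders standing in for whatever feed the early-warning service would publish.

```python
"""Added example (not Xygeni's code): a minimal CI guardrail that reports
unpinned dependencies and blocks the build on quarantined package versions.

Assumptions: the manifest is a pip-style requirements.txt and the quarantine
feed is a local set of (package, version) pairs constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest: one pinned, one unpinned, and one pinned to a
# version that the (constructed) quarantine list flags as malware.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
flask>=2.0
leftpad-utils==1.2.3   # constructed name, not a real package
"""

# Constructed quarantine feed; these values are illustrative only.
QUARANTINED = {("leftpad-utils", "1.2.3")}

# name, optional comparison operator, optional version (stops at ';' or '#')
REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


@dataclass
class Finding:
    package: str
    kind: str     # "unpinned" or "quarantined"
    detail: str


def parse_requirements(text):
    """Yield (name, operator, version) for each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        yield name, op, ver


def check_dependencies(text, quarantined):
    """Return findings: unpinned specifiers and pinned-but-quarantined versions."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            findings.append(Finding(
                name, "unpinned",
                f"specifier '{op or ''}{ver}' lets the resolver pick any newer release"))
        elif (name, ver) in quarantined:
            findings.append(Finding(
                name, "quarantined", f"version {ver} is in the quarantine list"))
    return findings


def should_block_build(findings):
    """Block on any quarantined hit; unpinned specifiers are surfaced as risk only."""
    return any(f.kind == "quarantined" for f in findings)


if __name__ == "__main__":
    results = check_dependencies(SAMPLE_REQUIREMENTS, QUARANTINED)
    for f in results:
        print(f"[{f.kind}] {f.package}: {f.detail}")
    print("BUILD BLOCKED" if should_block_build(results) else "build may proceed")
```

In a real pipeline the quarantine set would be refreshed from the early-warning feed on every run, and the unpinned findings would be the same risk that the CI/CD scan raises: an `==` pin is what makes the quarantine lookup meaningful, because a floating specifier can resolve to a version that did not exist when the manifest was last reviewed.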
Continuous monitoring, real-time threat detection, and immediate blocking mechanisms collectively ensure the integrity and security of the software supply chain, protecting the organization's software applications and the security of the final users.