Aguara v0.26.0: 228,000 Known-Malicious Packages, Offline

Aguara v0.26.0 expands malicious-package coverage by understanding OSV advisories that affect every version of a package and bounded npm semver ranges.

Until now, aguara check matched advisories that list exact affected versions. Most malicious-package advisories on OSV.dev do not. They say "every version of this package is malicious", because the package was born malicious: a typosquat, a dependency-confusion probe, a credential stealer published under a plausible name. A smaller set carries real npm version bounds, the shape a compromised legitimate package leaves behind. This release imports both.

Around 196,000 npm and 6,400 PyPI packages that were invisible to a check before v0.26.0 now flag at any installed version. The check still runs entirely offline, off the snapshot embedded in the binary, and it still works pre-install, straight off the lockfile of a repo you just cloned:

$ git clone <repo> && cd <repo>
$ aguara check .

CRITICAL  package-lock.json
          --hiljson 9.9.9 is a known compromised npm package (MAL-2022-2)
          Every version of --hiljson is marked malicious.

All-versions advisories match by name

An advisory whose range starts at version 0 with no upper bound needs no version comparison at all. v0.26.0 imports those advisories as a compact set keyed by ecosystem and package name, in every ecosystem Aguara reads: npm, PyPI, Go, crates.io, Packagist, and the rest. If the name appears in your lockfile or installed tree at any version, it flags, carrying the advisory ID and its osv.dev reference.

The snapshot format gains a parallel all_versions section for this. Old binaries ignore it; new binaries accept old snapshots. No format break.

npm bounded ranges use real semver

The smaller set of malicious npm advisories with genuine version boundaries, the "compromised between 1.2.2 and the fixed release" shape, is now evaluated by the semver engine: introduced is inclusive, fixed is exclusive, verified against real OSV records. A version at or past the fix never flags. Range evaluation is npm-only on purpose; the measured residual of bounded malicious ranges outside npm is single digits, and the data killed the idea of building version grammars for the other ecosystems.

The false-positive gate got stricter, not looser

Multiplying coverage by ten is only useful if the new findings are real. During pre-release review we caught generic CVEs, including axios, @angular/core, and playwright advisories, arriving through the keyword channel as malicious range records: their advisory text or reference URLs happened to contain phrases like "credential exfiltration". A keyword false positive on an exact-version record flags a handful of versions. The same false positive on a range flags every version below the bound, which for a package like axios means everyone.

So both range channels require the firm malicious-package signal: the MAL- namespace or an OpenSSF Malicious Packages origin. Keyword-qualified records stay exact-version only, and a regression test locks the gate. Measured cost of the stricter rule: 28 packages, nearly all already covered by MAL records.

What it costs

The embedded snapshot grew from 1.0 to 3.1 MB gzipped inside the binary. Steady-state memory while a check holds the intel is 32.7 MB, measured. Checks stay deterministic and offline; the JSON output contract is unchanged, and so are all rule IDs and severities. 250 cataloged detections.

$ aguara status

Threat intel:
  Embedded (osv): 26,268 records + 202,526 all-versions entries

Full details in the release notes and CHANGELOG. For how the offline intel pipeline works end to end, see Threat intel that works offline.