94.77% catch rate on a 17,874-package corpus.

Combined npm and PyPI result against a published, disclosed-malware corpus: 13,907 known malicious samples and 3,967 clean packages. See methodology below.

May 2026. Combined npm + PyPI benchmark, 17,874 packages.

94.77% Malware catch rate

13,179 of 13,907 disclosed malware samples blocked (sandbox-disabled, static-only run). "Disclosed malware" means samples previously identified by the OSSF / Datadog feeds. Held-out, post-cutoff detection (OSSF index disabled) is materially lower.

99.62% Clean package pass rate

3,952 of 3,967 clean packages passed with no flags. 0.38% combined false-positive rate (9 npm, 6 PyPI).

17,874 Packages tested

11,319 npm and 6,555 PyPI packages across disclosed malware and clean cohorts.

How We Tested

Every package was scanned with deterministic static detectors, cross-signal correlation, and risk scoring. Sandbox routing was disabled for this baseline; a corpus-scale sandbox-enabled run is in progress. Each run is reproducible from the same corpus and the same git SHA.

Where the Packages Came From

Malicious packages come from public threat intelligence feeds. Clean packages come from top download cohorts on npm and PyPI.

Datadog Malicious Packages (malicious source)

Curated dataset of confirmed malicious npm packages with original tarballs preserved. Primary source for static detector evaluation.

OpenSSF Malicious Packages (malicious source)

Community-maintained feed that cross-references multiple public reporting channels for broader coverage.

GitHub Advisory Database (malicious source)

GHSA malware advisories from security researchers and automated detection pipelines.

npm + PyPI Top Downloads (clean baseline)

1,967 npm and 2,000 PyPI clean packages sampled from the top of the weekly download distribution. Resampled each release-validation cycle.

The malicious sources are deduplicated against each other. The release-validation cohort is 9,352 npm and 4,555 PyPI disclosed malware samples. Combined with the matched clean baselines (1,967 npm, 2,000 PyPI, sampled from the top of the registry download distribution), the total evaluation corpus is 17,874 packages.

Results by Ecosystem May 2026

Per-ecosystem detail for catch rate, clean pass rate, and corpus composition.

npm

Catch rate: 95.20% (8,903 of 9,352 npm disclosed malware samples caught)
Clean pass rate: 99.56% (1,958 of 1,967 clean packages passed with no flags; 0.44% FPR on the npm clean baseline)
Packages tested: 11,319 (9,352 disclosed malware and 1,967 clean packages evaluated)

npm Test Corpus: 11,319 packages

Malicious, caught (TP): 8,903
Malicious, missed (FN): 449
Safe, correctly passed (TN): 1,958
PyPI

Catch rate: 93.88% (4,276 of 4,555 PyPI disclosed malware samples caught)
Clean pass rate: 99.71% (1,994 of 2,000 clean packages passed with no flags; 0.29% FPR on the PyPI clean baseline)
Packages tested: 6,555 (4,555 disclosed malware and 2,000 clean packages evaluated)

PyPI Test Corpus: 6,555 packages

Malicious, caught (TP): 4,276
Malicious, missed (FN): 279
Safe, correctly passed (TN): 1,994
Why npm scores higher than PyPI

The PyPI disclosed malware corpus is dominated by sophisticated wheel-binary attacks and yanked-version-only releases (e.g., the four ultralytics 8.3.41/42/45/46 versions). The npm corpus is heavier on classic typosquats and credential-stealing postinstall scripts, which our static detectors catch trivially. The 6.12% PyPI miss rate is concentrated on attacks that need a wheel-versus-source provenance comparison or runtime sandbox observation. Both capabilities have shipped at the code level, but corpus-scale sandbox coverage is still in progress.
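As an added illustration (not the vendor's own tooling), the following Python recomputes the headline figures above from the raw per-ecosystem counts, pools the two ecosystems by summing counts rather than averaging percentages, and lists any reported figure the counts do not reproduce within a tolerance; the tolerance value and the field names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cohort:
    """Raw confusion counts for one ecosystem's static-only benchmark run."""
    name: str
    caught: int         # disclosed malware flagged (true positives)
    missed: int         # disclosed malware passed with no flags (false negatives)
    clean_passed: int   # clean packages with no flags (true negatives)
    clean_flagged: int  # clean packages flagged (false positives)

    def metrics(self) -> dict:
        """Percentages rounded to two places, as a benchmark page reports them."""
        malware = self.caught + self.missed
        clean = self.clean_passed + self.clean_flagged
        return {
            "packages": malware + clean,
            "catch_rate": round(100 * self.caught / malware, 2),
            "miss_rate": round(100 * self.missed / malware, 2),
            "clean_pass_rate": round(100 * self.clean_passed / clean, 2),
            "fpr": round(100 * self.clean_flagged / clean, 2),
        }


def pooled(cohorts: list, name: str = "combined") -> Cohort:
    """Pool raw counts first: averaging per-ecosystem percentages would weight
    each ecosystem equally regardless of its corpus size."""
    return Cohort(
        name,
        sum(c.caught for c in cohorts),
        sum(c.missed for c in cohorts),
        sum(c.clean_passed for c in cohorts),
        sum(c.clean_flagged for c in cohorts),
    )


def reconcile(cohort: Cohort, reported: dict, tolerance: float = 0.01) -> list:
    """One line per reported figure the raw counts do not reproduce within
    `tolerance` percentage points; an empty list means every figure matches."""
    computed = cohort.metrics()
    return [
        f"{cohort.name}.{key}: reported {value}, recomputed {computed[key]}"
        for key, value in reported.items()
        if abs(computed[key] - value) > tolerance
    ]


# Counts taken from the page's per-ecosystem tiles (May 2026, sandbox disabled).
NPM = Cohort("npm", caught=8903, missed=449, clean_passed=1958, clean_flagged=9)
PYPI = Cohort("pypi", caught=4276, missed=279, clean_passed=1994, clean_flagged=6)
COMBINED = pooled([NPM, PYPI])
# Headline figures as the page reports them for the pooled corpus.
REPORTED_COMBINED = {"packages": 17874, "catch_rate": 94.77, "clean_pass_rate": 99.62, "fpr": 0.38}

if __name__ == "__main__":
    for c in (NPM, PYPI, COMBINED):
        print(c.name, c.metrics())
    print(reconcile(COMBINED, REPORTED_COMBINED) or "combined figures reproduce from raw counts")
```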

Run the same engine on your own dependencies.

Free for individual developers and small teams. No credit card.

Scan your repo free: npm install -g @westbayberry/dg