Protecting yourself against malicious open-source packages
ID: 77cbc3e0-205c-5b98-aa24-11f2dc0d7734
STIX ID: report--77cbc3e0-205c-5b98-aa24-11f2dc0d7734
Feed Name: Checkmarx Zero
This Checkmarx advisory describes the risk of malicious open-source packages (using the 'Shai-Hulud' supply-chain malware as an example) that can execute on install, steal developer and cloud credentials, and propagate via repositories and CI. It argues that traditional SCA often detects such packages too late to prevent harm and recommends three core defenses — a centrally managed package manager proxy, proactive installation-time checks (dry runs and malicious-package APIs), and continuous monitoring/SCA with malicious-package protection — plus policies such as delaying the availability of newly published package versions to reduce risk.
