Home/Security
Threat model & methodology

Catches novel malware, not just known CVEs.

Traditional scanners check after install or only match known-CVE lists, which misses novel malware entirely. Upwarden analyzes every version at resolution time — fusing advisory feeds, a code-similarity scanner, and your own scanners into one verdict, and failing closed when it isn't sure.

The threat

The attack lands at resolution time

Trusted packages are compromised every few weeks — via maintainer phishing, account takeover, and malicious releases. The damage is done the moment a package manager resolves a poisoned version, long before any human reviews it.

Malicious new versions

A maintainer is compromised and ships a poisoned release of a package you already trust and depend on.

Compromised maintainers

Phishing and account takeovers turn legitimate accounts into delivery vehicles for malware at install time.

Known-vulnerable releases

Published CVEs keep flowing into builds because nothing stands between the resolver and the registry.

Verdict state machine

Every version is in one of three states

Verdicts resolve through a layered cache — hot cache, durable store, advisory range-match, then default-safe for established versions — so most requests are answered instantly.

SAFE

Served

Included in manifests; artifacts are served normally. The only added latency is a single proxy hop.

BLOCKED

Stripped

Known malicious or vulnerable. Removed from manifests entirely; direct artifact requests are refused with a clear, actionable message.

QUARANTINED

Held & scanned

Newly seen, awaiting analysis. Stripped from manifests (silent rollback) while the scanner runs — then promoted to SAFE or BLOCKED.

The scanner pipeline

How a quarantined version is judged

01

Extract

Pull the artifact (tarball / wheel / crate) and its source files.

02

Chunk

Split code into function- and class-level units via AST parsing.

03

Embed

Encode each chunk with a code-embedding model.

04

Search

Hybrid retrieval over a malware corpus — dense vector similarity fused with keyword scoring (RRF).

05

Verdict

If the closest match exceeds the similarity threshold, block; otherwise mark safe.

Fail closed. On a cache miss the request is briefly held while the scan runs. If no verdict is reached in time, the request fails closed rather than letting an unscanned artifact through — an unanalyzed package never slips past. Scans are eagerly enqueued at manifest-fetch time, so most requests hit a warm verdict.

Detection that holds up

Evaluated, not asserted

Measured on the evaluation set at the default similarity threshold.

91.7%
scanner recall
100%
precision on eval set
95.7%
F1 score
depth — incl. transitive
Layered detection

Three layers, fused into one verdict

Advisory feeds

OSV.dev, the GitHub Advisory Database and RustSec — known malware and CVEs, range-matched and stripped before the client sees the manifest.

Vector / AST similarity

Extracts, chunks and embeds source, then runs hybrid search (pgvector HNSW cosine + keyword, fused via RRF) against a malware corpus — catching novel malware by structural resemblance.

Bring your own scanner

A JWT-signed callback API lets external or commercial scanners submit verdicts — so detection is extensible, not a closed box.

Scope, honestly. Upwarden's detection centers on advisory matching and code-similarity scanning, plus typosquat detection (Team+) via per-tenant edit-distance thresholds. Dedicated dependency-confusion (internal-namespace shadowing) detection is available — you register your organisation's private namespaces and Upwarden blocks public packages that shadow them. Confirm coverage for a specific threat model with us rather than assuming it.

Accountability

Every decision is on the record

Every manifest served, tarball downloaded, and block / quarantine / rewrite decision is recorded with client identity and reason — the source of truth for incident response and compliance.

Enterprise & compliance
  • Explainable blocks. Each decision carries its reason; blocked versions are annotated in search results.
  • Tied to identity. Decisions are attributed to client and tenant — a complete trail administrators can replay.
  • No telemetry. The trail stays inside your perimeter. Nothing about your dependencies leaves your network.
  • Token-safe. Existing credentials pass through to the upstream registry unchanged — Upwarden never mints, stores or rotates them.
Install-client posture

We check the client, not just the package

Endpoint scanners tell you what was installed. Because Upwarden sits in the path, it sees what's trying to install — and can judge the client itself: is it outdated and CVE-exposed, masquerading as something it isn't, or anomalous for your organisation? A class of signal only a proxy that every install crosses can see.

Outdated-client detection

Every install client is cross-referenced against CVE feeds. A stale npm, pip or cargo is a stale CVE exposure — Upwarden flags or blocks clients below the version your policy allows, before they pull a single package.

Masquerading clients

A client that claims to be one tool while behaving like another is a known attacker move. Upwarden catches the mismatch at the point of connection — and it holds across IP rotation and renamed repositories.

Baseline & drift

Upwarden learns your organisation's normal client population and alerts on drift — a sudden shift to raw, unmanaged pulls is visible immediately. A baseline only a multi-tenant proxy can hold.

Honest about limits. Install-client posture raises the cost of attack substantially — it is not a guarantee, and we won't sell it as one. Paired with the audit log and SBOM export, it gives operators a single pane: what was pulled, by which client and developer, on what CVE-affected version.

Enterprise controls

What's available vs on the roadmap

An honest, current map of the governance and security controls. available ships today; roadmap is in active development. We list what's built — not what's aspirational.

Control Status
Single sign-on — SAML + OIDC (org self-serve)available
IP allowlisting (CIDR)available
Org-wide MFA enforcementavailable
Step-up re-auth — password factor today; server-side enforcement on sensitive ops rolling outavailable
Role-based access — capability-level, with per-tenant overridesavailable
Session management — list & revoke active sessionsavailable
Org API-key managementavailable
Audit export — CSV / JSON / NDJSON / OCSFavailable
Audit streaming to SIEM — webhooks & stream targets (gzipped JSONL)available
Owner self-service org erasure — all tiersavailable
Signed Sigstore attestations + enforced provenance verificationavailable
SBOM generation — CycloneDX 1.5 + SPDX 2.3available
Bring-your-own-scanner (JWT-signed callback)available
Detection breadth — 7/7 content-scan ecosystems + Maven bytecodeavailable
Self-hosted in your own perimeter — zero telemetryavailable
EU-hosted cloud — Frankfurt (europe-west3)available
SIEM streaming — self-serve config UI & CEF/OCSF stream formatsroadmap
SBOM scheduled exports & archiveroadmap
Per-region data residency (choose where your data sits)roadmap
Air-gapped operation + one-way global threat-intel feedroadmap

Built to deploy into sovereign, regulated and air-gapped environments. We publish what's shipped and what's planned — and deliberately don't list controls we don't yet provide. Tell us your specific compliance requirements in a demo and we'll be precise about what's available today.

Get started

Put a firewall in front of every install

Self-serve in a minute, or talk to us about your threat model.