Package Risk And Sensitive Artifacts
VersionGopher™ separates package inventory, OSV package advisories, confirmed OSV malicious-package advisories, and sensitive-artifact indicators so operators can act on the right signal without confusing package metadata with executable CVE matches.
Lockfiles, manifests, installed metadata, and repository config files
are recorded as Package Artifact rows. These rows tell you
where package-manager evidence exists.
Exact npm/PyPI package identities such as pkg:pypi/idna@3.13
can be checked against OSV advisories by a platform admin. This may
include ordinary vulnerable-package advisories and malicious-package
advisories.
This filter is narrower. It shows OSV MAL-* advisories
for packages OSV identifies as malicious supply-chain attack packages.
A package cache, lockfile, or installed metadata file proves package evidence was present. It does not automatically prove the package was imported, executed, reachable, or exploitable.
OSV Scanner JSON can be uploaded through Import just like a VersionGopher output file. VersionGopher records it as external package-risk evidence, preserving OSV package/advisory details without changing the collector.
What The Collector Stores
- Package ecosystem, artifact kind, package manager, detection reason, and confidence.
- Bounded exact npm/PyPI identity peeks when the artifact is small and structured enough to identify a package name and version.
- Path/name evidence for package artifacts that should be visible but are not safe or useful to parse deeply in the collector.
- No package-manager execution, dependency resolution, installation, extraction, or broad JSON/YAML parsing.
Sensitive Artifact Filters
The Keys, Wallets, and AI prompt artifact filters are metadata-only review lanes. They are designed to answer "where should an analyst look next" without retaining the sensitive content itself.
- Keys: PEM, OpenSSH, and PPK private-key material is detected from strong headers. Key bodies are not stored.
- Wallets: Wallet databases, Ethereum keystore paths, selected wallet browser-extension storage markers, and wallet-recovery note names are detected from high-signal path/name context. Seeds and wallet contents are not stored.
- AI prompt artifacts: Assistant instruction files such as
.cursorrules,CLAUDE.md, and.cursor/rulescan be flagged for hidden Unicode, assistant-override wording, credential/webhook references, or package lifecycle-hook references. Prompt bodies and hidden payload text are not stored.
Operator Workflow
- Run or import a current 0.7.1+ collector scan.
- Use the Packages filter to see package/repository evidence.
- Use the dashboard status card to see whether stored package-advisory matches exist for the current scope.
- Let the scheduled feed job keep the PG18 OSV package vulnerability catalog current; platform admins can also refresh that catalog on demand from Settings.
- Ask a platform admin to run the bounded OSV check when exact npm/PyPI identities exist and the stored package-advisory status is missing or stale.
- Upload OSV Scanner JSON reports when package teams already use OSV tooling and want those results visible in the VersionGopher Package Risk lane.
- Use Package Advisories for all OSV package matches and Malicious Packages for OSV
MAL-*matches only. - Open the file card to see whether the evidence came from active installed metadata, a lockfile, a cache, or a repository file.
- Use the assessment report when the scan needs a buyer, executive, or review-board summary.