Threat Detection

Coordinated Burst Detection

Automated supply chain attacks flood registries with dozens of malicious packages in minutes. Hextrap detects this unnatural publishing velocity and flags all packages in the burst.

How Mass Publishing Attacks Work

Modern supply chain attacks are increasingly automated. Instead of publishing a single malicious package and hoping someone installs it, attackers use scripts to publish dozens or hundreds of packages in rapid succession. Each package targets a different popular library name with slight variations, maximizing the chance that at least one will catch a developer's typo.

These attacks often appear as waves: 10-50 packages from the same author (or set of newly-created accounts) within a 30-minute window. The packages typically share the same malicious payload with only the package name changed.

How Hextrap Detects Coordinated Bursts

Hextrap monitors the publishing velocity of every author across all three supported registries (PyPI, npm, Go):

  • Author velocity: 5+ packages from the same author within a 30-minute window triggers the signal
  • Typosquat clustering: 3+ suspected typosquat packages appearing in the same time window, even from different authors
  • Payload similarity: Packages in a burst that share identical or near-identical source code patterns

When a burst is detected, all packages in the cluster are flagged with the COORDINATED_BURST signal. This catches packages that might individually pass other checks but are suspicious as a group.
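The sliding-window logic described above, as an added example that is not Hextrap's own code: it runs the author-velocity and typosquat-clustering thresholds over a constructed stream of publish events (the authors, timestamps and the per-package typosquat flag are assumed inputs, with the account and package names after the first eight being made up) and flags every package inside a qualifying window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
AUTHOR_THRESHOLD = 5     # 5+ packages from one author inside the window
TYPOSQUAT_THRESHOLD = 3  # 3+ suspected typosquats inside the window, any authors
SIGNAL = "COORDINATED_BURST"


def _clusters(events, threshold):
    """Sliding window over time-sorted events: return the names of every event
    that belongs to a run of >= threshold events fitting inside WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    flagged, start = set(), 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > WINDOW:
            start += 1  # shrink the window until it spans at most 30 minutes
        if end - start + 1 >= threshold:
            flagged.update(e["name"] for e in events[start:end + 1])
    return flagged


def detect_bursts(events):
    """Return {package_name: reason} for every package in a coordinated burst."""
    flagged = {}
    by_author = defaultdict(list)
    for e in events:
        by_author[e["author"]].append(e)
    for author, evs in by_author.items():          # per-author velocity
        for name in _clusters(evs, AUTHOR_THRESHOLD):
            flagged[name] = f"{SIGNAL}: author velocity ({author})"
    typos = [e for e in events if e["typosquat"]]  # cross-author clustering
    for name in _clusters(typos, TYPOSQUAT_THRESHOLD):
        flagged.setdefault(name, f"{SIGNAL}: typosquat clustering")
    return flagged


# Constructed sample: one author bursting 8 typosquats in ~12 minutes, three fresh
# accounts each dropping one typosquat 10 minutes apart, and a normal maintainer.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = (
    [{"author": "mal-actor-2024", "name": n, "typosquat": True,
      "ts": T0 + timedelta(minutes=1.5 * i)}
     for i, n in enumerate(["reqeusts", "requestes", "r3quests", "request5",
                            "requestz", "requst", "requsts", "requ3sts"])]
    + [{"author": f"new-acct-{i}", "name": f"numpi-{i}", "typosquat": True,
        "ts": T0 + timedelta(hours=3, minutes=10 * i)} for i in range(3)]
    + [{"author": "maintainer", "name": n, "typosquat": False,
        "ts": T0 + timedelta(hours=6 + i)} for i, n in enumerate(["mylib", "mylib-cli"])]
)

if __name__ == "__main__":
    for name, why in sorted(detect_bursts(SAMPLE_EVENTS).items()):
        print(f"{name:12} {why}")
```

The maintainer's two releases an hour apart produce no signal, while the three single-package accounts are still caught because their typosquats land in one window.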

Real-World Impact

Some of the largest supply chain attacks have used this technique:

  • npm typosquat campaigns: Attackers have published 40+ typosquats of popular packages in a single session, each containing the same credential-stealing payload
  • PyPI flooding: Automated scripts that generate hundreds of packages targeting different internal company names for dependency confusion attacks
  • Coordinated multi-registry attacks: Publishing the same malicious package across PyPI, npm, and Go simultaneously to maximize reach

By detecting the burst pattern rather than analyzing each package in isolation, Hextrap can flag the entire campaign even if individual packages are crafted to avoid other detection signals.

Severity: HIGH
Signal Type: COORDINATED_BURST
Detection Phase: Phase 1 (Inline)
Registries: PyPI, npm, Go
Method: Publishing velocity analysis
Threshold: 5+ packages / 30 min (same author)

Real-World Example

Author: mal-actor-2024
Published in 12 minutes:
  - reqeusts      (typosquat)
  - requestes     (typosquat)
  - r3quests      (typosquat)
  - request5      (typosquat)
  - requestz      (typosquat)
  - requst        (typosquat)
  - requsts       (typosquat)
  - requ3sts      (typosquat)

Signal: COORDINATED_BURST (HIGH)

Detect Automated Attack Campaigns

Velocity-based detection catches what single-package analysis misses