{"id":94688,"date":"2026-03-17T14:51:29","date_gmt":"2026-03-17T21:51:29","guid":{"rendered":"https:\/\/github.blog\/changelog\/2026-03-19-dependabot-now-detects-malware-in-npm-dependencies"},"modified":"2026-03-19T14:56:43","modified_gmt":"2026-03-19T21:56:43","slug":"dependabot-now-detects-malware-in-npm-dependencies","status":"publish","type":[3522],"link":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies","title":{"rendered":"Dependabot now detects malware in npm dependencies"},"content":{"rendered":"<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD HTML 4.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/REC-html40\/loose.dtd\">\n<html><body><p>You can now receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories in the GitHub Advisory Database.<\/p>\n<h2 id=\"how-it-works\" id=\"how-it-works\" ><a class=\"heading-link\" href=\"#how-it-works\">How it works<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<ul>\n<li><strong>Opt-in enablement<\/strong>: Enable malware alerting via a new toggle in your repository, organization, or enterprise security settings alongside your existing Dependabot alerts configuration. You can also enforce malware alerting through security configurations.\n<\/li>\n<li>\n<p><strong>Separated from traditional alerts<\/strong>: Malware alerts appear as a distinct subcategory within Dependabot alerts, keeping them clearly separated from CVE-based vulnerability alerts so you can triage each category on its own terms.<\/p>\n<\/li>\n<li>\n<p><strong>Configurable alert rules<\/strong>: New Dependabot rule options let you fine-tune malware alerting by:<\/p>\n<ul>\n<li>Malware type (malicious version vs. 
entire malicious package)<\/li>\n<li>Ecosystem<\/li>\n<li>Package scope or name patterns<\/li>\n<li>Bulk dismiss and reopen actions via multi-select filters<\/li>\n<\/ul>\n<\/li>\n<li><strong>Backfill on enablement<\/strong>: When you turn on malware alerting, Dependabot backfills alerts for any existing malware advisories that match your dependencies, so you get immediate visibility into your current risk.\n<\/li>\n<\/ul>\n<p>In 2022, we <a href=\"https:\/\/github.blog\/changelog\/2022-07-01-dependabot-alerts-paused-for-malware-advisories\/\">paused malware alerting<\/a> due to false-positive noise from public and private packages sharing names. We&rsquo;ve redesigned the experience with opt-in controls, auto-triage rules that alert only on malware versions by default, and clear separation from CVE-based alerts to give you malware visibility without the noise. You may still see false positives if a private package shares a name with a known malicious public package. We recommend configuring <a href=\"https:\/\/docs.github.com\/code-security\/concepts\/supply-chain-security\/about-dependabot-auto-triage-rules\">Dependabot rules<\/a> to reduce false positives if you use private packages.<\/p>\n<h2 id=\"ecosystem-coverage\" id=\"ecosystem-coverage\" ><a class=\"heading-link\" href=\"#ecosystem-coverage\">Ecosystem coverage<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Today, malware alerting covers the <strong>npm<\/strong> ecosystem, powered by advisories from the <a href=\"https:\/\/github.com\/advisories\">GitHub Advisory Database<\/a>. 
We&rsquo;re actively working to expand coverage to additional ecosystems through integration with feeds like the <a href=\"https:\/\/openssf.org\/\">OpenSSF Malware Streams<\/a> project.<\/p>\n<h2 id=\"getting-started\" id=\"getting-started\" ><a class=\"heading-link\" href=\"#getting-started\">Getting started<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<ol>\n<li>Navigate to your repository or organization <strong>Settings &rarr; Code security &rarr; Dependabot<\/strong>.<\/li>\n<li>Enable <strong>Malware alerts<\/strong> under the &ldquo;Dependabot alerts&rdquo; section.<\/li>\n<li>Optionally, configure Dependabot alert rules to customize which malware alerts you receive. This is especially important if your organization uses private registries.<\/li>\n<\/ol>\n<p>Learn more about <a href=\"https:\/\/gh.io\/dependabot-malware\">malware alerts for Dependabot<\/a>.<\/p>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"<p>You can now receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. 
When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories&hellip;<\/p>\n","protected":false},"author":2106,"featured_media":0,"template":"","meta":{"_gh_post_show_toc":"","_gh_post_is_no_robots":"","_gh_post_is_featured":"","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","footnotes":"","_links_to":"","_links_to_target":"","primary_cta":"","primary_cta_url":"","secondary_cta":"","secondary_cta_url":""},"label":[3630],"group":[3810],"coauthors":[3100],"class_list":["post-94688","changelog","type-changelog","status-publish","hentry","changelog-type-improvements","changelog-label-supply-chain-security","changelog-group-03-2026"],"yoast_head_json":{"title":"Dependabot now detects malware in npm dependencies - GitHub Changelog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/","og_locale":"en_US","og_type":"article","og_title":"Dependabot now detects malware in npm dependencies \u00b7 GitHub Changelog","og_description":"You can now receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories&hellip;","og_url":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/","og_site_name":"The GitHub Blog","article_modified_time":"2026-03-19T21:56:43+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/github.blog\/wp-content\/uploads\/2026\/03\/560556856-2150e08e-6af6-4d7d-9f42-3b752eaa857d.jpeg","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes","Written by":"Allison"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/","url":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/","name":"Dependabot now detects malware in npm dependencies - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"datePublished":"2026-03-17T21:51:29+00:00","dateModified":"2026-03-19T21:56:43+00:00","breadcrumb":{"@id":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/changelog\/2026-03-17-dependabot-now-detects-malware-in-npm-dependencies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Changelogs","item":"https:\/\/github.blog\/changelog\/"},{"@type":"ListItem","position":3,"name":"Dependabot now detects malware in npm dependencies"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design 
software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"jetpack_sharing_enabled":true}