Package Risk And Sensitive Artifacts
VersionGopher™ separates package inventory, OSV package advisories, confirmed OSV malicious-package advisories, and sensitive-artifact indicators so operators can act on the right signal without confusing package metadata with executable CVE matches.
Lockfiles, manifests, installed metadata, and repository config files are recorded as Package Artifact rows. These rows tell you where package-manager evidence exists.
Exact npm/PyPI package identities such as pkg:pypi/idna@3.13 can be checked against OSV advisories. Matches may include both ordinary vulnerable-package advisories and malicious-package advisories.
The Malicious Packages filter is narrower: it shows only OSV MAL-* advisories, for packages OSV identifies as malicious supply-chain attack packages.
A package cache, lockfile, or installed metadata file proves package evidence was present. It does not automatically prove the package was imported, executed, reachable, or exploitable.
OSV Scanner JSON can be uploaded through Import just like a VersionGopher output file. VersionGopher records it as external package-risk evidence, preserving OSV package/advisory details without changing the collector.
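The two OSV lanes described above, as an added example that is not VersionGopher's own code: it turns an exact purl into an OSV v1/query request body and routes each returned advisory id to the Package Advisories or Malicious Packages (MAL-*) lane. The response it processes is constructed inline, not a live OSV lookup, and the advisory ids in it are placeholders.

```python
"""Split OSV results for an exact npm/PyPI identity into two review lanes:
ordinary package advisories and OSV MAL-* malicious-package advisories.
Added example, not VersionGopher code; the request body follows the public
OSV /v1/query schema, the response below is constructed."""
import json
import re
from dataclasses import dataclass, field

# purl type -> OSV ecosystem name; only the two ecosystems the collector peeks at.
PURL_ECOSYSTEMS = {"pypi": "PyPI", "npm": "npm"}

# Matches pkg:pypi/idna@3.13 or pkg:npm/%40scope/name@1.2.3 (npm scopes are
# percent-encoded inside a purl).
_PURL_RE = re.compile(r"^pkg:(?P<type>[a-z]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)$")


@dataclass
class AdvisoryLanes:
    purl: str
    advisories: list = field(default_factory=list)  # Package Advisories lane
    malicious: list = field(default_factory=list)   # Malicious Packages lane


def osv_query_for_purl(purl: str) -> dict:
    """Build the OSV /v1/query request body for an exact npm/PyPI purl."""
    m = _PURL_RE.match(purl)
    if not m or m["type"] not in PURL_ECOSYSTEMS:
        raise ValueError(f"not an exact npm/PyPI purl: {purl}")
    name = m["name"].replace("%40", "@")  # undo purl encoding of npm scopes
    return {"package": {"name": name, "ecosystem": PURL_ECOSYSTEMS[m["type"]]},
            "version": m["version"]}


def split_lanes(purl: str, osv_response: dict) -> AdvisoryLanes:
    """Route each advisory to a lane; MAL-* ids are OSV malicious-package advisories."""
    lanes = AdvisoryLanes(purl)
    for vuln in osv_response.get("vulns", []):
        vid = vuln["id"]
        # Keep only id and summary, mirroring the metadata-only stance above.
        record = {"id": vid, "summary": vuln.get("summary", "")}
        (lanes.malicious if vid.startswith("MAL-") else lanes.advisories).append(record)
    return lanes


# Constructed sample in the shape OSV returns; ids are placeholders, not real advisories.
SAMPLE_RESPONSE = json.loads("""{"vulns": [
  {"id": "GHSA-xxxx-xxxx-xxxx", "summary": "placeholder vulnerable-package advisory"},
  {"id": "MAL-0000-00000", "summary": "placeholder malicious-package advisory"}
]}""")

if __name__ == "__main__":
    print(json.dumps(osv_query_for_purl("pkg:pypi/idna@3.13")))
    lanes = split_lanes("pkg:pypi/idna@3.13", SAMPLE_RESPONSE)
    print(len(lanes.advisories), "advisories;", len(lanes.malicious), "malicious")
```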
What The Collector Stores
- Package ecosystem, artifact kind, package manager, detection reason, and confidence.
- Bounded exact npm/PyPI identity peeks when the artifact is small and structured enough to identify a package name and version.
- Path/name evidence for package artifacts that should be visible but are not safe or useful to parse deeply in the collector.
- No package-manager execution, dependency resolution, installation, extraction, or broad JSON/YAML parsing.
Sensitive Artifact Filters
The Keys, Wallets, and AI prompt artifact filters are metadata-only review lanes. They are designed to answer "where should an analyst look next" without retaining the sensitive content itself.
- Keys: PEM, OpenSSH, and PPK private-key material is detected from strong headers. Key bodies are not stored.
- Wallets: Wallet databases, Ethereum keystore paths, selected wallet browser-extension storage markers, and wallet-recovery note names are detected from high-signal path/name context. Seeds and wallet contents are not stored.
- AI prompt artifacts: Assistant instruction files such as .cursorrules, CLAUDE.md, and .cursor/rules can be flagged for hidden Unicode, assistant-override wording, credential/webhook references, or package lifecycle-hook references. Prompt bodies and hidden payload text are not stored.
Operator Workflow
- Run or import a current 0.7.0+ collector scan.
- Use the Packages filter to see package/repository evidence.
- Click Run Package Advisories or Check OSV when exact npm/PyPI identities exist.
- Upload OSV Scanner JSON reports when package teams already use OSV tooling and want those results visible in the VersionGopher Package Risk lane.
- Use Package Advisories for all OSV package matches and Malicious Packages for OSV MAL-* matches only.
- Open the file card to see whether the evidence came from active installed metadata, a lockfile, a cache, or a repository file.
- Use the assessment report when the scan needs a buyer, executive, or review-board summary.