The Two Types of Software Risk: Accidental vs. Intentional Threats
By Paul McCarty
When we talk about software security, most organizations focus on one type of risk: accidental vulnerabilities. This software risk is introduced when software engineers accidentally add vulnerabilities to their source code and/or configurations. These vulnerabilities later surface in their applications when researchers or criminals discover and responsibly disclose. If researchers find the vulnerabilities first they are often published as CVEs so the rest of the world knows about the vulnerability and how to hopefully, fix it. This is the world of CVSS scores, patch management, and vulnerability scanning that has dominated application security for years.
But there's a second, equally dangerous type of risk that many engineering teams overlook entirely: intentionally malicious packages. These aren't mistakes or oversights—they're purposefully crafted threats designed to steal credentials, exfiltrate data, or compromise your infrastructure.
Understanding Accidental Vulnerabilities
Accidental vulnerabilities are security flaws that developers inadvertently introduce into their code. Think of the Heartbleed bug in OpenSSL or the Log4Shell vulnerability—these were mistakes, not malicious acts. Security teams have built entire programs around managing these risks:
Typically, these vulnerabilities are only exploitable about 5-10% of the time, and that’s why having “reachability” is so important. Reachability tells you what vulnerabilities are actually attackable in an application. The Safety platform has built our reachability product to help organizations focus on the real issues in their code, and remove the false positives.
The Hidden Threat: Intentionally Malicious Packages
Intentionally malicious packages represent a completely different threat model. These are packages published to npm, PyPI, or other package repositories with the explicit purpose of compromising systems. They come in two primary forms:
Endpoint-Targeted Malware
This type of malicious package targets the developer's machine or the CI/CD pipeline itself. While PyPI has implemented some protections against install scripts, NPM on the other hand will happily let you put anything you want in these properties.
These install scripts are jokingly referred to as “remote code execution by design” or “RCE by design”. Using pre-install or post-install scripts, these packages can:
Application-Targeted Malware
This more subtle approach embeds malicious functionality within the package's normal operation. The package might work exactly as advertised, but with an additional malicious payload:
Why Traditional Security Tools Fall Short
Most application security tools are designed exclusively for accidental vulnerabilities: Traditional application security tools only scan for known CVEs in public databases, can't distinguish between vulnerable code and malicious code, provide no protection against zero-day malicious packages, and offer no real-time blocking capabilities.
This leaves a massive blind spot in most organizations security posture. While you're diligently patching known vulnerabilities, malicious packages can slip right past your defenses.
How Safety Addresses Both Threats
The Safety platform is uniquely designed to protect against both accidental vulnerabilities and intentionally malicious packages.
For Accidental Vulnerabilities: Superior Intelligence
Safety maintains a proprietary vulnerability database with 4x more vulnerabilities than public CVE sources—18,728 vulnerabilities compared to just 4,682 public CVEs. This means you're protected from threats before they become public knowledge.
Safety has built the industries best malicious package detection technology, code named “SafetyHax”. This detection engine runs 24/7 every day identifying new malicious package threats and automatically protecting our customers.
One of the best ways that we do this is with our Safety Firewall. This technology provides the only real-time protection against malicious packages at installation time:
pip install suspicious-package, Safety Firewall analyzes the package in real-time. If malicious code is detected—whether it's a crypto-stealer in a post-install script or a credential exfiltration function—the installation is blocked automatically.Comprehensive Coverage Across Your SDLC
While it's crucial to help our customers "shift left" by protecting developers' laptops and workstations, it's equally important to protect every stage of the software development lifecycle:
Modern software security requires protection against both accidental vulnerabilities and intentional threats. Focusing on one while ignoring the other leaves critical gaps in your security posture.
Traditional vulnerability scanning addresses accidental risks—but only after the fact. Real-time protection against malicious packages prevents threats before they can compromise your systems.
The Safety platform is the only solution that addresses both threat types comprehensively, with superior vulnerability intelligence and real-time malicious package detection. In under 60 seconds, you can deploy enterprise-grade protection across your entire software supply chain.
Don't wait for a supply chain attack to expose your blind spots. The question isn't whether you'll face both types of threats—it's whether you'll be protected when they arrive.
Start your free trial or schedule a demo to see how Safety protects against both accidental and intentional software risks.

Paul McCarty - Head of Research, Safety
You can find me on LinkedIn and BlueSky.