Author: Brittany O'Shea, Kate Catlin
Word count: 262
Language: English

Summary

Most vulnerabilities in open source software are the result of honest mistakes, but malicious actors can also deliberately introduce malware. Once detected, such malware is typically removed rather than being disclosed through standard channels such as the National Vulnerability Database. GitHub uses automated scanning, security research, and community input to detect this malware, and now documents these incidents in the GitHub Advisory Database after the malicious package has been removed. The database underpins GitHub's supply chain security features, including Dependabot alerts, which notify users when a dependency is affected by malware or a vulnerability. Users can enable these alerts under the "Code security and analysis" tab of a repository's settings. The GitHub Advisory Database, which supplies the security advisories behind GitHub's supply chain security tooling, has been freely available and licensed under Creative Commons, ensuring the community can continue to access and use it.