When a quiz or security exam asks which of the following is an example of malicious code, the answer is any software written to harm, disrupt, or gain unauthorized access to a system — that includes viruses, worms, trojans, ransomware, spyware, adware, rootkits, and logic bombs. If a multiple-choice question lists those alongside benign options like "a spreadsheet" or "a signed OS update," the malicious ones are the picks. But knowing what is an example of malicious code matters far more in practice than on a test, because these categories describe the real ways code turns against the systems that run it.
What "malicious code" actually means
Malicious code (often called malware) is any code intentionally designed to cause an unwanted effect: stealing data, damaging files, taking control of a device, spreading to other systems, or denying legitimate users access. The defining trait is intent. A buggy program that crashes is not malicious; a program written to encrypt your files and demand payment is. The line is purpose, not behavior alone.
It helps to separate malicious code from the broader idea of a "threat." A phishing email is a delivery mechanism; the attachment it carries may contain malicious code. A misconfigured server is a vulnerability; malicious code is what an attacker runs after exploiting it. Malicious code is the payload — the thing that does the damage once it executes.
The main categories, with what makes each distinct
Viruses attach themselves to a legitimate file or program and require that host to run in order to activate and spread. Open the infected document, run the infected executable, and the virus code executes alongside it, then tries to attach itself to more files.
Worms are self-propagating. Unlike a virus, a worm does not need a host file or a user action — it spreads across networks on its own by exploiting vulnerabilities. WannaCry in 2017 is the textbook worm: it moved machine to machine automatically and encrypted data on each, spreading globally within hours.
Trojans disguise themselves as something useful. The user installs what looks like a legitimate tool, and hidden malicious functionality runs alongside the advertised one. Trojans do not self-replicate; they rely on deception to get invited in.
Ransomware encrypts a victim's files (or locks the whole system) and demands payment for the key. It is the category that turned malware into an organized criminal industry, and it frequently arrives via trojans or worms as the delivery step.
Spyware and adware quietly collect information — keystrokes, browsing habits, credentials — or inject unwanted advertising. Keyloggers are a spyware subtype focused on capturing what you type, including passwords.
Rootkits burrow deep into the operating system to hide the presence of other malicious code, giving an attacker persistent, concealed control that survives reboots and evades ordinary detection.
Logic bombs sit dormant until a trigger condition is met — a specific date, a user's account being deleted, a file count crossing a threshold — then execute their payload. They are frequently planted by insiders because the trigger delays the damage past the point of suspicion.
Malicious code in the software supply chain
The categories above describe classic malware, but the delivery vector that has grown fastest is the software supply chain. Instead of tricking an end user, attackers plant malicious code inside a package, library, or build tool that thousands of developers install and run automatically.
The mechanics are worth understanding because they defeat the usual "don't open suspicious attachments" advice. When you run npm install or pip install, packages can execute setup scripts on your machine before any of your own code runs. A compromised package can drop a keylogger, exfiltrate the credentials sitting in your CI environment, or inject a backdoor into the artifact you are about to ship. The 2021 ua-parser-js compromise did exactly this: a hijacked release ran a script that installed a cryptominer and a password stealer on every machine that installed it. The 2025 chalk/debug incident pushed malicious versions of packages with billions of weekly downloads.
This matters because a developer's laptop and CI runner are high-value targets — they hold source code, cloud credentials, and publishing tokens. Malicious code delivered through a dependency reaches all of that without a single user clicking a bad link.
How to defend against malicious code
Defense is layered, and the right layer depends on how the code arrives.
For traditional malware: keep operating systems and applications patched (worms exploit known, unpatched flaws), run endpoint protection that detects known signatures and anomalous behavior, restrict user privileges so a compromise cannot escalate, and maintain offline backups so ransomware cannot hold your only copy hostage.
For supply-chain malicious code: pin exact dependency versions with a lockfile, constrain install-time scripts, and continuously scan your dependency tree against advisory databases. This is where software composition analysis earns its place; our SCA overview explains how it inventories every package and flags known-bad ones. An SCA tool such as Safeguard can also detect behavioral anomalies in a package version — a surprise network call, an obfuscated payload — that match the patterns of the ua-parser-js and chalk compromises before they land in a build.
Across both: the principle is least privilege and defense in depth. No single control catches everything, so you stack detection, prevention, and recovery. For a deeper look at what these programs actually do once they run, see our companion post on what is a possible effect of malicious code.
FAQ
What is the simplest example of malicious code?
A computer virus is the classic example: code that attaches to a legitimate file, runs when that file runs, and copies itself into other files. On a multiple-choice question, any listed virus, worm, trojan, ransomware, or spyware is a correct example of malicious code.
Is a trojan a virus?
No. A trojan disguises itself as legitimate software and relies on the user installing it, but it does not self-replicate. A virus attaches to a host file and spreads by copying itself. They are distinct categories of malicious code, though a trojan can carry a virus as its payload.
Can malicious code come from trusted software?
Yes, through the supply chain. If a legitimate package or dependency is compromised, the malicious version arrives under a trusted name and runs automatically when installed. This is why continuously scanning dependencies, not just avoiding suspicious downloads, is essential.
What is the difference between a worm and a virus?
A virus needs a host file and a user action to spread; a worm self-propagates across networks by exploiting vulnerabilities, with no host file and no user interaction required. Worms therefore spread far faster, as WannaCry demonstrated in 2017.