We believe that everyone should have access to information about malicious open source. That’s why we maintain a completely free feed and API that include a threat description, payload and version details, and evidence. OpenSourceMalware helps you identify malicious resources across the open-source supply chain. Whether you’re a security engineer scanning dependencies in CI/CD, a developer vetting a third-party package, or a researcher tracking attack infrastructure, we provide a queryable database of verified threats backed by community reports and expert review.

Supported asset types

OpenSourceMalware tracks threats across a broad range of asset types in one unified database. The one rule? All assets relate to the delivery of malicious open source.

Packages

Malicious packages on npm, PyPI, Maven, NuGet, RubyGems, Packagist, Crates.io, Go Modules, VS Code Marketplace, Open VSX, and AI Skills registries.

Container images

Malicious container images on Docker Hub, GitHub Container Registry (GHCR), Quay, and other registries.

Repositories

GitHub, GitLab, and Bitbucket repositories that contain malicious code or serve as staging infrastructure for payload distribution.

Domains & URLs

Command-and-control (C2) servers, phishing domains, and specific malicious URLs used to deliver payloads or exfiltrate data.

IP addresses

Malicious IP addresses tied to C2 infrastructure, attack sources, and known threat actor networks.

Crypto wallets

Cryptocurrency wallet addresses embedded in malicious payloads as a covert channel to relay commands or exfiltrate data.

How it works

OpenSourceMalware is built on a community-driven verification pipeline. When a threat is reported, it’s reviewed and validated before being published to the database. Every entry you query reflects a verified signal, not unvetted noise.
  1. Community reports — any user can submit a threat report for a package, repository, URL, domain, IP, wallet, or container image.
  2. Verification — select community members and maintainers review reports for accuracy and quality before they are accepted.
  3. Published to the database — verified threats are added to the database with metadata including severity, tags, and timestamps.
  4. Queryable via API — you can check any resource against the database in real time using the REST API.

Ways to use OpenSourceMalware

OpenSourceMalware is useful across a range of security and development roles:
  • Security teams integrating automated threat checks into CI/CD pipelines, dependency scanners, or SIEM workflows
  • Developers who want to verify a package or repository before adding it as a dependency
  • Researchers tracking malware campaigns, attack infrastructure, or supply-chain threats
You’re welcome to use free or licensed OpenSourceMalware data for non-commercial purposes. Here are some great examples of acceptable usage!

Enhance your research

  • Study malware trends, threat actors, campaigns, or attack techniques
  • Academic or independent security research

Protect your organization

  • Use threat records to investigate whether your organization has been exposed to a known threat
  • Check whether a software package is malicious before using it in your own projects
  • Build an internal platform to serve internal customers (e.g. analysts)
  • Feed data into your internal tools, processes, or pipelines to help your security team work more effectively
  • Respond to a security incident inside your own organization
  • Produce internal reports, briefings, or executive summaries (including sharing those with leadership, legal counsel, or your cyber insurer in connection with an incident)
Using the API to power these activities is encouraged, including automated lookups as part of your security workflows. Large-scale or bulk API use to sweep your own environment retroactively (for example, during an active incident) is also permitted for internal use. Read the Terms of Use for more info on acceptable and unacceptable use.

Where to go next

Quickstart

Make your first API threat check in under 5 minutes.

API overview

Explore all endpoints for querying and submitting threat data.

Report a threat

Learn how to submit high-quality threat reports to the community database.

Community guidelines

Understand the standards that keep OSM accurate and trustworthy.