OpenSourceMalware (OSM) is a community-driven threat intelligence platform that helps security teams, developers, and researchers identify and protect against malicious open-source packages, repositories, domains, and more. Search the database, integrate threat checks into your workflows via the REST API, and contribute verified threat reports to protect the entire ecosystem.

Quick Start

Make your first threat check in minutes using the OSM API.

API Reference

Explore all public endpoints for querying and submitting threat data.

Report a Threat

Learn how to submit high-quality threat reports to the community database.

Community Guidelines

Understand the standards that keep OSM accurate and trustworthy.

Get started in three steps

1. Create an account

Sign in at opensourcemalware.com using your GitHub account or email address. Your profile tracks your contributions and builds your community reputation.

2. Generate an API token

Go to your profile settings and generate an API token. Tokens are prefixed with osm_ and are used to authenticate all API requests.

3. Make your first threat check

Pass your token in the Authorization: Bearer header and query the /check-malicious endpoint to check any package, repository, URL, or domain against the OSM database.

What you can check

OSM covers a wide range of threat types across the open-source supply chain:

Packages

npm, PyPI, Maven, NuGet, VS Code extensions, AI Skills, and more.

Repositories

GitHub and GitLab repositories linked to malicious activity.

Domains & URLs

C2 servers, phishing domains, and malicious URLs.

IPs, Wallets & Containers

Malicious IP addresses, crypto wallets, and container images.