Use the /check-malicious endpoint to send a single GET request with a report_type and a resource_identifier, and the API tells you whether that resource appears in the OSM threat database. The endpoint covers all supported resource types — packages, repositories, URLs, domains, IP addresses, cryptocurrency wallets, and container images — through one unified interface.

Endpoint
GET https://api.opensourcemalware.com/functions/v1/check-malicious
Required header
Authorization: Bearer osm_your_token

Query parameters

report_type (string, required)
The category of resource to check. Accepted values: package, repository, url, domain, ip, wallet, container.
resource_identifier (string, required)
The specific resource to look up. What you pass here depends on the report_type — for example, a package name, a full repository URL, a domain, an IP address, or a wallet address.
ecosystem (string)
For package and container report types, specify the ecosystem or registry. For packages: npm, pypi, maven, nuget, vscode, skills. For containers: dockerhub, ghcr, quay.
version (string)
For package report types, the specific version to check. If omitted, the API checks the package across all known versions.

Response fields

Malicious resource found

When the resource is in the OSM threat database, the response includes a details object with the full threat record.
malicious (boolean, required)
true when the resource is found in the malicious database.
report_type (string, required)
The report type you queried (echoed from the request).
resource_identifier (string, required)
The resource identifier you queried (echoed from the request).
ecosystem (string)
The ecosystem, if applicable (echoed from the request).
threat_count (number, required)
The number of verified threat reports associated with this resource.
details (object, required)
The full threat record for the most relevant verified report.

Resource not found

When the resource is not in the OSM database, the API still returns HTTP 200 with "malicious": false.
malicious (boolean, required)
false when the resource is not found in the malicious database.
report_type (string, required)
Echoed from the request.
resource_identifier (string, required)
Echoed from the request.
ecosystem (string)
Echoed from the request, if provided.
message (string, required)
A plain-language explanation, e.g. "Resource not found in malicious database".

Report types

Check packages by name across supported ecosystems: npm, PyPI, Maven, NuGet, VS Code extensions, and AI Skills. Use the ecosystem parameter to scope the lookup. Use the version parameter to check a specific release.
report_type=package&resource_identifier=my-package&ecosystem=npm
report_type=package&resource_identifier=my-package&ecosystem=pypi&version=1.2.3
Check GitHub or GitLab repositories linked to malicious activity. The resource_identifier must be the full repository URL including https://.
report_type=repository&resource_identifier=https://github.com/attacker/malware-repo
Check a specific URL for malicious content — phishing pages, malware delivery endpoints, and similar threats.
report_type=url&resource_identifier=https://phishing-site.com/login
Check domains associated with command-and-control (C2) infrastructure, phishing campaigns, or other malicious activity. Pass only the domain, without a protocol or path.
report_type=domain&resource_identifier=c2-server.malware.net
Check IP addresses associated with C2 infrastructure, attack sources, or other malicious network activity.
report_type=ip&resource_identifier=192.168.1.100
Check cryptocurrency wallet addresses that have been linked to ransomware payments, extortion campaigns, or other attacks.
report_type=wallet&resource_identifier=0x1234567890abcdef1234567890abcdef12345678
Check container images from Docker Hub, GitHub Container Registry (GHCR), or Quay for known malicious payloads such as cryptominers or backdoors. Use the ecosystem parameter to specify the registry (dockerhub, ghcr, quay).
report_type=container&resource_identifier=malicious/cryptominer&ecosystem=dockerhub

cURL examples

curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=malicious-pkg&ecosystem=npm" \
  -H "Authorization: Bearer osm_your_token"

Response examples

Malicious resource found

{
  "malicious": true,
  "report_type": "package",
  "resource_identifier": "evil-pkg",
  "ecosystem": "npm",
  "threat_count": 1,
  "details": {
    "id": "uuid-here",
    "status": "verified",
    "severity_level": "critical",
    "description": "Data exfiltration",
    "tags": ["infostealer"],
    "first_seen": "2025-01-05T12:00:00Z",
    "last_seen": "2025-01-10T08:30:00Z"
  }
}

Resource not found

{
  "malicious": false,
  "report_type": "package",
  "resource_identifier": "safe-pkg",
  "ecosystem": "npm",
  "message": "Resource not found in malicious database"
}
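
Because a miss also returns HTTP 200, a caller that gates installs or builds on this endpoint has to tell "not in the database" apart from "the lookup failed". The Python sketch below is an added example, not part of the OSM documentation: it validates parameters against the values listed on this page, URL-encodes the identifier, and reports anything other than HTTP 200 with a boolean malicious field as an error. The function names and the three verdict labels are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://api.opensourcemalware.com/functions/v1/check-malicious"
# Added example: names and verdict labels are hypothetical; values are from this page.
ECOSYSTEMS = {
    "package": {"npm", "pypi", "maven", "nuget", "vscode", "skills"},
    "container": {"dockerhub", "ghcr", "quay"},
    "repository": set(), "url": set(), "domain": set(), "ip": set(), "wallet": set(),
}


def build_url(report_type, resource_identifier, ecosystem=None, version=None):
    """Validate against the documented values, then URL-encode every parameter."""
    if report_type not in ECOSYSTEMS:
        raise ValueError(f"unsupported report_type: {report_type!r}")
    params = {"report_type": report_type, "resource_identifier": resource_identifier}
    if ecosystem is not None:
        if ecosystem not in ECOSYSTEMS[report_type]:
            raise ValueError(f"ecosystem {ecosystem!r} not valid for {report_type}")
        params["ecosystem"] = ecosystem
    if version is not None:
        if report_type != "package":
            raise ValueError("version applies only to package lookups")
        params["version"] = version
    return BASE + "?" + urllib.parse.urlencode(params)


def verdict(status, body):
    """Return 'malicious', 'not_found' or 'error'; only a literal false is a miss."""
    try:
        flag = json.loads(body)["malicious"] if status == 200 else None
    except (TypeError, ValueError, KeyError):
        flag = None
    if flag is True:
        return "malicious"
    return "not_found" if flag is False else "error"


def check(token, **query):
    """Live lookup; needs a real token, so it is defined but not called here."""
    req = urllib.request.Request(build_url(**query),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return verdict(resp.status, resp.read())
    except OSError:  # HTTP error statuses, DNS failures, timeouts
        return "error"
```

A pipeline step would block on "malicious" and, depending on policy, either block or retry on "error" instead of letting it pass as clean.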