Use the check-malicious endpoint to send a single GET request with a report_type and a resource_identifier, and the API tells you whether that resource appears in the OSM threat database. The endpoint covers all supported resource types through one unified interface.

Use this endpoint to:
  • Investigate a suspected threat: During an active incident or hunt, look up any resource to instantly confirm whether it’s in the database and get more info about it.
  • Enrich threat intelligence workflows: Integrate real-time malicious resource lookups into your SIEM, SOAR, or TIP to automatically flag known-bad indicators as they surface.
  • Monitor exposure across your environment: Check whether resources already in use in your organization have been flagged since you last reviewed them.
  • Vet assets before they’re installed: Query before accepting a package or extension suggested by an AI coding assistant.
  • Scan dependencies in CI/CD: Catch malicious packages before they reach production by querying OSM as part of your build pipeline.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/check-malicious
Required header
Authorization: Bearer osm_your_token

Query parameters

Parameter            Required  Description
report_type          Required  package | container | repository | url | domain | ip | wallet
resource_identifier  Required  The resource to check (package name, URL, domain, etc.)
ecosystem            Optional  For packages: npm, pypi, maven, nuget, vscode, skills, etc.
version              Optional  Specific package or container version to check

Response examples

Malicious resource found

{
  "malicious": true,
  "report_type": "package",
  "resource_identifier": "tns-py",
  "ecosystem": "pypi",
  "version": null,
  "osm_url": "https://opensourcemalware.com/pypi/tns-py",
  "last_scanned_at": "2026-04-28T07:04:53.788+00:00",
  "scan_result": false,
  "scan_severity": null,
  "scan_count": 2,
  "threat_count": 1,
  "details": {
    "threat_id": "e47dba4d-45fa-4764-a6ef-3399f381714f",
    "severity_level": "high",
    "description": "This package pretends to be a utility that helps you load environment variables from .env files and system environment, then sending them to a specified API endpoint.  But its a wolf in sheeps clothing as it really exfiltrates environment variables to an attacker-controlled url.",
    "version_info": "all"
  }
}

Resource not found

{
  "malicious": false,
  "report_type": "package",
  "resource_identifier": "safe-pkg",
  "ecosystem": "npm",
  "message": "Resource not found in malicious database"
}

Report types with cURL examples

Packages

Check packages by name across supported ecosystems: npm, PyPI, Maven, NuGet, VS Code extensions, and AI Skills. Use the ecosystem parameter to scope the lookup. Use the version parameter to check a specific release.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=malicious-pkg&ecosystem=npm" \
  -H "Authorization: Bearer osm_your_token"

Container Images

Check container images from Docker Hub, GitHub Container Registry (GHCR), or Quay for known malicious payloads such as cryptominers or backdoors. Use the ecosystem parameter to specify the registry (dockerhub, ghcr, quay).
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=container&resource_identifier=malicious/cryptominer&ecosystem=dockerhub" \
  -H "Authorization: Bearer osm_your_token"

Repositories

Check GitHub or GitLab repositories linked to malicious activity. The resource_identifier must be the full repository URL including https://.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=repository&resource_identifier=https://github.com/attacker/malware-repo" \
  -H "Authorization: Bearer osm_your_token"

URLs

Check a specific URL for malicious content (phishing pages, malware delivery endpoints, and similar threats).
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=url&resource_identifier=https://phishing-site.com/login" \
  -H "Authorization: Bearer osm_your_token"

Domains

Check domains associated with command-and-control (C2) infrastructure, phishing campaigns, or other malicious activity. Pass only the domain, without a protocol or path.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=domain&resource_identifier=c2-server.malware.net" \
  -H "Authorization: Bearer osm_your_token"

IP Addresses

Check IP addresses associated with C2 infrastructure, attack sources, or other malicious network activity.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=ip&resource_identifier=192.168.1.100" \
  -H "Authorization: Bearer osm_your_token"

Crypto Wallets

Check cryptocurrency wallet addresses that have been linked to ransomware payments, extortion campaigns, or other attacks.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=wallet&resource_identifier=0x1234567890abcdef1234567890abcdef12345678" \
  -H "Authorization: Bearer osm_your_token"

Using check-malicious with AI coding assistants

AI coding assistants like Claude, GitHub Copilot, and Cursor suggest and install open-source dependencies as part of their workflow, often without any malicious resource checking. Since these tools generate and execute package installation commands directly, a malicious package recommendation gets installed as fast as a legitimate one. Before accepting a dependency suggestion from an AI coding assistant, run a quick check against the OSM database. Pass the package name and ecosystem to /check-malicious and confirm the response returns "malicious": false before installing.
curl -X GET "https://api.opensourcemalware.com/functions/v1/check-malicious?report_type=package&resource_identifier=suggested-package&ecosystem=npm" \
  -H "Authorization: Bearer osm_your_token"
This is particularly important in agentic coding environments where the assistant is operating with more autonomy, writing code, resolving dependencies, and running commands with less human review at each step. The faster the assistant moves, the more important it is to have checks in the loop. You can also build this check into your workflow by wrapping your package manager commands in a simple script that queries OSM before allowing an install to proceed, giving you a lightweight safeguard without changing how you work with your AI tools.
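
One way to build the install wrapper described above, which also works as a CI gate. This is an added example, not OSM's own code: the function names are illustrative, the token is assumed to be in an OSM_TOKEN environment variable, and the API is assumed to echo resource_identifier as in the two sample responses on this page.

```python
import json, os, subprocess, sys, urllib.parse, urllib.request

OSM_ENDPOINT = "https://api.opensourcemalware.com/functions/v1/check-malicious"

def build_url(name, ecosystem, version=None):
    """URL-encode each parameter so names such as '@scope/pkg' arrive intact."""
    params = {"report_type": "package", "resource_identifier": name, "ecosystem": ecosystem}
    if version:
        params["version"] = version
    return OSM_ENDPOINT + "?" + urllib.parse.urlencode(params)

def fetch(url, token):
    # urllib raises on HTTP error statuses and on timeout; the caller fails closed.
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def verdict(body, name):
    """Return (allow, reason); only an explicit boolean false allows the install."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    # Assumption: the API echoes resource_identifier, as both page samples do.
    if not isinstance(data, dict) or data.get("resource_identifier") != name:
        return False, "response does not match the queried package"
    if data.get("malicious") is False:
        return True, "not in OSM database"
    if data.get("malicious") is True:
        sev = (data.get("details") or {}).get("severity_level", "unknown")
        return False, "flagged malicious, severity %s: %s" % (sev, data.get("osm_url"))
    return False, "no boolean 'malicious' field"

def guarded_install(name, ecosystem, install_cmd, fetcher=fetch, runner=subprocess.call):
    """Run install_cmd + [name] only after a clean verdict; fail closed otherwise."""
    try:
        body = fetcher(build_url(name, ecosystem), os.environ.get("OSM_TOKEN", ""))
    except Exception as exc:  # network failure, HTTP 4xx/5xx, timeout
        return 1, "lookup failed, install blocked: %s" % exc
    allow, reason = verdict(body, name)
    if not allow:
        return 1, "blocked %s: %s" % (name, reason)
    return runner(install_cmd + [name]), reason

if __name__ == "__main__":  # e.g. OSM_TOKEN=... python osm_install.py npm some-package
    eco, pkg = sys.argv[1], sys.argv[2]
    cmd = {"npm": ["npm", "install"], "pypi": [sys.executable, "-m", "pip", "install"]}[eco]
    code, msg = guarded_install(pkg, eco, cmd)
    print(msg, file=sys.stderr)
    sys.exit(code)
```

A non-zero exit status stops the install or the build step. Any lookup error blocks the install rather than letting it through.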