The OpenSourceMalware APIs give you programmatic access to the community-driven threat intelligence database. All requests go over HTTPS and return JSON.
Regardless of your subscription tier, no user may harvest or stockpile data beyond what the API is designed to provide. This includes the use of automated tools (bots, scrapers, crawlers).

Base URL

All API endpoints are served from the following base URL:
https://api.opensourcemalware.com/functions/v1/

Authentication

Every request must include a Bearer token in the Authorization header:
Authorization: Bearer osm_your_token
You generate tokens from your profile settings on opensourcemalware.com: go to Settings → API Tokens → Generate Token. Tokens are prefixed with osm_. See Authentication for full details.

Rate limits

Request limits are enforced per token, per minute. If you exceed your limit, the API returns 429 Too Many Requests. See Rate limits for limits and strategies to handle this.

Available endpoints

Free APIs

GET /check-malicious

Check whether a package, repository, URL, domain, IP, wallet, or container image is flagged as malicious.

GET /query-latest

Retrieve the 100 most recent verified threat reports from any supported ecosystem or threat category.

POST /submit-threat

Submit a new threat report about an asset you confirmed to be malicious.

PUT /modify-threat-report

Update an existing threat report with new information, additional evidence, or corrected metadata.

GET /threat-feed

Poll for verified threat reports added within a time window.

GET /query-by-username

Find all verified threats associated with a specific publisher or username.

GET /threat-data

Retrieve full threat metadata and all associated Indicators of Compromise for a specific threat UUID.

GET /query-latest-stix

Retrieve the 100 most recent verified threats as a STIX 2.1 bundle for ingestion into a TIP.

GET /anomali-feed

A rolling-window STIX 2.1 bundle purpose-built for Anomali ThreatStream, with IOC-level indicators and relationship SROs.

Response format

All endpoints return JSON. A successful check that finds a malicious resource returns "malicious": true with a details object containing the full threat record. A resource that is not in the database returns "malicious": false with an explanatory message field.
{
  "malicious": true,
  "report_type": "package",
  "resource_identifier": "evil-pkg",
  "ecosystem": "npm",
  "threat_count": 1,
  "details": {
    "id": "uuid-here",
    "status": "verified",
    "severity_level": "critical",
    "description": "Data exfiltration",
    "tags": ["infostealer"],
    "first_seen": "2025-01-05T12:00:00Z",
    "last_seen": "2025-01-10T08:30:00Z"
  }
}
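
One way to consume this response in a dependency gate, as an added example that is not OpenSourceMalware's own code. It assumes successful checks return HTTP 200 and that the gate fails closed on anything it cannot parse; auth_headers, interpret_check and Verdict are hypothetical names, and the sample bodies are constructed from the fields shown above.

```python
import json
from dataclasses import dataclass

TOKEN_PREFIX = "osm_"  # documented token prefix

# Constructed sample bodies, built from the fields in the response above.
SAMPLE_HIT = json.dumps({
    "malicious": True, "report_type": "package", "resource_identifier": "evil-pkg",
    "ecosystem": "npm", "threat_count": 1,
    "details": {"id": "uuid-here", "status": "verified",
                "severity_level": "critical", "description": "Data exfiltration"},
})
SAMPLE_MISS = json.dumps({"malicious": False, "message": "constructed sample message"})

@dataclass
class Verdict:
    action: str  # "block", "allow" or "retry"
    reason: str

def auth_headers(token: str) -> dict:
    """Build the Authorization header, rejecting values that are not osm_ tokens."""
    if not token.startswith(TOKEN_PREFIX) or token == TOKEN_PREFIX:
        raise ValueError("expected an API token starting with 'osm_'")
    return {"Authorization": f"Bearer {token}"}

def interpret_check(status: int, body: str) -> Verdict:
    """Turn a /check-malicious status code and body into a gate decision."""
    if status == 429:
        return Verdict("retry", "rate limited: 429 Too Many Requests")
    if status != 200:  # assumption: successful checks return HTTP 200
        return Verdict("block", f"unexpected HTTP status {status}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Verdict("block", "body is not valid JSON")
    flag = data.get("malicious") if isinstance(data, dict) else None
    if flag is True:
        details = data.get("details")
        details = details if isinstance(details, dict) else {}
        return Verdict("block", "{}/{}: {} ({})".format(
            data.get("ecosystem"), data.get("resource_identifier"),
            details.get("severity_level"), details.get("description")))
    if flag is False:
        return Verdict("allow", str(data.get("message", "")))
    # Fail closed (policy assumption): only a boolean 'malicious' is trusted.
    return Verdict("block", "missing or non-boolean 'malicious' field")

if __name__ == "__main__":
    for status, body in [(200, SAMPLE_HIT), (200, SAMPLE_MISS), (429, "")]:
        print(interpret_check(status, body))
```

A "retry" verdict should be handled according to the Rate limits page rather than treated as a clean result.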