Skip to main content
The OpenSourceMalware (OSM) APIs give you programmatic access to the community-driven threat intelligence database. You can check any package, repository, URL, domain, IP address, cryptocurrency wallet, or container image against verified threat data — and submit new reports directly from your tooling. All requests go over HTTPS and return JSON.

Base URL

All API endpoints are served from the following base URL: 
https://api.opensourcemalware.com/functions/v1/

Authentication

Every request must include a Bearer token in the Authorization header: 
Authorization: Bearer osm_your_token
You generate tokens from your profile settings on opensourcemalware.com. Tokens are prefixed with osm_. See Authentication for full details.
API tokens are generated from your profile settings. Go to Settings → API Tokens → Generate Token to create one.

Rate limits

Request limits are enforced per token, per minute. If you exceed your limit, the API returns 429 Too Many Requests. See Rate limits for limits and strategies to handle this.

Available endpoints

Free APIs

GET /check-malicious

Check whether a package, repository, URL, domain, IP, wallet, or container image is flagged as malicious in the OSM database.

GET /threat-feed

Query the stream of recently verified threats. Useful for keeping security tools current and powering automated alerting pipelines.

POST /submit-threat

Submit a new threat report programmatically. Submitted reports enter the community verification process before publication.
Paid APIs

Response format

All endpoints return JSON. A successful check that finds a malicious resource returns "malicious": true with a details object containing the full threat record. A resource that is not in the database returns "malicious": false with an explanatory message field. 
{
  "malicious": true,
  "report_type": "package",
  "resource_identifier": "evil-pkg",
  "ecosystem": "npm",
  "threat_count": 1,
  "details": {
    "id": "uuid-here",
    "status": "verified",
    "severity_level": "critical",
    "description": "Data exfiltration",
    "tags": ["infostealer"],
    "first_seen": "2025-01-05T12:00:00Z",
    "last_seen": "2025-01-10T08:30:00Z"
  }
}