The query-latest-stix endpoint returns the same threat data as query-latest but formatted as a STIX 2.1 bundle.
Subscription Required: This is a paid endpoint available to Researcher Pro and Enterprise users.
Use this endpoint to:
  • Ingest OSM data into your TIP: Import verified threat intelligence directly into a Threat Intelligence Platform using the ?format=v2 shape.
  • Automate STIX-based detections: Feed structured STIX indicators into SIEM or SOAR workflows that consume standardized threat intelligence.
  • Maintain up-to-date indicator sets: Poll on a schedule to keep your threat intelligence platform current with the latest verified OSM threats.
Anomali users should refer to the custom Anomali STIX endpoint.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/query-latest-stix
Required header
Authorization: Bearer osm_your_token
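Alternative: pass the API key as a query parameter: ?apikey=osm_your_token. Prefer the Authorization header where you can, because query strings are commonly recorded in proxy logs, server logs and shell history.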
Pro Role Required: This endpoint requires your user account to have the ‘pro’ role. Contact an administrator to request access if you receive a 403 error.

STIX 2.1 format

This endpoint returns threat data as a STIX 2.1 bundle.

Content-Type: application/stix+json;version=2.1

The format query parameter controls the response shape. Omit it (or pass any value other than v2) to receive the legacy indicator-only bundle. Pass format=v2 to receive a bundle containing an identity, a TLP:WHITE marking-definition, an x-malicious-package Custom Object per threat, an indicator SDO, and a relationship SRO linking them. The v2 bundle is importable into Anomali ThreatStream as model_type=customtm.

All indicators have 100% confidence. Patterns use STIX pattern syntax with CPE notation.

Query parameters

  • ecosystem (required): Package ecosystem (npm, pypi, rubygems, etc.)
  • format (optional): Pass v2 for the Anomali-ready bundle shape. Omit for the legacy indicator-only bundle.

Response examples

Success (200) — default (legacy)

{
  "type": "bundle",
  "id": "bundle--550e8400-e29b-41d4-a716-446655440000",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--123e4567-e89b-12d3-a456-426614174000",
      "created": "2024-01-15T12:00:00Z",
      "modified": "2024-01-15T12:00:00Z",
      "name": "Malicious Package: evil-package",
      "description": "Contains cryptocurrency mining code",
      "pattern": "[software:name = 'evil-package' AND software:cpe = 'cpe:2.3:a:*:evil-package:*:*:*:*:*:*:*']",
      "pattern_type": "stix",
      "valid_from": "2024-01-15T12:00:00Z",
      "labels": ["malicious-activity", "malicious-package"],
      "confidence": 100,
      "external_references": [
        { "source_name": "OSV", "url": "https://osv.dev/vulnerability/OSV-2024-001" }
      ],
      "x_registry": "npm",
      "x_package_name": "evil-package",
      "x_severity_level": "critical",
      "x_report_type": "package",
      "x_status": "verified",
      "x_publisher": "malicious-user",
      "x_version_info": "1.0.0",
      "x_tags": ["cryptocurrency", "miner"]
    }
  ]
}

Success (200) — ?format=v2 (Anomali-ready)

{
  "type": "bundle",
  "id": "bundle--550e8400-e29b-41d4-a716-446655440000",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "name": "OpenSourceMalware",
      "identity_class": "organization",
      "description": "OpenSourceMalware.com — open-source supply-chain threat intelligence feed."
    },
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:WHITE",
      "definition": { "tlp": "white" }
    },
    {
      "type": "x-malicious-package",
      "spec_version": "2.1",
      "id": "x-malicious-package--123e4567-e89b-12d3-a456-426614174000",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "name": "npm:evil-package@1.0.0",
      "description": "Contains cryptocurrency mining code",
      "x_registry": "npm",
      "x_package_name": "evil-package",
      "x_severity_level": "critical",
      "x_report_type": "package",
      "x_status": "verified",
      "x_publisher": "malicious-user",
      "x_version_info": "1.0.0",
      "x_payload_description": "Exfiltrates env vars and mines cryptocurrency",
      "x_tags": ["cryptocurrency", "miner"],
      "x_first_seen": "2024-01-15T12:00:00.000Z",
      "external_references": [
        { "source_name": "OSV", "url": "https://osv.dev/vulnerability/OSV-2024-001" }
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--123e4567-e89b-12d3-a456-426614174000",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "name": "Malicious Package: evil-package",
      "description": "Contains cryptocurrency mining code",
      "indicator_types": ["malicious-activity"],
      "pattern": "[software:name = 'evil-package' AND software:cpe = 'cpe:2.3:a:*:evil-package:*:*:*:*:*:*:*']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "valid_from": "2024-01-15T12:00:00.000Z",
      "valid_until": "2025-01-15T12:00:00.000Z",
      "confidence": 100,
      "external_references": [
        { "source_name": "OSV", "url": "https://osv.dev/vulnerability/OSV-2024-001" }
      ],
      "x_registry": "npm",
      "x_package_name": "evil-package",
      "x_severity_level": "critical",
      "x_report_type": "package",
      "x_status": "verified",
      "x_publisher": "malicious-user",
      "x_version_info": "1.0.0",
      "x_tags": ["cryptocurrency", "miner"]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7c1d6bf7-4a2e-4b5c-9d1a-3e6f8a0b1c2d",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--123e4567-e89b-12d3-a456-426614174000",
      "target_ref": "x-malicious-package--123e4567-e89b-12d3-a456-426614174000"
    }
  ]
}
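
The following is an added example, not OSM's own code: it turns a bundle of either shape into a package blocklist, follows the v2 "indicates" relationships to pick up x_payload_description, drops indicators outside their valid_from/valid_until window, and checks a dependency list against the result. The function names, the trimmed sample bundle and the dependency list are constructed for illustration, and matching on registry plus package name regardless of version is an assumption.

```python
from datetime import datetime, timezone

def _ts(value):
    # STIX timestamps are RFC 3339 UTC; older fromisoformat() rejects the "Z" suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def blocklist_from_bundle(bundle, now=None):
    """Map (registry, package) -> details for indicators valid at `now` (either shape)."""
    now = now or datetime.now(timezone.utc)
    by_id = {o["id"]: o for o in bundle.get("objects", [])}
    # format=v2 only: "indicates" relationships link an indicator to its package object.
    linked = {o["source_ref"]: by_id.get(o["target_ref"], {}) for o in by_id.values()
              if o["type"] == "relationship" and o.get("relationship_type") == "indicates"}
    out = {}
    for ind in by_id.values():
        if ind["type"] != "indicator" or _ts(ind["valid_from"]) > now:
            continue
        if "valid_until" in ind and _ts(ind["valid_until"]) <= now:
            continue  # expired indicator: no longer considered valid
        pkg = linked.get(ind["id"], {})
        out[(ind["x_registry"], ind["x_package_name"])] = {
            "severity": ind.get("x_severity_level"),
            "version": ind.get("x_version_info"),
            "payload": pkg.get("x_payload_description"),  # None for the legacy shape
            "stix_id": ind["id"],
        }
    return out

def flag_dependencies(deps, blocklist):
    """deps: iterable of (registry, name, version); match on registry + name (assumption)."""
    return [(r, n, v, blocklist[(r, n)]) for r, n, v in deps if (r, n) in blocklist]

# Constructed sample, trimmed from the format=v2 response shown above.
IND = "indicator--123e4567-e89b-12d3-a456-426614174000"
PKG = "x-malicious-package--123e4567-e89b-12d3-a456-426614174000"
SAMPLE_V2 = {"type": "bundle", "objects": [
    {"type": "x-malicious-package", "id": PKG,
     "x_payload_description": "Exfiltrates env vars and mines cryptocurrency"},
    {"type": "indicator", "id": IND, "valid_from": "2024-01-15T12:00:00.000Z",
     "valid_until": "2025-01-15T12:00:00.000Z", "x_registry": "npm",
     "x_package_name": "evil-package", "x_severity_level": "critical",
     "x_version_info": "1.0.0"},
    {"type": "relationship", "id": "relationship--7c1d6bf7-4a2e-4b5c-9d1a-3e6f8a0b1c2d",
     "relationship_type": "indicates", "source_ref": IND, "target_ref": PKG}]}
# Constructed dependency list, e.g. as read from a lockfile.
DEPS = [("npm", "left-pad", "1.3.0"), ("npm", "evil-package", "1.0.0")]

if __name__ == "__main__":
    print(flag_dependencies(DEPS, blocklist_from_bundle(SAMPLE_V2)))
```
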

Error responses

403
{ "error": "Access denied. STIX API access required. Please contact an administrator to request access." }

429
{ "error": "Rate limit exceeded. Maximum 180 requests per minute (pro tier)." }

cURL examples

Default (legacy indicator-only bundle)
curl -H "Authorization: Bearer osm_your_token" \
  "https://api.opensourcemalware.com/functions/v1/query-latest-stix?ecosystem=npm"
?format=v2 (Anomali ThreatStream compatible)
curl -H "Authorization: Bearer osm_your_token" \
  "https://api.opensourcemalware.com/functions/v1/query-latest-stix?ecosystem=npm&format=v2"