The anomali-feed endpoint emits a STIX 2.1 bundle designed as a direct replacement for the threat-feed → Tines → Anomali pipeline. For each verified threat in the time window, it returns one x-malicious-package Custom Object, one indicator SDO per IOC, and relationship SROs linking them.
Subscription Required: This is a paid endpoint available to Researcher Pro and Enterprise users.
This endpoint has been validated for Anomali ThreatStream and is not guaranteed to be compatible with other TIPs.
Use it to:
  • Replace your Anomali ingest pipeline: Import OSM threat intelligence directly into Anomali ThreatStream without intermediate tooling.
  • Stay current with a rolling window: Poll on a schedule using the hours parameter to ingest only threats verified within your chosen time window.
  • Ingest IOC-level indicators: Receive one STIX indicator SDO per IOC attached to each threat, ready for automated detection and blocking rules.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/anomali-feed
Required header
Authorization: Bearer osm_your_token
Alternative: Pass API key as query parameter: ?apikey=osm_your_token
Pro Role Required: Requires the ‘pro’ role (admin/editor also qualify). Contact an administrator if you receive a 403.

Query parameters

  • ecosystem (required): Package registry (npm, pypi, rubygems, etc.) or the special values repositories / domains.
  • hours (optional): Rolling time window in hours. Integer 1–24, defaults to 1. Filters on verified_at = now() - hours.

Bundle shape

Content-Type: application/stix+json;version=2.1

Every bundle contains, in order:
  1. One marking-definition SDO for TLP:WHITE (referenced via object_marking_refs).
  2. For each verified threat in the window: one x-malicious-package Custom Object (STIX 2.1 §11.2). Threats with zero IOCs still appear as a Custom Object with no associated indicators.
  3. For each IOC attached to a threat (mappable types only): one indicator SDO with the appropriate STIX pattern, plus one relationship SRO (related-to) linking the indicator to its Custom Object. The Custom Object also carries an x_object_refs array listing all of its indicator IDs as a redundant association hint for tools that don’t process the SROs.
Every object’s created_by_ref points to the stable OSM producer identity identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10. The identity SDO itself is not bundled — including it triggers UUID-conflict errors in Anomali ThreatStream on repeated polls. Consumers that want to resolve the reference can register that identity once in their environment. IOC types wallet_address, file_path, and other are skipped (no clean STIX SCO). All others are mapped as follows:
ioc_type                              STIX pattern
ip_address                            [ipv4-addr:value = '…']
domain                                [domain-name:value = '…']
url                                   [url:value = '…']
file_hash_md5                         [file:hashes.'MD5' = '…']
file_hash_sha1                        [file:hashes.'SHA-1' = '…']
file_hash_sha256                      [file:hashes.'SHA-256' = '…']
email_address                         [email-addr:value = '…']
c2_server                             inferred: ipv4-addr / ipv6-addr / domain-name / url
registry_key                          [windows-registry-key:key = '…']
github_user                           [url:value = 'https://github.com/…']
github_repo                           [url:value = 'https://github.com/…']
npm_user                              [url:value = 'https://www.npmjs.com/~…']
npm_package                           [url:value = 'https://registry.npmjs.org/…']
pypi_package                          [url:value = 'https://pypi.org/project/…/']
wallet_address / file_path / other    skipped

Response example

{
  "type": "bundle",
  "id": "bundle--550e8400-e29b-41d4-a716-446655440000",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:WHITE",
      "definition": { "tlp": "white" }
    },
    {
      "type": "x-malicious-package",
      "spec_version": "2.1",
      "id": "x-malicious-package--<threat-id>",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "name": "npm:evil-package@1.0.0",
      "description": "Contains cryptocurrency mining code",
      "x_registry": "npm",
      "x_package_name": "evil-package",
      "x_version_info": "1.0.0",
      "x_severity_level": "critical",
      "x_status": "verified",
      "x_object_refs": ["indicator--<uuid>"]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--<uuid>",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "name": "domain: evil-exfil.xyz",
      "description": "IOC extracted from malicious package 'evil-package' (npm)",
      "indicator_types": ["malicious-activity"],
      "pattern": "[domain-name:value = 'evil-exfil.xyz']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "valid_from": "2024-01-14T22:00:00.000Z",
      "valid_until": "2025-01-14T22:00:00.000Z",
      "confidence": 90,
      "x_ioc_type": "domain",
      "x_ioc_value": "evil-exfil.xyz"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--<uuid>",
      "created_by_ref": "identity--b4a2a0a6-1f4e-4f2c-9c6a-7f1d2c5a0b10",
      "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
      "created": "2024-01-15T12:00:00.000Z",
      "modified": "2024-01-15T12:00:00.000Z",
      "relationship_type": "related-to",
      "source_ref": "indicator--<uuid>",
      "target_ref": "x-malicious-package--<threat-id>"
    }
  ]
}
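As an added example (not OSM's own client code), the following consumer joins each indicator to its x-malicious-package through the related-to SROs, flags any ID that appears in x_object_refs without a matching SRO, and parses the single-comparison STIX patterns from the mapping table back into (object path, value) pairs ready for a blocklist. The bundle is a constructed sample in the documented shape; the SHA-256 indicator is deliberately left without an SRO to show the cross-check.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the documented bundle shape (not a real feed response).
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
 {"type": "x-malicious-package", "id": "x-malicious-package--11111111-1111-4111-8111-111111111111",
  "name": "npm:evil-package@1.0.0", "x_registry": "npm", "x_package_name": "evil-package",
  "x_object_refs": ["indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
                    "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"]},
 {"type": "indicator", "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
  "pattern": "[domain-name:value = 'evil-exfil.xyz']", "pattern_type": "stix"},
 {"type": "indicator", "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "pattern_type": "stix"},
 {"type": "relationship", "id": "relationship--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
  "relationship_type": "related-to",
  "source_ref": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
  "target_ref": "x-malicious-package--11111111-1111-4111-8111-111111111111"}]}
""")

# Single-comparison patterns as this feed emits them, e.g. [file:hashes.'SHA-256' = '...'].
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\]$")

def parse_pattern(pattern):
    """Return (object_path, value) for a simple STIX comparison pattern, else None."""
    m = PATTERN_RE.match(pattern)
    if not m:
        return None
    # STIX string literals escape ' and \ with a backslash; undo that for the raw IOC value.
    return f"{m.group(1)}:{m.group(2)}", re.sub(r"\\(.)", r"\1", m.group(3))

def index_bundle(bundle):
    """Join indicators to packages via related-to SROs; cross-check against x_object_refs."""
    objs = {o["id"]: o for o in bundle["objects"]}
    linked = defaultdict(set)  # package id -> indicator ids seen in SROs
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "related-to":
            linked[o["target_ref"]].add(o["source_ref"])
    rows, warnings = [], []
    for pkg in (o for o in bundle["objects"] if o["type"] == "x-malicious-package"):
        hinted = set(pkg.get("x_object_refs", []))
        for ref in sorted(hinted - linked[pkg["id"]]):
            warnings.append(f"{pkg['name']}: {ref} is in x_object_refs but has no related-to SRO")
        for ref in hinted | linked[pkg["id"]]:  # accept either association path
            parsed = parse_pattern(objs[ref]["pattern"]) if ref in objs else None
            if parsed:
                rows.append((pkg["name"], *parsed))
    return sorted(rows), warnings
```

Patterns with more than one comparison (for example a c2_server that resolved to both an address and a domain) return None from parse_pattern and should be routed to a full STIX pattern parser rather than a regex.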

cURL example

curl -H "Authorization: Bearer osm_your_token" \
  "https://api.opensourcemalware.com/functions/v1/anomali-feed?ecosystem=npm&hours=1"

Rate limits

  • Pro users: 180 requests per minute
  • Admin / Editor: 360 requests per minute
  • Per-IP: 500 requests per 15 minutes