Skip to main content
The /submit-threat endpoint lets you submit threat reports programmatically without using the OSM web interface. This is useful for automating your reporting workflow — for example, when your internal tooling detects a suspicious package and you want to flag it to the OSM community immediately. Submitted reports enter the community verification process and are only published after passing review. Endpoint 
POST https://api.opensourcemalware.com/functions/v1/submit-threat
Required header 
Authorization: Bearer osm_your_token

Request body

Send a JSON body with the following fields:
report_type
string
required
The category of resource you are reporting. Accepted values: package, repository, url, domain, ip, wallet, container.
resource_identifier
string
required
The identifier for the resource — for example, a package name, a full repository URL (including https://), a domain, an IP address, or a wallet address.
ecosystem
string
For package report types, the package registry: npm, pypi, maven, nuget, vscode, skills. For container report types: dockerhub, ghcr, quay.
description
string
required
A clear description of the threat behavior. Explain what the resource does and why it is malicious. The more specific and evidence-backed your description, the faster the verification process.
severity_level
string
Your assessment of the threat severity. Accepted values: critical, high, medium, low, informational. If omitted, the verification team will assign a severity during review.
tags
string[]
An array of category tags that describe the threat behavior, for example: ["infostealer", "supply-chain"]. Tags help with filtering and discovery.
evidence_urls
string[]
An array of URLs pointing to supporting evidence — blog posts, security advisories, GitHub issues, VirusTotal reports, and similar sources. Strong evidence accelerates verification.
affected_versions
string
The specific version or version range affected, if applicable. For example: "1.2.3", ">=1.0.0 <2.0.0", or "all".

cURL example

curl -X POST "https://api.opensourcemalware.com/functions/v1/submit-threat" \
  -H "Authorization: Bearer osm_your_token" \
  -H "Content-Type: application/json" \
  -d '{
    "report_type": "package",
    "resource_identifier": "malicious-pkg",
    "ecosystem": "npm",
    "description": "This package exfiltrates environment variables to an external server during the postinstall lifecycle hook.",
    "severity_level": "critical",
    "tags": ["infostealer", "supply-chain"],
    "evidence_urls": [
      "https://github.com/example/security-research/issues/42"
    ],
    "affected_versions": ">=1.0.0"
  }'

Success response

A successful submission returns HTTP 200 with a confirmation object including the new report’s ID: 
{
  "success": true,
  "message": "Threat report submitted successfully and is pending community verification.",
  "report_id": "d4e5f6a7-b8c9-0123-defa-234567890123"
}
Submitted reports go through the OSM community verification process before they are published to the database. This review ensures data quality and prevents false positives. You can track the status of your submissions from your profile on opensourcemalware.com.
For guidance on writing high-quality threat reports — including what evidence to include and how to describe threat behavior — see the reporting guidelines.