The threat-data endpoint returns the full threat record for a verified threat, including all associated IOCs. Pass a threat_id from a check-malicious response to retrieve the complete intelligence for that threat.
Subscription Required: This is a paid endpoint available to Researcher Pro and Enterprise users.
Use this endpoint to:
  • Retrieve IOCs for blocking and detection: Pull all indicators associated with a threat to feed into your firewall rules, SIEM detections, or EDR policies.
  • Enrich threat reports: Get the full threat description, severity, tags, and IOC list for a package flagged during dependency scanning.
  • Power automated response: Integrate into incident response workflows to automatically retrieve and act on threat intelligence when a malicious resource is detected.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/threat-data
Required header
Authorization: Bearer osm_your_token
Pro or Enterprise required: This endpoint is restricted to users with Pro or Enterprise roles. Standard API tokens will receive a 403 Forbidden response.

Query parameters

threat_id is required. UUID of the threat to retrieve (e.g. from a check-malicious response).

Response examples

Success (200)

{
  "threat_id": "uuid-here",
  "package_name": "coredxloader",
  "registry": "pypi",
  "report_type": "package",
  "severity_level": "critical",
  "threat_description": "Malicious package that...",
  "osm_url": "https://opensourcemalware.com/pypi/coredxloader",
  "iocs": [
    {
      "ioc_type": "domain",
      "value": "evil.com",
      "confidence_level": "high",
      "description": "C2 callback"
    },
    {
      "ioc_type": "c2_server",
      "value": "1.2.3.4:8080",
      "confidence_level": "medium",
      "description": null
    }
  ],
  "ioc_count": 2
}

Error responses

401
{ "error": "Invalid or inactive API token" }

403
{ "error": "Access denied. This endpoint requires Pro access." }

404
{ "error": "Threat not found or not in verified/modified status." }

429
{ "error": "Rate limit exceeded." }

cURL example

curl -X GET "https://api.opensourcemalware.com/functions/v1/threat-data?threat_id=YOUR_THREAT_UUID" \
  -H "Authorization: Bearer osm_your_token"

Typical workflow

  1. Use check-malicious to check if a package/resource is malicious and get the threat_id from the response
  2. Pass the threat_id to threat-data to retrieve the full threat description and all IOCs
  3. Use the IOCs for automated blocking, detection rules, or threat hunting in your environment
For a complete working example, see the Check and enrich threats guide.
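Step 3 of the workflow, sketched as an added example (not code from the OpenSourceMalware documentation): it sorts the IOCs of a threat-data response into blocklist buckets, splitting the host:port form shown for c2_server and holding back entries below a confidence floor. The function names, the "low" level and the low < medium < high ordering are assumptions; the sample body is the Success (200) response above.

```python
import ipaddress
import json
# Response body taken from the "Success (200)" example on this page.
SAMPLE = json.loads("""{
  "threat_id": "uuid-here", "package_name": "coredxloader", "ioc_count": 2, "iocs": [
    {"ioc_type": "domain", "value": "evil.com", "confidence_level": "high", "description": "C2 callback"},
    {"ioc_type": "c2_server", "value": "1.2.3.4:8080", "confidence_level": "medium", "description": null}
  ]
}""")

# Assumption: levels are ordered low < medium < high (the page shows only the last two).
RANK = {"low": 0, "medium": 1, "high": 2}

def is_ip(text):
    try:
        return ipaddress.ip_address(text) is not None
    except ValueError:
        return False

def split_host_port(value):
    """Split a c2_server value such as '1.2.3.4:8080'; port is None if absent."""
    if is_ip(value):  # bare IPv4/IPv6 address, no port to split off
        return value, None
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)  # brackets wrap IPv6 hosts
    return value, None

def build_blocklist(threat, min_confidence="medium"):
    """Sort IOCs into per-control buckets; unknown or low confidence goes to 'skipped'."""
    iocs = threat.get("iocs") or []
    if threat.get("ioc_count") != len(iocs):
        raise ValueError("ioc_count does not match the number of IOCs returned")
    out = {"domains": set(), "ips": set(), "endpoints": set(), "other": [], "skipped": []}
    for ioc in iocs:
        if RANK.get(ioc.get("confidence_level"), -1) < RANK[min_confidence]:
            out["skipped"].append(ioc["value"])
            continue
        value = ioc["value"].strip().lower()
        if ioc["ioc_type"] == "domain":
            out["domains"].add(value)
        elif ioc["ioc_type"] == "c2_server":
            host, port = split_host_port(value)
            out["ips" if is_ip(host) else "domains"].add(host)
            if port is not None:
                out["endpoints"].add((host, port))
        else:  # IOC types not shown on this page are passed through untouched
            out["other"].append(ioc)
    return out
```

Feed `domains` to DNS or proxy blocking and `ips`/`endpoints` to firewall rules; review `skipped` and `other` by hand rather than blocking on them automatically.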