The /threat-feed endpoint returns a stream of recently verified threat records from the OSM database. Instead of checking individual resources one at a time, you can pull the latest verified threats in bulk and use them to power automated alerting, keep your blocklists current, or enrich your existing security tooling. The feed reflects the community-verified state of the database — only threats that have passed the OSM verification process appear here.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/threat-feed
Required header
Authorization: Bearer osm_your_token
cURL example
curl -X GET "https://api.opensourcemalware.com/functions/v1/threat-feed" \
  -H "Authorization: Bearer osm_your_token"
The endpoint returns a JSON array of threat objects. Each object follows the same shape as the details block returned by /check-malicious, with additional top-level fields identifying the resource type and identifier.
[
  {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "status": "verified",
    "severity_level": "critical",
    "report_type": "package",
    "resource_identifier": "evil-pkg",
    "ecosystem": "npm",
    "description": "Exfiltrates environment variables and sends them to an external server on install.",
    "tags": ["infostealer", "supply-chain"],
    "first_seen": "2025-01-05T12:00:00Z",
    "last_seen": "2025-01-10T08:30:00Z"
  },
  {
    "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
    "status": "verified",
    "severity_level": "high",
    "report_type": "domain",
    "resource_identifier": "c2-server.malware.net",
    "ecosystem": null,
    "description": "Active command-and-control domain used by a credential-stealing campaign targeting developers.",
    "tags": ["c2", "credential-theft"],
    "first_seen": "2025-02-14T09:15:00Z",
    "last_seen": "2025-03-01T17:45:00Z"
  },
  {
    "id": "c3d4e5f6-a7b8-9012-cdef-123456789012",
    "status": "verified",
    "severity_level": "medium",
    "report_type": "container",
    "resource_identifier": "malicious/cryptominer",
    "ecosystem": "dockerhub",
    "description": "Container image that deploys an XMRig cryptominer on startup.",
    "tags": ["cryptominer"],
    "first_seen": "2025-03-10T06:00:00Z",
    "last_seen": "2025-03-22T11:20:00Z"
  }
]
The OSM API also supports returning threat feed data in STIX (Structured Threat Information Expression) format, making it compatible with threat intelligence platforms and SIEMs that consume STIX bundles. To request STIX output, contact info@osmsecurity.com for access details.
Combine the threat feed with your internal tooling to build automated alerting pipelines. For example, pull the feed on a schedule, diff it against your last known state, and trigger alerts or blocklist updates only for new entries. This keeps your security controls current without requiring manual review of every new threat report.
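One way to implement the scheduled pull-and-diff described above, as an added example that is not OSM's own code. It assumes records are keyed on their `id` field and that state lives in a local JSON file; the function names, the state file and the `handle` callback are hypothetical.

```python
import json, os, tempfile, urllib.request

FEED_URL = "https://api.opensourcemalware.com/functions/v1/threat-feed"

def fetch_feed(token):  # live call, not exercised by the offline sample below
    req = urllib.request.Request(FEED_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def load_state(path):
    """State maps record id -> last_seen from earlier runs ({} on the first run)."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}

def save_state(path, state):
    """Write atomically so a crash mid-write cannot leave a truncated state file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)

def diff_feed(records, state):
    """Return (new_records, next_state); a record is new if its id is not in state."""
    new, next_state = [], dict(state)  # old ids are kept so aged-out entries never re-alert
    for rec in records:
        # Skip malformed or unverified entries instead of aborting the whole run.
        ok = isinstance(rec, dict) and isinstance(rec.get("id"), str) and rec.get("resource_identifier")
        if not ok or rec.get("status") != "verified":
            continue
        if rec["id"] not in next_state:
            new.append(rec)
        next_state[rec["id"]] = rec.get("last_seen")
    return new, next_state

def run_once(records, state_path, handle):
    """One scheduled run. State is saved only after handle() returns, so a failed alert is retried."""
    new, next_state = diff_feed(records, load_state(state_path))
    if new:
        handle(new)
    save_state(state_path, next_state)
    return new

# Constructed sample, trimmed from the response format shown above.
SAMPLE = [
    {"id": "a1b2", "status": "verified", "report_type": "package", "resource_identifier": "evil-pkg", "ecosystem": "npm", "last_seen": "2025-01-10T08:30:00Z"},
    {"id": "b2c3", "status": "verified", "report_type": "domain", "resource_identifier": "c2-server.malware.net", "ecosystem": None, "last_seen": "2025-03-01T17:45:00Z"},
]
```

In a scheduled job, call `run_once(fetch_feed(token), state_path, handle)` where `handle` sends the alert or updates the blocklist; if it raises, the state file is left untouched and the same entries are reported on the next run.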