The threat-feed endpoint returns verified threats added to the OSM database within a rolling time window. Poll it every hour with hours=1 to never miss a threat.
Subscription Required: This is a paid endpoint available to Researcher Pro and Enterprise users.
Use this endpoint to:
- Keep blocklists current: Pull newly verified threats on a schedule and automatically update your block rules without manual review.
- Power automated alerting: Feed new threats into your SIEM, SOAR, or internal alerting pipeline as they are verified.
- Recover missed threats: Use a larger hours value (up to 24) to catch up after a poller outage without re-ingesting your entire threat history.
Endpoint
GET https://api.opensourcemalware.com/functions/v1/threat-feed
Required header
Authorization: Bearer osm_your_token
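Alternative: Pass the API key as a query parameter: ?apikey=osm_your_token. Prefer the Authorization header where you can, because URLs with their query strings are commonly recorded in proxy and server logs.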
Pro Role Required
This endpoint requires a Pro or Enterprise API key. Standard API tokens will receive a 403 Forbidden response.
Query parameters
ecosystem is required. Package ecosystem or threat type. Same values as query-latest: npm, pypi, crates, nuget, maven, go, packagist, rubygems, vscode, openvsx, repositories, domains.
hours is optional. Lookback window in hours. Integer between 1 and 24. Default: 1. For example, hours=6 returns all threats verified in the last 6 hours.
Response example
Success (200)
{
  "count": 5,
  "window_hours": 1,
  "ecosystem": "npm",
  "from": "2026-04-11T10:00:00.000Z",
  "to": "2026-04-11T11:00:00.000Z",
  "threats": [
    {
      "id": "uuid",
      "package_name": "malicious-pkg",
      "threat_description": "Contains data exfiltration",
      "severity_level": "critical",
      "registry": "npm",
      "verified_at": "2026-04-11T10:30:00Z",
      "tags": ["infostealer"]
    }
  ]
}
cURL examples
Poll for npm threats in the last hour (default):
curl -H "Authorization: Bearer osm_your_token" \
"https://api.opensourcemalware.com/functions/v1/threat-feed?ecosystem=npm"
Get PyPI threats from the last 6 hours:
curl -H "Authorization: Bearer osm_your_token" \
"https://api.opensourcemalware.com/functions/v1/threat-feed?ecosystem=pypi&hours=6"
Get all repository threats from the last 24 hours:
curl -H "Authorization: Bearer osm_your_token" \
"https://api.opensourcemalware.com/functions/v1/threat-feed?ecosystem=repositories&hours=24"
- Never miss a threat: Set up a cron job to call this endpoint every hour with hours=1. Each call returns all threats verified since the last poll.
- Catch-up window: If your poller goes down, use a larger hours value (up to 24) to recover any missed threats.
- No duplicates: Results are filtered by verified_at timestamp, so overlapping windows will return the same threats; deduplicate by threat id.
The OSM API also supports returning threat feed data in STIX (Structured Threat Information Expression) format, making it compatible with threat intelligence platforms and SIEMs that consume STIX bundles. To request STIX output, contact info@osmsecurity.com for access details.
Combine the threat feed with your internal tooling to build automated alerting pipelines. For example, pull the feed on a schedule, diff it against your last known state, and trigger alerts or block-list updates only for new entries. This keeps your security controls current without requiring manual review of every new threat report.
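The polling, catch-up and deduplication advice above, as an added example (not OSM's own code): it sizes hours from the time of the last successful poll, so a late or missed run widens the window, and keeps only threats whose id has not been seen before. The names window_hours, fetch_feed and new_threats and the sample responses are constructed for illustration; taking the full 24-hour window on a first run is an assumption.

```python
import json, math, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

FEED_URL = "https://api.opensourcemalware.com/functions/v1/threat-feed"
MAX_HOURS = 24  # largest hours value the endpoint accepts

def window_hours(last_ok, now):
    """Pick hours to cover the gap since the last successful poll.
    Returns (hours, gap_too_long); gap_too_long means the 24h cap cannot cover it."""
    if last_ok is None:          # first run: assumption, take the widest window
        return MAX_HOURS, False
    needed = max(1, math.ceil((now - last_ok).total_seconds() / 3600))
    return min(needed, MAX_HOURS), needed > MAX_HOURS

def fetch_feed(token, ecosystem, hours):
    """GET the feed, sending the token in the Authorization header."""
    qs = urllib.parse.urlencode({"ecosystem": ecosystem, "hours": hours})
    req = urllib.request.Request(f"{FEED_URL}?{qs}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def new_threats(feed, seen_ids):
    """Return threats not seen before, recording their ids in seen_ids."""
    fresh = []
    for threat in feed["threats"]:
        if threat["id"] not in seen_ids:
            seen_ids.add(threat["id"])
            fresh.append(threat)
    return fresh

# Constructed sample responses (not real feed data): two overlapping windows.
POLL_1 = {"threats": [{"id": "a1", "package_name": "malicious-pkg"}]}
POLL_2 = {"threats": [{"id": "a1", "package_name": "malicious-pkg"},
                      {"id": "b2", "package_name": "other-pkg"}]}

if __name__ == "__main__":
    seen = set()                 # persist this between runs in a real poller
    now = datetime(2026, 4, 11, 11, 0, tzinfo=timezone.utc)
    print(window_hours(now - timedelta(minutes=65), now))  # late cron run
    for feed in (POLL_1, POLL_2):
        print([t["package_name"] for t in new_threats(feed, seen)])
```

Record the last-success timestamp only after a response has been fully processed, and alert when gap_too_long is true, since threats older than the 24-hour window are then outside what this endpoint returns.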