OpenSourceMalware tracks threats across three categories of asset types in a single unified database. Every asset type is queryable through the same check-malicious endpoint and appears in the threat feed, search results, and threat graph visualizations.
Got an idea for something we should support? Contact us to make a request.
Malicious artifacts
Artifacts are active components that get installed or executed in a development or CI/CD environment. They contain malicious code that runs when a dependency is installed, a package is imported, a project is opened, or a pipeline runs.
Packages are the most common threat vector in the open-source supply chain. OSM tracks malicious packages across npm, PyPI, Maven, NuGet, RubyGems, Packagist, Crates.io, Go Modules, VS Code Marketplace, Open VSX, and AI Skills registries.
Container images are malicious images distributed through container registries that execute harmful payloads such as cryptominers, backdoors, or credential stealers when deployed. OSM tracks container threats across Docker Hub, GitHub Container Registry (GHCR), and Quay.
Attacker infrastructure
Infrastructure assets are what malware communicates with to receive commands, pull payloads, or exfiltrate stolen data. Identifying and blocking attacker infrastructure is a critical layer of defense: a malicious package may be removed from a registry, but the infrastructure behind it often persists and gets reused across campaigns.
Domains include command-and-control (C2) servers, phishing domains, and exfiltration endpoints tied to malware campaigns.
URLs are specific malicious endpoints such as payload delivery URLs, phishing pages, or exfiltration targets where the full path matters, not just the domain.
IP addresses cover C2 servers, attack sources, and known malicious hosts associated with threat actor infrastructure.
Crypto wallets are cryptocurrency addresses used to obscure attacker communications and move funds in ways that are difficult to trace. In open-source malware campaigns, wallet addresses are embedded in malicious payloads as a covert channel, a technique known as blockchain steganography or “ether hiding,” where data encoded in transaction fields is used to relay commands or exfiltrate information without triggering traditional network-based detection.
Repositories
Repositories occupy a unique position: they can function as both artifact and infrastructure. A malicious repository may contain code that executes directly, or it may serve as a staging ground for hosting and distributing payloads that other packages download at runtime. OSM tracks malicious repositories on GitHub, GitLab, and Bitbucket.