Threat reporting is how the OpenSourceMalware community shares information about malicious packages, repositories, and infrastructure. When you submit a report, you contribute directly to a shared database that security teams, developers, and automated tools rely on to block and research threats across the open-source ecosystem. Every verified report you submit adds to your community profile and earns you recognition as a contributor.

Who can submit reports

Any registered user can submit a threat report. Sign in at opensourcemalware.com/auth to get started (please note, you must contact us to sign up via email). Your profile is used to verify your identity and track your contributions over time. Threat reports can be submitted through the web interface at opensourcemalware.com/report or programmatically via the submit-threat API endpoint.
Reports flagged as false positives are tracked on your profile. Take time to confirm a threat is genuinely malicious before submitting.

What you can report

OpenSourceMalware accepts reports across a broad range of resource types. The one rule? All reports must relate to the delivery of malicious open source.

Packages

Malicious packages on npm, PyPI, Maven, NuGet, RubyGems, Packagist, Crates.io, Go Modules, VS Code Marketplace, Open VSX, and AI Skills registries.

Container images

Malicious container images on Docker Hub, GitHub Container Registry (GHCR), Quay, and other registries.

Repositories

GitHub, GitLab, and Bitbucket repositories that contain malicious code or serve as staging infrastructure for payload distribution.

Domains & URLs

Command-and-control (C2) servers, phishing domains, and specific malicious URLs used to deliver payloads or exfiltrate data.

IP addresses

Malicious IP addresses tied to C2 infrastructure, attack sources, and known threat actor networks.

Crypto wallets

Cryptocurrency wallet addresses embedded in malicious payloads as a covert channel to relay commands or exfiltrate data.

What to include in a submission

The submission form collects two categories of information:
  • Required fields that must be present for a report to enter review
  • Recommended fields that significantly improve review speed and accuracy

Required fields

| Field | Description |
| --- | --- |
| Report type | The resource category: package, repository, URL, domain, IP, wallet, or container. |
| Resource identifier | The package name, full URL, domain, IP address, wallet address, or image reference that identifies the threat. |
| Threat description | A clear explanation of the malicious behavior, written so reviewers and other users can understand the risk. |

Recommended fields

| Field | Description |
| --- | --- |
| Severity | Critical, High, Medium, Low, or Informational. |
| Affected versions | Specific versions or ranges where the malicious behavior is present (packages only). |
| Tags | Categorization labels such as backdoor, crypto-stealer, or typosquatting. |
| Evidence URLs | Links to OSV/GHSA advisories, analysis blog posts, or security reports. |
| Payload description | Technical details about what the malicious code or behavior actually does. |
| Publisher information | The author username, email address, or organization behind the resource. |
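
A local pre-submission check over the required and recommended fields listed above, as an added example that is not OpenSourceMalware code. The dict key names are hypothetical and do not reflect the submit-threat API schema, and treating a "full URL" as one with both a scheme and a host is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Allowed values come from the field tables; the dict key names are hypothetical.
REPORT_TYPES = {"package", "repository", "url", "domain", "ip", "wallet", "container"}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}
REQUIRED = ("report_type", "resource_identifier", "threat_description")
RECOMMENDED = ("severity", "affected_versions", "tags", "evidence_urls",
               "payload_description", "publisher")

def is_full_url(value):
    parts = urlparse(str(value))
    return bool(parts.scheme and parts.netloc)  # assumption: scheme plus host

def lint_report(draft):
    """Return (errors, warnings) for a draft report dict."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not str(draft.get(key) or "").strip():
            errors.append(f"missing required field: {key}")
    rtype = str(draft.get("report_type") or "").strip().lower()
    ident = str(draft.get("resource_identifier") or "").strip()
    if rtype and rtype not in REPORT_TYPES:
        errors.append(f"unknown report type: {rtype}")
    if rtype == "ip" and ident:
        try:
            ipaddress.ip_address(ident)
        except ValueError:
            errors.append(f"not a valid IP address: {ident}")
    if rtype == "url" and ident and not is_full_url(ident):
        errors.append(f"not a full URL: {ident}")
    severity = str(draft.get("severity") or "").strip().lower()
    if severity and severity not in SEVERITIES:
        errors.append(f"unknown severity: {severity}")
    if draft.get("affected_versions") and rtype != "package":
        errors.append("affected_versions applies to packages only")
    for url in draft.get("evidence_urls") or []:
        if not is_full_url(url):
            errors.append(f"evidence link is not a full URL: {url}")
    for key in RECOMMENDED:
        packages_only = key == "affected_versions" and rtype != "package"
        if not packages_only and not draft.get(key):
            warnings.append(f"recommended field not set: {key}")
    return errors, warnings

# Constructed draft using documentation-reserved placeholders, not a real report.
SAMPLE = {"report_type": "ip", "resource_identifier": "203.0.113.999",
          "threat_description": "C2 endpoint contacted by a postinstall script",
          "severity": "Severe", "affected_versions": ">=1.2.0"}
```

Errors correspond to fields that contradict the tables above; warnings only flag recommended fields left empty.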

Updating reports

Anyone can update any threat record, whether you submitted the original report or someone else did. This is helpful when new information becomes available about the malicious asset, such as IOCs or threat actor attribution. Updates go through the same approval process as the initial report to ensure data quality remains high. Approved threat record updates also earn you points on the Security Researcher Leaderboard (at a lower point value than submitting the report itself).

Next steps

Reporting guidelines

Best practices for writing high-quality reports that pass review the first time.

Verification process

How the community reviews submissions and what happens after you submit.