Who can submit reports
Any registered OSM user can submit a threat report. Sign in with your GitHub account or email at opensourcemalware.com/auth to get started. Your profile is used to verify your identity and track your contributions over time. Reports flagged as false positives are tracked on your profile, so take time to confirm a threat is genuinely malicious before submitting.
What you can report
OSM accepts reports across a broad range of resource types:

| Resource type | What is covered |
|---|---|
| Packages | npm, PyPI, Maven, NuGet, VS Code extensions, and AI Skills. |
| Repositories | GitHub and GitLab repositories linked to malicious activity. |
| URLs & domains | Malicious URLs and domains, including phishing and C2 infrastructure. |
| IP addresses | Command-and-control (C2) servers and other malicious IP addresses. |
| Crypto wallets | Wallets associated with theft, scams, or ransomware payments. |
| Containers | Malicious images from Docker Hub, GitHub Container Registry (GHCR), and Quay. |
What to include in a submission
The submission form collects two categories of information: required fields that must be present for a report to enter review, and recommended fields that significantly improve review speed and accuracy.

Required fields
| Field | Description |
|---|---|
| Report type | The resource category: package, repository, URL, domain, IP, wallet, or container. |
| Resource identifier | The package name, full URL, domain, IP address, wallet address, or image reference that identifies the threat. |
| Threat description | A clear explanation of the malicious behavior, written so reviewers and other users can understand the risk. |
Recommended fields
| Field | Description |
|---|---|
| Severity | Critical, High, Medium, Low, or Informational. |
| Affected versions | Specific versions or ranges where the malicious behavior is present (packages only). |
| Tags | Categorization labels such as backdoor, crypto-stealer, or typosquatting. |
| Evidence URLs | Links to OSV/GHSA advisories, analysis blog posts, or security reports. |
| Payload description | Technical details about what the malicious code or behavior actually does. |
| Publisher information | The author username, email address, or organization behind the resource. |
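A local pre-flight check that runs the same required/recommended split described above before you fill in the form. This is an added example, not OSM's own code or API: the dictionary key names, the per-type identifier format rules, and the minimum description length are assumptions, and the sample reports at the bottom are constructed. Useful mainly for catching the two things that most often send a report back: a missing required field and a resource identifier that does not parse as the type claimed.

```python
"""Pre-submission checker for OSM-style threat reports (added example, not OSM code)."""
import ipaddress
import re
from urllib.parse import urlparse

# Field vocabulary from the page; key names are assumptions for this script.
REPORT_TYPES = {"package", "repository", "url", "domain", "ip", "wallet", "container"}
SEVERITIES = {"Critical", "High", "Medium", "Low", "Informational"}
REQUIRED = ("report_type", "resource_identifier", "threat_description")
RECOMMENDED = ("severity", "affected_versions", "tags", "evidence_urls",
               "payload_description", "publisher_information")

# Assumed format rules: RFC 1123-style hostname labels, and an image reference
# of the form [registry/]repo[:tag | @sha256:digest].
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)((?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_IMAGE_RE = re.compile(r"^[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_.-]{1,128}|@sha256:[a-f0-9]{64})?$")


def identifier_ok(report_type, ident):
    """Return True if `ident` plausibly identifies a resource of `report_type`."""
    if report_type == "ip":
        try:
            ipaddress.ip_address(ident)
            return True
        except ValueError:
            return False
    if report_type == "url":
        p = urlparse(ident)
        return p.scheme in ("http", "https") and bool(p.netloc)
    if report_type == "domain":
        return bool(_DOMAIN_RE.match(ident))
    if report_type == "repository":
        p = urlparse(ident)
        segments = [s for s in p.path.split("/") if s]
        return p.scheme == "https" and p.netloc in ("github.com", "gitlab.com") and len(segments) >= 2
    if report_type == "container":
        return bool(_IMAGE_RE.match(ident))
    # Package names and wallet addresses differ per ecosystem/chain; only
    # reject empty or whitespace-containing values here.
    return bool(ident) and not any(c.isspace() for c in ident)


def check_report(report):
    """Return (errors, warnings): errors block submission, warnings flag recommended-field gaps."""
    errors, warnings = [], []
    for field in REQUIRED:
        if not str(report.get(field, "")).strip():
            errors.append(f"missing required field: {field}")
    rt = report.get("report_type")
    if rt and rt not in REPORT_TYPES:
        errors.append(f"unknown report type: {rt}")
    ident = str(report.get("resource_identifier", "")).strip()
    if rt in REPORT_TYPES and ident and not identifier_ok(rt, ident):
        errors.append(f"resource identifier does not look like a valid {rt}")
    if len(str(report.get("threat_description", "")).strip()) < 40:  # assumed minimum
        warnings.append("threat description is very short; describe the malicious behavior")
    severity = report.get("severity")
    if severity and severity not in SEVERITIES:
        errors.append(f"unknown severity: {severity}")
    for field in RECOMMENDED:
        if field == "affected_versions" and rt != "package":
            continue  # the page scopes affected versions to packages only
        if not report.get(field):
            warnings.append(f"recommended field not set: {field}")
    for url in report.get("evidence_urls", []):
        if not identifier_ok("url", url):
            errors.append(f"evidence URL is not an http(s) URL: {url}")
    return errors, warnings


# Constructed sample reports (documentation-range IP, placeholder evidence URL).
GOOD_REPORT = {
    "report_type": "ip",
    "resource_identifier": "203.0.113.7",
    "threat_description": "Constructed example: host receives beacon check-ins from a "
                          "credential-stealing package's install-time script.",
    "severity": "High",
    "tags": ["c2"],
    "evidence_urls": ["https://example.com/analysis-placeholder"],
    "payload_description": "Constructed example: periodic HTTPS POST of harvested tokens.",
    "publisher_information": "unknown",
}
BAD_REPORT = {"report_type": "ip", "resource_identifier": "203.0.113.999", "threat_description": "bad"}

if __name__ == "__main__":
    for name, rep in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        errs, warns = check_report(rep)
        print(name, "errors:", errs, "warnings:", warns)
```

Run it before submitting: anything in `errors` would not pass the required-field bar on the page, while `warnings` lists the recommended fields reviewers will otherwise have to reconstruct themselves.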
Next steps
Reporting guidelines
Best practices for writing high-quality reports that pass review the first time.
Verification process
How the community reviews submissions and what happens after you submit.