The OpenSourceMalware homepage at opensourcemalware.com displays the live threat feed, with the most recently verified threats at the top. You can search and filter this feed to find specific threats or narrow results to what’s relevant to your environment.

Filters

Four filters are available, and they can be combined.
  • Type: Narrows results to a specific asset category. Options are: Packages, Repositories, URLs, Domains, IP Addresses, Crypto Wallets, and Container Images.
  • Ecosystem: Appears when Packages is selected as the type. Options are: npm, PyPI, Maven, NuGet, RubyGems, Packagist, Crates.io, Go Modules, Open VSX, VS Code Marketplace, and AI Skills.
  • Status: Filters by verification state. Options are: Verified, Pending, False Positive, and Resolved.
  • Sort: Controls the order of results. Options are: Newest, Oldest, Most Downloaded, and Most IOCs. Most Downloaded is a useful signal for assessing the potential blast radius of a threat: higher download counts indicate a more widely used asset.

The search field accepts an asset name or a tag.
  • Name search: The name must be exact to return results. If you are unsure of the full name, use * as a wildcard — for example, mini* will match any asset name beginning with “mini”.
  • Tag search: Prefix your search term with # to search by tag. For example, #contagious-interview returns all threats tagged with that campaign.
Search and filters work together. You can run a keyword search while filters are active to narrow results further.

Threat Records

Each threat has its own webpage that can be accessed by clicking View Details from the search results on the homepage, or by navigating directly to its URL (for example, opensourcemalware.com/pypi/lightning). The record’s UUID appears at the top and can be used to query the threat directly via the API. Also at the top of the record are the asset name, type, ecosystem, weekly and total download counts (for packages), severity, and verification status. It also shows who reported the threat, when it was reported, and when it was verified.

Threat description

A plain-language summary of what the threat does and why it was flagged.

Payload details

A detailed technical breakdown of the malicious behavior, including file names, execution chains, capabilities, and IOCs identified by the reporter. You must be signed in to view payload details.

Package details and timeline

The affected version or version range, the date the threat was reported, and the date it was verified.

Threat actor information

The registry username associated with the malicious resource and a count of other malicious packages attributed to the same user.
Subscription Required: This is a paid feature available to Researcher Pro and Enterprise users.

Threat graph visualization

An interactive graph showing relationships between the threat and other resources in the OSM database that share IOCs. The graph displays connected nodes across ecosystems and IOC types, and shows how many other threats are linked via shared infrastructure.
Subscription Required: This is a paid feature available to Researcher Pro and Enterprise users.

Indicators of Compromise

A structured list of IOCs extracted from the threat, including URLs, file hashes, IP addresses, domains, and other indicators. Each IOC shows its type, value, severity, and how it was sourced (for example, auto-extracted from payload description).
Subscription Required: This is a paid feature available to Researcher Pro and Enterprise users.

Evidence and references

Links to external sources supporting the threat report, such as blog posts, security advisories, or registry pages.

Tags

Tags show how the threat record fits into larger trends and patterns. Clicking a tag runs a search for other threats sharing that tag.