# Open Source Malware

> Connect the Open Source Malware threat feed to RAD Security for malicious package intelligence.

# Open Source Malware Integration Setup

This guide walks you through connecting the [Open Source Malware](https://opensourcemalware.com) threat feed to RAD Security so that newly published malicious packages (npm, PyPI, and other ecosystems) flow into your workspace as threat indicators.

Open Source Malware curates intelligence on packages, domains, and repositories that have been observed delivering malware in open source ecosystems. With this integration, RAD Security continuously pulls the latest indicators on a schedule and surfaces matches against the workloads, dependencies, and runtime activity it already sees.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * An Open Source Malware account with an API token
  * Access to a RAD Security workspace with integration permissions
</Check>

<Info>
  If you do not yet have an Open Source Malware account, sign up at [opensourcemalware.com](https://opensourcemalware.com) and request API access.
</Info>

***

## Step 1: Generate an Open Source Malware API Token

<Steps>
  <Step title="Sign in to Open Source Malware">
    Sign in to your Open Source Malware account at [https://opensourcemalware.com](https://opensourcemalware.com).
  </Step>

  <Step title="Create an API Token">
    1. Navigate to your **Account** or **API** settings
    2. Click **Create API token**
    3. Give the token a recognizable name (e.g. `RAD Security`)
    4. Copy the token value

    <Warning>
      The token is typically shown only once. Store it in a password manager or secrets vault before leaving the page.
    </Warning>
  </Step>
</Steps>

***

## Step 2: Configure in RAD Security

In your RAD Security workspace, add a new **Open Source Malware** integration with the following parameter:

| Parameter     | Description                       | Example        |
| ------------- | --------------------------------- | -------------- |
| **API Token** | The API token generated in Step 1 | `osm_live_...` |

When you save the integration, RAD Security verifies the token by calling the Open Source Malware API and immediately schedules the recurring threat feed pull.

***

## Verify Integration

1. Navigate to **Data Sources → Integrations** in RAD Security
2. Locate your **Open Source Malware** integration
3. Confirm the connection status shows as **Connected**
4. After the first sync window, open **Threat Vectors / Threat Feeds** and filter for the Open Source Malware source to see ingested indicators

<Check>
  Your Open Source Malware integration is now active. RAD Security will continue to pull new malicious package indicators on its sync interval.
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="Malicious Package Indicators" icon="box">
    * Package name, ecosystem (npm, PyPI, etc.), and affected version range
    * Threat classification, severity, and confidence
    * Discovery date and last-seen timestamp
    * Source URL on opensourcemalware.com
  </Accordion>

  <Accordion title="Associated Indicators" icon="diagram-project">
    * Related malicious domains, repositories, and URLs
    * Hashes and identifiers for detected payloads
    * Tags describing the campaign or technique
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Dependency Risk" icon="sitemap">
    Detect when your repositories or running containers consume packages that match a known malicious indicator.
  </Card>

  <Card title="Supply Chain Threats" icon="shield-virus">
    Block or alert on workloads that pull a newly disclosed malicious package soon after it is published.
  </Card>

  <Card title="Threat Hunting" icon="binoculars">
    Pivot on shared indicators (domains, repos, hashes) to discover related activity across your environment.
  </Card>

  <Card title="Incident Triage" icon="bell">
    Enrich incidents with curated open source malware context so responders can quickly judge severity.
  </Card>
</CardGroup>
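
To make the **Dependency Risk** use case concrete, the sketch below matches package indicators of the kind listed under **What Data is Synced** (name, ecosystem, affected version range) against a dependency inventory. It is an added example, not RAD Security or Open Source Malware code; the record field names, the range syntax, and every sample value are assumptions constructed for illustration.

```python
import operator
import re

# Constructed sample records. Field names and range syntax are assumptions,
# not the Open Source Malware feed's actual schema.
INDICATORS = [
    {"ecosystem": "pypi", "name": "Example_Pkg.Utils", "affected": ">=1.0.0,<1.0.3", "severity": "critical"},
    {"ecosystem": "npm", "name": "@example-scope/left-padder", "affected": "*", "severity": "high"},
]
# Constructed inventory: (ecosystem, name, version) as read from lockfiles.
DEPS = [
    ("pypi", "example-pkg-utils", "1.0.2"),
    ("pypi", "EXAMPLE.pkg_utils", "1.0.3rc1"),
    ("npm", "@example-scope/left-padder", "0.9.1"),
    ("npm", "left-padder", "0.9.1"),
]
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "==": operator.eq}

def norm_name(ecosystem, name):
    # PyPI names are case-insensitive and treat runs of -, _ and . alike
    # (PEP 503); npm names, scope included, are compared exactly.
    return re.sub(r"[-_.]+", "-", name).lower() if ecosystem == "pypi" else name

def vtuple(version):
    # Plain dotted-numeric versions only; anything else raises ValueError.
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_range(version, spec):
    for clause in ([] if spec == "*" else spec.split(",")):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not OPS[m.group(1)](vtuple(version), vtuple(m.group(2))):
            return False
    return True

def match(deps, indicators):
    hits = []
    for eco, name, version in deps:
        for ind in indicators:
            if eco != ind["ecosystem"] or norm_name(eco, name) != norm_name(eco, ind["name"]):
                continue
            try:
                if in_range(version, ind["affected"]):
                    hits.append((name, version, ind["severity"], "version in affected range"))
            except ValueError:  # known-bad name, unparseable version: surface it
                hits.append((name, version, ind["severity"], "needs review"))
    return hits
```

Two failure modes are handled on purpose: a PyPI dependency spelled differently from the indicator still matches after normalization, and a version the simple parser cannot compare is reported for review instead of being silently treated as clean.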

## Troubleshooting

<AccordionGroup>
  <Accordion title="Verification fails with 401 Unauthorized" icon="triangle-exclamation">
    **Possible causes:**

    * API token was copied incorrectly (extra spaces or truncated value)
    * Token was revoked or rotated in Open Source Malware

    **Solution:**

    * Re-copy the token from the Open Source Malware UI
    * Generate a new token if the previous one was revoked, and update the RAD Security integration
  </Accordion>

  <Accordion title="No indicators appear after the first sync" icon="database-slash">
    **Possible causes:**

    * The first scheduled poll has not yet run
    * The API token is valid but does not have access to the relevant ecosystem feeds

    **Solution:**

    * Wait for at least one sync interval to complete
    * Check the integration's **Last sync** timestamp in RAD Security
    * Contact Open Source Malware support if you expect access to feeds that are not appearing
  </Accordion>

  <Accordion title="Rotating the API Token" icon="rotate">
    1. Generate a new token in Open Source Malware
    2. Edit the integration in RAD Security and replace the **API Token** value
    3. Save — RAD Security re-verifies on save
    4. Revoke the old token in Open Source Malware
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Dedicated Token" icon="user-gear">
    Use a token created specifically for the RAD Security integration so it can be rotated and audited independently.
  </Card>

  <Card title="Rotate Regularly" icon="rotate">
    Rotate the API token on a schedule that matches your security policy (e.g. every 90 days).
  </Card>

  <Card title="Secret Storage" icon="lock">
    Store the API token in a secrets manager. Never commit it to source control or share it in chat.
  </Card>

  <Card title="Monitor Sync Health" icon="chart-line">
    Watch the integration's **Last sync** status — a stale sync usually means the token has expired or has been revoked.
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Data Sources" icon="database" href="/rad-security/integrations/data-sources">
    Explore all available data sources
  </Card>

  <Card title="Vulnerabilities" icon="shield-halved" href="/rad-security/integrations/vulnerabilities/overview">
    Combine open source malware indicators with vulnerability scanners
  </Card>

  <Card title="Workspace" icon="chart-line" href="/rad-security/platform/workspace">
    Triage threat feed findings alongside other security signals
  </Card>

  <Card title="Engineering Integrations" icon="code-branch" href="/rad-security/integrations/engineering/overview">
    Connect engineering platforms to map indicators to your repositories
  </Card>
</CardGroup>
