Supply Chain IoC (TCF-0701)
ReversingLabs Supply Chain Indicators of Compromise (IoC) Feed service delivers access to large volumes of structured threat intelligence data for malicious Open Source Software (OSS) packages and subsequent reclassifications. It delivers all historical data and maintains a continuous stream with approximately a 1 hour delay for new events.
The service includes two primary event types:
- New Malicious Samples: represents confirmed malicious OSS packages or files
- False Positives: marks previously flagged samples that have been reclassified as non-malicious
The service supports time-based querying (e.g., retrieving data after a specified timestamp) and maintains user-specific cursors for reliable incremental consumption.
The service does not include support for the STIX format. Relative or windowed time queries are handled indirectly through the SDK, and the service does not include client-side UI development or analytics processing.
The feed stores events since 2011-03-29.
General Info about Requests/Responses
- Default response format is XML. Supported formats are JSON and XML.
Supply Chain Indicators of Compromise Pull
The Supply Chain Indicators of Compromise (IoC) service delivers access to large volumes of structured threat intelligence data for malicious Open Source Software (OSS) packages and subsequent reclassifications.
View OpenAPI SpecificationRequest
GET /api/feed/supply_chain/ioc/v1/query/pull
Query parameters
format- The format of the response. Supported values:
json,xml(default). - Optional
- The format of the response. Supported values:
limit- Number of records to return in the response. The maximum and default value is
1000. The response may include a little more than the requested number of records to ensure that all the records with the same timestamp are returned. - Optional
- Number of records to return in the response. The maximum and default value is
Response
The response is a JSON object containing the query parameters and the entries that match the requested query.
last_timestamp: Timestamp of the last entry in the feed- Type: string
time_range.to: End time of the query range- Type: string
time_range.from: Start time of the query range- Type: string
entries[]: Array of supply chain IoC entries- Type: array
event_type: Type of event. Supported values:NEW_MALICIOUS- Type: string
md5: MD5 hash of the package- Type: string
sha1: SHA1 hash of the package- Type: string
sha256: SHA256 hash of the package- Type: string
sha512: SHA512 hash of the package- Type: string
filename: Name of the package file- Type: string
sample_size: Size of the package in bytes- Type: string
source_url: URL where the package was downloaded from- Type: string
identity.purl: Package URL identifier- Type: string
identity.community: Package community (e.g., npm, pypi)- Type: string
identity.namespace: Package namespace- Type: string
identity.package: Package name- Type: string
identity.product: Product name- Type: string
identity.version: Package version- Type: string
identity.artifact: Artifact identifier- Type: string
identity.homepage: Package homepage URL- Type: string
identity.repository: Package repository URL- Type: string
identity.published: Package publication timestamp- Type: string
sample_list[]: List of malicious samples found in the package- Type: array
sample_list[].status: Sample status. Supported values:MALICIOUS- Type: string
sample_list[].threat_name: Name of the detected threat- Type: string
sample_list[].threat_level: Threat level (1-5)- Type: string
sample_list[].md5: MD5 hash of the sample- Type: string
sample_list[].sha1: SHA1 hash of the sample- Type: string
sample_list[].sha256: SHA256 hash of the sample- Type: string
Response example
{
"rl": {
"supply_chain_ioc_feed": {
"last_timestamp": "string",
"time_range": {
"to": "string",
"from": "string"
},
"entries": [
{
"event_type": "NEW_MALICIOUS",
"md5": "99d1bdaaa2e4a198521bc12df599ead0",
"sha1": "aad8d679f15a721ed79454d553e3473f9f0536f1",
"sha256": "e37d30c42c9739dfe153a324885937cbb98ed31760d1ba34d5542b309b2a67b0",
"sha512": "11d11650fdc393da32c9c4733016d51d85b718b6eae4a3d61cb2a95d23700f917abb4b35c75da698fe0a233a924b3a6782ff3ff291377f8f7fa86046f1582a0a",
"filename": "ua-parser-js-0.7.29.tgz",
"sample_size": "57690",
"source_url": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.29.tgz",
"identity": {
"purl": "pkg:npm/ua-parser-js@0.7.29",
"community": "npm",
"package": "ua-parser-js",
"version": "0.7.29",
"homepage": "https://uaparser.dev",
"repository": "https://github.com/faisalman/ua-parser-js",
"published": "2025-10-10T03:51:52+0000"
},
"sample_list": [
{
"status": "MALICIOUS",
"threat_name": "Archive-GZIP.Downloader.SupplyChain",
"threat_level": "3",
"md5": "99d1bdaaa2e4a198521bc12df599ead0",
"sha1": "aad8d679f15a721ed79454d553e3473f9f0536f1",
"sha256": "e37d30c42c9739dfe153a324885937cbb98ed31760d1ba34d5542b309b2a67b0"
},
{
"status": "MALICIOUS",
"threat_name": "Script-BAT.Downloader.SupplyChain",
"threat_level": "3",
"md5": "d98a3013336b755b739d285a58528cbe",
"sha1": "01a2c9815acd76dc827b0325b97b793af3632c18",
"sha256": "f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c"
},
{
"status": "MALICIOUS",
"threat_name": "Text.Downloader.SupplyChain",
"threat_level": "3",
"sha1": "8b242cf78d082e81b5432c19477ebb80e5cf291a",
"sha256": "82bd9d21a895327a17a7fd55d8c1270402bd0e5cf0443936be90d3738ce24560"
},
{
"status": "MALICIOUS",
"threat_name": "Script-Shell.Downloader.SupplyChain",
"threat_level": "3",
"md5": "13f840772c7c04c7d2f4c202ff957b0c",
"sha1": "69834f154ea070abccb8b08a10fd2da0bcc83543",
"sha256": "21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509"
},
{
"status": "MALICIOUS",
"threat_name": "Archive-TAR.Downloader.SupplyChain",
"threat_level": "3",
"md5": "9f5e525644662588972117c108b7ac03",
"sha1": "45888251d905bf928db70350717d9451daa60b8c",
"sha256": "44b01b5c634f93f2433e1796e8804c6ae4da966999d7539d5b8d62fe8c33d414"
},
{
"status": "MALICIOUS",
"threat_name": "Script-JS.Downloader.SupplyChain",
"threat_level": "3",
"md5": "a4668a1b3f23b79ef07d1afe0152999e",
"sha1": "1b76d2622ee8729704c56f5f8942a75ab729047b",
"sha256": "e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83"
}
]
}
]
}
}
}
Supply Chain Indicators of Compromise Start
Starts the Supply Chain Indicators of Compromise (IoC) feed session and initializes access to structured threat intelligence data for malicious Open Source Software (OSS) packages.
View OpenAPI SpecificationRequest
PUT /api/feed/supply_chain/ioc/v1/query/start
Response
| Code | Message |
|---|---|
200 | Successfully started |
Supply Chain Indicators of Compromise Time Range
Retrieve feed data starting from a specific time. The Supply Chain Indicators of Compromise (IoC) service delivers access to large volumes of structured threat intelligence data for malicious Open Source Software (OSS) packages and subsequent reclassifications.
View OpenAPI SpecificationRequest
GET /api/feed/supply_chain/ioc/v1/query/{time_format}/{time}
Path parameters
time_format- The format of the time value. Supported values:
utcortimestamp. - Required
- The format of the time value. Supported values:
time- The time value corresponding to the given format.
- Required
Query parameters
format- The format of the response. Supported values:
json,xml(default). - Optional
- The format of the response. Supported values:
limit- The maximum number of results to be retrieved. Supported values: 1 - 1000. Default is 1000.
- Optional
Response
The response is a JSON object containing the query parameters and the entries that match the requested query.
last_timestamp: Timestamp of the last entry in the feed- Type: string
time_range.to: End time of the query range- Type: string
time_range.from: Start time of the query range- Type: string
entries[]: Array of supply chain IoC entries- Type: array
event_type: Type of event. Supported values:NEW_MALICIOUS- Type: string
md5: MD5 hash of the package- Type: string
sha1: SHA1 hash of the package- Type: string
sha256: SHA256 hash of the package- Type: string
sha512: SHA512 hash of the package- Type: string
filename: Name of the package file- Type: string
sample_size: Size of the package in bytes- Type: string
source_url: URL where the package was downloaded from- Type: string
identity.purl: Package URL identifier- Type: string
identity.community: Package community (e.g., npm, pypi)- Type: string
identity.namespace: Package namespace- Type: string
identity.package: Package name- Type: string
identity.product: Product name- Type: string
identity.version: Package version- Type: string
identity.artifact: Artifact identifier- Type: string
identity.homepage: Package homepage URL- Type: string
identity.repository: Package repository URL- Type: string
identity.published: Package publication timestamp- Type: string
sample_list[]: List of malicious samples found in the package- Type: array
sample_list[].status: Sample status. Supported values:MALICIOUS- Type: string
sample_list[].threat_name: Name of the detected threat- Type: string
sample_list[].threat_level: Threat level (1-5)- Type: string
sample_list[].md5: MD5 hash of the sample- Type: string
sample_list[].sha1: SHA1 hash of the sample- Type: string
sample_list[].sha256: SHA256 hash of the sample- Type: string
Response example
{
"rl": {
"supply_chain_ioc_feed": {
"last_timestamp": "string",
"time_range": {
"to": "string",
"from": "string"
},
"entries": [
{
"event_type": "NEW_MALICIOUS",
"md5": "99d1bdaaa2e4a198521bc12df599ead0",
"sha1": "aad8d679f15a721ed79454d553e3473f9f0536f1",
"sha256": "e37d30c42c9739dfe153a324885937cbb98ed31760d1ba34d5542b309b2a67b0",
"sha512": "11d11650fdc393da32c9c4733016d51d85b718b6eae4a3d61cb2a95d23700f917abb4b35c75da698fe0a233a924b3a6782ff3ff291377f8f7fa86046f1582a0a",
"filename": "ua-parser-js-0.7.29.tgz",
"sample_size": "57690",
"source_url": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.29.tgz",
"identity": {
"purl": "pkg:npm/ua-parser-js@0.7.29",
"community": "npm",
"package": "ua-parser-js",
"version": "0.7.29",
"homepage": "https://uaparser.dev",
"repository": "https://github.com/faisalman/ua-parser-js",
"published": "2025-10-10T03:51:52+0000"
},
"sample_list": [
{
"status": "MALICIOUS",
"threat_name": "Archive-GZIP.Downloader.SupplyChain",
"threat_level": "3",
"md5": "99d1bdaaa2e4a198521bc12df599ead0",
"sha1": "aad8d679f15a721ed79454d553e3473f9f0536f1",
"sha256": "e37d30c42c9739dfe153a324885937cbb98ed31760d1ba34d5542b309b2a67b0"
},
{
"status": "MALICIOUS",
"threat_name": "Script-BAT.Downloader.SupplyChain",
"threat_level": "3",
"md5": "d98a3013336b755b739d285a58528cbe",
"sha1": "01a2c9815acd76dc827b0325b97b793af3632c18",
"sha256": "f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c"
},
{
"status": "MALICIOUS",
"threat_name": "Text.Downloader.SupplyChain",
"threat_level": "3",
"sha1": "8b242cf78d082e81b5432c19477ebb80e5cf291a",
"sha256": "82bd9d21a895327a17a7fd55d8c1270402bd0e5cf0443936be90d3738ce24560"
},
{
"status": "MALICIOUS",
"threat_name": "Script-Shell.Downloader.SupplyChain",
"threat_level": "3",
"md5": "13f840772c7c04c7d2f4c202ff957b0c",
"sha1": "69834f154ea070abccb8b08a10fd2da0bcc83543",
"sha256": "21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509"
},
{
"status": "MALICIOUS",
"threat_name": "Archive-TAR.Downloader.SupplyChain",
"threat_level": "3",
"md5": "9f5e525644662588972117c108b7ac03",
"sha1": "45888251d905bf928db70350717d9451daa60b8c",
"sha256": "44b01b5c634f93f2433e1796e8804c6ae4da966999d7539d5b8d62fe8c33d414"
},
{
"status": "MALICIOUS",
"threat_name": "Script-JS.Downloader.SupplyChain",
"threat_level": "3",
"md5": "a4668a1b3f23b79ef07d1afe0152999e",
"sha1": "1b76d2622ee8729704c56f5f8942a75ab729047b",
"sha256": "e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83"
}
]
}
]
}
}
}