Detonation-derived indicators from confirmed-malicious npm, PyPI, RubyGems and Composer packages: C2/exfil domains, IPs, URLs, and payload SHA-256 hashes, each mapped to ATT&CK TTPs. Indicators are classified — only true positives are published; research canaries (Burp Collaborator / interactsh / webhook.site), IP-recon endpoints, and shared infra (Discord/GitHub) are excluded as noise. TLP:CLEAR.
All formats are served straight from this site — no account or repo needed. Pull them on a cron and honor ETag / If-Modified-Since to fetch only when the feed changes:
| Format | URL | For |
|---|---|---|
| CSV | https://wormsign.io/feed/indicators.csv | SIEM / spreadsheet |
| JSON | https://wormsign.io/feed/indicators.json | scripts / automation |
| STIX 2.1 | https://wormsign.io/feed/feed.stix.json.gz | TIP platforms (gzipped — curl … \| gunzip) |
| blocklist | https://wormsign.io/feed/blocklist.txt | pi-hole / DNS / edge |
```shell
curl -s https://wormsign.io/feed/blocklist.txt
```
Add that URL as a pi-hole adlist, or pull it on a cron into your resolver's blocklist. Only block-safe + block (rec.) hosts are included in the blocklist; hunt-only indicators are CSV/JSON/STIX-only.
| Tier | Meaning |
|---|---|
| block-safe | no legitimate collateral; safe to auto-block |
| block (rec.) | block after a quick verify |
| hunt-only | investigate; do not auto-block (shared/ambiguous infra) |
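The cron consumer described above (conditional GET on the feed, then only the block-safe and block (rec.) tiers into a resolver blocklist), as an added example that is not wormsign.io's own code. The page does not document the JSON schema, so the record field names (`indicator`, `type`, `tier`) and the exact tier strings are assumptions, and the sample records are constructed:

```python
"""Added example, not wormsign.io's own code: a cron-driven consumer that pulls the
JSON feed with a conditional GET (ETag / If-Modified-Since) and writes only the
block-safe and block (rec.) domains into a resolver blocklist.

Assumed, because the page does not document the schema: each JSON record has
"indicator", "type" and "tier" keys, and tier values are exactly "block-safe",
"block (rec.)" and "hunt-only".
"""
import json
import urllib.request
from urllib.error import HTTPError

FEED_URL = "https://wormsign.io/feed/indicators.json"
STATE_FILE = "feed_state.json"                 # persisted ETag / Last-Modified
OUT_FILE = "wormsign-blocklist.txt"
BLOCK_TIERS = {"block-safe", "block (rec.)"}   # hunt-only is never auto-blocked

# Constructed sample records (assumed field names; not real feed indicators).
SAMPLE_FEED = [
    {"indicator": "update-check.example.net", "type": "domain",
     "tier": "block-safe", "evidence": "wild", "ttp": "T1071.001"},
    {"indicator": "cdn-stats.example.org", "type": "domain",
     "tier": "block (rec.)", "evidence": "code", "ttp": "T1041"},
    {"indicator": "shared-host.example.com", "type": "domain",
     "tier": "hunt-only", "evidence": "wild", "ttp": "T1102"},
    {"indicator": "203.0.113.7", "type": "ip",
     "tier": "block-safe", "evidence": "wild", "ttp": "T1071"},
]


def conditional_headers(state):
    """Validators for a conditional GET, taken from the state saved last run."""
    headers = {"User-Agent": "feed-consumer/1.0"}
    if state.get("etag"):
        headers["If-None-Match"] = state["etag"]
    if state.get("last_modified"):
        headers["If-Modified-Since"] = state["last_modified"]
    return headers


def next_state(state, status, response_headers):
    """State to persist after a response: 304 keeps the old validators,
    200 replaces them with whatever the server sent this time."""
    if status == 304:
        return dict(state)
    lowered = {k.lower(): v for k, v in response_headers.items()}
    new = {}
    if lowered.get("etag"):
        new["etag"] = lowered["etag"]
    if lowered.get("last-modified"):
        new["last_modified"] = lowered["last-modified"]
    return new


def fetch_feed(url, state):
    """One conditional GET. Returns (status, headers, body); body is b"" on 304."""
    req = urllib.request.Request(url, headers=conditional_headers(state))
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        if err.code == 304:               # urllib raises on 304; treat as "unchanged"
            return 304, dict(err.headers), b""
        raise


def blocklist_hosts(indicators):
    """Domains in an auto-blockable tier, deduplicated and sorted. IPs, URLs and
    hashes are skipped (a DNS blocklist cannot use them) and hunt-only is
    deliberately excluded."""
    return sorted({
        rec["indicator"].strip().lower()
        for rec in indicators
        if rec.get("type") == "domain" and rec.get("tier") in BLOCK_TIERS
    })


def load_state():
    try:
        with open(STATE_FILE) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def main():
    state = load_state()
    status, headers, body = fetch_feed(FEED_URL, state)
    if status == 304:
        print("feed unchanged; blocklist left as is")
        return
    hosts = blocklist_hosts(json.loads(body))
    with open(OUT_FILE, "w") as out:
        out.write("\n".join(hosts) + "\n")
    with open(STATE_FILE, "w") as fh:
        json.dump(next_state(state, status, headers), fh)
    print(f"wrote {len(hosts)} hosts to {OUT_FILE}")


if __name__ == "__main__":
    main()
```

Run it from cron; on a 304 nothing is rewritten, so the resolver only reloads when the feed actually changed. Keeping the old validators on 304 (rather than clearing them) is what makes the next request conditional again.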
Confirmed-malicious packages are detonated in a network-isolated sandbox (egress denied-and-logged), revealing the hosts they try to reach even when the C2 is dead. Observed hosts are classified; only the suspicious tier (unknown domains, raw IPs, tunnels, function-URL C2, DNS-exfil) plus payload file hashes are published. Each indicator carries its evidence (wild = seen at detonation, code = seen in package source).
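The host triage described above, as an added example that is not wormsign.io's code: hosts from a sandbox's denied-egress log are sorted into the suspicious tier (raw IPs, tunnels, function-URL C2, unknown domains) or dropped as noise (canaries, IP-recon endpoints, shared infra, following the opening paragraph). The log line format is constructed, and the canary, recon, shared-infra, tunnel and function-URL patterns are my illustrative choices, not the feed's actual rule set; DNS-exfil is not modelled because it needs the resolver's query log rather than connection denials:

```python
"""Added example, not wormsign.io's code: triage hosts from a sandbox's
denied-egress log into the tiers the page describes, keeping only the
suspicious tier. The log line format is constructed, and the canary, recon,
shared-infra, tunnel and function-URL patterns below are my illustrative
choices (real services, but not the feed's actual rule set)."""
import ipaddress
import re

# Constructed sample of "egress denied-and-logged" lines; assumed format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY pkg=bad-pkg@1.0.2 dst=203.0.113.9:443 sni=-
2024-05-01T10:00:02Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.4:443 sni=abc123.oast.fun
2024-05-01T10:00:03Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.5:443 sni=api.ipify.org
2024-05-01T10:00:04Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.6:443 sni=xyz.ngrok-free.app
2024-05-01T10:00:05Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.7:443 sni=discord.com
2024-05-01T10:00:06Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.8:443 sni=abcd.lambda-url.us-east-1.on.aws
2024-05-01T10:00:07Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.9:443 sni=static.unknown-example.net
2024-05-01T10:00:08Z DENY pkg=bad-pkg@1.0.2 dst=198.51.100.9:443 sni=static.unknown-example.net
"""

LINE_RE = re.compile(r"dst=(?P<ip>[^:\s]+):(?P<port>\d+)\s+sni=(?P<sni>\S+)")

# Noise: research canaries and IP-recon endpoints are never published.
CANARY_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                   "oast.me", "oastify.com", "burpcollaborator.net", "webhook.site")
RECON_HOSTS = {"api.ipify.org", "ifconfig.me", "ipinfo.io", "icanhazip.com"}
SHARED_SUFFIXES = ("discord.com", "discordapp.com", "github.com", "githubusercontent.com")
# Suspicious: tunnels and cloud function URLs are throwaway C2 fronts.
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app", "trycloudflare.com", "loca.lt")
FUNCTION_URL_RE = re.compile(
    r"(\.lambda-url\.[a-z0-9-]+\.on\.aws|\.cloudfunctions\.net|\.run\.app|\.azurewebsites\.net)$")


def _under(host, suffixes):
    """Label-boundary suffix match: 'x.oast.fun' yes, 'notoast.fun' no."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(host):
    """Return (tier, reason) for one observed host."""
    try:
        ipaddress.ip_address(host)
        return "suspicious", "raw-ip"
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    if _under(host, CANARY_SUFFIXES):
        return "noise", "canary"
    if host in RECON_HOSTS:
        return "noise", "ip-recon"
    if _under(host, SHARED_SUFFIXES):
        return "noise", "shared-infra"
    if _under(host, TUNNEL_SUFFIXES):
        return "suspicious", "tunnel"
    if FUNCTION_URL_RE.search(host):
        return "suspicious", "function-url"
    return "suspicious", "unknown-domain"


def hosts_from_log(text):
    """Yield the host each DENY line was trying to reach (SNI, else the raw IP)."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield m["ip"] if m["sni"] == "-" else m["sni"]


def suspicious_hosts(text):
    """Deduplicated (host, reason) pairs in the publishable tier, sorted by host."""
    seen = {}
    for host in hosts_from_log(text):
        tier, reason = classify(host)
        if tier == "suspicious":
            seen[host.lower()] = reason
    return sorted(seen.items())


if __name__ == "__main__":
    for host, reason in suspicious_hosts(SAMPLE_LOG):
        print(f"{host}\t{reason}")
```

Everything in the suspicious tier still carries its reason, so a reviewer can see why a raw IP or tunnel host made the cut before it is promoted to block-safe or block (rec.); the noise tier is discarded rather than published, matching the feed's classification policy.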