abusech-sdk
v1.0.0
Published
JavaScript/TypeScript SDK for abuse.ch APIs — MalwareBazaar (1.5M+ malware samples), URLhaus (3M+ malicious URLs), ThreatFox (IOC sharing). Works on Bun, Node.js, Deno, Cloudflare Workers.
Maintainers
Readme
abuse.ch SDK
JavaScript/TypeScript client for abuse.ch APIs — the largest open-source malware threat intelligence platform. 1.5M+ malware samples, 3M+ malicious URLs, IOC sharing.
| API | Module | Status |
|-----|--------|--------|
| MalwareBazaar | abusech-sdk/malwarebazaar | ✅ 25 methods |
| URLhaus | abusech-sdk/urlhaus | 🔜 planned |
| ThreatFox | abusech-sdk/threatfox | 🔜 planned |
Zero dependencies. Works on Bun, Node.js, Deno, Cloudflare Workers.
bun add abusech-sdk
# Register at https://auth.abuse.ch/ for free API key
export ABUSE_CH_KEY=your-keyQuick Start
import { MalwareBazaar } from 'abusech-sdk/malwarebazaar';
const mb = new MalwareBazaar(process.env.ABUSE_CH_KEY);
// Latest tagged malware (24h)
const detections = await mb.recentDetections({ hours: 24, limit: 50 });
// Sample metadata by hash
const info = await mb.searchByHash('46faab8ab153fae...');
console.log(info.signature, info.file_type, info.tags);
// Download a sample (zip, password: "infected")
const bytes = await mb.downloadSample('46faab8ab153fae...');
await Bun.write('/tmp/malware.zip', bytes);
// Search Shai-Hulud samples
const shai = await mb.searchByTag('Shai-Hulud', 100);
// Fuzzy hash search
const byImphash = await mb.searchByImphash('f34d5f2d4577ed6d');CLI
bun src/cli.js hash 46faab8ab153fae...
bun src/cli.js download 46faab8ab153fae... ./malware.zip
bun src/cli.js recent 24 50
bun src/cli.js tag Shai-Hulud 100
bun src/cli.js sig TrickBot 50
bun src/cli.js type elf 20API Reference — MalwareBazaar
Constructor
const mb = new MalwareBazaar(apiKey, {
baseUrl: 'https://mb-api.abuse.ch/api/v1/', // default
timeoutMs: 60000, // AbortController timeout
fetch: customFetch, // for CF Workers
});Core (2 methods)
| Method | Description |
|--------|-------------|
| searchByHash(hash) | SHA256/SHA1/MD5 → full metadata + vendor intel |
| downloadSample(sha256) | Raw zip bytes (PW: infected) |
Listings (2)
| Method | Description |
|--------|-------------|
| recentDetections({hours, limit}) | Tagged malware (last N hours) |
| recentAdditions(selector?) | Latest uploads |
Search by Metadata (4)
| Method | Query |
|--------|-------|
| searchByTag(tag, limit) | get_taginfo |
| searchBySignature(sig, limit) | get_siginfo |
| searchByFileType(type, limit) | get_file_type |
| searchByClamAV(sig, limit) | get_clamavinfo |
Fuzzy Hashes (5)
| Method | Hash Type |
|--------|-----------|
| searchByImphash(h, limit) | PE imports hash |
| searchByTLSH(h, limit) | Trend Micro TLSH |
| searchByTelfhash(h, limit) | ELF hash |
| searchByGimphash(h, limit) | Go binary hash |
| searchByDhashIcon(h, limit) | PE icon dhash |
YARA & Certificates (4)
| Method | Query |
|--------|-------|
| searchByYARA(rule, limit) | YARA rule hits |
| searchByCertificateIssuer(cn, limit) | Signing cert issuer |
| searchByCertificateSubject(cn, limit) | Signing cert subject |
| searchByCertificateSerial(sn, limit) | Signing cert serial |
Write Operations (3)
| Method | Description |
|--------|-------------|
| uploadSample(bytes, opts) | Upload + metadata (multipart) |
| updateEntry(sha256, fields) | Update tags/signature |
| addComment(sha256, comment) | Add analyst comment |
Blocklist (1)
| Method | Description |
|--------|-------------|
| getCSCB() | Code Signing Certificate Blocklist |
License
MIT © gutem
