A stateless, serverless application deployed on Vercel that queries the Open Source Vulnerabilities (OSV) database on-demand, generating high-performance, Edge-cached RSS 2.0 feeds of recently modified malicious package advisories.
Malware Syndicate provides instant threat intelligence feeds of malicious software packages (carrying the MAL- prefix in the OSV database) published across open-source ecosystems (npm, PyPI, Go, Rust, Maven, etc.).
By leveraging Vercel's Edge CDN caching and HTTP Range Requests, the application operates completely statelessly and on-demand without requiring background polling daemons, cron jobs, or databases, running entirely within Vercel's free serverless thresholds.
- 📰 Standard RSS Feed (`/feed.xml`): Designed for security analysts and standard feed readers. Renders a premium, responsive HTML template for each item showing detailed metadata, inline Markdown-rendered advisories, and actionable threat indicators.
- 🤖 Raw JSON Feed (`/feed-json.xml`): Designed for automated security pipelines, SIEM ingest, and scripting. Sets the advisory summary as the item title and dumps the raw, unescaped OSV JSON schema record directly into the description block.
- 🛡️ Multi-Ecosystem Coverage: Automatically tracks all OSV-supported registries (npm, PyPI, Go, crates.io, RubyGems, Maven, etc.).
- ⚡ Socket.dev Enrichment: Automatically enriches supported ecosystem advisories (npm and PyPI) with direct links to their Socket.dev security profiles for deeper safety analysis.
- 🚨 Technical Threat Indicators: Automatically extracts and displays C2 exfiltration domains and file integrity records (file paths, SHA256 hashes, and TLSH hashes) in a clean tabular view.
- 👥 Credits & References: Documents finding entities (e.g., OpenSSF Package Analysis, Amazon Inspector) and links directly to official advisory reports and packages.
- ⚡ Zero-Latency Edge Caching: Served with `Cache-Control: s-maxage=3600` headers. Feeds are stored globally on Vercel's CDN, serving clients in under 10ms.
- 📶 Low-Bandwidth Range Requests: Rather than downloading full OSV database archives, the functions fetch only the first 150 KB of the log using HTTP Range headers.
- 🔋 Zero Maintenance: 100% stateless serverless microservices. Revalidations run in the background, consuming less than 0.2% of Vercel's Hobby monthly CPU allowance.
| Layer | Technology | Purpose |
|---|---|---|
| Framework | Vercel Serverless Functions | Stateless Node.js API routing without framework overhead |
| Language | TypeScript 5 | Complete type safety for parsing and models |
| Data Source | OSV GCS Bucket & REST API | Changelog and vulnerability detail queries |
| Caching | Vercel Edge CDN | 1-hour global cache with background stale revalidation |
| Deployment | Vercel | Automatic CI/CD build and deploy cycles |
| Validation | TypeScript Interfaces | Runtime safety for external JSON payloads |
```mermaid
graph TD
    Client[RSS Reader / SIEM Client] -->|GET /feed.xml| Edge[Vercel Edge CDN]
    Edge -->|Cache HIT < 10ms| Client
    Edge -->|Cache MISS / Revalidate| Lambda[Vercel Serverless Function]
    Lambda -->|HTTP Range request: bytes=0-150000| OSV_CSV[OSV modified_id.csv]
    Lambda -->|Filter MAL- IDs within PULL_INTERVAL| Filter[Filter Engine]
    Filter -->|Concurrent REST Queries| OSV_API[api.osv.dev/v1/vulns]
    OSV_API -->|Vulnerability Metadata| Enrichment[Enrichment Engine: Socket.dev]
    Enrichment -->|Enriched Advisory| Parser[HTML Template & Markdown Engine]
    Parser -->|RSS 2.0 XML Document| Edge
```
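The filter stage from the diagram above, as an added example that is not the project's own code: it parses a `PULL_INTERVAL` value and keeps only `MAL-` IDs whose modified timestamp falls inside the window, dropping the row that a 150 KB Range boundary cuts in half. The CSV column layout (`<modified timestamp>,<id>`, newest first) and the sample IDs are constructed assumptions for this example.

```typescript
// Added example, not the project's code. Assumed CSV layout (constructed):
// one "<ISO-8601 modified timestamp>,<OSV id>" row per line, newest first,
// exactly as the first 150 KB of a Range response would deliver it.

const UNIT_MS: Record<string, number> = { m: 60_000, h: 3_600_000, d: 86_400_000, w: 604_800_000 };

// Parse a PULL_INTERVAL value such as "15m", "12h", "3d" or "1w" into milliseconds.
function parsePullInterval(spec: string): number {
  const match = /^(\d+)([mhdw])$/.exec(spec.trim());
  if (!match) throw new Error(`Invalid PULL_INTERVAL: ${spec}`);
  return Number(match[1]) * UNIT_MS[match[2]];
}

// Keep MAL- IDs modified within the window, newest first, capped at FEED_LIMIT.
function filterMalIds(csvChunk: string, now: Date, intervalMs: number, limit: number): string[] {
  const cutoff = now.getTime() - intervalMs;
  const lines = csvChunk.split("\n");
  // A byte-range boundary can cut the final row in half; only a chunk that
  // ends with a newline has a complete last row, so drop a trailing partial one.
  if (!csvChunk.endsWith("\n")) lines.pop();
  const ids: string[] = [];
  for (const line of lines) {
    const [modified, id] = line.trim().split(",");
    if (!id || !id.startsWith("MAL-")) continue; // not a malicious-package advisory
    const ts = Date.parse(modified);
    if (Number.isNaN(ts) || ts < cutoff) continue; // outside the PULL_INTERVAL window
    ids.push(id);
    if (ids.length >= limit) break;
  }
  return ids;
}

// Constructed sample chunk; the IDs are placeholders and the last row is
// deliberately truncated the way a bytes=0-150000 response would truncate it.
const SAMPLE_CHUNK =
  "2024-05-02T10:00:00Z,MAL-2024-0001\n" +
  "2024-05-02T09:30:00Z,GHSA-xxxx-xxxx-xxxx\n" +
  "2024-05-01T08:00:00Z,MAL-2024-0002\n" +
  "2024-04-20T00:00:00Z,MAL-2024-0003\n" +
  "2024-04-19T00:00:00Z,MAL-2024-00";

const SAMPLE_NOW = new Date("2024-05-02T12:00:00Z");
console.log(filterMalIds(SAMPLE_CHUNK, SAMPLE_NOW, parsePullInterval("24h"), 100)); // ["MAL-2024-0001"]
```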
The application is configured using Environment Variables:

| Variable | Description | Default | Example |
|---|---|---|---|
| `PULL_INTERVAL` | The timeframe window to pull modified packages. Supports minutes (m), hours (h), days (d), and weeks (w). | `24h` | `15m`, `12h`, `3d`, `1w` |
| `FEED_LIMIT` | The maximum number of malicious package items to return in the feed. | `100` | `50`, `250` |
| `PORT` | Local server port for testing. | `3000` | `8080` |
- Install dependencies:

  ```bash
  npm install
  ```

- Setup environment: Create a `.env` file in the project root:

  ```
  PORT=3000
  PULL_INTERVAL=24h
  FEED_LIMIT=100
  ```

- Build the codebase:

  ```bash
  npm run compile
  ```

- Start the local HTTP wrapper server:

  ```bash
  node scratch/test-server.js
  ```

- Test the endpoints:
  - Standard Feed: `curl -i http://localhost:3000/feed.xml`
  - JSON Feed: `curl -i http://localhost:3000/feed-json.xml`
Authenticate with Vercel and deploy directly:

```bash
# Link project to Vercel account
vercel --yes
# Set Production Environment Variables
echo -n "24h" | vercel env add PULL_INTERVAL production
echo -n "100" | vercel env add FEED_LIMIT production
# Deploy to Production
vercel --prod --yes
```

Alternatively, deploy from a GitHub repository:

- Push this project to a private GitHub repository.
- Link the repository on the Vercel Dashboard.
- Configure the environment variables (`PULL_INTERVAL` and `FEED_LIMIT`) in your Project Settings.
- Vercel will rebuild and deploy every commit automatically.
