
Threat Intelligence Feed

Extension threat intel, piped straight into your SOC.

Everything our analysis pipeline catches - malware pushed in silent updates, vulnerabilities in trusted extensions - published as STIX 2.1 objects over a standard TAXII 2.1 endpoint. If your stack speaks TAXII, it already speaks to us: OpenCTI, MISP, Anomali, or a ten-line script.

What's in the feed

  1. Malware variants found in published Chrome Web Store extensions, with the specific versions affected
  2. Vulnerabilities in popular extensions before they make the news
  3. Severity scoring on every object, so you can filter to what your SOC actually triages
  4. STIX relationships linking malware and vulnerabilities to the extensions they affect

This is not a re-packaged blocklist. Every object is backed by our own pipeline - deobfuscation, sandbox execution, network capture - and promoted by a human before it reaches the feed. No noise, no permission-based false positives.

How it works

1. We find it

Our pipeline re-analyses every extension on every version update. When a finding is confirmed - a stealer hidden in an update, a vulnerability in a popular extension - our team promotes it into the feed as STIX 2.1 objects with severity scoring and relationships.

2. You poll it

Point any TAXII 2.1 client at our endpoint and authenticate with your org API key. OpenCTI, MISP, Anomali, and taxii2-client all work out of the box - no custom integration, no webhook plumbing required.

3. You stay in sync

The feed is an append-ordered stream. Your client stores the date-added watermark from each poll and asks for everything since - so you only ever pull what's new, and refreshed intel re-surfaces automatically.

One request to try it

```bash
# Pull the latest intel
curl https://app.amibeingpwned.com/taxii2/feed/collections/2f669986-b40b-4423-b720-4396ca6a4b2c/objects/ \
  -H "Authorization: Bearer aibp_org_..." \
  -H "Accept: application/taxii+json;version=2.1"
```

Authentication is your org's API key with the cti:read scope - the same key you already use for the REST API. Bearer, Basic, and x-api-key all work, so legacy TAXII clients connect without fuss.
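The watermark-based poll described above, written out as an added example (it is not the vendor's client code). It assumes the collection URL shown in the curl request, a placeholder API key, and the standard TAXII 2.1 envelope fields (`objects`, `more`, `next`) and `X-TAXII-Date-Added-Last` response header; the transport is injectable so the loop can be exercised offline.

```python
"""Incremental TAXII 2.1 poll: fetch only objects added after a stored watermark."""
import json
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# Collection URL from the page; the API key is a placeholder (use a key with the cti:read scope).
COLLECTION_URL = ("https://app.amibeingpwned.com/taxii2/feed/collections/"
                  "2f669986-b40b-4423-b720-4396ca6a4b2c/objects/")
API_KEY = "aibp_org_PLACEHOLDER"

Fetch = Callable[[str], Tuple[dict, dict]]


def http_fetch(url: str) -> Tuple[dict, dict]:
    """Real transport: GET one envelope page, return (body, lower-cased headers)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {API_KEY}",
        "Accept": "application/taxii+json;version=2.1",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), {k.lower(): v for k, v in resp.headers.items()}


def poll_since(fetch: Fetch, watermark: Optional[str], base_url: str = COLLECTION_URL):
    """Return (objects, new_watermark): every object added after `watermark`,
    following `next` cursors while the server reports `more`. Persist the
    returned watermark and pass it back on the next poll."""
    objects, next_token, latest = [], None, watermark
    while True:
        params = {}
        if watermark:
            params["added_after"] = watermark      # TAXII 2.1 date-added filter
        if next_token:
            params["next"] = next_token            # pagination cursor from the last page
        envelope, headers = fetch(base_url + ("?" + urlencode(params) if params else ""))
        objects.extend(envelope.get("objects", []))
        # Date-added of the last object on this page; RFC 3339 UTC timestamps of the
        # same precision compare correctly as strings.
        last = headers.get("x-taxii-date-added-last")
        if last and (latest is None or last > latest):
            latest = last
        if not envelope.get("more"):
            return objects, latest
        next_token = envelope.get("next")
        if not next_token:
            # No cursor supplied: page forward with added_after on the last date seen.
            if latest == watermark:
                raise RuntimeError("server reported more=true without a cursor or progress")
            watermark = latest
```

Call `poll_since(http_fetch, stored_watermark)` from a scheduled job and write the returned watermark back to storage only after the objects have been handed to your TIP or SIEM.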

Prefer push? There's a webhook

Not running a TIP? Subscribe to the cti.published webhook event and we POST every new piece of in-scope intel to your endpoint the moment it's promoted - the affected extension ID and version, severity, CWE, and MITRE ATT&CK techniques, ready to route into a SOAR playbook or a Slack channel. Deliveries are HMAC-signed with the same Stripe-style signature scheme as our other webhook events, and when you first subscribe we backfill everything already in scope - so day one starts with the complete picture, not an empty feed.

See the webhook guide for endpoint setup and signature verification.

Scope it to what you care about

  1. All intel: everything we promote, across the whole Chrome Web Store
  2. Fleet-matched: only intel affecting extensions actually installed across your fleet
  3. Severity floor: drop anything below the minimum severity you set

One subscription, every surface: the TAXII feed, the Threat Intel tab in your dashboard, and webhook delivery all respect the same scope and severity settings.

Intel your SIEM can ingest today.

TAXII 2.1 and STIX 2.1, no custom integration work.