// scan public json api

API

Everything the reader UI fetches is also reachable as a public JSON endpoint. No API key, no token, no signup. Use it for dashboards, scripts, alerts, your own dedup, your own reader. JSON in, JSON out.
01

// basics

Base URL: https://omnomfeeds.com

All responses are application/json; charset=utf-8, except /feed.xml, which is RSS 2.0. Each endpoint supports only the method documented here; anything else returns 405.

Try one now:

$ curl 'https://omnomfeeds.com/api/cves/hottest?hours=24&limit=5'

Caching: heavy-read endpoints (/api/cves/hottest, /api/landing/stats, /feed.xml) are cached for 5-10 minutes server-side. Polling more often is fine - you get the cached payload.
02

// feed data

GET /api/articles (public)
Paginated list of scored articles from every source. Filtering and pagination via query params. Anonymous + free callers get a 30-day window; Pro users get full history.

| Param | Type | Default | Notes |
|---|---|---|---|
| min_score | int | 0 | Floor on the article score (0-100). |
| limit | int | 100 | Page size. |
| offset | int | 0 | Page offset. |
| source | string | - | Exact source name match. |
| source_type | string | - | rss, bluesky, mastodon, reddit, github, ioc_feed. |
| search | string | - | Substring match across title + summary. |
| has_iocs | bool | false | Only items tagged with IOCs. |
| unread | bool | false | Only items the caller hasn't marked read (per-user state needs auth). |
| show_dupes | bool | false | Include de-duped articles. |
| since | ISO 8601 | - | Articles fetched at or after this timestamp. |

GET /api/sources (public)
All configured news sources and their current health (last fetch, last error, item count).

GET /api/stats (public)
Per-source article counts, total / unread / duplicates, top tags. Heavier - use /api/landing/stats for cheap polling.

GET /api/landing/stats (public)
Cheap headline numbers for trust strips: articles in 30d, distinct CVEs in 7d, KEV pops in 7d, time since last fetch. 5-min server cache.

GET /feed.xml (public)
RSS 2.0 of the top 50 articles (score >= 60) in the last 7 days. Item descriptions carry score + KEV / CVE enrichment in brackets. Categories carry the article tag array.

GET /healthz (public)
Liveness probe. {"status":"ok","version":"<commit-sha>","uptime_s":<n>,"hosted_mode":bool}. UptimeRobot-friendly.
03

// cve enrichment

GET /api/cve/{id} (public)
Combined NVD + EPSS + KEV + OTX data for a single CVE. Path is the canonical CVE ID, e.g. /api/cve/CVE-2026-12345. Response includes cvss_v3_score, cvss_v3_severity, cwe, published, epss_score, epss_percentile, otx_pulse_count, description.

curl https://omnomfeeds.com/api/cve/CVE-2025-50165

GET /api/cves/hottest (public)
Trending CVEs by mention count across all sources. EPSS overlay attached per row when available. 5-min server cache.

| Param | Type | Default | Notes |
|---|---|---|---|
| hours | int 1-336 | 72 | Window size in hours. |
| limit | int 1-50 | 10 | Max rows. |

GET /api/cves/pre-kev (public)
CVEs trending across at least a minimum number of sources (min) within the lookback window (hours) but NOT yet on the CISA KEV catalog. Early-warning view ahead of formal listing.

| Param | Type | Default | Notes |
|---|---|---|---|
| hours | int 1-336 | 72 | Lookback window. |
| min | int | 3 | Min distinct sources mentioning the CVE. |
04

// actors & malware

GET /api/actors/{slug} (public)
Curated threat-actor metadata. Slug is the lowercase canonical name (e.g. apt41, lazarus, scattered-spider, lockbit). Response includes display name, aliases, origin attribution where known, recent mention count, and a link to MITRE Groups.

curl https://omnomfeeds.com/api/actors/lockbit

GET /api/malware/{slug} (public)
Curated malware-family metadata. Slug is the lowercase canonical name (e.g. cobaltstrike, mimikatz, sliver, redline). Same response shape as actors plus a kind field (loader / RAT / stealer / etc.).
05

// mitre att&ck

GET /api/mitre (public)
Compact technique-ID-to-name map. Used by the reader for chip rendering.

GET /api/mitre/{id} (public)
Full ATT&CK technique record. ID is the standard T-number e.g. T1059, T1059.001.

GET /api/attack/export (public)
MITRE ATT&CK Navigator v4.5 layer JSON. Default scope=global is public and returns TTP frequency across all sources for the window. scope=mine is Pro-gated and returns the caller's bookmarked articles' TTPs. Drops straight into attack-navigator.

| Param | Type | Default | Notes |
|---|---|---|---|
| scope | string | global | global (public) or mine (Pro). |
| days | int 1-180 | 30 | Lookback window for scope=global. |

curl 'https://omnomfeeds.com/api/attack/export?scope=global&days=14' -o layer.json
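
One defensive use of the exported layer, as an added example that is not part of the original page or the project's code: list the techniques trending in the feed that your own detections do not cover. The sample layer is constructed, the function names and the `covered` set are hypothetical, and reading each technique's `score` as its mention frequency is an assumption about how the export fills the Navigator layer format.

```python
import json

# Constructed sample in ATT&CK Navigator layer format; a real file would come
# from /api/attack/export. Treating "score" as mention frequency is an assumption.
SAMPLE_LAYER = json.loads("""
{"name": "constructed sample", "domain": "enterprise-attack",
 "techniques": [
   {"techniqueID": "T1059.001", "score": 14},
   {"techniqueID": "T1566", "score": 9},
   {"techniqueID": "T1190", "score": 21},
   {"techniqueID": "T1027", "score": 0},
   {"techniqueID": "T1486", "score": 6}
 ]}
""")


def is_covered(technique_id, covered):
    """Policy choice of this example: a sub-technique (T1059.001) counts as
    covered when either it or its parent technique (T1059) is listed."""
    parent = technique_id.split(".")[0]
    return technique_id in covered or parent in covered


def coverage_gaps(layer, covered, min_score=1):
    """Return [(techniqueID, score)] present in the layer with at least
    min_score but missing from `covered`, highest score first."""
    gaps = {}
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID")
        score = entry.get("score") or 0  # a missing or null score counts as 0
        if tid and score >= min_score and not is_covered(tid, covered):
            # The same technique can appear once per tactic; keep the highest.
            gaps[tid] = max(score, gaps.get(tid, 0))
    return sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Hypothetical detection coverage, listed by technique ID.
    for tid, score in coverage_gaps(SAMPLE_LAYER, {"T1059", "T1566"}):
        print(f"{tid}\t{score}")
```

To run it against real data, replace SAMPLE_LAYER with the parsed contents of layer.json from the curl command above.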
06

// other

GET /api/briefs/patch (public)
Patch Tuesday briefs (Microsoft, Adobe, Oracle, SAP, etc) auto-generated on patch days.

| Param | Type | Default | Notes |
|---|---|---|---|
| days | int 1-90 | 30 | How far back to fetch briefs. |

GET /api/momentum (public)
Week-over-week growth of tags, MITRE techniques, threat actors. Surfaces things heating up before they hit the trending leaderboard.

GET /api/scoring (public)
The keyword categories + weights that drive article scoring. Useful for understanding why an article scored what it did.

GET /api/worm/mood (public)
Worm sprite mood (hibernating / eating / frenzy) derived from KEV velocity in the last 24h. Frenzy is >= 5 KEV mentions in 24h.
07

// pro-gated

These exist for completeness. Hit them anonymously and you get a 401; hit them as a free user in hosted mode and you get a 402.

GET /api/cve/{id}/explain (pro)
3-bullet Claude-Haiku summary of the CVE in plain English. Cached per CVE forever - the first Pro user pays the LLM call, every subsequent reader gets it instantly.

GET /api/attack/export?scope=mine (pro)
ATT&CK Navigator layer for the caller's bookmarked articles instead of global frequency.

GET /api/digest (pro)
Daily AI intel brief (last 24h). Server-side cached 1h across all Pro users.

GET /api/articles/explain/{id} (pro)
Per-article "what it is / who needs to care / what to do today" summary. Cached per article id.

GET /api/me/whats-new (pro)
Personalised "while you were gone" brief - what happened in the gap between the caller's last visit and now. Append ?force=1 to bypass the 24h auto-hide gate.
08

// errors & limits

Standard HTTP status codes. No envelope around errors - plain JSON like {"error":"reason"}.

| Code | Meaning |
|---|---|
| 200 | OK |
| 400 | Bad request - usually malformed query param. |
| 401 | Unauthenticated. Reached a Pro-gated endpoint without a session. |
| 402 | Free tier user hit a Pro endpoint. |
| 404 | Path or resource doesn't exist. |
| 405 | Method not allowed (most endpoints are GET-only). |
| 429 | Per-IP rate limit on AI endpoints (20 per minute). Retry-After header carries seconds. |
| 503 | Backing service (NVD, EPSS, OTX) unreachable for the requested data. |
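
A client-side reading of the status table, as an added example that is not part of the original page or the project's code: it validates the CVE ID before it goes into the path, honours Retry-After on 429, backs off on 503, and treats every other error as final. The names cve_url, classify and get_json are hypothetical, and the 60-second fallback and 30-second 503 delay are this example's choices.

```python
import json
import re
import time
import urllib.error
import urllib.request

BASE_URL = "https://omnomfeeds.com"
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_url(cve_id):
    """Build /api/cve/{id}; refuse anything that is not a canonical CVE ID."""
    if not CVE_ID.fullmatch(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return f"{BASE_URL}/api/cve/{cve_id}"


def classify(status, headers, body):
    """Map one response to ("ok", data), ("retry", seconds) or ("fail", reason)."""
    if status == 200:
        return "ok", json.loads(body)
    try:
        reason = json.loads(body).get("error", "")  # errors are {"error":"reason"}
    except (ValueError, AttributeError):
        reason = ""
    if status == 429:  # Retry-After carries seconds; 60 is an assumed fallback
        return "retry", int(headers.get("Retry-After", "60"))
    if status == 503:  # NVD/EPSS/OTX unreachable; 30 s is this example's choice
        return "retry", 30
    return "fail", f"{status} {reason}".strip()  # 400/401/402/404/405: no retry


def get_json(url, attempts=3, opener=urllib.request.urlopen, sleep=time.sleep):
    """GET url, retrying only on 429/503. opener and sleep are injectable."""
    for _ in range(attempts):
        try:
            with opener(url, timeout=10) as resp:
                status, headers, body = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
            status, headers, body = err.code, err.headers, err.read()
        action, detail = classify(status, headers, body)
        if action == "ok":
            return detail
        if action == "fail":
            raise RuntimeError(detail)
        sleep(detail)
    raise RuntimeError(f"gave up after {attempts} attempts")


if __name__ == "__main__":
    # Constructed response, not captured from the service.
    print(classify(429, {"Retry-After": "12"}, b'{"error":"rate limited"}'))
```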
09

// self-host

Same API, on your own box. Build the binary from github.com/RMS2D/omnomfeeds, or use the one-liner installers in the README. Pro-gated endpoints are open in self-host mode (you ARE the operator); the AI ones need ANTHROPIC_API_KEY or OPENAI_API_KEY in your env.

oM noM Security Feeds · MIT licensed