MalwareBazaar MCP

What is MalwareBazaar MCP about?

MalwareBazaar MCP is an MCP server that automatically connects to the Malware Bazaar repository, fetches the latest malware samples, metadata, and tag information, and exposes these capabilities through MCP‑compatible tools for seamless integration into security pipelines.

How to use MalwareBazaar MCP?

1. Obtain an API key from https://auth.abuse.ch/user/me.
2. Create a .env file with MALWAREBAZAAR_API_KEY=<APIKEY>.
3. Set up a virtual environment using uv (or any Python venv) and install dependencies from requirements.txt.
4. Add a server entry to the MCP client configuration (see the README for Linux/macOS and Windows examples).
5. Start the server with uv run malwarebazaar_mcp.py.
6. Query the server from an MCP client, e.g., ask for the latest hash or sample details.

Key features of MalwareBazaar MCP

• Real‑time retrieval of up to 10 most recent malware samples (get_recent).
• Detailed metadata lookup for any sample hash (get_info).
• Secure sample download directly from Malware Bazaar (get_file).
• Tag‑based search to list all samples associated with a specific tag (get_taginfo).
• AI‑driven workflow integration, enabling autonomous threat‑intel automation.
• Cross‑platform installation scripts for macOS/Linux and Windows.
• Comprehensive test suite with coverage reporting.

Use cases of MalwareBazaar MCP

• Automated threat‑intel enrichment: feed latest sample data into SOC dashboards or SIEMs.
• Malware research labs: programmatically gather specimens for reverse‑engineering and behavioral analysis.
• Security automation pipelines: trigger alerts or sandbox analyses when new high‑risk samples appear.
• Tag‑centric investigations: explore families or campaigns by querying specific tags.

FAQ from the MalwareBazaar MCP

Q: Do I need a paid Malware Bazaar account?
A: No, a free user API key is sufficient for the provided endpoints.

Q: Can I run the server on a headless Linux box?
A: Yes. Use the Linux/macOS installation steps and start the server with uv run malwarebazaar_mcp.py.

Q: What Python version is required?
A: The project follows the versions specified in requirements.txt; Python 3.9+ is recommended.

Q: How do I add the server to the MCP client?
A: Insert a JSON block under mcpServers in the client’s config file, pointing to the directory and script as shown in the README.

Q: Is there a way to test the implementation?
A: Run python -m unittest discover -s tests and optionally generate coverage reports with the provided commands.

MalwareBazaar_MCP

An AI-driven MCP server that autonomously interfaces with Malware Bazaar, delivering real-time threat intel and sample metadata for authorized cybersecurity research workflows.

MCP Tools

get_recent: Get up to 10 most recent samples from MalwareBazaar.

get_info: Get detailed metadata about a specific malware sample.

get_file: Download a malware sample from MalwareBazaar.

get_taginfo: Get malware samples associated with a specific tag.

Step 1: Create a MalwareBazaar APIKEY

https://auth.abuse.ch/user/me

Step 2: Create .env

MALWAREBAZAAR_API_KEY=<APIKEY>

Step 3a: Create Virtual Env & Install Requirements - MAC/Linux

curl -LsSf https://astral.sh/uv/install.sh | sh
cd MalwareBazaar_MCP
uv init .
uv venv
source .venv/bin/activate
uv pip install -r requirements.txt

Step 3b: Create Virtual Env & Install Requirements - Windows

powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
cd MalwareBazaar_MCP
uv init .
uv venv
.venv\Scripts\activate
uv pip install -r requirements.txt

Step 4a: Add Config to the MCP Client - MAC/Linux

{
    "mcpServers": {
        "malwarebazaar": {
            "description": "Malware Bazaar MCP Server",
            "command": "/Users/XXX/.local/bin/uv",
            "args": [
                "--directory",
                "/Users/XXX/Documents/MalwareBazaar_MCP",
                "run",
                "malwarebazaar_mcp.py"
            ]
        }
    }
}

Step 4b: Add Config to the MCP Client - Windows

{
    "mcpServers": {
        "malwarebazaar": {
            "description": "Malware Bazaar MCP Server",
            "command": "uv",
            "args": [
                "--directory",
                "C:\Users\XXX\Document\MalwareBazaar_MCP",
                "run",
                "malwarebazaar_mcp.py"
            ]
        }
    }
}

Step 5: Run MCP Server

uv run malwarebazaar_mcp.py

Step 6: Run MCP Client & Query

Help me understnad the latest hash from Malware Bazaar.

Step 7: Run Tests

python -m unittest discover -s tests

uv pip install coverage==7.8.0
coverage run --branch -m unittest discover -s tests
coverage report -m
coverage html
open htmlcov/index.html  # MAC
xdg-open htmlcov/index.html  # Linux
start htmlcov\index.html  # Windows
coverage erase

License

Apache License, Version 2.0