ioc-extractor

IoC (Indicator of Compromise) extractor

Version: 8.1.5 (latest)
Source: npm
Weekly downloads: 4.8K (-45.23%)
Maintainers: 1
IoC extractor


IoC extractor is an npm package for extracting common IoCs (Indicators of Compromise) from a block of text.

Note: the package is highly influenced by cacador.

Installation

npm install -g ioc-extractor
# or if you want to use ioc-extractor as a library in your JS/TS project
npm install ioc-extractor

Usage

As a CLI

$ ioc-extractor --help
Usage: ioc-extractor [options]

Options:
  --no-strict            Disable strict option
  --no-refang            Disable refang option
  --no-sort              Disable sort option
  -p, --punycode         Enable punycode option
  -o, --only <types...>  Show only specific IoC types
  -h, --help             display help for command
$ echo "1.1.1.1 8.8.8.8 example.com" | ioc-extractor | jq
{
  "asns": [],
  "btcs": [],
  "cves": [],
  "domains": [
    "example.com"
  ],
  "emails": [],
  "eths": [],
  "gaPubIDs": [],
  "gaTrackIDs": [],
  "ipv4s": [
    "1.1.1.1",
    "8.8.8.8"
  ],
  "ipv6s": [],
  "macAddresses": [],
  "md5s": [],
  "sha1s": [],
  "sha256s": [],
  "sha512s": [],
  "ssdeeps": [],
  "urls": [],
  "xmrs": []
}

$ echo "1.1.1.1 8.8.8.8" | ioc-extractor --only ipv4s | jq
{
  "ipv4s": [
    "1.1.1.1",
    "8.8.8.8"
  ]
}

As a Library

import { extractIOC } from "ioc-extractor";

const input = "1.1.1[.]1 google(.)com f6f8179ac71eaabff12b8c024342109b";
const ioc = extractIOC(input);
console.log(ioc.md5s);
// => ['f6f8179ac71eaabff12b8c024342109b']
console.log(ioc.ipv4s);
// => ['1.1.1.1']
console.log(ioc.domains);
// => ['google.com']

extractIOC takes the following options:

If you want to extract a specific type of IoC, you can use an extract function by IoC type.

import {
  refang,
  extractDomains,
  extractIPv4s,
  extractMD5s,
} from "ioc-extractor";

const input = "1.1.1[.]1 google(.)com f6f8179ac71eaabff12b8c024342109b";
const refanged = refang(input);
// => 1.1.1.1 google.com f6f8179ac71eaabff12b8c024342109b

const ipv4s = extractIPv4s(refanged);
// => ['1.1.1.1']

const domains = extractDomains(refanged);
// => ['google.com']

const md5s = extractMD5s(refanged);
// => ['f6f8179ac71eaabff12b8c024342109b']

Network related extract functions (e.g. extractDomains) can take the following options:

See docs for more details.

Alternatively, if you want to extract a list of specific IoC types at once, you can use partialExtractIOC.

import { partialExtractIOC } from "ioc-extractor";

const input = "1.1.1[.]1 google(.)com f6f8179ac71eaabff12b8c024342109b";
const ioc = partialExtractIOC(input, ["ipv4s", "domains"]);
console.log(ioc);
// => {"ipv4s":["1.1.1.1"],"domains":["google.com"]}

IoC Types

This package supports the following IoCs:

  • Hashes: MD5, SHA1, SHA256, SHA512, SSDEEP
  • Networks: domain, email, IPv4, IPv6, URL, ASN
  • Hardware: MAC address
  • Utilities: CVE (CVE ID)
  • Cryptocurrencies: BTC (BTC address), ETH (ETH address), XMR (XMR address)
  • Trackers: GA track ID (Google Analytics tracking ID), GA pub ID (Google AdSense Publisher ID)

Refang Techniques

For network IoCs, the following refang techniques are supported:

| Techniques | Defanged | Refanged |
|---|---|---|
| . in spaces | 1.1.1 . 1 | 1.1.1.1 |
| . in brackets, parentheses, etc. | 1.1.1[.]1 | 1.1.1.1 |
| dot in brackets, parentheses, etc. | example[dot]com | example.com |
| Back slash before . | example\.com | example.com |
| / in brackets, parentheses, etc. | http://example.com[/]path | http://example.com/path |
| :// in brackets, parentheses, etc. | http[://]example.com | http://example.com |
| : in brackets, parentheses, etc. | http[:]//example.com | http://example.com |
| @ in brackets, parentheses, etc. | test[@]example.com | test@example.com |
| at in brackets, parentheses, etc. | test[at]example.com | test@example.com |
| hxxp | hxxps://example.com | https://example.com |
| Partial | 1.1.1[.1 | 1.1.1.1 |
| Any combination | hxxps[:]//test\.example[.)com[/]path | https://test.example.com/path |
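
The refang techniques in the table above, written out as an added example (not ioc-extractor's own code): a small rule-based refang pass, plus an IPv4 matcher that shows defanged indicators are missed unless the text is refanged first. The names refangText and findIPv4s and the sample report line are constructed for illustration.

```javascript
// Added example: a minimal refang pass modelled on the table above.
// refangText and findIPv4s are hypothetical names, not ioc-extractor's API.
const OPEN = "[\\[({]";   // any opening bracket: [ ( {
const CLOSE = "[\\])}]";  // any closing bracket: ] ) }

// Rules run in order; bracketed forms are resolved before the hxxp scheme.
const RULES = [
  // Symbols wrapped in brackets, mismatched pairs included: [.] (.) [.) [/] [://] [:] [@]
  [new RegExp(`${OPEN}(\\.|://|:|/|@)${CLOSE}`, "g"), "$1"],
  // Words wrapped in brackets: [dot] -> "." and [at] -> "@"
  [new RegExp(`${OPEN}dot${CLOSE}`, "gi"), "."],
  [new RegExp(`${OPEN}at${CLOSE}`, "gi"), "@"],
  // Partial bracketing: "[." or ".]"
  [new RegExp(`${OPEN}\\.|\\.${CLOSE}`, "g"), "."],
  // Backslash before a dot
  [/\\\./g, "."],
  // A dot padded with spaces between two word characters
  [/(?<=\w)\s+\.\s+(?=\w)/g, "."],
  // hxxp / hxxps scheme
  [/\bhxxp(s?):\/\//gi, "http$1://"],
];

function refangText(text) {
  return RULES.reduce((out, [pattern, repl]) => out.replace(pattern, repl), text);
}

// Dotted-quad matcher with per-octet range checks (0-255), de-duplicated.
function findIPv4s(text) {
  const octet = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
  const re = new RegExp(`(?<![\\d.])${octet}(?:\\.${octet}){3}(?![\\d.])`, "g");
  return [...new Set(text.match(re) || [])];
}

// Constructed sample report line (documentation address ranges).
const SAMPLE =
  "C2 at 203.0.113[.]7 and 198.51.100 . 9, staged via hxxps[:]//test\\.example[.)com[/]path";

console.log(findIPv4s(SAMPLE));             // [] : defanged addresses are not matched
console.log(findIPv4s(refangText(SAMPLE))); // [ '203.0.113.7', '198.51.100.9' ]
console.log(refangText(SAMPLE));
```

The rules are intentionally broad, so ordinary prose such as a sentence ending in ".)" is also rewritten; apply a pass like this to indicator text rather than to content that must be preserved verbatim.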

Options

strict

Whether to do strict TLD matching or not. Defaults to true.

refang

Whether to do refang or not. Defaults to false.

punycode

Whether to do Punycode conversion or not. Defaults to false.

sort

Whether to sort values or not. Defaults to true.


Package last updated on 14 Mar 2026
