Best OSINT GitHub Repositories in 2026
The top GitHub repositories for OSINT — curated lists, automation frameworks, username lookup, email investigation, phone OSINT, and threat intelligence tools. Stars verified April 2026.
GitHub hosts OSINT tooling, community-built and publicly shared. The hard part is figuring out which repos are still alive, historically relevant, or actually useful. Notable ones include OSINT Framework, Recon-ng, and Maltego. OSINT Framework offers a collection of resources for open-source intelligence gathering. Recon-ng provides a full-featured, modular framework. Maltego offers data mining and link analysis. The tooling list goes on with Searchcode, a search engine for open-source code; Spyse, an API and data platform; and IntelX, a search engine.
Curated Resource Lists
OSINT repositories are available here, a good starting point. Some popular ones are awesome-osint, a curated list of OSINT tools and resources; osint-framework, a collection of OSINT tools and resources organized by category; intelx, a search engine for OSINT data with a focus on ease of use. You can find more.
jivoi/awesome-osint — 25,600 stars
The definitive OSINT awesome list, covering search engines, people search, domain and IP tools, email, phone, geolocation, dark web monitoring, company records, imagery, documents, metadata, and training resources. It's the starting point for building a reference library, with hundreds of entries across 40 subcategories. Updated April 2026.
lockfale/OSINT-Framework — 11,100 stars
The GitHub source behind osintframework.com — an interactive, clickable mind map of ~700 OSINT tools organized by category. Useful during investigation planning, it helps quickly identify what tools exist for a specific data type. Actively maintained.
hslatman/awesome-threat-intelligence — 10,000 stars
A curated list of threat intelligence resources: feeds, platforms, standards, and course materials. Oriented toward CTI and SOC use cases rather than pure investigative OSINT. Actively maintained.
Ph055a/OSINT_Collection — 2,300 stars
A markdown-based resource collection organized by topic: people search, corporate records, court records, social media, geolocation, and financial data. Originally maintained for osint.team, it provides practical, actionable references. Archived in August 2024, but still accurate as a reference.
Frameworks & Automation Platforms
For systematic, multi-source investigations, consider these frameworks.
smicallef/spiderfoot — 17,300 stars
A Python-based OSINT automation platform with 200+ modules. It runs concurrent queries against Shodan, Have I Been Pwned, Hunter.io, VirusTotal, WHOIS, social platforms, dark web monitors, and dozens more. Outputs correlation graphs and HTML reports. The closest thing to a full investigation platform in open-source, it's ideal for advanced analysts and threat intel teams.
lanmaster53/recon-ng — 5,500 stars
A Metasploit-style modular reconnaissance framework with a CLI workspace model. Separate modules handle domain enumeration, email harvesting, social media scraping, contact resolution, and reporting. Maintained, with a module marketplace at lanmaster53/recon-ng-marketplace.
intelowlproject/IntelOwl — 4,500 stars
A Docker-based threat intelligence platform aggregating 150+ analyzers. Covers file analysis, IP/domain/URL reputation, and indicators of compromise. Integrates VirusTotal, Shodan, MISP, AbuseIPDB, MalwareBazaar, and more. Actively maintained, with a REST API and web dashboard.
kpcyrd/sn0int — 2,400 stars
A semi-automatic OSINT framework written in Rust with a Lua scripting engine. Uses a package manager model, focusing on passive reconnaissance: certificate transparency, subdomain discovery, social media profiling, geolocation. Designed to minimize detection footprint, it's ideal for advanced technical users.
Username & Identity Lookup
Several tools are available for username and identity lookup. Hunter.io is designed to find professional email addresses; it takes a company domain and generates likely email formats. Verified emails are available for an additional fee.
Pipl is a people search tool that aggregates public records and social media information to create a comprehensive dossier on an individual. The cost of using Pipl varies depending on the search.
WhatTheName offers a search function by name, compiling results from Twitter handles and people search sites. This tool is free to use.
These tools cater to different needs. Hunter is suited for businesses. Pipl is geared towards personal searches. WhatTheName is useful for searching public names; choose the tool that aligns with your specific goal.
sherlock-project/sherlock — 76,700 stars
The most-starred OSINT tool on GitHub. A Python CLI that hunts a username across 400+ social networks simultaneously, returning direct profile URLs for each confirmed match. Fast, accurate, and regularly updated, it's the standard starting point for cross-platform username enumeration.
soxoj/maigret — 19,300 stars
Evolved from Sherlock, it checks 3,000+ sites and extracts linked accounts, cross-references profiles, and builds a dossier with photo links, bio data, and relationship graphs. Supports proxies and Tor, making it ideal for advanced investigators building comprehensive subject profiles.
qeeqbox/social-analyzer — 22,400 stars
An API, CLI, and web app for analyzing username presence across 1,000+ social platforms. It also includes content analysis, detecting language, sentiment, and topics, and extracts profile metadata. More analytical than Sherlock, it goes beyond presence detection to profile content analysis.
Email OSINT
These tools are designed for email OSINT.
megadose/holehe — 10,600 stars
Checks whether an email address is registered on 120+ services using the forgotten-password flow — no login required. Returns which platforms the email is linked to: social media, dating apps, shopping sites, financial services. Pairs well with Have I Been Pwned for breach context.
laramies/theHarvester — 16,000 stars
Mines emails, subdomains, names, IPs, and URLs from public sources, including Google, Bing, DuckDuckGo, Shodan, Hunter.io, and LinkedIn. Pre-installed on Kali Linux, it's primarily an initial reconnaissance tool rather than a deep-dive investigation tool.
Phone OSINT
For phone OSINT, consider this tool.
sundowndev/phoneinfoga — 16,200 stars
A Go-based phone number investigation framework that validates format, identifies carrier and region, and runs scans against NumVerify, Google Search, OVH, and custom scanner modules. REST API and web UI included, it's ideal for structured phone OSINT.
Platform-Specific Tools
These tools are specific to certain platforms.
mxrch/GHunt — 18,600 stars
Given a Google account ID or email, GHunt extracts associated name, profile photo, YouTube channel, Google Maps reviews, Hangouts status, linked calendar events, and public Google Drive files. Uses undocumented Google APIs, making it one of the most powerful tools for subjects who use Google services heavily.
Datalux/Osintgram — 12,600 stars
An interactive CLI shell for Instagram OSINT. Given a username, it extracts followers and following lists, tagged photos, location data from posts, email and phone if public, post metadata, and photo URLs. Requires Instagram login credentials.
jasperan/whatsapp-osint — 1,300 stars
Logs WhatsApp online/offline presence events for any number over time, building activity pattern timelines. Uses Selenium to automate WhatsApp Web, making it ideal for investigators monitoring subject activity patterns under authorized, legal use cases.
Maltego Transform Packs
Transforms for Maltego help you go beyond the user interface. You run them on a graph, and new nodes appear, each one digging deeper.
The available packages include DNS, HTTP, WHOIS, Network. These packages provide various functionalities: DNS resolves hostnames and shows DNS records. HTTP crawls web pages and extracts metadata. WHOIS fetches ownership and contact information. Network maps IP addresses to geolocation data.
You can layer these packages to build a more complete picture. For example, starting with an IP, the DNS transform reveals hostnames. The WHOIS transform on those hostnames gets you the owners. Now you know who's behind an IP.
Some transforms hit APIs, while others scrape. In either case, the output gets piped back into Maltego, creating a new node and more to explore. You can then iterate on this new information.
Transforms speed up investigations by fetching data and reducing manual poking around. With transforms, your graph becomes fuller, and connections and patterns emerge. Sometimes you might miss things using just the UI, but not with transforms.
Maltego's native transforms have limitations. These extra packages do more and extend capability without requiring coding. You just install and load them in Maltego, and they work.
When you integrate these packages, your graph gains more nodes and more insight. These specific packages are verified to work well within Maltego, adding solid reconnaissance capability to your workflow.
megadose/holehe-maltego — 246 stars
Maltego integration for holehe, running email-to-account lookups directly inside Maltego and rendering results as linked entities in the graph.
vognik/maltego-telegram — 438 stars
Maltego transform set for Telegram investigation, extracting channel members, cross-referencing forwarded messages, finding similar channels, retrieving deleted post history, and mapping group relationships. Uses Pyrogram.
Historical Reference
twintproject/twint — 16,400 stars
Twitter scraping without the API — pulled tweets, followers, following, likes, and user data using browser emulation. Archived after Twitter/X locked down API access in 2023, it's worth knowing for its historical significance in shaping social media investigation methodology.
How to Use This List
Some key patterns to note:
- Star count doesn't equal current utility. Twint has 16k stars but doesn't work, while Ph055a/OSINT_Collection is archived but still accurate.
- Frameworks vs. point tools: SpiderFoot and recon-ng can run many point tools as modules. Invest time in one framework rather than maintaining multiple tools.
- Combine tools for coverage: Sherlock → Maigret → holehe → GHunt covers username, platform presence, email-to-accounts, and Google account profiling.
- Use Docker where available: SpiderFoot, IntelOwl, and phoneinfoga offer Docker images, avoiding dependency conflicts and making it easier to maintain multiple tool versions.
Star counts verified April 2026. Activity status based on last GitHub commit. For the full OSINT tool ecosystem, see jivoi/awesome-osint.
Network Recon
Network recon tools find what's exposed. You can't investigate what you can't find.
Shodan
Shodan indexes internet infrastructure, including servers, cameras, routers, industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details. The OSINT value is that you know what a target has exposed before you ever send a packet their way. Operators miss things, dev servers get forgotten.
Censys
Censys scans for hosts, services, certificate data too. You query by IP, domain, or certificate. Results show port status, TLS details. This is useful for tracking device exposure, especially when Shodan misses something.
Zoom
Zoom searches by IP range, finds hosts, open ports. It's simple, focused, good for quick checks.
Masscan
Masscan does fast, noisy port scans, sending hundreds of thousands of packets per second. You get hits, not analysis. This is for when speed trumps finesse.
Threat Intelligence
Threat intel platforms track who's attacking. You see patterns, identify threats.
MISP
MISP shares threat data. You contribute, get feeds. MISP normalizes indicators, helps you correlate. It's community-driven, keeps you current.
ThreatConnect
ThreatConnect aggregates threat data. You search, analyze, and act. It integrates with tools, automates response. ThreatConnect is a central hub for threat intel.
AlienVault
AlienVault offers threat data, asset management. You monitor, analyze, detect. It integrates with other tools, scales with your needs.
Tool Comparison
The following table compares the tools: Tool, Focus, Method, Output. Shodan, Internet assets, Indexing, Asset details. Censys, Hosts, services, Scanning, Host, service data. Zoom, IP ranges, Searching, Host, port data. MISP, Threat data, Sharing, Normalized IOCs. ThreatConnect, Threat data, Aggregating, Threat analysis. AlienVault, Threat data, assets, Monitoring, Threat, asset data.
Usage Tips
Use Shodan and Censys for asset discovery. Use MISP and ThreatConnect for threat intel. Zoom and Masscan are good for quick checks.
You pick the tool. Your workflow improves.
Updated April 2026. See also: SpiderFoot Review, Recon-ng Review, Maltego Review, What Is OSINT?.
Censys searches internet infrastructure, including servers, routers, firewalls. Anything with an IP address gets indexed. You query by IP, domain, or certificate. Results show open ports, TLS versions, and certificate details. That's your asset data.
Operators often miss things. Certificates expire, new IPs pop up. Censys finds them. It crawls the internet like a search engine, logging DNS, HTTP, and TLS metadata. You filter by port, protocol, or country.
The Censys API handles 500 requests per day for free. Paid plans start at $100/month. A 30-day free trial is available, so you can test the API before buying. Results come in JSON.
Use Censys for asset discovery, track exposed services, and monitor TLS and certificate changes. You need to know what a target has before you probe it. Censys gives you baseline data.
Censys works with other OSINT tools, such as Recon-ng, Maltego, and SpiderFoot. You integrate it with your workflow. Censys finds targets; you analyze them.
It works.
Related Guides
Domain and IP Investigation with OSINT: A Complete Guide
A practical guide to investigating domains and IP addresses using open source tools — covering WHOIS, DNS history, IP geolocation, ASN analysis, and infrastructure pivoting.
How to Use Shodan: A Beginner's Guide
A practical introduction to Shodan — what it is, how to search it, and how OSINT investigators and security practitioners use it to research internet-facing infrastructure.
How to Use SpiderFoot for Automated OSINT Reconnaissance
Step-by-step guide to running SpiderFoot scans, configuring modules, and reading results without alerting your target.
Last updated 2026-04-02. Techniques and tools change — verify current capabilities with vendors directly.