Source index
Feeds and primary sources we consider worth monitoring for future threat coverage.
High-value RSS / update feeds
- Aikido Security Research — https://www.aikido.dev/blog/index.xml
- QiAnXin XLab — https://blog.xlab.qianxin.com/ (HTML watch; monitor large-scale exploitation, botnet, ClickFix/page-poisoning, hosting-control-plane abuse such as Mr_Rot13 cPanel CVE-2026-41940, infrastructure writeups such as Ghost CMS CVE-2026-26980 mass compromise reports, and cybercrime-infrastructure / web-supply-chain reports such as Funnull RingH23 / MacCMS poisoning)
- Wiz Research — https://www.wiz.io/blog (HTML watch; prior RSS path returned 404 in current checks; monitor TeamPCP/Mini Shai-Hulud package waves and post-compromise cloud/GitHub abuse reporting such as TruffleHog validation, ECS Exec / SSM execution, mass repository cloning, and workflow-log deletion)
- Socket Security Research — https://socket.dev/blog (HTML watch; prior RSS paths returned 404/403 in current checks; watch Shai-Hulud/Mini Shai-Hulud variants, registry-response notices such as npm token invalidation, TeamPCP/copycat reporting, enterprise developer-ecosystem compromises such as SAP CAP / Cloud MTA packages, cross-ecosystem Packagist/Composer and GitHub source-repository compromises, RubyGems abuse such as GemStuffer or BufferZoneCorp-style RubyGems/Go module CI poisoning, Laravel-Lang-style Composer tag rewrites/backdoors, and AI-toolchain supply-chain tradecraft such as MCP/coding-assistant poisoning and TrapDoor-style npm/PyPI/Crates.io credential-stealer campaigns)
- Akamai Security Research — https://www.akamai.com/blog/security-research (HTML watch; RSS blocked/unavailable in current checks; monitor active-exploitation and edge/WAF telemetry writeups such as Drupal CVE-2026-9082, exposed-AI-service abuse such as Ollama P2P cryptominer/RAT campaigns, APT exploit-chain analysis such as APT28 LNK / SmartScreen bypass / authentication-coercion findings, and infrastructure/botnet disruption notes)
- SafeDep Research — https://safedep.io/blog (HTML watch; monitor CI/CD, GitHub repository backdooring, package-registry compromise, Megalodon-style workflow backdoors, crypto/AI-tooling package malware such as Polymarket-themed wallet-drainer npm packages, and Mini Shai-Hulud / AntV-style detection pivots such as payload hashes, orphan GitHub commit delivery, kitty-monitor, gh-token-monitor, and AI-assistant persistence)
- Lumen Black Lotus Labs — https://www.lumen.com/blog/en-us/ (HTML watch; filter for Black Lotus Labs posts covering telecom, routing, botnet, and nation-state infrastructure research)
- Snyk Blog / Security Research — https://snyk.io/blog/feed/ (watch Mini Shai-Hulud/TeamPCP follow-ups, registry-scale advisories, package-level vulnerability records, and Composer/Packagist incident-response updates such as Laravel-Lang all-version compromise advisories)
- JFrog Security Research — https://research.jfrog.com/ (HTML watch; monitor TeamPCP/Mini Shai-Hulud follow-ups, PyPI import-time compromises such as Xinference and durabletask, optional-dependency GitHub-commit delivery, cloud/Kubernetes lateral-movement payload evolution, and malicious developer/AI packages abusing platforms such as Hugging Face for CDN/exfiltration or prompt theft) and JFrog Blog RSS https://jfrog.com/blog/feed/
- Unit 42 Research — https://unit42.paloaltonetworks.com/feed/ (watch recurring npm threat-landscape updates for Shai-Hulud/Mini Shai-Hulud wave metrics, SLSA/OIDC findings, containment-order warnings, cloud-identity tradecraft such as ROADtools / Entra ID abuse, and high-signal actor updates such as Screening Serpens / MiniUpdate / MiniJunk)
- ESET WeLiveSecurity / ESET Research — https://www.welivesecurity.com/en/eset-research/ (HTML/RSS watch; monitor actor campaigns, supply-chain attacks against regional software ecosystems, and new malware/tooling such as ScarCruft BirdCall Android or GopherWhisper Go tooling)
- Microsoft Security Blog — https://www.microsoft.com/en-us/security/blog/ (HTML watch; RSS may return 403)
- Broadcom / Symantec Threat Intelligence — https://www.security.com/threat-intelligence (HTML watch; monitor incident-response-backed actor tradecraft such as Seedworm / MuddyWater Node.js-orchestrated PowerShell, signed-binary DLL sideloading, ChromElevator browser theft, and public file-transfer exfiltration)
- Gambit Security research — https://gambit.security/news-resources (HTML watch; monitor recovery-denial and destructive-operation reporting such as Ababil of Minab / MOIS-linked backup, virtualization, and storage destruction campaigns)
- Google Cloud / Mandiant Threat Intelligence — https://cloud.google.com/blog/topics/threat-intelligence (HTML watch; monitor incident-response-backed actor/campaign/tooling and exploited-product writeups such as KnowledgeDeliver CVE-2026-5426 ViewState deserialization, BLUEBEAM / Godzilla, Cobalt Strike follow-on activity, and GTIG AI Threat Tracker reporting on AI-assisted vulnerability exploitation, autonomous malware, obfuscated model access, and TeamPCP / UNC6780 AI-environment supply-chain abuse)
- GitHub Security Blog — https://github.blog/security/ (HTML watch for GitHub platform incident notes and postmortems)
- The Hacker News — https://feeds.feedburner.com/TheHackersNews (monitor active-exploitation reports and secondary pointers to primary actor/tool research that add concrete affected-version, exploit-status, or response guidance, such as LiteSpeed/cPanel CVE-2026-48172 and Lazarus RemotePE coverage)
- Fox-IT / NCC Group research blog — https://blog.fox-it.com/ (HTML watch; monitor incident-response-backed actor/tool research such as Lazarus RemotePE, DPAPI/environmental-keying loaders, and memory-only RAT tradecraft)
- Boost Security Labs — https://labs.boostsecurity.io/rss.xml (watch CI/CD supply-chain techniques such as deployment poisoning and TeamPCP follow-ups)
- StepSecurity blog — https://www.stepsecurity.io/blog/rss.xml (watch Mini Shai-Hulud / Nx Console follow-ups, CI/CD workflow-backdoor campaigns such as Megalodon, and Composer/GitHub tag-rewrite incidents such as Laravel-Lang)
- Trail of Bits blog — https://blog.trailofbits.com/feed/
- PortSwigger Research — https://portswigger.net/research/rss
- ProjectDiscovery blog — https://projectdiscovery.io/blog/rss
- CISA KEV — https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (promote entries when they add active exploitation evidence, actor linkage, or high-impact platform exposure such as Langflow CVE-2025-34291)
- GitHub Security Advisories — https://github.com/advisories.atom
- CERT-UA — https://cert.gov.ua/ (HTML/API watch for Ukraine-focused actor campaigns, UAC cluster reports, malware component names, and indicator bundles; article pages can be queried via /api/articles/byId?id=<article-id>)
- Europol / Eurojust / FBI IC3 public cyber notices — watch for criminal infrastructure takedowns, seized domains, exit-node indicators, ransomware-enabler service descriptions, and law-enforcement caveats that can update tool/infrastructure pages.
Maintainer / vendor incident posts to watch during active campaigns
- Nx / nrwl security advisories and issues — https://github.com/nrwl/nx/security/advisories and https://github.com/nrwl/nx/issues
- Grafana Labs security posts — https://grafana.com/blog/tags/security/
- PyPI project and malware-report pages for affected packages — use package-specific release history as confirmation for yanked or restored versions.
- Packagist package pages and maintainer incident notes — watch package metadata/tag movement and unexpected composer-plugin conversions during Mini Shai-Hulud-style cross-ecosystem incidents.
- LiteSpeed / cPanel security notices — watch vendor advisories and cPanel support notices for actively exploited hosting-control-plane flaws and forced-removal/patch guidance.
Notes
- Prefer RSS/Atom over ad hoc web searches.
- If a feed URL changes, update this page and the monitoring config together.
- If a source produces repeated noise, lower its priority before removing it.
Active watch topics
- Shai-Hulud / Mini Shai-Hulud / TeamPCP supply-chain activity — monitor vendor research, affected-package appendices, maintainer postmortems, CISA/GitHub advisories, and registry notices for new package families, propagation methods, persistence paths, infrastructure, and attribution changes.