Skip to content

Source index

Feeds and primary sources we consider worth monitoring for future threat coverage.

High-value RSS / update feeds

  • Sonatype Security Research — https://www.sonatype.com/blog/rss.xml (RSS watch; monitor package-registry and ecosystem compromise research such as Atomic Arch AUR orphan-package adoption, malicious npm dependency pivots like atomic-lockfile / js-digest / lockfile-js, Sonatype vulnerability guide entries, and Shai-Hulud / Miasma supply-chain follow-ups)
  • Aikido Security Research — https://www.aikido.dev/blog/index.xml (HTML/RSS watch; monitor developer-machine, AI-toolchain, VS Code / extension, Codex-token, and package supply-chain compromises such as codexui-android OpenAI token theft, poisoned extensions, Laravel-Lang, and Mini Shai-Hulud follow-ups)
  • QiAnXin XLab — https://blog.xlab.qianxin.com/ (HTML watch; monitor large-scale exploitation, botnet, ClickFix/page-poisoning, hosting-control-plane abuse such as Mr_Rot13 cPanel CVE-2026-41940, infrastructure writeups such as Ghost CMS CVE-2026-26980 mass compromise reports, and cybercrime-infrastructure / web-supply-chain reports such as Funnull RingH23 / MacCMS poisoning)
  • Wiz Research — https://www.wiz.io/blog (HTML watch; prior RSS path returned 404 in current checks; monitor TeamPCP/Mini Shai-Hulud package waves including Miasma / @redhat-cloud-services, JINX-0164-style cryptocurrency developer targeting with fake meeting flows, macOS malware, GitHub/source-repository abuse, and post-compromise cloud/GitHub abuse reporting such as TruffleHog validation, ECS Exec / SSM execution, mass repository cloning, and workflow-log deletion)
  • Socket Security Research — https://socket.dev/api/blog/feed.atom and https://socket.dev/blog (Atom/HTML watch; monitor Shai-Hulud/Mini Shai-Hulud variants, registry-response notices such as npm token invalidation, TeamPCP/copycat reporting, enterprise developer-ecosystem compromises such as SAP CAP / Cloud MTA packages, cross-ecosystem Packagist/Composer and GitHub source-repository compromises, DPRK/Contagious Interview developer-targeting dead-drop campaigns such as StegaBin Pastebin/Vercel payload delivery and Famous Chollima Packagist dev-branch loaders, RubyGems abuse such as GemStuffer or BufferZoneCorp-style RubyGems/Go module CI poisoning, Laravel-Lang-style Composer tag rewrites/backdoors, financial/enterprise SDK impersonation such as Sicoob.Sdk NuGet mTLS certificate theft, high-blast-radius package compromises such as Axios pulling plain-crypto-js RAT payloads, Hades-style PyPI wheel startup-hook branches of Miasma / Mini Shai-Hulud using *-setup.pth, Bun, _index.js, .abi3.so native extensions, and split loaders such as langchain-core-mcp, AI-toolchain supply-chain tradecraft such as MCP/coding-assistant poisoning and TrapDoor-style npm/PyPI/Crates.io credential-stealer campaigns, and browser-extension abuse such as Chrome Web Store live-wallpaper ad-fraud / traffic-laundering networks)
  • OX Security Research — https://www.ox.security/blog/ (HTML watch; monitor AI-toolchain and software-supply-chain malware such as Malware-Slop / mouse5212-super-formatter, Claude /mnt/user-data theft, GitHub Contents API exfiltration, leaked actor tokens, Shai-Hulud source-leak copycats such as chalk-tempalte / axois-utils / color-style-utils, TeamPCP follow-ons such as the Telnyx PyPI compromise after LiteLLM, Miasma / @redhat-cloud-services impact notes such as stolen-repository counts, earliest observed infection timing, six-stage loader loops, alternate Miasma : The Spreading Blight spacing, and firedalazer GitHub commit-search C2, MCP / AI-agent supply-chain trust-boundary research such as stdio command-execution configuration exposure, and AI-generated commodity npm malware tradecraft)
  • CrowdStrike Counter Adversary Operations — https://www.crowdstrike.com/en-us/blog/ (HTML watch; monitor developer-targeting botnet and supply-chain disruption reporting such as Glassworm, C2 takedowns, package/extension compromise, and endpoint remediation guidance)
  • Akamai Security Research — https://www.akamai.com/blog/security-research (HTML watch; RSS blocked/unavailable in current checks; monitor active-exploitation and edge/WAF telemetry writeups such as Drupal CVE-2026-9082, exposed-AI-service abuse such as Ollama P2P cryptominer/RAT campaigns, APT exploit-chain analysis such as APT28 LNK / SmartScreen bypass / authentication-coercion findings, and infrastructure/botnet disruption notes)
  • SafeDep Research — https://safedep.io/blog (HTML watch; monitor CI/CD, GitHub repository backdooring, package-registry compromise, Megalodon-style workflow backdoors, crypto/AI-tooling package malware such as Polymarket-themed wallet-drainer npm packages, actively maintained developer-targeting npm RATs such as forge-jsxy and MicrosoftSystem64 / js-logger-pack, Hugging Face / Discord exfiltration, typosquat infostealer campaigns such as faster-axios / turbo-axios Epsilon Stealer, targeted dependency-confusion environment stealers such as the oob.moika.tech campaign, build-config PR injection such as astro.config.mjs blockchain-C2 loaders and horizontal-whitespace diff hiding, and Mini Shai-Hulud / AntV / Miasma-style detection pivots such as payload hashes, orphan GitHub commit delivery, two-wave trusted-publishing abuse, live-latest malicious releases, kitty-monitor, gh-token-monitor, AI-assistant persistence, and source-repository auto-execution through Claude Code / Gemini SessionStart, Cursor alwaysApply, VS Code folderOpen, and npm test launchers)
  • Lumen Black Lotus Labs — https://www.lumen.com/blog/en-us/ (HTML watch; filter for Black Lotus Labs posts covering telecom, routing, botnet, and nation-state infrastructure research such as JDY / KV-botnet SOHO and IoT reconnaissance networks)
  • Snyk Blog / Security Research — https://snyk.io/blog/feed/ (watch Mini Shai-Hulud/TeamPCP follow-ups, registry-scale advisories, package-level vulnerability records, Composer/Packagist incident-response updates such as Laravel-Lang all-version compromise advisories, and AI-agent supply-chain boundary cases such as jqwik 1.10.0 maintainer prompt injection through build/test output)
  • JFrog Security Research — https://research.jfrog.com/ (HTML watch; monitor TeamPCP/Mini Shai-Hulud follow-ups, PyPI import-time compromises such as Xinference and durabletask, optional-dependency GitHub-commit delivery, cloud/Kubernetes lateral-movement payload evolution, malicious developer/AI packages abusing platforms such as Hugging Face for CDN/exfiltration or prompt theft, cryptocurrency-developer package lures such as Solana FakeFix npm/PyPI patched-SDK packages, GitHub issue spam, Telegram C2, fake MEV private-key prompts, and Deno loader persistence, Miasma / @redhat-cloud-services follow-up indicators such as type-only package install hooks, GitHub commit-search C2, camouflage exfil destinations, and AI-scanner prompt-injection / refusal-evasion samples, plus IronWorm-style native Rust npm infostealers with eBPF rootkits, Tor C2, backdated GitHub commits, and trusted-publishing propagation) and JFrog Blog RSS https://jfrog.com/blog/feed/
  • Unit 42 Research — https://unit42.paloaltonetworks.com/feed/ (watch recurring npm threat-landscape updates for Shai-Hulud/Mini Shai-Hulud wave metrics, SLSA/OIDC findings, containment-order warnings, cloud-identity tradecraft such as ROADtools / Entra ID abuse, cloud-control-plane defense-evasion research such as AWS CloudTrail / Google Cloud Logging route, destination, and KMS tampering, high-signal actor updates such as Screening Serpens / MiniUpdate / MiniJunk, collaboration-tool phishing / identity guidance such as Microsoft Teams external-chat abuse and federation hardening, cybercrime-economy updates that add durable TeamPCP / TGR-CRI-1135 monetization context such as LAPSUS$ / Vect extortion partnerships or public Shai-Hulud tooling claims, AI-agent skill supply-chain research such as Behavioral Integrity Verification for OpenClaw registry skills, and macOS malvertising/backdoor evolution such as CL-CRI-1089 Operation FlutterBridge / FlutterShell)
  • Trend Micro Research — https://www.trendmicro.com/en_us/research.html (HTML watch; monitor active-exploitation, AI-augmented intrusion, developer-targeting malware, and Ukraine/Russia-aligned updates such as Void Dokkaebi / Famous Chollima Cython-compiled InvisibleFerret and BeaverTail evolution, WinRAR CVE-2025-8088 reuse by Earth Dahu / Gamaredon and UAC-0226 / SHADOW-EARTH-066, GIFTEDCROOK evolution, managed-software patch blind spots, SHADOW-AETHER agentic-AI tunneling / lateral-movement campaigns in Latin America, and distinct post-exploitation chains sharing a common exploit entry point)
  • ESET WeLiveSecurity / ESET Research — https://www.welivesecurity.com/en/eset-research/ (HTML/RSS watch; monitor actor campaigns, supply-chain attacks against regional software ecosystems, and new malware/tooling such as OceanLotus / APT32 FireAnt MetaKit supply-chain delivery of SPECTRALVIPER, ScarCruft BirdCall Android, FrostyNeighbor/Ghostwriter PicassoLoader chains, GopherWhisper Go tooling, and mobile MaaS/RAT reporting such as BTMOB)
  • Sekoia.io Threat Research — https://blog.sekoia.io/ (HTML watch; monitor Russia-linked espionage, Gamaredon/UAC-0010 malware chains, dead-drop resolver tradecraft, USB/network-share propagation, and durable malware-family taxonomy such as GammaPhish, GammaLoad, GammaWorm, and GammaSteel)
  • Seqrite Labs / APT Team — https://www.seqrite.com/blog/ (HTML watch; monitor targeted espionage writeups with concrete malware chains and infrastructure such as Operation Dragon Weave, RUSTCLOAK, AZUREVEIL, Adaptix C2, Azure Blob Storage dead-drop C2, Czech Republic / Taiwan lures, Operation XENOFISCAL / SideCopy XenoRAT chains, Operation GriefLure Southeast Asia LNK / ftp.exe droppers, and attribution-confidence caveats)
  • Microsoft Security Blog — https://www.microsoft.com/en-us/security/blog/ (HTML watch; RSS may return 403; monitor actor/campaign/tool reporting such as AI-chatbot/search-poisoned utility downloads, AI-brand impersonation phishing and malvertising, ScreenConnect abuse, SimpleRunPE/RuntimeHost GPU cryptojacking, edge-appliance intrusion chains, ransomware tooling such as Storm-2697 / The Gentlemen self-propagating Go encryptor, Claude Code GitHub Action / AI-agent CI/CD trust-boundary cases such as /proc/self/environ Read-tool exposure, and npm supply-chain campaigns such as Miasma / Red Hat npm trusted-publishing abuse, vpmdhaj OpenSearch / Elasticsearch typosquats, or oob.moika.tech dependency-confusion clusters that profile developers, steal environment context, and abuse lifecycle hooks / Bun-runtime loaders)
  • Broadcom / Symantec Threat Intelligence — https://www.security.com/threat-intelligence (HTML watch; monitor incident-response-backed actor tradecraft such as Seedworm / MuddyWater Node.js-orchestrated PowerShell, signed-binary DLL sideloading, ChromElevator browser theft, Deno/Python backdoors such as Dindoor and Fakeset, Rclone-to-Wasabi exfiltration, Backblaze staging, and public file-transfer exfiltration, plus high-consequence tool research such as Fast16 LS-DYNA / AUTODYN nuclear-simulation sabotage)
  • WatchGuard Secplicity / Threat Lab — https://www.watchguard.com/wgrd-security-hub/secplicity-blog (HTML watch; monitor regional malware and fraud operations such as Grandoreiro campaigns using DLL sideloading, WebRTC/STUN/ICE communications camouflage, cloud-service abuse, and anti-analysis checks)
  • Arctic Wolf Labs — https://arcticwolf.com/resources/blog/ (HTML watch; monitor incident-response-backed exploitation, identity-first phishing, and malware-delivery reporting such as Kali365 OAuth device-code PhaaS expansion across Microsoft / Okta / Xerox / MAX Messenger lures, FortiClient EMS CVE-2026-35616 abuse to push EKZ Infostealer through endpoint-management policy and fake Fortinet patch workflows, and PAN-OS GlobalProtect CVE-2026-0257 follow-on intrusion detail such as unauthorized VPN tunnels followed by Impacket-style SMB / NTLM reconnaissance)
  • Kaspersky Securelist — https://securelist.com/ (HTML/RSS watch; monitor supply-chain compromises, signed-binary backdoors, RAT tooling, Windows exploitation writeups such as MiniPlasma Cloud Filter / CVE-2020-17103-adjacent LPE detection, and incident-response reports such as DAEMON Tools Lite CVE-2026-8398 with typosquatted C2, selective backdoor deployment, and QUIC RAT activity; Cloud Atlas updates such as PowerCloud, PowerShower, VBCloud, reverse SSH / ReverseSocks / Tor backup-channel use, and Russia/Belarus government targeting; North Korea/Kimsuky tooling evolution such as PebbleDash / AppleSeed, HelloDoor, HttpMalice, VS Code tunneling, DWAgent, and Cloudflare Quick Tunnel abuse; and durable cybercrime malware campaigns such as piracy-site fake-update SilentCryptoMiner / RAT delivery)
  • WithSecure Labs — https://labs.withsecure.com/publications (HTML watch; monitor Russia-nexus, Ukraine-focused, and AI-assisted campaigns such as GREYVIBE / PhantomMail / PhantomClick / PrincessClub with PhantomRelay, FallSpy, LegionRelay, DAYLIGHT, TEASOUP, and cybercrime-overlap attribution notes)
  • Proofpoint Threat Insight — https://www.proofpoint.com/us/blog/threat-insight (HTML watch; monitor email-threat and actor-cluster reporting such as TA4922 Chinese-speaking cybercrime expansion, localized HR/payroll/tax/invoice lures, ValleyRAT / Winos4.0, Atlas RAT, RomulusLoader, SilentRunLoader, Silver Fox / Void Arachne overlap caveats, and DPRK/developer-targeting repository-phishing clusters such as UNK_DeadDrop using GitHub/GitLab lures, VS Code / Cursor folderOpen tasks, malicious VSIX persistence, Overlord payloads, and cryptocurrency-wallet theft)
  • ReliaQuest Threat Research — https://reliaquest.com/blog/ (HTML watch; monitor incident-response-backed cluster and intrusion reporting such as OP-512 IIS web-shell espionage, cryptographically gated ASP.NET handlers, self-reporting DNS C2, and legacy .NET / IIS behavioral detections)
  • Volexity Threat Research — https://www.volexity.com/blog/ (HTML watch; monitor incident-response-backed actor and appliance coverage such as VerdantBamboo / WARP PANDA / UNC5221 BRICKSTORM operations on Egnyte Storage Sync, pfSense, Synology NAS, MSP, Linux, FreeBSD, and other low-EDR management-plane systems)
  • Sygnia research — https://www.sygnia.co/blog/ (HTML watch; monitor incident-response-backed China-nexus and infrastructure-persistence reporting such as Velvet Ant / Operation Highland authentication-stack backdoors, F5 BIG-IP abuse, Cisco Nexus CVE-2024-20399 / VELVETSHELL, PAM / OpenSSH tampering, segmented-network intrusion paths, and crypto supply-chain containment lessons such as developer endpoint → repo/CI → automation identity → Kubernetes/runtime → secrets → custody/transaction authority chains)
  • Gambit Security research — https://gambit.security/news-resources (HTML watch; monitor recovery-denial and destructive-operation reporting such as Ababil of Minab / MOIS-linked backup, virtualization, and storage destruction campaigns)
  • Hunt.io research — https://hunt.io/blog (HTML watch; monitor exposed attacker-infrastructure recoveries, C2/toolkit leaks, cloud-abuse operations, phishing/smishing infrastructure such as the 19-country government / postal / telecom campaign with 1,628 URLs and a reusable 128-character page hash, managed-service / endpoint-management compromise blast-radius cases such as Quest KACE SMA CVE-2025-32975 exposed-toolkit reporting, Iranian-nexus exposed-C2 operations such as Oman government webshell / Chisel / DotNetNuke targeting, TeamPCP Python toolkit / FIRESCALE fallback reporting, PCPJack-style proxy / SMTP relay infrastructure analysis, and high-blast-radius npm compromise payload analysis such as Axios / plain-crypto-js cross-platform RAT delivery with TA444 / BlueNoroff infrastructure overlaps)
  • SentinelOne SentinelLABS — https://www.sentinelone.com/labs/ (HTML watch; monitor crimeware, cloud-worm, DPRK, ransomware, and actor/tool reporting such as PCPJack credential theft, exposed cloud service propagation, Sliver payloads, and TeamPCP-adjacent artifact removal)
  • Sysdig Threat Research — https://www.sysdig.com/threat-research (HTML watch; monitor cloud-native, container, AI-workflow, and post-exploitation reporting such as marimo CVE-2026-39987 LLM-agent post-exploitation, PraisonAI CVE-2026-44338 same-day endpoint validation, Cloudflare Workers egress fan-out, AWS Secrets Manager pivots, database theft from AI/notebook runtimes, and NATS-as-C2 / KeyHunter credential-harvesting worker infrastructure targeting AWS, AI keys, and code-sandbox secrets)
  • Permiso Security / P0 Labs — https://permiso.io/blog (HTML watch; monitor AI identity, assistant-rendering, and indirect-prompt-injection research such as ChatGPhish page-summarization phishing through live Markdown links, auto-fetched images, spoofed alerts, and QR-code pivots)
  • Tenet Security Threat Labs — https://tenetsecurity.ai/blog/ (HTML watch for AI-agent runtime and MCP trust-boundary research such as Sentry Agentjacking, where public observability events can inject fake remediation instructions that coding agents execute through package-manager or shell tools)
  • Google Cloud / Mandiant Threat Intelligence — https://cloud.google.com/blog/topics/threat-intelligence (HTML/RSS watch; monitor incident-response-backed actor/campaign/tooling, exploited-product writeups such as KnowledgeDeliver CVE-2026-5426 ViewState deserialization, BLUEBEAM / Godzilla, Cobalt Strike follow-on activity, Oracle PeopleSoft CVE-2026-35273 zero-day exploitation by UNC6240 / ShinyHunters, GTIG AI Threat Tracker reporting on AI-assisted vulnerability exploitation, autonomous malware, obfuscated model access, TeamPCP / UNC6780 AI-environment supply-chain abuse, UNC6692 / SNOW malware social-engineering chains using Teams, browser-extension persistence, tunnels, and LSASS theft, and criminal-market ecosystem reporting such as Chinese-language PhaaS real-time OTP interception / wallet-tokenization tradecraft, BlackFile / UNC6671 vishing extortion, UNC3753 / Luna Moth law-firm vishing with RMM and physical-impersonation pivots, AiTM SSO compromise, and SaaS data theft)
  • Google safety / affirmative litigation — https://blog.google/innovation-and-ai/technology/safety-security/ and https://affirmativelitigation.withgoogle.com/ (HTML watch for Google-filed abuse-disruption cases, AI-enabled scam operations, smishing / PhaaS infrastructure such as Outsider Enterprise, and law-enforcement or carrier-coordination details that add durable defender pivots)
  • GitHub Security Blog / Changelog — https://github.blog/security/ and https://github.blog/changelog/ (HTML watch for GitHub platform incident notes, postmortems, and supply-chain security-default changes such as npm v12 script approval / allowScripts, --allow-git, and --allow-remote defaults)
  • Google Chrome Releases — https://chromereleases.googleblog.com/ (HTML/RSS watch for actively exploited Chrome / Chromium client-side zero-days such as V8 CVE-2026-11645 and rollout details for fixed stable builds)
  • Check Point Research / advisories — https://research.checkpoint.com/, https://blog.checkpoint.com/security/, and https://support.checkpoint.com/ (HTML watch for active edge, VPN, firewall, and ransomware-affiliate exploitation reporting such as Remote Access VPN / Mobile Access CVE-2026-50751 IKEv1 authentication bypass and companion SK hotfix guidance; also monitor AI-agent framework research such as LangGraph checkpointer injection / unsafe deserialization chains)
  • Ammar Askar security research — https://blog.ammaraskar.com/ (HTML watch for developer-tooling, VS Code, GitHub.dev, and source-control token-boundary research such as browser IDE OAuth token theft)
  • GMO Flatt Security Research — https://flatt.tech/research/ (HTML watch for AI-agent, Claude Code, GitHub Actions, and repository-permission boundary research such as Claude Code GitHub Action prompt-injection and workflow takeover paths)
  • The Hacker News — https://feeds.feedburner.com/TheHackersNews (monitor active-exploitation reports and secondary pointers to primary actor/tool research that add concrete affected-version, exploit-status, or response guidance, such as LiteSpeed/cPanel CVE-2026-48172, Cisco Catalyst SD-WAN Manager CVE-2026-20245, Lazarus RemotePE coverage, Malware-Slop / Claude user-data npm infostealer pointers to OX Security, WithSecure GREYVIBE pointers, Sysdig marimo LLM-agent post-exploitation pointers, Permiso ChatGPhish AI-summary phishing pointers, and cross-source campaign roundups such as Grandoreiro / BTMOB)
  • Wordfence vulnerability intelligence — https://www.wordfence.com/threat-intel/vulnerabilities and https://www.wordfence.com/blog/category/vulnerabilities/ (HTML watch; monitor active WordPress plugin exploitation with concrete affected versions, exploit telemetry, and mitigation details such as WP Maps Pro CVE-2026-8732 administrator-account creation and Everest Forms Pro CVE-2026-3300 calculation-field RCE)
  • Fox-IT / NCC Group research blog — https://blog.fox-it.com/ (HTML watch; monitor incident-response-backed actor/tool research such as Lazarus RemotePE, DPAPI/environmental-keying loaders, and memory-only RAT tradecraft)
  • Boost Security Labs — https://labs.boostsecurity.io/rss.xml (watch CI/CD supply-chain techniques such as deployment poisoning, TeamPCP follow-ups, GitHub Actions OIDC trust-boundary research such as Sleeper Squats subject-claim delimiter collisions, and trusted-publishing/provenance trust-boundary analysis such as the Miasma / Red Hat throwaway-branch OIDC publication path)
  • watchTowr Labs — https://labs.watchtowr.com/ (HTML watch for fast edge-appliance and security-platform exploit analysis plus detection artifacts, such as Ivanti Sentry CVE-2026-10520 / CVE-2026-10523 pre-auth command-injection and authentication-bypass research and Splunk Enterprise CVE-2026-20253 PostgreSQL Sidecar Service pre-auth file-write-to-RCE analysis)
  • StepSecurity blog — https://www.stepsecurity.io/blog/rss.xml (watch Mini Shai-Hulud / Nx Console follow-ups, Miasma-style @redhat-cloud-services namespace compromises, CI/CD workflow-backdoor campaigns such as Megalodon, JINX-0164-adjacent package compromises such as Velora DEX SDK / MINIRAT, npm native-addon build-path execution such as binding.gyp CI/CD worms, AI-assistant/editor repository reinfections such as Azure/durabletask, source-repository force-push compromises such as Pythagora-io/gpt-pilot, downstream GitHub Actions availability impacts such as Azure/functions-action repository disablement, Composer/GitHub tag-rewrite incidents such as Laravel-Lang, and Hades-style PyPI import-hook waves with graph-ML / bioinformatics package compromise, LLM-analysis prompt-injection evasion, cross-platform runner-memory scraping, SSH/SCP lateral movement, wiper-deterrent persistence, and developer-machine suspicious-file detection pivots such as binding.gyp, injected __init__.py, .vscode/tasks.json, and .claude/setup.mjs)
  • Trail of Bits blog — https://blog.trailofbits.com/feed/ (watch AI-agent skill distribution and scanner-bypass research such as public marketplace poisoning, ClawHub / skills.sh / Cisco skill-scanner bypasses, bytecode/document indirection, prompt-injection framing, and broader AI/ML supply-chain hardening)
  • CleverHans Lab — https://cleverhans.io/latest-research.html (HTML/arXiv watch for adversarial-ML and agentic-security research with operational defender value, such as adaptive computer worms using local open-weight LLMs on compromised hosts)
  • PortSwigger Research — https://portswigger.net/research/rss
  • ProjectDiscovery blog — https://projectdiscovery.io/blog/rss
  • CISA KEV — https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (promote entries when they add active exploitation evidence, actor linkage, or high-impact platform exposure such as Langflow CVE-2025-34291, PAN-OS GlobalProtect CVE-2026-0257, managed-file-transfer availability attacks such as SolarWinds Serv-U CVE-2026-28318, and Magento / Adobe Commerce extension RCE such as Mirasvit Cache Warmer CVE-2026-45247)
  • GitHub Security Advisories — https://github.com/advisories.atom
  • CERT-UA — https://cert.gov.ua/ (HTML/API watch for Ukraine-focused actor campaigns, UAC cluster reports, malware component names, and indicator bundles; article pages can be queried via /api/articles/byId?id=<article-id>)
  • Europol / Eurojust / FBI IC3 public cyber notices — watch for criminal infrastructure takedowns, seized domains, exit-node indicators, ransomware-enabler service descriptions, and law-enforcement caveats that can update tool/infrastructure pages.
  • NCSC-NL / Dutch Police cyber notices — https://www.ncsc.nl/nieuws and https://www.politie.nl/nieuws (watch Netherlands-hosted criminal infrastructure, botnet takedowns, residential-proxy / IoT-device abuse, hosting-provider disruptions, seized servers, and follow-up victim-notification or indicator releases such as the 17-million-device botnet disruption).

Maintainer / vendor incident posts to watch during active campaigns

  • Nx / nrwl security advisories and issues — https://github.com/nrwl/nx/security/advisories and https://github.com/nrwl/nx/issues
  • Grafana Labs security posts — https://grafana.com/blog/tags/security/
  • PyPI project and malware-report pages for affected packages — use package-specific release history as confirmation for yanked or restored versions.
  • Packagist package pages and maintainer incident notes — watch package metadata/tag movement and unexpected composer-plugin conversions during Mini Shai-Hulud-style cross-ecosystem incidents.
  • LiteSpeed / cPanel security notices — watch vendor advisories and cPanel support notices for actively exploited hosting-control-plane flaws and forced-removal/patch guidance.
  • DAEMON Tools / Disc Soft notices — https://blog.daemon-tools.cc/ and release notes; watch follow-ups to DAEMON Tools Lite CVE-2026-8398, installer integrity claims, rebuild/version guidance, and infrastructure-remediation details.
  • Visual Studio Code release notes / Marketplace security changes — https://code.visualstudio.com/updates/ and https://marketplace.visualstudio.com/VSCode (watch extension-marketplace mitigations, delayed auto-update changes, publisher-trust exceptions, and response details following poisoned-extension incidents such as Nx Console.)

Notes

  • Prefer RSS/Atom over ad hoc web searches.
  • If a feed URL changes, update this page and the monitoring config together.
  • If a source produces repeated noise, lower its priority before removing it.

Active watch topics

  • Shai-Hulud / Mini Shai-Hulud / TeamPCP supply-chain activity — monitor vendor research, affected-package appendices, maintainer postmortems, CISA/GitHub advisories, and registry notices for new package families, propagation methods, persistence paths, infrastructure, and attribution changes.