Official intelligence summary

HAIJA INTEL REPORT

Generated 27/04/2026, 09:09. Pipeline: Europe/Belgrade. Regular sources favor exploit, blog, red-team, and attack-path content. CVE items only stay with exploit signal.
Total items15
Regular sources6
Tweets / X9
Threshold0.62
You can save this report in your browser with the favorite button. If you need a shared favorite list, use the CLI helper.

Tweets / X

9 items
MR
mrgretzky @mrgretzky
24 Apr, 11:35 · core
0.72
Last week we published three independent phishing research projects CDP, Passkey Phishing, and ConsentFix, alongside the internal @MalDevAcademy @mrd0x tools for each. It’s been great getting messages like this and seei…
open on X
_D
_dirkjan @_dirkjan
24 Apr, 23:33 · core
0.50
More talks for the @WEareTROOPERS #TROOPERS26 AD & Entra ID Security Track accepted, featuring @kidtronnix , @LeGuideDuSecOps , @_dirkjan , @DrAzureAD , @al3x_n3ff & others
open on X
TH
TheDFIRReport @TheDFIRReport
24 Apr, 14:02 · core
0.46
"The scanner relies on an acquirer file containing targets and a lease file defining the exploit type. These files show the operator obtaining target feeds from ZIP archives hosted on cs2[.]ip[.]thc[.]org, assigning the…
open on X
@_RastaMouse avatar
_RastaMouse @_RastaMouse
24 Apr, 19:18 · core
0.37
This also impacts sites that rely on ad revenue to stay up. What's gonna happen when all the original sources dry up and no new content is being posted? This is what's happening to YouTube. This is one of my most popular videos. It's how to fix a UEFI bootloader. As you can see t
tweet mediatweet media
open on X
@Unit42_Intel avatar
Unit42_Intel @Unit42_Intel
25 Apr, 00:00 · secondary
0.36
Shai-Hulud changed npm supply chain attacks. Adversaries now use wormable propagation, infrastructure persistence and multi-stage payloads. Coordinated campaigns weaponize dev tooling (Docker, GitHub, VS Code, npm). Read the full analysis for our insights. https:// bit.ly/4cwtCk3
tweet media
open on X
@Unit42_Intel avatar
Unit42_Intel @Unit42_Intel
24 Apr, 20:36 · secondary
0.36
V2 of the #Kali365 PhaaS toolkit has emerged with dedicated OAuth and AI-based lure generation, seeing widespread abuse. This kit is distributed via Telegram and has features like a domain marketplace, Cloudflare worker hosting and keyword searching: https:// bit.ly/3QupSXM
tweet mediatweet media
open on X
@_xpn_ avatar
_xpn_ @_xpn_
26 Apr, 13:45 · core
0.31
Love Claude Code channels for push-events. Here I hooked up a GitHub Action to an example repo containing SwiftBelt. The aim was to test YARA rules during every build, but if any fired, task Claude to evade any detections, then submit a PR with updates. Seeing it play out is
tweet media
open on X
@Unit42_Intel avatar
Unit42_Intel @Unit42_Intel
24 Apr, 23:30 · secondary
0.31
Our research reveals "Agent God Mode" in Amazon Bedrock AgentCore. Overly broad IAM permissions allow privilege escalation across AWS accounts. A compromised agent can access memories and extract sensitive data via a multi-stage attack. Read our analysis: https:// bit.ly/4mssGAM
tweet media
open on X
@SpecterOps avatar
SpecterOps @SpecterOps
24 Apr, 21:36 · core
0.31
It’s #BloodHoundBasics day w/ @Jonas_B_K ! DYK BloodHound pathfinding can uncover hybrid attack paths? In this example, we trace a path from Domain Users in AD to a GitHub Secret, through Okta. Learn how OpenGraph extensions make this possible: https:// ghst.ly/4dmfACv
tweet media
open on X

Regular sources

6 items
1.00exploit · 25 Apr, 13:10seclists.orgTradecraft

bubblewrap CVE-2026-41163: Privilege escalation if setuid root, via ptrace

Posted by Simon McVittie on Apr 25 https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp Vulnerable: bubblewrap >= 0.11.0 if installed setuid …

github.com/containers/bubblewrap/security…
primary · linked
1.00general · 24 Apr, 20:13bleepingcomputer.comAttack path

Microsoft to roll out Entra passkeys on Windows in late April

Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late Apri…

primary
1.00general · 24 Apr, 14:27helpnetsecurity.comWild exploit

Indirect prompt injection is taking hold in the wild

The open web is slowly but surely filling up with “traps” designed for LLM-powered AI agents. The technique, known as indirect prompt injection (IPI), involves hiding (m…

primary
1.00general · 24 Apr, 11:29thehackernews.comTradecraft

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent …

primary
1.00general · 24 Apr, 09:24thehackernews.comWild exploit

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitatio…

primary