Official intelligence summary

HAIJA INTEL REPORT

Generated 21/05/2026, 09:13. Pipeline: Europe/Belgrade. Regular sources favor exploit, blog, red-team, and attack-path content. CVE items are kept only when they carry an exploit signal.
Total items: 15
Regular sources: 9
Tweets / X: 6
Threshold: 0.62

Tweets / X

6 items
SpecterOps @SpecterOps
20 May, 01:24 · core
0.46
Detection starts with understanding how attacks actually work. Join our Tradecraft Analysis course at #BHUSA & learn how to analyze Windows attack techniques across multiple abstraction layers & the artifacts they leave behind. Early bird ends May 22: https://ghst.ly/4uii3Ua
h4x0r_dz @h4x0r_dz
20 May, 14:48 · core
0.42
It is interesting that the GitHub team didn't share the name of the malicious VS Code Extensions why ???????????????????????
h4x0r_dz @h4x0r_dz
20 May, 13:13 · core
0.42
Does the SIEM work here? GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months. #teamPCP #github
h4x0r_dz @h4x0r_dz
20 May, 13:11 · core
0.42
Access tokens should be used with IP whitelisting to reduce the risk of this type of attack. GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months. #teamP
h4x0r_dz @h4x0r_dz
20 May, 06:16 · core
0.42
GitHub got hacked We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositorie
Bugcrowd @Bugcrowd
20 May, 23:34 · secondary
0.41
Verizon DBIR 2026 found that exploiting software vulnerabilities has overtaken stolen credentials as the top initial access method for the first time in the report’s 19-year history. For security teams, that changes things. As Trey Ford, Bugcrowd’s Chief Strategy and Trust

Regular sources

9 items
1.00 · general · 20 May, 19:48 · microsoft.com · Research

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm instal…

1.00 · general · 20 May, 16:37 · securityweek.com

AI-Powered App Attacks Are Faster, More Frequent and Harder to Stop

Digital.ai’s latest threat report warns that agentic AI has erased the distinction between emerging and primary targets, enabling attackers to strike mobile apps within …

1.00 · general · 20 May, 16:36 · thehackernews.com · Wild exploit

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code a…

1.00 · general · 20 May, 16:10 · helpnetsecurity.com

Verizon DBIR: Vulnerability exploitation is the dominant initial access vector

Vulnerability exploitation has overtaken stolen credentials as the most common way attackers gain initial access to target networks, according to the 2026 Verizon Data B…

1.00 · general · 20 May, 15:00 · huntress.com · Tradecraft · Research

Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress

The ransomware name on the ransom note doesn't tell the full story. See how RaaS affiliates drive initial access, persistence, and exfiltration and what defenders should…

1.00 · general · 20 May, 12:52 · bleepingcomputer.com · PoC · Tradecraft

Exploit released for new PinTheft Arch Linux root escalation flaw

PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain ro…

0.93 · general · 20 May, 23:36 · bleepingcomputer.com

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware ope…

0.92 · exploit · 20 May, 12:45 · 4 mentions · seclists.org

Re: PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method

Posted by gabriel . corona on May 20 If that is the case, PCManFM is certainly equally impacted by the sandbox escape scenario. Regards, Gabriel | Posted by Aaron Rainbolt on May 19 This issue was mentioned in the "On the issue of MIME handlers that execute arbitrary code" thread [1], and was brought up three years… | Posted by gabriel . corona on May 20 I am not sure I am following that argument … When I am calling "$file-manager $some-path", I should be expecting to actually open up…