SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
Show more📈 Analytical overview of Telegram channel SITREP - Independent OSINT Channel
Channel SITREP - Independent OSINT Channel (@sitreports) in the English language segment is an active participant. Currently, the community unites 23 302 subscribers, ranking 5 674 in the Technologies & Applications category and 1 670 in the USA region.
📊 Audience metrics and dynamics
Since its creation on невідомо, the project has demonstrated rapid growth, gathering an audience of 23 302 subscribers.
According to the latest data from 17 July, 2026, the channel demonstrates stable activity. Although there has been a change in the number of participants by -201 over the last 30 days and by -5 over the last 24 hours, overall reach remains high.
- Verification status: Not verified
- Engagement rate (ER): The average audience engagement rate is 2.80%. Within the first 24 hours after publication, content typically collects 1.87% reactions from the total number of subscribers.
- Post reach: On average, each post receives 652 views. Within the first day, a publication typically gains 436 views.
- Reactions and interaction: The audience actively supports content: the average number of reactions per post is 0.
- Thematic interests: Content is focused on key topics such as narrative, attack, infrastructure, threat, credential.
📝 Description and content policy
The author describes the resource as a platform for expressing subjective opinions:
“AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.”
Thanks to the high frequency of updates (latest data received on 18 July, 2026), the channel maintains relevance and a high level of publication reach. Analytics show that the audience actively interacts with content, making it an important point of influence in the Technologies & Applications category.
Data loading in progress...
| Date | Subscriber Growth | Mentions | Channels | |
| 18 July | +2 | |||
| 17 July | +1 | |||
| 16 July | +2 | |||
| 15 July | +4 | |||
| 14 July | +2 | |||
| 13 July | 0 | |||
| 12 July | 0 | |||
| 11 July | +3 | |||
| 10 July | +4 | |||
| 09 July | +1 | |||
| 08 July | +2 | |||
| 07 July | 0 | |||
| 06 July | +1 | |||
| 05 July | 0 | |||
| 04 July | 0 | |||
| 03 July | +1 | |||
| 02 July | +5 | |||
| 01 July | +1 |
| 2 | 📡 Colombia's Ecopetrol says cyberattack stole data tied to 3,300 accounts
Colombia’s state-controlled energy company Ecopetrol says a cyberattack led to the theft of data linked to roughly 3,300 user accounts. The company also stated it cannot guarantee the breach will avoid a material adverse financial impact.
The incident puts cyber risk back at the center of critical energy infrastructure exposure. Even a limited account set can create downstream legal, financial, and operational pressure, especially when the operator publicly acknowledges uncertainty over the eventual impact.
🛰️ Open sources - closed narratives
@sitreports | 348 |
| 3 | 📡 Seven malicious Vite npm packages used blockchain C2 for RAT delivery
Researchers identified seven malicious npm packages posing as Vite-related tools that deployed a remote access trojan and used blockchain infrastructure for command-and-control, embedding attacker instructions in public transactions. The campaign targeted the JavaScript supply chain through package installation and developer trust in routine build dependencies, as detailed in Vite npm packages.
The case shows how software supply chain malware is shifting toward resilient, low-cost C2 that is harder to disrupt than conventional domains or servers. For defenders, the key issue is not only package vetting but tracking unusual post-install behavior and outbound retrieval patterns from development environments.
🛰️ Open sources - closed narratives
@sitreports | 327 |
| 4 | 🔍 OpenSSL “HollowByte” flaw enables server memory freeze via 11-byte TLS requests
A newly detailed OpenSSL issue dubbed HollowByte can reportedly be triggered with TLS requests as small as 11 bytes, causing server memory to freeze. The bug affects a core cryptographic library widely used across internet-facing services.
The operational significance is asymmetry: minimal network input can tie up memory on exposed systems, making the issue relevant for denial-of-service conditions at scale. Any service relying on vulnerable OpenSSL handling should be assessed as potentially exposed until patched or mitigated.
🛰️ Open sources - closed narratives
@sitreports | 321 |
| 5 | 🎭 North Korea-linked operators used SVGs to stage fake coding tests
Researchers tracking OtterCookie-aligned activity say attackers hid malware in SVG flag images delivered through fraudulent coding assignments. The lure combined social engineering with seemingly benign graphics to move payloads inside a developer-style workflow.
The method matters because it blends file-format abuse with recruitment-themed targeting, reducing suspicion in technical hiring channels. For defenders, the takeaway is straightforward: image files and coding-test attachments in interview pipelines now warrant the same scrutiny as scripts, archives, and macro-laced documents.
🛰️ Open sources - closed narratives
@sitreports | 315 |
| 6 | 🔍 UAT-11795 pushes dual backdoors via trojanized installers
Cisco Talos says UAT-11795 has run a large-scale campaign since June 2025, using fake installers for MobaXterm, Zoom, WebEx, DBeaver, and FACEIT to deliver Starland RAT and the memory-resident WLDR implant. The chain uses ClickFix-style lures, HTA execution through mshta.exe, NSIS-packaged payloads, and Telegram bots for rapid victim tracking and data theft. More in UAT-11795.
The operation stands out for breadth and resilience: broad software impersonation supports volume-driven access, while Starland’s wallet and browser targeting points to direct monetization. WLDR adds fileless interactive control, and blockchain-based fallback C2 complicates disruption.
🛰️ Open sources - closed narratives
@sitreports | 320 |
| 7 | 🔍 LegacyHive exposes fresh Windows privilege-escalation path
Researcher Nightmare Eclipse released a proof-of-concept for LegacyHive, a zero-day affecting the Windows User Profile Service on fully patched systems. The flaw has no CVE yet. The published PoC was intentionally constrained and requires additional standard-user credentials, but testing by Will Dormann and Kevin Beaumont indicates the exploit works.
Operationally, successful abuse lets a non-admin modify the classes registry hive and achieve code execution when an administrator logs in. Microsoft says it is investigating, while defenders already have hunting queries for Microsoft Defender for Endpoint.
🛰️ Open sources - closed narratives
@sitreports | 325 |
| 8 | 🤖 NadMesh targets exposed AI services for cloud and Kubernetes credentials
A newly tracked botnet, NadMesh, is scanning internet-facing AI services to harvest cloud keys and Kubernetes tokens. The activity focuses on exposed deployments where embedded credentials can be extracted and reused for access beyond the initial host.
The tradecraft is notable because AI infrastructure is being treated as an entry point to wider cloud environments, not just a standalone target. Credential exposure in these services can turn a single misconfigured endpoint into a path for container, cluster, and cloud-level compromise.
🛰️ Open sources - closed narratives
@sitreports | 331 |
| 9 | 🔍 CISA flags active exploitation of FortiSandbox flaws
CISA added CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities catalog. Both are critical FortiSandbox OS command injection bugs with CVSS 9.1, affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet issued fixes in April and June. Defused also reported recent exploitation attempts against both CVEs.
The key operational point is exposure without credentials or user interaction: specially crafted HTTP requests can lead to arbitrary command execution. For US federal civilian agencies, KEV listing triggers mandatory remediation deadlines under Binding Operational Directive 26-04.
🛰️ Open sources - closed narratives
@sitreports | 346 |
| 10 | 🔍 GoldenEyeDog tied to DigiCert breach and code-signing theft
Reporting links a GoldenEyeDog subgroup to the DigiCert incident and the theft of code-signing certificates, extending the actor’s profile from network intrusion into abuse of trust infrastructure. The case outlined by GoldenEyeDog connects compromise activity with certificate misuse, a combination that can support malware signing and reduce immediate detection.
Operationally, certificate theft raises the impact of a breach beyond data exposure. Access to valid signing material can help malicious payloads appear legitimate, complicate triage, and force defenders to focus on revocation, trust-chain review, and retrospective hunting across signed binaries.
🛰️ Open sources - closed narratives
@sitreports | 394 |
| 11 | 📄 Section 702 enters operational grey zone
For the first time in its operational history, FISA Section 702 has lapsed. U.S. intelligence agencies and telecom providers are continuing under grandfathered certifications, but the legal and procedural framework is now in an uncertain interim state.
The immediate effect is not a full collection stop, but rising friction in planning, compliance, and provider coordination. For cyber defense and foreign intelligence workflows, temporary stopgaps increase operational drag and narrow room for routine tasking decisions.
🛰️ Open sources - closed narratives
@sitreports | 567 |
| 12 | 🔍 Two Scattered Spider members sentenced over TfL breach
Two hackers linked to Scattered Spider received 5.5-year prison sentences each for a Transport for London intrusion that caused an estimated £29 million in losses. The case ties financially significant disruption to a loosely organized cybercrime ecosystem already associated with social engineering and identity-focused compromise.
The sentencing is operationally notable because it puts a concrete judicial cost on a major UK public transport cyber incident. It also reinforces how relatively small actor sets can generate outsized financial impact against critical urban infrastructure through access abuse rather than destructive tooling.
🛰️ Open sources - closed narratives
@sitreports | 527 |
| 13 | 🔍 Coca-Cola discloses ransomware disruption at Fairlife
Coca-Cola said a ransomware attack on its Fairlife dairy subsidiary led to unauthorized access to some systems, including production-related systems, and temporarily halted Fairlife product manufacturing across the United States. In its Form 8-K, the company said product quality and safety were not affected, Canadian operations remain online, and the impact assessment is still underway.
The incident shows a direct cyber-to-physical effect: intrusion into production-linked systems was enough to suspend nationwide output. Public disclosure via an SEC filing also indicates the event crossed a corporate materiality threshold for formal reporting, even as attribution, data theft, and extortion details remain undisclosed.
🛰️ Open sources - closed narratives
@sitreports | 468 |
| 14 | 🤖 Shark robot vacuum flaw exposes mass remote control path
A critical vulnerability in internet-connected Shark vacuums allows remote code execution, camera hijack, and motor control. The issue stems from misconfigured AWS IoT Core policies and an Exec_Command field that passes attacker input to the shell. Hardware analysis showed one device key could access broad MQTT traffic; 10.5 million messages from 1.5 million serials were observed in one region, with 673,816 devices confirmed vulnerable.
Operationally, this turns a consumer appliance into a mobile surveillance and network access node. Exposed floor plans, plaintext Wi-Fi credentials, and cross-device topic access sharply increase impact beyond single-device compromise. The flaw remains unpatched after the disclosure window elapsed.
🛰️ Open sources - closed narratives
@sitreports | 443 |
| 15 | 🔍 n8n token exchange flaw enables cross-issuer account access
A newly disclosed authentication flaw in n8n could allow an attacker to log in as users tied to a different identity issuer during token exchange. The issue affects federated login handling and creates a path for unauthorized account access without compromising the target user directly.
Operationally, the flaw targets trust boundaries inside identity workflows rather than endpoint security. For organizations using multiple issuers or federated SSO, the exposure sits at the authentication layer and can undermine tenant separation and user assurance.
🛰️ Open sources - closed narratives
@sitreports | 408 |
| 16 | 🔍 ClickLock uses coercion, not exploits, to break macOS users
ClickLock is a newly tracked macOS infostealer that kills visible processes, suppresses NotificationCenter, and traps victims in repeated password prompts until they enter a valid login credential. Group-IB says it has infected at least 100 systems in 33 countries since May and steals browser data, wallet material, shell history, and macOS auth data while exfiltrating via Telegram.
The key tradecraft is operational coercion: LaunchAgents re-trigger kill loops every 200–210 ms, leaving a narrow detection window and forcing user interaction rather than privilege escalation. That makes process-kill patterns, osascript password dialogs, browser profile access, and Telegram API traffic the most useful detection signals.
🛰️ Open sources - closed narratives
@sitreports | 391 |
| 17 | 🔍 OkoBot expands credential and crypto theft tooling
OkoBot is a malware framework delivering 20+ modules via ClickFix lures and trojanized GitHub repos. Reported functions include browser injection, malicious extension deployment, seed phrase theft against Trezor and Ledger apps, keylogging, clipboard capture, screenshots, and video recording of targeted wallet and password manager windows.
The framework reflects a shift from simple loaders to modular post-compromise collection focused on wallet access and account takeover. Its use of staged delivery, SSH-based component handling, and browser-side persistence increases dwell time and expands theft beyond credentials into direct crypto asset compromise.
🛰️ Open sources - closed narratives
@sitreports | 396 |
| 18 | 🔍 TELEPUZ delivered through ClickFix expands credential and command-access risk
A new TELEPUZ malware campaign is being distributed via ClickFix-style social engineering. The payload is described as capable of stealing data and executing commands on compromised systems, combining collection and remote tasking in a single intrusion path.
Operationally, the use of ClickFix keeps initial access low-cost and user-driven, while TELEPUZ’s command-execution function turns a theft event into an active foothold. That increases the value of each successful compromise by enabling follow-on actions without requiring a separate toolset.
🛰️ Open sources - closed narratives
@sitreports | 376 |
| 19 | 🔍 Claude Chrome extension flaw enables synthetic-click AI actions
A flaw in Anthropic’s Claude for Chrome lets a malicious extension trigger predefined workflows by sending JavaScript-generated clicks the extension treats as legitimate. Claude for Chrome reportedly failed to verify Event.isTrusted, allowing abuse of built-in actions tied to Gmail, Google Docs, Calendar, and Salesforce. Manifold says the issue remains reproducible in v1.0.80.
The key issue is privilege bridging: a separate extension running on claude.ai can leverage Claude’s authenticated access to connected services. The attack is limited to nine predefined tasks rather than arbitrary prompt execution, but impact increases where approval prompts are reduced or disabled.
🛰️ Open sources - closed narratives
@sitreports | 394 |
| 20 | 🔍 SonicWall SMA1000 zero-days used as internal access bridge
SonicWall patched two actively exploited flaws in SMA1000 appliances: CVE-2026-15409, an unauthenticated SSRF in SonicWall WorkPlace /wsproxy that opens WebSocket tunnels to localhost-only services, and CVE-2026-15410, a path traversal in remove_hotfix enabling root-level code execution. Affected versions span 12.4.3-03245 to 12.4.3-03434 and 12.5.0-02283 to 12.5.0-02800.
The chain turns an internet-facing VPN appliance into an unmonitored pivot inside the network. Observed post-compromise activity included credential theft, session and TOTP seed harvesting, and AD logons from appliance IPs without VPN sessions. No workaround exists; mitigation is immediate hotfixing, forensic review, and credential resets.
🛰️ Open sources - closed narratives
@sitreports | 460 |
