GitHub Trends
Project Radar
- Blue team tool: romainmarcoux/malicious-domains · DIGITAL Command Language · 99 stars
- Blue team tool: romainmarcoux/malicious-outgoing-ip · 27 stars
- Blue team tool: Zaczero/pihole-phishtank · Shell · 13 stars
Research Desk · Latest update June 12, 2026 · 51 research entries
Independent Research Desk
Phishing Tradecraft · Infrastructure · Detection Engineering
PhishPond researches how modern phishing operations are built, run, and detected — campaign evolution, adversary infrastructure, phishing kits, OAuth and device-code abuse, AiTM frameworks, and the detection and validation workflows that catch them.
Recurring Intel
Attack-Side Tradecraft
Campaign tradecraft, lure mechanics, adversary infrastructure, identity pressure, and operator workflows worth modeling.
12 attack-side reads
Detection Engineering
Detection engineering, telemetry analysis, reporting workflows, and validation that security teams can operationalize.
29 detection reads
APT Tradecraft
Emerging procedures, tooling, initial-access patterns, and cross-team tradecraft from real-world actor reporting.
10 tradecraft reads
GitHub Trends
New Today
Lead Research
The phishing lesson is that attackers do not always need a fresh credential when a trusted app token already has delegated access.
Persistent OAuth grants let third-party apps keep operating after the original login, password reset, or employee lifecycle event has faded from view.
Read more: The Hacker News · Microsoft Learn
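The point above is that a delegated grant, not a password, is what keeps a third-party app working, so the control that matters is a periodic review of the grants themselves. The following is an added example, not code from PhishPond or from any vendor: it audits an exported list of delegated OAuth grants and flags the cases the paragraph describes (tenant-wide consent with sensitive scopes, grants whose consenting user has since been offboarded, and refresh-token capable grants to mailbox or file data). The grant records are constructed; their field names follow the shape of Microsoft Graph's oauth2PermissionGrant resource, which is assumed here as the export format, and every app and user ID is made up.

```python
"""Audit exported OAuth delegated-permission grants for access that outlives
the user lifecycle. Added example, not the page's or any vendor's code. The
grant records are constructed; their field names (clientId, consentType,
principalId, scope) follow the shape of Microsoft Graph's oauth2PermissionGrant
resource, assumed here as the export format, and the IDs are made up."""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Delegated scopes whose continued presence matters after a password reset or
# offboarding: offline_access keeps refresh tokens working, the rest read or
# send data on the user's behalf without a new sign-in.
SENSITIVE_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.Read.All",
}


@dataclass
class Finding:
    client_id: str
    principal_id: Optional[str]   # None for tenant-wide consent
    reason: str
    scopes: List[str]


def audit_grants(grants: Iterable[dict], offboarded_users: set,
                 approved_clients: frozenset = frozenset()) -> List[Finding]:
    """Flag grants that keep delegated access alive outside normal controls.

    Three cases, checked in priority order for each grant:
      1. tenant-wide (admin) consent that includes sensitive scopes;
      2. a per-user grant whose consenting user has been offboarded;
      3. a per-user grant pairing offline_access with a data scope, i.e. a
         refresh token that can keep reading mail or files indefinitely.
    Clients on the approved list are skipped entirely.
    """
    findings: List[Finding] = []
    for g in grants:
        if g["clientId"] in approved_clients:
            continue
        scopes = g.get("scope", "").split()
        sensitive = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
        data_scopes = [s for s in sensitive if s != "offline_access"]
        principal = g.get("principalId")
        if g.get("consentType") == "AllPrincipals":
            if sensitive:
                findings.append(Finding(g["clientId"], None,
                                        "tenant-wide consent with sensitive scopes", sensitive))
        elif principal in offboarded_users:
            findings.append(Finding(g["clientId"], principal,
                                    "grant outlives offboarded user", scopes))
        elif "offline_access" in scopes and data_scopes:
            findings.append(Finding(g["clientId"], principal,
                                    "refresh-token capable access to user data", sensitive))
    return findings


# Constructed sample export: five grants, one offboarded user, one approved app.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "app-mailsync", "consentType": "Principal",
     "principalId": "user-alice", "scope": "offline_access Mail.Read User.Read"},
    {"id": "g2", "clientId": "app-calendar", "consentType": "Principal",
     "principalId": "user-bob", "scope": "Calendars.Read User.Read"},
    {"id": "g3", "clientId": "app-backup", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All offline_access"},
    {"id": "g4", "clientId": "app-corp-sso", "consentType": "AllPrincipals",
     "principalId": None, "scope": "offline_access User.Read email"},
    {"id": "g5", "clientId": "app-notes", "consentType": "Principal",
     "principalId": "user-carol", "scope": "offline_access Files.Read.All User.Read"},
]
OFFBOARDED_USERS = {"user-alice"}
APPROVED_CLIENTS = frozenset({"app-corp-sso"})

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, OFFBOARDED_USERS, APPROVED_CLIENTS):
        who = f.principal_id or "<all users>"
        print(f"{f.client_id:14} {who:12} {f.reason}: {' '.join(f.scopes)}")
```

Run against the sample, the audit reports app-mailsync (its consenting user is gone but the grant is not), app-backup (tenant-wide file access that never expires), and app-notes (a refresh token paired with file read), while the approved SSO app is left alone. Revoking a flagged grant, rather than resetting the user's password, is what actually ends the app's access.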
Live Collection
Finance workflows remain exposed when trust signals come from compromised inboxes.
Read more: The Hacker News
Read more: BleepingComputer
Trusted suppliers and developer channels can carry phishing risk past normal filters.
Read more: The Hacker News
Identity and session abuse can turn a single successful lure into account takeover.
Read more: CISA Advisories
Aggregation of lists of malicious domains (phishing) that can be integrated into FortiGate firewalls and other products. Primary language: DIGITAL Command Language. 99 stars.
Open project: GitHub
#blocklist #blocklists #domains-blacklist #domains-list
Aggregation of lists of malicious IP addresses (C2, malware, phishing), to be blocked in the LAN > WAN direction and integrated into firewalls: FortiGate, Palo Alto, pfSense, iptables. 27 stars.
Open project: GitHub
#blocklist #blocklists #c2 #firewall
🐟 PhishTank Blocklist for Pi-hole. Primary language: Shell. 13 stars.
Open project: GitHub
#blocklist #hosts #phishing #pihole
TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community on Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes. 660 stars.
Open project: GitHub
#blueteam #malware #malware-detection #malware-research
Real-time phishing and scam domain blocklist: 130k+ curated threats, 888K+ community, free API, multiple formats. Primary language: HTML. 920 stars.
Open project: GitHub
#anti-phishing #blacklist #blocklist #crypto-scam
Coverage Map
Specific campaigns, actor activity, and the lures behind them.
How techniques work end-to-end — walkthroughs and operator workflows.
Adversary infrastructure: kits, AiTM, redirectors, and sending abuse.
Detection engineering, telemetry, validation, and response.
Longer research notes, measurement, and periodic briefs.
Field Analysis
Socket attributes a coordinated supply-chain campaign called TrapDoor to roughly thirty-four packages across npm, PyPI, and Crates.io, with ecosystem-specific execution paths and a new twist: planted .cursorrules and CLAUDE.md files designed to influence the developer's AI coding assistant.
Read more: Socket · The Hacker News
Field Analysis
A reported exploitation wave against Ghost CMS pushed malicious JavaScript onto more than 700 sites, sending visitors into fake verification flows that used ClickFix-style paste-and-run instructions.
Read more: The Hacker News · Malwarebytes Labs
Field Analysis
GitHub's staged publishing and new npm install-source controls give maintainers practical ways to slow compromised CI/CD paths before a malicious package becomes installable.
Read more: GitHub Changelog · CISA
Field Analysis
Recent actor reporting points to a practical trend line: adversaries are combining selective delivery, user-driven execution, and trusted developer channels.
Read more: The Hacker News · Dark Reading
Field Analysis
The Salesloft Drift incident showed how a trusted integration token can become an access path into customer SaaS data without a fresh user login.
Read more: The Hacker News · The Hacker News
Field Analysis
Abuse of legitimate email services such as Amazon SES shows why authentication pass results are not the same thing as sender trust.
Read more: BleepingComputer · Microsoft Security Blog
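The entry above turns on a distinction that triage often collapses: SPF and DKIM can both pass for the relay's own domain while nothing authenticates the domain the recipient actually sees in From:, and even a fully aligned pass only proves the domain owner sent it, not that the domain is one you trust. The following is an added example, not code from PhishPond, Microsoft or AWS: it parses an Authentication-Results header value and answers those three questions separately. The header values, From: addresses and domains are constructed (modelled on mail relayed through a bulk service such as amazonses.com), the parser handles only the common "method=result prop=value" layout of RFC 8601 headers, and the organizational-domain helper is a deliberate simplification noted in the code.

```python
"""Separate "authentication passed" from "sender is trusted" when triaging a
message relayed through a shared bulk sender. Added example, not the page's or
any vendor's code. The Authentication-Results values, From: addresses and
domains below are constructed; the parser handles the common
"method=result prop=value" layout of RFC 8601 headers and nothing more."""

import re
from email.utils import parseaddr
from typing import Dict


def parse_auth_results(header_value: str) -> Dict[str, Dict[str, str]]:
    """Parse the value of an Authentication-Results header (field name removed)
    into {method: {"result": ..., "<property>": ...}}. Comments in parentheses
    are discarded and the leading authserv-id stanza is skipped."""
    cleaned = re.sub(r"\([^)]*\)", "", header_value)
    results: Dict[str, Dict[str, str]] = {}
    for stanza in cleaned.split(";")[1:]:
        parts = stanza.split()
        if not parts or "=" not in parts[0]:
            continue
        method, _, result = parts[0].partition("=")
        props = {k: v for k, _, v in (p.partition("=") for p in parts[1:]) if k and v}
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(domain: str) -> str:
    # Simplification for this example: last two labels. DMARC relaxed alignment
    # uses the public suffix list, so multi-label suffixes like co.uk need it.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def assess_sender(header_value: str, from_header: str, trusted_domains: set) -> dict:
    """Answer three separate questions for one message: did SPF/DKIM pass, does
    an authenticated domain align with the visible From: domain (the DMARC
    question), and is that From: domain one you trust. A pass on a shared
    service's own domain answers only the first question."""
    ar = parse_auth_results(header_value)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    dkim_domain = dkim.get("header.d", "").lower()
    spf_aligned = (spf.get("result") == "pass" and bool(spf_domain)
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim.get("result") == "pass" and bool(dkim_domain)
                    and org_domain(dkim_domain) == org_domain(from_domain))
    aligned = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf_pass": spf.get("result") == "pass",
        "dkim_pass": dkim.get("result") == "pass",
        "authenticated_domains": sorted({d for d in (spf_domain, dkim_domain) if d}),
        "dmarc_aligned": aligned,
        "trusted_sender": aligned and from_domain in trusted_domains,
    }


# Constructed: relayed through a bulk service. SPF and DKIM pass for the
# service's own domain; nothing authenticates the From: domain.
SES_STYLE = ("mx.example.net; spf=pass (sender IP is 54.240.8.10) "
             "smtp.mailfrom=0100018f3a@amazonses.com; "
             "dkim=pass header.d=amazonses.com header.i=@amazonses.com; "
             "dmarc=none header.from=invoices-portal.example")
SES_FROM = '"Accounts Payable" <ap@invoices-portal.example>'

# Constructed: aligned DKIM from a domain that is on the trusted list.
PARTNER = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.partner.example; "
           "dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example")
PARTNER_FROM = '"Partner Billing" <billing@partner.example>'

# Constructed: fully aligned, but the domain is unknown to us. Authentication
# cannot tell a new supplier from a lookalike or a compromised tenant.
UNKNOWN = ("mx.example.net; spf=pass smtp.mailfrom=ap@invoices-portal.example; "
           "dkim=pass header.d=invoices-portal.example; "
           "dmarc=pass header.from=invoices-portal.example")

TRUSTED_DOMAINS = {"partner.example"}

if __name__ == "__main__":
    for label, hdr, frm in (("relay", SES_STYLE, SES_FROM),
                            ("partner", PARTNER, PARTNER_FROM),
                            ("unknown", UNKNOWN, SES_FROM)):
        print(label, assess_sender(hdr, frm, TRUSTED_DOMAINS))
```

The first sample is the case the entry describes: two green checkmarks, both earned by the relay's domain, and no alignment with the invoice domain in From:. The third sample is the harder lesson: alignment passes, so a DMARC-only filter is satisfied, yet the result says nothing about whether the domain belongs to a real supplier. Known-sender lists, reputation and content checks have to do that work.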
Field Analysis
Recent package compromises show how developer trust can be abused to harvest credentials and seed downstream phishing risk.
Read more: BleepingComputer · CISA