One guy. Global cybercrime. Tracked so you don't have to. Ransomware, data breaches, dark web activity, darknet markets, IOCs & emerging threats. Stay informed!

Joined August 2023
Pinned Tweet
🚨 Instagram had an exploit that allowed you to use Meta AI to reset passwords to accounts with no MFA on them. The exploit was patched a short time ago.

Dark Web Informer retweeted
CVE-2026-1600: The backend accepts user-controlled pricing values without validating them against server-side product data. An attacker could modify the price field in the POST request, causing the server to process a fraudulent or reduced price. Video Credit: youtube.com/@4m3rr0r // X: @4m3rr0r
Small update to this. All of the threat feed endpoints and exports now have the attached fields. This includes API, STIX, and 3.0 Threat Feed... again 2.0 is going away this coming week. In the process of adding the remaining fields I mentioned in the original post, which will take some time.
Fields:
"forum_section":
"forum":
"forum_code":
"board":
"forum_domain":
"data_type":
For the threat feed I have added a new field called "Forum" which shows the actual forum name. This applies to the following:
- Exports on Threat Feed 2.0 and 3.0. 2.0 feed is going away this coming week.
- Frontend in the threat details (when you click an alert) for 3.0 only... 2.0 is going away this coming week.
- API endpoints related to the threat feed
- API exports (JSON, CSV, XML)
- STIX 2.1 Feed Export/Bundle for API users.
I will give it a day to ensure everything is working properly and then start adding fields related to things like reputation count, post count, join date, etc. where applicable. That is a little more work required than this new field update.
‼️🇫🇷 ShinyHunters announces Council of Europe on their Dark Web Pay or Leak portal Council of Europe is a Strasbourg-based intergovernmental organization focused on human rights, democracy, and the rule of law across Europe. The post states: "Over 297 GB of Council of Europe HR and payroll data (429,000 files) was compromised across the Secretariat, Directorate of Human Resources, Parliamentary Assembly, EDQM, permanent and temporary staff, interpreters, conference services, language booth units, and payroll administration, including 409,000 payslips for 10,000 staff from 2011 to 2026, 14,000 CVs and 3,700 in-house personnel files, 10,700 per-employee document stores, contract and purchase order records, mission travel overpayments, interpreter scheduling and 2026 salary scales, Blue List rosters, absence and illness reports, bank account and URSSAF payroll data, performance evaluations, and payroll exports, covering full names, employee IDs, home addresses, phone numbers, dates of birth, salaries, bank details, tax and social security information, medical and absence records, mission references, and other internal institutional data."
🚨🇸🇦 A threat actor known as lulzintel is advertising a dataset allegedly tied to SMSA Express (smsaexpress.com), a market-leading courier company in Saudi Arabia. The actor claims the compromised data totals 261.40 GB across 124,734,059 unique lines, each said to contain two PII entries for a sender and receiver. Exposed fields allegedly include tracking barcodes, owner, package and weight details, package status, sender and receiver names, contact phone numbers, address lines, cities, declared value and currency, and commodity descriptions. The actor claims to have left messages in the company's system and retained access, taunting that their team was removed without the access being closed. A panel screenshot and JSON sample have been posted as alleged proof, with a one-time sale or escrow arranged via a Session ID. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
With GitHub Advisories released on the platform earlier this week... I've opened a new channel on Telegram that provides CVEs in near real time. If you're interested... join: t.me/DWI_CVE_Alerts
Dark Web Informer retweeted
😮😬 🚨 TeamPCP has posted a community statement addressing rumors and announcing the end of a partnership with HasanBroker. The actor states that TeamPCP will no longer work with HasanBroker, citing poor treatment of staff and claiming HasanBroker was phished and lost access to his own domains and database, allegedly having to ask TeamPCP to retrieve it from an earlier breach attributed to Xploitrs. The actor frames the post as a "sign of life," denying speculation that the team's spokesperson had been arrested or compromised, and explains that control of the alias would have transferred to another operator had that occurred. The actor invites contact regarding the forum, partnering on operations, or access and data, providing Session and Tox accounts. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇳🇬 A threat actor known as ki4tane, working with 404 Cyber Crew and Nullsec Nigeria under the banner "opNigeria," claims to have breached the National Institute for Legislative and Democratic Studies (NILDS), associated with Nigeria's National Assembly. The actor lists six accessible databases and details one (nass_nassdb) containing 29 tables spanning legislative activity, committees, bills progression, officers, petitions, and proceedings. The post includes a politically charged message threatening the Nigerian government and references the dead. Alleged proof includes scanned confidential documents from the Presidency's Cabinet Affairs Office, including an operation manual for council documents and tables of agreements, MOUs, and treaties between Nigeria and other countries. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇫🇷 A threat actor known as misere is distributing a dataset allegedly tied to the Réseau National des Juniors Associations (juniorassociation.org), a French nonprofit network supporting youth-led community initiatives. The actor claims 63,655 users were breached, attributing the compromise to "human stupidity." A posted sample shows fields including association IDs and names, season, role, member names, gender, birth dates, addresses, emails, and phone numbers, with records referencing a CSV file of 63,657 lines. Notably, the data appears to involve minors. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇫🇷 A threat actor known as ChimeraZ is distributing a dataset allegedly tied to Figaro Immobilier, referencing the French real estate platforms explorimmo.com and immobilierpro.lefigaro.fr. The actor claims to be leaking 183K records in JSON format, totaling 426 MB. Posted samples appear to span several files, including invoice records (99.3K) with client names, addresses, amounts, IBAN/RIB banking details and billing references; company records (43K) with agency details, contact emails and phone numbers, API keys, addresses, and geolocation; and user records (39K) with usernames, names, emails, phone numbers, and agent details. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇫🇷 A threat actor known as misere is distributing a dataset allegedly tied to Affelnet, the student placement system used by the Académie de Lyon (ac-lyon.fr), a French regional education authority. The actor claims 61,277 users were breached, attributing the compromise to "human stupidity." Affelnet is described as the computerized system that assigns students to public high schools after 9th grade, processing student wishes, academic results, and administrative criteria. Posted samples appear to include student records with names, INE identifiers, birth dates, sex, class, study tracks, language options, scholarship status, home addresses, emails, phone numbers, and detailed parent/guardian contact information. The data is referenced across files including one of 176,597 lines and a user file of 61,277 records. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
Dark Web Informer retweeted
🛠️ Hetty is an open-source HTTP toolkit built for security research. Designed as an alternative to commercial tools like Burp Suite Pro, it offers powerful features tailored for infosec professionals, penetration testers, & the bug bounty community. github.com/dstotijn/hetty
Features:
• MITM HTTP proxy with logs and advanced search
• Built-in HTTP client for creating, editing, and replaying requests
• Intercept requests and responses for review, editing, forwarding, or cancellation
• Scope support to keep testing focused
• Easy-to-use web-based admin interface
• Project-based database storage for better organization
Dark Web Informer retweeted
🚨 New LAPSUS$ Group clearnet domain: lapsus[.]bz
Fable/Mythos 5 being shut down, but it barely worked anyways.
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…
Common Dread conversation.
The threat feed hit 100K alerts today and almost 1,000 alerts in a day for the first time. I'm also adding 3 more forums over the weekend, with more coming.
🚨🇫🇷 A threat actor known as misere, working with ChimeraZ, is distributing a dataset allegedly tied to SSTRN (sstrn.fr), a French occupational health service. The actor claims 435,855 users were breached, attributing the compromise to an IDOR vulnerability stemming from no privileged account requirement, no rate limiting, and sequential integer IDs. Posted samples appear to include contact records with names, phone numbers, emails, and company identifiers, as well as medical appointment records with appointment types, locations, dates, and absence reasons. The actor states the data spans 72,197 unique phone numbers, 62,545 unique email addresses, 84,431 organizations, and 355,112 individuals with medical appointment history, covering a 2020–2026 date range. Claim is unverified. 💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing