🚨 CYBER INTELLIGENCE ALERT: 🇺🇸 [UNCONFIRMED / CRITICAL] EXPOSURE OF INTERNAL INFRASTRUCTURE AND SOURCE CODE — DYNATRACE
[STATUS: UNCONFIRMED / SAMPLES VISIBLE BUT UNCONFIRMED, INFRASTRUCTURE]

A post has been detected on underground forums by the self-identified threat actor "xpl0itrs" (identified in the screenshots), who claims to have exfiltrated the entire internal repository structure of Dynatrace, a leading global SaaS monitoring and observability platform. Access was allegedly obtained by compromising a developer's Personal Access Token (PAT).

Threat Actor: xpl0itrs
Declared Compromise Vector: Exfiltration via Developer PAT (Personal Access Token).
Scope of the alleged compromise: 246 Git repositories, with an approximate uncompressed size of 14 GB.

📂 Analysis of the Material and Evidence
According to the published manifesto and the visual evidence provided in the images, the leak would expose the company's critical underlying architecture:
Infrastructure and CI/CD Topology: ArgoCD configurations (including administrator tokens), Terraform modules, Vault endpoints with secret paths, AWS and GCP KMS infrastructure, and Kubernetes cluster management tools.
Secret Management and Integrity: Exposure of the Sigstore signing infrastructure, JWT authentication paths, and signing certificates for Windows/Linux binaries.
PII Evidence (Images 15 and 16): The screenshots show the leak of configuration files in YAML format that expose the organizational structure. Internal team names and the personal information of 1,066 employees, including full names, GitHub usernames, and corporate emails, have been exposed under the @dynatrace(.)com domain.
This has not been confirmed, but the attacker has provided samples. The alert is being monitored and analyzed.

⚠️ Security and Systemic Risk Considerations
Dynatrace's profile, whose main clients are Fortune 500 companies (including banks and institutions in the global financial network), increases the criticality of this incident.
Supply Chain Attack Risk: The exposure of deployment pipelines (CI/CD) and development signing material (Sigstore/TUF) could allow malicious actors to understand how Dynatrace deploys updates, opening the door to malicious code injection into high-level corporate and financial client environments.

🛡️ Recommended Actions (Urgent)
Mass Credential Rotation: Proactively initiate the revocation of all GitHub Personal Access Tokens (PATs), ArgoCD tokens, Vault-mounted secrets, and AWS/GCP service account credentials mentioned in the manifest.
Integrity Audit: Verify the signatures of containers and recent software artifacts generated in the CI/CD pipelines to rule out any unauthorized modifications or source code poisoning.

VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io
#CyberSecurity 🔐 #Dynatrace 🇺🇸 #SourceCodeLeak #SupplyChain #DevSecOps ⚙️ #PII #ThreatIntelligence 📊 #VECERT 🏢 #UnderInvestigation ⚠️
🚨 CYBER INTELLIGENCE ALERT: ALLEGED SUPPLY CHAIN AND SOURCE CODE COMPROMISE — SISPLAN SISTEMAS 🇧🇷
[STATUS: UNCONFIRMED]

Through continuous monitoring of breached platforms, the threat actor identified as sta6 has been detected advertising the sale of a complete data dump and source code belonging to Sisplan Sistemas. This Brazilian company, headquartered in Indaial/SC, is a software development house that provides enterprise resource planning (ERP) platforms to the textile and apparel sector in Brazil.

🎯 Affected Entity: Sisplan Sistemas (ERP provider for the textile industry, with integrations to Nuvemshop and Sisplan Mobile).
👤 Threat Actor: sta6
📂 Volume and Time Range: Files dating from 2022 to mid-April 2026.

📊 TECHNICAL BREAKDOWN OF EXFILTRATED ASSETS
The package marketed by the attacker goes beyond a traditional data breach, as it exposes the logical core and operational information of the ERP platform and its enterprise clients:
💻 Complete Source Code and Configuration (API & Backend): Exfiltration of the entire API source code and web pages (.html, .css, .php). The actor encourages buyers to use this code to "find vulnerabilities, create backdoors on the platform, or clone the infrastructure for phishing." Critical configuration files, including web store updaters and parameters for local and cloud APIs.
🧾 Tax, Financial, and Banking Data (NF-e): Disclosure of Electronic Tax Notes (NF-e), which include commercial invoices, full names, and tax identification numbers of individuals and companies (CPF and CNPJ). Financial Risk: The actor highlights that the documents may contain banking information linked to Sicredi (Cooperative Credit System).
🔑 Operator Credentials and Internal Telemetry: Worker account tables containing usernames, passwords, and real names. Internal system logs detailing a complete operational audit: which worker performed which action, from which PC, and at what time.

🛡️ MITIGATIONS AND EMERGENCY TECHNICAL RECOMMENDATIONS
🛑 Preventive Isolation for Sisplan Clients: All companies in the manufacturing and retail sectors in Brazil utilizing Sisplan modules (Production, POS, Human Resources) are urged to temporarily isolate their ERP servers from direct internet access and to audit their e-commerce integrations (Nuvemshop).
🔒 Credential and API Token Rotation: Immediately invalidate and regenerate all system user passwords, as well as authentication tokens for local and web APIs that communicate with the Sisplan ecosystem, as current configuration files have been compromised.

⚡ MONITORING AND ASSESSMENT
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security at: monitor.vecert.io/
#CyberSecurity #SupplyChainAttack #Brazil #ERPLeak #SisplanSistemas #SourceCodeLeak #NFe #CNPJ #ThreatIntelligence #CyberAlert #VECERT #Infosec #DataBreach
🇮🇹 A threat actor is claiming to be selling the complete source code of SayDigital, an Italian Odoo ERP partner and cloud platform provider, allegedly including more than 300 repositories tied to enterprise ERP, automation, and cloud deployment systems.

According to the underground post, the alleged leak includes:
• 308 repositories
• 2.1 GB of source code
• enterprise Odoo addons
• cloud deployment infrastructure
• accounting modules
• automation playbooks
• migration tooling
• OpenStack-based cloud components
• Ansible automation scripts

The actor specifically references:
• Odoo ERP enterprise modules
• multi-tenant cloud deployment systems
• infrastructure automation tooling
• accounting and MRP integrations
• cloud orchestration frameworks

If authentic, this would represent a potentially significant enterprise software supply-chain exposure.

ERP ecosystems are among the most sensitive enterprise environments because they frequently integrate directly with:
• accounting systems
• payroll operations
• procurement workflows
• inventory management
• CRM platforms
• manufacturing systems
• financial reporting
• cloud infrastructure

Source code exposure involving ERP providers can create risks extending far beyond the vendor itself. Potential implications include:
• discovery of hardcoded credentials
• cloud deployment weaknesses
• authentication bypass research
• insecure automation logic
• API secret exposure
• tenant isolation issues
• infrastructure mapping
• privilege escalation paths
• supply-chain exploitation opportunities

Another particularly important detail: the post references OpenStack and Ansible automation environments.

Infrastructure automation repositories frequently contain:
• deployment secrets
• SSH keys
• API tokens
• infrastructure-as-code templates
• cloud orchestration logic
• staging credentials
• internal network references

Historically, automation and DevOps repositories have become high-value targets because they often provide visibility into:
• production infrastructure
• cloud topology
• backup systems
• deployment pipelines
• internal orchestration workflows

The mention of “multi-tenant cloud deployment” is especially significant because weaknesses in shared enterprise environments may potentially impact:
• multiple customers
• isolated tenant environments
• managed infrastructure
• hosted ERP deployments

Threat actors increasingly target ERP and enterprise consulting ecosystems because compromise of one provider may create access paths into:
• downstream customers
• managed cloud environments
• financial systems
• enterprise integrations
• third-party vendors

Organizations using Odoo or managed ERP environments should immediately review:
• repository access logs
• infrastructure secrets
• cloud orchestration credentials
• Ansible vault security
• CI/CD pipelines
• API integrations
• SSH key management
• multi-tenant segmentation controls
• administrator access patterns

Security teams should also prioritize:
• secret rotation
• infrastructure integrity reviews
• dependency validation
• cloud audit logging
• automation pipeline hardening

Another important operational trend: threat actors are increasingly monetizing enterprise DevOps and automation repositories because infrastructure-as-code exposure can dramatically reduce the effort required for:
• lateral movement
• environment replication
• persistence establishment
• cloud exploitation
• supply-chain targeting

At this stage, the claims remain unverified. However, alleged exposure involving ERP infrastructure, automation tooling, and cloud deployment systems should be treated seriously due to the potential downstream impact across enterprise environments.

🇮🇹 #DDW #Intelligence #Italy #CyberSecurity #DarkWeb #SourceCodeLeak #ERP #Odoo #CloudSecurity #DevOps #Ansible #ThreatIntelligence #SupplyChain #InfoSec
🇮🇹 A threat actor is claiming to be selling the complete source code of Bit2Win, an enterprise CPQ/CRM platform integrated into the Salesforce ecosystem, allegedly including nearly 800 repositories and references to multiple high-profile enterprise customers.

According to the underground post, the alleged leak includes:
• 797 repositories
• 6.4 GB of source code
• full GitHub organization dumps
• all branches and repositories
• categorized internal projects
• enterprise configuration references

The actor specifically claims the exposure involves:
• Salesforce ecosystem integrations
• enterprise CPQ infrastructure
• CRM-related business logic
• multi-tenant enterprise deployments

The post also references major enterprise customers allegedly identified within source configurations, including organizations in:
• sports
• aerospace
• telecom
• energy
• payments
• retail
• cryptocurrency

If authentic, this would represent a potentially significant supply-chain exposure.

CPQ (Configure, Price, Quote) platforms occupy highly sensitive positions inside enterprise ecosystems because they often integrate directly with:
• CRM systems
• customer databases
• pricing engines
• contract workflows
• financial systems
• ERP environments
• sales operations
• customer onboarding systems

Source code exposure involving enterprise SaaS platforms can create risks extending far beyond the vendor itself. Potential downstream implications include:
• discovery of hardcoded secrets
• API token exposure
• authentication bypass research
• Salesforce integration weaknesses
• tenant separation issues
• business logic abuse
• supply-chain exploitation opportunities
• customer environment targeting

Another critical concern: the actor claims access to “all branches” and “full GitHub organization dumps.” That language may suggest exposure of:
• development branches
• abandoned projects
• internal tooling
• staging environments
• CI/CD workflows
• infrastructure-as-code repositories
• deployment scripts
• internal documentation

Historically, non-production repositories frequently contain:
• forgotten credentials
• deprecated secrets
• test certificates
• debug endpoints
• internal URLs
• temporary admin tooling

Another operationally important detail: the leak allegedly includes “source configs” tied to enterprise customers. Even configuration-only exposure can potentially reveal:
• infrastructure naming conventions
• API endpoints
• internal integrations
• tenant structures
• partner ecosystems
• deployment architectures

Threat actors increasingly target enterprise SaaS vendors because compromising one vendor can create visibility into:
• multiple customers
• interconnected infrastructure
• supply-chain trust relationships
• authentication ecosystems

Organizations relying on enterprise CPQ or Salesforce-integrated platforms should immediately review:
• OAuth integrations
• API secrets
• Salesforce connected apps
• CI/CD access
• GitHub organization permissions
• branch protection policies
• infrastructure secrets
• repository exposure monitoring
• developer access logs

They should also conduct:
• secret rotation
• token invalidation
• repository integrity reviews
• dependency auditing
• third-party risk assessments

The mention of customers across telecom, payments, crypto, and energy sectors is especially important because those industries represent high-value targets for both financially motivated and state-aligned threat actors.

At this stage, the claims remain unverified. However, alleged exposure involving a large enterprise SaaS codebase integrated into the Salesforce ecosystem should be treated seriously due to the potential supply-chain implications across multiple sectors.

🇮🇹 #DDW #Intelligence #Italy #CyberSecurity #DarkWeb #SourceCodeLeak #SupplyChain #Salesforce #CPQ #CRM #ThreatIntelligence #CyberThreats #DataBreach #InfoSec
🇬🇪 A threat actor is claiming to have leaked the full source code of Georgian gambling technology provider SmartSoft Gaming, along with alleged payment infrastructure components tied to FastPay.ge.

According to the underground post, the exposed material allegedly includes:
• full SmartSoft Gaming source code
• payment provider source code
• database initialization scripts
• internal dependencies and build components
• backend platform logic

The actor specifically claims the codebase required dependency fixes to compile, suggesting the leak may contain:
• partial development environments
• proprietary frameworks
• internal package references
• deployment artifacts

SmartSoft Gaming operates in the online casino and iGaming ecosystem — a sector that is highly attractive to threat actors due to:
• financial transaction flows
• payment integrations
• digital wallets
• customer PII
• anti-fraud systems
• gaming algorithms
• affiliate ecosystems
• licensing infrastructure

If authentic, source code exposure creates risks far beyond intellectual property theft. Potential downstream risks include:
• discovery of hardcoded credentials
• exposed API keys
• payment gateway weaknesses
• authentication flaws
• insecure cryptographic implementations
• hidden admin functionality
• infrastructure mapping
• exploit development
• supply-chain attacks against partners and operators

The mention of FastPay.ge is especially significant because payment providers sit in a highly sensitive trust boundary between:
• merchants
• gaming operators
• financial institutions
• end users

Exposure involving payment-related systems can potentially increase risks related to:
• transaction manipulation
• fraud operations
• account takeover
• payment bypass logic
• KYC abuse
• wallet exploitation
• laundering mechanisms
• financial API abuse

Another important aspect: source code leaks frequently become long-term operational threats. Even after infrastructure is patched, leaked code can continue enabling:
• vulnerability research by threat actors
• zero-day discovery
• reverse engineering of business logic
• persistent targeting of customers and partners

The gambling and iGaming sector has increasingly become a cybercrime target because these platforms combine:
• real-money ecosystems
• international payment flows
• high transaction volume
• complex third-party integrations
• cryptocurrency exposure
• global customer bases

Threat actors view them as high-value environments for both monetization and extortion.

Organizations connected to gaming and payment ecosystems should immediately review:
• credential exposure
• CI/CD environments
• repository access logs
• API secrets
• payment integrations
• source code repositories
• developer accounts
• privileged access tokens
• cloud storage permissions
• third-party dependency security

Any exposed codebase should also trigger:
• secret rotation
• certificate replacement
• infrastructure review
• software integrity validation
• dependency auditing

At this stage, the claims remain unverified. However, alleged source code exposure involving both gaming infrastructure and payment systems represents a potentially serious supply-chain and financial security concern.

🇬🇪 #DDW #Intelligence #Georgia #CyberSecurity #DarkWeb #DataBreach #SourceCodeLeak #iGaming #Casino #Fintech #ThreatIntelligence #CyberThreats #PaymentSecurity
🎰 A threat actor is advertising the alleged sale of the full source code for “Peter & Sons,” a well-known iGaming and casino game development studio, for between $25,000 and $30,000 on an underground forum.

According to the post, the seller claims the package includes:
• full source code
• more than 60 casino games
• frontend/game engine stack
• associated gaming infrastructure components

The actor references technologies including:
• HTML5
• JavaScript
• Next.js
• Phaser Engine

The post also references partnerships and integrations with major iGaming ecosystem providers including:
• Relax Gaming
• Yggdrasil
• Playtech
• IGT
• EveryMatrix
• Hub88
• Groove
• Light & Wonder
• BetConstruct

If authentic, this would represent a potentially serious supply chain risk within the online gambling and gaming ecosystem.

Source code exposure in the iGaming industry is particularly sensitive because these environments often contain:
• proprietary game logic
• RNG implementations
• payment workflows
• API integrations
• wallet systems
• authentication mechanisms
• anti-fraud controls
• affiliate systems
• licensing compliance components

One of the biggest concerns in incidents like this is not only intellectual property theft, but also:
• hidden vulnerabilities inside the codebase
• hardcoded credentials
• exposed API keys
• insecure admin functionality
• undocumented internal tooling
• reusable attack chains across partner environments

The mention of multiple major ecosystem partners is important because modern iGaming operates as a highly interconnected supply chain. A compromise involving one vendor can potentially create downstream exposure risks involving:
• casino operators
• white-label platforms
• payment systems
• affiliate ecosystems
• player wallets
• promotional systems
• third-party integrations

Another critical issue: source code leaks frequently accelerate vulnerability weaponization. Threat actors can:
• reverse engineer backend logic
• identify insecure API endpoints
• discover authentication weaknesses
• analyze business logic flaws
• build targeted exploits
• automate fraud operations

The inclusion of “Next.js” is also notable given the increasing attention attackers are placing on:
• JavaScript ecosystems
• CI/CD pipelines
• npm dependency chains
• frontend supply chain attacks
• exposed environment variables
• cloud deployment secrets

The underground pricing is relatively significant compared to many standard database leaks, which may indicate the actor believes the material has:
• operational value
• resale potential
• exploit development opportunities
• competitive intelligence value
• extortion leverage

Another important risk: casino and iGaming ecosystems process enormous volumes of:
• financial transactions
• KYC workflows
• payment card interactions
• anti-money laundering processes
• regulatory reporting data

A source code compromise in these environments could potentially have implications beyond IP theft, especially if internal integrations or secrets are exposed.

Organizations in the gaming and gambling ecosystem should prioritize:
• immediate credential rotation
• source code integrity validation
• CI/CD environment reviews
• API key audits
• dependency chain analysis
• infrastructure secret scanning
• dark web monitoring
• partner ecosystem communication
• software bill of materials (SBOM) validation
• accelerated vulnerability hunting

At this stage, the claims remain unverified until independently confirmed. However, source code exposure involving large interconnected iGaming ecosystems can create elevated downstream risks affecting both operators and technology partners.

🎰 #DDW #Intelligence #CyberSecurity #DarkWeb #ThreatIntelligence #SourceCodeLeak #iGaming #CasinoSecurity #SupplyChainSecurity #OSINT #DataBreach #NextJS
🇫🇷 A threat actor has published claims of a breach involving the French training platform “Move Up Formation,” alleging exposure of both database contents and source code.

What makes this incident particularly concerning is not just the database leak itself, but the combination of:
• customer/client data
• internal application source code
• potential admin access references
• possible Stripe-related administrative exposure
• website defacement claims

This is a pattern we are increasingly seeing across underground forums: attackers no longer monetize only stolen data — they weaponize the entire operational stack.

According to the post, the alleged leak includes:
• customer information
• emails
• phone numbers
• training requests/messages
• SQL database dumps
• application source code archives

If validated, source code exposure significantly raises the severity because it can enable:
• deeper infrastructure mapping
• credential discovery
• hardcoded secret extraction
• API abuse
• authentication bypass research
• downstream attacks against connected services

One detail defenders should pay attention to: the actor publicly referenced administrative login details and OTP bypass implications. Even if partially fabricated or exaggerated, this type of disclosure creates immediate risk because opportunistic actors rapidly test:
• credential reuse
• exposed admin panels
• password resets
• MFA bypass weaknesses
• Stripe/admin integrations
• forgotten staging environments

Another important operational lesson: many organizations still underestimate the impact of source code compromise. In reality, source code leaks often provide attackers with:
• architectural intelligence
• hidden endpoints
• third-party integrations
• environment variables
• cloud storage references
• business logic vulnerabilities
• internal documentation
• deployment configurations

And once source code enters underground ecosystems, it frequently becomes a long-term resource for: future exploitation, supply chain abuse, or credential harvesting.

The mention of website defacement also suggests this may not have been purely financially motivated. Modern cybercriminal ecosystems increasingly blend:
• extortion
• reputation attacks
• ideological signaling
• public humiliation tactics
• underground credibility building

Organizations handling customer onboarding, education, SaaS, or payment workflows should treat this as a reminder to prioritize:
• secrets management
• MFA hardening
• secure CI/CD pipelines
• regular credential rotation
• code repository monitoring
• exposed admin portal discovery
• external attack surface management
• Stripe/payment integration security reviews

Most importantly: source code repositories should never contain:
• production credentials
• API secrets
• plaintext admin references
• deployment keys
• backup configurations
because those become immediate force multipliers after compromise.

As always, claims posted on underground forums should be considered unverified until independently validated. However, the combination of:
• database
• source code
• admin references
typically represents a substantially higher operational risk than standard credential or customer-data leaks alone.

🇫🇷 #DDW #Intelligence #CyberSecurity #DataLeak #SourceCodeLeak #DarkWeb #ThreatIntelligence #France #CyberCrime #Infosec
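The Move Up Formation post above ends with the control that repositories should never contain production credentials, API secrets or deployment keys, and the Peter & Sons post lists "infrastructure secret scanning" as a priority. The script below is an added example of what that scanning looks like in practice; it is not code from any of the posts or from the companies they mention. It walks a directory tree, applies a small set of regular-expression detectors (public token prefixes such as GitHub's `ghp_` and AWS's `AKIA`, private-key headers, and generic `password`/`secret` assignments) and flags file names such as `.env` or `id_rsa` that should not be committed at all. Findings carry only a redacted preview so the scanner itself does not copy secrets into CI logs. The sample repository it writes to a temporary directory is constructed for this example, and every credential in it is fake (the AWS key id is the documented `AKIAIOSFODNN7EXAMPLE` placeholder).

```python
"""Pre-commit style secret scanner (added example, not from the original posts)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Detectors: (name, compiled regex). Token prefixes are the public formats;
# the generic assignment rule catches hard-coded passwords in config files.
DETECTORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_password", re.compile(
        r"(?i)(?<![A-Za-z0-9])(?:password|passwd|db_pass|secret)['\"]?\s*(?:=>|[:=])\s*['\"]?([^'\"\s]{8,})")),
]
# File names that should never be committed, whatever they contain.
FORBIDDEN_FILENAMES = re.compile(r"^(\.env|id_rsa|id_ed25519|.*\.pem)$")
SKIP_DIRS = {".git"}


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the scanned root, '/' separated
    line_no: int    # 0 for file-name findings
    detector: str
    preview: str    # redacted: first 4 characters kept, the rest masked


def redact(text: str) -> str:
    """Keep a short prefix so a finding is triageable without re-leaking it."""
    return text[:4] + "*" * max(0, len(text) - 4)


def scan_file(path: str, rel: str) -> List[Finding]:
    findings = []
    name = os.path.basename(path)
    if FORBIDDEN_FILENAMES.match(name):
        findings.append(Finding(rel, 0, "forbidden_filename", name))
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for det_name, pattern in DETECTORS:
                for m in pattern.finditer(line):
                    findings.append(Finding(rel, line_no, det_name, redact(m.group(0))))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk root (skipping SKIP_DIRS) and return findings sorted by location."""
    results: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.extend(scan_file(full, rel))
    return sorted(results, key=lambda f: (f.path, f.line_no, f.detector))


# Constructed sample repository. All values are fake and used only to
# exercise the detectors; nothing here belongs to a real organisation.
SAMPLE_FILES = {
    "README.md": "Rotate your GitHub PAT regularly.\n",
    ".env": (
        "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "ADMIN_PASSWORD=CorrectHorseBatteryStaple\n"
    ),
    "config.php": (
        "<?php\n"
        "// constructed sample configuration, not a real application\n"
        "$config = [\n"
        "    'db_host' => 'db.internal.example',\n"
        "    'db_user' => 'root',\n"
        "    'db_pass' => 'Pr0d-Db-S3cret!',\n"
        "];\n"
    ),
    "deploy/keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder, not a real key)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


def scan_sample_repo() -> List[Finding]:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in scan_sample_repo():
        print(f"{f.path}:{f.line_no}: {f.detector}: {f.preview}")
```

Run as a pre-commit hook against the working tree rather than the sample, this would block the commit when `scan_tree` returns anything; the patterns are deliberately narrow (length thresholds, known prefixes) so that false positives stay low enough for developers to keep the hook enabled.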
🚨 CYBER INTELLIGENCE ALERT: SOURCE CODE SALE ANNOUNCEMENT — GITHUB INC. 🌐
⚠️ ACTOR "TEAMPCP" CLAIMS TO POSSESS ~4,000 PRIVATE AND INTERNAL REPOSITORIES

The threat actor identified under the alias TeamPCP (on remnant clandestine platforms) has posted a commercial advertisement for the sale of alleged core source code and internal organizational structure of GitHub (github.com). The attacker claims that the offering is not a ransom, but an exclusive direct sale.

🎯 Affected Entity: GitHub Inc.
👤 Threat Actor: TeamPCP
📂 Volume Claimed: Approximately ~4,000 packaged private code repositories.
⚠️ Verification Status: NOT CONFIRMED BY THE COMPANY / NO SAMPLES COMPILED. While the actor included a link on Limewire with the alleged directory listing and a screenshot showing logical names of official corporate compressed files (e.g., github-copilot.tar.gz, github-enterprise-server, red-team.tar.gz), the full authenticity of the file contents and the code's validity have not been independently assessed or confirmed.

📊 ANALYSIS OF THE MANIFESTO AND VISIBLE COMPONENTS (REPOSITORIES)
Despite maintaining the "Unconfirmed" status, the technical listing of the compressed packages exhibits an internal naming convention that closely matches GitHub's actual architecture:
🤖 Artificial Intelligence and Core Tools: raycast-github-copilot.tar.gz and chiedo-copilot-cli-skills.tar.gz: Integration modules and capabilities of the AI development assistant. github-enterprise-server-release-notifier.tar.gz: Code associated with the on-premises versions of the service.
🛡️ Security and Networking Infrastructure: github-security-risk-reporting.tar.gz, red-team.tar.gz, and github-ui-xss-hardening-research.tar.gz: Repositories for vulnerability management, risk reporting, and mitigation patches against Cross-Site Scripting (XSS) attacks in the graphical user interface.
📈 Telemetry and Global Operations: Compressions that segment regional operations, such as github-india.tar.gz, and logical channels for internal communication, such as repo-custom-claims-chatops.tar.gz.

🛡️ MITIGATION AND PREVENTIVE TECHNICAL RECOMMENDATIONS
🛑 Blocking and Monitoring Contact Channels: Register the Session and Tox IDs shared in the announcement within intelligence systems to track interactions or attempts at secondary file distribution.
🔒 Token and Key Leakage Audits: Organizations integrating their development workflows with GitHub are urged to perform rotations of their API keys, Personal Access Tokens (PATs), and OAuth credentials to mitigate risks in case of cross-platform access.

⚡ MONITORING AND EVALUATION
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security with: monitor.vecert.io/
#CyberSecurity #GitHub #SourceCodeLeak #TeamPCP #BreachForums #PrivateRepos #Copilot #Infosec #ThreatIntelligence #CyberAlert #VECERT #IntelThreat
🇪🇨 A threat actor is advertising the alleged exposure of source code tied to a CRM platform used by Seguros La Union, claiming the application was developed in PHP and deployed internally within the organization.

Unlike ordinary database leaks, source code exposure presents a substantially higher long-term security risk because it can provide attackers with:
• Internal application logic
• Authentication workflows
• API structures
• Database connection details
• Hardcoded credentials or secrets
• Session handling mechanisms
• Business process mappings
• Third-party integration details

Insurance-sector platforms are particularly attractive targets due to the volume of:
• Personally identifiable information (PII)
• Financial records
• Claims data
• Policyholder information
• Internal operational workflows

If authentic, the exposure could enable:
• Rapid vulnerability discovery
• Exploit chain development
• Credential harvesting
• Authentication bypass attempts
• Supply chain abuse
• Further intrusion operations against production environments

Source code leaks frequently accelerate:
• Reverse engineering efforts
• Zero-day discovery
• Automated exploitation tooling
• Privilege escalation research
• Persistence mechanism development

The fact that the alleged CRM platform was implemented in PHP is operationally relevant because attackers commonly analyze exposed PHP applications for:
• SQL injection opportunities
• Insecure file upload functionality
• Weak session management
• Remote code execution vectors
• Misconfigured authentication controls
• Exposed admin interfaces

Even older or partial code repositories can remain highly valuable for adversaries because organizations often:
• Reuse code components
• Maintain legacy endpoints
• Retain unchanged credentials or tokens
• Replicate insecure architecture patterns across environments

Organizations facing suspected source code exposure should immediately:
• Rotate all secrets and credentials
• Audit authentication systems
• Review API exposure
• Conduct secure code review
• Hunt for backdoors or unauthorized modifications
• Validate third-party dependencies
• Monitor underground forums for exploit development activity

This incident highlights the increasing trend of cybercriminals targeting not only data, but also:
• Intellectual property
• Proprietary applications
• Internal tooling
• Development environments
• CI/CD infrastructure

#DDW #Intelligence #CyberSecurity #DarkWeb #SourceCodeLeak #ThreatIntelligence #InsuranceSecurity #AppSec #PHP #OSINT
🚨 CYBER INTELLIGENCE ALERT: ALLEGED SOURCE CODE COMPROMISE - SEGUROS LA UNIÓN 🇪🇨
[STATUS: BACKUP FILES OBSERVED IN SAMPLE IMAGES / NO OFFICIAL CONFIRMATION]

The threat actor identified by the alias V0lt4r0x has announced the exfiltration and publication of the complete source code of the CRM/Intranet system of the insurance company Seguros La Unión in Ecuador. The leaked batch exposes the internal structure of the application based on the Group-Office environment. Critically, the publication includes the system's root configuration file, exposing production credentials in plain text for the corporation's data stores and messaging relays.

🎯 Affected Entity: Seguros La Unión (Ecuador)
👤 Threat Actor: V0lt4r0x
📂 Compromised Assets: PHP source code repository for the CRM software (intranetlaunion) and the critical configuration file config.php.
⚠️ Status:
Visual evidence shows the complete production backend directory tree (controller, modules, views, vendor), as well as lines of code from the configuration file that point to real servers and databases under the geographic region configuration (America/Guayaquil).

📊 TECHNICAL ANALYSIS OF EXPOSED CREDENTIALS
Analysis of the captured config.php file from the corporate intranet reveals a complete breach of critical authentication factors:
📧 Mail Server Compromise (SMTP Relay):
🗄️ Relational Database Compromise: Engine/Port: MySQL/MariaDB

🛡️ URGENT MITIGATIONS AND TECHNICAL RECOMMENDATIONS
🛑 Immediate Rotation of Network Credentials: The Seguros La Unión infrastructure and security team is urged to urgently change the password for the admin email account on the corporate mail server.
🔒 Database Lock and Reset: Change the root user password for the production database and temporarily disable any communication or tunneling that exposes port 3306 to uncontrolled external interfaces.
🔍 Domain Reputation Monitoring: Monitor outgoing email logs and the behavior of institutional IPs to detect mass message bounces or spam blacklist alerts.

⚡ MONITORING AND EVALUATION
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly assess your website's security with: monitor.vecert.io/
#CyberSecurity #Ecuador #SegurosLaUnion #SourceCodeLeak #CRM #SMTPLeak #DatabaseCompromise #GroupOffice #ThreatIntelligence #CyberAlert #VECERT #Infosec
🚨 INTELLIGENCE ALERT: ALLEGED MASSIVE THEFT OF SOURCE CODE AND DATA - ELI LILLY 🧪
⚠️ EXFILTRATION OF 1,200 REPOSITORIES (80GB) AND 40GB OF SENSITIVE MEDICAL DOCUMENTS
[STATUS: CRITICAL THREAT / UNDER INVESTIGATION, UNCONFIRMED]

The threat group identified as TeamPCP has put a massive volume of exfiltrated information from the multinational pharmaceutical company Eli Lilly up for sale. The attackers claim to have maintained access for over a month following an "incomplete penetration test" and are now seeking to monetize the assets before they are fully revoked.

🎯 Affected Entity: Eli Lilly and Company.
👤 Threat Actor: TeamPCP
📂 Exfiltrated Assets: Over 1,200 code repositories (80GB compressed) and 40GB of documents from the Veeva Vault.

📊 ANALYSIS OF THE EXPOSED INFORMATION
The breach compromises the company's core operations and scientific capabilities:
Research and Development (R&D): Drug research tools and programs. Computational biology systems and internal AI agents.
Clinical Operations and Patients: Patient enrollment systems. Clinical monitoring tools and data from the Veeva Vault (industry standard for regulatory and clinical trial data).
Infrastructure and Manufacturing: Manufacturing systems and medical devices. Complete mapping of the company's DevOps, facilitating future targeted attacks. Institutional SDK implementations.

🛡️ IMPACT AND RECOMMENDATIONS
🛑 Risk of Industrial Espionage: The sale of this code allows competitors or state actors to replicate manufacturing processes or advanced biotechnology research.
⚠️ Privacy Compromise (HIPAA/GDPR): The exfiltration of patient data from the Veeva Vault represents a very serious violation of international health privacy laws.
🔒 Infrastructure Security: Eli Lilly must conduct a full sweep of its DevOps infrastructure and rotate all API keys, service secrets, and credentials embedded in the exfiltrated code.

⚡ MONITORING AND EVALUATION
🌐 Intelligence System: analyzer.vecert.io
🛡️ Quickly evaluate your website's security with: monitor.vecert.io/
#CyberSecurity #EliLilly #DataBreach #SourceCodeLeak #BiotechSecurity #VeevaVault #TeamPCP #CyberAlert #VECERT #Infosec
🇫🇷 🚨 Alleged Mistral AI Breach Exposes Internal Repositories and Source Code 🚨

A threat group operating under the name “TeamPCP” claims to have breached Mistral AI and obtained approximately 5GB of internal source code and repository data. According to the listing on an underground forum, the dataset allegedly contains around 450 private repositories associated with both Mistral AI and “Mistral Solutions.”

The actor claims the repositories include internal projects related to:
- AI model training and fine-tuning
- Inference and model delivery systems
- Benchmarking environments
- Dashboard and platform infrastructure
- Security evaluation tooling
- Customer-facing AI agents
- Experimental and future AI initiatives

The post references multiple archive names allegedly included in the leak, such as:
- mistral-inference-internal.tar.gz
- mistral-inference-private.tar.gz
- mistral-lawyer-internal.tar.gz
- mistral_finance_agent.tar.gz
- mistral-compute-poc.tar.gz
- mistral-fabric.tar.gz
- finetuning-feedback.tar.gz
- mistral-finetune-internal.tar.gz
- cma-customer-care-internal.tar.gz
- mistral-common-internal.tar.gz
- chatbot-security-evaluation.tar.gz
- kyc-doc-agent.tar.gz
- dashboard.tar.gz
- devstral-cloud.tar.gz
- finance.tar.gz
- typhoon.tar.gz
- turbine.tar.gz
- mistral-surge.tar.gz
- mistral-solutions.tar.gz
- surge-validators.tar.gz
- website-v3.tar.gz
- xformers.tar.gz
- piper-segmentation.tar.gz
- pfizer-rfp-2025.tar.gz

The actor is demanding a $25,000 “Buy It Now” payment and claims the data will be sold to a single buyer only. The post further threatens to release the repositories publicly within a week if no buyer is found.

If authentic, exposure of internal AI repositories and infrastructure code could present significant risks, including intellectual property theft, model replication attempts, infrastructure targeting, API abuse, and supply-chain security concerns involving AI deployment pipelines.

At the time of reporting, there has been no independent verification confirming the authenticity of the alleged breach or the scope of the claimed repositories.

#DarkWeb #SourceCodeLeak #ArtificialIntelligence #ThreatIntelligence
🌎 A threat actor on an underground forum is claiming to be selling the source code of a banking system allegedly used across multiple Latin American countries.

According to the post:
• The project is referred to as “Sistema Bancario Softbank”
• The alleged source code is written in C#
• The platform is claimed to be implemented in:
  • Panama 🇵🇦
  • Peru 🇵🇪
  • Colombia 🇨🇴
  • Ecuador 🇪🇨

The actor also shared screenshots appearing to show attached project files and directories, alongside contact information through Session.

At this time:
• The claims remain unverified
• No official confirmation has been issued by any impacted organizations
• The authenticity and operational relevance of the alleged source code are unknown

If legitimate, exposure of banking platform source code could create elevated risks including:
• Identification of hardcoded credentials or secrets
• Discovery of authentication weaknesses
• Reverse engineering of business logic
• Exploitation of API vulnerabilities
• Supply chain compromise risks
• Fraud targeting financial institutions using the platform

Source code leaks involving financial systems are particularly sensitive because they may enable:
• Faster vulnerability discovery by threat actors
• Development of tailored exploits
• Infrastructure mapping and lateral movement planning
• More convincing phishing and impersonation campaigns

Financial institutions and technology providers potentially connected to the ecosystem should:
• Review whether internally developed or third-party systems match the referenced software
• Audit repositories and exposed development infrastructure
• Rotate secrets, API keys, and certificates if necessary
• Monitor underground channels for additional leaks or samples
• Review access logs tied to development environments and CI/CD systems
• Validate software integrity across production environments

While the post references a “banking system,” it is still unclear whether the alleged material represents:
• Production source code
• Legacy code
• Partial repositories
• Demo environments
• Decompiled components
• Or fabricated data intended to attract buyers

This is a developing situation.

#LATAM #Banking #DDW #Intelligence #CyberSecurity #DarkWeb #SourceCodeLeak #FinancialSector #ThreatIntelligence #InfoSec #BankingSecurity
🚨 CYBERINTEL ALERT: THREAT ACTOR PUBLISHES ALLEGED SOURCE CODE FOR “SOFTBANK” BANKING SYSTEM USED IN LATAM 🇵🇦🇵🇪🇨🇴🇪🇨💳🔐
[STATUS: UNCONFIRMED / SOURCE CODE EXPOSURE]

VECERT Intelligence has detected a new post on underground forums in which a threat actor claims to possess the alleged complete source code for a banking system named “Softbank,” purportedly implemented in multiple Latin American countries.

🏢 Allegedly Affected Target: “Softbank” – A banking platform/system developed in C#.
👤 Threat Actor: “V0lt4r0x”.
📅 Date of Discovery: May 11, 2026.
🌎 Allegedly Related Countries: Panama 🇵🇦 Peru 🇵🇪 Colombia 🇨🇴 Ecuador 🇪🇨

📂 Description of the Alleged Leak:
The actor claims to possess:
Complete source code written in C#.
Components of a banking platform implemented in LATAM.
Multiple financial and administrative modules.
The system's internal structure and associated documentation.

The published evidence reveals directories and components related to:
Auditing. Clients. Credit. Accounts Receivable/Payable. Electronic Invoicing. Compliance. Accounting. Investments. Anti-Money Laundering (AML). Financial Operations. WPF modules and executable packages.
References to executables, update utilities, and internal technical documentation are also visible.

📊 Technical Analysis of the Evidence (VECERT Intelligence)
The exposure of banking source code represents a critical risk for any financial organization or fintech firm utilizing platforms derived from—or integrated with—this software. The primary potential risks include:
🔓 Exposure of internal banking logic.
🧩 Discovery of hardcoded vulnerabilities.
🔑 Possible exposure of credentials, tokens, or sensitive configurations.
⚙️ Reverse engineering of financial modules.
💳 Risk of exploitation targeting integrated entities in LATAM.
🏦 Potential impact on billing, accounts receivable, compliance, and financial operations systems.

The published screenshots display development structures that appear authentic and organized by functional modules, suggesting access to internal development or distribution environments.

⚠️ Verification Status
The authenticity, integrity, and full scope of the alleged source code have NOT been independently verified. The information originates exclusively from underground publications.

🛡️ Cyber Defense Recommendations
🔒 Audit repositories and development pipelines.
⚙️ Review hardcoded credentials and embedded keys.
🧩 Validate the integrity of modules deployed in production.
🔍 Implement monitoring for Indicators of Compromise (IoCs) associated with the leak.
🛡️ Conduct SAST/DAST analysis on critical financial components.
📢 Evaluate the immediate rotation of secrets and privileged access credentials.

Monitor: analyzer.vecert.io

#CyberSecurity #ThreatIntel #BankingSecurity #SourceCodeLeak #LATAM #FinancialSector #DarkWeb #ThreatHunting #InfoSec #CyberAlert 💳🔐🚨
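Both Softbank posts above recommend auditing repositories for hardcoded credentials and embedded keys before deciding what to rotate. The script below is an added example of how a defender can run such an audit over a checked-out tree; it is not code from VECERT, from the threat actor's material, or from the platform described, and every file, path, key name and secret value in it is constructed for illustration. It combines shape-based patterns (AWS key IDs, connection-string passwords, appSettings and JSON secret values, string assignments in C#) with a Shannon-entropy filter so that labels such as "Clientes" are not reported as secrets, skips `.git` and build output, and masks values in its findings so the audit log itself does not become a second leak.

```python
"""Locate hard-coded credentials in a checked-out source tree.

Constructed example for auditing a C# repository like the one described in
the alerts above; all sample files and secret values below are invented.
"""
import math
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Each pattern captures the candidate secret in group 1. Order matters: the
# first pattern that fires on a (file, line, value) triple is the one reported.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("connection_string_password",
     re.compile(r"(?i)(?:password|pwd)\s*=\s*([^;\"'\s]+)")),
    ("xml_appsetting_secret", re.compile(
        r'(?i)<add\s+key="[^"]*(?:key|secret|token|password)[^"]*"\s+value="([^"]+)"')),
    ("json_secret_value", re.compile(
        r'(?i)"[^"]*(?:key|secret|token|password)[^"]*"\s*:\s*"([^"]+)"')),
    ("source_string_assignment", re.compile(
        r'(?i)\b\w*(?:apikey|api_key|secret|token|password)\w*\s*=\s*"([^"]{8,})"')),
]
GENERIC_KINDS = {"json_secret_value", "source_string_assignment"}  # entropy-filtered
PLACEHOLDERS = {"changeme", "your_password_here", "<password>", "xxx", "todo"}
SKIP_DIRS = {".git", "bin", "obj", "node_modules", "packages"}
MAX_BYTES = 1_000_000  # larger files are almost always build artefacts


@dataclass(frozen=True)
class Finding:
    path: str     # relative to the scanned root
    line: int
    kind: str
    masked: str   # first four characters only; the raw value is never stored


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking secrets score high, labels score low."""
    if not value:
        return 0.0
    total = len(value)
    return -sum((n / total) * math.log2(n / total)
                for n in (value.count(c) for c in set(value)))


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_file(path: Path, root: Path) -> list[Finding]:
    findings, seen = [], set()
    text = path.read_text(encoding="utf-8", errors="ignore")
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1)
                if value.lower() in PLACEHOLDERS or (line_no, value) in seen:
                    continue
                if kind in GENERIC_KINDS and shannon_entropy(value) < 3.0:
                    continue  # low-entropy literal: most likely a label, not a secret
                seen.add((line_no, value))
                findings.append(Finding(str(path.relative_to(root)), line_no, kind, mask(value)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        results.extend(scan_file(path, root))
    return results


# Constructed sample repository (hypothetical contents, not from any real project).
SAMPLE_FILES = {
    "appsettings.json": """\
{
  "ConnectionStrings": {
    "Core": "Server=db.internal;Database=core;User Id=svc_core;Password=S3cr3t!Pass;"
  },
  "Smtp": { "Host": "mail.example.test", "SmtpPassword": "Xk9#pQ2vLm7$wRt4" },
  "Logging": { "Level": "Information" }
}
""",
    "Web.config": """\
<configuration>
  <appSettings>
    <add key="Environment" value="Production"/>
    <add key="PaymentApiKey" value="AKIAIOSFODNN7EXAMPLE"/>
  </appSettings>
</configuration>
""",
    "src/Clientes/TokenProvider.cs": """\
namespace Softbank.Clientes
{
    internal static class TokenProvider
    {
        // constructed sample: a hard-coded credential the scanner should flag
        private const string ApiToken = "sk_live_4f8a2c9e1b7d3f6a";
        private const string ModuleLabel = "Clientes";
    }
}
""",
    "README.txt": "Build notes (constructed sample)\nDefault admin password = changeme (rotate before deploy)\n",
    ".git/config": "[core]\n\tpassword = NotScannedBecauseSkipped\n",
}


def demo() -> list[Finding]:
    """Write the sample tree to a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}  {f.kind}  {f.masked}")
```

On the sample tree the scan reports four findings (the connection-string password and the SMTP password in `appsettings.json`, the AWS-style key in `Web.config`, and the token literal in the C# source) while ignoring the `changeme` placeholder and the skipped `.git` directory. Findings of this kind are the starting point for the rotation and history-rewrite decisions the posts recommend; a pattern scanner cannot see secrets that were only ever injected at runtime, so it complements rather than replaces a review of CI/CD variables and vault paths.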
🚨 CRITICAL CYBERINTEL ALERT: SALE OF COMPLETE BACKEND INFRASTRUCTURE – ECOMMPAY 🌍💳🔓

The sale of the complete backend infrastructure (2026 version) belonging to ECOMMPAY—a global Payment Service Provider (PSP)—has been detected. Threat actor "mritcat" claims to possess the entire architecture, source code, and databases responsible for managing the financial transaction lifecycle across more than 50 regions, including Mexico, Colombia, Argentina, and Brazil.

🏢 Affected Entity: ECOMMPAY (Worldwide Payment Provider).
👤 Threat Actor: mritcat.
📂 Leak Volume: 40 GB (1,577,127 files and 384,966 folders).
📅 Publication Date: May 5, 2026.

📊 Breach Scope (Code, Finance, and Architecture)
Infrastructure: Over 100 microservices and packages, the core PSP architecture, and 600 global payment integrations.
Complete Transactional Lifecycle: Code for payment initiation, 3DS (secure authentication) flows, payment processing, refunds, callback events, and dashboards.
Sensitive Data: Core databases containing all tables, audit logs (ledgers), billing records, commission data, and settlement information.
Geographic Scope: Impacts operations across Africa, Asia, Europe, Latin America (Mexico, Colombia, Argentina, Brazil), and the Cryptocurrency sector.

🛡️ Immediate Response Recommendations
🔒 Code Integrity Audit: ECOMMPAY must conduct a comprehensive review of its code repositories and deploy a new security architecture to neutralize the exposed logic.
🔑 Rotation of Secrets and API Keys: It is imperative to rotate all access keys, certificates, and integration secrets associated with the banks and external processors referenced within the 600 affected modules.

Monitor: analyzer.vecert.io

#CyberSecurity #Fintech #Ecommpay #DataBreach #SourceCodeLeak #PaymentProvider #CyberFraud #VECERT #mritcat #InfoSec 🌍🛡️⚠️🚨💳
🚨 CRITICAL CYBER THREAT ALERT: TOTAL INFRASTRUCTURE AND DATA COMPROMISE – ÉCOLE DE PSYCHOLOGUES PRATICIENS (FRANCE) 🇫🇷🎓📡🔓

A massive exfiltration of data and source code belonging to the École de Psychologues Praticiens (Psycho-Prat) in France has been detected. Threat actor "Spirigatito" has published a 55 GB repository that compromises the academic, personal, and technical integrity of the institution.

🏢 Affected Entity: École de Psychologues Praticiens (Psycho-Prat).
👤 Threat Actor: Spirigatito.
📂 Leak Volume: 55 GB of data distributed across more than 85,000 files.
📅 Publication Date: May 3, 2026.

📊 Breach Scope (PII, PHI, and Infrastructure)
The leak is exhaustive and encompasses every level of the organization:
Student Information (11,447 documents): Exposure of national ID cards, passports, IBANs (banking details), diplomas, and admission applications, in addition to the complete database.
Biometric and Visual Records: 10,506 photos of students and faculty members.
Account Security: Access to all Psycho-Prat accounts and connection records (logs).
Intellectual Property: The complete source code for the platform, totaling 85,424 files.

🛡️ Immediate Response Recommendations
🔒 Global Credential Reset: The institution must force a password reset for all users and deactivate any active sessions based on the leaked logs.
🔑 Banking Monitoring: Students and faculty members are urged to notify their banks regarding the potential exposure of their IBANs.

Monitor: analyzer.vecert.io

#CyberSecurity #France #PsychoPrat #DataBreach #Identidad #IBAN #SourceCodeLeak #VECERT #Spirigatito #InfoSec 🇫🇷🛡️⚠️🚨🎓
🚨 CYBERINTEL ALERT: TOTAL BREACH AT OPERATIONS SUPPORT COMPANY (OSC) – INFRASTRUCTURE COMPROMISE 🇸🇦🛡️🔓

A massive data exfiltration and a deep compromise of the infrastructure belonging to Operations Support Company (OSC) have been detected. The threat actor NormalLeVrai (linked to recent leaks in the region) has published the company's database and is offering privileged access to its server and critical assets for sale.

🏢 Affected Entity: Operations Support Company (OSC).
👤 Threat Actor: NormalLeVrai
🛠️ Access Level: Total compromise of cPanel, granting administrative control over the server, files, and web configurations.
📂 Leak Volume: 172,272 data rows.
📅 Publication Date: May 3, 2026.

📊 Breach Scope (Infrastructure and PII)
Evidence provided by the attacker confirms persistent and multifaceted access:
cPanel Access: The attacker possesses control over the backend of the osc.sa website, allowing for the manipulation of server infrastructure.
Defacement: The official website was defaced as proof of the system's vulnerability.
Email System: Control over—and an offer to sell—four corporate email accounts, including the ability to export messages.
Intellectual Property: Access to the complete source code for the company's applications and portal.
Database: Exfiltration of over 172k records, currently available for free download.

🛡️ Immediate Response Recommendations
🔒 cPanel Recovery: Immediately change cPanel access credentials and review all recently created administrator accounts.
🔑 Email Account Reset: Disable and reset the passwords for all corporate email accounts, and enable Multi-Factor Authentication (MFA).

Monitor: analyzer.vecert.io

#CyberSecurity #OSC #DataBreach #cPanelAccess #SaudiArabia #Defacement #SourceCodeLeak #VECERT #NormalLeVrai #InfoSec 🇸🇦🛡️⚠️🚨🏛️
🎮 A threat actor is claiming to have leaked the source code for the legacy “osu!stable” client, along with components allegedly related to the osu! website infrastructure.

According to the underground post, the leaked material allegedly includes the 2016 osu! stable client source code, website source files, database schema data, and PHP/nginx configuration files. The actor claims the content originated from a Discord-related leak involving an old community server.

The claims have not been independently verified.

#DDW #osu #Gaming #SourceCodeLeak #CyberSecurity #DataLeak #DarkWeb #ThreatIntel
🚨 CRITICAL CYBERINTELLIGENCE ALERT: TOTAL INFRASTRUCTURE AND DATA COMPROMISE – FACO PARIS (FRANCE) 🇫🇷🎓💻🔓

A massive and systemic data leak has been detected affecting the FACO Paris Faculty of Law and Economics. Threat actor "Spirigatito" has published a 12 GB archive containing not only private information regarding the academic community but also the institution's core technological assets.

🏢 Affected Entity: FACO Paris (France).
👤 Threat Actor: Spirigatito.
📂 Leak Volume: 12 GB.
📅 Publication Date: May 1, 2026.

📊 Scope of the Breach (PII, IP, and Financial Data)
The data exposure is comprehensive and spans multiple dimensions of the institution:
Student Information: Compromise of 11,447 documents, including scans of national ID cards, passports, bank account numbers (IBANs), diplomas, and admission applications.
Biometric Records: A total of 1,243 photographs of students and faculty members.
Intellectual Property: Exfiltration of 3,212 academic course documents.
Access Security: Compromise of all user accounts and connection logs within the platform.
Technological Assets: Leak of FACO Paris's complete source code, totaling 27,346 files.

🛡️ Immediate Response Recommendations
🔒 Mass Credential Rotation: FACO Paris is urged to invalidate all current passwords and active sessions on its platform.
🔑 Source Code Audit: Conduct a forensic analysis of the leaked code to identify any backdoors or critical vulnerabilities that require immediate patching.

Monitor: analyzer.vecert.io

#CyberSecurity #France #FACOParis #DataBreach #SourceCodeLeak #IBAN #PII #VECERT #InfoSec #UnVerified 🇫🇷🛡️⚠️🚨🎓
🚨 CRITICAL CYBERINTEL ALERT: TOTAL COMPROMISE OF THAILAND'S ACADEMIC INFRASTRUCTURE – THAI.AC 🇹🇭🎓🛡️

A massive data leak has been detected affecting THAI.AC (Thailand Academic Network), the central infrastructure supporting hundreds of educational institutions and universities across Thailand. Threat actor "Cat#23" has published the complete source code and database access credentials for over 1,200 linked entities.

🏢 Affected Entity: THAI.AC (Thailand Academic Network).
👤 Threat Actor: Cat#23.
📂 Leak Volume: 3.7 GB (Combined data).
📅 Publication Date: April 29, 2026.
⚠️ Exploited Vulnerability: Exposed .git directory and massive Access Control failures (Broken Access Control).

📊 Breach Scope (PII and Credentials)
The leak is catastrophic as it exposes the "keys" to the entire academic network:
Source Code: The complete backend code (PHP), enabling other attackers to discover new vulnerabilities without limitation.
Plaintext Credentials: Over 1,200 configuration files containing database usernames and passwords for individual schools and universities.
Personal Data (PII): Names, mobile phone numbers, institutional email addresses (.ac.th domains), and administrative records for thousands of individuals.
Main Database: A 1.3 GB manual backup containing raw, sensitive information.

🛡️ Immediate Response Recommendations
🔒 Secure Critical Directories: It is imperative that THAI.AC reconfigure its web servers to block public access to hidden folders such as .git and .env.
🔑 Mass Password Rotation: All 1,200 affected institutions must immediately change their SQL database passwords and rotate any encryption keys exposed in the source code.

Monitor: analyzer.vecert.io

#CyberSecurity #Thailand #ThaiAC #DataBreach #Education #SourceCodeLeak #GitExposure #InfoSec #VECERT 🇹🇭🛡️⚠️🚨🎓
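The THAI.AC alert attributes the exposure to a publicly reachable `.git` directory and recommends blocking such hidden folders at the web server. The fragment below is an added illustration of that mitigation for nginx, which the alert does not name; it is not configuration from VECERT or from THAI.AC, and the server name and document root are placeholders.

```nginx
# Added example: refuse web access to dotfiles and repository metadata.
# Placeholders: example.ac.th (server_name) and /srv/app/public (document root).
server {
    listen 443 ssl;
    server_name example.ac.th;
    root /srv/app/public;

    # Regex locations are tried in the order they appear, so this block must
    # come before the PHP handler below or a request for /.git/config.php-style
    # paths could still reach the application. The negative lookahead keeps
    # /.well-known/ (ACME, security.txt) reachable. Answering 404 instead of
    # 403 does not confirm that the directory exists.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # Deployment layout that removes the risk entirely: check the code out to
    # /srv/app and point root at /srv/app/public, so .git and .env are never
    # under the document root in the first place.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # placeholder socket path
    }
}
```

After `nginx -t` and a reload, requesting `/.git/HEAD` and `/.env` on your own host should return 404 while `/.well-known/security.txt` still resolves. The location rule is a backstop only: rotating every database credential found in the leaked configuration files, as the alert recommends, is what actually closes the exposure, and keeping the repository outside the document root prevents the same class of leak across all hosted institutions.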