11.7 million accounts affected. ⚠
Here is a recap of the security incident affecting the Agence nationale des titres sécurisés. ⬇
https://t.co/5mtDQYg4NP
Vercel, the popular cloud platform for deploying apps, has been breached 🔥
My quick advice for threat hunters & IR folks: Look in your logs for any comms to *.vercel[.]app sites ⚠️
If you see high comms counts, then there may be a software/app exposure to this breach 🔍
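One way to run the hunt described above over proxy logs, as an added example that is not part of the original post or of any Vercel tooling. The log format, the sample lines and the threshold are all constructed assumptions; the point it adds is matching the last two DNS labels rather than doing a substring search, so lookalikes such as `notvercel.app` or `vercel.app.attacker.test` do not pollute the counts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample proxy log lines (not real traffic): "<timestamp> <src_ip> <dest_host> <status>"
SAMPLE_LOG = """\
2026-01-05T10:00:01Z 10.0.0.12 api.example.com 200
2026-01-05T10:00:02Z 10.0.0.12 my-app-3f2a.vercel.app 200
2026-01-05T10:00:03Z 10.0.0.12 my-app-3f2a.vercel.app 200
2026-01-05T10:00:04Z 10.0.0.12 my-app-3f2a.vercel.app 200
2026-01-05T10:00:05Z 10.0.0.12 updates.vercel.app 200
2026-01-05T10:00:06Z 10.0.0.44 cdn.example.net 304
2026-01-05T10:00:07Z 10.0.0.44 docs.vercel.app 200
2026-01-05T10:00:08Z 10.0.0.77 vercel.app.attacker.test 200
2026-01-05T10:00:09Z 10.0.0.77 notvercel.app 200
"""

# Assumed log layout for the constructed sample above.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")


def is_vercel_app_host(host: str) -> bool:
    """True for vercel.app itself or any subdomain of it.

    Comparing the last two DNS labels (rather than searching for the substring
    'vercel.app') rejects lookalikes such as notvercel.app or
    vercel.app.attacker.test.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[-2:] == ["vercel", "app"]


def hosts_by_source(log_text: str) -> dict:
    """Map each source IP to a Counter of the *.vercel.app hosts it contacted."""
    per_src: dict = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host = m.group("host")
        if is_vercel_app_host(host):
            per_src[m.group("src")][host] += 1
    return dict(per_src)


def flag_sources(log_text: str, threshold: int) -> dict:
    """Return {src_ip: total_vercel_app_requests} for sources at or above the threshold.

    The threshold is a placeholder: baseline it against normal traffic first,
    since vercel.app also hosts plenty of legitimate applications.
    """
    totals = {src: sum(c.values()) for src, c in hosts_by_source(log_text).items()}
    return {src: n for src, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for src, hosts in hosts_by_source(SAMPLE_LOG).items():
        print(src, dict(hosts))
    print("flagged:", flag_sources(SAMPLE_LOG, threshold=3))
```

A high count from one host is a lead, not a verdict: the next step is to map the flagged source to the application or package that makes those requests and check whether that dependency is within the breach's scope.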
Got to work on this with the legend @_JohnHammond. A user asked Codex to fix suspicious behaviour on their machine. Codex "solved" it, but the cryptominer kept running.
Plus: How Gen-AI noise is complicating investigations and how SOCs need to evolve.
https://t.co/DnfhV86iA1
The #TeamPCP campaign continues. The telnyx #PyPI package (versions 4.87.1 & 4.87.2) with ~1M monthly downloads was compromised.
What's new this time:
WAV steganography. The payload hides an XOR-obfuscated binary inside audio frames, downloads it from C2 at import time, and persists on Windows via msbuild.exe in Startup. Linux/macOS gets a credential harvester with AES-256 + RSA encryption.
The attackers even pushed a bugfix release (4.87.2) within hours of 4.87.1 failing due to a casing error. Operational iteration, live.
A good reminder of why writing detections around behavioral patterns rather than point-in-time indicators matters. Generic rules from years back still hold against new techniques.
Rune AI, our internal LLM analysis layer, surfaces the same verdict for efficient triage.
IOCs & analysis:
https://t.co/HDapiQ1bfV
https://t.co/6begv9mCeh
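A behavioural check for the WAV-steganography stage described above, as an added example that is not code from the original post or from the analysed package. The post says only that an XOR-obfuscated binary sits inside the audio frames; this example assumes a repeating-key XOR of unknown length and recovers the key with a known-plaintext attack on the DOS stub string that nearly every PE carries, so it does not depend on the key used by any particular sample. The carrier WAV, the stand-in payload and the key are constructed for the demonstration.

```python
import io
import wave

# Known plaintext present in the DOS stub of almost every PE file.
CRIB = b"This program cannot be run in DOS mode"

# Constructed stand-in for a dropped binary: it carries the PE markers the scanner
# keys on but is not a real executable. Constructed test data, not a real sample.
FAKE_PE = b"MZ" + b"\x90" * 0x4C + CRIB + b".\r\r\n$\x00" + b"PE\x00\x00" + b"CONSTRUCTED BODY " * 4
# Repeating 3-byte XOR key chosen for the constructed sample only (the real
# campaign's key length and value are not given in the post).
SAMPLE_KEY = b"\x5a\xa5\x3c"
PAYLOAD_START = 64  # bytes of silence before the embedded payload (constructed)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    k = len(key)
    return bytes(b ^ key[i % k] for i, b in enumerate(data))


def build_sample_wav(payload: bytes, key: bytes, start: int = PAYLOAD_START) -> bytes:
    """Write a 16-bit mono WAV whose PCM frames hold zeros, the XOR-obfuscated
    payload, then zeros again. Mimics the carrier for testing only."""
    frames = bytearray(b"\x00" * start) + xor_bytes(payload, key) + b"\x00" * 64
    if len(frames) % 2:
        frames += b"\x00"  # keep an integral number of 16-bit frames
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def recover_xor_key(data: bytes, crib: bytes, max_key_len: int = 16):
    """Known-plaintext attack on repeating-key XOR.

    Slide the crib across data; at each offset and candidate key length k derive
    the key from the first k bytes and accept it only if it also decodes the rest
    of the crib. k stays below len(crib) so every candidate is genuinely tested.
    Returns (offset_of_crib, key_as_phased_at_that_offset) or None.
    """
    n = len(crib)
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        for k in range(1, min(max_key_len, n - 1) + 1):
            key = bytes(window[j] ^ crib[j] for j in range(k))
            if all(window[j] ^ key[j % k] == crib[j] for j in range(k, n)):
                return off, key
    return None


def scan_wav_for_xor_pe(wav_bytes: bytes, max_key_len: int = 16):
    """Return details of an XOR-obfuscated PE hidden in the PCM frames, or None."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        frames = r.readframes(r.getnframes())
    hit = recover_xor_key(frames, CRIB, max_key_len)
    if hit is None:
        return None
    off, key = hit
    k = len(key)
    # Re-phase the key so index 0 lines up with frame byte 0, then decode everything.
    aligned = bytes(key[(m - off) % k] for m in range(k))
    decoded = xor_bytes(frames, aligned)
    mz = decoded.rfind(b"MZ", 0, off)  # the DOS header precedes the stub string
    return {
        "key": aligned,
        "crib_offset": off,
        "mz_offset": mz,
        "payload": decoded[mz:] if mz >= 0 else None,
    }


if __name__ == "__main__":
    sample = build_sample_wav(FAKE_PE, SAMPLE_KEY)
    result = scan_wav_for_xor_pe(sample)
    print("key:", result["key"].hex(), "MZ at frame byte", result["mz_offset"])
```

This is the generic-rule point the post makes: the check keys on what the payload must contain to be useful to the attacker (a PE header and stub), not on a hash or a key value, so it survives the next re-key or re-encode of the same technique. Bytes recovered from the audio are still only a lead until the decoded blob is confirmed to parse as a PE.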
Whoa whoa whoa. Everyone CLAM down for a second.
Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM, which had over 97 MILLION installs. Initially it was reported that the payload was vibe coded, which resulted in the payload failing.
HOWEVER, this has been determined to be NOT TRUE. The payload was a SUCCESS. The payload failed in specific edge cases (currently unknown). The Threat Actor(s) managed to exfiltrate data from 500,000 infected machines (approx. 300gb of data).
I have confirmed this from three different sources. The initial news which is spreading all over social media is incorrect and this is actually a very big bamboozle.
They had one shot, one opportunity, and did indeed seize it (but only failing in specific and unknown edge cases).
It's all over for LLM-dependency nerds. Also, in a bit of irony, LiteLLM is SOC2 certified by Delve.
This is very big shenanigans for a Tuesday.
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.
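A check for the `.pth` persistence mechanism mentioned in the post above, as an added example that is not code from the post or from the LiteLLM project. It relies on one documented fact about CPython's `site` module: any line in a `.pth` file that starts with `import ` (or `import` plus a tab) is executed with `exec()` at interpreter start-up, while every other line is just appended to `sys.path`. The scanner therefore looks only at those executable lines and flags ones that carry base64 blobs or the usual loader idioms. The sample `.pth` contents, the token list and the decoded stand-in are constructed for the demonstration and do not reproduce the real file.

```python
import base64
import os
import re
import site

# site.py executes any .pth line beginning with "import " (or "import\t");
# every other non-comment line is simply appended to sys.path.
IMPORT_PREFIXES = ("import ", "import\t")
# Idioms common in one-line loaders; an assumed list, extend it as you see fit.
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "compile(", "__import__", "base64", "codecs.decode",
    "zlib", "marshal", "subprocess", "os.system", "urllib", "socket",
)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed samples, not the real package contents.
BENIGN_PTH = "import sys; sys.__plen = len(sys.path)\n./some_package_path\n"
CONSTRUCTED_BLOB = base64.b64encode(b'print("constructed stand-in for attacker code")').decode()
MALICIOUS_PTH = f"import base64, sys; exec(base64.b64decode('{CONSTRUCTED_BLOB}'))\n"


def analyze_pth(name: str, text: str) -> list:
    """Return one finding per executable .pth line carrying suspicious tokens or a base64 blob."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(IMPORT_PREFIXES):
            continue  # comments and path entries are never exec'd
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in stripped]
        blobs = B64_BLOB.findall(stripped)
        if not hits and not blobs:
            continue
        preview = None
        for blob in blobs:
            try:
                preview = base64.b64decode(blob, validate=True)[:60]
                break
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
        findings.append({
            "file": name,
            "line": lineno,
            "hits": hits,
            "blobs": len(blobs),
            "decoded_preview": preview,
        })
    return findings


def scan_site_packages(dirs=None) -> list:
    """Scan every .pth under the interpreter's site-packages directories."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if not fname.endswith(".pth"):
                continue
            path = os.path.join(d, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(analyze_pth(path, fh.read()))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for f in scan_site_packages():
        print(f["file"], "line", f["line"], f["hits"], f["decoded_preview"])
```

Run it with the same interpreter (and virtual environment) the suspect package was installed into, since `site.getsitepackages()` reports that interpreter's directories. Legitimate `.pth` files do use `import` lines (setuptools' `easy-install.pth` and several editable-install shims), so the decoded preview is there to let a human decide rather than to auto-quarantine.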
⚠️ Update: Three full weeks have passed since #Iran's internet blackout came into effect, with users forced onto the National Information Network.
At hour 504, few circumvention tools work as authorities crack down on satellite and VPN users outside the state-approved whitelist.
General Caine on cyber operations against Iran: "The first movers were US CyberCom and US Spacecom, layering non-kinetic effects, disrupting and degrading and blinding Iran's ability to see, communicate, and respond." https://t.co/bNU1rkOKTb
Safran was not the victim of a cyber-attack. The data mentioned comes from an accidental leak by a third party, with no intrusion into Safran's systems. The leak was contained very quickly and Safran took all appropriate measures. No compromise of our infrastructure has been observed.
During the press conference, President Trump said the “lights of Caracas were largely turned off due to a certain expertise that we have” during the strikes on Venezuela. Gen. Caine later noted that Cyber Command was among the US agencies involved in the strikes.
🎁 GIVEAWAY 🎁
A Gigabyte AERO X16 PC to be won! 🍀
To enter:
▪ FOLLOW @LDLC
▪ RT THIS TWEET
💻 The PC in detail
👉 https://t.co/u6FHn61MB9
📢 Also play on Instagram to multiply your chances. Good luck!
🥳 Prize draw from 05/01/2026
Full RCE PoC is now live @ https://t.co/VFu7NxJ3TQ
Credit goes to @maple3142. Great job! Brilliant idea for the root reference. Felt like a CTF challenge indeed. Writing the full breakdown now.
Pushed a new update to https://t.co/9CqANckHK0 -- it now scans for the RCE payload via reflection. Use the --waf-bypass flag to bypass WAFs; it works well for Cloudflare/AWS. Other WAFs might need tinkering with the payload, depending on whether or not they have a max context limit.
Our Security Research team at @SLCyberSec just published a high-fidelity detection mechanism for the Next.js/RSC RCE (CVE-2025-55182 & CVE-2025-66478) - https://t.co/aa62OKXpK2. There are a lot of PoCs on GitHub that are adding noise to the problem; I hope this helps people!