TweetFeed

TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.

From 0xDanielLopez · Updated June 27, 2026

**TweetFeed** collects Indicators of Compromise (IOCs) shared by the infosec community on Twitter: malicious URLs, domains, IPs, and SHA256/MD5 hashes. The project was first published in 2021. Key topics include: blueteam, malware, malware-detection, malware-research, osint.

<div align="center"> <h1 align="center">TweetFeed</h1> <h3 align="center">Feeds of IOCs posted by the community on Twitter/X</h3> <p align="center"> <b> <a href="https://tweetfeed.live">TweetFeed.live</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; <a href="https://tweetfeed.live/docs/">Docs</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; <a href="https://tweetfeed.featurebase.app/">Feedback</a> </b> </p>



</div>

Everything in the dynamic blocks below (date, type counters, top tags, top reporters, output example) is regenerated by the pipeline every 15 minutes. Hand-written sections are stable.

:heart: Support the project

If you like the project, please consider:

  • Giving it a star :star:
  • Inviting me to a coffee :coffee:

:page_facing_up: Data collected

<div align="center"> <h3>CSV feeds</h3> <table> <thead> </thead> <tbody> <tr> <th colspan=4>2026-06-27 08:00:22 (UTC)</th> </tr> <tr> <th>Today</th> <th>Last 7 days</th> <th>Last 30 days</th> <th>Last 365 days</th> </tr> <tr> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">Today</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/week.csv">Week</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/month.csv">Month</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/year.csv">Year</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv">raw</a>)</td> </tr> </tbody> </table> <h3>Other formats</h3> <table> <thead> <tr> <th>Format</th> <th>URL</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><b>RSS 2.0</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/rss.xml">rss.xml</a></td> <td>Today's IOCs (regenerated every 15 min)</td> </tr> <tr> <td><b>MISP</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json">misp/manifest.json</a></td> <td>4 events (today / week / month / year). Add as a feed in MISP via <i>Sync Actions &rarr; Feeds &rarr; Add</i>.</td> </tr> <tr> <td><b>STIX 2.1</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/stix/manifest.json">stix/manifest.json</a></td> <td>Bundles for today / week / month</td> </tr> </tbody> </table> </div> <div align="center"> <h3>Output example</h3> <p><b>CSV schema</b></p> <pre><code>date, user, type, value, tags, tweet_url</code></pre>

<sub>Live samples: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">today.csv</a></sub>

</div>

:gear: Programmatic access

<div align="center"> <table> <thead> <tr> <th>Surface</th> <th>URL</th> <th>Use case</th> </tr> </thead> <tbody> <tr> <td><b>REST API</b></td> <td><a href="https://api.tweetfeed.live/v1">api.tweetfeed.live</a></td> <td>JSON, no auth, CORS enabled. <code>/v1/{today,week,month,year}[/{type}[/{tag}]]</code></td> </tr> <tr> <td><b>MCP server</b></td> <td><a href="https://mcp.tweetfeed.live">mcp.tweetfeed.live</a></td> <td>JSON-RPC 2.0 endpoint exposing 8 tools (<code>query_iocs</code>, <code>check_url</code>, <code>check_ip</code>, <code>check_hash</code>, <code>list_recent_iocs</code>, <code>get_tag_info</code>, <code>get_trending</code>, <code>enrich_ioc</code>) for Claude / AI agents</td> </tr> </tbody> </table>

See <a href="https://tweetfeed.live/agents/">tweetfeed.live/agents/</a> for the copy-paste MCP config and full tool reference.

</div>

:bar_chart: Some statistics

<div align="center"> <h3>Types</h3>
TypeTodayWeekMonthYear
:link: URLs3463540454831
:globe_with_meridians: Domains3374473239305
:triangular_flag_on_post: IPs010668313124
:1234: SHA25631125891874
:1234: MD50401772612
</div>
<div align="center"> <h3>Top 10 tags <sub>(by year activity, refreshed every 15 min)</sub></h3> <!-- TAG_TABLE_START -->
TagTodayWeekMonthYear
#phishing6465296836526
#C203433618309
#Kimsuky04491812988
#DPRK00490011333
#scam0115266764
#CobaltStrike02134771
#malware0513102471
#Interactsh0001792
#APT0321981705
#Remcos01301423
<!-- TAG_TABLE_END -->

The full catalog of 120 tags with per-tag landing pages and CSV exports lives at tweetfeed.live/tags/.

</div>
<div align="center"> <h3>Top Reporters (today)</h3> <!-- TOP_REPORTERS_START -->
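
| Number | User | IOCs |
|---|---|---|
| #1 | Q8CyberTi | 4 |
| #2 | bomccss | 3 |
| #3 | masaomi346 | 2 |
| #4 | - | 0 |
| #5 | - | 0 |
| #6 | - | 0 |
| #7 | - | 0 |
| #8 | - | 0 |
| #9 | - | 0 |
| #10 | - | 0 |
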
<!-- TOP_REPORTERS_END --> </div>

:question: How does it work?

The pipeline searches for tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched

(case-insensitive matching, top 10 by year activity, refreshed every 15 min)
<!-- TAGS_LIST_START -->
#phishing, #C2, #Kimsuky, #DPRK, #scam, #CobaltStrike, #malware,
#Interactsh, #APT, #Remcos
<!-- TAGS_LIST_END -->

The full list of 120 tags lives at tweetfeed.live/tags/.

Also search Tweets posted by

(these are trusted folks that sometimes don't use tags)

<big><pre>
TweetFeed list
</pre></big>

:mag: Use TweetFeed in your stack

TweetFeed publishes the same data in CSV / JSON / RSS / MISP / STIX so you can wire it into whichever SIEM, EDR, or TIP you already run. Examples below default to year.csv (1-year window); swap to month.csv / week.csv / today.csv to keep the dataset smaller.

<details> <summary><b>Microsoft Defender XDR / Sentinel</b> &nbsp;<sub>(KQL via <code>externaldata</code>)</sub></summary> <br>

1. Match SHA256 hashes against the yearly feed

```kusto
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
    'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet
```

2. Match IP addresses against the monthly feed

```kusto
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
    'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
)
| project Timestamp, DeviceName, RemoteIP, Tag, Tweet
```

3. Match URLs and domains against the weekly feed

```kusto
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
    'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
)
| project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
```

The same KQL works in Microsoft Sentinel if you replace DeviceProcessEvents / DeviceNetworkEvents with the equivalent Sentinel tables (SecurityEvent, CommonSecurityLog, etc.).

</details> <details> <summary><b>Splunk</b> &nbsp;<sub>(SPL with <code>inputlookup</code> after CSV import, or <code>rest</code> for ad-hoc fetch)</sub></summary> <br>

Schedule a recurring CSV import via the Add-on Builder or the inputs.conf REST modular input. Then:

```spl
index=firewall earliest=-30d
| join dest_ip [
    | inputlookup tweetfeed_iocs.csv
    | where Type="ip"
    | rename Value AS dest_ip
    | fields dest_ip, Tags, Tweet
  ]
| stats count by src_ip, dest_ip, Tags
```

For proxy / DNS logs vs. URLs and domains:

```spl
index=proxy sourcetype=zscaler earliest=-7d
| join url [
    | inputlookup tweetfeed_iocs.csv
    | where Type IN ("url","domain")
    | rename Value AS url
    | fields url, Tags, Tweet
  ]
| table _time, src, dest, url, Tags, Tweet
```

For process-execution hashes:

```spl
index=endpoint sourcetype=Sysmon EventCode=1 earliest=-30d
| eval hash=lower(Hashes)
| join hash [
    | inputlookup tweetfeed_iocs.csv
    | where Type IN ("sha256","md5")
    | rename Value AS hash
    | fields hash, Tags, Tweet
  ]
| table _time, host, Image, hash, Tags, Tweet
```

</details> <details> <summary><b>Elastic Security / OpenSearch</b> &nbsp;<sub>(Filebeat <code>threatintel</code> module + indicator-match rule)</sub></summary> <br>

Add the MISP feed to your filebeat.yml:

```yaml
- module: threatintel
  misp:
    enabled: true
    var.url: "https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json"
    var.interval: 15m
```

Then create an indicator-match rule mapping your data to the threat fields:

| Source field | Threat field |
|---|---|
| destination.ip | threat.indicator.ip |
| url.full | threat.indicator.url.full |
| dns.question.name | threat.indicator.url.domain |
| file.hash.sha256 | threat.indicator.file.hash.sha256 |
| file.hash.md5 | threat.indicator.file.hash.md5 |

Tags + tweet URLs are preserved as enrichment fields on each match (threat.indicator.description, threat.indicator.reference).

For OpenSearch the same approach works via the Security Analytics threat intel framework using the STIX bundles at stix/manifest.json.

</details> <details> <summary><b>MISP / OpenCTI / TheHive</b> &nbsp;<sub>(threat intel platforms)</sub></summary> <br>

| TIP | How to add TweetFeed |
|---|---|
| MISP | Sync Actions → Feeds → Add with URL https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json (4 events: today / week / month / year, regenerated every 15 min). |
| OpenCTI | Use the official tweetfeed connector. |
| TheHive 5 | Import the STIX bundles at https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/stix/manifest.json via the MISP-Hive connector or directly through the API. |

</details> <details> <summary><b>CLI / scripting</b> &nbsp;<sub>(curl + jq, Python)</sub></summary> <br>

Pull today's phishing URLs:

```bash
curl -s 'https://api.tweetfeed.live/v1/today/phishing/url' | jq -r '.[].value'
```

Cross-check a hash against the year window:

```bash
HASH=XXX  # any SHA256 you want to look up
curl -s 'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv' \
  | awk -F, -v h="$HASH" '$3=="sha256" && $4==h'
```

Pandas one-liner — top 20 IPs reported in the last year:

```python
import pandas as pd

df = pd.read_csv(
    'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv',
    names=['date', 'user', 'type', 'value', 'tags', 'tweet'],
)
print(df[df.type == 'ip'].groupby('value').size().sort_values(ascending=False).head(20))
```

For interactive querying via Claude / AI agents, see Programmatic access above (the MCP server exposes the same data with built-in query helpers).

</details>
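
An added example, not code from the TweetFeed project: it applies the same vetting the KQL queries above use (allowlist, private-IP filter) plus hash validation to rows in the CSV schema before matching them against log events. The sample rows, the event field names (`host`, `dest_ip`, `sha256`) and the helpers `normalize`, `load_feed` and `match_events` are assumptions made for illustration.

```python
import csv, io, ipaddress, re

# Constructed data: feed rows in the page's schema (date, user, type, value, tags, tweet_url)
# and log events with hypothetical field names. 203.0.113.0/24 and 198.51.100.0/24 are doc ranges.
SAMPLE_FEED = """\
2026-06-27 07:10:00,reporter_a,ip,203.0.113.7,#C2,https://example.invalid/1
2026-06-27 07:11:00,reporter_a,ip,192.168.1.10,#C2,https://example.invalid/2
2026-06-27 07:12:00,reporter_a,ip,198.51.100.9,#scam,https://example.invalid/3
2026-06-27 07:13:00,reporter_b,sha256,{h},#malware,https://example.invalid/4
2026-06-27 07:14:00,reporter_b,sha256,not-a-hash,#malware,https://example.invalid/5
""".format(h="A" * 64)
EVENTS = [{"host": "ws-01", "dest_ip": "203.0.113.7"}, {"host": "ws-02", "dest_ip": "192.168.1.10"},
          {"host": "ws-03", "sha256": "a" * 64}, {"host": "ws-04", "dest_ip": "198.51.100.9"}]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HEX_LEN = {"sha256": 64, "md5": 32}

def normalize(ioc_type, value):
    """Canonical form of an indicator, or None if it is unusable for matching."""
    value = value.strip().lower()
    if ioc_type in HEX_LEN:  # hashes must be fixed-length hex
        return value if re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[ioc_type], value) else None
    if ioc_type != "ip":
        return None  # URL and domain matching is out of scope for this example
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    # Same idea as the ipv4_is_private() filter in the KQL: RFC 1918 addresses never match.
    return None if ip.version == 4 and any(ip in n for n in PRIVATE_NETS) else str(ip)

def load_feed(text, allowlist=frozenset()):
    """Map (type, value) -> tags for every valid, non-allowlisted row."""
    iocs = {}
    for row in (r for r in csv.reader(io.StringIO(text)) if len(r) == 6):
        value = normalize(row[2].strip(), row[3])
        if value and value not in allowlist:
            iocs.setdefault((row[2].strip(), value), row[4].strip())
    return iocs

def match_events(events, iocs):
    """Return (host, type, value, tags) for each event field present in the feed."""
    hits = []
    for ev in events:
        for ioc_type, field in (("ip", "dest_ip"), ("sha256", "sha256")):
            value = normalize(ioc_type, ev.get(field, ""))
            if (ioc_type, value) in iocs:
                hits.append((ev["host"], ioc_type, value, iocs[(ioc_type, value)]))
    return hits
```

Both sides of the comparison go through `normalize`, so an upper-case hash in the feed still matches a lower-case hash in the log.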

:robot: Agent-ready surface

TweetFeed is built for consumption by AI agents and LLM-based tooling:

Plug the MCP endpoint above into Claude Desktop / Claude Code / any MCP-aware client to query feeds in natural language.

:balance_scale: License

The data feeds (CSV, JSON, RSS, MISP, STIX) and the public API responses are released under CC0 1.0 Universal - no rights reserved, reuse freely, no attribution required.

A primer on how to put this data to work in detection workflows lives at tweetfeed.live/docs/.

:bust_in_silhouette: Author

:pushpin: Disclaimer

Please note that all the data is collected from Twitter/X and sorted/served here as is, on a best-effort basis.

I have tried to tune the searches as much as possible to collect only valuable info. However, please consider making your own analysis before taking any action related to these IOCs.

Anyway, feel free to reach out to me or to provide any kind of feedback regarding any contribution or suggestion.

<hr>

<b>By the community, for the community.</b>

This article is auto-generated from 0xDanielLopez/TweetFeed via the GitHub API. Last fetched: 6/27/2026