2026-04-03 RDP #Honeypot IOCs - 1212 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 990
80.94.95.221 - 63
80.66.83.75 - 27

Top ASNs:
AS14061 - 993
AS204428 - 63
AS396982 - 36

Top Accounts:
hello - 990
Administr - 78
test - 39

Top ISPs:
DigitalOcean, LLC - 993
SS-Net - 63
Google LLC - 36

Top Clients:
Unknown - 1212

Top Software:
Unknown - 1212

Top Keyboards:
Unknown - 1212

Top IP Classification:
hosting - 1035
Unknown - 138
mobile - 39

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-04-03 RDP #Honeypot IOCs - 808 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 660
80.94.95.221 - 42
80.66.83.75 - 18

Top ASNs:
AS14061 - 662
AS204428 - 42
AS396982 - 24

Top Accounts:
hello - 660
Administr - 52
test - 26

Top ISPs:
DigitalOcean, LLC - 662
SS-Net - 42
Google LLC - 24

Top Clients:
Unknown - 808

Top Software:
Unknown - 808

Top Keyboards:
Unknown - 808

Top IP Classification:
hosting - 690
Unknown - 92
mobile - 26

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-04-03 RDP #Honeypot IOCs - 404 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
143.198.111.35 - 330
80.94.95.221 - 21
80.66.83.75 - 9

Top ASNs:
AS14061 - 331
AS204428 - 21
AS396982 - 12

Top Accounts:
hello - 330
Administr - 26
test - 13

Top ISPs:
DigitalOcean, LLC - 331
SS-Net - 21
Google LLC - 12

Top Clients:
Unknown - 404

Top Software:
Unknown - 404

Top Keyboards:
Unknown - 404

Top IP Classification:
hosting - 345
Unknown - 46
mobile - 13

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

Browser-based tool for parsing, analyzing, and triaging FortiGate firewall CSV log files. https://github.com/M4shl3/FORTIDFIR #DFIR

As likely already posted by others, but still relevant to share regarding the npm package madness:

Potential hardening options for npm, which can be configured globally and at project level:

npm has an option to ignore scripts: ignore-scripts:
Quote from documentation: ‘not run any pre- or post-scripts’

npm (since cli version 11) has an option to set a minimum release age: min-release-age
Quote from documentation: ‘only versions that were available more than given number of days .. will be installed’

Full official documentation: https://docs.npmjs.com/cli/v11/using-npm/config

Note: I have not tested these options. And keep in mind actors will always adapt to measures taken by defenders.

#npm #DFIR

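Added example, not the poster's code and not npm's own resolver: it writes the two settings above into a project-level .npmrc and emulates what they change. Assumptions: `min-release-age` is a number of days (per the docs quote); the registry metadata ("packument") and package.json below are constructed for a fictional package; the version ordering is a simplified major.minor.patch comparison, not full semver.

```python
import json
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Project-level .npmrc with the two keys from the post. 7 days is an example value.
HARDENED_NPMRC = """ignore-scripts=true
min-release-age=7
"""

# Lifecycle scripts npm runs at install time unless ignore-scripts is set:
# preinstall/install/postinstall for any dependency, prepare for the root
# package and git dependencies.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed registry metadata and package.json for a fictional package.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.0.1"},
    "time": {
        "created": "2025-01-10T12:00:00.000Z",
        "modified": "2026-04-02T09:30:00.000Z",
        "1.4.2": "2025-11-20T08:15:00.000Z",
        "2.0.0": "2026-03-25T10:00:00.000Z",
        "2.0.1": "2026-04-02T09:30:00.000Z",
    },
}
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "2.0.1",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})
FIXED_NOW = datetime(2026, 4, 3, tzinfo=timezone.utc)  # fixed clock for reproducible output


def write_npmrc(project_dir=None):
    """Write the hardened .npmrc into project_dir (a temp dir if None); return its path."""
    target = Path(project_dir or tempfile.mkdtemp()) / ".npmrc"
    target.write_text(HARDENED_NPMRC)
    return target


def install_hooks(package_json_text):
    """Scripts in a package.json that would execute on `npm install` without ignore-scripts."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: scripts[name] for name in INSTALL_HOOKS if name in scripts}


def _version_key(version):
    # Simplified ordering: numeric major.minor.patch only, prerelease tags dropped.
    return tuple(int(part) for part in re.split(r"[.+-]", version)[:3])


def newest_eligible_version(packument, min_age_days, now=None):
    """Emulate min-release-age: newest version whose registry publish time is more
    than min_age_days before `now`. Returns None if nothing qualifies."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_age_days)
    eligible = []
    for version, stamp in packument["time"].items():
        if version in ("created", "modified"):
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if published < cutoff:
            eligible.append(version)
    return max(eligible, key=_version_key) if eligible else None


if __name__ == "__main__":
    # Default behaviour (min-release-age=0) takes the day-old 2.0.1 and would run its postinstall.
    print("default:", newest_eligible_version(SAMPLE_PACKUMENT, 0, FIXED_NOW))
    print("min-release-age=7:", newest_eligible_version(SAMPLE_PACKUMENT, 7, FIXED_NOW))
    print("install-time hooks:", install_hooks(SAMPLE_PACKAGE_JSON))
    print("wrote", write_npmrc())
```

With the fixed clock the default resolution picks 2.0.1 (published the previous day), while a 7-day minimum age falls back to 2.0.0; the hooks check lists the `postinstall` that `ignore-scripts=true` would keep from running.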

2026-04-02 RDP #Honeypot IOCs - 768 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
106.51.23.167 - 417
143.198.111.35 - 147
122.165.249.151 - 48

Top ASNs:
AS24309 - 417
AS14061 - 165
AS24560 - 48

Top Accounts:
hello - 633
Administr - 27
142.93.8.59 - 27

Top ISPs:
Atria Convergence Technologies Pvt. Ltd. - 417
DigitalOcean, LLC - 165
BHARTI - 48

Top Clients:
Unknown - 768

Top Software:
Unknown - 768

Top Keyboards:
Unknown - 768

Top IP Classification:
Unknown - 549
hosting & proxy - 147
hosting - 72

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-04-02 RDP #Honeypot IOCs - 512 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
106.51.23.167 - 278
143.198.111.35 - 98
122.165.249.151 - 32

Top ASNs:
AS24309 - 278
AS14061 - 110
AS24560 - 32

Top Accounts:
hello - 422
Administr - 18
142.93.8.59 - 18

Top ISPs:
Atria Convergence Technologies Pvt. Ltd. - 278
DigitalOcean, LLC - 110
BHARTI - 32

Top Clients:
Unknown - 512

Top Software:
Unknown - 512

Top Keyboards:
Unknown - 512

Top IP Classification:
Unknown - 366
hosting & proxy - 98
hosting - 48

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-04-02 RDP #Honeypot IOCs - 256 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
106.51.23.167 - 139
143.198.111.35 - 49
122.165.249.151 - 16

Top ASNs:
AS24309 - 139
AS14061 - 55
AS24560 - 16

Top Accounts:
hello - 211
Administr - 9
142.93.8.59 - 9

Top ISPs:
Atria Convergence Technologies Pvt. Ltd. - 139
DigitalOcean, LLC - 55
BHARTI - 16

Top Clients:
Unknown - 256

Top Software:
Unknown - 256

Top Keyboards:
Unknown - 256

Top IP Classification:
Unknown - 183
hosting & proxy - 49
hosting - 24

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security
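
The honeypot summaries above follow a fixed layout. As an added example (not the honeypot operator's tooling), the script below parses one post into sections, checks that the classification counts add up to the scan total, derives a /32 blocklist from the source-IP shares, and pulls out account names that are themselves IPv4 addresses. The sample text is constructed from the 2026-04-02 "768 scans" post, trimmed to a few sections; the 5% and 10% thresholds are example values.

```python
import re

# Constructed sample in the layout of the posts above (figures from the
# 2026-04-02 "768 scans" post, trimmed to three sections).
SAMPLE_POST = """2026-04-02 RDP #Honeypot IOCs - 768 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
106.51.23.167 - 417
143.198.111.35 - 147
122.165.249.151 - 48

Top Accounts:
hello - 633
Administr - 27
142.93.8.59 - 27

Top IP Classification:
Unknown - 549
hosting & proxy - 147
hosting - 72

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) RDP #Honeypot IOCs - (\d+) scans$")
SECTION_RE = re.compile(r"^Top (.+):$")
ENTRY_RE = re.compile(r"^(.+?) - (\d+)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_post(text):
    """Turn one post into {"date", "scans", "sections": {name: [(label, count), ...]}}.

    Labels may contain spaces and symbols ("hosting & proxy"), so entries are matched
    on the trailing " - <count>". Lines matching nothing (intro, hashtags, the failed
    Pastebin line) close the current section and are otherwise ignored.
    """
    post = {"date": None, "scans": None, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            post["date"], post["scans"] = m.group(1), int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            post["sections"][current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            post["sections"][current].append((m.group(1), int(m.group(2))))
            continue
        current = None
    return post


def classification_is_consistent(post):
    """Sanity check: the IP-classification counts cover every scan, so they should
    add up to the scan total in the header."""
    counts = post["sections"].get("IP Classification", [])
    return sum(c for _, c in counts) == post["scans"]


def ip_shares(post):
    """Share of the period's scans attributed to each listed source IP."""
    total = post["scans"]
    return {ip: count / total for ip, count in post["sections"].get("IPs", [])}


def blocklist(post, min_share=0.05):
    """Source IPs responsible for at least min_share of the scans, as /32 entries."""
    return [f"{ip}/32" for ip, share in ip_shares(post).items() if share >= min_share]


def ip_like_accounts(post):
    """Usernames that are themselves IPv4 addresses (the feed shows such entries,
    e.g. 142.93.8.59 under Top Accounts); worth tracking apart from name guesses."""
    return [name for name, _ in post["sections"].get("Accounts", []) if IPV4_RE.match(name)]


if __name__ == "__main__":
    post = parse_post(SAMPLE_POST)
    print(post["date"], post["scans"], "consistent:", classification_is_consistent(post))
    print("block:", blocklist(post, min_share=0.10))
    print("ip-like accounts:", ip_like_accounts(post))
```

Run it across several posts and merge the per-IP counts before blocking; a single eight-hour summary over-weights whichever scanner happened to be busiest.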

Just in case anybody else is looking at exported GitHub audit logs...

The JSON export format is fine except that the timestamps are in Unix epoch time with milliseconds. If you'd like that changed to human-readable timestamps: https://github.com/halpomeranz/dfis/blob/master/ghaudit-fix-json-times.pl

JSON is great if you know jq. But my customers prefer CSV output: https://github.com/halpomeranz/dfis/blob/master/ghaudit2csv.sh

#DFIR

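Added example (not the poster's Perl or shell scripts) doing both conversions in one pass: rewrite millisecond-epoch fields as ISO 8601 and flatten the events to CSV with a header built from the union of keys. Assumptions: the fields named `@timestamp` and `created_at` carry the millisecond epochs; the three events are constructed to resemble an organization audit-log export, not real data.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Assumption: these integer fields hold millisecond Unix epochs in the export.
TIME_FIELDS = ("@timestamp", "created_at")

# Constructed sample shaped like a GitHub organization audit-log JSON export.
SAMPLE_EXPORT = json.dumps([
    {"@timestamp": 1775174400000, "action": "repo.create", "actor": "alice",
     "org": "example-org", "repo": "example-org/new-service",
     "created_at": 1775174400000},
    {"@timestamp": 1775178000123, "action": "org.add_member", "actor": "alice",
     "org": "example-org", "user": "bob", "created_at": 1775178000123},
    {"@timestamp": 1775181600000, "action": "repo.destroy", "actor": "bob",
     "org": "example-org", "repo": "example-org/new-service",
     "created_at": 1775181600000, "visibility": "private"},
])


def ms_to_iso(ms):
    """Millisecond Unix epoch -> ISO 8601 UTC; the millisecond part is taken from the
    integer so no float rounding creeps in."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def flatten(event, prefix=""):
    """Flatten nested objects into dotted keys so every value fits one CSV cell."""
    flat = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def fix_times(events):
    """Flattened copy of the events with the known epoch-ms fields as ISO strings."""
    fixed = []
    for event in events:
        event = flatten(event)
        for field in TIME_FIELDS:
            if isinstance(event.get(field), int):
                event[field] = ms_to_iso(event[field])
        fixed.append(event)
    return fixed


def to_csv(events, columns=None):
    """Serialise events to CSV. Columns default to the union of keys in first-seen
    order, so an event missing a field gets an empty cell rather than a ragged row."""
    if columns is None:
        columns = list(dict.fromkeys(k for event in events for k in event))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for event in events:
        writer.writerow({k: event.get(k, "") for k in columns})
    return buf.getvalue()


def convert_export(json_text, columns=None):
    """JSON export text -> CSV text with human-readable timestamps."""
    return to_csv(fix_times(json.loads(json_text)), columns)


if __name__ == "__main__":
    print(convert_export(SAMPLE_EXPORT), end="")
```

Passing an explicit `columns` list gives a stable column order across exports, which matters when the CSV is going to be diffed or loaded into a timeline tool.
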
How do you find one incriminating photo among thousands of files? BelkaGPT lets investigators search media in plain language and jump straight to relevant evidence in Belkasoft X. https://youtu.be/RQtM9GEorVI #DFIR #DigitalForensics #BelkaGPT #BelkasoftX