v3nomtech/V3nom-Intel

GitHub: v3nomtech/V3nom-Intel

Stars: 0 | Forks: 0

# VENOM/INTEL

**Signature:** `CYbErXV3nOm`

## Table of contents

- [What it is](#what-it-is)
- [Feature tour](#feature-tour)
- [Live data sources](#live-data-sources)
- [Architecture](#architecture)
- [How it works — request flow](#how-it-works--request-flow)
- [File map (what every file does)](#file-map-what-every-file-does)
- [Local preview](#local-preview)
- [Refreshing local snapshots](#refreshing-local-snapshots)
- [Deploy to Netlify](#deploy-to-netlify)
- [How CORS is handled](#how-cors-is-handled)
- [Caching strategy](#caching-strategy)
- [Customization](#customization)
- [Privacy & legal](#privacy--legal)
- [Tech stack](#tech-stack)

## What it is

VENOM/INTEL shows:

- the latest CVEs with EPSS exploit-probability scores
- the CISA Known Exploited Vulnerabilities (KEV) catalog
- a derived **Active Exploitation Tracker** that ranks "patch this first" using KEV ∩ EPSS ∩ ransomware usage
- an animated **Global Threat Map** plotting live C2 servers on a Leaflet map
- recent malware IOCs, malicious URLs, active botnet C2 IPs
- recent public data breaches
- aggregated infosec news + exploit publication feeds
- an **IOC reputation lookup** (paste an IP, domain, URL, hash, or CVE-ID)
- a curated OSINT directory (researchers and orgs worth following)
- live charts: severity distribution, KEV-over-time, top vendors, malware families, C2 by country, EPSS top 15

Everything updates automatically every 15 minutes (also on demand via the per-section Refresh button or the top-bar **Refresh all**).

## Feature tour

| Section | What it shows | How it's built |
|---|---|---|
| **Hero / stats strip** | 8 live counters: CVEs (7d), KEV total, Critical (7d), KEV (30d), C2 countries, active IOCs, active C2, news (24h) | `updateStats()` + `countUp()` ease-out animation |
| **🎯 Active Exploitation Tracker** | Ranks every KEV CVE by a priority score: ransomware = +100, overdue = +60, freshness ≤ 30d = +40, EPSS ≥ 0.5 = +30. Chips filter by ransomware / overdue / fresh / high-EPSS | `buildExploitList()` joins KEV + EPSS, sorts by score |
| **🌐 Global Threat Map** | Leaflet dark-tile map (CARTO). Plots Feodo Tracker C2 IPs by country centroid. Pulsing markers (low/mid/high tiers), live attack feed (animated curved arcs), popup with top malware per country | `renderThreatMap()` + `COUNTRY_CENTROIDS` lookup table + `curvedPath()` bezier helper |
| **Quick tools — IOC lookup** | Paste IPv4/v6, domain, URL, MD5/SHA1/SHA256, or CVE-ID. Auto-detects type, cross-references the in-memory threat feeds, calls CIRCL for CVEs, calls the URLhaus host API for domains/IPs | `IOC.detect()` + `IOC.lookup()` |
| **Threat metrics charts** | CVE severity doughnut, KEV-by-month bars (12mo), top vendors, top malware families (ThreatFox), C2 by country | Chart.js 4 |
| **CISA KEV** | Sortable table of all KEV vulnerabilities; filter box | `fetchKEV()` → local snapshot → live → proxy chain |
| **Latest CVEs (NVD)** | Card grid of the last 7 days of NVD CVEs with EPSS badges and product chips. Filter by severity and product/vendor | `fetchCVEs()` + `enrichEPSS()` |
| **ThreatFox IOCs** | Recent malware IOCs from abuse.ch | `fetchThreatFox()` |
| **URLhaus URLs** | Recent malicious URLs (phishing, payload delivery, C2 panels) with cross-check links to VirusTotal & MalwareBazaar | `fetchURLhaus()` |
| **Feodo Tracker C2** | Table of active botnet C2 IPs (IP:port, malware family, country, ASN, first-seen, status) | `fetchFeodo()` |
| **Recent data breaches** | XposedOrNot breach feed: name, records, industry, date | `fetchBreaches()` |
| **Infosec news wire** | Aggregated RSS from Krebs, Bleeping, The Hacker News, SANS ISC, Dark Reading, The Register, Schneier | `fetchRssSet()` + `parseRss()` |
| **Exploit feeds** | Exploit-DB, PacketStorm, GitHub Security Advisories | Same RSS pipeline |
| **OSINT directory** | Curated cards for CISA, CERT-In, vx-underground, MalwareHunterTeam, Krebs, Beaumont, MSTIC, Google TAG, etc., with X / blog / Nitter links | `renderOsint()` over `CONFIG.OSINT_ACCOUNTS` |
| **Top-bar global search** | Searches across CVE, KEV, news, and exploits in one box | `globalSearch()` |
| **JSON export** | ⬇ JSON button dumps the entire in-memory `STATE` snapshot to a download | `exportAll()` |
| **Star / favorite** | ★ on a CVE card persists to `localStorage` | `getStars()` / `toggleStar()` |
| **Status pills + diagnostics panel** | Every section has a pill (loading / ok / cached / error). Click **Show diagnostics** for a per-feed timeline | `setStatus()` + `renderDiagnostic()` |

## Live data sources

All sources are public; no API keys are required.
| Source | What it provides | Endpoint |
|---|---|---|
| **NIST NVD** | Latest CVEs (7-day window) | `services.nvd.nist.gov/rest/json/cves/2.0` |
| **CISA KEV** | Known Exploited Vulnerabilities catalog | `cisa.gov/.../known_exploited_vulnerabilities.json` |
| **FIRST EPSS** | Exploit Prediction Scoring System — probability a CVE will be exploited in the next 30 days | `api.first.org/data/v1/epss` |
| **CIRCL CVE-Search** | CVE detail lookup (CORS-friendly) | `cve.circl.lu/api/cve/...` |
| **URLhaus (abuse.ch)** | Malicious URLs | `urlhaus.abuse.ch/downloads/json_online/` |
| **ThreatFox (abuse.ch)** | Recent malware IOCs | `threatfox.abuse.ch/export/json/recent/` |
| **Feodo Tracker (abuse.ch)** | Active botnet C2 IPs (Emotet, Dridex, TrickBot, QakBot, etc.) | `feodotracker.abuse.ch/downloads/ipblocklist.json` |
| **XposedOrNot** | Data breach catalog | `api.xposedornot.com/v1/breaches` |
| **RSS feeds** | News & exploit publications | Krebs, Bleeping, THN, SANS, Dark Reading, Register, Schneier, Exploit-DB, PacketStorm, GitHub Advisories |

## Architecture

```
┌─────────────────────────────────────────────────────────────────────┐
│ BROWSER (index.html)                                                │
│                                                                     │
│  ┌───────────────────────────────────────────────────────────┐      │
│  │ js/app.js (IIFE — single ~1670-line module)               │      │
│  │                                                           │      │
│  │  CONFIG ─── URLs, RSS list, OSINT accounts, TTLs          │      │
│  │  STATE  ─── { cves, kev, news, exploits, urlhaus,         │      │
│  │               threatfox, feodo, breach, exploitItems }    │      │
│  │                                                           │      │
│  │  fetch layer:   timedFetch → proxyFetch → cache           │      │
│  │  render layer:  renderXxx() + Chart.js + Leaflet          │      │
│  │  orchestration: refreshAll() → critical path + onIdle()   │      │
│  └───────────────────────────────────────────────────────────┘      │
└────────────┬────────────────────────────────────────────────────────┘
             │
   ┌─────────┼────────────────────────────────────────┐
   ▼         ▼                                        ▼
[CORS-OK]  [Same-origin snapshots]              [Proxy chain]
NVD, EPSS, /data/kev.json        1. /.netlify/functions/proxy (whitelisted hosts)
CIRCL      /data/feodo.json      2. api.allorigins.win/raw
           /data/urlhaus.json    3. corsproxy.io
           /data/threatfox.json  4. api.codetabs.com/v1/proxy
           /data/breaches.json
           (refreshed by update-data.sh)
```

The site is intentionally **dependency-free at runtime** except for three CDN-hosted libraries pulled with SRI hashes:

- **Chart.js 4.4.1** — all charts
- **Leaflet 1.9.4** — global threat map
- **Google Fonts** (Inter + JetBrains Mono) — typography

There is no npm install step, no bundler, no framework. `js/app.js` is one self-contained IIFE.

## How it works — request flow

On page load, `js/app.js`:

1. Sets the year + a random build ID.
2. Wires the IntersectionObserver-based scroll reveal animation.
3. Starts the UTC clock.
4. Renders the OSINT cards (synchronous, from `CONFIG.OSINT_ACCOUNTS`).
5. Wires events (filters, search, refresh buttons, IOC lookup, star toggles).
6. Calls `refreshAll()`.
7. Schedules `refreshAll()` to re-run every 15 minutes.

`refreshAll()` is the orchestrator:

```js
// 1. Hydrate from localStorage cache (instant first paint)
['cves','kev','news','exploits','urlhaus','threatfox','feodo','breach']
  .forEach(k => { const c = cache.get(k); if (c) STATE[k] = c; });

// 2. Re-render everything we have cached

// 3. Critical path (above-the-fold): KEV + Feodo + CVE in parallel
const critical = Promise.all([refreshKEV(), refreshFeodo(), refreshCVE()]);

// 4. Below-the-fold deferred to requestIdleCallback
onIdle(() => {
  refreshNews(); refreshExploits(); refreshURLhaus();
  refreshThreatFox(); refreshBreaches();
});
```

Each `fetchXxx()` follows a 3-tier fallback (`tryLocalThenRemote()`):

1. **Local snapshot** (`data/*.json`) — same-origin, no CORS issues, always works.
2. **Direct remote** — works for CORS-friendly endpoints (NVD, EPSS, CIRCL).
3. **Proxy chain** (`proxyFetch`) — tries the Netlify function first, then three public CORS proxies in sequence.

Every fetch is wrapped in `timedFetch()` with a 20-second AbortController timeout, and every successful response is written to `localStorage` with a 30-minute TTL.
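The fetch layer just described, written out as an added example rather than the project's own `js/app.js`: `timedFetch()` with the AbortController timeout, `proxyFetch()` walking the proxy chain in order, and `tryLocalThenRemote()` trying the three tiers and caching the winner with a 30-minute TTL. The `fetch` implementation, storage and clock are injected so it runs offline, and the proxy query-string shapes are assumptions.

```javascript
// Added example (not js/app.js): README fetch layer with fetch/storage/clock injected.
const PROXY_BUILDERS = [                                  // tier 3, tried in this order
  u => `/.netlify/functions/proxy?url=${encodeURIComponent(u)}`,      // query shapes are
  u => `https://api.allorigins.win/raw?url=${encodeURIComponent(u)}`, // assumptions
  u => `https://corsproxy.io/?${encodeURIComponent(u)}`,
  u => `https://api.codetabs.com/v1/proxy?quest=${encodeURIComponent(u)}`,
];
const TTL_MS = 30 * 60 * 1000;                            // 30-minute cache TTL
function makeCache(storage, now = Date.now) {            // localStorage-shaped store
  return {
    get(key) {
      const hit = storage.getItem(key);
      if (!hit) return null;
      const { t, v } = JSON.parse(hit);
      return now() - t > TTL_MS ? null : v;               // expired entries read as a miss
    },
    set(key, v) { storage.setItem(key, JSON.stringify({ t: now(), v })); },
  };
}
// Fetch JSON with an AbortController timeout (20 s in the README).
async function timedFetch(fetchImpl, url, ms = 20000) {
  const ctl = new AbortController(), timer = setTimeout(() => ctl.abort(), ms);
  try {
    const res = await fetchImpl(url, { signal: ctl.signal });
    if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
    return await res.json();
  } finally { clearTimeout(timer); }
}
// Walk the proxy chain; the first proxy that answers wins.
async function proxyFetch(fetchImpl, url, ms) {
  let lastErr;
  for (const build of PROXY_BUILDERS) {
    try { return await timedFetch(fetchImpl, build(url), ms); } catch (e) { lastErr = e; }
  }
  throw lastErr;
}
// Tier order from the README: local snapshot -> direct remote -> proxy chain.
// Resolves to the parsed JSON plus the source label the diagnostics panel shows.
async function tryLocalThenRemote({ fetchImpl, cache, timeoutMs }, key, localPath, remoteUrl) {
  const tiers = [
    ['local snapshot', () => timedFetch(fetchImpl, localPath, timeoutMs)],
    ['live',           () => timedFetch(fetchImpl, remoteUrl, timeoutMs)],
    ['live (proxied)', () => proxyFetch(fetchImpl, remoteUrl, timeoutMs)],
  ];
  const errors = [];
  for (const [source, run] of tiers) {
    try { const data = await run(); cache.set(key, data); return { data, source }; }
    catch (e) { errors.push(`${source}: ${e.message}`); }
  }
  throw new Error(`all tiers failed for ${key}: ${errors.join('; ')}`);
}
```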
The diagnostics panel (**Show diagnostics** button in Quick tools) shows the per-feed status pill, source ("live" / "local snapshot" / "live (proxied)" / "cached"), and time since last update.

### Active Exploitation Tracker scoring

`buildExploitList()` combines the KEV catalog with EPSS scores from the CVE feed and computes a priority score for each vulnerability:

```
score = 0
if knownRansomwareCampaignUse === "Known" → score += 100
if dueDate is past                        → score += 60
if dateAdded within last 30 days          → score += 40
if EPSS >= 0.5                            → score += 30 + round(epss * 30)
score += max(0, 30 - ageDays)             // freshness boost
```

Cards are sorted descending and tagged with the chips that triggered (🦠 Ransomware, ⏰ Overdue, 🆕 fresh, 📈 EPSS%). The four summary cards at the top count items in each bucket.

### Global Threat Map

Built on Leaflet with the CARTO dark-no-labels tile set. The `COUNTRY_CENTROIDS` table maps ISO-2 country codes to `[lat, lon]` centroids. For each country with active C2s:

- A pulsing `divIcon` is layered for visual heartbeat (CSS animation, sized by `sqrt(count)`).
- A clickable `circleMarker` shows the count, top malware families, and ASN samples in its popup.
- The "Live attack feed" sidebar animates curved bezier arcs (`curvedPath()`) from a random origin to a C2 endpoint, prepending each event to the feed.

### IOC reputation lookup

`IOC.detect()` is a regex switchboard that classifies the input:

```
^[a-f0-9]{32}$              → md5
^[a-f0-9]{40}$              → sha1
^[a-f0-9]{64}$              → sha256
^\d{1,3}(\.\d{1,3}){3}$     → ipv4
^[a-fA-F0-9:]+$ with ":"    → ipv6
^https?://                  → url
^[\w.-]+\.[a-z]{2,}$        → domain
^CVE-\d{4}-\d{4,}$          → cve
```

Then `IOC.lookup()`:

- For CVEs: hits CIRCL CVE-Search directly (CORS-friendly).
- For everything else: cross-references the already-loaded URLhaus / ThreatFox / Feodo arrays in memory (zero-cost local matches), then issues a live POST to the URLhaus host endpoint via the Netlify proxy.
- Renders a verdict card plus quick cross-check links to AbuseIPDB, VirusTotal, Shodan, OTX, urlscan.io, MalwareBazaar, etc.

## File map (what every file does)

```
threat-intel-site/
├── index.html          # Single-page HTML shell
├── css/
│   └── style.css       # ~1500 lines of dark-mode UI (CSS vars, no framework)
├── js/
│   └── app.js          # ~1670 lines — all logic, all rendering
├── data/               # Same-origin JSON snapshots (CORS bypass)
│   ├── kev.json        # CISA KEV catalog (~1.5 MB)
│   ├── feodo.json      # Feodo Tracker C2 list (~2 KB)
│   ├── threatfox.json  # Recent ThreatFox IOCs (~2 MB)
│   ├── urlhaus.json    # Recent URLhaus URLs (~70 KB)
│   └── breaches.json   # XposedOrNot breach catalog (~575 KB)
├── netlify/
│   └── functions/
│       └── proxy.js    # Whitelisted CORS proxy (Netlify function)
├── netlify.toml        # Netlify build + headers + cache rules
├── _redirects          # SPA fallback (/* → /index.html 200)
├── update-data.sh      # Cron-able script to refresh data/*.json
└── README.md           # You are here
```

### `index.html`

The HTML shell, ~420 lines. Defines every section and every empty container that `js/app.js` later fills, in page order:

- Topbar — brand, global search input, anchor nav, UTC clock, **Refresh all** and **⬇ JSON** buttons.
- Title, tag pills, CTA buttons, 8-stat strip.
- Active Exploitation Tracker with summary cards, filter chips, grid, and 3 charts.
- Leaflet container, top-attack-origins sidebar, live attack feed.
- IOC lookup form, diagnostics panel.
- 5 chart canvases.
- KEV table.
- CVE card grid + severity/product filters.
- ThreatFox grid.
- URLhaus grid.
- Feodo Tracker table.
- Breach grid.
- News grid.
- Exploit feeds grid.
- OSINT directory grid (populated from `CONFIG.OSINT_ACCOUNTS`).
- Attribution lists for every data source.
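The Active Exploitation Tracker scoring described above, carried through on constructed data as an added example (not the project's `buildExploitList()`): KEV-style rows are joined with an EPSS map, scored with the README's rules, sorted, and tagged with the chips that triggered, and `bucketCounts()` produces the four summary-card numbers. Field names follow the KEV JSON (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`); the sample records and the pinned "now" are constructed.

```javascript
// Added example, not the project's buildExploitList(): the README's priority
// score applied to constructed KEV rows joined with an EPSS map.
const DAY_MS = 86400000;
const daysBetween = (later, earlier) => Math.floor((later - earlier) / DAY_MS);

// kev: KEV-style rows (cveID, dateAdded, dueDate, knownRansomwareCampaignUse);
// epss: { cveID: probability }; now: epoch ms, injectable so scores are reproducible.
function buildExploitList(kev, epss, now = Date.now()) {
  return kev.map(v => {
    const p = epss[v.cveID] ?? 0;
    const ageDays = daysBetween(now, Date.parse(v.dateAdded));
    const chips = [];
    let score = 0;
    if (v.knownRansomwareCampaignUse === 'Known') { score += 100; chips.push('ransomware'); }
    if (Date.parse(v.dueDate) < now)               { score += 60;  chips.push('overdue'); }
    if (ageDays <= 30)                             { score += 40;  chips.push('fresh'); }
    if (p >= 0.5)            { score += 30 + Math.round(p * 30); chips.push('epss'); }
    score += Math.max(0, 30 - ageDays);            // freshness boost
    return { cveID: v.cveID, score, chips, epss: p, ageDays };
  }).sort((a, b) => b.score - a.score);            // highest priority first
}

// The four summary cards: how many items landed in each chip bucket.
function bucketCounts(list) {
  const counts = { ransomware: 0, overdue: 0, fresh: 0, epss: 0 };
  for (const item of list) for (const c of item.chips) counts[c] += 1;
  return counts;
}

// Constructed sample data (placeholder IDs, not real KEV/EPSS records);
// "now" is pinned to 2024-03-01T00:00:00Z.
const SAMPLE_NOW = Date.UTC(2024, 2, 1);
const SAMPLE_KEV = [
  { cveID: 'CVE-0000-0001', dateAdded: '2024-02-20', dueDate: '2024-03-12', knownRansomwareCampaignUse: 'Known' },
  { cveID: 'CVE-0000-0002', dateAdded: '2023-11-01', dueDate: '2023-11-22', knownRansomwareCampaignUse: 'Unknown' },
  { cveID: 'CVE-0000-0003', dateAdded: '2024-02-28', dueDate: '2024-03-20', knownRansomwareCampaignUse: 'Unknown' },
];
const SAMPLE_EPSS = { 'CVE-0000-0001': 0.12, 'CVE-0000-0002': 0.91, 'CVE-0000-0003': 0.02 };
```

With the pinned clock, the ransomware-linked 10-day-old entry scores 160, the overdue high-EPSS entry 117, and the fresh low-EPSS entry 68.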
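The IOC reputation lookup's detection step and its zero-cost in-memory cross-reference, as an added example rather than the project's `IOC` object. It applies the README's regex switchboard (input is trimmed and lowercased before the hash/IP/domain tests, an assumption, since the README shows lowercase-only hash patterns) and then scans constructed Feodo / URLhaus / ThreatFox rows; the feed field names (`ip_address`, `url`, `threat`, `ioc_value`, `malware`) are assumptions modelled on the abuse.ch exports.

```javascript
// Added example, not the project's IOC object: the README's regex switchboard and
// the in-memory cross-reference. Lowercasing before the hash tests and the feed
// field names are assumptions, not taken from the project.
const IOC = {
  detect(raw) {
    const s = raw.trim();
    if (/^cve-\d{4}-\d{4,}$/i.test(s)) return 'cve';
    const v = s.toLowerCase();
    if (/^[a-f0-9]{32}$/.test(v)) return 'md5';       // hashes are tested before ipv6:
    if (/^[a-f0-9]{40}$/.test(v)) return 'sha1';      // a bare hex string also satisfies
    if (/^[a-f0-9]{64}$/.test(v)) return 'sha256';    // the ipv6 character class
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(v)) return 'ipv4';
    if (/^[a-f0-9:]+$/.test(v) && v.includes(':')) return 'ipv6';
    if (/^https?:\/\//.test(v)) return 'url';
    if (/^[\w.-]+\.[a-z]{2,}$/.test(v)) return 'domain';
    return 'unknown';                                 // e.g. "ip:port" pairs fall through
  },
  // Zero-cost local matches against the feeds already held in STATE.
  localMatches(state, raw) {
    const type = this.detect(raw), v = raw.trim().toLowerCase(), hits = [];
    if (type === 'ipv4' || type === 'ipv6') {
      for (const c2 of state.feodo) if (c2.ip_address === v) hits.push({ feed: 'feodo', malware: c2.malware });
    }
    if (type === 'ipv4' || type === 'domain' || type === 'url') {
      for (const u of state.urlhaus) {
        let host = ''; try { host = new URL(u.url).hostname; } catch {}
        if (u.url.toLowerCase() === v || host === v) hits.push({ feed: 'urlhaus', threat: u.threat });
      }
    }
    for (const t of state.threatfox) if (t.ioc_value.toLowerCase() === v) hits.push({ feed: 'threatfox', malware: t.malware });
    return { type, hits, verdict: hits.length ? 'seen in feeds' : 'no local match' };
  },
};

// Constructed sample feeds (documentation-range address, placeholder domain, not real indicators).
const SAMPLE_STATE = {
  feodo:     [{ ip_address: '203.0.113.10', port: 443, malware: 'Dridex' }],
  urlhaus:   [{ url: 'http://bad.example/payload.exe', threat: 'malware_download' }],
  threatfox: [{ ioc_value: 'bad.example', ioc_type: 'domain', malware: 'win.dridex' }],
};
```

Note that an `ip:port` string such as a ThreatFox `ip:port` IOC is classified as `unknown` by the README's patterns, so the UI only gets local matches for it after the port is stripped.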