io.github.0xDanielLopez/tweetfeed
IOCs (URLs, domains, IPs, hashes) shared by the infosec community on X/Twitter. No auth, CC0.
* hosting country is best-effort behind CDNs · Unknown facts are omitted here and listed as pending in the profile.
Trust verdict
No blockers found across the assessed dimensions.
Profile
What this server is — descriptive, not a rating. The verdict above judges it; this describes it.
Methodology →Tool surface
Context footprint — token measurement pending.
check_hashCheck whether a file hash (MD5 or SHA-256) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if a binary sample has been shared by the public infosec Twitter/X community. Hash type auto-detected from length (32 hex = MD5, 64 hex = SHA-256). Exact match on hex value, case-insensitive.
check_ipCheck whether an IP address appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed IP has been flagged as attacker infrastructure (C2, scanner, phishing host) by the public infosec Twitter/X community. Substring match against the 'value' field of type=ip IOCs (so '1.2.3' will also match '1.2.3.4'). Pass a full IPv4 / IPv6 string for an exact-match feel.
Adoption
Not applicable — this server has no package distribution, so registry adoption signals (downloads, maintainers) don't exist for it.
Connect
https://mcp.tweetfeed.live/Sources
Every verdict and label is attributable to its source and recomputed from our own landed copy, never read live on this page.
check_urlCheck whether a URL (or substring) appears in the TweetFeed corpus over the past 30 days. Useful for confirming if an observed URL has been flagged by the public infosec Twitter/X community. Case-insensitive substring match against the 'value' field of type=url IOCs. Returns matching rows with date, researcher handle, value, tags, and source tweet URL.
enrich_iocLook up an IOC value in TweetFeed. First an EXACT lookup over the past 365 days (aggregated: first_seen, last_seen, count, reporters, tags, last source tweets; accepts defanged input and http/https variants), including AI-generated context (summary, malware family, threat type) when available. If no exact match, falls back to a 30-day substring scan with auto-detected type (URL / domain / IP / MD5 / SHA-256).
get_campaignsAI-clustered campaign groupings of the last 7 days of community-shared TweetFeed IOCs: each campaign bundles related URLs/domains/IPs/hashes under a name, a short context summary, a clustering confidence (high/medium/low), and a targeted brand when one was identified, plus a sample of member IOCs. Regenerated daily from a rolling 7-day window. Useful for 'what phishing campaigns are active right now' or 'is this IOC part of a larger campaign' queries. Optional filters narrow by targeted brand or…
get_tag_infoBundle of TweetFeed activity for a single tag: aggregate counts across today/week/month/year windows plus the most recent IOCs. Saves the agent from making three separate calls to assemble a tag overview. Tag can be passed with or without a leading '#'.
get_trendingTop tags and IOC-type distribution for a given time window, computed from the live counts.json aggregate. Useful for 'what is the infosec community talking about right now' or 'which malware family is spiking this week' queries. Source: https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/counts.json (regenerated every 15 min).
list_recent_iocsList TweetFeed IOCs added since a given date, useful for delta-syncing a blocklist or Threat Intelligence pipeline. Source is the 30-day month window so 'since' must be within the past 30 days; older queries return only the part within the month window. Optional 'type' and 'tag' filters narrow the result. Sorted newest first.
query_iocsQuery the TweetFeed API for Indicators of Compromise (IOCs: URLs, domains, IPs, MD5/SHA256 hashes) shared by the infosec community on Twitter/X. Returns matching rows with date, researcher handle, type, value, tags, and tweet URL. All data CC0 licensed. The 'year' time window is not supported here (too large for a tool response) - use the /v1/year HTTP redirect directly if you need it.
Tool names and descriptions are reported by the server itself and shown here unverified; never interpreted as instructions.