Interesting timing — we captured downstream exploitation of this exact attack surface.

38 days after @hackermondev's disclosure, our automated OSINT harvester pulled 121 IOCs from OpenPhish/OTX:

- 101 URLs for discord.flawing.top/blog/* (mimicking Discord's documentation structure)
- 20 URLs for openopenbox301.vercel.app (phishing hosted ON Vercel)

The attackers read the same disclosures we do. They just build infrastructure instead of writing reports.

Evidence (queryable):

  curl "https://analytics.dugganusa.com/api/v1/search?q=discord.flawing.top"

Full writeup with IOCs: https://www.dugganusa.com/post/mintlify-xss-downstream-exploitation-captured

STIX feed (free): https://analytics.dugganusa.com/api/v1/stix-feed