

Two Ransomware Crews Hit Sysco in Two Months. Qilin in May, ShinyHunters in June. When Two Gangs Walk the Same Door Weeks Apart, the Door Was the Problem.
Sysco is the largest food distributor in the world, and in the span of about eight weeks it got claimed by two different extortion crews. Qilin, the ransomware operation, named Sysco as a victim in early May. Then on June 15, ShinyHunters claimed it had stolen more than 61 million Salesforce records from the company — customer information, employee data, and internal corporate records — and set a June 18 payment deadline. When the deadline passed with no payment, the data sta
Patrick Duggan
6 hours ago · 4 min read


Avalon Ships Its Own Ransomware and Outsources Its Brain to Groq. The Attacker Types English; a Public LLM Writes the Shell Commands.
On July 1, Blackpoint Cyber researchers Nevan Beal and Sam Decker published a teardown of a malware framework they are calling Avalon, and it is the clearest example yet of the thesis we have been writing all week: the attacker's brain is now a rented API. Avalon is a full modular framework — credential theft, lateral movement, remote access, recovery disruption, and its own bundled ransomware component internally named CrownX. What makes it worth a post is not the feature li
Patrick Duggan
6 hours ago · 4 min read


Bad Epoll Is the Second Linux Root Bug in a Week — and It Fires From Inside Chrome's Sandbox. Still No Attack in the Wild. Both Are True.
Two days after we wrote up DirtyClone, the Linux kernel handed defenders a second local-root flaw in the same week. This one is called Bad Epoll, tracked as CVE-2026-46242, and before we get into it, here is the same sentence of honesty we led the DirtyClone post with, because it is the whole reason to read us instead of the wire copy: there is a working exploit, and there is no confirmed attack in the wild. Both are true right now. The difference between those two facts is t
Patrick Duggan
6 hours ago · 5 min read


DirtyClone Rewrites Your su Binary in Memory and Never Touches the Disk. There's a Working Exploit — and No Confirmed Attack Yet. Both Are True.
There is a new Linux kernel privilege-escalation flaw called DirtyClone, tracked as CVE-2026-43503, and it does something that should bother anyone who trusts their integrity monitoring: it makes an unprivileged local user into root by rewriting a privileged binary in memory, and it leaves nothing on disk to prove it happened. Before we get into how, one sentence of honesty that the headlines are skipping, because it's the whole point of reading us instead of them: there is a
Patrick Duggan
14 hours ago · 5 min read