
All Posts


Three Soft Surfaces Bled Today — The Perimeter Held Every Time
May 20, 2026. Three separate incidents on the wire today, three separate vendors, three separate threat actors. Same shape on all of them. The hardened...
Patrick Duggan
3 hours ago · 3 min read


Four Hours From Disclosure To Exploitation. PraisonAI Just Set The New Floor.
CVE-2026-44338 in PraisonAI was disclosed publicly on May 14, 2026. Threat actors were observed attempting to exploit it within four hours. This is the new floor. PraisonAI is an open-source framework for building agentic AI applications. The vulnerability allowed remote code execution against PraisonAI instances. The disclosure-to-weaponization gap of four hours is approximately one hundred and sixty-eight times shorter than the gap commonly cited in security writeups from 2
Patrick Duggan
16 hours ago · 4 min read


Dirty Frag Plus NGINX Rift Plus CVE-2026-43284. The May 2026 Kill Chain Nobody Is Calling A Kill Chain.
The cybersecurity press names individual CVEs because individual CVEs make for clean headlines. The defender press should also be naming exploit chains, because exploit chains are what actually compromise production environments. May 2026 delivered a three-CVE chain that Security Boulevard called "a reliable, race-free, forensically quiet kill chain from the public internet to root." This post unpacks each CVE, how they chain, and why a chain-aware detection posture is the on
Patrick Duggan
16 hours ago · 5 min read


Trellix Got Breached. Attackers Stole The Code Powering Their Security Tools. The Cobbler's Children Have An Inventory Problem Now.
This week, the security vendor Trellix disclosed that attackers had gained unauthorized access to the code powering the company's security tools. Not customer data. Not employee records. The source code of the tools Trellix sells to defenders. Trellix descended from the 2022 merger of McAfee Enterprise and FireEye, two of the most storied security vendors in the industry. McAfee was breached in 2010. FireEye was breached in 2020 by the SolarWinds operator — the breach that ta
Patrick Duggan
16 hours ago · 5 min read


🔺 CONSPIRACY THEORY Newsletter Vol. 49: The Embedder Is The Progeny
🔺 CONSPIRACY THEORY 🔺 The Newsletter They Don't Want You To Read Volume 49 | May 20, 2026 | $2.00 (cash only, exact change, no tracking, do NOT use Venmo) ――――――――――――――――――――― ATTENTION SUBSCRIBERS: If you registered for the STIX feed this week, you're already in the system. Yes, that one. Yes, the analytics ARE logged. The transparency goes one way. No nose biting, Jerry. ――――――――――――――――――――― THIS WEEK'S PATTERN: THE EMBEDDER IS THE PROGENY Stay with me. July eighth, 197
Patrick Duggan
18 hours ago · 5 min read


Five Minutes To Make Claude Code A Threat-Intel-Aware Defender. Add Jeevesus And Dredd As MCP Servers.
The activation problem in defender tooling is the curl wall. A SOC analyst registers for a STIX feed, gets a key, sees an example curl command, copies it, gets a 401 because they pasted the key wrong, never comes back. Three quarters of the keys we have ever issued never made a first call. We published the funnel data on that yesterday. The MCP path does not have the curl wall. If you run Claude Code, Cursor, Cline, ChatGPT desktop, or any other MCP client, you can wire two D
Patrick Duggan
18 hours ago · 5 min read


Ten Curls That Make The DugganUSA STIX Feed Pay For Itself. Run These In Your Daily Standup.
The DugganUSA STIX feed gives every registered defender a free-tier key with five hundred queries per day across the iocs, pulses, epstein_files, blog, and content indexes. The free tier is generous. The activation rate on the free tier is not. Three quarters of the keys we have ever issued have never made a first call. This post is the first call. Ten specific curl commands a defender can run against the public DugganUSA APIs to get useful output today. Each query has a sing
Patrick Duggan
18 hours ago · 5 min read


Cleaver Is Five Iranian APTs. PLA Navy Is Three Pandas. Grizzly Steppe Is Two Intelligence Services. The Vendor Naming Graph In Public.
The DugganUSA blog ran a post on May 13 titled "ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP." The single-IP version of the thesis: vendor attribution fragmentation provides operational camouflage for the threat actor. Three analyst teams looking at the same infrastructure produce three different campaign labels at three different abstraction levels, and the defender ends up tracking a phantom three-campaign threat instead of the real one-operator threat. Today we
Patrick Duggan
1 day ago · 5 min read


Six Months. 844 Megabytes. Three GovCloud Accounts. The CISA Leak Is The Class We Just Closed In Our Own Stack This Week.
The disclosure landed this week. A contractor working for CISA — the agency responsible for cybersecurity guidance across the federal civilian network — kept a public GitHub repository named "Private-CISA" with 844 megabytes of credentials, internal blueprints, and signed certificates from November 13, 2025 through May 15, 2026. Six months in the open. GitGuardian's automated scanner caught it on May 14, 2026. Krebs and Seralys notified CISA the next day. The repository came
Patrick Duggan
1 day ago · 7 min read


Four Tiers Of AI In Cybercrime. We Have Receipts At Every Tier. Tier 4 Is Where The Defender Stack Is Not Looking.
A common question right now is whether AI is making threat actors more sophisticated. The answer depends on what you mean by sophistication. The DugganUSA corpus has receipts at four distinct tiers of AI involvement in current cybercrime activity, and the four tiers behave like different problems. Treating them as one trend is the mistake. This post defines the tiers, names the receipts, and tells you where the defender stack is structurally blind. Tier 1 — AI as the lure Thi
Patrick Duggan
1 day ago · 5 min read


Half Of Our Android RAT Corpus Arrived In The Last 72 Hours. The Next Mobile Campaign Is Staging On GitHub Right Now.
This is a prediction post, not a receipts-after-the-fact post. The shape that prompts the prediction is unambiguous. The DugganUSA IOC corpus contains 31 Android-RAT-family indicators all-time. Fifteen of those 31 arrived in the last 72 hours. Forty-eight percent of a multi-month corpus appeared in three days. The source for every one of those 15 is our github-hunt-cron — the scheduled job that sweeps GitHub Search for known-bad infrastructure patterns at 08:15 UTC daily. The
Patrick Duggan
1 day ago · 4 min read


NGINX Rift Is An 18-Year-Old Heap Overflow Being Exploited Right Now. Here Is How To Hunt It In Your Logs Tonight.
CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in the ngx_http_rewrite_module that has been sitting in the codebase since NGINX 0.6.27. That is 2008. The vulnerability is rated CVSS 9.2 and affects every release from 0.6.27 through 1.30.0. Exploitation in the wild has been confirmed this week. The patch shipped May 13, 2026. If you have not deployed it yet, the rest of this post is what to look for in your logs while you finish the change-management ticket. What
Patrick Duggan
1 day ago · 6 min read


Two MCP Servers. One STIX Key. How To Actually Use Jeevesus And Dredd From Inside Claude Code.
DugganUSA ships two public MCP servers against the same threat intelligence corpus. Jeevesus is the read side — search the IOC index in natural language, enrich an IP, summarize what is hot in the STIX feed. Dredd is the judge side — before you install or invoke any other MCP server, ask Dredd whether that server is BLOCK, ADVISORY, or ALLOW. As of today, Dredd's verdict covers both the server's own identity and the server's directly declared dependency graph against our IOC
Patrick Duggan
2 days ago · 5 min read


Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.
Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commerci
Patrick Duggan
2 days ago · 3 min read


MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
CheckPoint published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled fr
Patrick Duggan
3 days ago · 4 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
3 days ago · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
3 days ago · 5 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
3 days ago · 6 min read


Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. A fifth, CVE-2026-20127,...
Patrick Duggan
4 days ago · 9 min read


Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web...
Patrick Duggan
4 days ago · 5 min read