CISA Added 13 Vulnerabilities to KEV in Five Days. Microsoft Defender, Cisco SD-WAN, and Six More Are Being Exploited Right Now.
Between Monday April 20 and Friday April 24, CISA added 13 vulnerabilities to the Known Exploited Vulnerabilities catalog. That is a high-cadence week. The federal patching deadlines are now stacked between April 23 and May 4. If you are a US federal agency, the calendar is already past due on some of these. If you are everyone else, the active-exploitation flag is the part that matters and the vendor names tell the story. Here is the full list, in the order CISA published th
Patrick Duggan
Apr 25 · 4 min read


ShinyHunters Just Claimed ADT for 10 Million Records. Five Days Ago Vercel Disowned the Same Claim. Was It Them This Time?
ADT confirmed a data breach this weekend. ShinyHunters claim 10 million records. ADT detected unauthorized access on April 20, terminated the intrusion the same day, and started an investigation. Five days earlier, on April 19, we published a post titled "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." That post made one bet: somebody is using the ShinyHunters name without paying for the franchise. Here is what we have on the ADT incident a
Patrick Duggan
Apr 25 · 4 min read


CrowdStrike Was Just Lecturing About Windows Defender Vulnerabilities. They Quietly Patched a CVSS 9.8 in Their Own Product This Weekend.
CrowdStrike published an urgent advisory for CVE-2026-40050 this week. CVSS 9.8. Critical. Unauthenticated. A remote attacker can read arbitrary files from a LogScale Self-Hosted server's filesystem with no credentials at all, by hitting an exposed cluster API endpoint. They patched it in 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS. SaaS customers were quietly protected by network-layer blocks before the public could see the advisory. LogScale is the same product CrowdStrike a
Patrick Duggan
Apr 25 · 3 min read


Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2.
Mustang Panda (木马熊猫) has changed targets. It isn't Mongolian NGOs anymore. This time it's you, the developer searching for "claude code download". Our IOC index currently holds 82 Claude-related indicators. 29 of them landed in the last 30 days. Six of those were chained together along a single path on April 17: install-claude.com dropped an IClickFix loader, paired with a set of GitHub repositories hosting a PlugX implant. From click to first C2 callback: 22 seconds. Mustang Panda's adversary profile reads "targets non-governmental organizations with PlugX malware." Correct, but incomplete. What they are doing now is counterfeiting developer-facing AI tools: fake Claude, fake Claude Code, fake MCP servers. This tactical shift was not announced in a press release. We dug it out of our own collection. Below is what they are running right now. April 17, 2026: install-claude.com (IClickFix C2, 90% confidence). github.com/Xian
Patrick Duggan
Apr 24 · 3 min read


QRadar + DugganUSA STIX: Configure the Feed in 15 Minutes
If your SOC runs IBM QRadar, this is how you hook our STIX/TAXII feed into it. Fifteen minutes, two paths, neither involves calling an IBM sales engineer. I am not going to explain why you should run QRadar or why you shouldn't. If you're here, you already have it. Let's get the feed working. Step 1: Get an API key Go to analytics.dugganusa.com/stix/register and fill in the form. Free tier gives you 25 queries per day and is fine for testing. Pro tier at $99 per month is what
Patrick Duggan
Apr 24 · 5 min read


Four Flags, One Playbook: China, North Korea, Russia, and Iran All Hit the Supply Chain This Week
In the last thirty-six hours, four different nation-state threat actors — China, North Korea, Russia, and Iran — each executed a different supply chain attack against a different trusted dev-tool or software vendor. One week, four flags, one playbook. The door is developer trust of upstream. The attackers walk through it until someone closes it. For the six months I've been writing about Pattern 38 through 52, the thesis has been the same: the weakest link in enterprise secur
Patrick Duggan
Apr 24 · 5 min read


Four Days Ahead of Vercel: The Week the Wire Caught Up
On April 19 I published a piece arguing that the Vercel breach wasn't a phishing attack. It was an AI supply chain compromise — a Context.ai OAuth token that held access to Vercel's Google Workspace, pivoted laterally by whoever compromised the AI vendor first. I wrote that the actual entry vector was trust, not social engineering. Vercel confirmed it today, April 23. Four days later. The public narrative is now the thing I wrote on my couch on Saturday. This is the week the
Patrick Duggan
Apr 23 · 6 min read


Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2.
Mustang Panda has a new target. It isn't Mongolian NGOs anymore. It's you — the developer searching for "claude install" at 11pm on a Wednesday. 82 Claude-themed indicators are sitting in our IOC index. 29 of them landed in the last 30 days. Six different malware families are using the Anthropic brand as bait — IClickFix, ClearFake, SmartLoader, Unknown Stealer, and two unlabeled droppers. Malwarebytes did the primary sandbox work on April 13 — a fake Claude Pro installer ZIP
Patrick Duggan
Apr 22 · 5 min read


Five Minnesota Companies. Five Security Postures. The Snowmobile Company Wins.
We scanned five Minnesota-headquartered companies from the public internet. No tools beyond dig, curl, and openssl. No authentication. No exploitation. Just the things any attacker sees before they start. The results are not what you would expect. The Scorecard We checked seven controls that every company should have deployed in 2026: HSTS (force HTTPS), X-Frame-Options (prevent clickjacking), X-Content-Type-Options (prevent MIME sniffing), Content-Security-Policy (control sc
Patrick Duggan
Apr 21 · 4 min read


How I Would Look for The Gentlemen
Check Point Research published a DFIR report this month that cracked open a live command-and-control server linked to a Gentlemen affiliate. 1,570 corporate victims on one C2 box. 320+ publicly claimed. Growth rivaling early LockBit 3. The fastest-scaling RaaS operation of 2026. The report gave us two C2 IPs: a Cobalt Strike beacon on Hetzner in Frankfurt, and a SystemBC proxy on Clouvider in Ashburn. Twenty-seven file hashes. A leak site onion address. Two Tox IDs. Good repo
Patrick Duggan
Apr 21 · 5 min read


The CISA Deadline for CVE-2026-35616 Was 12 Days Ago. Four Weaponized Exploits Are on GitHub Right Now.
CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog on April 6th. The federal remediation deadline was April 9th. That was twelve days ago. There are now four independent weaponized proof-of-concept exploits on GitHub. The newest one dropped yesterday. CVE-2026-35616 is an improper access control vulnerability in Fortinet FortiClient EMS. The exploit bypasses the API certificate chain validation, allowing an unauthenticated attacker to forge certificates
Patrick Duggan
Apr 21 · 2 min read


Anthropic's MCP Has a Critical RCE Vulnerability. We Don't Use MCP. Here's Why.
OX Security dropped a disclosure on April 15th. Anthropic's Model Context Protocol — the STDIO transport that connects AI models to tools — has a configuration-to-command-execution path baked into the SDK. Python. TypeScript. Java. Rust. All of them. 150 million downloads affected. 200,000 servers exposed. Anthropic's response: "expected behavior." Expected behavior. Remote code execution is expected behavior. The CVE chain reads like a casualty list. MCP Inspector. LibreChat
Patrick Duggan
Apr 20 · 3 min read


We Just Shipped 12 Integrations and a Tor Attribution Framework. On a Monday.
Six months ago DugganUSA was a guy with a STIX feed and a blog. Today we shipped the Tor Infrastructure Attribution Framework, updated 12 integration repositories, and found a 50-relay operator cluster sharing infrastructure with Interlock ransomware. On a Monday. Before lunch. Here is every way you can consume our threat intelligence right now. VS Code Extension (v0.3.0 — live on the Marketplace). Select any IP, domain, hash, CVE, or .onion address in your code. Right-click.
Patrick Duggan
Apr 20 · 4 min read


50 Tor Exit Relays. One Operator. Same ASN as Interlock Ransomware C2. We Found It on Day One.
We built a Tor Infrastructure Attribution Framework this morning. Indexed 10,269 relays from the live consensus. Cross-referenced every relay IP against our 1,086,742 IOCs. Then we found Quetzalcoatl. 50 Tor exit relays. All of them exit nodes. Seven countries. Seven ASNs. One nickname. 782,000 units of consensus bandwidth. The second-largest relay operator we indexed by node count, and every single relay is purpose-built for exit traffic. The primary hosting provider is 1337
Patrick Duggan
Apr 20 · 3 min read


The Vercel Breach Wasn't a Phishing Attack. It Was an AI Supply Chain Compromise.
Earlier today we published our investigation into the Vercel breach, tracking ShinyHunters-pattern phishing domains and finding vercel-sso.com staged seven months before the announcement. That was the wrong thread. The root cause just dropped. Vercel CEO Guillermo Rauch confirmed it: an employee was compromised through Context.ai, a third-party AI platform. Context.ai had a Google Workspace OAuth app. That app was separately compromised. The attacker used the OAuth token to p
Patrick Duggan
Apr 19 · 3 min read


ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked.
Someone posted on BreachForums today claiming to be ShinyHunters, offering Vercel's internal data for $2 million. Source code. NPM tokens. GitHub tokens. 580 employee records. A screenshot of an internal Enterprise dashboard. Vercel confirmed a breach. "Unauthorized access to certain internal Vercel systems." Law enforcement notified. IR firm engaged. Then the twist: actual ShinyHunters-affiliated threat actors told BleepingComputer they had nothing to do with it. So who's we
Patrick Duggan
Apr 19 · 3 min read


It's Saturday. Your Security Vendor Just Failed. Again.
This week, someone bought 30 WordPress plugins on Flippa for six figures, planted a PHP deserialization backdoor in all of them, and activated it on a Saturday. 800,000 websites. One attacker. Zero alerts from your vendor. It was the weekend. That same weekend, the Smart Slider 3 Pro update channel was compromised. Nextend's servers pushed a fully weaponized remote access toolkit to every site that auto-updated. Rogue admin accounts. Backdoors that execute system commands via
Patrick Duggan
Apr 19 · 3 min read


Two Windows Defender Zero-Days Are Still Unpatched. A Ransomware Gang Exploits the Gap. And Someone Weaponized Obsidian.
Three stories broke this week that are actually one story. The thread connecting them is the gap — the window between when a vulnerability becomes known and when defenders can act on it. Every organization lives in that gap. The question is how wide yours is. Story One: Nightmare-Eclipse Huntress SOC published findings on a trio of Windows Defender zero-days being chained together in the wild under the collective name Nightmare-Eclipse. Three separate privilege escalation fla
Patrick Duggan
Apr 18 · 5 min read


The Gap Isn't Data. It's Delivery. Why We Put 1 Million IOCs in Your Editor, Terminal, and Browser.
The threat intelligence market is $14.6 billion and growing. CrowdStrike charges $25 per endpoint per month. Recorded Future starts at $100,000 per year. Mandiant's pricing page says "contact sales," which is the enterprise way of saying "more than you want to spend." Ninety-five percent of organizations on earth cannot afford those prices. The small hospitals, the school districts, the municipalities, the startups, the managed service providers serving a hundred SMBs — they
Patrick Duggan
Apr 17 · 6 min read


We Just Put 1 Million Threat Indicators Inside Your Code Editor. It's Free.
There are 1,080,000 indicators of compromise in our database right now. IPs running Cobalt Strike C2 servers. Domains serving STX RAT payloads. SHA256 hashes of ransomware samples. CVE IDs with weaponized proof-of-concept code live on GitHub. As of today, all of them are searchable from inside your VS Code editor without opening a browser. The DugganUSA Threat Intel Scanner is live on the VS Code Marketplace. Install it. Open a file. Every IP, domain, hash, and CVE in your co
Patrick Duggan
Apr 17 · 4 min read