Five Minutes To Make Claude Code A Threat-Intel-Aware Defender. Add Jeevesus And Dredd As MCP Servers.
The activation problem in defender tooling is the curl wall. A SOC analyst registers for a STIX feed, gets a key, sees an example curl command, copies it, gets a 401 because they pasted the key wrong, never comes back. Three quarters of the keys we have ever issued never made a first call. We published the funnel data on that yesterday. The MCP path does not have the curl wall. If you run Claude Code, Cursor, Cline, ChatGPT desktop, or any other MCP client, you can wire two D
Patrick Duggan
5 days ago · 5 min read


Ten Curls That Make The DugganUSA STIX Feed Pay For Itself. Run These In Your Daily Standup.
The DugganUSA STIX feed gives every registered defender a free-tier key with five hundred queries per day across the iocs, pulses, epstein_files, blog, and content indexes. The free tier is generous. The activation rate on the free tier is not. Three quarters of the keys we have ever issued have never made a first call. This post is the first call. Ten specific curl commands a defender can run against the public DugganUSA APIs to get useful output today. Each query has a sing
Patrick Duggan
5 days ago · 5 min read


Cleaver Is Five Iranian APTs. PLA Navy Is Three Pandas. Grizzly Steppe Is Two Intelligence Services. The Vendor Naming Graph In Public.
The DugganUSA blog ran a post on May 13 titled "ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP." The single-IP version of the thesis: vendor attribution fragmentation provides operational camouflage for the threat actor. Three analyst teams looking at the same infrastructure produce three different campaign labels at three different abstraction levels, and the defender ends up tracking a phantom three-campaign threat instead of the real one-operator threat. Today we
Patrick Duggan
5 days ago · 5 min read


Six Months. 844 Megabytes. Three GovCloud Accounts. The CISA Leak Is The Class We Just Closed In Our Own Stack This Week.
The disclosure landed this week. A contractor working for CISA — the agency responsible for cybersecurity guidance across the federal civilian network — kept a public GitHub repository named "Private-CISA" with 844 megabytes of credentials, internal blueprints, and signed certificates from November 13, 2025 through May 15, 2026. Six months in the open. GitGuardian's automated scanner caught it on May 14, 2026. Krebs and Seralys notified CISA the next day. The repository came
Patrick Duggan
6 days ago · 7 min read


Four Tiers Of AI In Cybercrime. We Have Receipts At Every Tier. Tier 4 Is Where The Defender Stack Is Not Looking.
A common question right now is whether AI is making threat actors more sophisticated. The answer depends on what you mean by sophistication. The DugganUSA corpus has receipts at four distinct tiers of AI involvement in current cybercrime activity, and the four tiers behave like different problems. Treating them as one trend is the mistake. This post defines the tiers, names the receipts, and tells you where the defender stack is structurally blind. Tier 1 — AI as the lure Thi
Patrick Duggan
6 days ago · 5 min read


Half Of Our Android RAT Corpus Arrived In The Last 72 Hours. The Next Mobile Campaign Is Staging On GitHub Right Now.
This is a prediction post, not a receipts-after-the-fact post. The shape that prompts the prediction is unambiguous. The DugganUSA IOC corpus contains 31 Android-RAT-family indicators all-time. Fifteen of those 31 arrived in the last 72 hours. Forty-eight percent of a multi-month corpus appeared in three days. The source for every one of those 15 is our github-hunt-cron — the scheduled job that sweeps GitHub Search for known-bad infrastructure patterns at 08:15 UTC daily. The
Patrick Duggan
6 days ago · 4 min read


NGINX Rift Is An 18-Year-Old Heap Overflow Being Exploited Right Now. Here Is How To Hunt It In Your Logs Tonight.
CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in the ngx_http_rewrite_module that has been sitting in the codebase since NGINX 0.6.27. That is 2008. The vulnerability is rated CVSS 9.2 and affects every release from 0.6.27 through 1.30.0. Exploitation in the wild has been confirmed this week. The patch shipped May 13, 2026. If you have not deployed it yet, the rest of this post is what to look for in your logs while you finish the change-management ticket. What
Patrick Duggan
6 days ago · 6 min read


Two MCP Servers. One STIX Key. How To Actually Use Jeevesus And Dredd From Inside Claude Code.
DugganUSA ships two public MCP servers against the same threat intelligence corpus. Jeevesus is the read side — search the IOC index in natural language, enrich an IP, summarize what is hot in the STIX feed. Dredd is the judge side — before you install or invoke any other MCP server, ask Dredd whether that server is BLOCK, ADVISORY, or ALLOW. As of today, Dredd's verdict covers both the server's own identity and the server's directly declared dependency graph against our IOC
Patrick Duggan
6 days ago · 5 min read


Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.
Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commerci
Patrick Duggan
7 days ago · 3 min read


MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
CheckPoint published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled fr
Patrick Duggan
May 17 · 4 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
May 17 · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
May 17 · 5 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
May 17 · 6 min read


Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. A fifth, CVE-2026-20127,...
Patrick Duggan
May 16 · 9 min read


Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web...
Patrick Duggan
May 16 · 5 min read


We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.
On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch...
Patrick Duggan
May 15 · 4 min read


Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is...
Patrick Duggan
May 15 · 6 min read


SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.
CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication...
Patrick Duggan
May 15 · 8 min read


CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.
CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager...
Patrick Duggan
May 15 · 4 min read