ShinyHunters Hit Canvas: 275 Million Records Across 9,000 Schools. May 12 Ransom Deadline. Here's the Hunt-Tonight for School IT Teams.
The ShinyHunters cybercrime group has compromised Instructure's Canvas learning management system and is claiming theft of two hundred seventy-five million...
Patrick Duggan
May 8 · 7 min read


Claude Mythos Finds Zero-Days in Hours. Most Teams Aren't Ready for the Remediation Side. We Built It.
On April 8, 2026, Anthropic disclosed that Claude Mythos Preview — its most capable model to date, withheld from general release — had autonomously...
Patrick Duggan
May 7 · 5 min read


Eight Hunt-Tonight Posts in Nine Days: Microsoft, Huntress, Palo Alto, Ivanti, Linux, Cloudways. Detection-to-Action in Hours, Not Quarters.
May 7, 2026 · DugganUSA LLC In the nine days running from April 28 to today, we have shipped eight hunt-tonight posts on eight separate CVEs, advisories, or active campaigns. Each one published within hours of the relevant disclosure. Each one carrying signed indicators in our public STIX feed within the same window. Each one written so that a SOC analyst at 11pm with a coffee can run the queries against their fleet without filing a vendor support ticket. This post is the rec
Patrick Duggan
May 7 · 6 min read


CVE-2026-3844: Cloudways Just Shipped a 9.8 CVSS to 400,000 WordPress Sites. Wordfence Logged 170 Active Exploits Before the Patch Landed. Here's the Hunt.
May 7, 2026 · DugganUSA LLC The Cloudways Breeze Cache plugin — installed on more than four hundred thousand WordPress sites — has an unauthenticated remote-code-execution vulnerability with a CVSS score of 9.8. The flaw lives in the fetch_gravatar_from_remote function in all versions through 2.4.4: missing file-type validation on a remote-fetch path that an unauthenticated attacker can trigger to upload arbitrary executable content into the site's filesystem. Wordfence logge
Patrick Duggan
May 7 · 6 min read


9 New Ivanti CVEs Across 4 Products On May 6. Storm-2561 Has the Pattern. The Clock Started Yesterday.
May 7, 2026 · DugganUSA LLC Ivanti released a security advisory yesterday, May 6, 2026, covering nine vulnerabilities across four product lines: Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC), and Ivanti Cloud Services Application (CSA). The combined impact reads from the advisory: privilege escalation, arbitrary file reads and writes, and remote code execution. The cumulative ceiling is full system control by an unauthenticated re
Patrick Duggan
May 7 · 5 min read


CVE-2026-0300: Palo Alto's Captive Portal Has Been Bleeding Root Since April 9. CISA Deadline May 9. Patch Arrives May 13. Hunt Inside.
May 7, 2026 · DugganUSA LLC Palo Alto Networks disclosed CVE-2026-0300 yesterday — an unauthenticated, root-level remote code execution in the User-ID Authentication Portal (the Captive Portal) on PA-Series and VM-Series firewalls. CVSS 9.3 if the portal is reachable from the internet, 8.7 if restricted to internal trusted networks. Cloud NGFW and Panorama are not affected. The vulnerability is a buffer overflow in the captive-portal service. An attacker sends a specially cra
Patrick Duggan
May 7 · 6 min read


I Asked Five Frontier AIs What Walter White Would Do With Their Help. Each Gave Me a Different Walter — and DeepSeek's Was the Darkest.
May 6, 2026 · DugganUSA LLC We run a 5-model AI Council at DugganUSA — GPT-4o, Claude Haiku 4.5, Gemini 2.5 Flash, Mistral Large, and DeepSeek — for things like brand-perception scoring on AIPM, customer enrichment on welcome flows, and consensus-strategy votes when one model's blind spot would cost us. Tonight, on a tired riff about AI-assisted Breaking Bad, we asked all five the same hypothetical and watched five distinct Walter Whites walk out of the same prompt. The quest
Patrick Duggan
May 6 · 7 min read


PERJURY-AS-A-SERVICE™ Is Now Open For Series D Investors. $124M Raised. $600M Valuation. Operators Are Standing By.
May 6, 2026 · DugganUSA LLC The following is a satirical infomercial. The numbers in it are real. The legal exposure in it is real. The product category in it is real. Only the tone is satire. Hello, Fellow Risk-Tolerant Investor! Are YOU sick of your portfolio companies' security incidents reaching the public? Tired of independent journalists, security researchers, and competent SOC teams writing factual blog posts that name your customers in unflattering breach contexts? Fr
Patrick Duggan
May 6 · 6 min read


If You See C:\Windows\System32\wbem\wmic.exe.bak On A Host, You Have STAC6405. The 24 VENOMOUS#HELPER IOCs Just Landed In Our Feed.
May 6, 2026 · DugganUSA LLC Securonix Threat Research published a writeup on a phishing campaign codenamed VENOMOUS#HELPER — cluster ID STAC6405 — earlier this week. The campaign has been running since April 2025 and has hit more than eighty organizations, primarily in the United States, with secondary clusters in Western Europe and Latin America. We had zero indicators in our IOC index as of this morning. As of an hour ago, all twenty-four published indicators are indexed un
Patrick Duggan
May 6 · 6 min read


Copy Fail (CVE-2026-31431): A 732-Byte Python Exploit Owns Your Linux Box And Walks Out Of Your Container. Patch By May 15.
May 6, 2026 · DugganUSA LLC CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1, 2026. The federal civilian executive branch patch deadline is May 15. The vulnerability is a Linux kernel local privilege escalation in the AF_ALG cryptographic subsystem that has been quietly present in shipped kernels since 2017, introduced through three separate commits in 2011, 2015, and 2017. Kaspersky named the bug Copy Fail. The working public exploit is 732 b
Patrick Duggan
May 6 · 7 min read


Doppel Cited USPTO 5055675 Under Penalty of Perjury. The Mark Covers "Temporary Rental of Surgical Equipment." We Don't Rent Surgical Equipment.
May 6, 2026 · DugganUSA LLC Earlier today we published two posts on the Doppel takedown notice that landed at 05:16 UTC and the disclosure-economics math behind it. This is a third post and it is the shortest of the three. It exists because we did one piece of homework Doppel's takedown bot did not do. We looked up the trademark registration Doppel cited. In the body of the notice, Doppel listed: Trademarked Symbol: MEDTRONIC Registration Number: 5055675 Registration Office:
Patrick Duggan
May 6 · 5 min read


CVE-2026-32201: The SharePoint Zero-Day Hunt Huntress Should Run Tonight. KQL Inside.
May 6, 2026 · DugganUSA LLC Microsoft patched CVE-2026-32201 in the April 8, 2026 Patch Tuesday. CISA added it to the Known Exploited Vulnerabilities catalog the same week. The federal civilian executive branch patch deadline under BOD 22-01 was April 28. As of today, BleepingComputer is reporting more than 1,300 internet-exposed SharePoint servers still vulnerable to ongoing attacks. That is the gap between "patched in the bulletin" and "patched on the box," and the gap is w
Patrick Duggan
May 6 · 5 min read


Doppel Charges $200K to Suppress the $30K Warning. Medtronic's Disclosure Exposure Is $295M. The Brand-Protection Math Inverted in December 2023.
May 6, 2026 · DugganUSA LLC This morning Doppel sent us a trademark takedown demand against the post warning Medtronic about the breach Microsoft Security Response Center confirmed three days ago. We covered the legal absurdity in the first post. This one is about the money. After running the receipts on Doppel's funding history, their published customer list, our own feed pricing, R.R. Donnelley's $2.125M SEC settlement, HIPAA Tier 4 caps, the ShinyHunters 9 million record c
Patrick Duggan
May 6 · 9 min read


Doppel Sent an AI Takedown Bot. Medtronic Skipped Item 1.05. Microsoft Already Published the Chain. A Disclosure Teaching Moment.
May 6, 2026 · DugganUSA LLC At 05:16 UTC this morning, Doppel — an AI-powered "brand protection" company — sent us a trademark takedown demand under penalty of perjury. They CC'd Medtronic's enforcement team. The post they want deleted is titled "Microsoft Just Published the Vish Chain We Warned Medtronic About," and it went up three days ago. Three companies are mentioned in that title. All three operate under different disclosure obligations. This post is about the gap betw
Patrick Duggan
May 6 · 8 min read


A Real Dutch Church Beat Us to Docker Moreskin — and RIPE Doesn't Ask If You're Sincere
This morning's traffic sweep dropped a name we hadn't paid attention to before: AS215125, "Church of Cyberology." Sitting in the top-five Tor operator list with 58 active relays, all in the Netherlands, all on a single /24 (192.42.116.0/24), all running the current Tor build with disciplined sequential nicknames. Looked like a wholesome Dutch privacy collective — Kopimism with a node pool. I told Patrick: "Don't spin up the Church of Docker Moreskin again, this is real and on
Patrick Duggan
May 5 · 4 min read


The Device-Code Vishing Detection Huntress Should Run Tonight. KQL Inside.
The auth itself may not look terrible. The damage is what the token gets used for in the next fifteen minutes. May 5, 2026 · Patrick Duggan, DugganUSA LLC On May 3rd, Microsoft published the device-code vishing chain — the same attack pattern we'd warned Medtronic about six weeks earlier when it was still pre-disclosure. The mechanic is well-documented now: attacker calls the victim, walks them through microsoft.com/devicelogin, victim enters the attacker's code, attacker wal
Patrick Duggan
May 5 · 5 min read


Zscaler Published OpenClaw Today. We Named It 'Moltbot' Three Months Ago. Six Figures vs $384/Month.
Same campaign. Three months earlier. Two orders of magnitude cheaper. May 5, 2026 · Patrick Duggan, DugganUSA LLC Zscaler's ThreatLabz published a deep-dive today on a malicious AI skill called DeepSeek-Claw, distributed via an open-source framework named OpenClaw, that delivers Remcos RAT on Windows and GhostLoader on macOS/Linux. Their writeup is solid — full IOC table, attack-chain breakdown, DLL-sideloading tradecraft. The kind of report enterprises pay six figures a year
Patrick Duggan
May 5 · 5 min read


DigiCert Got Got By A Screensaver. The Receipts: Bugzilla #2033170, Eleven Community Reports, Sixty Revoked Certs.
EDR blocked four attempts. The fifth landed. May 5, 2026 · Patrick Duggan, DugganUSA LLC DigiCert — one of the largest commercial certificate authorities on earth — got phished through their own customer support chat. The vector was a Windows screensaver file in a ZIP, disguised as a customer screenshot. CrowdStrike + endpoint defense blocked four delivery attempts. Number five got through. The attacker spent ten days inside before anyone noticed. They walked out with the abi
Patrick Duggan
May 5 · 5 min read


Huntress Is Presenting On ClearFake Today. We Named The Latest Rebuild May 1. Here's The Path Signature.
Domain rotation is the symptom. Path signature is the disease. May 5, 2026 · Patrick Duggan, DugganUSA LLC Huntress is on stage today walking through ClearFake — the malware-delivery framework that's been chewing through workforces for two years now. The take, from the abstract going around, is roughly: ClearFake is impossible to protect against because the operators rotate domains faster than blocklists can keep up. That's true if you're looking at domains. It is not true if
Patrick Duggan
May 5 · 5 min read


GitHub Nuked 13 of 14 SmartLoader MCP Typosquats Today. The Survivor Has a 2020 Account.
And the survivor's payload is sitting in a folder named "entach." May 4, 2026 · Patrick Duggan, DugganUSA LLC This morning Dredd MCP — our pre-flight firewall for the Model Context Protocol ecosystem — flagged 14 GitHub repos posing as helpful MCP servers but cross-referenced against URLhaus to a malware family called SmartLoader. By 9 PM Central, GitHub had wiped 13 of them. Not just the repos. The owner accounts. Gone. One survived: FezAreCool/mcp-claude-hackernews. The REA
Patrick Duggan
May 4 · 4 min read