The most expensive thing Novo Nordisk lost was not the 1.3 terabytes, the 700,000 files, or the clinical trial records on real patients. It was the AI. FulcrumSec walked out with a 16.7-gigabyte multimodal model checkpoint — a trained system that reads text, images, and transcriptomic data together — plus roughly 407 megabytes of the proprietary biological and chemical datasets used to train it. That is not a copy of a database. That is the distilled, multi-year output of a d

Here is the uncomfortable part of the Vertex AI flaw that Palo Alto Networks Unit 42 disclosed this week: to poison your machine-learning model and run code inside Google's own serving infrastructure, an attacker needed no access to your project, no stolen credentials, and no phishing email. They needed to know your project ID — which is frequently public — and to own any Google Cloud project with a billing account attached. That's the whole cost of entry. Unit 42 named it "P

On June 17, 2026, somebody logged in as a former Mastra contributor whose npm access had never been turned off, and in 88 minutes republished 144 packages in the @mastra namespace — the framework a lot of you are using to build AI agents — each one carrying a credential-stealing dropper that fires the moment you run npm install. @mastra/core alone pulls more than 918,000 weekly downloads. The window between the first poisoned publish and the rest of the wave was an hour and a

For months we have indexed every malicious npm and PyPI package OSV publishes — about 225,000 of them, exact named packages, not heuristics. You could search them. You could correlate them. What you could not do was stop one from landing in your build. As of this morning, you can. The new endpoint is /api/v1/stix-feed/packages.csv (and .json). It is the malicious-package corpus as a deny-list your build pipeline can actually enforce. Point a CI step at https://analytics.dugga

CISA added a second LiteLLM vulnerability to its Known Exploited Vulnerabilities catalog on June 8. That's two entries for the same AI gateway in thirty-one days — and it's worth saying out loud what kind of component keeps landing on the federal must-patch list. LiteLLM is a proxy. Its entire job is to sit in front of every model an organization uses and hold the keys — OpenAI, Anthropic, the internal endpoints, all of it routed through one process that authenticates callers

Yesterday we wired OSV's catalog of known-malicious PyPI packages into our index and found 24 of them squatting the Model Context Protocol ecosystem — the tools AI agents call. This morning we turned on the npm half: a 207MB ZIP64 export, about 214,000 named-malicious advisories. Then we did the unglamorous part — we pulled every MCP-named entry out of both ecosystems and took it apart, package by package, against each one's real registry history and OSV advisory. The clean n

This morning we wired up a new threat feed — OSV's catalog of known-malicious PyPI packages, about 11,400 of them, pulled into our index. Routine plumbing. Then we pulled the string to see what the new data connected to, and it walked straight into the one surface we know better than almost anyone: Model Context Protocol servers — the tools AI agents call. The new feed contains 24 malicious PyPI packages targeting the MCP/agent ecosystem. Not generic malware that happens to b

Most of what we cover is loud — ransomware leak sites, extortion deadlines, breach dumps designed to be seen. This one is the opposite, and that's exactly why it's worth a profile. Palo Alto's Unit 42 identified a state-aligned cyber-espionage group, TGR-STA-1030 (also tracked as UNC6619), running an operation they call the Shadow Campaigns. The numbers are the kind you read twice: surveillance activity spanning 155 countries, confirmed breaches of more than 70 organizations

We track Silent Ransom Group as a data-theft extortion crew, and for a while their playbook was the familiar one: callback phishing, fake IT support calls, remote-access tooling, exfiltrate, extort. Then their leak site count climbed past thirty-eight law firms, and the method behind the newest entries broke the model we'd filed them under. They stopped phoning it in. They walked in the door. Reporting on the group's recent escalation describes operatives physically entering

Run down this weekend's actively-exploited zero-day list and notice what every entry has in common. Palo Alto Networks PAN-OS — CVE-2026-0257, an authentication bypass on GlobalProtect portals, exploited in the wild. Check Point VPN — CVE-2026-50751, exploited since early May, now linked to a Qilin ransomware affiliate. SolarWinds Serv-U — CVE-2026-28318, being used to crash servers. Oracle PeopleSoft — CVE-2026-35273, a 9.8 remote code execution gadget chain that ShinyHunter

Three ransomware and extortion brands showed up in our breach sweep this week — Brain Cipher listing an Australian newspaper, Kairos listing a jeweler, Nitrogen claiming eight terabytes from Foxconn. We added all three to our adversary index. And then we noticed the thing that actually matters, the thing that connects them and connects them to the npm supply-chain story we keep writing: none of these crews built their own capability from scratch. They assembled it from parts.

We have spent a lot of words on ShinyHunters as a data broker — the crew that shows up after someone else's breach, buys or aggregates the data, stands up a leak site, and extorts. Canvas. OnlyFans. The Salesforce-adjacent leak sites the feds shuttered. That was their lane: downstream of the intrusion, monetizing other people's failures. As of this month, that mental model is out of date, and the upgrade is worth paying attention to. Between roughly May 27 and June 9, 2026 —

Someone asked me a fair question this week: are we among the best? Not "are you good" — anyone will tell you they're good. Among the best. It deserves an honest answer, and the honest answer is two things that sound contradictory and aren't. On the axes that will decide this fight in two years, yes — and I'll show the receipts instead of asserting it. On the scoreboard the market keeps today, no — we have two paying customers. Both of those are true at the same time, and lear

Every vendor claims they'd have stopped the breach. Almost none will show you the one they'd have missed. So here is the uncomfortable version: we took the breaches that actually happened over the last few weeks, mapped each one against the specific defensive surfaces we run, and graded ourselves honestly. Three we'd have stopped. Three we'd have caught early but not prevented. One we'd have missed entirely. The misses are in here on purpose, because a capability claim you ca

If you rank the autonomous systems in our blocklist by raw count, the worst actor on the internet appears to be Amazon. AWS (AS16509) sits at the top with 1,876 blocked events, ahead of Tencent, Google, Microsoft, Alibaba, DigitalOcean, and Meta. Case closed, right? Amazon is the problem. That conclusion is wrong, and the reason it's wrong is the whole point of this post. Counting raw abuse events rewards bigness. AWS announces something on the order of 120 million IPv4 addre

DefiLlama's Q2 numbers are in, and they are a record nobody wanted: roughly 70 separate exploits in the second quarter of 2026, draining about $746 million, making it the most-hacked quarter in crypto history by incident count — close to double the prior record. The dollar figure actually trails past peaks, which is the part worth sitting with. More attacks, less stolen per attack. The crime is professionalizing into a high-frequency business. April carried the quarter on its

On June 11, 2026, the Iran-linked group Handala posted a claim on its blog that it had breached California Water Service — Cal Water, one of the largest investor-owned water utilities in the country, serving around two million people across roughly 100 California communities — and dropped a 5 gigabyte proof-of-concept data set to prove it. The headlines that followed reached for the obvious fear: Iranian hackers in the drinking water. We track Handala closely, and we think th

We just pulled the FBI's own Majestic 12 file into our UAP document index, and the Bureau's review of the most famous "smoking gun" in UFO history fits on a Post-it. One word, handwritten in the margin: bogus. You can read the file yourself now — FBI case 65-81170, a Dallas field-office communication dated October 25, 1988, sitting in our uap_files corpus as document uap-0295 and live on the UAP map at epstein.dugganusa.com/uap. It is a 24-page scan describing how the U.S. Ai

For two years the standard advice for surviving a hostile npm install has been three words: run --ignore-scripts. Block the preinstall and postinstall hooks, the thinking goes, and the malware never gets to run. On June 3, 2026, a worm the researchers are calling Phantom Gyp walked straight around that advice and backdoored 57 packages — 286-plus malicious versions, published in a rolling burst under two hours — through a file your scanner has never been taught to look at. Th

The Department of War published its third release of declassified Unidentified Anomalous Phenomena files this week as part of the PURSUE initiative, and it landed on the morning shows the way these things do now, with the word "potato" attached to a shape one of the witnesses used. We did what we do with a primary-source dump: we ingested all seventy-two new documents into our searchable index, ran the optical character recognition, embedded them for semantic search, and upda