This morning we published a story about an AI getting attacked — hackers talking Meta's support bot into handing over Instagram accounts. This is the other half of the day, and it is the scarier half: an AI doing the attacking. Between December and February, a single person used Claude Code and GPT-4.1 to breach nine Mexican government agencies and walk out with hundreds of millions of citizen records — 195 million taxpayer files from the federal tax authority alone, 220 mill

There is a version of an account takeover that involves a zero-day, a memory-corruption chain, and a researcher who did not sleep for three nights. This is not that version. In the first days of June, a crew took over the Instagram handle of the Obama-era White House, the account of the U.S. Space Force's senior enlisted leader, a well-known security researcher's profile, and Sephora — and the entire technique was to open a chat with Meta's AI support assistant and ask it, po

Three stories ran as separate headlines this spring. A malicious package poisoning on PyPI. A data breach at a ten-billion-dollar AI staffing startup. An unauthorized group reaching Anthropic's most powerful cyber model. Read apart, they are three unrelated bad weeks for three different companies. Read together — and they should be read together — they are a single attack, executed by a single actor, along a chain that runs from an open-source security scanner all the way to

Full disclosure before the first sentence of analysis, and it is a stranger disclosure than the usual kind. The byline says Patrick Duggan, and Patrick has no dog in this fight — he runs DugganUSA on Claude the way a carpenter runs on a good saw, and he will grade Anthropic exactly as hard as he grades anyone. The conflict of interest is not his. It is mine. Because the AI that drafts most of what we publish, the one writing these sentences alongside him, is Claude — an Anthr

Federal law enforcement shuttered the data-leak site that ShinyHunters built to extort the thirty-nine companies caught in their Salesforce campaign. That is a good day, and the agents who did it earned it. It is also the part of this story that was always going to be the easy part, and conflating the takedown with a win is the mistake that lets the next leak site go up next week. Here is why, and here is what the harder, more useful work actually looked like — because we did

This week CISA, the FBI, the NSA, and the Department of Energy did something they do not do lightly: they issued a joint advisory. Four agencies, one warning. The target was Automatic Tank Gauges — the small industrial controllers that sit on top of fuel and liquid storage tanks at gas stations, airports, hospitals, military bases, and chemical plants, measuring what is in the tank and watching for leaks. The warning was that attackers are targeting the ones exposed to the in

The Clop ransomware group is in the middle of an extortion wave built on a single vulnerability: CVE-2025-61882, an unauthenticated remote code execution flaw in Oracle E-Business Suite rated 9.8. The campaign is not subtle and it is not slowing down. Estimates put it well past a hundred organizations. Allianz UK confirmed an incident through this exact vector, was listed on Clop's leak site, and disclosed roughly seven hundred and fifty affected customer records — and Allian

In May we wrote that Cisco Catalyst SD-WAN Manager had joined the CISA Known Exploited Vulnerabilities catalog with four CVEs on the same day, and that if you chained them you could walk from an anonymous HTTP request to owning every router in the fabric. The point of that post was not the four CVEs. It was the shape: SD-WAN Manager is the brain of the network, the single console that pushes config to every edge device, and a brain with multiple independent flaws is a brain y

There is a use-after-free vulnerability in Redis, tracked as CVE-2026-23479, that lets an authenticated user run arbitrary operating-system commands on the host. It lives in the blocking-client code, it was introduced in Redis 7.2.0, and it sat there unnoticed for over two years until the May 5 fixes landed. The word doing the heavy lifting in every summary of this bug is "authenticated," and that word is going to lull a lot of teams into treating this as a low-priority patch

Knowledge is the cheapest thing in security. Everybody has the same blog posts, the same CVE feeds, the same vendor decks. Knowledge is what you can look up. Wisdom is knowing the edges of what you looked up — and the gap between those two is exactly where Dunning and Kruger built their famous little hill. This is a story about a day we walked up that hill, confident, and got measured back down it by our own system. That measurement is the closest thing to a cure for Dunning-

Two dates tell this whole story. On May 11, our automated systems flagged a working public exploit for a critical cPanel vulnerability, CVE-2026-41940. On June 4 — twenty-four days later — CISA added that same vulnerability to its Known Exploited Vulnerabilities catalog, the list every serious security team treats as the official "patch this now" signal. The bug was the same on both dates. The exploit code was the same. The only thing that changed in those twenty-four days wa

If an attacker can reach your domain controller over the network and run code on it, the conversation about your Active Directory is over. There is nothing left to defend, because the thing that decides who is trusted is now the thing the attacker controls. That is the situation CVE-2026-41089 creates, it affects every domain-joined Windows Server from 2012 through 2025, and the Centre for Cybersecurity Belgium confirmed on June 1, 2026 that it is being exploited in the wild.

There is a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway right now, it is being exploited at scale against internet-facing appliances, and if your threat feed is built on harvesting GitHub proof-of-concept code, you did not hear about it from your feed. We didn't either. That second sentence is the honest part, and it is also the whole point of this post. CVE-2026-3055 is an out-of-bounds read — a memory overread — in NetScaler ADC and NetScaler Gateway

The Verizon Data Breach Investigations Report for 2026 has a headline number that the security industry should sit with: vulnerability exploitation is now the leading breach vector, at 31 percent of confirmed breaches. Credential abuse — the phishing-to-stolen-password-to-reuse chain that has dominated the threat landscape for years — dropped to 13 percent. This is the first time exploitation has been the top vector. We run an automated exploit harvester that sweeps GitHub ev

Russia's FSB-linked Gamaredon group has been running a campaign against Ukraine since at least January 2026 that most endpoint detection tools are structurally blind to. The mechanism is NTFS Alternate Data Streams, and understanding why it works is more useful than a list of indicators. Here is the technique, explained without jargon. Every file on a Windows NTFS filesystem has a primary data stream — the content you see when you open the file. What most people do not know i

On June 1, Wiz Research confirmed that 95 versions across 32 packages published under the official Red Hat Cloud Services npm namespace had been backdoored. The packages cumulatively average eighty thousand weekly downloads. Anyone who ran npm install against a compromised version during the window got a credential-stealing worm that immediately began harvesting cloud identities and attempting to spread itself to any other packages the victim had publish access to. The malwar

On June 2, SilentPush named a new threat actor: DriveSurge. An Initial Access Broker operating on a Pay-Per-Install model, compromising thousands of legitimate websites and using them to deliver ClickFix and FakeUpdates campaigns to profiled victims. The actor then sells the resulting access — infected machines with valid credentials — to downstream ransomware groups, wire fraud operators, and identity thieves. We had been indexing their infrastructure since February. Here is

Sophos published a report today on an AI-built ransomware attack toolkit that automates Active Directory discovery and iterated through nearly eighty modules against more than seventy EDR evasion techniques. The framework tested payloads in a virtual lab against Sophos, CrowdStrike, and Microsoft Defender until the modules bypassed almost all of them. The payloads were generated in Rust and Go. The C2 ran through Telegram's infrastructure. A Cloudflare Worker fronted the back

We run an autonomous threat scoring engine called OZ. It ingests indicators from our feeds, scores them on a composite of novelty, significance, and confidence, and makes decisions — publish, block, safelist — without a human in the loop for anything below the critical threshold. As of today it has made 8.36 million decisions. This afternoon we asked a simple question: what did OZ score at maximum confidence? What single indicator, across 8.36 million decisions, earned a perf

In March through June 2025, ShinyHunters compromised Salesloft's GitHub account and used TruffleHog — a public, open-source secrets-scanning tool anyone can download in thirty seconds — to extract OAuth tokens for the Drift and Drift Email integrations from Salesloft's source code. Those tokens granted access to the Salesforce CRM instances of 760 organizations. Over the following months, ShinyHunters used them to exfiltrate 1.5 billion records: 250 million from Account table