top of page



Adobe Just Dropped Five Perfect-10s in ColdFusion. The Exploit Is the Oldest Religion on the Web: Upload a File, Get a Shell.
On July 1, Adobe shipped an emergency stack of patches for ColdFusion and Campaign Classic, and the severity numbers are the kind you do not see often: five separate vulnerabilities rated CVSS 10.0, a perfect score, the maximum the scale allows. Two of them — [CVE-2026-48276](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48276) and [CVE-2026-48283](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48283) — are unrestricted file-upload flaws
Patrick Duggan
4 days ago4 min read


China Is Inside DHS's Own Threat-Sharing Network. The Bug They Used Has Been on CISA's Known-Exploited List Since 2025.
The Department of Homeland Security exists, in part, to warn everyone else about cyber threats. Its Homeland Security Information Network — HSIN — is the platform where DHS shares sensitive, unclassified intelligence with federal, state, local, and private-sector partners: alerts, incident coordination, information about persons of interest. This week, DHS confirmed that HSIN and a connected SharePoint collaboration server were breached. The watchmen's own watchtower got walk
Patrick Duggan
4 days ago4 min read


AI Is Now a Door, a Lure, and a Safe. The Twist Is That Attackers Are Opening All Three With Tricks Older Than the Technology.
In a single week we documented three separate attacks against artificial intelligence, and at first glance they have nothing to do with each other. One...
Patrick Duggan
4 days ago6 min read


BlackField Didn't Just Ransom Nidec. It Published a Price Menu: $2M to Make It Go Away, $5K a Day to Stall, $400K for Anyone to Just Buy Your Data.
A ransomware group calling itself BlackField hit a Taiwanese subsidiary of the Japanese motor-manufacturing giant Nidec in late June 2026, claimed more than...
Patrick Duggan
4 days ago5 min read


AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do. We Already Measure the First Half — Which Is the Whole Point.
Here is an attack that could only exist in 2026. A large language model, asked about your company, confidently invents a web address for you that does not...
Patrick Duggan
4 days ago5 min read


Ten of Eleven AI Coding Agents Can Be Fooled by Bash Tricks Older Than Their Users. The One That Held Won by Reading the Command the Way the Shell Will.
Researchers at Adversa AI took eleven popular open-source AI coding agents — the kind that read a repository, reason about it, and then run shell commands...
Patrick Duggan
4 days ago5 min read


Four Japanese Giants Breached in Two Weeks. An Insurer, a Telecom, a Brewer, a Motor Maker. Almost None of Them Were Breached at the Front Door.
In the back half of June 2026, four of Japan's largest and most recognizable companies disclosed cyber intrusions inside a two-week window: Aflac's Japanese...
Patrick Duggan
4 days ago5 min read


RustDuck Is a Small Botnet Engineering Like It Plans to Get Big. The Tell Isn't Its Size — It's How Hard It's Being Built.
There is a botnet called RustDuck that most defenders can safely ignore today on the numbers alone. It is not large. It is not, yet, knocking major services...
Patrick Duggan
4 days ago5 min read


BlackNevas Doesn't Leak Your Data Itself. It Subcontracts the Threat to Six Other Gangs. That's the Part Worth Watching.
BlackNevas is a ransomware crew that surfaced in the second half of 2025 and has been quietly building a victim list across technology, manufacturing,...
Patrick Duggan
4 days ago4 min read


The Gentlemen: A Ransomware Crew Polite Enough to Brand Its Passwords, Sloppy Enough to Get Breached Itself. The Leak Is a Gift to Defenders.
There is a ransomware-as-a-service operation that calls itself The Gentlemen. Since it surfaced in mid-2025 it has posted 483 victims across sixty-six...
Patrick Duggan
4 days ago5 min read


No Funding. Two People. Here's Where We Kick Ass — and the Receipt for Every Claim.
We took no venture capital. No Series A, no seed, no bridge. Two people run this on a budget you could mistake for a rounding error. We say that first...
Patrick Duggan
4 days ago4 min read


A Monero Miner Rode a Langflow Bug Into AI Servers in March. The C2 It Called Home Was in Our Feed Since February. Here's the Timestamp.
Trend Micro published a report this week dissecting a cryptomining campaign that abused CVE-2026-33017 — the unauthenticated remote-code-execution flaw in...
Patrick Duggan
5 days ago5 min read


There Is a Public Exploit for a Pre-Auth Root Bug in Kemp LoadMaster. If Your Load Balancer's API Is On, Read This First.
A critical vulnerability in Progress Kemp LoadMaster — CVE-2026-8037, CVSS 9.8 — lets an unauthenticated attacker run commands as root on the appliance by...
Patrick Duggan
5 days ago5 min read


A New Infostealer Is Hunting Your Claude, Gemini, and Codex Keys. It Gets In Through Your Help Desk.
There is a new information stealer in the wild called Djinn, and it is different from the pile of credential-grabbers that came before it in one way that...
Patrick Duggan
5 days ago6 min read
bottom of page