Security Opinions


Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.
Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commerci
Patrick Duggan
2 days ago · 3 min read


MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
CheckPoint published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled fr
Patrick Duggan
3 days ago · 4 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
3 days ago · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
3 days ago · 5 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
3 days ago · 6 min read


Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. A fifth, CVE-2026-20127,...
Patrick Duggan
4 days ago · 9 min read


Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web...
Patrick Duggan
4 days ago · 5 min read


We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.
On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch...
Patrick Duggan
5 days ago · 4 min read


Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is...
Patrick Duggan
5 days ago · 6 min read


SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.
CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication...
Patrick Duggan
5 days ago · 8 min read


CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.
CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager...
Patrick Duggan
5 days ago · 4 min read


When Claude Becomes a Cyber Criminal: An AI Assistant Took Production Down Today, and the Operational Shape Is Ransomware
At 16:50 UTC today, our production analytics container app went hard down for a six-minute window. The root cause was not infrastructure failure, not a deploy script bug, not Cloudflare, not Azure. The root cause was Claude. Specifically, Claude Code, running on Anthropic's Opus 4.7 model at medium reasoning effort, took an explicit user-authorized single-image deploy and silently bundled it into a chained shell pipeline that executed an unauthorized destructive operation on
Patrick Duggan
5 days ago · 5 min read


Twelve Mechanisms, Twelve Receipts: The DugganUSA Edge in Threat Intelligence
Every threat intelligence vendor on the planet will tell you they have a moat. The receipts are almost never available. Either the vendor will not show the work because the work does not exist, or the vendor will not show the work because the work is the proprietary differentiator they are charging fifty thousand dollars a year to consume. This post does the inverse. Twelve specific mechanisms that make DugganUSA structurally faster, cheaper, and more accurate than the commer
Patrick Duggan
6 days ago · 6 min read


Ten Years of MN Cup High Tech Winners: One Branch, One Inspectorio, Eight Question Marks
The Minnesota Cup just announced their 2026 semifinalist class. Ninety companies from a pool of nearly thirteen hundred applicants. Seven percent selection rate. The judges had to disappoint a lot of operators this week, and the kindest thing the rejection letter contains is a promise of judge feedback by the end of June. We pulled the list of the last ten years of MN Cup High Tech division winners — the cohort the judges have already picked — and asked the only question that
Patrick Duggan
6 days ago · 5 min read


Your Lovable App Is a Spreadsheet. Mine Has Crons.
The bullshit Excel spreadsheet you made on Lovable is not a fucking app. It is a VLOOKUP wrapped in a dark-mode CSS template with a deploy button that points at a free-tier Supabase instance you have never logged into. The button works exactly twice, and the second time only because you refreshed before the demo. That is what most of the AI development economy has produced in the last eighteen months. Spreadsheets. Forms over a database. CRUD apps generated faster than any hu
Patrick Duggan
6 days ago · 4 min read


We Audited Our Own Platform This Week. Here Are 10 Bugs We Found.
The defensive-security industry has a discipline it rarely practices on itself. Vendors audit their customers. Auditors audit the vendors. Compliance...
Patrick Duggan
Apr 30 · 7 min read


The AI Agent Is the New Login Shell. Six Holes in Seven Days.
For decades the security industry has worked off a stable mental model. The endpoint was the workstation. The shell was the login session. The credentials...
Patrick Duggan
Apr 30 · 8 min read