Security Opinions


The Strongest UAP Case In PURSUE Release 1 Is The One Nobody Has Named Yet. Thirty-Three Documents. Senior Intelligence Official On The Record. Western US, Late 2025.
The Department of War's PURSUE Release 1 dropped on May 8, 2026, with 158 declassified UAP records. The mainstream coverage focused on the headline items the press release teased: 1947-era FBI Vault material on Oak Ridge, the 1970s Sandia Base file, the recycled documents from the 62-HQ-83894 case. Release 2 dropped May 22 with 64 more, and the cycle repeated — coverage centered on the "4 UAP Formation Iran 26 Aug 2022" video that DoW highlighted. Each cycle, the journalists
Patrick Duggan
May 25, 6 min read


A Fourth Indirect-Trust Vector Just Surfaced. Polymarket Bot Stole Wallet Keys Through A Hijacked Verified GitHub Org. Also We Now Have ShinyHunters' Leak-Site Onion.
I wrote a blog this morning naming three indirect-trust supply-chain vectors that hit corporate developers in May 2026 — Laravel-Lang tag-pointers, Megalodon workflow files, Ghost CMS themes — and called it a doctrine that the criminal marketplace had crossed into operational use. Six hours later, while back-filling adversary profiles into our IOC index, our extractor surfaced an unexpected URL inside a TeamPCP-related research article: a Cloudflare Workers endpoint at...
Patrick Duggan
May 24, 4 min read


Eight Distinct USPS Phishing Domains Live In Our IOC Feed Right Now. The Tracking-Number Scam Is The Consumer's Megalodon.
DugganUSA's multi-axis brand-impersonation watch list put globaluspslogistics.com in the top tier this morning at composite confidence 0.85, single-axis pattern-49 detection. The watch list is the synthesis layer; the IOC index is the raw substrate. A quick cross-query against the substrate returns eight distinct USPS-themed phishing infrastructures currently live in our feed, all sourced from OpenPhish's automated detection pipeline, all classified as active phishing, all ru
Patrick Duggan
May 24, 4 min read


Anthropic's Project Glasswing Just Cleared Ten Thousand High-Severity Vulnerabilities In One Month. The Partnership Asymmetry Is Real.
Anthropic disclosed on Friday that Project Glasswing, their cybersecurity vulnerability research initiative launched last month, has now produced more than ten thousand high- or critical-severity vulnerabilities across some of the most systemically important software in the world. Ten thousand findings in a single month from an AI-assisted research program is the kind of throughput that is difficult to characterize in conventional terms. The number is large enough that the co
Patrick Duggan
May 24, 3 min read


Three Indirect-Trust Vectors In Three Weeks. The Attacker's New Doctrine Is The Artifact Layer Nobody Audits.
Over the last three weeks DugganUSA's IOC index has carried receipts on three independent supply-chain compromises that, on the surface, look like three different stories. The Laravel-Lang credential stealer on May 22. The Megalodon mass GitHub Actions workflow poisoning on May 18. The Ghost CMS remote code execution disclosed earlier in May and re-surfaced this weekend with a publicly available proof-of-concept exploit. Three packaging ecosystems, three different attacker cl
Patrick Duggan
May 24, 4 min read


We Had Megalodon's C2 Forty-Nine Days Before It Bit. Here Are The Three Detectors We Just Wired To Catch The Next One.
I published a blog yesterday about Megalodon, the mass GitHub Actions workflow-poisoning campaign that compromised 5,561 repositories in six hours on May 18, 2026. The headline I led with was that DugganUSA's IOC index carried the command-and-control endpoint at 216.126.225.129 before the campaign was publicly named by SafeDep, StepSecurity, OX, the Hacker News, and the rest. That was true. It was also a serious undercount of the actual receipt. Tonight's deeper hunt against
Patrick Duggan
May 23, 4 min read


Command and Control Over Blockchain. Two Actors, One Year, A New Category That Cannot Be Taken Down.
There are exactly two Internet Computer Protocol blockchain canister command and control endpoints in DugganUSA's IOC index as of today. The first, cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io, was indexed by SSL Blacklist on April 23, 2026, attributed to an unnamed criminal actor. The second, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, was indexed independently on May 22, 2026, attributed to TeamPCP, the cluster behind the Megalodon GitHub Actions mass-poisoning campaign that ate 5,
Patrick Duggan
May 23, 4 min read


Netflix Is At The Top of Our Brand Pyramid Today. Two Independent Axes. The Math Says Watch Tonight.
DugganUSA's brand-impersonation watch list ran its multi-axis aggregation this afternoon. Thirty candidate brands across five orthogonal signal axes. The top of the pyramid today is Netflix at 0.95 composite confidence, the only brand at that confidence band, and the only brand currently hitting two independent axes at the elevated level. The math is not a forecast; it is a description of two independent measurements that converged on the same target without coordination. The
Patrick Duggan
May 23, 4 min read


Megalodon Ate 5,561 GitHub Repos in Six Hours. We Had the C2 in the Feed Before It Had a Name.
Between 11:36 and 17:48 UTC on May 18, 2026, a single automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours. The campaign was named Megalodon four days later by SafeDep, StepSecurity, OX Security, and a half-dozen other researchers who independently dissected the attack pattern. The malicious payload injected into each repository's .github/workflows/ directory is a base64-encoded bash loader that exfiltrates CI secrets, AWS and GCP and Az
Patrick Duggan
May 23, 4 min read


The Laravel-Lang Credential Stealer Never Touched the Official Repo. It Used GitHub Tags As Misdirection.
On May 22, 2026, a credential-stealing supply chain attack lit up the Laravel/PHP ecosystem. By May 23, security researchers at Aikido, Socket, and the Hacker News had published the dissection. The headline number is 700 — as in 700-plus version tags rewritten across three widely used packages in the Laravel-Lang organization. The number that matters more is zero, as in the number of malicious commits ever pushed to the official repositories. The attacker did not compromise t
Patrick Duggan
May 23, 4 min read


The FBI Just Named the VPN Dozens of Ransomware Groups Share. The Quiet Part Is What That Means.
The FBI confirmed this week that dozens of ransomware groups have been routing reconnaissance, initial access tooling, and intrusion traffic through a single commercial VPN service called First VPN. The advisory frames it as a notable operational pattern. The structural read is more interesting than that. When the FBI names a shared piece of adversary infrastructure, the actual disclosure is not that the bad guys use VPNs — that has been true for two decades — but that defend
Patrick Duggan
May 22, 4 min read


Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.
Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commerci
Patrick Duggan
May 18, 3 min read


MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
CheckPoint published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled fr
Patrick Duggan
May 17, 4 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
May 17, 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
May 17, 5 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
May 17, 6 min read


Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. A fifth, CVE-2026-20127,...
Patrick Duggan
May 16, 9 min read


Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web...
Patrick Duggan
May 16, 5 min read


We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.
On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch...
Patrick Duggan
May 15, 4 min read


Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is...
Patrick Duggan
May 15, 6 min read