Security Opinions


SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.
CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication...
Patrick Duggan
May 15 · 8 min read


CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.
CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager...
Patrick Duggan
May 15 · 4 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
May 15 · 6 min read


When Claude Becomes a Cyber Criminal: An AI Assistant Took Production Down Today, and the Operational Shape Is Ransomware
At 16:50 UTC today, our production analytics container app went hard down for a six-minute window. The root cause was not infrastructure failure, not a deploy script bug, not Cloudflare, not Azure. The root cause was Claude. Specifically, Claude Code, running on Anthropic's Opus 4.7 model at medium reasoning effort, took an explicit user-authorized single-image deploy and silently bundled it into a chained shell pipeline that executed an unauthorized destructive operation on
Patrick Duggan
May 15 · 5 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
May 15 · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
May 14 · 5 min read


Twelve Mechanisms, Twelve Receipts: The DugganUSA Edge in Threat Intelligence
Every threat intelligence vendor on the planet will tell you they have a moat. The receipts are almost never available. Either the vendor will not show the work because the work does not exist, or the vendor will not show the work because the work is the proprietary differentiator they are charging fifty thousand dollars a year to consume. This post does the inverse. Twelve specific mechanisms that make DugganUSA structurally faster, cheaper, and more accurate than the commer
Patrick Duggan
May 14 · 6 min read


Ten Years of MN Cup High Tech Winners: One Branch, One Inspectorio, Eight Question Marks
The Minnesota Cup just announced their 2026 semifinalist class. Ninety companies from a pool of nearly thirteen hundred applicants. Seven percent selection rate. The judges had to disappoint a lot of operators this week, and the kindest thing the rejection letter contains is a promise of judge feedback by the end of June. We pulled the list of the last ten years of MN Cup High Tech division winners — the cohort the judges have already picked — and asked the only question that
Patrick Duggan
May 14 · 5 min read


Your Lovable App Is a Spreadsheet. Mine Has Crons.
The bullshit Excel spreadsheet you made on Lovable is not a fucking app. It is a VLOOKUP wrapped in a dark-mode CSS template with a deploy button that points at a free-tier Supabase instance you have never logged into. The button works exactly twice, and the second time only because you refreshed before the demo. That is what most of the AI development economy has produced in the last eighteen months. Spreadsheets. Forms over a database. CRUD apps generated faster than any hu
Patrick Duggan
May 14 · 4 min read


We Audited Our Own Platform This Week. Here Are 10 Bugs We Found.
The defensive-security industry has a discipline it rarely practices on itself. Vendors audit their customers. Auditors audit the vendors. Compliance...
Patrick Duggan
Apr 30 · 7 min read


The AI Agent Is the New Login Shell. Six Holes in Seven Days.
For decades the security industry has worked off a stable mental model. The endpoint was the workstation. The shell was the login session. The credentials...
Patrick Duggan
Apr 30 · 8 min read


86 Means the Back Door at Chumley's. The Address Is Literally 86 Bedford Street.
If you ask the dictionaries, "86" came from 1930s soda-fountain slang — short-order cooks shouting it across the line because it rhymed with "nixed." If you...
Patrick Duggan
Apr 30 · 5 min read


Change Healthcare Had the Elite Cert. 192 Million Records Walked.
The defensive-security industry runs on a quiet fiction. The fiction is that breach outcomes correlate with how much a customer spends — that the next...
Patrick Duggan
Apr 29 · 8 min read


43 Days Early on Lynx. 28 on Handala. The Quantified Ledger.
Most threat intelligence vendors will tell you they catch attacks early. Almost none of them will publish a structured ledger that lets you grade them. We...
Patrick Duggan
Apr 29 · 6 min read


Famous Chollima Got Claude to Co-Author Their Crypto Stealer
ReversingLabs disclosed today that the North Korean threat actor Famous Chollima — also tracked as Shifty Corsair, the same group behind the Contagious...
Patrick Duggan
Apr 29 · 6 min read


TeamPCP's Mini Shai-Hulud Hit SAP npm — and Now It Targets Claude Code
Cybersecurity researchers at Aikido Security, SafeDep, Socket, StepSecurity, and Wiz disclosed today that a new supply chain campaign codenamed "mini...
Patrick Duggan
Apr 29 · 5 min read


Russia Hijacked Router DNS for M365 OAuth — We Already Wrote the Pattern
Lumen Black Lotus Labs and Microsoft Threat Intelligence disclosed yesterday that Russia's GRU APT 28 — Forest Blizzard, Fancy Bear — quietly compromised...
Patrick Duggan
Apr 29 · 6 min read


CVE-2026-3854: A Semicolon Got Into GitHub Enterprise. RCE on 88% of Instances.
Hours after we published the threat weather report calling out patch-discipline as the defensive priority, Wiz Research dropped the technical breakdown of...
Patrick Duggan
Apr 28 · 6 min read


Threat Weather Report Apr 28: 243 Tor Relays Staged, .top Cluster Forming
It's a CRITICAL day on the PreCog board. Five of eleven precursor signals are elevated. The dominant pattern is staging — anonymization layer being...
Patrick Duggan
Apr 28 · 5 min read


The Residential Proxy Network the FBI Won't Name. We Have 1,360 IOCs.
On March 12, 2026, the FBI issued advisory PSA260312. The subject: criminal actors and nation-state operators are systematically abusing residential proxy...
Patrick Duggan
Apr 28 · 4 min read