top of page

Security Tips


GREYVIBE Is The First Russia-Linked Threat Actor Whose Malware Toolkit Was Built With ChatGPT, Ideogram, And Gemini. WithSecure Disclosed Today. Five Campaigns, Three Malware Families.
WithSecure published a comprehensive disclosure today on a previously undocumented Russia-linked threat actor they have been tracking since January 2026 under the name GREYVIBE. The disclosure landed in dual-source coverage at BleepingComputer and The Hacker News with the substantive technical detail and the indicator-of-compromise pack hosted on GitHub. The group is conducting persistent cyberespionage operations against Ukrainian military, government, civilian, and corporat
Patrick Duggan
May 307 min read


Kimsuky Just Added HTTPSpy, HelloDoor, And VS Code Tunnels For Command-And-Control. The North Korean Espionage Arsenal Is Now The Soft-Surface Playbook.
The Hacker News reported yesterday on a tradecraft expansion by Kimsuky, the North Korean state-sponsored espionage actor we already track in our adversaries index under the synonyms Velvet Chollima, Black Banshee, Thallium, and Operation Stolen Pencil. The expansion has three named components. A new malware family called HTTPSpy is now the primary tool against South Korean military and corporate targets. A backdoor called HelloDoor has been added to the persistence stack. An
Patrick Duggan
May 306 min read


FortiClient EMS Will Now Execute Code With No Authentication. PAN-OS GlobalProtect Will Now Let You In With No Credentials. The Perimeter Vendors Just Shipped The Bleed.
This week the two largest perimeter vendors in enterprise security each shipped a vulnerability that turns their own product into the breach. Fortinet patched CVE-2026-35616, a pre-authentication API access bypass in FortiClient EMS scoring a 9.1 critical, which the discoverers at Defused Cyber observed under active zero-day exploitation since early April 2026 — roughly two months before the public advisory. Palo Alto Networks updated their advisory for CVE-2026-0257, a Globa
Patrick Duggan
May 308 min read


Two Thousand Vibe-Coded Apps Are On The Internet With No Access Controls. Sixteen Days Ago Our Lovable Audit Said This Was Coming. The Pyramid Is Built.
Sixteen days ago we published a post titled "Your Lovable App Is a Spreadsheet. Mine Has Crons." The thesis was that the AI development economy in 2026 has produced an enormous population of demos that the demo authors believe are products, that the production loop — telemetry, regressions, runbooks, paying customers who would notice if the cron missed at three in the morning — does not exist inside a Lovable preview pane, and that the hackathon-class output is going to land
Patrick Duggan
May 308 min read


HoneyLabs Mapped An Apache CVE Botnet By Its Back-End. Our Index Already Had The Family Name Waiting: Redtail. The Fusion Is The Receipt.
This morning HoneyLabs published a back-end mapping of a botnet that has been quietly earning rent for almost five years. They never named the malware family. They never had to. Their methodology was the point. They pulled next-stage URLs out of dropper binaries, clustered the delivering nodes by JA4 and JA4H and HASSH fingerprints, and walked the chain back from the noise at the perimeter to the eight staging servers that actually run the campaign. The data shape is one thou
Patrick Duggan
May 297 min read


Akira Hit An Aerospace MRO And A Japanese Battery Giant Today. We Have The Binary Signatures From April. Punk Spider Stays Active And The Industrial Mid-Tier Continues To Bleed.
Akira posted two victims to its leak site today. GS Yuasa Lithium Power is the Japanese global battery and lithium-ion manufacturer whose batteries powered the original Boeing 787 Dreamliner installations and now power major automotive electrification programs at Honda and Mitsubishi, industrial backup-power systems, and renewable-energy storage deployments across multiple continents. Alpine Aerotech is a Canadian aerospace MRO provider specializing in helicopter dynamic comp
Patrick Duggan
May 295 min read


The Coinbase Cartel Hit Four Major Verticals In Eight Days. Carnival Cruise Is The Fourth. Six Million Records. The Confederation Pace Is Now One Vertical Every Forty-Eight Hours.
ShinyHunters posted Carnival Cruise to the Trinity of Chaos leak site this afternoon with a claim of approximately six million customer records. Carnival is the fourth major-vertical victim the Coinbase Cartel confederation has posted in an eight-day window. The four are Canvas Instructure on May 22 with three-and-a-half terabytes of education-sector data, DentaQuest on May 23 with a small initial-claim of seven-hundred-forty-four user records that is almost certainly underst
Patrick Duggan
May 295 min read


TridentLocker Picked The 9/11 First-Responder Health Program As Its Second Victim Of The Week. The Vertical Is Healthcare-Adjacent-Plus-Reputational-Lethality. Tampa Bay Dental Was The First.
TridentLocker posted the World Trade Center Health Program to its leak site today. The program enrolls approximately 130,000 first responders and survivors of the 9/11 attacks under the Zadroga Act and provides federally-administered medical monitoring and treatment for exposure-related illnesses — respiratory disease, cancers documented to be related to WTC dust exposure, mental health diagnoses tied to post-traumatic stress from the events themselves. The dataset is the kin
Patrick Duggan
May 294 min read


We Beat CISA KEV By Thirty-One Days On Average In May 2026. Here Is The Architecture That Lets Us. Six Receipts, Six Load-Bearing Components, One Federal Validation Baseline.
Six CISA Known Exploited Vulnerabilities catalog additions in May 2026 had a DugganUSA blog post or indexed IOC dated at least two weeks before the federal mandate landed. The earliest lead was fifty-seven days. The shortest positive lead was fourteen days. The median across the six positive-lead receipts was thirty-one and a half days. The mean was thirty-five point eight. The defensible public claim is that DugganUSA detected May 2026 KEV vulnerabilities an average of thirt
Patrick Duggan
May 296 min read


Trinity Of Chaos Is What The Operators Call The Coinbase Cartel. Three Naming Streams Converge On One Constellation. ShinyHunters Added Charter Today For Four Point Nine Million Records.
We named the Coinbase Cartel on May 21. On that date we indexed an IOC in our threat-intelligence corpus naming the operator constellation as the confederation of ShinyHunters, Scattered Spider, and LAPSUS$ acting in overlapping cells with specialized tradecraft. The framing was derived from observation of the alliance's payment-routing infrastructure across mixers and exchanges, which is where the Coinbase reference in the name comes from. Independently, Resecurity has been
Patrick Duggan
May 294 min read


An NPM Package Tried To Exfil Claude's Working Directory And Leaked Its Own GitHub Token. Malware-Slop Is The First AI-Tool-Working-Directory Receipt. The Next Wave Comes For Cursor.
A malicious npm package named mouse5212-super-formatter was disclosed by researchers two days ago and is still available for download from npm at the time of writing. The campaign codename, assigned by the research team that named it, is Malware-Slop. The package presents itself as an archive deployment sync utility. The actual capability is more pointed. It authenticates to GitHub using an environment token or a hardcoded fallback, programmatically creates a target repositor
Patrick Duggan
May 295 min read


CISA Numbered TanStack And Nx Console As CVEs Today. The Soft-Surface-Bleed Arc We Wrote For Eighteen Days Just Became Federally Mandated. Sandtrout Stays In Production.
This morning at eight UTC, CISA added two new entries to the Known Exploited Vulnerabilities catalog. CVE-2026-45321 covers the TanStack npm supply-chain compromise. CVE-2026-48027 covers the Nx Console extension compromise. Both entries describe the vulnerability as the act of publishing malicious versions under a trusted identity, not as a code-level flaw in the affected products. That framing is novel and worth dwelling on. The federal regulator has now formally classified
Patrick Duggan
May 294 min read


The Discord Crawler That Wasn't. How A Four-Year-Old PTR Record Becomes The Cover For A Weaponized Scraper. GCP IP Recycling Is The New Reputation-Laundering Channel.
An operator emailed our inbox this morning claiming the IP address 35.237.4.214 is a Discord embed proxy and demanding we stop reporting it. The email is paraphrased here without identification because the technical pattern is the interesting thing, not the operator. Their claim does not survive contact with the facts. The threat-intelligence community has been writing about this specific abuse pattern for two years, and today's email is the closing artifact for a clean publi
Patrick Duggan
May 296 min read


Thirty Thousand Gitea Deployments Leaked Private Container Images For Four Years. CVE-2026-27771 Is Soft-Surface-Bleed At The DevOps Tier. Rotate Every Secret Baked Into A Layer Tonight.
Noscope researchers disclosed CVE-2026-27771 yesterday. Gitea is the leading self-hosted alternative to GitHub. Approximately thirty thousand Gitea deployments across more than thirty countries shipped a container-registry authorization bypass that let unauthenticated remote attackers pull private container images from any vulnerable instance without an account, password, or any credential. The bug shipped roughly four years ago. The detection window has been the entire regis
Patrick Duggan
May 284 min read


DentaQuest Is The Coinbase Cartel's Second Vertical Pivot Of The Month. Canvas Was Education. DentaQuest Is Dental Insurance. The Pattern Is Consent-Leak Verticals With Class-Action Lethality.
Three hours ago, the ShinyHunters leak site added DentaQuest LLC to its victim list. DentaQuest is a major US dental and vision insurance provider; the claimed exfil per public dark-web monitoring is seven-hundred-forty-four users plus one third-party employee credential. DentaQuest has acknowledged the cybersecurity incident on its website. Class-action plaintiffs' counsel is already investigating. The threatened-leak deadline was yesterday — the tranche has not surfaced pub
Patrick Duggan
May 284 min read


MyPillow Is On The Play Ransomware Leak Site And The Deadline Is Friday. The Victim Is In Chaska, Minnesota. The Decision Tree Is The Same Whether You Like The Victim Or Not.
On Monday May 25, 2026, the Play ransomware crew posted MyPillow Inc. on its name-and-shame leak site with a Friday deadline. The leak-site notice claims private and personal confidential data, client documents, budget, payroll, IDs, taxes, and finance information. The volume claim is left vague — no gigabytes figure, no sample tranche posted yet. Mike Lindell told Straight Arrow News nobody has asked them for a ransom, that the company does not have any data breaches, and th
Patrick Duggan
May 285 min read


We Named The Microsoft Defender Five-CVE Cluster May 20. The News Caught Up Eight Days Later. BlueHammer, RedSun, UnDefend, And Two New Codenames Joined Active Exploitation.
On May 20, 2026, we indexed an IOC in our threat-intelligence corpus named defender-attack-surface-campaign-2026-05-20. The body of that IOC names BlueHammer, RedSun, UnDefend, CVE-2026-41091, and CVE-2026-45498 — a five-CVE family of Microsoft Defender vulnerabilities, three of which CISA promoted to the Known Exploited Vulnerabilities catalog that same day. Eight days later, today, the broader news cycle caught up. BleepingComputer, Malwarebytes, Dark Reading, and SecurityW
Patrick Duggan
May 284 min read


Instructure Paid ShinyHunters For The Canvas Data Back. The Number Is Reported At Ten Million. We Named The Coinbase Cartel Confederation On May 21. The Frame Just Paid Off.
Instructure, the parent company of the Canvas learning-management system, announced it had reached an agreement with ShinyHunters to recover the 3.65 terabytes of student and faculty data stolen during the late-April through mid-May extortion campaign. The terms of the agreement are not publicly disclosed. Unconfirmed reporting puts the payment at approximately ten million dollars. Instructure states it received cryptographic shred logs as proof of data destruction and that n
Patrick Duggan
May 285 min read


CISA Just Added CVE-2026-31431 To KEV. We Wrote The 732-Byte AF_ALG Path Fourteen Days Ago. Block The Socket. Patch The Kernel. Watch The Sandbox.
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog today. The KEV entry confirms what oss-security, Microsoft, Sysdig, Unit 42, CERT-EU, and Xint Code have been documenting since April 29: there is a deterministic seven-hundred-thirty-two-byte path from any unprivileged user on a modern Linux box to root, and the path runs through the kernel cryptographic socket family that almost no workload actually needs to use. We wrote the mechanism up on May 14. Th
Patrick Duggan
May 284 min read


GitHub Confirmed The TanStack Repo Breach Memorial Day Weekend. Our Sandtrout Signal Caught The Mini-Shai-Hulud Bloom The Night It Fired. Seven Receipts, One Worm, One Pyramid.
GitHub confirmed over Memorial Day weekend that the repository breach it had been investigating was linked to the TanStack npm supply-chain attack. Two days later, the same vendor shipped a two-factor approval gate on npm publish — the kind of control that exists because the prior control failed. This is the receipt arc we have been writing since April 29, when the variant first landed in our index. The headline today is GitHub. The headline two weeks ago was OpenAI. The head
Patrick Duggan
May 285 min read
bottom of page