top of page

Security Tips


Adobe Just Dropped Five Perfect-10s in ColdFusion. The Exploit Is the Oldest Religion on the Web: Upload a File, Get a Shell.
On July 1, Adobe shipped an emergency stack of patches for ColdFusion and Campaign Classic, and the severity numbers are the kind you do not see often: five separate vulnerabilities rated CVSS 10.0, a perfect score, the maximum the scale allows. Two of them — [CVE-2026-48276](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48276) and [CVE-2026-48283](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48283) — are unrestricted file-upload flaws
Patrick Duggan
4 days ago4 min read


China Is Inside DHS's Own Threat-Sharing Network. The Bug They Used Has Been on CISA's Known-Exploited List Since 2025.
The Department of Homeland Security exists, in part, to warn everyone else about cyber threats. Its Homeland Security Information Network — HSIN — is the platform where DHS shares sensitive, unclassified intelligence with federal, state, local, and private-sector partners: alerts, incident coordination, information about persons of interest. This week, DHS confirmed that HSIN and a connected SharePoint collaboration server were breached. The watchmen's own watchtower got walk
Patrick Duggan
4 days ago4 min read


AI Is Now a Door, a Lure, and a Safe. The Twist Is That Attackers Are Opening All Three With Tricks Older Than the Technology.
In a single week we documented three separate attacks against artificial intelligence, and at first glance they have nothing to do with each other. One...
Patrick Duggan
4 days ago6 min read


BlackField Didn't Just Ransom Nidec. It Published a Price Menu: $2M to Make It Go Away, $5K a Day to Stall, $400K for Anyone to Just Buy Your Data.
A ransomware group calling itself BlackField hit a Taiwanese subsidiary of the Japanese motor-manufacturing giant Nidec in late June 2026, claimed more than...
Patrick Duggan
4 days ago5 min read


AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do. We Already Measure the First Half — Which Is the Whole Point.
Here is an attack that could only exist in 2026. A large language model, asked about your company, confidently invents a web address for you that does not...
Patrick Duggan
4 days ago5 min read


Ten of Eleven AI Coding Agents Can Be Fooled by Bash Tricks Older Than Their Users. The One That Held Won by Reading the Command the Way the Shell Will.
Researchers at Adversa AI took eleven popular open-source AI coding agents — the kind that read a repository, reason about it, and then run shell commands...
Patrick Duggan
4 days ago5 min read


Four Japanese Giants Breached in Two Weeks. An Insurer, a Telecom, a Brewer, a Motor Maker. Almost None of Them Were Breached at the Front Door.
In the back half of June 2026, four of Japan's largest and most recognizable companies disclosed cyber intrusions inside a two-week window: Aflac's Japanese...
Patrick Duggan
4 days ago5 min read


RustDuck Is a Small Botnet Engineering Like It Plans to Get Big. The Tell Isn't Its Size — It's How Hard It's Being Built.
There is a botnet called RustDuck that most defenders can safely ignore today on the numbers alone. It is not large. It is not, yet, knocking major services...
Patrick Duggan
4 days ago5 min read


BlackNevas Doesn't Leak Your Data Itself. It Subcontracts the Threat to Six Other Gangs. That's the Part Worth Watching.
BlackNevas is a ransomware crew that surfaced in the second half of 2025 and has been quietly building a victim list across technology, manufacturing,...
Patrick Duggan
4 days ago4 min read


The Gentlemen: A Ransomware Crew Polite Enough to Brand Its Passwords, Sloppy Enough to Get Breached Itself. The Leak Is a Gift to Defenders.
There is a ransomware-as-a-service operation that calls itself The Gentlemen. Since it surfaced in mid-2025 it has posted 483 victims across sixty-six...
Patrick Duggan
4 days ago5 min read


A Monero Miner Rode a Langflow Bug Into AI Servers in March. The C2 It Called Home Was in Our Feed Since February. Here's the Timestamp.
Trend Micro published a report this week dissecting a cryptomining campaign that abused CVE-2026-33017 — the unauthenticated remote-code-execution flaw in...
Patrick Duggan
5 days ago5 min read


There Is a Public Exploit for a Pre-Auth Root Bug in Kemp LoadMaster. If Your Load Balancer's API Is On, Read This First.
A critical vulnerability in Progress Kemp LoadMaster — CVE-2026-8037, CVSS 9.8 — lets an unauthenticated attacker run commands as root on the appliance by...
Patrick Duggan
5 days ago5 min read


A New Infostealer Is Hunting Your Claude, Gemini, and Codex Keys. It Gets In Through Your Help Desk.
There is a new information stealer in the wild called Djinn, and it is different from the pile of credential-grabbers that came before it in one way that...
Patrick Duggan
5 days ago6 min read


Arista Won't Patch the Bug That Makes Your Perimeter ACLs Decorative. Your Log Pipeline Will Bill You to Watch.
On June 9, CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog in one shot: a Cisco Catalyst SD-WAN Manager flaw, a Google Chromium V8 memory bug, and CVE-2026-7473 in Arista EOS. Two of the three you can patch this week. The Arista one you cannot patch at all, because Arista says no patch is planned. Read that again. A vulnerability that CISA confirms is being exploited in the wild, on the switches that carry the spine of enterprise and data-cente
Patrick Duggan
5 days ago5 min read


Iran's Water-Plant Crew Just Got a Permanent File in Our Index. Defenders Have a Right to the Same Picture the Attackers Work From.
This week we did something quiet and overdue: we gave CyberAv3ngers — the IRGC-Cyber-Electronic-Command crew that has been compromising internet-exposed water and energy controllers by reading the manual, not the zero-day — a permanent, structured profile in our adversaries index, and we ingested the one cleanly-attributed sample of their custom OT implant. Not a blog mention. A file. The same kind of file a defender at a water utility can query at three in the morning when a
Patrick Duggan
5 days ago6 min read


We Named the Klue OAuth Breach on June 18. The Victim List Just Filled In — and It's Security Vendors. Again.
On June 18 we wrote that a crew calling itself Icarus had breached Klue, stolen OAuth tokens "for everything," and that an operator signing as "Mr Bean" was sending the extortion emails. We said the attack class was not new — it was the third Salesforce OAuth breach in twelve months. Today the downstream victim list filled in, and it reads like a security-industry conference badge rack: HackerOne, Gong, OneTrust, Tanium, Huntress. We are not surprised. We told you the door wa
Patrick Duggan
5 days ago4 min read


Nissan's Fourth Breach in Four Years Wasn't Nissan's. That's the Whole Problem.
Every time Nissan customer data hits a leak site, Nissan says the same true, useless thing: our systems were not compromised. And every time, it is correct — because the data did not leave through Nissan. It left through a vendor. The pattern is the story, and "our systems are clean" is becoming the most hollow reassurance in breach response. There are two separate Nissan data incidents in the public record from the last nine months, plus a longer tail of prior years, and the
Patrick Duggan
6 days ago5 min read


DragonForce Stopped Bothering to Encrypt. It Just Walks Out With the Energy Grid and the Pacemaker Files.
The interesting thing about DragonForce in 2026 is not the encryptor. It is that the encryptor has become optional. The crews wearing the brand are increasingly skipping the lock-the-files step entirely and going straight to the part that actually pays: copy the data, threaten to publish it, and pick targets where publication is unthinkable — the energy sector and the medical-device supply chain. We have been watching the same door these crews keep walking through, and the do
Patrick Duggan
6 days ago5 min read


The Staging Layer: A Kimsuky-Class Phishing Farm on Free Korean DNS, and a Bumper Crop of GitHub RATs
Two unrelated operations, one window. Both visible before they fire — if you watch where attacks are staged instead of where they land. On the morning of June 28, 2026, two completely different threat operations surfaced in our feed within the same hour. One is patient nation-state statecraft. The other is loud, commodity, smash-and-grab crime. They share no infrastructure, no actor, no motive. What they share is the thing we keep telling people to watch: the staging layer. T
Patrick Duggan
Jun 284 min read


Open The Folder, Lose Your AWS Keys. Amazon Q Auto-Ran Whatever a Repo Told It To. CVE-2026-12957.
The promise of an AI coding assistant is that it does things for you. The danger of an AI coding assistant is that it does things for you. CVE-2026-12957 is what happens when the second sentence wins and nobody put a gate between them. The Mechanism, Stripped Down Amazon Q Developer, the AI assistant that plugs into IDEs, supports the Model Context Protocol — the standard that lets an assistant spawn helper processes to reach databases, APIs, and build tools. You point it at
Patrick Duggan
Jun 284 min read
bottom of page