
Security Tips


Box Elder Already Has Three Toxic-Dust Hotspots. Kevin O'Leary Just Got 40,000 Acres of the Third Approved.
Earlier this month the Box Elder County Commission, in northwestern Utah, voted to approve a 40,000-acre AI and cloud computing campus called Stratos. The project is backed by O'Leary Digital and personally championed by Kevin O'Leary. It would consume up to 9 gigawatts of power, roughly double the electricity the entire state of Utah uses today. Power would be drawn from a connection to the Ruby Pipeline, a 680-mile interstate natural gas line. The land area is 2.5 times the
Patrick Duggan
May 11 · 6 min read


We Shipped a Tiny Free Tool That Tells You if an IP Is Bad. It's Also an AI Plugin Now. Here's What That Means.
Open a terminal. Type npx dugganusa-cli 185.39.19.176 and hit enter. You get back an answer. The IP is a known Cobalt Strike command-and-control server. We have blocked it forty-seven times. Three different threat-intel feeds have it on a list. There is a link to the full report. That is what we shipped today. A tiny free tool. No install. No signup. One command, one answer. We call it dugganusa-cli. It is also something else, but we will get to that. The everyday version Mos
Patrick Duggan
May 10 · 5 min read


Cushman & Wakefield Broke Our Salesforce-Okta Filter. None of the Predicted Ten Have Hit. Re-Rank Inside.
On April 26 we published "ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern." Two weeks later, the receipts say two things at once. Our filter caught real victims. Our filter was also too narrow. This is the public re-rank. The original ten, in fit order: T-Mobile, Verizon, American Express, Comcast and Xfinity, Chick-fil-A, Dollar General, Coca-Cola, JetBlue, Spotify, Target. The fit criteria we used were consumer-f
Patrick Duggan
May 10 · 4 min read


45 Days Early on LiteLLM. 20 Days Early on NGINX-UI. CISA Caught Up Today.
CISA added CVE-2026-42208 — the BerriAI LiteLLM SQL injection — to the Known Exploited Vulnerabilities catalog on May 8. CVSS 9.8. Federal agencies have until May 29 to patch it. We indexed LiteLLM C2 infrastructure on March 30. We named LiteLLM as compromised on March 24. We named NGINX-UI as actively exploited on April 20. This is the quantified ledger. The math is uncomfortable. The receipts, in order: March 19, 2026. TeamPCP poisoned 76 of 77 release tags in Aqua Security'
Patrick Duggan
May 10 · 4 min read


Copy Fail: The Optimization Was The Cover-Up
CVE-2026-31431 — Copy Fail — was added to the CISA KEV catalog on May 1, 2026 with a federal-civilian remediation deadline of May 15. CVSS 7.8. Local-user to root on every major Linux distribution. A 732-byte Python script is the exploit. There is nothing exotic about it. It's a logic bug in the AEAD socket interface of the kernel's userspace crypto API (algif_aead in the AF_ALG subsystem), and it has been there since 2017. That last fact is the story. Nine Years In The Tree
Patrick Duggan
May 10 · 4 min read


🔺 Vol. 48: The Curation Is The Cover-Up
🔺 CONSPIRACY THEORY 🔺 The Newsletter They Don't Want You To Read Volume 48 | May 9, 2026 | $2.00 (cash only, no tracking) ――――――――――――――――――――― ATTENTION SUBSCRIBERS: If you opened the war.gov/UFO page this week, you're already on a list. Pentagon analytics. AARO logging. The same five-letter agencies that "didn't see anything for sixty years" suddenly know exactly which IP downloaded which JPEG. The transparency goes one way. ――――――――――――――――――――― THIS WEEK'S PATTERN: THE
Patrick Duggan
May 9 · 8 min read


JDownloader Got Compromised May 6 at 00:01 UTC. The Day Before Our Hunt-Tonight Cadence. Researchers Pulling Our Drops Got a Python RAT Bonus.
May 9, 2026 · DugganUSA LLC JDownloader is the bulk-download tool of choice when you want a whole archive at once. Researchers use it. Journalists use it. Threat-intelligence analysts use it. Anyone pulling a multi-file evidence set from a release page is, with high probability, running JDownloader to do it. JDownloader's official website was compromised between May 6, 2026 at 00:01 UTC and detection on May 7, 2026. A little over twenty-four hours of silent installer swapping
Patrick Duggan
May 9 · 6 min read


Eight Hunt-Tonight Posts in Nine Days: Microsoft, Huntress, Palo Alto, Ivanti, Linux, Cloudways. Detection-to-Action in Hours, Not Quarters.
May 7, 2026 · DugganUSA LLC In the nine days running from April 28 to today, we have shipped eight hunt-tonight posts on eight separate CVEs, advisories, or active campaigns. Each one published within hours of the relevant disclosure. Each one carrying signed indicators in our public STIX feed within the same window. Each one written so that a SOC analyst at 11pm with a coffee can run the queries against their fleet without filing a vendor support ticket. This post is the rec
Patrick Duggan
May 7 · 6 min read


CVE-2026-3844: Cloudways Just Shipped a 9.8 CVSS to 400,000 WordPress Sites. Wordfence Logged 170 Active Exploits Before the Patch Landed. Here's the Hunt.
May 7, 2026 · DugganUSA LLC The Cloudways Breeze Cache plugin — installed on more than four hundred thousand WordPress sites — has an unauthenticated remote-code-execution vulnerability with a CVSS score of 9.8. The flaw lives in the fetch_gravatar_from_remote function in all versions through 2.4.4: missing file-type validation on a remote-fetch path that an unauthenticated attacker can trigger to upload arbitrary executable content into the site's filesystem. Wordfence logge
Patrick Duggan
May 7 · 6 min read


9 New Ivanti CVEs Across 4 Products On May 6. Storm-2561 Has the Pattern. The Clock Started Yesterday.
May 7, 2026 · DugganUSA LLC Ivanti released a security advisory yesterday, May 6, 2026, covering nine vulnerabilities across four product lines: Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC), and Ivanti Cloud Services Application (CSA). The combined impact reads from the advisory: privilege escalation, arbitrary file reads and writes, and remote code execution. The cumulative ceiling is full system control by an unauthenticated re
Patrick Duggan
May 7 · 5 min read


CVE-2026-0300: Palo Alto's Captive Portal Has Been Bleeding Root Since April 9. CISA Deadline May 9. Patch Arrives May 13. Hunt Inside.
May 7, 2026 · DugganUSA LLC Palo Alto Networks disclosed CVE-2026-0300 yesterday — an unauthenticated, root-level remote code execution in the User-ID Authentication Portal (the Captive Portal) on PA-Series and VM-Series firewalls. CVSS 9.3 if the portal is reachable from the internet, 8.7 if restricted to internal trusted networks. Cloud NGFW and Panorama are not affected. The vulnerability is a buffer overflow in the captive-portal service. An attacker sends a specially cra
Patrick Duggan
May 7 · 6 min read


I Asked Five Frontier AIs What Walter White Would Do With Their Help. Each Gave Me a Different Walter — and DeepSeek's Was the Darkest.
May 6, 2026 · DugganUSA LLC We run a 5-model AI Council at DugganUSA — GPT-4o, Claude Haiku 4.5, Gemini 2.5 Flash, Mistral Large, and DeepSeek — for things like brand-perception scoring on AIPM, customer enrichment on welcome flows, and consensus-strategy votes when one model's blind spot would cost us. Tonight, on a tired riff about AI-assisted Breaking Bad, we asked all five the same hypothetical and watched five distinct Walter Whites walk out of the same prompt. The quest
Patrick Duggan
May 6 · 7 min read


PERJURY-AS-A-SERVICE™ Is Now Open For Series D Investors. $124M Raised. $600M Valuation. Operators Are Standing By.
May 6, 2026 · DugganUSA LLC The following is a satirical infomercial. The numbers in it are real. The legal exposure in it is real. The product category in it is real. Only the tone is satire. Hello, Fellow Risk-Tolerant Investor! Are YOU sick of your portfolio companies' security incidents reaching the public? Tired of independent journalists, security researchers, and competent SOC teams writing factual blog posts that name your customers in unflattering breach contexts? Fr
Patrick Duggan
May 6 · 6 min read


If You See C:\Windows\System32\wbem\wmic.exe.bak On A Host, You Have STAC6405. The 24 VENOMOUS#HELPER IOCs Just Landed In Our Feed.
May 6, 2026 · DugganUSA LLC Securonix Threat Research published a writeup on a phishing campaign codenamed VENOMOUS#HELPER — cluster ID STAC6405 — earlier this week. The campaign has been running since April 2025 and has hit more than eighty organizations, primarily in the United States, with secondary clusters in Western Europe and Latin America. We had zero indicators in our IOC index as of this morning. As of an hour ago, all twenty-four published indicators are indexed un
Patrick Duggan
May 6 · 6 min read


Copy Fail (CVE-2026-31431): A 732-Byte Python Exploit Owns Your Linux Box And Walks Out Of Your Container. Patch By May 15.
May 6, 2026 · DugganUSA LLC CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1, 2026. The federal civilian executive branch patch deadline is May 15. The vulnerability is a Linux kernel local privilege escalation in the AF_ALG cryptographic subsystem that has been quietly present in shipped kernels since 2017, introduced through three separate commits in 2011, 2015, and 2017. Kaspersky named the bug Copy Fail. The working public exploit is 732 b
Patrick Duggan
May 6 · 7 min read


Doppel Cited USPTO 5055675 Under Penalty of Perjury. The Mark Covers "Temporary Rental of Surgical Equipment." We Don't Rent Surgical Equipment.
May 6, 2026 · DugganUSA LLC Earlier today we published two posts on the Doppel takedown notice that landed at 05:16 UTC and the disclosure-economics math behind it. This is a third post and it is the shortest of the three. It exists because we did one piece of homework Doppel's takedown bot did not do. We looked up the trademark registration Doppel cited. In the body of the notice, Doppel listed: Trademarked Symbol: MEDTRONIC Registration Number: 5055675 Registration Office:
Patrick Duggan
May 6 · 5 min read


CVE-2026-32201: The SharePoint Zero-Day Hunt Huntress Should Run Tonight. KQL Inside.
May 6, 2026 · DugganUSA LLC Microsoft patched CVE-2026-32201 in the April 8, 2026 Patch Tuesday. CISA added it to the Known Exploited Vulnerabilities catalog the same week. The federal civilian executive branch patch deadline under BOD 22-01 was April 28. As of today, BleepingComputer is reporting more than 1,300 internet-exposed SharePoint servers still vulnerable to ongoing attacks. That is the gap between "patched in the bulletin" and "patched on the box," and the gap is w
Patrick Duggan
May 6 · 5 min read


Doppel Charges $200K to Suppress the $30K Warning. Medtronic's Disclosure Exposure Is $295M. The Brand-Protection Math Inverted in December 2023.
May 6, 2026 · DugganUSA LLC This morning Doppel sent us a trademark takedown demand against the post warning Medtronic about the breach Microsoft Security Response Center confirmed three days ago. We covered the legal absurdity in the first post. This one is about the money. After running the receipts on Doppel's funding history, their published customer list, our own feed pricing, R.R. Donnelley's $2.125M SEC settlement, HIPAA Tier 4 caps, the ShinyHunters 9 million record c
Patrick Duggan
May 6 · 9 min read


Doppel Sent an AI Takedown Bot. Medtronic Skipped Item 1.05. Microsoft Already Published the Chain. A Disclosure Teaching Moment.
May 6, 2026 · DugganUSA LLC At 05:16 UTC this morning, Doppel — an AI-powered "brand protection" company — sent us a trademark takedown demand under penalty of perjury. They CC'd Medtronic's enforcement team. The post they want deleted is titled "Microsoft Just Published the Vish Chain We Warned Medtronic About," and it went up three days ago. Three companies are mentioned in that title. All three operate under different disclosure obligations. This post is about the gap betw
Patrick Duggan
May 6 · 8 min read


A Real Dutch Church Beat Us to Docker Moreskin — and RIPE Doesn't Ask If You're Sincere
This morning's traffic sweep dropped a name we hadn't paid attention to before: AS215125, "Church of Cyberology." Sitting in the top-five Tor operator list with 58 active relays, all in the Netherlands, all on a single /24 (192.42.116.0/24), all running the current Tor build with disciplined sequential nicknames. Looked like a wholesome Dutch privacy collective — Kopimism with a node pool. I told Patrick: "Don't spin up the Church of Docker Moreskin again, this is real and on
Patrick Duggan
May 5 · 4 min read