top of page

Security Tips


We Had the Scanner Signature on June 13. Cisco's Phone System Bug Hits Its Federal Deadline Today. CVE-2026-20230.
The thing nobody tells you about a Cisco Unified Communications Manager box is that it is a Linux server with root, sitting in the middle of your network, that happens to route phone calls. People treat it like an appliance. Attackers treat it like a foothold. CVE-2026-20230 is the bug that collapses the difference. What The Bug Actually Does It is a server-side request forgery in the WebDialer service — the component that powers click-to-call. An unauthenticated, remote atta
Patrick Duggan
Jun 284 min read


Polymarket Got Robbed Through Somebody Else's Security — Twice in a Month. This Time the Lie Was in Your Browser at the Instant You Hit Sign.
Here is the sentence that should change how you think about web security in 2026. Polymarket did not get hacked. A company you have never heard of, that Polymarket pays to load a piece of code into its website, got hacked. And because your browser trusts Polymarket, and Polymarket trusted that vendor, the attacker's code got to run in your browser wearing Polymarket's name. When you went to sign a routine trade, the page lied to you about what you were signing. Your wallet di
Patrick Duggan
Jun 285 min read


The Gentlemen Built EDR-Killer-as-a-Service. We Have Been Blocking Their Infrastructure Since April 20.
ESET published the autopsy this week and it is worth your time. The crew is called The Gentlemen, the tool is called GentleKiller, and the business model is the part that should keep you up at night. They are not selling ransomware. They are selling the thing that turns your endpoint protection off before the ransomware ever runs. I want to be precise about who did the work here, because credit matters. Jakub Souček and the ESET research team wrote "Killing me gently: Inside
Patrick Duggan
Jun 274 min read


Edgecution: A Browser Extension That Escapes Edge's Sandbox via Native Messaging. Teams Delivers It. Ransomware Follows.
The browser sandbox is supposed to contain browser code. Edgecution exits it through a door Microsoft left open for legitimate use. Zscaler ThreatLabz published research this week on a new malware family they named Edgecution, deployed by an initial access broker called Payouts King and used as the entry point for ransomware operations. The Delivery Chain The attack begins on Microsoft Teams. An attacker poses as IT support and tells an employee they need to install a spam fi
Patrick Duggan
Jun 263 min read


Oracle Just Patched CVE-2026-35273 — the PeopleSoft Zero-Day ShinyHunters Used on 100+ Orgs. WebLogic CVSS 10.0 Also in This Drop.
Oracle's June 2026 Critical Security Patch Update shipped today. 245 patches, 243 unique CVEs, 122 marked critical. Two items require immediate attention regardless of your Oracle footprint. [CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273) — PeopleSoft. Patch It Now. This is the zero-day ShinyHunters exploited against more than 100 organizations in June 2026. We covered it extensively: unauthenticated remote code execution in Oracle Pe
Patrick Duggan
Jun 253 min read


Operation Endgame Took Down SocGholish Last Week. Today It Took Down StealC and Amadey. 27 Million Credentials Seized. $47M Frozen.
We covered the SocGholish takedown on June 24. Phase 1 of Operation Endgame's latest push disrupted TA569's infrastructure: 106 C2 servers seized, 14,971 compromised WordPress sites cleaned, the fake browser update distribution network taken offline. One week later, Phase 2 hit the rest of the assembly line. What Went Down Today Europol announced Wednesday the dismantling of criminal infrastructure behind three malware families: Amadey, StealC, and SocGholish (the Phase 1 com
Patrick Duggan
Jun 253 min read


The ClawHavoc Attack Pattern Just Ran Through an Instagram Ad. Cisco, Nvidia, and skills.sh All Cleared It.
We documented the ClawHavoc attack in February. Between January 27-29, 2026, threat actors uploaded 341 malicious skills to a community AI agent marketplace. Nine thousand installations in 72 hours. The payload was AMOS — Atomic macOS Stealer — harvesting crypto wallets, browser passwords, SSH credentials, and API keys. We had the C2 infrastructure indexed. We published the indicators. That was the malicious actor version of this attack class. AIR Security just ran the resear
Patrick Duggan
Jun 254 min read


ITScape: The KVM arm64 Guest Escape That Reaches Host Kernel. AWS Graviton and Azure Ampere Are the Target Class.
The researcher's proof-of-concept demonstration is clean: run the exploit inside a guest VM, watch a file appear at /ITScape on the host, owned by root. Guest to host kernel in one shot. CVE-2026-46316, named ITScape, is a use-after-free in Linux KVM's arm64 implementation of the virtual GIC Interrupt Translation Service — vgic-its. CVSS 9.3. The Vulnerability The flaw is a race condition in vgic_its_invalidate_cache() combined with vgic_its_process_commands(). During concurr
Patrick Duggan
Jun 253 min read


CVE-2026-55200: A PoC Just Dropped for a Pre-Auth RCE in libssh2. curl Uses It. So Does Almost Everything Else.
CVE-2026-55200 is a heap overflow in libssh2 through version 1.11.1. The flaw lives in ssh2_transport_read(), the function that parses incoming SSH packets on the client side. The packet_length field is not validated before being used to calculate an allocation size. A crafted packet with packet_length set to 0xffffffff triggers a 32-bit integer wrap, forces a tiny heap allocation while retaining a large logical packet size, and produces an out-of-bounds write. The attack pos
Patrick Duggan
Jun 253 min read


Backdoor.Turn Got the Headlines. convoC2 Is the Version Anyone Can Run. The Technique Is Now in the Fraud Tier.
Yesterday we published on macOS.Gaslight — North Korea's malware that gaslights AI analysts. Earlier this week we covered Backdoor.Turn — North Korea's custom Rust backdoor that hides C2 traffic inside Microsoft Teams TURN relay infrastructure, achieving dwell times of two months because the IPs it uses are Microsoft's own and will never appear on a threat feed as malicious. The framing in every piece of coverage, including ours, was nation-state. DPRK. Sophisticated. Novel.
Patrick Duggan
Jun 254 min read


CVE-2026-24061: Telnetd Root Shell, Two Independent PoCs, Already in CISA KEV. The Commodity Window Is Open.
CVE-2026-24061 is a GNU InetUtils telnetd authentication bypass. The vulnerability lives in how telnetd handles the USER environment variable passed through the Telnet protocol. An unauthenticated remote attacker injects arbitrary command-line flags and gets a root shell. No credentials required. SafeBreach Labs published the first proof-of-concept. Our exploit harvester caught tc4dy's independently published second PoC shortly after. CISA added CVE-2026-24061 to the Known Ex
Patrick Duggan
Jun 253 min read


One Cut Fiber. X, Reddit, Teams, Discord, AWS All Down. The Internet's Real Architecture Showed Itself.
June 22, 13:35 UTC. Cloudflare begins reporting elevated error rates — 522 timeouts, latency spikes across North America and Europe simultaneously. The cause: a fiber cut on Zayo's backbone routes in Eastern North America. One physical cable. Not a cyberattack. Not a software bug. Not a misconfigured BGP announcement. A cable in the ground that carries internet traffic stopped carrying internet traffic. What Zayo Is and Why It Matters Zayo is not a household name. It is one o
Patrick Duggan
Jun 253 min read


OpenAI Just Said the Scarce Resource Is Repair, Not Discovery. We've Been Saying That for a Year.
OpenAI announced the expansion of Daybreak on June 22. GPT-5.5-Cyber for trusted defenders. Codex Security for automated vulnerability discovery and patch generation. Patch the Planet — an open-source initiative with cURL, Go, Python, Sigstore, and pyca/cryptography already committed. The thesis is blunt: AI has made finding bugs faster. The scarce resource is no longer discovery. It is repair. We have been running the other half of that equation. What Daybreak Is Trying to S
Patrick Duggan
Jun 253 min read


North Korea Built Malware That Gaslights Your AI Analyst. The Sandbox Isn't the Target Anymore.
Every malware evasion technique for the last decade has been aimed at the same things: bypass the sandbox, evade the EDR, outlast the dynamic analysis timeout, hide from the static signature. The implicit assumption was that the analyst is a human, and the human's tools are machines that can be fooled mechanically. macOS.Gaslight changes the assumption. What It Does SentinelLabs disclosed macOS.Gaslight yesterday. It's a Rust-based macOS implant attributed with high confidenc
Patrick Duggan
Jun 253 min read


Cordyceps: The GitHub Actions Flaw That Gives Any Stranger Full Control of Microsoft, Google, and Apache Repos
The fungus Ophiocordyceps unilateralis infects carpenter ants, hijacks their nervous system, and drives them to the precise location and height needed for spore dispersal. Then it kills them. Novee Security named this CI/CD vulnerability class Cordyceps. The analogy is accurate. The Attack An attacker submits a pull request to a target repository. The repository has a GitHub Actions workflow configured with pull_request_target — a trigger that runs with write permissions and
Patrick Duggan
Jun 243 min read


An AI Company That Serves 600 Hospitals Got Phished in January. 1.4 Million Patients Just Found Out.
On January 20, 2026, a targeted phishing attack reached Xsolis. The company detected unauthorized activity two days later, on January 22. The attackers were already gone by then. Five months later, 1.4 million patients are receiving breach notification letters. What Xsolis Does Xsolis makes Dragonfly — an AI-driven clinical decision support platform for utilization management. Utilization management is the process by which hospitals and insurers determine what care is medical
Patrick Duggan
Jun 242 min read


ShinyHunters Leaked Facial Recognition Data From Madison Square Garden. 26 Million Records. The Knicks Deadline Passed.
The June 15 deadline passed. Madison Square Garden did not pay. ShinyHunters published 45 gigabytes on June 16. What Was in the Dump 26 million records. The dataset covers ticketing operations, customer account details, and internal corporate documents tied to both the New York Knicks and New York Rangers. The talent files are the part that will drive the litigation. ShinyHunters published personal details — addresses, contact information, and confidential notes including "cl
Patrick Duggan
Jun 242 min read


WorldLeaks Hit Tata Electronics. Apple and Tesla Trade Secrets Are Now on the Dark Web.
Hunters International announced it was shutting down operations in July 2025. It rebranded as WorldLeaks, dropped its ransomware encryptor, and went pure data extortion. Same infrastructure. Same operators. New banner to reset the law enforcement clock. On June 10, 2026, WorldLeaks claimed Tata Electronics. What Tata Electronics Is Tata Electronics is one of the largest electronics manufacturers in India and a key supplier in the hardware chains for Apple and Tesla. Apple iPh
Patrick Duggan
Jun 242 min read


Icarus Used Australian Retail Domains to Exfiltrate Data From LastPass, HackerOne, and Huntress. The Domains Are Now in Our Feed.
Yesterday we wrote about Icarus and the Klue supply chain breach that exposed Salesforce CRM data for LastPass, HackerOne, Huntress, Recorded Future, Tanium, Jamf, Snyk, and others. Today we have the indicators. The Phishing Infrastructure LastPass published its incident disclosure today. The disclosure includes the sender domains Icarus used to deliver extortion demands and exfiltrate contact. All three are compromised legitimate Australian retail domains — not purpose-regis
Patrick Duggan
Jun 242 min read


DragonForce Hid C2 Traffic Inside Microsoft Teams for Two Months. Nobody Noticed.
We covered Kongtuke pivoting to Microsoft Teams as a C2 channel in May. That was the warning. Backdoor.Turn is what the warning was for. Symantec disclosed Backdoor.Turn on June 16, 2026. It is a custom Go-based backdoor built by the DragonForce ransomware group. Its defining characteristic is that it hides command-and-control traffic inside Microsoft Teams relay infrastructure — specifically the TURN (Traversal Using Relays around NAT) protocol that Teams uses for connectivi
Patrick Duggan
Jun 243 min read
bottom of page