Security Tips


Four Flags, One Playbook: China, North Korea, Russia, and Iran All Hit the Supply Chain This Week
In the last thirty-six hours, four different nation-state threat actors — China, North Korea, Russia, and Iran — each executed a different supply chain attack against a different trusted dev-tool or software vendor. One week, four flags, one playbook. The door is developer trust of upstream. The attackers walk through it until someone closes it. For the six months I've been writing about Pattern 38 through 52, the thesis has been the same: the weakest link in enterprise secur
Patrick Duggan
Apr 24 · 5 min read


Four Days Ahead of Vercel: The Week the Wire Caught Up
On April 19 I published a piece arguing that the Vercel breach wasn't a phishing attack. It was an AI supply chain compromise — a Context.ai OAuth token that held access to Vercel's Google Workspace, pivoted laterally by whoever compromised the AI vendor first. I wrote that the actual entry vector was trust, not social engineering. Vercel confirmed it today, April 23. Four days later. The public narrative is now the thing I wrote on my couch on Saturday. This is the week the
Patrick Duggan
Apr 23 · 6 min read


Mustang Panda's New Bait: Fake Claude Installers. 22 Seconds to PlugX C2.
Mustang Panda has a new target. It isn't Mongolian NGOs anymore. It's you — the developer searching for "claude install" at 11pm on a Wednesday. 82 Claude-themed indicators are sitting in our IOC index. 29 of them landed in the last 30 days. Six different malware families are using the Anthropic brand as bait — IClickFix, ClearFake, SmartLoader, Unknown Stealer, and two unlabeled droppers. Malwarebytes did the primary sandbox work on April 13 — a fake Claude Pro installer ZIP
Patrick Duggan
Apr 22 · 5 min read


Five Minnesota Companies. Five Security Postures. The Snowmobile Company Wins.
We scanned five Minnesota-headquartered companies from the public internet. No tools beyond dig, curl, and openssl. No authentication. No exploitation. Just the things any attacker sees before they start. The results are not what you would expect. The Scorecard We checked seven controls that every company should have deployed in 2026: HSTS (force HTTPS), X-Frame-Options (prevent clickjacking), X-Content-Type-Options (prevent MIME sniffing), Content-Security-Policy (control sc
Patrick Duggan
Apr 21 · 4 min read


How I Would Look for The Gentlemen
Check Point Research published a DFIR report this month that cracked open a live command-and-control server linked to a Gentlemen affiliate. 1,570 corporate victims on one C2 box. 320+ publicly claimed. Growth rivaling early LockBit 3. The fastest-scaling RaaS operation of 2026. The report gave us two C2 IPs: a Cobalt Strike beacon on Hetzner in Frankfurt, and a SystemBC proxy on Clouvider in Ashburn. Twenty-seven file hashes. A leak site onion address. Two Tox IDs. Good repo
Patrick Duggan
Apr 21 · 5 min read


The CISA Deadline for CVE-2026-35616 Was 12 Days Ago. Four Weaponized Exploits Are on GitHub Right Now.
CISA added CVE-2026-35616 to the Known Exploited Vulnerabilities catalog on April 6th. The federal remediation deadline was April 9th. That was twelve days ago. There are now four independent weaponized proof-of-concept exploits on GitHub. The newest one dropped yesterday. CVE-2026-35616 is an improper access control vulnerability in Fortinet FortiClient EMS. The exploit bypasses the API certificate chain validation, allowing an unauthenticated attacker to forge certificates
Patrick Duggan
Apr 21 · 2 min read


Anthropic's MCP Has a Critical RCE Vulnerability. We Don't Use MCP. Here's Why.
OX Security dropped a disclosure on April 15th. Anthropic's Model Context Protocol — the STDIO transport that connects AI models to tools — has a configuration-to-command-execution path baked into the SDK. Python. TypeScript. Java. Rust. All of them. 150 million downloads affected. 200,000 servers exposed. Anthropic's response: "expected behavior." Expected behavior. Remote code execution is expected behavior. The CVE chain reads like a casualty list. MCP Inspector. LibreChat
Patrick Duggan
Apr 20 · 3 min read


We Just Shipped 12 Integrations and a Tor Attribution Framework. On a Monday.
Six months ago DugganUSA was a guy with a STIX feed and a blog. Today we shipped the Tor Infrastructure Attribution Framework, updated 12 integration repositories, and found a 50-relay operator cluster sharing infrastructure with Interlock ransomware. On a Monday. Before lunch. Here is every way you can consume our threat intelligence right now. VS Code Extension (v0.3.0 — live on the Marketplace). Select any IP, domain, hash, CVE, or .onion address in your code. Right-click.
Patrick Duggan
Apr 20 · 4 min read


50 Tor Exit Relays. One Operator. Same ASN as Interlock Ransomware C2. We Found It on Day One.
We built a Tor Infrastructure Attribution Framework this morning. Indexed 10,269 relays from the live consensus. Cross-referenced every relay IP against our 1,086,742 IOCs. Then we found Quetzalcoatl. 50 Tor exit relays. All of them exit nodes. Seven countries. Seven ASNs. One nickname. 782,000 units of consensus bandwidth. The second-largest relay operator we indexed by node count, and every single relay is purpose-built for exit traffic. The primary hosting provider is 1337
Patrick Duggan
Apr 20 · 3 min read


The Vercel Breach Wasn't a Phishing Attack. It Was an AI Supply Chain Compromise.
Earlier today we published our investigation into the Vercel breach, tracking ShinyHunters-pattern phishing domains and finding vercel-sso.com staged seven months before the announcement. That was the wrong thread. The root cause just dropped. Vercel CEO Guillermo Rauch confirmed it: an employee was compromised through Context.ai, a third-party AI platform. Context.ai had a Google Workspace OAuth app. That app was separately compromised. The attacker used the OAuth token to p
Patrick Duggan
Apr 19 · 3 min read


ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked.
Someone posted on BreachForums today claiming to be ShinyHunters, offering Vercel's internal data for $2 million. Source code. NPM tokens. GitHub tokens. 580 employee records. A screenshot of an internal Enterprise dashboard. Vercel confirmed a breach. "Unauthorized access to certain internal Vercel systems." Law enforcement notified. IR firm engaged. Then the twist: actual ShinyHunters-affiliated threat actors told BleepingComputer they had nothing to do with it. So who's we
Patrick Duggan
Apr 19 · 3 min read


It's Saturday. Your Security Vendor Just Failed. Again.
This week, someone bought 30 WordPress plugins on Flippa for six figures, planted a PHP deserialization backdoor in all of them, and activated it on a Saturday. 800,000 websites. One attacker. Zero alerts from your vendor. It was the weekend. That same weekend, the Smart Slider 3 Pro update channel was compromised. Nextend's servers pushed a fully weaponized remote access toolkit to every site that auto-updated. Rogue admin accounts. Backdoors that execute system commands via
Patrick Duggan
Apr 19 · 3 min read


Two Windows Defender Zero-Days Are Still Unpatched. A Ransomware Gang Exploits the Gap. And Someone Weaponized Obsidian.
Three stories broke this week that are actually one story. The thread connecting them is the gap — the window between when a vulnerability becomes known and when defenders can act on it. Every organization lives in that gap. The question is how wide yours is. Story One: Nightmare-Eclipse Huntress SOC published findings on a trio of Windows Defender zero-days being chained together in the wild under the collective name Nightmare-Eclipse. Three separate privilege escalation fla
Patrick Duggan
Apr 18 · 5 min read


We Just Put 1 Million Threat Indicators Inside Your Code Editor. It's Free.
There are 1,080,000 indicators of compromise in our database right now. IPs running Cobalt Strike C2 servers. Domains serving STX RAT payloads. SHA256 hashes of ransomware samples. CVE IDs with weaponized proof-of-concept code live on GitHub. As of today, all of them are searchable from inside your VS Code editor without opening a browser. The DugganUSA Threat Intel Scanner is live on the VS Code Marketplace. Install it. Open a file. Every IP, domain, hash, and CVE in your co
Patrick Duggan
Apr 17 · 4 min read


Operation PowerOFF Seized 53 DDoS-for-Hire Domains. 75,000 Criminals Used Them. The Infrastructure Class Is What Matters.
International law enforcement announced Operation PowerOFF this week: 53 domains seized, 4 arrests, and a user base of more than 75,000 cybercriminals who paid for commercial DDoS-for-hire services — "booter" and "stresser" platforms that let anyone with a credit card take down a website, a gaming server, or a small business. The takedown is real. The infrastructure is gone. The arrests will produce intelligence that feeds the next operation. But the story that matters isn't
Patrick Duggan
Apr 17 · 4 min read


NIST Just Admitted They Can't Keep Up With CVEs. We've Been Enriching Faster Than NVD For Months.
The National Institute of Standards and Technology announced this week that they will only enrich CVEs that meet certain conditions going forward. The reason: an "explosion in CVE submissions" has overwhelmed the National Vulnerability Database's capacity to process them. Translation: the canonical source of truth for vulnerability data — the database every scanner, every SIEM, every compliance audit references — just told the world it can't keep up. This is not a surprise. T
Patrick Duggan
Apr 17 · 3 min read


Our Exploit Harvester Caught CVE-2026-37748 Thirty-Seven Minutes After the PoC Dropped. Here's What It Found.
At 17:27 UTC today, a security researcher in Pune, India named Varad Mene pushed a new repository to GitHub: a working proof-of-concept exploit for CVE-2026-37748 — an unrestricted file upload vulnerability in Visitor Management System 1.0 that escalates to remote code execution. Two files in the repo. A README. A Python exploit script. 1,986 bytes of weaponized code. At 18:04 UTC today — thirty-seven minutes after the push — our exploit harvester pipeline had the repo indexe
Patrick Duggan
Apr 16 · 5 min read


CISA's Fortinet Deadline Is Today. We've Been Alerting On The Exact SQL Pattern For Weeks.
Federal civilian executive branch agencies have until end of day today, April 16, 2026, to mitigate CVE-2026-21643 — a pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that hands attackers OS-level remote code execution. CISA added it to the Known Exploited Vulnerabilities catalog on April 13. The deadline is three days later. That's the tightest federal timeline I've seen on a non-emergency directive in months, and it's the right call. Active exploitation h
Patrick Duggan
Apr 16 · 5 min read


CPUID Got Hit for 19 Hours. We Had the C2 in Our Feed By Day Two.
Every IT person on Earth has downloaded CPU-Z or HWMonitor at some point. Hardware nerds, overclockers, support techs, forensic investigators — the tools are free, they're signed, they come from a French company called CPUID that nobody thinks twice about. Trust is the whole product. On April 9, 2026 at 15:00 UTC, attackers flipped the download links on cpuid.com. For the next 19 hours, anyone clicking "Download" on CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, or PerfMonit
Patrick Duggan
Apr 15 · 5 min read


Meta's AI Is Training on Our Threat-Intel Site — We Watched It Happen
Tonight we ran our end-of-day net sweep and something jumped out of Microsoft Clarity's session feed: 127 "Unknown browser / Unknown device / Desktop" sessions, all from ASN 32934 — Facebook. That didn't smell like a person. We cross-checked against Cloudflare's firewall logs and got the answer in under sixty seconds: the 127 sessions weren't sessions at all. They were hits from `meta-externalagent/1.1` — Meta's AI-training web crawler — pulling 200 requests in the last 23 ho
Patrick Duggan
Apr 15 · 5 min read