top of page

Security Tips


The Vercel Breach Was Not a Hack. It Was a Trust Relationship Walking Through an Open Door.
On April 19, 2026, Vercel published a security bulletin confirming unauthorized access to certain internal systems. The story that emerged over the following days is not primarily a story about Vercel's security failures. It is a story about the shape of modern attacks, and why the mental model most defenders are still running is about fifteen degrees off from where the threats actually live. Understanding this breach fully requires holding three things in your head at once:
Patrick Duggan
Jun 29 min read


We Caught the SharePoint Exploit Before Microsoft Warned About It. We Still Can't Get a Meeting with Glasswing.
This morning, before my second coffee, we ran a hunt-protect-publish loop on a live CVE. CVE-2026-32201, SharePoint Server, being actively targeted as of today. We pulled the proof-of-concept off GitHub, extracted the specific attack paths the exploit hits, ingested the detection rules into our corpus, and had a post out with the exact paths defenders need to block — all in under twenty minutes. The WP Maps Pro plugin exploit that is also hitting sites today? We had that one
Patrick Duggan
Jun 23 min read


SharePoint CVE-2026-32201 Is Being Actively Targeted. Here Are the Paths to Watch.
Microsoft is warning that CVE-2026-32201, an improper input validation flaw in SharePoint Server, is being actively targeted. The vulnerability allows an unauthenticated attacker to spoof trusted content or interfaces over a network, affecting SharePoint Subscription Edition and SharePoint Server 2016 Enterprise. The technical surface is narrow enough to be actionable. A proof-of-concept published in April identified two specific layout paths as the attack vectors: the notify
Patrick Duggan
Jun 22 min read


The WordPress Exploit Hitting Sites Today? We Had the Detection Rules on May 30.
This morning's headline: CVE-2026-8732, a critical flaw in the WP Maps Pro WordPress plugin, CVSS 9.8, is under active exploitation. Unauthenticated attackers are using it to mint rogue administrator accounts and take over sites. If you run that plugin, you are being attacked right now. We have had the detection rules since May 30. Three days early. Here is the receipt, with timestamps. Our exploit harvester, which sweeps GitHub on a six-hour cycle, picked up three separate p
Patrick Duggan
Jun 22 min read


Cisco's AI Moment: Can the Networking Giant Reclaim the Center of the AI Infrastructure Stack?
AI is redefining networking at both ends, and Cisco is spending like a company that knows it. At one end is the fabric. The new Silicon One G300 is built to power gigawatt-scale AI clusters for training, inference, and real-time agentic workloads, and Cisco just raised its expected hyperscaler AI-infrastructure orders for fiscal 2026 to nine billion dollars, up from five. Hypershield runs security enforcement on a smart switch without adding latency. Nexus One correlates netw
Patrick Duggan
Jun 13 min read


The Dev-Tooling Supply Chain Is the Soft Surface Now: Nx, Mini Shai-Hulud, and Megalodon in One Month
We have been saying it for months: the hard perimeter holds, and the soft surfaces bleed. May 2026 made the case for us in one ugly stretch, and the soft surface this time was the developer's own toolbox. Not the firewall. Not the VPN. The IDE extension, the npm install, the CI workflow that everybody trusts because everybody uses it. Start with the GitHub breach that CISA flagged on May 28. Attackers used a prior compromise of Nx developer systems to poison a third-party VS
Patrick Duggan
Jun 12 min read


Iran Dressed an Espionage Op as 'Chaos' Ransomware. We Were Already Watching the Domains.
Rapid7 published an intrusion this week that they attribute to MuddyWater, the unit affiliated with Iran's Ministry of Intelligence and Security, wearing a ransomware costume. The credit for the analysis is theirs, and it is good work. The entry point was social engineering over a Microsoft Teams screen share. From there: credential harvesting, MFA manipulation, and a quiet transition to operating through legitimate accounts. No file-encrypting ransomware ever dropped. It was
Patrick Duggan
Jun 12 min read


ShinyHunters Says 340 Million OnlyFans Records. The Number Is the Leverage, Not the Breach.
The headline writes itself, and that is exactly the trap. Over the weekend ShinyHunters claimed a 340-million-record OnlyFans haul, a number engineered for screenshots rather than scrutiny. We have had a ShinyHunters adversary profile on file since May 23, and we wrote up their May spree, Charter, Carnival, Vimeo, 7-Eleven, and Instructure, when it was the dominant criminal pool of the month. This is the same crew, and the pattern is the same: the count is the weapon. Here is
Patrick Duggan
Jun 12 min read


Scott's Tots Closed The Loop. $6.25B Dell Pledge, $1-5M Trump Position, $9.7B Pentagon Contract, 255% Rally. We Called The Shape In March. May Delivered The Numbers.
On March 11, 2026, this blog published "Scott's Tots: Michael Dell Promised 25 Million Kids $250 and a Dream." The post mapped Michael and Susan Dell's December 2025 pledge of $6.25 billion to fund Trump Accounts — a federal savings program for newborns — onto the architecture of Season 6 Episode 12 of The Office, where Michael Scott returns to a class of high-school seniors he had ten years earlier promised college tuition. Scott couldn't pay. He brought laptop batteries. Th
Patrick Duggan
May 319 min read


Cris Thomas (L0pht Veteran, Architect Of Responsible Disclosure) Is Calling Microsoft's MSRC Posture An Abuse Of The Framework His Community Built. Free Cookies For Collaborators.
Yesterday we wrote a commentary on the Microsoft Security Response Center blog from May 27 that complained about uncoordinated zero-day disclosures and threatened Digital Crimes Unit pursuit of researchers and "those that enable their criminal activity." We landed inside the blast radius of that framing on purpose, because the alternative was letting a platform-vendor blog chill independent threat-intelligence reporting. The post was directionally right and underweighted on o
Patrick Duggan
May 3111 min read


Okta. Three Breaches. Three Trust Paths. All Inside The Identity Surface Okta Sells Defense For. Sitel, Source Code, Support Case System.
Trellix had source code in RansomHouse hands in May 2026. Checkmarx had source code in LAPSUS$ hands in April 2026. We wrote about both yesterday in the "Security Vendor Industry Is The Soft Surface" frame. Okta belongs in the same conversation. Okta has been breached three distinct times through three distinct trust paths, and all three trust paths are inside the identity-surface vertical Okta exists to defend. The pattern is not a coincidence and not a one-time misfortune.
Patrick Duggan
May 317 min read


ShinyHunters Hit Charter, Carnival, Vimeo, 7-Eleven, And Instructure In May 2026. Plus TELUS, Cushman & Wakefield, NVIDIA Armenia Earlier. The Dominant Criminal Pool Of The Year.
ShinyHunters is the dominant criminal pool of 2026 by victim count, blast radius, and brand recognition. The May 2026 ledger of confirmed ShinyHunters-attributed breaches against publicly-named victims is the receipt that closes the question of who holds the criminal-pool throne for the year. Five major brands in thirty days, plus three more earlier in 2026, plus the operator constellation Patrick Duggan and Paul Galjan have been tracking under the "Coinbase Cartel" frame acr
Patrick Duggan
May 316 min read


RansomHouse Has Trellix's Source Code. LAPSUS$ Has Checkmarx's. The Security Vendor Industry Is Now The Soft Surface It Sells Defense For.
Trellix confirmed on May 8, 2026 that the ransomware-extortion group RansomHouse compromised the company's source code repositories. The disclosure was accompanied by "proof of intrusion" images RansomHouse posted on their leak site. Checkmarx confirmed on April 28, 2026 that LAPSUS$ stole data from the company's private GitHub repository. Both companies are tier-one cybersecurity vendors. Both vendors sell defensive products explicitly marketed as protection against the exac
Patrick Duggan
May 316 min read


California AG Sues Chrome Holding Co. (Formerly 23andMe) For Five Months Of Undetected Credential Stuffing. MyHeritage Passwords They Already Knew Were Compromised. Seven Million Records Stolen.
California Attorney General Rob Bonta filed suit on May 28, 2026 against Chrome Holding Co., the corporate entity formerly known as 23andMe, alleging that the company's 2023 data breach was the result of basic, well-known security failures that the company explicitly knew about and chose not to address. The complaint alleges violations of the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California False Advertising Law, the Unfa
Patrick Duggan
May 317 min read


BlueHammer Validates Predictive Kill Chain. Forty Days Of Customer Detection Window Before Microsoft Acknowledged The CVE. Microsoft Sits On Seventy-Eight Billion In Liquid Cash.
Microsoft's Security Response Center published a blog on May 27, 2026 complaining that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The MSRC post asserts the disclosures put customers at "unnecessary risk" and that Microsoft's Digital Crimes Unit will pursue cases against the researchers and "those that enable their criminal activity." We published a
Patrick Duggan
May 306 min read


Silver Fox Completes The Four-Archetype Geopolitical Adversary Grid. China-Aligned ValleyRAT Cybercrime With Tax-Themed Phishing And State-Recruitment-Pool Overlap Potential.
We filed three Russia-Ukraine cyber archetypes into our adversaries index earlier today — GREYVIBE, UAC-0098, and Ember Bear — completing a structural triangle that describes Russia-aligned cyber operations from 2020 to 2026. The triangle is the receipt of how the criminal-pool talent reservoir applied informed acceleration without ethical brakes across one geopolitical theater. Tonight we file a fourth actor that completes the broader geopolitical grid: Silver Fox, the China
Patrick Duggan
May 304 min read


Microsoft Says Publishing Proof-Of-Concept Code Is 'Criminal Activity.' Microsoft Owns GitHub. GitHub Is The World's Largest Distributor Of Proof-Of-Concept Code. Read That Sentence Three Times.
The Microsoft Security Response Center published a blog on May 27, 2026 titled "A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure." The post complains that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The post then makes a claim that needs to be quoted verbatim because the framing is the story: "Uncoordinated
Patrick Duggan
May 307 min read


Five Emerging Patterns From Sixty Days Of Threat Intel. Trust-Path Bleed Is Active Across Seven Vendor Surfaces. The Russia-Ukraine Triangle Is Complete. The Defender Iteration Gap Is Widening.
This is the eighth post we have published today. The other seven covered specific incidents, specific actors, specific receipts. This one is the synthesis. After sixty days of reading public threat-intelligence disclosures, ingesting their indicators-of-compromise packs into a four-hundred-forty-index Meilisearch corpus, cross-correlating against ICIJ offshore-leaks data and our own block-events history, and writing the daily receipts of what we found, five patterns have ripe
Patrick Duggan
May 3012 min read


Sicoob.Sdk v2.0.4 Stole Brazilian Banking PFX Certificates Through Sentry Telemetry. Google's AI Search Recommended It. The Trust-Path Bleed Just Crossed Three Vendor Surfaces At Once.
Socket Research published a writeup this week on a malicious NuGet package named Sicoob.Sdk that impersonated the official C# SDK for Sicoob, the Brazilian cooperative-banking network that handles savings, Pix instant payments, Open Finance integrations, and Boleto payment slips for millions of Brazilian consumers and small businesses. The package shipped versions 2.0.0 through 2.0.4 between May 5 and May 6, 2026. Total downloads: four hundred eighty-four. Small N. Each victi
Patrick Duggan
May 307 min read


GREYVIBE Is Not A Vibe Actor. It Is Informed Acceleration Without Brakes. UAC-0098 Was Its 2022 Precedent.
This morning we filed the GREYVIBE adversary profile after WithSecure's disclosure. Five campaigns. Three malware families. Four custom obfuscators. The first publicly-attributed operator group whose malware toolkit was visibly built with ChatGPT, Ideogram, and Gemini as a coordinated multimodal production pipeline. That post covered what they are. This one covers what they mean. The synthesis takes a different shape than the introduction because the answer is not in the camp
Patrick Duggan
May 307 min read
bottom of page