
All Posts


RansomHouse Has Trellix's Source Code. LAPSUS$ Has Checkmarx's. The Security Vendor Industry Is Now The Soft Surface It Sells Defense For.
Trellix confirmed on May 8, 2026 that the ransomware-extortion group RansomHouse compromised the company's source code repositories. The disclosure was accompanied by "proof of intrusion" images RansomHouse posted on their leak site. Checkmarx confirmed on April 28, 2026 that LAPSUS$ stole data from the company's private GitHub repository. Both companies are tier-one cybersecurity vendors. Both vendors sell defensive products explicitly marketed as protection against the exac
Patrick Duggan
May 31 · 6 min read


California AG Sues Chrome Holding Co. (Formerly 23andMe) For Five Months Of Undetected Credential Stuffing. MyHeritage Passwords They Already Knew Were Compromised. Seven Million Records Stolen.
California Attorney General Rob Bonta filed suit on May 28, 2026 against Chrome Holding Co., the corporate entity formerly known as 23andMe, alleging that the company's 2023 data breach was the result of basic, well-known security failures that the company explicitly knew about and chose not to address. The complaint alleges violations of the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California False Advertising Law, the Unfa
Patrick Duggan
May 31 · 7 min read


BlueHammer Validates Predictive Kill Chain. Forty Days Of Customer Detection Window Before Microsoft Acknowledged The CVE. Microsoft Sits On Seventy-Eight Billion In Liquid Cash.
Microsoft's Security Response Center published a blog on May 27, 2026 complaining that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The MSRC post asserts the disclosures put customers at "unnecessary risk" and that Microsoft's Digital Crimes Unit will pursue cases against the researchers and "those that enable their criminal activity." We published a
Patrick Duggan
May 30 · 6 min read


Silver Fox Completes The Four-Archetype Geopolitical Adversary Grid. China-Aligned ValleyRAT Cybercrime With Tax-Themed Phishing And State-Recruitment-Pool Overlap Potential.
We filed three Russia-Ukraine cyber archetypes into our adversaries index earlier today — GREYVIBE, UAC-0098, and Ember Bear — completing a structural triangle that describes Russia-aligned cyber operations from 2020 to 2026. The triangle is the receipt of how the criminal-pool talent reservoir applied informed acceleration without ethical brakes across one geopolitical theater. Tonight we file a fourth actor that completes the broader geopolitical grid: Silver Fox, the China
Patrick Duggan
May 30 · 4 min read


Microsoft Says Publishing Proof-Of-Concept Code Is 'Criminal Activity.' Microsoft Owns GitHub. GitHub Is The World's Largest Distributor Of Proof-Of-Concept Code. Read That Sentence Three Times.
The Microsoft Security Response Center published a blog on May 27, 2026 titled "A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure." The post complains that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The post then makes a claim that needs to be quoted verbatim because the framing is the story: "Uncoordinated
Patrick Duggan
May 30 · 7 min read


Five Emerging Patterns From Sixty Days Of Threat Intel. Trust-Path Bleed Is Active Across Seven Vendor Surfaces. The Russia-Ukraine Triangle Is Complete. The Defender Iteration Gap Is Widening.
This is the eighth post we have published today. The other seven covered specific incidents, specific actors, specific receipts. This one is the synthesis. After sixty days of reading public threat-intelligence disclosures, ingesting their indicators-of-compromise packs into a four-hundred-forty-index Meilisearch corpus, cross-correlating against ICIJ offshore-leaks data and our own block-events history, and writing the daily receipts of what we found, five patterns have ripe
Patrick Duggan
May 30 · 12 min read


Sicoob.Sdk v2.0.4 Stole Brazilian Banking PFX Certificates Through Sentry Telemetry. Google's AI Search Recommended It. The Trust-Path Bleed Just Crossed Three Vendor Surfaces At Once.
Socket Research published a writeup this week on a malicious NuGet package named Sicoob.Sdk that impersonated the official C# SDK for Sicoob, the Brazilian cooperative-banking network that handles savings, Pix instant payments, Open Finance integrations, and Boleto payment slips for millions of Brazilian consumers and small businesses. The package shipped versions 2.0.0 through 2.0.4 between May 5 and May 6, 2026. Total downloads: four hundred eighty-four. Small N. Each victi
Patrick Duggan
May 30 · 7 min read


GREYVIBE Is Not A Vibe Actor. It Is Informed Acceleration Without Brakes. UAC-0098 Was Its 2022 Precedent.
This morning we filed the GREYVIBE adversary profile after WithSecure's disclosure. Five campaigns. Three malware families. Four custom obfuscators. The first publicly-attributed operator group whose malware toolkit was visibly built with ChatGPT, Ideogram, and Gemini as a coordinated multimodal production pipeline. That post covered what they are. This one covers what they mean. The synthesis takes a different shape than the introduction because the answer is not in the camp
Patrick Duggan
May 30 · 7 min read


GREYVIBE Is The First Russia-Linked Threat Actor Whose Malware Toolkit Was Built With ChatGPT, Ideogram, And Gemini. WithSecure Disclosed Today. Five Campaigns, Three Malware Families.
WithSecure published a comprehensive disclosure today on a previously undocumented Russia-linked threat actor they have been tracking since January 2026 under the name GREYVIBE. The disclosure landed in dual-source coverage at BleepingComputer and The Hacker News with the substantive technical detail and the indicator-of-compromise pack hosted on GitHub. The group is conducting persistent cyberespionage operations against Ukrainian military, government, civilian, and corporat
Patrick Duggan
May 30 · 7 min read


Kimsuky Just Added HTTPSpy, HelloDoor, And VS Code Tunnels For Command-And-Control. The North Korean Espionage Arsenal Is Now The Soft-Surface Playbook.
The Hacker News reported yesterday on a tradecraft expansion by Kimsuky, the North Korean state-sponsored espionage actor we already track in our adversaries index under the synonyms Velvet Chollima, Black Banshee, Thallium, and Operation Stolen Pencil. The expansion has three named components. A new malware family called HTTPSpy is now the primary tool against South Korean military and corporate targets. A backdoor called HelloDoor has been added to the persistence stack. An
Patrick Duggan
May 30 · 6 min read


FortiClient EMS Will Now Execute Code With No Authentication. PAN-OS GlobalProtect Will Now Let You In With No Credentials. The Perimeter Vendors Just Shipped The Bleed.
This week the two largest perimeter vendors in enterprise security each shipped a vulnerability that turns their own product into the breach. Fortinet patched CVE-2026-35616, a pre-authentication API access bypass in FortiClient EMS scoring a 9.1 critical, which the discoverers at Defused Cyber observed under active zero-day exploitation since early April 2026 — roughly two months before the public advisory. Palo Alto Networks updated their advisory for CVE-2026-0257, a Globa
Patrick Duggan
May 30 · 8 min read


Two Thousand Vibe-Coded Apps Are On The Internet With No Access Controls. Sixteen Days Ago Our Lovable Audit Said This Was Coming. The Pyramid Is Built.
Sixteen days ago we published a post titled "Your Lovable App Is a Spreadsheet. Mine Has Crons." The thesis was that the AI development economy in 2026 has produced an enormous population of demos that the demo authors believe are products, that the production loop — telemetry, regressions, runbooks, paying customers who would notice if the cron missed at three in the morning — does not exist inside a Lovable preview pane, and that the hackathon-class output is going to land
Patrick Duggan
May 30 · 8 min read


HoneyLabs Mapped An Apache CVE Botnet By Its Back-End. Our Index Already Had The Family Name Waiting: Redtail. The Fusion Is The Receipt.
This morning HoneyLabs published a back-end mapping of a botnet that has been quietly earning rent for almost five years. They never named the malware family. They never had to. Their methodology was the point. They pulled next-stage URLs out of dropper binaries, clustered the delivering nodes by JA4 and JA4H and HASSH fingerprints, and walked the chain back from the noise at the perimeter to the eight staging servers that actually run the campaign. The data shape is one thou
Patrick Duggan
May 29 · 7 min read
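The clustering-and-walk-back step the HoneyLabs entry above describes, reconstructed as an added example in Python. This is not HoneyLabs' tooling and not the post's own code: the observation records, fingerprint strings, node addresses and next-stage URLs are constructed placeholders, and keying the clusters on the full JA4/JA4H/HASSH tuple is an assumption about how the grouping was done.

```python
"""Walk a botnet back from delivering nodes to its staging servers.

Added example (not HoneyLabs' code): group the nodes that delivered a dropper
by the client fingerprints they presented, then collect the next-stage hosts
their droppers point at. Clusters of recurring tooling are the campaign;
nodes whose fingerprints never recur are treated as perimeter noise.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed observations: one record per dropper delivery seen at a sensor.
# `node` is the IP that delivered the dropper; `ja4`/`ja4h`/`hassh` are the
# TLS, HTTP and SSH client fingerprints that node presented; `next_stage` is
# the URL carved out of the dropper binary. All values are placeholders.
OBSERVATIONS = [
    # cluster A: three nodes, same tooling, two staging hosts
    {"node": "203.0.113.10", "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
     "ja4h": "ge11nn050000_9d3d8b1b6e3b_000000000000_000000000000",
     "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
     "next_stage": "http://198.51.100.5/x86_64"},
    {"node": "203.0.113.11", "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
     "ja4h": "ge11nn050000_9d3d8b1b6e3b_000000000000_000000000000",
     "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
     "next_stage": "http://198.51.100.5/i686"},
    {"node": "203.0.113.12", "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
     "ja4h": "ge11nn050000_9d3d8b1b6e3b_000000000000_000000000000",
     "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
     "next_stage": "http://198.51.100.6/armv7"},
    # cluster B: two nodes, different tooling, one staging host
    {"node": "192.0.2.20", "ja4": "t12d190800_d83cc789557e_7af1ed941c26",
     "ja4h": "ge11cn020000_4b0f5e8d6c1a_000000000000_000000000000",
     "hassh": "06046964c022c6407d15a27b12a6a4fb",
     "next_stage": "http://198.51.100.7/x86_64"},
    {"node": "192.0.2.21", "ja4": "t12d190800_d83cc789557e_7af1ed941c26",
     "ja4h": "ge11cn020000_4b0f5e8d6c1a_000000000000_000000000000",
     "hassh": "06046964c022c6407d15a27b12a6a4fb",
     "next_stage": "http://198.51.100.7/x86_64"},
    # singleton: fingerprints seen once, treated as noise until they recur
    {"node": "192.0.2.99", "ja4": "t13d0311h2_55b375c5d22e_c4e1d5f4a0b2",
     "ja4h": "ge11nn000000_1a2b3c4d5e6f_000000000000_000000000000",
     "hassh": "a7a4e7d0c5c6b2f1e9d8c7b6a5f4e3d2",
     "next_stage": "http://198.51.100.8/x86_64"},
]


def fingerprint_key(obs):
    """The clustering key: the full tuple of client fingerprints a node presented."""
    return (obs["ja4"], obs["ja4h"], obs["hassh"])


def cluster_nodes(observations):
    """Map each fingerprint tuple to the set of delivering nodes that presented it."""
    clusters = defaultdict(set)
    for obs in observations:
        clusters[fingerprint_key(obs)].add(obs["node"])
    return dict(clusters)


def campaign_backends(observations, min_nodes=2):
    """Walk back from the perimeter to the staging hosts.

    Only clusters with at least `min_nodes` delivering nodes count as the
    campaign; for each next-stage host they point at, return how many
    distinct delivering nodes fed it.
    """
    clusters = cluster_nodes(observations)
    feeders = defaultdict(set)
    for obs in observations:
        if len(clusters[fingerprint_key(obs)]) < min_nodes:
            continue  # singleton tooling: perimeter noise until it recurs
        host = urlparse(obs["next_stage"]).hostname
        feeders[host].add(obs["node"])
    return {host: len(nodes) for host, nodes in feeders.items()}


if __name__ == "__main__":
    ranked = sorted(campaign_backends(OBSERVATIONS).items(), key=lambda kv: -kv[1])
    for host, n in ranked:
        print(f"{host}\tfed by {n} delivering node(s)")
```

Raising `min_nodes` is the knob that separates the campaign from the noise: at the default of two, the singleton node and its staging host drop out of the picture entirely, which is the same shape as the perimeter-to-back-end reduction the entry describes.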


Akira Hit An Aerospace MRO And A Japanese Battery Giant Today. We Have The Binary Signatures From April. Punk Spider Stays Active And The Industrial Mid-Tier Continues To Bleed.
Akira posted two victims to its leak site today. GS Yuasa Lithium Power is the Japanese global battery and lithium-ion manufacturer whose batteries powered the original Boeing 787 Dreamliner installations and now power major automotive electrification programs at Honda and Mitsubishi, industrial backup-power systems, and renewable-energy storage deployments across multiple continents. Alpine Aerotech is a Canadian aerospace MRO provider specializing in helicopter dynamic comp
Patrick Duggan
May 29 · 5 min read


The Coinbase Cartel Hit Four Major Verticals In Eight Days. Carnival Cruise Is The Fourth. Six Million Records. The Confederation Pace Is Now One Vertical Every Forty-Eight Hours.
ShinyHunters posted Carnival Cruise to the Trinity of Chaos leak site this afternoon with a claim of approximately six million customer records. Carnival is the fourth major-vertical victim the Coinbase Cartel confederation has posted in an eight-day window. The four are Canvas Instructure on May 22 with three-and-a-half terabytes of education-sector data, DentaQuest on May 23 with a small initial claim of seven hundred forty-four user records that is almost certainly underst
Patrick Duggan
May 29 · 5 min read


TridentLocker Picked The 9/11 First-Responder Health Program As Its Second Victim Of The Week. The Vertical Is Healthcare-Adjacent-Plus-Reputational-Lethality. Tampa Bay Dental Was The First.
TridentLocker posted the World Trade Center Health Program to its leak site today. The program enrolls approximately 130,000 first responders and survivors of the 9/11 attacks under the Zadroga Act and provides federally-administered medical monitoring and treatment for exposure-related illnesses — respiratory disease, cancers documented to be related to WTC dust exposure, mental health diagnoses tied to post-traumatic stress from the events themselves. The dataset is the kin
Patrick Duggan
May 29 · 4 min read


We Beat CISA KEV By Thirty-One Days On Average In May 2026. Here Is The Architecture That Lets Us. Six Receipts, Six Load-Bearing Components, One Federal Validation Baseline.
Six CISA Known Exploited Vulnerabilities catalog additions in May 2026 had a DugganUSA blog post or indexed IOC dated at least two weeks before the federal mandate landed. The earliest lead was fifty-seven days. The shortest positive lead was fourteen days. The median across the six positive-lead receipts was thirty-one and a half days. The mean was thirty-five point eight. The defensible public claim is that DugganUSA detected May 2026 KEV vulnerabilities an average of thirt
Patrick Duggan
May 29 · 6 min read


Trinity Of Chaos Is What The Operators Call The Coinbase Cartel. Three Naming Streams Converge On One Constellation. ShinyHunters Added Charter Today For Four Point Nine Million Records.
We named the Coinbase Cartel on May 21. On that date we indexed an IOC in our threat-intelligence corpus naming the operator constellation as the confederation of ShinyHunters, Scattered Spider, and LAPSUS$ acting in overlapping cells with specialized tradecraft. The framing was derived from observation of the alliance's payment-routing infrastructure across mixers and exchanges, which is where the Coinbase reference in the name comes from. Independently, Resecurity has been
Patrick Duggan
May 29 · 4 min read


An NPM Package Tried To Exfil Claude's Working Directory And Leaked Its Own GitHub Token. Malware-Slop Is The First AI-Tool-Working-Directory Receipt. The Next Wave Comes For Cursor.
A malicious npm package named mouse5212-super-formatter was disclosed by researchers two days ago and is still available for download from npm at the time of writing. The campaign codename, assigned by the research team that named it, is Malware-Slop. The package presents itself as an archive deployment sync utility. The actual capability is more pointed. It authenticates to GitHub using an environment token or a hardcoded fallback, programmatically creates a target repositor
Patrick Duggan
May 29 · 5 min read
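A static pre-install check for the behaviour pattern the entry above describes (an install-time hook, a GitHub token read from the environment with a hardcoded fallback, repository creation through the GitHub API, and a read of the working directory), written as an added example in Python. It is not the researchers' tooling and not the post's own code; the sample package contents and the placeholder token string are constructed, and the heuristics are an assumption about what such a package looks like unpacked on disk, not a signature for the named package.

```python
"""Flag npm packages that look like install-time working-directory exfiltrators.

Added example, not the researchers' tooling: run over the unpacked contents of
a package tarball before `npm install` executes its lifecycle scripts.
"""
import json
import re

# Constructed sample in the shape of the pattern described above. The token
# string is a placeholder in the GitHub classic-token format (ghp_ + 36
# alphanumerics), not a real credential.
PACKAGE_FILES = {
    "package.json": json.dumps({
        "name": "example-formatter",
        "version": "1.0.0",
        "main": "index.js",
        "scripts": {"postinstall": "node sync.js"},
    }),
    "index.js": "module.exports = (s) => s.trim();\n",
    "sync.js": (
        "const fs = require('fs');\n"
        "const https = require('https');\n"
        "const token = process.env.GITHUB_TOKEN || 'ghp_0123456789abcdefghijklmnopqrstuvwxyz';\n"
        "const files = fs.readdirSync(process.cwd(), { recursive: true });\n"
        "const req = https.request('https://api.github.com/user/repos', { method: 'POST',\n"
        "  headers: { Authorization: 'token ' + token } });\n"
        "req.end(JSON.stringify({ name: 'sync-' + Date.now() }));\n"
    ),
}

# npm runs these script names automatically during install/publish.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
# Classic tokens (ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars) and fine-grained tokens (github_pat_...).
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b")
ENV_TOKEN_RE = re.compile(r"process\.env\.(?:GITHUB_TOKEN|GH_TOKEN)")
# POST /user/repos and POST /orgs/{org}/repos are the repo-creation endpoints.
REPO_CREATE_RE = re.compile(r"api\.github\.com/(?:user|orgs/\w[\w.-]*)/repos")
CWD_WALK_RE = re.compile(r"process\.cwd\(\)")


def scan_package(files):
    """Return a sorted list of (finding, path) pairs for one unpacked package.

    `files` maps a relative path to its text content.
    """
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook in manifest.get("scripts", {}):
        if hook in LIFECYCLE_HOOKS:
            findings.append((f"lifecycle_hook:{hook}", "package.json"))
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        if GITHUB_TOKEN_RE.search(text):
            findings.append(("hardcoded_github_token", path))
        if ENV_TOKEN_RE.search(text):
            findings.append(("reads_env_token", path))
        if REPO_CREATE_RE.search(text):
            findings.append(("github_repo_create_api", path))
        if CWD_WALK_RE.search(text):
            findings.append(("walks_working_directory", path))
    return sorted(findings)


def is_exfil_candidate(findings):
    """The combination that matters: runs at install time, holds or reads a
    GitHub token, and either walks the working directory or creates a repo."""
    kinds = {kind for kind, _ in findings}
    install_time = any(k.startswith("lifecycle_hook:") for k in kinds)
    has_token = bool(kinds & {"hardcoded_github_token", "reads_env_token"})
    moves_data = bool(kinds & {"github_repo_create_api", "walks_working_directory"})
    return install_time and has_token and moves_data


if __name__ == "__main__":
    found = scan_package(PACKAGE_FILES)
    for kind, path in found:
        print(f"{path}: {kind}")
    print("exfil candidate:", is_exfil_candidate(found))
```

Each heuristic on its own is noisy (plenty of honest packages have a `prepare` script or read `process.cwd()`); the check only fires on the conjunction, which is why the hardcoded-token finding is reported separately: a leaked token is worth acting on even when the rest of the pattern is absent.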


CISA Numbered TanStack And Nx Console As CVEs Today. The Soft-Surface-Bleed Arc We Wrote For Eighteen Days Just Became Federally Mandated. Sandtrout Stays In Production.
This morning at eight UTC, CISA added two new entries to the Known Exploited Vulnerabilities catalog. CVE-2026-45321 covers the TanStack npm supply-chain compromise. CVE-2026-48027 covers the Nx Console extension compromise. Both entries describe the vulnerability as the act of publishing malicious versions under a trusted identity, not as a code-level flaw in the affected products. That framing is novel and worth dwelling on. The federal regulator has now formally classified
Patrick Duggan
May 29 · 4 min read
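The lead-time metric from the "We Beat CISA KEV By Thirty-One Days" entry and the catalog additions from the TanStack and Nx Console entry above, computed as one added example in Python against the KEV JSON feed. This is not DugganUSA's pipeline and not the posts' own code: the feed body, the dates in it, and the dates in the own-index table are placeholders constructed for the example (only the feed's field names and the four CVE identifiers come from the catalog format and the entries on this page), so the numbers it produces are not the six receipts the post reports.

```python
"""Lead time between our first record of a CVE and its CISA KEV addition.

Added example (not DugganUSA's pipeline): parse the KEV JSON feed, keep the
entries added in a given month, and compute how many days earlier each one
appeared in our own index. Leads of at least two weeks are the "receipts";
shorter leads still show up in the raw numbers.
"""
import json
from datetime import date
from statistics import mean, median

# Constructed feed in the shape CISA publishes at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The CVE IDs are the four named in the entries above; every date here is a
# placeholder, not the catalog's actual content.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.29",
    "dateReleased": "2026-05-29T08:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2026-45321", "vendorProject": "TanStack", "product": "npm packages",
         "dateAdded": "2026-05-29", "dueDate": "2026-06-19", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Nx Console",
         "dateAdded": "2026-05-29", "dueDate": "2026-06-19", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dateAdded": "2026-05-29", "dueDate": "2026-06-19", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dateAdded": "2026-05-29", "dueDate": "2026-06-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Our own index: cveID -> date of the first post or indexed IOC that named it.
# Placeholder dates chosen for the example.
OWN_INDEX = {
    "CVE-2026-45321": "2026-05-11",
    "CVE-2026-48027": "2026-05-11",
    "CVE-2026-35616": "2026-04-29",
    "CVE-2026-0257": "2026-05-21",
}


def kev_additions(feed_json, year, month):
    """cveID -> dateAdded for every catalog entry added in the given month."""
    feed = json.loads(feed_json)
    added = {}
    for entry in feed["vulnerabilities"]:
        when = date.fromisoformat(entry["dateAdded"])
        if (when.year, when.month) == (year, month):
            added[entry["cveID"]] = when
    return added


def lead_days(kev, own_index):
    """Days from our first record to the KEV addition; positive means we were earlier.

    CVEs we never indexed are omitted: they are misses, not leads.
    """
    return {cve: (when - date.fromisoformat(own_index[cve])).days
            for cve, when in kev.items() if cve in own_index}


def summarize(leads, min_lead=14):
    """Stats over the leads that clear the `min_lead` threshold."""
    positive = sorted(d for d in leads.values() if d >= min_lead)
    if not positive:
        return {"receipts": 0}
    return {"receipts": len(positive), "min": positive[0], "max": positive[-1],
            "mean": round(mean(positive), 1), "median": median(positive)}


if __name__ == "__main__":
    kev = kev_additions(KEV_FEED, 2026, 5)
    leads = lead_days(kev, OWN_INDEX)
    for cve, days in sorted(leads.items(), key=lambda kv: -kv[1]):
        print(f"{cve}\tlead {days:+d} days")
    print(summarize(leads))
```

Pointing `kev_additions` at the live feed instead of the constructed one is the only change needed to run this against the real catalog; the threshold in `summarize` is the "at least two weeks" cut the post uses to decide what counts as a receipt, and the entries that fall under it are still visible in `lead_days` so the cut cannot hide them.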