
All Posts


The Discord Crawler That Wasn't. How A Four-Year-Old PTR Record Becomes The Cover For A Weaponized Scraper. GCP IP Recycling Is The New Reputation-Laundering Channel.
An operator emailed our inbox this morning claiming the IP address 35.237.4.214 is a Discord embed proxy and demanding we stop reporting it. The email is paraphrased here without identification because the technical pattern is the interesting thing, not the operator. Their claim does not survive contact with the facts. The threat-intelligence community has been writing about this specific abuse pattern for two years, and today's email is the closing artifact for a clean publi
Patrick Duggan
May 29 · 6 min read


Thirty Thousand Gitea Deployments Leaked Private Container Images For Four Years. CVE-2026-27771 Is Soft-Surface-Bleed At The DevOps Tier. Rotate Every Secret Baked Into A Layer Tonight.
Noscope researchers disclosed CVE-2026-27771 yesterday. Gitea is the leading self-hosted alternative to GitHub. Approximately thirty thousand Gitea deployments across more than thirty countries shipped a container-registry authorization bypass that let unauthenticated remote attackers pull private container images from any vulnerable instance without an account, password, or any credential. The bug shipped roughly four years ago. The detection window has been the entire regis
Patrick Duggan
May 28 · 4 min read


DentaQuest Is The Coinbase Cartel's Second Vertical Pivot Of The Month. Canvas Was Education. DentaQuest Is Dental Insurance. The Pattern Is Consent-Leak Verticals With Class-Action Lethality.
Three hours ago, the ShinyHunters leak site added DentaQuest LLC to its victim list. DentaQuest is a major US dental and vision insurance provider; the claimed exfil per public dark-web monitoring is seven-hundred-forty-four users plus one third-party employee credential. DentaQuest has acknowledged the cybersecurity incident on its website. Class-action plaintiffs' counsel is already investigating. The threatened-leak deadline was yesterday — the tranche has not surfaced pub
Patrick Duggan
May 28 · 4 min read


MyPillow Is On The Play Ransomware Leak Site And The Deadline Is Friday. The Victim Is In Chaska, Minnesota. The Decision Tree Is The Same Whether You Like The Victim Or Not.
On Monday May 25, 2026, the Play ransomware crew posted MyPillow Inc. on its name-and-shame leak site with a Friday deadline. The leak-site notice claims private and personal confidential data, client documents, budget, payroll, IDs, taxes, and finance information. The volume claim is left vague — no gigabytes figure, no sample tranche posted yet. Mike Lindell told Straight Arrow News nobody has asked them for a ransom, that the company does not have any data breaches, and th
Patrick Duggan
May 28 · 5 min read


We Named The Microsoft Defender Five-CVE Cluster May 20. The News Caught Up Eight Days Later. BlueHammer, RedSun, UnDefend, And Two New Codenames Joined Active Exploitation.
On May 20, 2026, we indexed an IOC in our threat-intelligence corpus named defender-attack-surface-campaign-2026-05-20. The body of that IOC names BlueHammer, RedSun, UnDefend, CVE-2026-41091, and CVE-2026-45498 — a five-CVE family of Microsoft Defender vulnerabilities, three of which CISA promoted to the Known Exploited Vulnerabilities catalog that same day. Eight days later, today, the broader news cycle caught up. BleepingComputer, Malwarebytes, Dark Reading, and SecurityW
Patrick Duggan
May 28 · 4 min read


Instructure Paid ShinyHunters For The Canvas Data Back. The Number Is Reported At Ten Million. We Named The Coinbase Cartel Confederation On May 21. The Frame Just Paid Off.
Instructure, the parent company of the Canvas learning-management system, announced it had reached an agreement with ShinyHunters to recover the 3.65 terabytes of student and faculty data stolen during the late-April through mid-May extortion campaign. The terms of the agreement are not publicly disclosed. Unconfirmed reporting puts the payment at approximately ten million dollars. Instructure states it received cryptographic shred logs as proof of data destruction and that n
Patrick Duggan
May 28 · 5 min read


CISA Just Added CVE-2026-31431 To KEV. We Wrote The 732-Byte AF_ALG Path Fourteen Days Ago. Block The Socket. Patch The Kernel. Watch The Sandbox.
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog today. The KEV entry confirms what oss-security, Microsoft, Sysdig, Unit 42, CERT-EU, and Xint Code have been documenting since April 29: there is a deterministic seven-hundred-thirty-two-byte path from any unprivileged user on a modern Linux box to root, and the path runs through the kernel cryptographic socket family that almost no workload actually needs to use. We wrote the mechanism up on May 14. Th
Patrick Duggan
May 28 · 4 min read


GitHub Confirmed The TanStack Repo Breach Memorial Day Weekend. Our Sandtrout Signal Caught The Mini-Shai-Hulud Bloom The Night It Fired. Seven Receipts, One Worm, One Pyramid.
GitHub confirmed over Memorial Day weekend that the repository breach it had been investigating was linked to the TanStack npm supply-chain attack. Two days later, the same vendor shipped a two-factor approval gate on npm publish — the kind of control that exists because the prior control failed. This is the receipt arc we have been writing since April 29, when the variant first landed in our index. The headline today is GitHub. The headline two weeks ago was OpenAI. The head
Patrick Duggan
May 28 · 5 min read


Tomorrow Is The CISA Deadline For Exchange CVE-2026-42897. While You're Patching, Here Are Three Other Things That Hit This Week.
The U.S. Cybersecurity and Infrastructure Security Agency added Microsoft Exchange CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, with a Federal Civilian Executive Branch patch-or-mitigate deadline of May 29, 2026. That deadline is tomorrow. By close of business in Washington, every federal civilian agency running on-premises Exchange Server is required to have applied the mitigation or removed the vulnerable instance from public-facing infrast
Patrick Duggan
May 27 · 4 min read


We Renamed Our Detector After The Larval Form. Sandtrouts Are Easier To Catch Than Worms.
The npm supply-chain worm that hit the TanStack, Nx Console, and @antv ecosystems across May 2026 is publicly named Mini-Shai-Hulud, after the giant sandworms of Frank Herbert's Dune. The naming travels because the campaign behaves like a worm — burrows into a maintainer's GitHub Actions pipeline, harvests the credentials necessary to publish, and then breaches the surface in a mass-publish event that consumes everything in its blast radius. Eighty-four malicious package arti
Patrick Duggan
May 27 · 5 min read


PreCog Just Caught Its First Active Campaign. We Deployed The Detector Three Days Ago. Mini-Shai-Hulud Hit The High-Confidence Band Overnight.
Three days ago, on May 24, 2026, we deployed three new precursor signals into the DugganUSA PreCog hourly aggregator: Decentralized C2 Emergence, CI/CD Compromise Indicators, and Trycloudflare Staging Velocity. The signals were designed against the post-mortem of the Megalodon GitHub Actions campaign, where TeamPCP's blockchain canister command-and-control endpoint sat in our IOC index for forty-nine days before the attack fired without any detector elevating its presence. Th
Patrick Duggan
May 27 · 5 min read


Memorial Day 2026: Five Different Customers Lost Today. We Had The Receipt On Every One Of Them.
Memorial Day 2026 fired five separate cybersecurity incidents at scale. By the end of the day, the news cycle had named every one of them. Each campaign had identifiable victims whose names landed in headlines this afternoon. For each of those five campaigns, DugganUSA's STIX feed and IOC index carried the receipt before the attack fired against the public victim list. This post is the customer-protective audit. Five victims today, five receipts already in our feed, sized by
Patrick Duggan
May 26 · 5 min read


Ghost CMS Just Hit Seven Hundred Sites With ClickFix. We Had The Detection Rule Six Days Early.
The Hacker News this morning reports that Ghost CMS CVE-2026-26980, the unauthenticated SQL-injection vulnerability disclosed earlier this month, has now been exploited to compromise more than seven hundred websites running the platform. The injection payload deploys a ClickFix attack chain that pivots visitors of the compromised Ghost-served pages into the standard Russian-language clipboard-hijacking flow — copy a malicious PowerShell command, paste it into Windows Run, exe
Patrick Duggan
May 26 · 3 min read


TeamPCP Breached GitHub Itself Over Memorial Day Weekend. The Fifth Indirect-Trust Vector Is The VS Code Extension. We Predicted The Doctrine Would Spread.
Three days ago I published a blog naming three indirect-trust supply-chain vectors that had hit corporate developers in three weeks: Laravel-Lang tag-pointer compromise, Megalodon GitHub Actions workflow injection, Ghost CMS theme execution primitive. A few hours later, while back-filling adversary profiles, we surfaced a fourth — the Polymarket Bot supply-chain attack through a hijacked verified GitHub organization, attributable to a distinct actor cluster but using the same
Patrick Duggan
May 25 · 6 min read


Ten Cluster Analyses Against PURSUE. The Phenomenon Has A Stable Phenotype And At Least Two Object Classes. Here's The Synthesis.
The U.S. Department of War's PURSUE Release 1 and Release 2 together comprise 222 declassified UAP records as of May 22, 2026. The press cycle covering each release focused on the items DoW pulled out in the press release. The clusters that actually carry the analytic weight have been sitting unsurfaced. We ran ten cluster analyses against the full 222-record corpus over the last 24 hours. Each cluster cut the data along a different axis — geography, year, multi-object behavi
Patrick Duggan
May 25 · 6 min read


The Strongest UAP Case In PURSUE Release 1 Is The One Nobody Has Named Yet. Thirty-Three Documents. Senior Intelligence Official On The Record. Western US, Late 2025.
The Department of War's PURSUE Release 1 dropped on May 8, 2026, with 158 declassified UAP records. The mainstream coverage focused on the headline items the press release teased: 1947-era FBI Vault material on Oak Ridge, the 1970s Sandia Base file, the recycled documents from the 62-HQ-83894 case. Release 2 dropped May 22 with 64 more, and the cycle repeated — coverage centered on the "4 UAP Formation Iran 26 Aug 2022" video that DoW highlighted. Each cycle, the journalists
Patrick Duggan
May 25 · 6 min read


A Fourth Indirect-Trust Vector Just Surfaced. Polymarket Bot Stole Wallet Keys Through A Hijacked Verified GitHub Org. Also We Now Have ShinyHunters' Leak-Site Onion.
I wrote a blog this morning naming three indirect-trust supply-chain vectors that hit corporate developers in May 2026 — Laravel-Lang tag-pointers, Megalodon workflow files, Ghost CMS themes — and called it a doctrine that the criminal marketplace had crossed into operational use. Six hours later, while back-filling adversary profiles into our IOC index, our extractor surfaced an unexpected URL inside a TeamPCP-related research article: a Cloudflare Workers endpoint at...
Patrick Duggan
May 24 · 4 min read


Eight Distinct USPS Phishing Domains Live In Our IOC Feed Right Now. The Tracking-Number Scam Is The Consumer's Megalodon.
DugganUSA's multi-axis brand-impersonation watch list put globaluspslogistics.com in the top tier this morning at composite confidence 0.85, single-axis pattern-49 detection. The watch list is the synthesis layer; the IOC index is the raw substrate. A quick cross-query against the substrate returns eight distinct USPS-themed phishing infrastructures currently live in our feed, all sourced from OpenPhish's automated detection pipeline, all classified as active phishing, all ru
Patrick Duggan
May 24 · 4 min read


Anthropic's Project Glasswing Just Cleared Ten Thousand High-Severity Vulnerabilities In One Month. The Partnership Asymmetry Is Real.
Anthropic disclosed on Friday that Project Glasswing, their cybersecurity vulnerability research initiative launched last month, has now produced more than ten thousand high- or critical-severity vulnerabilities across some of the most systemically important software in the world. Ten thousand findings in a single month from an AI-assisted research program is the kind of throughput that is difficult to characterize in conventional terms. The number is large enough that the co
Patrick Duggan
May 24 · 3 min read


Three Indirect-Trust Vectors In Three Weeks. The Attacker's New Doctrine Is The Artifact Layer Nobody Audits.
Over the last three weeks DugganUSA's IOC index has carried receipts on three independent supply-chain compromises that, on the surface, look like three different stories. The Laravel-Lang credential stealer on May 22. The Megalodon mass GitHub Actions workflow poisoning on May 18. The Ghost CMS remote code execution disclosed earlier in May and re-surfaced this weekend with a publicly available proof-of-concept exploit. Three packaging ecosystems, three different attacker cl
Patrick Duggan
May 24 · 4 min read