All Posts


We Had Megalodon's C2 Forty-Nine Days Before It Bit. Here Are The Three Detectors We Just Wired To Catch The Next One.
I published a blog yesterday about Megalodon, the mass GitHub Actions workflow-poisoning campaign that compromised 5,561 repositories in six hours on May 18, 2026. The headline I led with was that DugganUSA's IOC index carried the command-and-control endpoint at 216.126.225.129 before the campaign was publicly named by SafeDep, StepSecurity, OX, the Hacker News, and the rest. That was true. It was also a serious undercount of the actual receipt. Tonight's deeper hunt against
Patrick Duggan
May 23 | 4 min read


Command and Control Over Blockchain. Two Actors, One Year, A New Category That Cannot Be Taken Down.
There are exactly two Internet Computer Protocol blockchain canister command and control endpoints in DugganUSA's IOC index as of today. The first, cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io, was indexed by SSL Blacklist on April 23, 2026, attributed to an unnamed criminal actor. The second, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, was indexed independently on May 22, 2026, attributed to TeamPCP, the cluster behind the Megalodon GitHub Actions mass-poisoning campaign that ate 5,
Patrick Duggan
May 23 | 4 min read


Netflix Is At The Top of Our Brand Pyramid Today. Two Independent Axes. The Math Says Watch Tonight.
DugganUSA's brand-impersonation watch list ran its multi-axis aggregation this afternoon. Thirty candidate brands across five orthogonal signal axes. The top of the pyramid today is Netflix at 0.95 composite confidence, the only brand at that confidence band, and the only brand currently hitting two independent axes at the elevated level. The math is not a forecast; it is a description of two independent measurements that converged on the same target without coordination. The
Patrick Duggan
May 23 | 4 min read


Megalodon Ate 5,561 GitHub Repos in Six Hours. We Had the C2 in the Feed Before It Had a Name.
Between 11:36 and 17:48 UTC on May 18, 2026, a single automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours. The campaign was named Megalodon four days later by SafeDep, StepSecurity, OX Security, and a half-dozen other researchers who independently dissected the attack pattern. The malicious payload injected into each repository's .github/workflows/ directory is a base64-encoded bash loader that exfiltrates CI secrets, AWS and GCP and Az
Patrick Duggan
May 23 | 4 min read


The Laravel-Lang Credential Stealer Never Touched the Official Repo. It Used GitHub Tags As Misdirection.
On May 22, 2026, a credential-stealing supply chain attack lit up the Laravel/PHP ecosystem. By May 23, security researchers at Aikido, Socket, and the Hacker News had published the dissection. The headline number is 700 — as in 700-plus version tags rewritten across three widely used packages in the Laravel-Lang organization. The number that matters more is zero, as in the number of malicious commits ever pushed to the official repositories. The attacker did not compromise t
Patrick Duggan
May 23 | 4 min read


The FBI Just Named the VPN Dozens of Ransomware Groups Share. The Quiet Part Is What That Means.
The FBI confirmed this week that dozens of ransomware groups have been routing reconnaissance, initial access tooling, and intrusion traffic through a single commercial VPN service called First VPN. The advisory frames it as a notable operational pattern. The structural read is more interesting than that. When the FBI names a shared piece of adversary infrastructure, the actual disclosure is not that the bad guys use VPNs — that has been true for two decades — but that defend
Patrick Duggan
May 22 | 4 min read


Verizon DBIR 2026 Just Made Our Pattern 53 Industry Data — Vulnerability Exploitation Overtakes Credential Theft
May 22, 2026. Verizon dropped the 2026 Data Breach Investigations Report this morning. The headline finding, the line every CISO will quote in the next...
Patrick Duggan
May 22 | 4 min read


Edges Are All Over Now — Why The Decision Boundary Is The New Perimeter
May 21, 2026. Earlier today we shipped a post called Edge-Appliance Week — five vendor RCEs in fourteen days, the foot in the door is every foot. That post...
Patrick Duggan
May 21 | 5 min read


Edge-Appliance Week — Five Vendor RCEs In Fourteen Days, And The Foot In The Door Is Every Foot
May 21, 2026. CISA's Known Exploited Vulnerabilities catalog added three entries today. Two of them are edge-appliance vendors — Ivanti and Fortinet. In the...
Patrick Duggan
May 21 | 4 min read


The Week The Defenders Became The Supply Chain — TanStack, CISA, And The Pyramid We Wrote Six Weeks Ago
May 21, 2026. Three days ago we shipped a soft-surface-bleed post about three vendors getting cracked open while the perimeter held. Last night we shipped a...
Patrick Duggan
May 21 | 4 min read


Defender Is The Attack Surface Now — Five CVEs, Thirty Days, Three On KEV
May 20, 2026. CISA added two more Microsoft Defender vulnerabilities to the Known Exploited Vulnerabilities catalog today. CVE-2026-41091 is an...
Patrick Duggan
May 20 | 3 min read


Three Soft Surfaces Bled Today — The Perimeter Held Every Time
May 20, 2026. Three separate incidents on the wire today, three separate vendors, three separate threat actors. Same shape on all of them. The hardened...
Patrick Duggan
May 20 | 3 min read


Four Hours From Disclosure To Exploitation. PraisonAI Just Set The New Floor.
CVE-2026-44338 in PraisonAI was disclosed publicly on May 14, 2026. Threat actors were observed attempting to exploit it within four hours. This is the new floor. PraisonAI is an open-source framework for building agentic AI applications. The vulnerability allowed remote code execution against PraisonAI instances. The disclosure-to-weaponization gap of four hours is approximately one hundred and sixty-eight times shorter than the gap commonly cited in security writeups from 2
Patrick Duggan
May 20 | 4 min read


Dirty Frag Plus NGINX Rift Plus CVE-2026-43284. The May 2026 Kill Chain Nobody Is Calling A Kill Chain.
The cybersecurity press names individual CVEs because individual CVEs make for clean headlines. The defender press should also be naming exploit chains, because exploit chains are what actually compromise production environments. May 2026 delivered a three-CVE chain that Security Boulevard called "a reliable, race-free, forensically quiet kill chain from the public internet to root." This post unpacks each CVE, how they chain, and why a chain-aware detection posture is the on
Patrick Duggan
May 20 | 5 min read


Trellix Got Breached. Attackers Stole The Code Powering Their Security Tools. The Cobbler's Children Have An Inventory Problem Now.
This week, the security vendor Trellix disclosed that attackers had gained unauthorized access to the code powering the company's security tools. Not customer data. Not employee records. The source code of the tools Trellix sells to defenders. Trellix descended from the 2022 merger of McAfee Enterprise and FireEye, two of the most storied security vendors in the industry. McAfee was breached in 2010. FireEye was breached in 2020 by the SolarWinds operator — the breach that ta
Patrick Duggan
May 20 | 5 min read


🔺 CONSPIRACY THEORY Newsletter Vol. 49: The Embedder Is The Progeny
🔺 CONSPIRACY THEORY 🔺 The Newsletter They Don't Want You To Read Volume 49 | May 20, 2026 | $2.00 (cash only, exact change, no tracking, do NOT use Venmo) ――――――――――――――――――――― ATTENTION SUBSCRIBERS: If you registered for the STIX feed this week, you're already in the system. Yes, that one. Yes, the analytics ARE logged. The transparency goes one way. No nose biting, Jerry. ――――――――――――――――――――― THIS WEEK'S PATTERN: THE EMBEDDER IS THE PROGENY Stay with me. July eighth, 197
Patrick Duggan
May 19 | 5 min read


Five Minutes To Make Claude Code A Threat-Intel-Aware Defender. Add Jeevesus And Dredd As MCP Servers.
The activation problem in defender tooling is the curl wall. A SOC analyst registers for a STIX feed, gets a key, sees an example curl command, copies it, gets a 401 because they pasted the key wrong, never comes back. Three quarters of the keys we have ever issued never made a first call. We published the funnel data on that yesterday. The MCP path does not have the curl wall. If you run Claude Code, Cursor, Cline, ChatGPT desktop, or any other MCP client, you can wire two D
Patrick Duggan
May 19 | 5 min read


Ten Curls That Make The DugganUSA STIX Feed Pay For Itself. Run These In Your Daily Standup.
The DugganUSA STIX feed gives every registered defender a free-tier key with five hundred queries per day across the iocs, pulses, epstein_files, blog, and content indexes. The free tier is generous. The activation rate on the free tier is not. Three quarters of the keys we have ever issued have never made a first call. This post is the first call. Ten specific curl commands a defender can run against the public DugganUSA APIs to get useful output today. Each query has a sing
Patrick Duggan
May 19 | 5 min read


Cleaver Is Five Iranian APTs. PLA Navy Is Three Pandas. Grizzly Steppe Is Two Intelligence Services. The Vendor Naming Graph In Public.
The DugganUSA blog ran a post on May 13 titled "ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP." The single-IP version of the thesis: vendor attribution fragmentation provides operational camouflage for the threat actor. Three analyst teams looking at the same infrastructure produce three different campaign labels at three different abstraction levels, and the defender ends up tracking a phantom three-campaign threat instead of the real one-operator threat. Today we
Patrick Duggan
May 19 | 5 min read


Six Months. 844 Megabytes. Three GovCloud Accounts. The CISA Leak Is The Class We Just Closed In Our Own Stack This Week.
The disclosure landed this week. A contractor working for CISA — the agency responsible for cybersecurity guidance across the federal civilian network — kept a public GitHub repository named "Private-CISA" with 844 megabytes of credentials, internal blueprints, and signed certificates from November 13, 2025 through May 15, 2026. Six months in the open. GitGuardian's automated scanner caught it on May 14, 2026. Krebs and Seralys notified CISA the next day. The repository came
Patrick Duggan
May 19 | 7 min read