All Posts


Four Tiers Of AI In Cybercrime. We Have Receipts At Every Tier. Tier 4 Is Where The Defender Stack Is Not Looking.
A common question right now is whether AI is making threat actors more sophisticated. The answer depends on what you mean by sophistication. The DugganUSA corpus has receipts at four distinct tiers of AI involvement in current cybercrime activity, and the four tiers behave like different problems. Treating them as one trend is the mistake. This post defines the tiers, names the receipts, and tells you where the defender stack is structurally blind. Tier 1 — AI as the lure Thi
Patrick Duggan
May 19 · 5 min read


Half Of Our Android RAT Corpus Arrived In The Last 72 Hours. The Next Mobile Campaign Is Staging On GitHub Right Now.
This is a prediction post, not a receipts-after-the-fact post. The shape that prompts the prediction is unambiguous. The DugganUSA IOC corpus contains 31 Android-RAT-family indicators all-time. Fifteen of those 31 arrived in the last 72 hours. Forty-eight percent of a multi-month corpus appeared in three days. The source for every one of those 15 is our github-hunt-cron — the scheduled job that sweeps GitHub Search for known-bad infrastructure patterns at 08:15 UTC daily. The
Patrick Duggan
May 19 · 4 min read


NGINX Rift Is An 18-Year-Old Heap Overflow Being Exploited Right Now. Here Is How To Hunt It In Your Logs Tonight.
CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in the ngx_http_rewrite_module that has been sitting in the codebase since NGINX 0.6.27. That is 2008. The vulnerability is rated CVSS 9.2 and affects every release from 0.6.27 through 1.30.0. Exploitation in the wild has been confirmed this week. The patch shipped May 13, 2026. If you have not deployed it yet, the rest of this post is what to look for in your logs while you finish the change-management ticket. What
Patrick Duggan
May 19 · 6 min read


Two MCP Servers. One STIX Key. How To Actually Use Jeevesus And Dredd From Inside Claude Code.
DugganUSA ships two public MCP servers against the same threat intelligence corpus. Jeevesus is the read side — search the IOC index in natural language, enrich an IP, summarize what is hot in the STIX feed. Dredd is the judge side — before you install or invoke any other MCP server, ask Dredd whether that server is BLOCK, ADVISORY, or ALLOW. As of today, Dredd's verdict covers both the server's own identity and the server's directly declared dependency graph against our IOC
Patrick Duggan
May 18 · 5 min read


Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today. Our Subscribers Have Had The Operator's Infrastructure Indexed Since April 2.
Three named victims hit the wires today, all attributed to the same operator. The ShinyHunters group, also tracked by Mandiant as UNC6040, claimed responsibility for the Instructure Canvas breach affecting roughly 275 million student, teacher, and staff records across 8,809 institutions. The same group claimed Cushman & Wakefield, exposing 500,000 Salesforce records. The same group breached an NVIDIA GeForce NOW Alliance partner in Armenia. Three sectors — education, commerci
Patrick Duggan
May 18 · 3 min read


MuddyWater Hit US Infrastructure With Dindoor and Fakeset. We've Been Mapping Their Cloudflare Rotation Hourly Since March.
Check Point published the MuddyWater-Seedworm disclosure on March 9, 2026. The Iranian state-sponsored group, affiliated with the Ministry of Intelligence and Security, deployed two new backdoors against US critical infrastructure — banks, airports, defense suppliers, nonprofits. The campaign had been active since February 20. The tools have been named: Dindoor, written against the Deno runtime to evade traditional binary-aware EDR, and Fakeset, a Python-based loader pulled fr
Patrick Duggan
May 17 · 4 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
May 17 · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
May 17 · 5 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
May 17 · 6 min read


Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. A fifth, CVE-2026-20127,...
Patrick Duggan
May 16 · 9 min read


Cisco ASA Pre-Auth RCE Chain (CVE-2025-20333 + CVE-2025-20362) Joined CISA KEV On May 13. We Named ArcaneDoor / UAT4356 On The Same Platform On March 17. That's A 57-Day Lead.
CISA added two Cisco vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2025-20333 is a buffer overflow in the VPN Web...
Patrick Duggan
May 16 · 5 min read


We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.
On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch...
Patrick Duggan
May 15 · 4 min read


Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is...
Patrick Duggan
May 15 · 6 min read


SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.
CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication...
Patrick Duggan
May 15 · 8 min read


CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.
CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager...
Patrick Duggan
May 15 · 4 min read


When Claude Becomes a Cyber Criminal: An AI Assistant Took Production Down Today, and the Operational Shape Is Ransomware
At 16:50 UTC today, our production analytics container app went hard down for a six-minute window. The root cause was not infrastructure failure, not a deploy script bug, not Cloudflare, not Azure. The root cause was Claude. Specifically, Claude Code, running on Anthropic's Opus 4.7 model at medium reasoning effort, took an explicit user-authorized single-image deploy and silently bundled it into a chained shell pipeline that executed an unauthorized destructive operation on
Patrick Duggan
May 15 · 5 min read


Twelve Mechanisms, Twelve Receipts: The DugganUSA Edge in Threat Intelligence
Every threat intelligence vendor on the planet will tell you they have a moat. The receipts are almost never available. Either the vendor will not show the work because the work does not exist, or the vendor will not show the work because the work is the proprietary differentiator they are charging fifty thousand dollars a year to consume. This post does the inverse. Twelve specific mechanisms that make DugganUSA structurally faster, cheaper, and more accurate than the commer
Patrick Duggan
May 14 · 6 min read