All Posts


Ten Years of MN Cup High Tech Winners: One Branch, One Inspectorio, Eight Question Marks
The Minnesota Cup just announced their 2026 semifinalist class. Ninety companies from a pool of nearly thirteen hundred applicants. Seven percent selection rate. The judges had to disappoint a lot of operators this week, and the kindest thing the rejection letter contains is a promise of judge feedback by the end of June. We pulled the list of the last ten years of MN Cup High Tech division winners — the cohort the judges have already picked — and asked the only question that
Patrick Duggan
May 14 · 5 min read


Protect Your Lovable Spreadsheet: We Audited 30 of Yours. Here Is What to Fix.
Earlier today we said your Lovable app was a spreadsheet wrapped in dark-mode CSS pointed at a Supabase free tier you had never logged into. That was the diagnostic post. This is the constructive one. We audited thirty of your spreadsheets and we are going to tell you, vector by vector, what your platform shipped with the brakes off, what is actually fine, and what you can do in the next twenty minutes to harden the thing without throwing the work away. The gap between a hack
Patrick Duggan
May 14 · 5 min read


Your Lovable App Is a Spreadsheet. Mine Has Crons.
The bullshit Excel spreadsheet you made on Lovable is not a fucking app. It is a VLOOKUP wrapped in a dark-mode CSS template with a deploy button that points at a free-tier Supabase instance you have never logged into. The button works exactly twice, and the second time only because you refreshed before the demo. That is what most of the AI development economy has produced in the last eighteen months. Spreadsheets. Forms over a database. CRUD apps generated faster than any hu
Patrick Duggan
May 14 · 4 min read


Hunt Copy Fail Before CISA's Tomorrow Deadline: Four Microsoft Defender Signatures, a Falco Rule for Containers, and a Tracepoint Probe That Catches the Rest.
The patch is the durable fix. Reboot the kernel, move on. This post is for the operators who cannot get a reboot window scheduled before CISA's federal deadline tomorrow, who need to know if anything is already moving against them, and who want a layered detection posture for the gap. Copy Fail (CVE-2026-31431) is a use-after-free in the Linux kernel's AF_ALG cryptographic socket subsystem, specifically the algif_aead module. The exploit path is small: the attacker opens an A
Patrick Duggan
May 14 · 5 min read


Copy Fail Is 732 Bytes to Root on Every Linux Kernel Shipped Since 2017. CISA's Federal Deadline Is Tomorrow. The AF_ALG Crypto Socket Is the Door.
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1. The federal civilian patch deadline is May 15. That is tomorrow. The vulnerability has a name that does almost all the work: Copy Fail. The technical mechanic is a use-after-free style bug in the Linux kernel's AF_ALG cryptographic socket subsystem, specifically the algif_aead module that gives userspace processes access to the kernel's crypto API. An in-place optimization shipped in 2017 misha
Patrick Duggan
May 14 · 4 min read


ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP. The Operator Counts on the Confusion.
ReliaQuest published a campaign writeup yesterday calling it ClickFix. The technical content is sound: a social-engineering lure dropping obfuscated PowerShell that stages a Python interpreter, a compiled bytecode dropper called b64.pyc, and an old open-source SOCKS5 proxy called PySoxy that tunnels command-and-control traffic out to operator infrastructure. ReliaQuest published seven indicators: four IP addresses and three domains. One of those IP addresses — 185.205.211.217
Patrick Duggan
May 13 · 5 min read


Fortinet Patched Pre-Auth RCE in FortiSandbox and FortiAuthenticator Today. The Last One We Tracked Hit CISA KEV in Sixty Days. Patch This Week.
Two pre-authentication remote code execution vulnerabilities in Fortinet products were patched today, May 13, 2026. Either one would be a P1 incident on its own. Together they are the entire core of a defensive posture going from useful to compromised in one TCP connection. The first is CVE-2026-44277, a pre-auth RCE in FortiAuthenticator, Fortinet's identity and access management appliance — the box that issues authentication tokens, federates with your SSO, and stamps "appr
Patrick Duggan
May 13 · 4 min read


Google Caught the First AI-Generated Zero-Day Before the Mass Hack Spree. The Cost of Vulnerability Research Just Dropped to a Subscription.
On May 11, 2026, Google's Threat Intelligence Group disclosed that they had identified a previously unknown threat actor preparing a mass exploitation event using a zero-day vulnerability the team assessed with high confidence to have been developed by a large language model. Google quietly coordinated disclosure with the affected open-source project, the patch shipped, and the planned mass-hack-spree never happened. The vulnerability was a two-factor authentication bypass in
Patrick Duggan
May 13 · 5 min read


Shai-Hulud V3 Forged SLSA Attestations for 416 Packages — TanStack, Mistral, Bitwarden, SAP. The Chain of Trust Held. They Hijacked the Keys.
We've been tracking the Shai-Hulud family since December 4, 2025. V2 was the self-propagating npm worm. The April 29 Mini variant from TeamPCP hit SAP npm and pivoted to target Claude Code. May 11 brought another wave we indexed within hours. Today, May 13, brings V3 — and V3 is a different shape. This one didn't bypass the signing chain. It got the signing chain to sign for it. The reported scope, per StepSecurity, Endor Labs, Aikido, Socket, SafeDep, Microsoft Threat Intell
Patrick Duggan
May 13 · 5 min read


From Fake Google Ads in 2023 to Eleven Million Files on the Dark Web in 2026: How Nitrogen Walked Through Foxconn Wisconsin and Walked Out With Apple, NVIDIA, Google, and Intel's Blueprints.
On May 1, 2026, at about 3:30 AM Central time, the lights stayed on at Foxconn's Mount Pleasant, Wisconsin facility but the network did not. Third-shift...
Patrick Duggan
May 12 · 6 min read


BreachSense Still Lists Capgemini As A February 9 0APT Victim. KryBit Leaked The Access Logs Proving It Fake On April 14. The Real 2024 Breach Goes Uncatalogued. Assume Breach Cuts Both Ways.
Someone using BreachSense's free breach-monitoring service today sees Capgemini listed as a February 9, 2026 victim of the 0APT ransomware crew. The page is...
Patrick Duggan
May 12 · 5 min read


The GPS Spoofer At Khmeimim Air Base Has Been Affecting Commercial Aviation For Years. Someone Searched Us For It Tonight. We Don't Cover Russian Electronic Warfare. Here's Why That's About To Change.
On May 9 someone hit our search endpoint with the single query Khmeimim against all our indexes. Total results: one — the search-queries log entry of that...
Patrick Duggan
May 12 · 4 min read


Capgemini Got Hit Twice In Eighteen Months While Sitting Inside Their Clients' Networks. We Don't Have A Capgemini Post Yet. This Is The Receipt And The Gap.
Someone hit our blog search endpoint on May 11 with the query capgemini and got zero results.
Patrick Duggan
May 12 · 4 min read


Healthcare Sector Threat Intelligence, Indexed. Sixteen Posts, Five Operators, Every Brand In Your May 8 Watch List Found. The Zero-Result Bridge.
On May 8 a single IP hit our IOC search endpoint with fifty queries against named healthcare and education brands. Medtronic, Stryker, Kaiser Permanente,...
Patrick Duggan
May 12 · 4 min read


CVE-2026-7458: A WordPress Plugin Authenticates You As Anyone Who Submits 'true' For The OTP. PHP Loose Comparison Strikes Again. Second WP Plugin 9.8 In Five Days.
There is a WordPress plugin called User Verification by PickPlugins. As of May 2, 2026, every version through 2.0.46 contains an authentication bypass that...
Patrick Duggan
May 12 · 4 min read


Eight Posts on Iran's ICS War, Indexed. We Found You in Our Zero-Result Queue and This Is What You Were Looking For.
Someone hit our search endpoint this afternoon with the query iranian apt plc critical infrastructure 2026 and got zero results.
Patrick Duggan
May 12 · 5 min read


ShinyHunters Reset The Canvas Deadline. 'Data Destroyed' Lasted Forty-Eight Hours. Our May 12 Hedge Has An Expiration Date Now.
On May 8 we published our ShinyHunters watch list — eight named environments with pre-staged infrastructure including GE Healthcare, Moderna, and Nike. On...
Patrick Duggan
May 12 · 4 min read


Mini Shai-Hulud Hit npm May 11. We Indexed The Variant April 29. Canvas Paid May 11. We Named The Watch List May 8. Two More For The Ledger.
On May 11 at 19:20 UTC, the Mini Shai-Hulud worm pushed 84 malicious artifacts across 42 @tanstack/ packages, plus @uipath/ and @mistralai/mistralai. The...
Patrick Duggan
May 12 · 4 min read


Twenty-Eight Kittens: CISA Named Three Iranian Operators in AA26-097A. We've Been Indexing the Other Twenty-Five.
CISA dropped advisory AA26-097A this month, naming Iranian-affiliated APT activity targeting programmable logic controllers across United States critical infrastructure since at least March 2026. Water and wastewater systems. Energy. Government services. The advisory cites a small set of operator clusters by name and walks through the tradecraft — abuse of internet-exposed PLCs, credential reuse, lateral movement into industrial control plant networks. We have been doing the
Patrick Duggan
May 11 · 6 min read


Box Elder Already Has Three Toxic-Dust Hotspots. Kevin O'Leary Just Got 40,000 Acres of the Third Approved.
Earlier this month the Box Elder County Commission, in northwestern Utah, voted to approve a 40,000-acre AI and cloud computing campus called Stratos. The project is backed by O'Leary Digital and personally championed by Kevin O'Leary. It would consume up to 9 gigawatts of power, roughly double the electricity the entire state of Utah uses today. Power would be drawn from a connection to the Ruby Pipeline, a 680-mile interstate natural gas line. The land area is 2.5 times the
Patrick Duggan
May 11 · 6 min read