All Posts


APT28 Is Live-Exploiting CVE-2026-32202 — Zero-Click NTLMv2 Leak via LNK
Microsoft confirmed active exploitation of CVE-2026-32202 in a revised security advisory on April 27, 2026. The vulnerability is a Windows Shell spoofing...
Patrick Duggan
Apr 30 · 4 min read


Autovista Ransomware: Four Auto-Data Brands Down Across EU and Australia
Autovista Group disclosed a ransomware attack this week affecting their core data infrastructure, with concurrent disruption to four customer-facing brands:...
Patrick Duggan
Apr 30 · 3 min read


WorldLeaks Hit Mediaworks.hu — We Already Had This Actor Tagged
WorldLeaks claimed Mediaworks.hu, Hungary's largest commercial-media holding company, on April 29, 2026. Mediaworks runs Bors, Best, Story, Nők Lapja, plus...
Patrick Duggan
Apr 30 · 3 min read


We Wrote Our Scrapers a Letter in Mandarin
Earlier today we caught a Tencent Cloud Singapore cluster, plus an Alibaba Cloud Hong Kong/Singapore cluster, scraping our public Epstein search frontend...
Patrick Duggan
Apr 30 · 6 min read


We Caught a Tencent Cloud Singapore Scraping Cluster With a Tarpit
Yesterday morning we ran a self-examination week against our own platform. Ten findings. Six shipped fixes. One of them was the discovery that our public...
Patrick Duggan
Apr 30 · 6 min read


An Independent Read On DugganUSA's AI-Operations Stack
DugganUSA LLC, founded October 2025 in Minnesota, operates at a level of AI architectural fluency that places its working stack in approximately the top...
Patrick Duggan
Apr 30 · 3 min read


Correction: Yesterday's Self-Audit Overstated The Blast Radius On Finding #10
Yesterday morning we shipped a post called "We Audited Our Own Platform This Week. Here Are 10 Bugs We Found." Finding #10 described a Meilisearch...
Patrick Duggan
Apr 30 · 2 min read


We Audited Our Own Platform This Week. Here Are 10 Bugs We Found.
The defensive-security industry has a discipline it rarely practices on itself. Vendors audit their customers. Auditors audit the vendors. Compliance...
Patrick Duggan
Apr 30 · 7 min read


The AI Agent Is the New Login Shell. Six Holes in Seven Days.
For decades the security industry has worked off a stable mental model. The endpoint was the workstation. The shell was the login session. The credentials...
Patrick Duggan
Apr 30 · 8 min read


86 Means the Back Door at Chumley's. The Address Is Literally 86 Bedford Street.
If you ask the dictionaries, "86" came from 1930s soda-fountain slang — short-order cooks shouting it across the line because it rhymed with "nixed." If you...
Patrick Duggan
Apr 30 · 5 min read


Change Healthcare Had the Elite Cert. 192 Million Records Walked.
The defensive-security industry runs on a quiet fiction. The fiction is that breach outcomes correlate with how much a customer spends — that the next...
Patrick Duggan
Apr 29 · 8 min read


43 Days Early on Lynx. 28 on Handala. The Quantified Ledger.
Most threat intelligence vendors will tell you they catch attacks early. Almost none of them will publish a structured ledger that lets you grade them. We...
Patrick Duggan
Apr 29 · 6 min read


Famous Chollima Got Claude to Co-Author Their Crypto Stealer
ReversingLabs disclosed today that the North Korean threat actor Famous Chollima — also tracked as Shifty Corsair, the same group behind the Contagious...
Patrick Duggan
Apr 29 · 6 min read


TeamPCP's Mini Shai-Hulud Hit SAP npm — and Now It Targets Claude Code
Cybersecurity researchers at Aikido Security, SafeDep, Socket, StepSecurity, and Wiz disclosed today that a new supply chain campaign codenamed "mini...
Patrick Duggan
Apr 29 · 5 min read


Russia Hijacked Router DNS for M365 OAuth — We Already Wrote the Pattern
Lumen Black Lotus Labs and Microsoft Threat Intelligence disclosed yesterday that Russia's GRU APT 28 — Forest Blizzard, Fancy Bear — quietly compromised...
Patrick Duggan
Apr 29 · 6 min read


CVE-2026-3854: A Semicolon Got Into GitHub Enterprise. RCE on 88% of Instances.
Hours after we published the threat weather report calling out patch-discipline as the defensive priority, Wiz Research dropped the technical breakdown of...
Patrick Duggan
Apr 28 · 6 min read


Threat Weather Report Apr 28: 243 Tor Relays Staged, .top Cluster Forming
It's a CRITICAL day on the PreCog board. Five of eleven precursor signals are elevated. The dominant pattern is staging — anonymization layer being...
Patrick Duggan
Apr 28 · 5 min read


The Residential Proxy Network the FBI Won't Name. We Have 1,360 IOCs.
On March 12, 2026, the FBI issued advisory PSA260312. The subject: criminal actors and nation-state operators are systematically abusing residential proxy...
Patrick Duggan
Apr 28 · 4 min read


Russia Turned Signal's QR Code Into a Wiretap — IOCs Inside
On March 20, 2026, the FBI, CISA, NSA, and allied agencies issued joint advisory PSA260320. The subject: Russia's SVR and FSB have developed a reliable...
Patrick Duggan
Apr 28 · 4 min read


One Russian IP Block Is Behind 83% of Ivanti Connect Secure Exploitation. Here's the Address.
193.24.123.42. PROSPERO OOO. Autonomous System 200593. Saint Petersburg, Russia. That single IP block is responsible for 83% of the active exploitation traffic we've observed against Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Not 83% of all Ivanti traffic. Eighty-three percent of the malicious exploitation attempts, concentrated in one Russian commercial hosting provider. CISA added CVE-2025-22457 and CVE-2025-0282 to the Known Exploited Vulnerabilities catalog.
Patrick Duggan
Apr 28 · 3 min read