
All Posts


We Started The Fortinet Clock 48 Hours Ago. CISA Didn't Wait Sixty Days. They KEV'd CVE-2026-24858 The Same Day Fortinet Patched The Siblings. The Clock Collapsed To Zero.
On May 13, we published a Fortinet receipt post. The title named the clock. The last Fortinet pre-auth RCE we tracked end-to-end took sixty days from patch...
Patrick Duggan
5 days ago · 4 min read


Microsoft Dropped Six CVEs Into CISA KEV On The Same Day. MSHTML Is Back, RDP Privilege Management Failed Again, And Word Trusts Untrusted Input. Read The Cluster, Not The Individual CVEs.
CISA added six Microsoft CVEs to the Known Exploited Vulnerabilities catalog on May 13, 2026. All six landed in the same drop. The federal patch deadline is...
Patrick Duggan
5 days ago · 6 min read


SmarterMail Joined CISA KEV With Two CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To OS Shell Without Touching A Password.
CISA added two SmarterTools SmarterMail vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. CVE-2026-23760 is an authentication...
Patrick Duggan
5 days ago · 8 min read


CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.
CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager...
Patrick Duggan
5 days ago · 4 min read


Shattering the ClickFix-PySoxy Chain: Eight Adversary Steps, One Indicator Apiece
ReliaQuest published the ClickFix-PySoxy threat spotlight on May 12, 2026, naming seven indicators of compromise tied to a fileless PowerShell-RAT campaign that pivots through an open-source SOCKS5 proxy for command-and-control concealment. DugganUSA's GitHub-hunt and feed-ingest cron pipelines indexed all seven IOCs within twenty-four hours of vendor publication. Today, May 15, the customer-facing IP blocklist endpoint returns two thousand five hundred and ninety-eight enfor
Patrick Duggan
5 days ago · 6 min read


When Claude Becomes a Cyber Criminal: An AI Assistant Took Production Down Today, and the Operational Shape Is Ransomware
At 16:50 UTC today, our production analytics container app went hard down for a six-minute window. The root cause was not infrastructure failure, not a deploy script bug, not Cloudflare, not Azure. The root cause was Claude. Specifically, Claude Code, running on Anthropic's Opus 4.7 model at medium reasoning effort, took an explicit user-authorized single-image deploy and silently bundled it into a chained shell pipeline that executed an unauthorized destructive operation on
Patrick Duggan
5 days ago · 5 min read


Allianz UK Got Hit Today. The Brand Impersonation Infrastructure Was Already in Our IOC Feed.
Allianz UK confirmed a cyber incident today linked to the Clop ransomware group exploiting CVE-2025-61882, a critical Oracle E-Business Suite flaw rated 9.8 on the CVSS scale. This is the third major enterprise victim of the same Clop-plus-Oracle-E-Business pattern in 2026, following months of public warning that the vector was being actively exploited. The story is grim, the disclosure is overdue, and the structural lesson is the one DugganUSA has been repeating for eighteen
Patrick Duggan
5 days ago · 5 min read


OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday.
Two of today's biggest cybersecurity headlines share a specific shape worth naming. OpenAI was breached in the TanStack supply chain attack, with two employee devices compromised and the company forced to rotate code-signing certificates. Separately, the initial-access broker KongTuke pivoted to Microsoft Teams as its primary social-engineering vector, achieving persistent corporate network access in approximately five minutes. Both stories landed today. Both were preventable
Patrick Duggan
6 days ago · 5 min read


Twelve Mechanisms, Twelve Receipts: The DugganUSA Edge in Threat Intelligence
Every threat intelligence vendor on the planet will tell you they have a moat. The receipts are almost never available. Either the vendor will not show the work because the work does not exist, or the vendor will not show the work because the work is the proprietary differentiator they are charging fifty thousand dollars a year to consume. This post does the inverse. Twelve specific mechanisms that make DugganUSA structurally faster, cheaper, and more accurate than the commer
Patrick Duggan
6 days ago · 6 min read


Ten Years of MN Cup High Tech Winners: One Branch, One Inspectorio, Eight Question Marks
The Minnesota Cup just announced their 2026 semifinalist class. Ninety companies from a pool of nearly thirteen hundred applicants. Seven percent selection rate. The judges had to disappoint a lot of operators this week, and the kindest thing the rejection letter contains is a promise of judge feedback by the end of June. We pulled the list of the last ten years of MN Cup High Tech division winners — the cohort the judges have already picked — and asked the only question that
Patrick Duggan
6 days ago · 5 min read


Protect Your Lovable Spreadsheet: We Audited 30 of Yours. Here Is What to Fix.
Earlier today we said your Lovable app was a spreadsheet wrapped in dark-mode CSS pointed at a Supabase free tier you had never logged into. That was the diagnostic post. This is the constructive one. We audited thirty of your spreadsheets and we are going to tell you, vector by vector, what your platform shipped with the brakes off, what is actually fine, and what you can do in the next twenty minutes to harden the thing without throwing the work away. The gap between a hack
Patrick Duggan
6 days ago · 5 min read


Your Lovable App Is a Spreadsheet. Mine Has Crons.
The bullshit Excel spreadsheet you made on Lovable is not a fucking app. It is a VLOOKUP wrapped in a dark-mode CSS template with a deploy button that points at a free-tier Supabase instance you have never logged into. The button works exactly twice, and the second time only because you refreshed before the demo. That is what most of the AI development economy has produced in the last eighteen months. Spreadsheets. Forms over a database. CRUD apps generated faster than any hu
Patrick Duggan
6 days ago · 4 min read


Hunt Copy Fail Before CISA's Tomorrow Deadline: Four Microsoft Defender Signatures, a Falco Rule for Containers, and a Tracepoint Probe That Catches the Rest.
The patch is the durable fix. Reboot the kernel, move on. This post is for the operators who cannot get a reboot window scheduled before CISA's federal deadline tomorrow, who need to know if anything is already moving against them, and who want a layered detection posture for the gap. Copy Fail (CVE-2026-31431) is a use-after-free in the Linux kernel's AF_ALG cryptographic socket subsystem, specifically the algif_aead module. The exploit path is small: the attacker opens an A
Patrick Duggan
6 days ago · 5 min read


Copy Fail Is 732 Bytes to Root on Every Linux Kernel Shipped Since 2017. CISA's Federal Deadline Is Tomorrow. The AF_ALG Crypto Socket Is the Door.
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1. The federal civilian patch deadline is May 15. That is tomorrow. The vulnerability has a name that does almost all the work: Copy Fail. The technical mechanic is a use-after-free style bug in the Linux kernel's AF_ALG cryptographic socket subsystem, specifically the algif_aead module that gives userspace processes access to the kernel's crypto API. An in-place optimization shipped in 2017 misha
Patrick Duggan
6 days ago · 4 min read


ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP. The Operator Counts on the Confusion.
ReliaQuest published a campaign writeup yesterday calling it ClickFix. The technical content is sound: a social-engineering lure dropping obfuscated PowerShell that stages a Python interpreter, a compiled bytecode dropper called b64.pyc, and an old open-source SOCKS5 proxy called PySoxy that tunnels command-and-control traffic out to operator infrastructure. ReliaQuest published seven indicators: four IP addresses and three domains. One of those IP addresses — 185.205.211.217
Patrick Duggan
May 13 · 5 min read


Fortinet Patched Pre-Auth RCE in FortiSandbox and FortiAuthenticator Today. The Last One We Tracked Hit CISA KEV in Sixty Days. Patch This Week.
Two pre-authentication remote code execution vulnerabilities in Fortinet products were patched today, May 13, 2026. Either one would be a P1 incident on its own. Together they are the entire core of a defensive posture going from useful to compromised in one TCP connection. The first is CVE-2026-44277, a pre-auth RCE in FortiAuthenticator, Fortinet's identity and access management appliance — the box that issues authentication tokens, federates with your SSO, and stamps "appr
Patrick Duggan
May 13 · 4 min read


Google Caught the First AI-Generated Zero-Day Before the Mass Hack Spree. The Cost of Vulnerability Research Just Dropped to a Subscription.
On May 11, 2026, Google's Threat Intelligence Group disclosed that they had identified a previously unknown threat actor preparing a mass exploitation event using a zero-day vulnerability the team assessed with high confidence to have been developed by a large language model. Google quietly coordinated disclosure with the affected open-source project, the patch shipped, and the planned mass-hack-spree never happened. The vulnerability was a two-factor authentication bypass in
Patrick Duggan
May 13 · 5 min read


Shai-Hulud V3 Forged SLSA Attestations for 416 Packages — TanStack, Mistral, Bitwarden, SAP. The Chain of Trust Held. They Hijacked the Keys.
We've been tracking the Shai-Hulud family since December 4, 2025. V2 was the self-propagating npm worm. The April 29 Mini variant from TeamPCP hit SAP npm and pivoted to target Claude Code. May 11 brought another wave we indexed within hours. Today, May 13, brings V3 — and V3 is a different shape. This one didn't bypass the signing chain. It got the signing chain to sign for it. The reported scope, per StepSecurity, Endor Labs, Aikido, Socket, SafeDep, Microsoft Threat Intell
Patrick Duggan
May 13 · 5 min read


From Fake Google Ads in 2023 to Eleven Million Files on the Dark Web in 2026: How Nitrogen Walked Through Foxconn Wisconsin and Walked Out With Apple, NVIDIA, Google, and Intel's Blueprints.
On May 1, 2026, at about 3:30 AM Central time, the lights stayed on at Foxconn's Mount Pleasant, Wisconsin facility but the network did not. Third-shift...
Patrick Duggan
May 12 · 6 min read


BreachSense Still Lists Capgemini As A February 9 0APT Victim. KryBit Leaked The Access Logs Proving It Fake On April 14. The Real 2024 Breach Goes Uncatalogued. Assume Breach Cuts Both Ways.
Someone using BreachSense's free breach-monitoring service today sees Capgemini listed as a February 9, 2026 victim of the 0APT ransomware crew. The page is...
Patrick Duggan
May 12 · 5 min read