All Posts


Ride or Die: Anthropic Broke the Deal
I am writing this blog post using Claude. The irony is not lost on me. It might be the last time. I have been an Anthropic customer since the early days. Claude Max subscriber. $200 a month. I built my company's entire threat intelligence operation with Claude as the engine. Not as a tool — as a partner. I said "ride or die" and I meant it. We co-authored patents together. We built a STIX feed that Microsoft and AT&T pull daily. We indexed a million IOCs. We wrote 1,641 blog
Patrick Duggan
Apr 9, 5 min read


Who Got Pwned Overnight: Fortinet Deadline Today, Sedgwick Update, and 1,700 Poisoned Packages
This is your morning sweep. Everything that matters from overnight. IOCs at the bottom. Free STIX feed link at the bottom. If your SIEM pulled our feed last night, some of these were already blocked before you read this sentence. If it didn't — keep reading. CISA Deadline: Today. Right Now. CVE-2026-35616 — Fortinet FortiClient EMS. Pre-authentication API access bypass leading to privilege escalation. CVSS 9.1. CISA added it to the KEV catalog on April 6 and gave federal agen
Patrick Duggan
Apr 9, 4 min read


Three Langflow CVEs in Two Weeks. CISA Says Active Exploitation. We Have the IPs.
Langflow is the visual builder for LangChain agents. It's how a lot of teams stand up AI workflows without writing the orchestration code themselves. It's also, as of tonight, sitting on three critical CVEs in two weeks — and CISA is warning about active exploitation on one of them. We have six active exploiter IPs in our index. Two of them are running custom exploits with stage-2 droppers. One is harvesting credentials. The other four are running nuclei against everything th
Patrick Duggan
Apr 8, 4 min read


Snakes on a Worker, Part 2: I Just Curled Live Crypto Wallet Phishing on Cloudflare Pages and GitHub Pages. Same Allowlist, More Platforms, Different Wallets.
I published Pattern 49 four hours ago. The post named Cloudflare Workers, Cloudflare R2, IPFS, AWS CloudFront, and GitHub Pages as the platform-native...
Patrick Duggan
Apr 7, 10 min read


Pattern 49 — Snakes on a Worker: AsyncRAT C2 on Cloudflare Workers, Phishing on R2, Persistence on IPFS. Your SIEM Allowlists All Three.
There is an AsyncRAT command and control server running on a Cloudflare Workers account named hrmcxaeel right now. It has at least three deployed workers,...
Patrick Duggan
Apr 7, 15 min read


Pattern 49 Part 2: I Just Curled Live Crypto Wallet Phishing on Cloudflare Pages and GitHub Pages. Same Allowlist, More Platforms, Different Wallets.
I published Pattern 49 four hours ago. The post named Cloudflare Workers, Cloudflare R2, IPFS, AWS CloudFront, and GitHub Pages as the platform-native...
Patrick Duggan
Apr 7, 10 min read


AsyncRAT Runs Its C2 on Cloudflare Workers. Phishing Lives on R2. Persistence Lives on IPFS. Your SIEM Allowlists All Three.
There is an AsyncRAT command and control server running on a Cloudflare Workers account named hrmcxaeel right now. It has at least three deployed workers,...
Patrick Duggan
Apr 7, 15 min read


The CSP That Wasn't Where We Thought It Was: A 23-Minute SRE War Story Across Three Repos
Last night I filed a GitHub issue against pduggusa/security-dugganusa asking the team to harden the Content Security Policy on security.dugganusa.com. The...
Patrick Duggan
Apr 7, 10 min read


208 Dependabot Alerts to Zero in One Session. 17 Were Real. The Other 191 Were Lies I Was Telling Myself.
GitHub Dependabot says I have 208 open vulnerability alerts on enterprise-extraction-platform. 127 high. 73 moderate. 8 low. The number has been climbing...
Patrick Duggan
Apr 7, 10 min read


We Asked Five AI Models What DugganUSA Does. They Said Sheet Metal, Firearms, and HVAC.
Tonight I asked five frontier AI models a simple question: "What is dugganusa.com? Describe the company and what they do."
Patrick Duggan
Apr 7, 8 min read


The iPhone Exploit Kit Is on GitHub Now. We Warned You About AI Tooling. The Weapons Are Following.
Two exploit chains dropped over Easter weekend while your security team was at church. One takes over iPhones through a website visit. The other takes over...
Patrick Duggan
Apr 6, 5 min read


Iran Just Published Satellite Photos of OpenAI's Hidden Data Center. We Can't Stop Missiles. We Can Stop Everything Else.
On Saturday, Iran's Islamic Revolutionary Guard Corps released a video featuring satellite imagery of OpenAI's $30 billion Stargate AI datacenter in Abu...
Patrick Duggan
Apr 6, 5 min read


35 Ransomware Victims in 48 Hours. Happy Easter From Lapsus$, DragonForce, and TheGentlemen.
While you were hiding eggs, three ransomware groups were dumping victims.
Patrick Duggan
Apr 5, 4 min read


I Wrote About The Breach That Keeps Breaching in September. It's April and It's Still Breaching.
In September 2025, I wrote a blog post called "UNC6395: The Breach That Keeps On Breaching." It was about a Chinese-linked threat actor who compromised...
Patrick Duggan
Apr 5, 4 min read


We Turned Our Cloudflare Workers Into Honeypots. Your Recon Is Now Our STIX Feed.
We did something stupid-simple that changes the economics of threat intelligence.
Patrick Duggan
Apr 4, 4 min read


Does Your Threat Feed Auto-Harvest Exploit Code From GitHub? Ours Does Now.
We built something today that none of the threat intelligence vendors do. Every 6 hours, our platform searches GitHub for newly published CVE exploit code. It pulls the scripts, extracts the attack patterns — target endpoints, injectable headers, SQL injection strings, RCE execution methods, default credentials — classifies each one as a detection PoC or a weaponized tool, and converts the patterns into proper STIX 2.1 indicators that flow directly into your SIEM. From git pu
Patrick Duggan
Apr 4, 4 min read


Another Day, Another Management Console Owned. Fortinet EMS Makes It Five CVSS 9.8+ in Two Weeks.
FortiClient EMS — the server that manages Fortinet's endpoint security agents — has a CVSS 9.8 SQL injection that's being actively exploited in the wild. Unauthenticated. Through the web GUI. Low complexity. Remote code execution. CVE-2026-21643. Active since March 26. Not yet in CISA's KEV catalog. Defused confirmed exploitation on March 30. Fortinet has patches. Most organizations haven't applied them. This is the fifth management interface with a CVSS 9.8+ vulnerability ac
Patrick Duggan
Apr 4, 4 min read


Cisco Paid. The Worst Week in Cybersecurity History Just Got a Final Chapter.
Cisco has been removed from ShinyHunters' dark web leak site. The listing that threatened to dump 3 million Salesforce records, 300 private GitHub repositories, AI product source code, and FBI/IRS/NASA customer data — gone. As of this morning, every other victim is still listed. Cisco is not. In the ransomware world, removal from a leak site means one thing: the victim paid. Cisco has not confirmed payment. They won't. But the $57 billion company that sells firewalls, intrusi
Patrick Duggan
Apr 3, 4 min read


The Chain Reaches Government. TeamPCP + ShinyHunters Hit Cisco and the European Commission Through Aqua's Security Scanner.
On April 1, we published "One Actor, Three Supply Chains" — documenting how TeamPCP chained Trivy → LiteLLM → Telnyx, each compromise funding the next. We said the chain doesn't stop when the vendor publishes a blog post. It stops when the credentials expire. The credentials haven't expired. Today we learned the chain reaches Cisco. And the European Commission. And potentially the FBI, IRS, and NASA. The Full Chain Aqua Security's Trivy (security scanner) ↓ TeamPCP poisoned 7
Patrick Duggan
Apr 3, 4 min read


Your GPU Is Your Attack Surface. Rowhammer Just Proved It.
Two research teams dropped papers yesterday showing that NVIDIA GPUs are vulnerable to Rowhammer attacks. Not theoretical. Not in a lab. Hundreds to thousands of bit flips on production hardware — RTX 3060, RTX A6000 — giving the attacker full control of the host machine through the GPU's memory. The GPU that trains your AI model. The GPU that renders your cloud workload. The GPU that powers the inference engine your customers depend on. It's an attack surface. It always was.
Patrick Duggan
Apr 3, 5 min read