All Posts


We're Two People. We Exceed CMMC Level 2 Requirements That 500-Person Defense Contractors Struggle to Meet.
CMMC Level 2 requires 110 security controls from NIST SP 800-171. It's the standard every defense contractor must meet to handle Controlled Unclassified Information. Companies spend $34,000 to $112,000 on assessments. They hire compliance teams. They buy GRC platforms. They struggle. We're two people in Minneapolis running a threat intelligence platform on $600 a month. We've implemented 78 of 110 controls. Not because we were trying to pass an audit. Because we were building
Patrick Duggan
Apr 3 · 5 min read


Cisco Is Having the Worst Week in Cybersecurity History. Here's the Scoreboard.
It's Thursday, April 3. ShinyHunters' deadline to dump Cisco's data expires today. This is the fifth simultaneous crisis hitting Cisco in seven days. Nobody's had a week this bad. The Scoreboard # Crisis Severity Status 1 CVE-2026-20131 — FMC zero-day (CVSS 10.0) Maximum Exploited 36 days before disclosure. Interlock ransomware used it to hit hospitals and Saint Paul, MN. Amazon found it, not Cisco. 2 ShinyHunters extortion — 3M+ Salesforce records Critical Three breach vecto
Patrick Duggan
Apr 3 · 5 min read


The FBI's Wiretap Network Got Hacked. They Called It a 'Major Incident.' That Almost Never Happens.
The FBI just told Congress that the breach of its wiretap and surveillance network qualifies as a "major incident." The former deputy assistant director of the FBI's cyber division says she can't recall the bureau making that determination about its own systems since at least 2020. The affected system manages electronic surveillance — wiretaps, pen registers, trap and trace data, and personally identifiable information on subjects of FBI investigations. The people the FBI is
Patrick Duggan
Apr 2 · 4 min read


LinkedIn Scans Your Browser for 6,222 Chrome Extensions Without Asking. Microsoft Owns LinkedIn.
Every time you visit LinkedIn, a 2.7 megabyte JavaScript file loads in your browser. Inside it: 6,222 hardcoded Chrome extension IDs. The code probes each one — sending fetch() requests to chrome-extension:// URLs to detect what you have installed. The results go to LinkedIn's telemetry servers. You were never asked. LinkedIn's privacy policy doesn't mention it. And a LinkedIn Senior Manager admitted under sworn affidavit that the company has "extension detection mechanisms"
Patrick Duggan
Apr 2 · 4 min read


IP Reputation Is Dead. GreyNoise Just Proved What Our Behavioral Engine Has Known Since December.
GreyNoise analyzed 4 billion malicious sessions over three months. The finding: 78% of them evaded IP reputation checks entirely. Not because the attackers were sophisticated. Not because the blocklists were outdated. Because the traffic came from your neighbor's WiFi. The Residential Proxy Problem 39% of the malicious sessions in GreyNoise's study originated from home networks. Real residential IP addresses. Real ISPs. Addresses that have never been on a blocklist because th
Patrick Duggan
Apr 2 · 4 min read


We Checked GitHub for Exploit Code Targeting the IRGC's Hit List. Nobody Else Is Looking.
Yesterday the IRGC named 18 American companies as military targets. Today we went hunting on GitHub for the exploit code that's already being staged against them. We found webshells disguised as security research. Full exploitation toolkits published the day before CISA deadlines. Java GUI "exploit tools" committed with debug logs. And nobody paying attention. This is the wasteland. The space between a CVE disclosure and a patch deployment where attackers stage their tools in
Patrick Duggan
Apr 2 · 4 min read


Iran Just Named 18 American Companies as Military Targets. We Have Files on Six of Them.
Yesterday at 8 PM Tehran time, the Islamic Revolutionary Guard Corps published a list of 18 American technology companies it considers "legitimate military targets." For every assassination of an Iranian leader, an American company will be destroyed. Employees were told to leave their workplaces immediately. The list: Apple. Google. Meta. Microsoft. Nvidia. Intel. Cisco. HP. Dell. Oracle. IBM. Palantir. Tesla. Boeing. General Electric. JPMorgan Chase. Spire Solutions. G42. We
Patrick Duggan
Apr 2 · 5 min read


Hasbro Got Hacked. Their AI Art Pipeline Was Visible From a DNS Query.
Hasbro filed an SEC disclosure today confirming a cyberattack detected on March 28. Systems are down. Hackers may still be inside. Recovery will take "several weeks." The company that owns Transformers, Dungeons & Dragons, Magic: The Gathering, Peppa Pig, Monopoly, and My Little Pony is operating on business continuity plans. Every outlet is reporting the same thing: Hasbro got hacked, we don't know by whom, no ransomware claim yet, spokesperson won't answer questions. We loo
Patrick Duggan
Apr 1 · 4 min read


Iran Is Fighting Two Wars. We Have the IOCs for Both.
Tonight at 9 PM Eastern, the President addresses the nation on the Iran war. The Strait of Hormuz is contested. Isfahan steel plants are burning. Oil futures are swinging on every Truth Social post. Iran says the strait is "fully under their control." Trump says it'll be over in two to three weeks. That's the kinetic war. The other war — the one that hit a $22 billion medical device manufacturer, the FBI Director's personal email, and Lockheed Martin's hiring pipeline — has b
Patrick Duggan
Apr 1 · 4 min read


Dell Bought EMC for $67 Billion. Chinese Hackers Lived in RecoverPoint for Two Years.
I worked at Dell EMC. I sat in the rooms where they talked about convergence, hyper-convergence, the $67 billion acquisition that was supposed to make Dell the most complete infrastructure company on earth. VxRail, VxBlock, VMAX, Unity, Isilon, Data Domain, Avamar, RecoverPoint. The storage portfolio to end all storage portfolios. RecoverPoint was the disaster recovery product. The one that replicated your virtual machines to a secondary site so when the primary burns down, y
Patrick Duggan
Apr 1 · 5 min read


Cisco FMC Got Owned for 36 Days Before Anyone Said Anything. We Found the Fake PoC in January.
On January 14, 2026, we found a fake Cisco Firepower Management Center proof-of-concept on GitHub. It wasn't a PoC. It was a webshell disguised as one — a Pattern 38 supply chain attack targeting security researchers who test vulnerabilities for a living. We published the findings. We reported the repo. Twelve days later, on January 26, someone started exploiting the real Cisco FMC for real. Not a fake PoC. Not a webshell in a GitHub repo. A CVSS 10.0 unauthenticated remote c
Patrick Duggan
Apr 1 · 4 min read


One Actor, Three Supply Chains: How TeamPCP Chained Trivy, LiteLLM, and Telnyx Into a Single Kill Chain
On March 19, someone poisoned 76 of 77 release tags in Aqua Security's Trivy-Action GitHub repository. The credential stealer ran silently inside CI/CD pipelines — the security scanner stealing secrets from the infrastructure it was trusted to protect. Five days later, malicious versions of LiteLLM appeared on PyPI. Same actor. Different package. Same technique: harvest environment variables, .env files, and shell histories from every machine that imported the package. Three
Patrick Duggan
Apr 1 · 6 min read


Your Security Vendor Is Your Attack Surface: CrowdStrike, Microsoft, and Aqua Trivy Proved It
Three security vendors walked into a bar. One bricked 8.5 million machines. One wiped 200,000 medical devices for Iran. One turned its own vulnerability scanner into a credential stealer. Nobody's laughing. The Trifecta In nine months, the three most trusted categories of security tooling — endpoint protection, device management, and CI/CD scanning — all became the attack vector. July 2024: CrowdStrike Falcon. A faulty channel file update crashed 8.5 million Windows machines
Patrick Duggan
Mar 31 · 5 min read


We Almost Got Hit by the Axios Supply Chain Attack. Here's What Saved Us.
Yesterday someone hijacked the most popular HTTP client in the JavaScript ecosystem and turned it into a cross-platform RAT. We run 18 services on axios. Every single one of them would have pulled the malicious version on a fresh install. A lock file is the only reason I'm writing this post instead of an incident report. What Happened On March 30, 2026, an attacker compromised the npm account of axios maintainer @jasonsaayman — likely by stealing a long-lived npm access token
Patrick Duggan
Mar 31 · 5 min read


Monday Update: Handala Registered New Domains, the FBI Director Is Trending for the Wrong Reasons, and PreCog Is Still Red
It's Monday morning. PreCog has been at CRITICAL for six days. The supply chain staging signal hit maximum over the weekend. And Handala is quietly...
Patrick Duggan
Mar 30 · 5 min read


Five Things Nobody Is Talking About Tonight
It's Saturday night. The news cycle is quiet. PreCog is not.
Patrick Duggan
Mar 28 · 5 min read


PreCog Caught a Malware Staging Repo on GitHub While We Slept
This morning at 8:17 AM, I checked PreCog over coffee. It had been red for three days — infrastructure activation surge, IOC velocity spike, the usual war...
Patrick Duggan
Mar 28 · 3 min read


Friday Sweep: EU Commission Breached, Kash Patel Confirmed, LangChain Leaking Secrets, and We Scanned Europa.eu in 235 Seconds
Four stories broke today. All of them matter. Here's what happened, what we found, and what to do about it.
Patrick Duggan
Mar 27 · 4 min read


A Defender's Guide to the Current War Footing: Russia-China-Iran Cyber Operations Against Five Eyes Nations
This is not a threat brief. This is a field guide for defenders operating in a formally aligned adversary environment that didn't exist six months ago. The...
Patrick Duggan
Mar 27 · 8 min read


Threat Brief: March 27, 2026 — Handala Claims FBI, Publishes Lockheed Passports, PreCog Stays Red
PreCog is still CRITICAL. Handala escalated twice overnight. The scanning infrastructure rotated but didn't stop. Here's what changed since yesterday.
Patrick Duggan
Mar 27 · 3 min read