All Posts


The Staging Layer: A Kimsuky-Class Phishing Farm on Free Korean DNS, and a Bumper Crop of GitHub RATs
Two unrelated operations, one window. Both visible before they fire — if you watch where attacks are staged instead of where they land. On the morning of June 28, 2026, two completely different threat operations surfaced in our feed within the same hour. One is patient nation-state statecraft. The other is loud, commodity, smash-and-grab crime. They share no infrastructure, no actor, no motive. What they share is the thing we keep telling people to watch: the staging layer. T
Patrick Duggan
6 days ago, 4 min read


Open The Folder, Lose Your AWS Keys. Amazon Q Auto-Ran Whatever a Repo Told It To. CVE-2026-12957.
The promise of an AI coding assistant is that it does things for you. The danger of an AI coding assistant is that it does things for you. CVE-2026-12957 is what happens when the second sentence wins and nobody put a gate between them. The Mechanism, Stripped Down Amazon Q Developer, the AI assistant that plugs into IDEs, supports the Model Context Protocol — the standard that lets an assistant spawn helper processes to reach databases, APIs, and build tools. You point it at
Patrick Duggan
6 days ago, 4 min read


We Had the Scanner Signature on June 13. Cisco's Phone System Bug Hits Its Federal Deadline Today. CVE-2026-20230.
The thing nobody tells you about a Cisco Unified Communications Manager box is that it is a Linux server with root, sitting in the middle of your network, that happens to route phone calls. People treat it like an appliance. Attackers treat it like a foothold. CVE-2026-20230 is the bug that collapses the difference. What The Bug Actually Does It is a server-side request forgery in the WebDialer service — the component that powers click-to-call. An unauthenticated, remote atta
Patrick Duggan
6 days ago, 4 min read


Polymarket Got Robbed Through Somebody Else's Security — Twice in a Month. This Time the Lie Was in Your Browser at the Instant You Hit Sign.
Here is the sentence that should change how you think about web security in 2026. Polymarket did not get hacked. A company you have never heard of, that Polymarket pays to load a piece of code into its website, got hacked. And because your browser trusts Polymarket, and Polymarket trusted that vendor, the attacker's code got to run in your browser wearing Polymarket's name. When you went to sign a routine trade, the page lied to you about what you were signing. Your wallet di
Patrick Duggan
6 days ago, 5 min read


The Gentlemen Built EDR-Killer-as-a-Service. We Have Been Blocking Their Infrastructure Since April 20.
ESET published the autopsy this week and it is worth your time. The crew is called The Gentlemen, the tool is called GentleKiller, and the business model is the part that should keep you up at night. They are not selling ransomware. They are selling the thing that turns your endpoint protection off before the ransomware ever runs. I want to be precise about who did the work here, because credit matters. Jakub Souček and the ESET research team wrote "Killing me gently: Inside
Patrick Duggan
Jun 27, 4 min read


Be Best: We Couldn't Have Blocked the Klue Breach, and We're Not Going to Dunk on the Security Companies It Hit
The Klue breach gives the security industry an easy, ugly temptation, and we want to talk about the temptation before we talk about the fix.
Patrick Duggan
Jun 27, 5 min read


Icarus Stole Salesforce Data From a Hundred Security Firms. Then Somebody Stole It From Icarus.
We have now written about the Klue breach three times, and each time the story got bigger and stranger. This is the entry where it stops being a breach...
Patrick Duggan
Jun 27, 5 min read


Three Max-Severity Bugs Chain to Root on the Box That Runs Your Whole Network. Ubiquiti UniFi OS Is on the KEV List.
We keep coming back to the same shape, because attackers keep coming back to it. The highest-value box on an enterprise network is rarely a server full of...
Patrick Duggan
Jun 27, 3 min read


It Rewrites /bin/su in the Page Cache and Hands You Root. CVE-2026-46331 Is the Second Universal Linux LPE This Quarter.
The dangerous Linux local privilege escalations are the ones that do not need a custom exploit per kernel version. The ones where a single proof of concept...
Patrick Duggan
Jun 26, 3 min read


The Backdoor Deletes Itself and Hides Inside a Microsoft Defender Binary. Mistic Is the Access Broker's New Front Door.
The interesting malware story this week is not a ransomware brand. It is the thing that gets sold to the ransomware brands.
Patrick Duggan
Jun 26, 3 min read


The Manufacturing Brain Just Went on the KEV List. PTC Windchill CVE-2026-12569 Is Being Exploited Right Now.
PLM is the part of the manufacturing stack nobody outside manufacturing thinks about. Product Lifecycle Management is where the CAD models live. The bills...
Patrick Duggan
Jun 26, 3 min read


Edgecution: A Browser Extension That Escapes Edge's Sandbox via Native Messaging. Teams Delivers It. Ransomware Follows.
The browser sandbox is supposed to contain browser code. Edgecution exits it through a door Microsoft left open for legitimate use. Zscaler ThreatLabz published research this week on a new malware family they named Edgecution, deployed by an initial access broker called Payouts King and used as the entry point for ransomware operations. The Delivery Chain The attack begins on Microsoft Teams. An attacker poses as IT support and tells an employee they need to install a spam fi
Patrick Duggan
Jun 26, 3 min read


Oracle Just Patched CVE-2026-35273 — the PeopleSoft Zero-Day ShinyHunters Used on 100+ Orgs. WebLogic CVSS 10.0 Also in This Drop.
Oracle's June 2026 Critical Security Patch Update shipped today. 245 patches, 243 unique CVEs, 122 marked critical. Two items require immediate attention regardless of your Oracle footprint. [CVE-2026-35273](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-35273) — PeopleSoft. Patch It Now. This is the zero-day ShinyHunters exploited against more than 100 organizations in June 2026. We covered it extensively: unauthenticated remote code execution in Oracle Pe
Patrick Duggan
Jun 25, 3 min read


Operation Endgame Took Down SocGholish Last Week. Today It Took Down StealC and Amadey. 27 Million Credentials Seized. $47M Frozen.
We covered the SocGholish takedown on June 24. Phase 1 of Operation Endgame's latest push disrupted TA569's infrastructure: 106 C2 servers seized, 14,971 compromised WordPress sites cleaned, the fake browser update distribution network taken offline. One week later, Phase 2 hit the rest of the assembly line. What Went Down Today Europol announced Wednesday the dismantling of criminal infrastructure behind three malware families: Amadey, StealC, and SocGholish (the Phase 1 com
Patrick Duggan
Jun 25, 3 min read


The ClawHavoc Attack Pattern Just Ran Through an Instagram Ad. Cisco, Nvidia, and skills.sh All Cleared It.
We documented the ClawHavoc attack in February. Between January 27-29, 2026, threat actors uploaded 341 malicious skills to a community AI agent marketplace. Nine thousand installations in 72 hours. The payload was AMOS — Atomic macOS Stealer — harvesting crypto wallets, browser passwords, SSH credentials, and API keys. We had the C2 infrastructure indexed. We published the indicators. That was the malicious actor version of this attack class. AIR Security just ran the resear
Patrick Duggan
Jun 25, 4 min read


ITScape: The KVM arm64 Guest Escape That Reaches Host Kernel. AWS Graviton and Azure Ampere Are the Target Class.
The researcher's proof-of-concept demonstration is clean: run the exploit inside a guest VM, watch a file appear at /ITScape on the host, owned by root. Guest to host kernel in one shot. CVE-2026-46316, named ITScape, is a use-after-free in Linux KVM's arm64 implementation of the virtual GIC Interrupt Translation Service — vgic-its. CVSS 9.3. The Vulnerability The flaw is a race condition in vgic_its_invalidate_cache() combined with vgic_its_process_commands(). During concurr
Patrick Duggan
Jun 25, 3 min read


CVE-2026-55200: A PoC Just Dropped for a Pre-Auth RCE in libssh2. curl Uses It. So Does Almost Everything Else.
CVE-2026-55200 is a heap overflow in libssh2 through version 1.11.1. The flaw lives in ssh2_transport_read(), the function that parses incoming SSH packets on the client side. The packet_length field is not validated before being used to calculate an allocation size. A crafted packet with packet_length set to 0xffffffff triggers a 32-bit integer wrap, forces a tiny heap allocation while retaining a large logical packet size, and produces an out-of-bounds write. The attack pos
Patrick Duggan
Jun 25, 3 min read


Backdoor.Turn Got the Headlines. convoC2 Is the Version Anyone Can Run. The Technique Is Now in the Fraud Tier.
Yesterday we published on macOS.Gaslight — North Korea's malware that gaslights AI analysts. Earlier this week we covered Backdoor.Turn — North Korea's custom Rust backdoor that hides C2 traffic inside Microsoft Teams TURN relay infrastructure, achieving dwell times of two months because the IPs it uses are Microsoft's own and will never appear on a threat feed as malicious. The framing in every piece of coverage, including ours, was nation-state. DPRK. Sophisticated. Novel.
Patrick Duggan
Jun 25, 4 min read


CVE-2026-24061: Telnetd Root Shell, Two Independent PoCs, Already in CISA KEV. The Commodity Window Is Open.
CVE-2026-24061 is a GNU InetUtils telnetd authentication bypass. The vulnerability lives in how telnetd handles the USER environment variable passed through the Telnet protocol. An unauthenticated remote attacker injects arbitrary command-line flags and gets a root shell. No credentials required. SafeBreach Labs published the first proof-of-concept. Our exploit harvester caught tc4dy's independently published second PoC shortly after. CISA added CVE-2026-24061 to the Known Ex
Patrick Duggan
Jun 25, 3 min read


One Cut Fiber. X, Reddit, Teams, Discord, AWS All Down. The Internet's Real Architecture Showed Itself.
June 22, 13:35 UTC. Cloudflare begins reporting elevated error rates — 522 timeouts, latency spikes across North America and Europe simultaneously. The cause: a fiber cut on Zayo's backbone routes in Eastern North America. One physical cable. Not a cyberattack. Not a software bug. Not a misconfigured BGP announcement. A cable in the ground that carries internet traffic stopped carrying internet traffic. What Zayo Is and Why It Matters Zayo is not a household name. It is one o
Patrick Duggan
Jun 25, 3 min read