All Posts

CISA dropped advisory AA26-097A this month, naming Iranian-affiliated APT activity targeting programmable logic controllers across United States critical infrastructure since at least March 2026. Water and wastewater systems. Energy. Government services. The advisory cites a small set of operator clusters by name and walks through the tradecraft — abuse of internet-exposed PLCs, credential reuse, lateral movement into industrial control plant networks. We have been doing the

Earlier this month the Box Elder County Commission, in northwestern Utah, voted to approve a 40,000-acre AI and cloud computing campus called Stratos. The project is backed by O'Leary Digital and personally championed by Kevin O'Leary. It would consume up to 9 gigawatts of power, roughly double the electricity the entire state of Utah uses today. Power would be drawn from a connection to the Ruby Pipeline, a 680-mile interstate natural gas line. The land area is 2.5 times the

Open a terminal. Type npx dugganusa-cli 185.39.19.176 and hit enter. You get back an answer. The IP is a known Cobalt Strike command-and-control server. We have blocked it forty-seven times. Three different threat-intel feeds have it on a list. There is a link to the full report. That is what we shipped today. A tiny free tool. No install. No signup. One command, one answer. We call it dugganusa-cli. It is also something else, but we will get to that. The everyday version Mos

On April 26 we published "ShinyHunters Hit Six Companies in Seven Days. Here Are Ten Salesforce-Plus-Okta Targets That Fit Their Pattern." Two weeks later, the receipts say two things at once. Our filter caught real victims. Our filter was also too narrow. This is the public re-rank. The original ten, in fit-order T-Mobile. Verizon. American Express. Comcast and Xfinity. Chick-fil-A. Dollar General. Coca-Cola. JetBlue. Spotify. Target. The fit criteria we used were consumer-f

CISA added CVE-2026-42208 — the BerriAI LiteLLM SQL injection — to the Known Exploited Vulnerabilities catalog on May 8. CVSS 9.8. Federal agencies have until May 29 to patch it. We indexed LiteLLM C2 infrastructure on March 30. We named LiteLLM as compromised on March 24. We named NGINX-UI as actively exploited on April 20. This is the quantified ledger. The math is uncomfortable. The receipts, in order March 19, 2026. TeamPCP poisoned 76 of 77 release tags in Aqua Security'

CVE-2026-31431 — Copy Fail — was added to the CISA KEV catalog on May 1, 2026 with a federal-civilian remediation deadline of May 15. CVSS 7.8. Local-user to root on every major Linux distribution. A 732-byte Python script is the exploit. There is nothing exotic about it. It's a logic bug in the AEAD socket interface of the kernel's userspace crypto API (algif_aead in the AF_ALG subsystem), and it has been there since 2017. That last fact is the story. Nine Years In The Tree

🔺 CONSPIRACY THEORY 🔺 The Newsletter They Don't Want You To Read Volume 48 | May 9, 2026 | $2.00 (cash only, no tracking) ――――――――――――――――――――― ATTENTION SUBSCRIBERS: If you opened the war.gov/UFO page this week, you're already on a list. Pentagon analytics. AARO logging. The same five-letter agencies that "didn't see anything for sixty years" suddenly know exactly which IP downloaded which JPEG. The transparency goes one way. ――――――――――――――――――――― THIS WEEK'S PATTERN: THE

May 9, 2026 · DugganUSA LLC JDownloader is the bulk-download tool of choice when you want a whole archive at once. Researchers use it. Journalists use it. Threat-intelligence analysts use it. Anyone pulling a multi-file evidence set from a release page is, with high probability, running JDownloader to do it. JDownloader's official website was compromised between May 6, 2026 at 00:01 UTC and detection on May 7, 2026. A little over twenty-four hours of silent installer swapping