
All Posts


OpenAI Just Said the Scarce Resource Is Repair, Not Discovery. We've Been Saying That for a Year.
OpenAI announced the expansion of Daybreak on June 22. GPT-5.5-Cyber for trusted defenders. Codex Security for automated vulnerability discovery and patch generation. Patch the Planet — an open-source initiative with cURL, Go, Python, Sigstore, and pyca/cryptography already committed. The thesis is blunt: AI has made finding bugs faster. The scarce resource is no longer discovery. It is repair. We have been running the other half of that equation. What Daybreak Is Trying to S
Patrick Duggan
Jun 25 · 3 min read


North Korea Built Malware That Gaslights Your AI Analyst. The Sandbox Isn't the Target Anymore.
Every malware evasion technique for the last decade has been aimed at the same things: bypass the sandbox, evade the EDR, outlast the dynamic analysis timeout, hide from the static signature. The implicit assumption was that the analyst is a human, and the human's tools are machines that can be fooled mechanically. macOS.Gaslight changes the assumption. What It Does SentinelLabs disclosed macOS.Gaslight yesterday. It's a Rust-based macOS implant attributed with high confidenc
Patrick Duggan
Jun 25 · 3 min read


Cordyceps: The GitHub Actions Flaw That Gives Any Stranger Full Control of Microsoft, Google, and Apache Repos
The fungus Ophiocordyceps unilateralis infects carpenter ants, hijacks their nervous system, and drives them to the precise location and height needed for spore dispersal. Then it kills them. Novee Security named this CI/CD vulnerability class Cordyceps. The analogy is accurate. The Attack An attacker submits a pull request to a target repository. The repository has a GitHub Actions workflow configured with pull_request_target — a trigger that runs with write permissions and
Patrick Duggan
Jun 24 · 3 min read
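The pull_request_target misconfiguration the excerpt describes, as an added example that is not code from the original post or from Novee Security's Cordyceps research: a workflow that fires for pull requests from forks, runs in the base repository's context with a write-scoped token and secrets, then checks out and executes code chosen by the pull request author. The hardened version follows it. The workflow name, file path and the NPM_TOKEN secret are assumptions for illustration.

```yaml
# Added example, not from the original post or the Cordyceps write-up.
# Vulnerable pattern. Hypothetical file: .github/workflows/pr-check.yml
name: pr-check
on:
  pull_request_target:          # fires for fork PRs, runs with base-repo privileges
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Explicitly checks out the attacker's commit instead of the base branch
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json scripts come from the PR, so this runs attacker-controlled code
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret, now readable by that code
---
# Hardened version (assumption: the job only needs to run the PR's tests).
name: pr-check
on:
  pull_request:                 # runs in the fork's context: read-only token, no secrets
permissions:
  contents: read                # explicit least privilege for GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref is the PR merge ref, no head.sha override
      - run: npm ci && npm test
```

The quick audit is to search every file under .github/workflows for pull_request_target and flag any that also check out github.event.pull_request.head.sha or head.ref, or that run an install or build step afterwards. If a job genuinely needs write access on a fork PR (adding a label, posting a comment), keep pull_request_target but never check out or execute PR-controlled content in that job; run the untrusted build under pull_request and hand results to a separate privileged job via workflow_run.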


An AI Company That Serves 600 Hospitals Got Phished in January. 1.4 Million Patients Just Found Out.
On January 20, 2026, a targeted phishing attack reached Xsolis. The company detected unauthorized activity two days later, on January 22. The attackers were already gone by then. Five months later, 1.4 million patients are receiving breach notification letters. What Xsolis Does Xsolis makes Dragonfly — an AI-driven clinical decision support platform for utilization management. Utilization management is the process by which hospitals and insurers determine what care is medical
Patrick Duggan
Jun 24 · 2 min read


ShinyHunters Leaked Facial Recognition Data From Madison Square Garden. 26 Million Records. The Knicks Deadline Passed.
The June 15 deadline passed. Madison Square Garden did not pay. ShinyHunters published 45 gigabytes on June 16. What Was in the Dump 26 million records. The dataset covers ticketing operations, customer account details, and internal corporate documents tied to both the New York Knicks and New York Rangers. The talent files are the part that will drive the litigation. ShinyHunters published personal details — addresses, contact information, and confidential notes including "cl
Patrick Duggan
Jun 24 · 2 min read


WorldLeaks Hit Tata Electronics. Apple and Tesla Trade Secrets Are Now on the Dark Web.
Hunters International announced it was shutting down operations in July 2025. It rebranded as WorldLeaks, dropped its ransomware encryptor, and went pure data extortion. Same infrastructure. Same operators. New banner to reset the law enforcement clock. On June 10, 2026, WorldLeaks claimed Tata Electronics. What Tata Electronics Is Tata Electronics is one of the largest electronics manufacturers in India and a key supplier in the hardware chains for Apple and Tesla. Apple iPh
Patrick Duggan
Jun 24 · 2 min read


Icarus Used Australian Retail Domains to Exfiltrate Data From LastPass, HackerOne, and Huntress. The Domains Are Now in Our Feed.
Yesterday we wrote about Icarus and the Klue supply chain breach that exposed Salesforce CRM data for LastPass, HackerOne, Huntress, Recorded Future, Tanium, Jamf, Snyk, and others. Today we have the indicators. The Phishing Infrastructure LastPass published its incident disclosure today. The disclosure includes the sender domains Icarus used to deliver extortion demands and exfiltrate contact. All three are compromised legitimate Australian retail domains — not purpose-regis
Patrick Duggan
Jun 24 · 2 min read


DragonForce Hid C2 Traffic Inside Microsoft Teams for Two Months. Nobody Noticed.
We covered Kongtuke pivoting to Microsoft Teams as a C2 channel in May. That was the warning. Backdoor.Turn is what the warning was for. Symantec disclosed Backdoor.Turn on June 16, 2026. It is a custom Go-based backdoor built by the DragonForce ransomware group. Its defining characteristic is that it hides command-and-control traffic inside Microsoft Teams relay infrastructure — specifically the TURN (Traversal Using Relays around NAT) protocol that Teams uses for connectivi
Patrick Duggan
Jun 24 · 3 min read


If You Run Cisco SD-WAN, Fortinet, Oracle PeopleSoft, or Cisco ASA — You Are Running the Four Most Actively Exploited Products Right Now
Not historically. Right now. CISA says so. The patch deadlines are already past. Four technology products account for the majority of active exploitation activity in the last thirty days. Two of the four are Cisco. The other two are Fortinet and Oracle. If you run any of these, you are not facing a theoretical risk. You are facing adversaries who are currently inside organizations that run the same software you do. Here is what is happening with each. Cisco Catalyst SD-WAN Ma
Patrick Duggan
Jun 23 · 4 min read


We Are 100 Days Left of Boom. Here Is the Proof.
We have been saying we catch things early. Today we ran the actual measurement. We pulled a random cross-section of IPs and domains from our IOC corpus — indicators flagged by our own detection pipeline, not ingested from external feeds. We then checked which of those indicators later appeared in ThreatFox, one of the largest community threat intelligence feeds in the world. We found 51 overlapping indicators. In every single case — 51 out of 51 — we had indexed the indicator
Patrick Duggan
Jun 23 · 4 min read


Icarus Popped the Competitive Intelligence Platform. Security Companies Were the Customers.
On June 12, 2026, the Icarus extortion group compromised Klue — a market intelligence platform that security companies use to track competitors — and walked out with OAuth tokens granting access to customer Salesforce instances across hundreds of organizations. The victim list includes Recorded Future, Tanium, Jamf, Huntress, Sprout Social, Gong, Insurity, and LastPass. Recorded Future is a threat intelligence company. They got popped via their sales software. What Klue Does
Patrick Duggan
Jun 23 · 4 min read


24 Billion Credentials, 9,500 CVEs, and Your Password Manager's Broken Promise
On June 12, 2026, Cybernews researchers found an exposed Elasticsearch cluster containing 24 billion records and 8.3 terabytes of data. By June 15, it was secured. The headlines called it a colossal leak. That framing is technically correct and strategically wrong. This was not a pile of old breach data. This was an automated attack-planning system, and someone left the door open. What Was Actually in There The 24 billion records came from 36 distinct sources: Telegram channe
Patrick Duggan
Jun 23 · 4 min read


Squidbleed: A 1997 FTP Parsing Change Is Still Leaking Other Users' Cleartext HTTP Requests In Default Squid Deployments Today.
Squidbleed is CVE-2026-47729. It is a heap over-read vulnerability in Squid, the widely deployed open-source web proxy, that leaks another user's cleartext HTTP request — including any credentials or session tokens in that request — to an attacker who can send a crafted request to the same proxy. The vulnerability traces to a change in Squid's FTP parsing code made in 1997. It is present in Squid's default configuration today. The name is deliberate. The researchers at Calif.
Patrick Duggan
Jun 23 · 4 min read


ShinyHunters Hit One Medical. 8.8TB. 830,000 Patients. Amazon's Primary Care Company. The Deadline Is Today.
ShinyHunters posted One Medical to their dark web leak site this week. Eight point eight terabytes of alleged stolen data. Eight hundred thirty thousand patients across more than 250 clinics in the United States. The extortion deadline is June 22 — today. One Medical is Amazon's primary care company, acquired in 2023 for 3.9 billion dollars. Amazon is also the company that runs your pharmacy, your health insurance in certain states, and the cloud infrastructure that stores th
Patrick Duggan
Jun 22 · 4 min read


Velvet Ant Didn't Cross The Air Gap. They Owned The Thing That Validates Every Crossing. Nine Years Inside A Critical Infrastructure Network.
The forensic investigation Sygnia published this week is called Operation Highland. The threat actor is Velvet Ant, tracked by Mandiant as UNC3886, a China-nexus espionage group. The timeline runs from 2016 to 2026. Ten years. The target was critical infrastructure. The network was air-gapped. They did not cross the air gap. They owned the mechanism that validates every legitimate crossing, and then they sat inside it for a decade while every authorized administrator walked t
Patrick Duggan
Jun 22 · 5 min read


iRhythm's Cardiac Patients Had Their Medical Data Stolen And Held To Ransom. The Attack Vector Was Social Engineering. The Third Party Was The Door.
iRhythm Holdings makes the Zio patch, an FDA-cleared continuous cardiac monitoring device worn by patients for up to fourteen days to detect arrhythmias. The data it generates is clinical data — heart rhythm recordings, physician interpretations, diagnostic findings — stored and processed on behalf of patients who are being evaluated for conditions ranging from atrial fibrillation to undiagnosed syncope. On June 8, 2026, the company identified unauthorized activity on certain
Patrick Duggan
Jun 21 · 5 min read


Three Weeks. Three Vendors. The Security Infrastructure Is The Target. Pattern 53 At Scale.
Three weeks. Three vendors. Three product categories that exist specifically to make networks more secure. All three opened in the same window. Week one: FortiBleed. Eighty-six thousand FortiGate firewalls and FortiProxy VPN gateways with working admin credentials in a single database, across 194 countries, collected by a Russian-speaking crew through a combination of eight years of unpatched CVEs and a patch that did not re-hash existing passwords. The perimeter firewall — t
Patrick Duggan
Jun 21 · 5 min read


CVE-2026-20262 Is The Seventh Cisco SD-WAN Zero-Day In Thirteen Months. The Brain Of The Network Is Still Open.
CVE-2026-20262 is a path traversal vulnerability in Cisco Catalyst SD-WAN Manager that allows an authenticated, remote attacker to write or overwrite any file on the filesystem of an affected system. CISA added it to the Known Exploited Vulnerabilities catalog on June 15, 2026. The federal remediation deadline is June 29. Cisco confirmed limited active exploitation in targeted attacks. We have written about this product three times in the last six weeks. On May 16, we documen
Patrick Duggan
Jun 21 · 4 min read


FortiBleed Is Not A Campaign. It Is An Audit Result. 86,644 Firewalls Failed Eight Years Of Fortinet's Own CVE Backlog.
The number being quoted is 86,644. The framing being applied is campaign. Both are correct and together they understate the problem by an order of magnitude. FortiBleed is not a campaign in the sense of a targeted actor running a sophisticated operation against specific victims. It is an audit result. Someone ran a credential collection pass against the global population of internet-exposed Fortinet devices and published what they found. What they found is that roughly half o
Patrick Duggan
Jun 20 · 5 min read


MongoBleed Is Back In The Headlines. We Called It On January 12. Here Is The Receipt.
MongoBleed is back in the June headlines, described as a pre-authentication memory read that pulls credentials and session tokens out of server memory and puts anything internet-facing at immediate risk. The framing is correct. The novelty is not. We published our analysis on January 12, 2026, under the title MongoBleed: 87,000 MongoDB Instances Are Leaking Your Secrets. The vulnerability has been in CISA's Known Exploited Vulnerabilities catalog since late December 2025 as C
Patrick Duggan
Jun 20 · 4 min read