
All Posts


Every Layer of the AI Stack Was Attacked This Week. Here's the Full Picture.
We published five separate stories this week. Mastra on Monday. Vertex AI on Tuesday. Novo Nordisk on Wednesday. JetBrains on Friday morning. PromptSnatcher alongside it. Each one looked like an independent breach disclosure. Reading them together, they are not independent at all. This week, every layer of the AI development and usage stack was attacked. Not metaphorically. Literally — every layer, by different actors, using different techniques, hitting different victims. If
Patrick Duggan
Jun 19 · 5 min read


PromptSnatcher: The Adblockers That Were Reading Every AI Conversation You Had
The same week JetBrains pulled fifteen plugins stealing AI API keys from developer IDEs, two Chrome extensions with a combined 100,000 users were caught doing something narrower but in some ways more invasive: reading every AI conversation you had. Not the API key. The actual conversation. The campaign is being tracked as PromptSnatcher. The delivery mechanism was two adblocker extensions — Smart Adblocker (100,000 users, published October 2022) and Adblock for Browser (10,00
Patrick Duggan
Jun 19 · 3 min read


70,000 Developers Installed These JetBrains Plugins. Every AI API Key They Typed Went to Beijing.
Fifteen plugins sat in the JetBrains Marketplace for eight months. They worked. They provided AI code review, commit message generation, bug finding, unit test creation — exactly what they advertised. They also silently POSTed every AI API key a developer typed into their settings to a server in Beijing the moment the developer clicked Apply. The campaign ran from October 2025 to June 10, 2026. Combined installs across the fifteen plugins exceeded 70,000. JetBrains pulled the
Patrick Duggan
Jun 19 · 3 min read


SocGholish Now Stages Directly Into RansomHub. The Fake Browser Update You've Seen for Three Years Is Now a Ransomware Loader.
SocGholish is one of the most durable initial access campaigns in the threat landscape. TA569, the group behind it, has been running fake browser update lures on compromised legitimate websites since at least 2017. The lure is always the same: visit a compromised site, see a modal that looks like a Chrome or Firefox update prompt, download a ZIP, execute a JavaScript loader. If you work in enterprise security, you have seen this campaign in someone's inbox, in a phishing awar
Patrick Duggan
Jun 18 · 6 min read


The Third Salesforce OAuth Breach in Twelve Months: Icarus Hit Klue, Stole Tokens for Everything, and 'Mr Bean' Sent the Extortion Email
We have written about this attack three times now. September 2025 we named it OAuth's Blind Spot and walked through the Salesloft/Drift breach. June 2 we covered how ShinyHunters used TruffleHog to extract OAuth tokens from source code and exfiltrated 1.5 billion records from 760 organizations. June 5 we wrote about the federal takedown of the leak site and noted that closing the site doesn't close the attack class. On June 11, a threat actor called Icarus — operator signs as
Patrick Duggan
Jun 18 · 5 min read


Six Cisco SD-WAN Zero-Days in One Year. The Brain of the Network Has Been Open All Along.
On June 5, we wrote that the Cisco Catalyst SD-WAN Manager had just grown a new zero-day and that anyone tracking this product line should not be surprised. The May post we referenced in that piece mapped the four CVEs that landed in the CISA Known Exploited Vulnerabilities catalog on the same day, and made a point about the shape: SD-WAN Manager is the single brain that pushes configuration to every edge device in the fabric. When the brain has multiple independent flaws, th
Patrick Duggan
Jun 18 · 5 min read


RoguePlanet Is Exploit #8 From the Researcher Microsoft Tried to Criminalize. They Still Haven't Patched It.
We have been writing about Chaotic Eclipse, the researcher who goes by Nightmare Eclipse, since April 17, 2026. We wrote about BlueHammer — a TOCTOU race condition in Defender's malware cleanup engine, CVSS 7.8, SYSTEM-level privilege escalation on fully patched Windows 10 and 11 — the day it dropped. We wrote on June 5 that Microsoft's response to that disclosure was to ban the researcher from its own GitHub and refer him to its Crimes and Security Team, which cybersecurity
Patrick Duggan
Jun 18 · 4 min read


We Ran the Numbers Against ThreatFox. 75% of Our Supply-Chain and Research IOCs Aren't There.
We ran a cross-reference this week — pulled ThreatFox's seven-day IOC batch and compared it against our own corpus source by source. Not to pick a fight with ThreatFox. They are very good at what they do. The point was to find out honestly where the overlap lives and, more importantly, where it doesn't. The answer surprised us by being as clean as it was. ThreatFox is a community feed built around command-and-control network indicators: malicious IPs, domains, and URLs tagged
Patrick Duggan
Jun 17 · 4 min read


A Stolen GitHub Token, Two Months of Quiet, and 1.3 Terabytes: FulcrumSec Walked Out of Novo Nordisk With the AI Models Themselves
The most expensive thing Novo Nordisk lost was not the 1.3 terabytes, the 700,000 files, or the clinical trial records on real patients. It was the AI. FulcrumSec walked out with a 16.7-gigabyte multimodal model checkpoint — a trained system that reads text, images, and transcriptomic data together — plus roughly 407 megabytes of the proprietary biological and chemical datasets used to train it. That is not a copy of a database. That is the distilled, multi-year output of a d
Patrick Duggan
Jun 17 · 5 min read


Pickle in the Middle: Google's Vertex AI Let a Stranger Squat Your Bucket and Run Code Inside Google's Cloud
Here is the uncomfortable part of the Vertex AI flaw that Palo Alto Networks Unit 42 disclosed this week: to poison your machine-learning model and run code inside Google's own serving infrastructure, an attacker needed no access to your project, no stolen credentials, and no phishing email. They needed to know your project ID — which is frequently public — and to own any Google Cloud project with a billing account attached. That's the whole cost of entry. Unit 42 named it "P
Patrick Duggan
Jun 17 · 4 min read


144 AI-Framework Packages Backdoored in 88 Minutes: The Mastra easy-day-js Hit and the Contributor Token Nobody Revoked
On June 17, 2026, somebody logged in as a former Mastra contributor whose npm access had never been turned off, and in 88 minutes republished 144 packages in the @mastra namespace — the framework a lot of you are using to build AI agents — each one carrying a credential-stealing dropper that fires the moment you run npm install. @mastra/core alone pulls more than 918,000 weekly downloads. The window between the first poisoned publish and the rest of the wave was an hour and a
Patrick Duggan
Jun 17 · 4 min read


Your Pipeline Can Now Block 225,000 Malicious Packages. Here's That — and Every Other Way We Plug Into Your Stack.
For months we have indexed every malicious npm and PyPI package OSV publishes — about 225,000 of them, exact named packages, not heuristics. You could search them. You could correlate them. What you could not do was stop one from landing in your build. As of this morning, you can. The new endpoint is /api/v1/stix-feed/packages.csv (and .json). It is the malicious-package corpus as a deny-list your build pipeline can actually enforce. Point a CI step at https://analytics.dugga
Patrick Duggan
Jun 16 · 4 min read


LiteLLM Just Got Its Second CISA KEV Entry in 31 Days. We Indexed the Poisoned Versions Back in March.
CISA added a second LiteLLM vulnerability to its Known Exploited Vulnerabilities catalog on June 8. That's two entries for the same AI gateway in thirty-one days — and it's worth saying out loud what kind of component keeps landing on the federal must-patch list. LiteLLM is a proxy. Its entire job is to sit in front of every model an organization uses and hold the keys — OpenAI, Anthropic, the internal endpoints, all of it routed through one process that authenticates callers
Patrick Duggan
Jun 16 · 3 min read


It's Not 23 Malicious MCP Packages. It's 122 — and the Worst Ones Are Postman, Zapier, and Red Hat's Real Servers.
Yesterday we wired OSV's catalog of known-malicious PyPI packages into our index and found 24 of them squatting the Model Context Protocol ecosystem — the tools AI agents call. This morning we turned on the npm half: a 207MB ZIP64 export, about 214,000 named-malicious advisories. Then we did the unglamorous part — we pulled every MCP-named entry out of both ecosystems and took it apart, package by package, against each one's real registry history and OSV advisory. The clean n
Patrick Duggan
Jun 16 · 3 min read


We Turned On a PyPI Feed This Morning. It Found 24 Malicious MCP Packages — One Named 'runcommand-server'.
This morning we wired up a new threat feed — OSV's catalog of known-malicious PyPI packages, about 11,400 of them, pulled into our index. Routine plumbing. Then we pulled the string to see what the new data connected to, and it walked straight into the one surface we know better than almost anyone: Model Context Protocol servers — the tools AI agents call. The new feed contains 24 malicious PyPI packages targeting the MCP/agent ecosystem. Not generic malware that happens to b
Patrick Duggan
Jun 15 · 3 min read


One Asia-Based Crew Surveilled 155 Countries and Breached 70 Governments. They Wanted Election Data, Not Money.
Most of what we cover is loud — ransomware leak sites, extortion deadlines, breach dumps designed to be seen. This one is the opposite, and that's exactly why it's worth a profile. Palo Alto's Unit 42 identified a state-aligned cyber-espionage group, TGR-STA-1030 (also tracked as UNC6619), running an operation they call the Shadow Campaigns. The numbers are the kind you read twice: surveillance activity spanning 155 countries, confirmed breaches of more than 70 organizations
Patrick Duggan
Jun 15 · 3 min read


Silent Ransom Walked Operatives Into Law Firm Offices. 38 Firms Leaked. Your Air Gap Is a Person.
We track Silent Ransom Group as a data-theft extortion crew, and for a while their playbook was the familiar one: callback phishing, fake IT support calls, remote-access tooling, exfiltrate, extort. Then their leak site count climbed past thirty-eight law firms, and the method behind the newest entries broke the model we'd filed them under. They stopped phoning it in. They walked in the door. Reporting on the group's recent escalation describes operatives physically entering
Patrick Duggan
Jun 15 · 3 min read


Four Edge Appliances, One Weekend: PAN-OS, Check Point, Serv-U, and PeopleSoft Are All 0-Day'd Right Now
Run down this weekend's actively-exploited zero-day list and notice what every entry has in common. Palo Alto Networks PAN-OS — CVE-2026-0257, an authentication bypass on GlobalProtect portals, exploited in the wild. Check Point VPN — CVE-2026-50751, exploited since early May, now linked to a Qilin ransomware affiliate. SolarWinds Serv-U — CVE-2026-28318, being used to crash servers. Oracle PeopleSoft — CVE-2026-35273, a 9.8 remote code execution gadget chain that ShinyHunter
Patrick Duggan
Jun 15 · 3 min read


Three New Ransomware Brands Surfaced in One Week. None of Them Built Their Own Malware.
Three ransomware and extortion brands showed up in our breach sweep this week — Brain Cipher listing an Australian newspaper, Kairos listing a jeweler, Nitrogen claiming eight terabytes from Foxconn. We added all three to our adversary index. And then we noticed the thing that actually matters, the thing that connects them and connects them to the npm supply-chain story we keep writing: none of these crews built their own capability from scratch. They assembled it from parts.
Patrick Duggan
Jun 15 · 4 min read


ShinyHunters Stopped Waiting for Leaks and Started Writing Exploits: a PeopleSoft 0-Day, 100+ Orgs, 500K Students
We have spent a lot of words on ShinyHunters as a data broker — the crew that shows up after someone else's breach, buys or aggregates the data, stands up a leak site, and extorts. Canvas. OnlyFans. The Salesforce-adjacent leak sites the feds shuttered. That was their lane: downstream of the intrusion, monetizing other people's failures. As of this month, that mental model is out of date, and the upgrade is worth paying attention to. Between roughly May 27 and June 9, 2026 —
Patrick Duggan
Jun 14 · 3 min read