
All Posts


We're Among the Best at What CrowdStrike Structurally Can't Be. We Have Two Paying Customers. Both Are True.
Someone asked me a fair question this week: are we among the best? Not "are you good" — anyone will tell you they're good. Among the best. It deserves an honest answer, and the honest answer is two things that sound contradictory and aren't. On the axes that will decide this fight in two years, yes — and I'll show the receipts instead of asserting it. On the scoreboard the market keeps today, no — we have two paying customers. Both of those are true at the same time, and lear
Patrick Duggan
Jun 14 · 4 min read


We Audited Last Month's Breaches Against Our Own Defenses. 3 We'd Have Stopped, 3 We'd Have Warned, 1 We'd Have Missed.
Every vendor claims they'd have stopped the breach. Almost none will show you the one they'd have missed. So here is the uncomfortable version: we took the breaches that actually happened over the last few weeks, mapped each one against the specific defensive surfaces we run, and graded ourselves honestly. Three we'd have stopped. Three we'd have caught early but not prevented. One we'd have missed entirely. The misses are in here on purpose, because a capability claim you ca
Patrick Duggan
Jun 14 · 4 min read


Volume Says AWS Is the Worst Host Alive. Abuse-Per-IP Says It's a 6-Month-Old Paris /24 Called BUCKLOG.
If you rank the autonomous systems in our blocklist by raw count, the worst actor on the internet appears to be Amazon. AWS (AS16509) sits at the top with 1,876 blocked events, ahead of Tencent, Google, Microsoft, Alibaba, DigitalOcean, and Meta. Case closed, right? Amazon is the problem. That conclusion is wrong, and the reason it's wrong is the whole point of this post. Counting raw abuse events rewards bigness. AWS announces something on the order of 120 million IPv4 addre
Patrick Duggan
Jun 14 · 4 min read
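The normalization the post argues for, written out as an added example (this is not the blog's own blocklist tooling). The only figures taken from the post are AWS's AS16509 with 1,876 blocked events and roughly 120 million announced IPv4 addresses; every other ASN, count and address-space size is constructed to show the ranking flip, and BUCKLOG's event count is hypothetical. The size-neutral metric is blocked events per announced /24, and the `min_events` floor is the guard a practitioner needs so that a /24 with a single event does not shoot to the top of the list.

```python
# Added example (not the post's tooling): re-rank blocklist counts by
# abuse density per announced /24 instead of by raw event volume.
from dataclasses import dataclass
from typing import List, Optional

SLASH24 = 256  # addresses in one /24


@dataclass(frozen=True)
class AsnRecord:
    asn: Optional[str]      # "AS16509" is from the post; None where not given
    name: str
    blocked_events: int     # blocklist events attributed to this AS
    announced_ipv4: int     # IPv4 addresses the AS announces (the denominator)


def events_per_slash24(rec: AsnRecord) -> float:
    """Blocked events per announced /24: the size-neutral abuse rate."""
    if rec.announced_ipv4 < SLASH24:
        raise ValueError(f"{rec.name}: announced space smaller than one /24")
    return rec.blocked_events / (rec.announced_ipv4 / SLASH24)


def rank_by_volume(records: List[AsnRecord]) -> List[AsnRecord]:
    """The naive scoreboard: raw count, which rewards the biggest address holders."""
    return sorted(records, key=lambda r: r.blocked_events, reverse=True)


def rank_by_density(records: List[AsnRecord], min_events: int = 10) -> List[AsnRecord]:
    """Per-/24 rate, after dropping ASes with too few events to rate meaningfully.

    Without the floor, one event on a /24 scores 1.0 per /24 and outranks
    every large cloud; the threshold keeps that noise off the list.
    """
    eligible = [r for r in records if r.blocked_events >= min_events]
    return sorted(eligible, key=events_per_slash24, reverse=True)


# Constructed sample. AWS's figures (1,876 events, ~120M announced IPv4
# addresses) are the ones the post quotes; all other rows are invented to
# illustrate the method and are not data from the post.
SAMPLE = [
    AsnRecord("AS16509", "AWS", 1876, 120_000_000),
    AsnRecord(None, "Tencent", 1300, 20_000_000),        # hypothetical
    AsnRecord(None, "Google", 900, 30_000_000),          # hypothetical
    AsnRecord(None, "DigitalOcean", 600, 3_000_000),     # hypothetical
    AsnRecord(None, "BUCKLOG", 41, SLASH24),             # a single /24; count hypothetical
    AsnRecord(None, "single-hit /24", 1, SLASH24),       # the noise the floor removes
]


def scoreboard(records: List[AsnRecord], min_events: int = 10) -> List[tuple]:
    """(name, raw events, events per /24) in density order, for display."""
    return [
        (r.name, r.blocked_events, round(events_per_slash24(r), 5))
        for r in rank_by_density(records, min_events)
    ]


if __name__ == "__main__":
    print("By volume :", [r.name for r in rank_by_volume(SAMPLE)])
    print("By density:", [r.name for r in rank_by_density(SAMPLE)])
    for row in scoreboard(SAMPLE):
        print("  {:16s} events={:5d} per_/24={}".format(*row))
```

With the constructed rows, AWS tops the volume list and falls to the bottom of the density list, while the lone /24 rises to the top; lowering `min_events` to 1 lets the single-event /24 rank second, which is exactly why the floor exists.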


DefiLlama Says Q2 Was Crypto's Worst Quarter Ever: 70 Hacks, $746M. The Two Biggest Drained Trust, Not Code.
DefiLlama's Q2 numbers are in, and they are a record nobody wanted: roughly 70 separate exploits in the second quarter of 2026, draining about $746 million, making it the most-hacked quarter in crypto history by incident count — close to double the prior record. The dollar figure actually trails past peaks, which is the part worth sitting with. More attacks, less stolen per attack. The crime is professionalizing into a high-frequency business. April carried the quarter on its
Patrick Duggan
Jun 14 · 4 min read


Handala Hit Cal Water's Billing Database and a GPS Server — Not the Water Supply. The Restraint Is the Message.
On June 11, 2026, the Iran-linked group Handala posted a claim on its blog that it had breached California Water Service — Cal Water, one of the largest investor-owned water utilities in the country, serving around two million people across roughly 100 California communities — and dropped a 5 gigabyte proof-of-concept data set to prove it. The headlines that followed reached for the obvious fear: Iranian hackers in the drinking water. We track Handala closely, and we think th
Patrick Duggan
Jun 14 · 4 min read


Majestic 12 Fails Every Check We Run on a Forgery — and the FBI Already Said 'Bogus'
We just pulled the FBI's own Majestic 12 file into our UAP document index, and the Bureau's review of the most famous "smoking gun" in UFO history fits on a Post-it. One word, handwritten in the margin: bogus. You can read the file yourself now — FBI case 65-81170, a Dallas field-office communication dated October 25, 1988, sitting in our uap_files corpus as document uap-0295 and live on the UAP map at epstein.dugganusa.com/uap. It is a 24-page scan describing how the U.S. Ai
Patrick Duggan
Jun 14 · 5 min read


Your --ignore-scripts Won't Save You: Phantom Gyp Backdoored 57 npm Packages Through a File Nobody Watches
For two years the standard advice for surviving a hostile npm install has been three words: run --ignore-scripts. Block the preinstall and postinstall hooks, the thinking goes, and the malware never gets to run. On June 3, 2026, a worm the researchers are calling Phantom Gyp walked straight around that advice and backdoored 57 packages — 286-plus malicious versions, published in a rolling burst under two hours — through a file your scanner has never been taught to look at. Th
Patrick Duggan
Jun 14 · 5 min read


The Third UAP Drop Has Two Faces: The CIA Explaining It Away in 1953, and the FBI Filing FD-302s on Orbs in 2026. We Indexed All 72 — Search Them Yourself.
The Department of War published its third release of declassified Unidentified Anomalous Phenomena files this week as part of the PURSUE initiative, and it landed on the morning shows the way these things do now, with the word "potato" attached to a shape one of the witnesses used. We did what we do with a primary-source dump: we ingested all seventy-two new documents into our searchable index, ran the optical character recognition, embedded them for semantic search, and upda
Patrick Duggan
Jun 13 · 4 min read


AudiA6 Laundered $389M for Fifteen Ransomware Crews — Including the Ones Who Stole Your Carnival and University Records. The Cash-Out Rail Got Seized. The Demand Won't.
This week European and American law enforcement seized AudiA6, a cryptocurrency laundering service, and the numbers attached to the operation are the kind that make a press release write itself: more than three hundred eighty-nine million dollars washed between 2022 and 2025, twenty-five domains taken down, more than thirty servers seized, two administrators arrested in Batumi, Georgia, and — the detail that matters most — laundering services provided to at least fifteen dist
Patrick Duggan
Jun 13 · 5 min read


Microsoft Patched YellowKey and Banned the Researcher. He Dropped His Second BitLocker Bypass on His Own Server — and Running a Defender Scan Is the Trigger. GreatXML.
We have been following a researcher who calls himself Chaotic Eclipse — also tracked as Nightmare-Eclipse — for two months, and the story keeps escalating in a direction Microsoft clearly did not anticipate. We wrote about his Defender vulnerabilities in April. We wrote on June 5 that Microsoft responded to his disclosures by banning him from its own GitHub and referring him to its crimes unit. We wrote on June 11 that within hours of Microsoft quietly patching his GreenPlasm
Patrick Duggan
Jun 13 · 5 min read


Twelve Hours Ago We Said the Empty PeopleSoft Repos Were a Tripwire, Not a Weapon. Tonight One Filled With a 7KB Python Exploit. CVE-2026-35273 Is Becoming Commodity.
This morning we published a post making a narrow, careful argument. The PeopleSoft zero-day CVE-2026-35273 — the unauthenticated remote code execution that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities — had attracted two new GitHub repositories named after the CVE. We opened them, found seventeen and three kilobytes of nothing, and refused to call it a public proof-of-concept, because it was not one. What we called it instead
Patrick Duggan
Jun 12 · 4 min read


We Said in April the AI Agent Is the New Login Shell. The Newest OpenClaw Attack Doesn't Even Need a Login — Just a Contact Card. The Agent Can't Tell Data From Orders.
In April we published a post with a title we meant literally: the AI agent is the new login shell. The argument was that a tool like OpenClaw — a self-hosted AI agent with broad access to your files, your shell, and more than twenty messaging platforms — is functionally a remote-access shell that happens to speak English, and that defenders were treating it like a chatbot instead of like the privileged process it actually is. We counted six holes in seven days then. This week
Patrick Duggan
Jun 12 · 5 min read


The Researcher Microsoft Tried to Ban Also Handed You a BitLocker Bypass. YellowKey, CVE-2026-45585, and the CTRL Key That Unlocks an Encrypted Drive.
For six weeks we have been following a researcher who goes by Chaotic Eclipse, also tracked as Nightmare Eclipse, and the increasingly ugly fight between him and Microsoft. We wrote about his Defender vulnerabilities — BlueHammer, the TOCTOU race in Defender's cleanup engine that escalates a low-privileged user to SYSTEM, back on April 26, and the RedSun and UnDefend tools alongside it. We wrote on June 5 that Microsoft's response to the disclosures was to ban him from its ow
Patrick Duggan
Jun 12 · 4 min read


We Said the PeopleSoft PoC Would Drop. Overnight Two GitHub Repos Appeared With the CVE Number and Almost Nothing Else. That Is Not a Weapon. It Is the Tripwire.
Yesterday we published on CVE-2026-35273, the unauthenticated remote-code-execution zero-day in Oracle PeopleSoft that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities. We ended that post with a specific prediction: our exploit harvester watches GitHub for the public proof-of-concept that would turn a targeted, hundred-victim campaign into a commodity one that anyone could run, and we said it was watching for exactly that drop. Ov
Patrick Duggan
Jun 12 · 4 min read


Shodan Says 1,479 Ivanti EPM Boxes Are Exposed. Three-Quarters Are Cloud-VPS Noise. The Number That Matters Is 6,637 — and It's Wearing a Different Name. Count Blast Radius, Not Boxes.
Just after midnight our exploit harvester logged a fresh proof-of-concept reference for CVE-2024-29824, an unauthenticated SQL injection in Ivanti Endpoint Manager that gives an attacker remote code execution on the EPM core server. It is a 2024 bug, it is in CISA's Known Exploited Vulnerabilities catalog, and it is actively exploited. The reasonable next question — the one a defender should always ask before spending a single hour on a vulnerability — is how exposed the thin
Patrick Duggan
Jun 11 · 4 min read


One Door, Every Crew: This Week Ransomware, Iranian Intelligence, and a Data-Extortion Gang All Walked Through the Same Pre-Auth Enterprise Edge. The Convergence Is the Pattern.
We published seven threat-intelligence posts this week about seven different vulnerabilities, attributed across three completely unrelated kinds of adversary, and somewhere around the fifth one a pattern stopped being a coincidence and became the story. The actors do not know each other. Their motives have nothing in common. Their tradecraft, historically, looked nothing alike. And this week they all walked through the same door. This post is about that door, because when cri
Patrick Duggan
Jun 11 · 5 min read


ShinyHunters Built Their Name on Phone Calls to the Help Desk. Now They Have a 9.8 Oracle Zero-Day, 100+ Breached Orgs, and Two-Thirds Are the Schools We Watched Them Hit in May.
For two months we have been documenting ShinyHunters as a crew that does not, on the whole, exploit software. Their signature move — the one we wrote about when they hit six named companies in seven days in April — was a phone call. Someone rings a help desk claiming to be an employee, asks for a multi-factor reset on the Okta single sign-on, the help desk obliges, and the attacker walks into the company's Salesforce instance and exports the customer file as a CSV. No CVE. No
Patrick Duggan
Jun 11 · 5 min read


The Record Patch Tuesday Has a Kill Chain Hidden Inside It. Six June CVEs Turn an Anonymous Network Packet Into Your Encrypted Disks — All Patched the Same Day.
Earlier today we wrote about the single most dangerous bug in Microsoft's record 208-CVE June Patch Tuesday: CVE-2026-45657, a wormable kernel TCP/IP remote code execution that takes a machine to SYSTEM with no password and no click. That post argued you should patch it first. This post argues something narrower and more useful for the team that has to triage all 208: the June release is not 208 isolated bugs. It contains, in a single Tuesday, every link you need to chain an
Patrick Duggan
Jun 11 · 5 min read


Microsoft Shipped a Record 208 Patches Tuesday. One Is a Wormable Kernel Bug That Needs No Password and No Click. CVE-2026-45657 Is the 2017 Setup, Again.
Microsoft shipped the largest Patch Tuesday in the program's history this week — 208 CVEs in a single release, three of them zero-days. The volume is the headline everyone wrote. The volume is not the story. Buried in that pile is one bug that does not care how busy your patch team is, because it is the kind of flaw that patches itself onto the front page eventually: CVE-2026-45657, a remote code execution vulnerability in the Windows kernel's TCP/IP stack, rated CVSS 9.8, re
Patrick Duggan
Jun 11 · 4 min read


Law Enforcement Took LockBit Down in 2024. LockBit 5.0 Posted Three Fresh Victims Today and Now Encrypts Your Hypervisors Too. The Reboot Is the Pattern.
This morning we set a watch for where First VPN would reboot after its takedown, on the principle that disrupting criminal infrastructure relocates demand rather than ending it. By the afternoon, a different name was demonstrating the same law on a leak site: LockBit, the ransomware-as-a-service operation that international law enforcement disrupted in early 2024 with great fanfare, posted three fresh victims today as LockBit 5.0 — Central Romana Corporation, a Dominican agro
Patrick Duggan
Jun 11 · 3 min read