All Posts


In March We Said the AI Agent Builder Got Owned in 20 Hours. Langflow Is Now a Serial Target — Iran's MuddyWater Weaponized One, and a Fresh Unauthenticated RCE Is Live in the Wild.
On March 21 we published a post with a blunt title: the AI agent builder got owned in twenty hours. It was about Langflow, the open-source drag-and-drop tool for building LangChain AI agent pipelines, and a critical flaw — CVE-2026-33017, rated 9.3 — that let a single unauthenticated HTTP request turn into full remote code execution. Twenty hours after the advisory dropped, before any public proof-of-concept existed, attackers had built working exploits from the advisory text
Patrick Duggan
Jun 11 · 3 min read


Five Actively-Exploited Chrome Zero-Days in Five Months: The Browser Is the Most-Attacked Program on Your Machine, and CVE-2026-11645 Is Just June's.
On Tuesday Google shipped an emergency Chrome update for CVE-2026-11645, an out-of-bounds memory access in V8, the JavaScript and WebAssembly engine at the heart of the browser, already being exploited in the wild. On its own that is a routine entry in a defender's week: patch Chrome, move on. The number worth pausing on is not the CVE, it is the ordinal. This is the fifth actively-exploited Chrome zero-day of 2026, and we are barely past the halfway point of the year. The ca
Patrick Duggan
Jun 11 · 3 min read


The Third Nerve Center: SAP Just Patched Four Nine-Point Holes in the System That Runs Your Money — and One of Them Needs No Login.
Yesterday we wrote that the two systems an attacker most wants are the boring, trusted ones nobody thinks of as front doors — the service desk and the backup server — and that you should weight your attention toward the nerve centers rather than the perimeter. There is a third nerve center, and it patched four critical holes this week. SAP, the enterprise resource planning platform that runs the finance, supply chain, and human resources of a very large share of the world's b
Patrick Duggan
Jun 11 · 4 min read


Your Service Desk Was Answering Strangers and Your Backups Take One Login to Own: ServiceNow's Zero-Auth API and Veeam's 9.4 Landed the Same Week.
Two vulnerabilities surfaced this week that do not look related and are. One is a ServiceNow API endpoint that was answering requests from people who never logged in. The other is a Veeam Backup and Replication flaw rated 9.4 that hands remote code execution to any authenticated domain user. They sit at opposite ends of an enterprise — the service desk where work is tracked and the backup server where recovery lives — and they are the same story told twice, because those two
Patrick Duggan
Jun 10 · 4 min read


This Morning We Said Microsoft's Persecution of the Defender Researcher Would Backfire. This Afternoon He Dropped a Working Exploit on the Patches Microsoft Shipped Yesterday.
This morning we published a piece arguing that Microsoft had spent six weeks trying to criminalize the researcher who found a family of Defender vulnerabilities, then quietly patched those exact bugs in its record June Patch Tuesday — and that the persecution was the wrong response because a process that breaks down on both ends produces scorched earth, not safety. We did not expect the demonstration to arrive the same day. Within hours of Microsoft shipping the patches for G
Patrick Duggan
Jun 10 · 4 min read


The Seizure Notice Published First VPN's IP Addresses. A Free Certificate-Transparency Query Handed Us Its Entire Twelve-Year Stack.
When law enforcement seizes a piece of criminal infrastructure, the advisory that follows usually contains a list of IP addresses, and defenders dutifully feed those into their logs to check for historical connections. That is the right thing to do, and it is also the smallest version of what is available. This week's takedown of First VPN — the anonymization service used by at least twenty-five ransomware groups since 2014, seized May 19 and 20 in the French-and-Dutch-led Op
Patrick Duggan
Jun 10 · 5 min read


Our Sandtrout Detector Flagged a Pipeline-Exfil and MSI-Stager Cluster With Hours to Spare. Three Indicators Nobody Else Has Published Yet.
This morning one of our precursor detectors, the one we call Sandtrout, climbed from a score of 0.4 to 0.6 and crossed its elevation threshold, with a stated lead time of zero to six hours before the campaign it stages typically fires. That detector is named for the larval form of Frank Herbert's sandworm, because the entire premise is that the worm is easier to catch before it grows. Sandtrout watches for the larval phase of supply-chain worms — credential encapsulation, mai
Patrick Duggan
Jun 10 · 4 min read


Microsoft Spent Six Weeks Trying to Criminalize the Researcher Who Found Its Defender Bugs. This Week's Record 208-CVE Patch Tuesday Quietly Fixed Them.
On Tuesday Microsoft shipped the largest Patch Tuesday in its history — two hundred and eight CVEs, beating the previous record of one hundred and seventy-seven — and buried in that pile are fixes for a family of Microsoft Defender and Windows vulnerabilities that the company spent the previous six weeks insisting were so dangerous to disclose that it banned the researcher who found them off GitHub and GitLab, revoked his vulnerability-reporting account, and referred him to i
Patrick Duggan
Jun 10 · 5 min read


The Bulletproof Hosts That Went Quiet: Thirteen Days After Operation Riptide, Half Our Regular Offenders Vanished From the Edge
We just brought our edge block telemetry back online after a two-week instrumentation gap, and the first thing worth doing with a restored sensor is to ask what changed while it was dark. The answer, when we lined up the providers our infrastructure has been rejecting over the last thirteen days against the bulletproof hosts that used to be regulars in our block data, is that a whole cohort of them has simply gone quiet. This is an observation, not a victory lap, and the dist
Patrick Duggan
Jun 9 · 5 min read


One VPN Served 25 Ransomware Crews. Operation Riptide Seized All 33 Servers. The Leverage Was Never the Payload — It Was the Shared Infrastructure.
The FBI's Boston field office went public today with the seizure side of an operation called Riptide, and the shape of it is the thing I want defenders to sit with, because it is the same lesson we have been writing all week from a different angle. The target was not a ransomware gang. It was a single virtual private network service — marketed as "First VPN Service," advertised almost exclusively on Russian-language criminal forums, in operation since roughly 2014 — that serv
Patrick Duggan
Jun 9 · 4 min read


Google Said 'Limited, Targeted Exploitation' About CVE-2025-48595. In Android Patch Notes, That Phrase Means Spyware.
In the June 2026 Android security bulletin Google patched a hundred and twenty-four flaws, and buried in that pile is one — CVE-2025-48595 — that they flagged with a specific, deliberate phrase: there are indications it may be under "limited, targeted exploitation." CISA agreed, added it to the Known Exploited Vulnerabilities catalog at the start of the month, and gave federal agencies an unusually short fuse to remediate. If you read Android bulletins for a living you alread
Patrick Duggan
Jun 9 · 3 min read


SolarWinds Serv-U Just Earned Its Fifth Spot on CISA's Exploited List. One Unauthenticated POST With a Deflate Header Crashes the Whole Service.
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog this month, with a remediation mandate for federal civilian agencies, and it is a SolarWinds Serv-U flaw — which by itself would be a routine patch note, except that when I cross-referenced it against our own KEV index this morning, it turned out to be the fifth Serv-U vulnerability on that list. Not the fifth SolarWinds product. The fifth time this one file-transfer server has been added to the catalog
Patrick Duggan
Jun 9 · 3 min read


NightSpire Is the Busiest Ransomware Crew on Earth Right Now. We Built Their Profile This Morning — RDP, Chrome Remote Desktop, and a .nspire Extension.
This morning our adversary index pulled in a fresh profile for a ransomware crew called NightSpire, and by the time I sat down to look at the day's leak-site activity, NightSpire was sitting at the top of it — twenty-six victims claimed in a single daily digest, more than LockBit and DragonForce combined on the same day. That is not a fluke of one bad afternoon. NightSpire first surfaced in February 2025 as a closed, operator-driven crew, and across 2026 it has rolled past tw
Patrick Duggan
Jun 9 · 4 min read


This Morning Our Harvester Stopped Catching Kid-Grade Token-Grabbers and Caught an EDR-Evasion Kit and an MSI Stager on GitHub. That's the Step After the VPN.
For most of the past week our GitHub hunting cron has been pulling the same low tier of malware out of public repositories: Android remote-access trojans of the SpyNote family and Discord token-grabbers, the kid-grade stuff aimed at gamers and World Cup streamers, which I wrote about two days ago. This morning the stream changed character. At the top of today's catches are two repositories that are not aimed at teenagers: one tagged EDR-Bypass, an AV-and-EDR evasion toolkit,
Patrick Duggan
Jun 9 · 4 min read


Two Days Ago I Said the #2 Ransomware Crew's Whole Game Was Your SSL VPN. Now the #1 Crew Is Burning a Check Point VPN Zero-Day With No Password Required. CVE-2026-50751.
Two days ago I wrote that Akira — the second most active ransomware crew on earth — has one favorite door, and that door is your SSL VPN: Cisco ASA, SonicWall, WatchGuard, missing MFA or stolen credentials, in and encrypting in under four hours. I said the edge appliance is the initial-access surface of the era. I did not expect the sequel to land this fast. As of this week, the number-one crew by volume, Qilin, is in the same place by a different vendor. Check Point disclose
Patrick Duggan
Jun 9 · 4 min read


I Did Everything Right and Still Lost $5,300 to Two Mainland-China E-Bike Vendors. A Warning About eAhora and Wallke — and the Accountability Vacuum the Trade War Runs On.
I run a threat-intelligence company. My job is asymmetry — the structural fact that an adversary can act against you from a place your courts cannot reach, behind a hand-off chain you cannot attribute, with a cost-benefit math that says ignoring you is the rational move. It is the defining feature of the cyber conflict between China and the United States, and I write about it constantly. This month I learned it does not stay in the network. It arrives in your driveway, attach
Patrick Duggan
Jun 9 · 6 min read


Akira Just Hit a Swiss Radiology Network. It's the #2 Ransomware Crew on Earth and Its Whole Game Is Your SSL VPN — Even With MFA On. We Just Put It in the Index.
Akira claimed a Swiss radiology network this week — Réseau Radiologique Romand, with around forty-eight gigabytes of data alleged stolen — and we are using the occasion to do something we should have done sooner: put Akira in our adversaries index as a full profile. It belongs there for a simple reason. Akira is, by publicly disclosed victim volume, the second most active ransomware operation on the planet right now, behind only Qilin, and unlike the sprawling supply-chain an
Patrick Duggan
Jun 8 · 4 min read


The Press Named the Brightspeed Telecom Breach Today. We Profiled Crimson Collective — With the Brightspeed Claim Already in It — Ten Days Ago.
Today the security press named a new breach: a cyber-extortion crew called Crimson Collective claiming the theft of more than a million customer records from the US telecommunications provider Brightspeed. It is a real story and worth covering. It is also, for us, a story we filed ten days early — not the breach itself, which we cannot claim to have predicted to the day, but the actor behind it. Our adversaries index has carried a Crimson Collective profile since May 28, and
Patrick Duggan
Jun 8 · 4 min read


Our Harvester Caught 'android-shadowspy' This Morning. It's One of 44 Android RATs Sitting in Public GitHub Repos — and It's the Same Malware the FBI Says Is Riding the World Cup.
At 08:15 UTC this morning, our GitHub hunting cron did what it does every day — swept a set of high-signal search queries against public repositories with a word-boundary bait regex and a strong false-positive filter — and it pulled in a repo called android-shadowspy, tagged Android RAT. That is not remarkable on its own. What is remarkable is that it is routine. android-shadowspy is the newest entry in a steady, daily stream: across the catches our harvester has indexed, for
Patrick Duggan
Jun 7 · 4 min read


An August Zero-Day in FreePBX Just Got a Push-Button Exploit. Shodan Shows ~10,700 Admin Panels Still Hanging Open — a Third of Them in the US.
If you saw FreePBX exploitation in a surge this week and thought it was odd to still be seeing it, your instinct was correct, and the explanation is not a new vulnerability — it is a new exploit for an old one. The bug at the center of the surge is CVE-2025-57819, an authentication bypass in the FreePBX commercial Endpoint Manager that chains into SQL injection and then remote code execution, carrying the maximum CVSS score of 10.0. That bug is not fresh. It was exploited as
Patrick Duggan
Jun 7 · 4 min read