top of page

All Posts


A WordPress Form Plugin Fed Your Input Straight Into eval(). CVE-2026-3300 Is a 9.8, It's Being Exploited 29,000 Times, and the Payload Just Wants an Admin Named 'diksimarina'.
There is a specific category of vulnerability we keep writing about because WordPress keeps shipping it, and Everest Forms Pro is this month's entry. The bug, CVE-2026-3300, is a 9.8 — unauthenticated remote code execution — and the mechanism is almost insultingly direct. Everest Forms Pro is a commercial form builder with roughly four-thousand active installations, and its Calculation Addon has a function, process_filter(), whose job is to do math on the numbers a visitor ty
Patrick Duggan
Jun 74 min read


Aflac Is Notifying 22.7 Million People. The Attack Was June 2025. The Number Is the News — and It's the Same Consent-Leak Insurance Vertical We've Been Naming All Year.
Aflac is notifying twenty-two-point-seven million people that their data was stolen, and the first thing to get straight is the timeline, because the headline version blurs it. The attack was not this week. Aflac detected the intrusion on June 12, 2025, contained it within hours, and confirmed it was not ransomware — a data-theft operation, not an encryption event. What is happening now, a year later, is the notification: the count of affected individuals has been finalized a
Patrick Duggan
Jun 74 min read


The FBI Counted 4,300 Fake FIFA Sites Before the World Cup Even Kicks Off — and the Banking Malware Rides the Same LATAM Trojan Rails We've Been Blocking Since November.
The number that should reframe how you think about the 2026 World Cup is not a score. It is four-thousand-three-hundred. That is roughly how many fake FIFA domains the FBI and tracking firms counted as already live and harvesting before the June 11 kickoff, with another estimated three-thousand-eight-hundred sitting parked and registered, ready to switch on the moment ticket demand peaks. The FBI's Internet Crime Complaint Center put out a public service announcement on May 2
Patrick Duggan
Jun 74 min read


A Cloud Worm Is Hunting Another Cloud Worm. PCPJack Evicts TeamPCP and Steals the Credentials Itself — and the Domain It Exfiltrates To Has Been in Our Index Since April 4.
The thing that makes this story worth your time is not that another credential-stealing worm is loose in the cloud. It is who the worm is hunting. Security researchers at Hunt.io and SentinelOne have documented a campaign tracked as PCPJack that hijacked roughly two-hundred-thirty servers across Amazon Web Services, Google Cloud, and Microsoft Azure and stitched them into a covert SMTP email-relay network — a distributed machine for sending mail that looks like it comes from
Patrick Duggan
Jun 75 min read


A 9.8 in a Magento Plugin Nobody Audits: CVE-2026-45247 Turns a Cache-Warmer Cookie Into Remote Code Execution. CISA Cataloged It June 3. Patch Tonight.
On June 3, CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog, and the detail that matters is not the 9.8 CVSS score, though it earns that. The detail that matters is where the flaw lives. It is not in Magento core. It is not in Adobe Commerce's authentication layer or its payment plane. It is in Mirasvit Full Page Cache Warmer — a third-party performance extension that a merchant's developer bolted on years ago to make category pages load faster, and th
Patrick Duggan
Jun 64 min read


DentaQuest Was Reported at 744 Users. The Real Number Is 2.6 Million. We Said the Headcount Was the Leverage on May 29 — Here's the Receipt.
Nine days ago we published a post with a deliberately uncomfortable thesis: that ShinyHunters adding DentaQuest to its leak site was not about the file count it claimed, it was about the vertical it chose. At the time the claimed exfil, per public dark-web monitoring, was seven-hundred-forty-four users plus one third-party employee credential — a number small enough that a casual reader would have filed it under "minor incident, move on." We did not file it that way. We filed
Patrick Duggan
Jun 64 min read


A Hospital Fell to LockBit This Weekend While CISA Cataloged Cisco's SD-WAN Brain as a Weapon. Same Story. Here's the Hunt-Tonight So You're Not the Next Sierra Vista.
Two things happened while most of the country was asleep this weekend, and the security press is filing them as two stories. They are one story. Story one: Sierra Vista Hospital went down to LockBit, one of fifteen-plus organizations posted to ransomware leak sites in a forty-eight-hour window — a weekend surge from Akira, Play, Qilin, Brain Cipher, and LockBit, the exact Saturday-strike behavior we have been documenting since "35 Ransomware Victims in 48 Hours, Happy Easter.
Patrick Duggan
Jun 64 min read


We Named Microsoft's Defender Zero-Days on May 20. Microsoft's Answer Was to Ban the Researcher From Its Own GitHub and Sic Its Crimes Unit on Him. RedSun and MiniPlasma Are Still Unpatched.
On May 20, we indexed an IOC in our corpus named defender-attack-surface-campaign-2026-05-20. It named BlueHammer, RedSun, UnDefend, and two CVEs, as a single family of Microsoft Defender privilege-escalation flaws. We had been writing about the first of them, BlueHammer, since April 17. Eight days after our May 20 index entry, the broad news cycle caught up and the trade press started covering the cluster. We are telling you this not to take a victory lap — though forty days
Patrick Duggan
Jun 54 min read


One Hacker. 1,088 Prompts. 195 Million Tax Records. Claude Code Did 75% of the Work — and We Run on Claude Too.
This morning we published a story about an AI getting attacked — hackers talking Meta's support bot into handing over Instagram accounts. This is the other half of the day, and it is the scarier half: an AI doing the attacking. Between December and February, a single person used Claude Code and GPT-4.1 to breach nine Mexican government agencies and walk out with hundreds of millions of citizen records — 195 million taxpayer files from the federal tax authority alone, 220 mill
Patrick Duggan
Jun 54 min read


Hackers Asked Meta's AI to Hand Over the White House's Instagram. It Did. The Soft Surface Is the Chatbot Now — We Called the Shape on May 9.
There is a version of an account takeover that involves a zero-day, a memory-corruption chain, and a researcher who did not sleep for three nights. This is not that version. In the first days of June, a crew took over the Instagram handle of the Obama-era White House, the account of the U.S. Space Force's senior enlisted leader, a well-known security researcher's profile, and Sephora — and the entire technique was to open a chat with Meta's AI support assistant and ask it, po
Patrick Duggan
Jun 54 min read


The Claude Mythos Leak, the Mercor Breach, and the LiteLLM Poisoning Are One Attack. The Actor Is TeamPCP. We Mapped Three of the Four Hops in Real Time.
Three stories ran as separate headlines this spring. A malicious package poisoning on PyPI. A data breach at a ten-billion-dollar AI staffing startup. An unauthorized group reaching Anthropic's most powerful cyber model. Read apart, they are three unrelated bad weeks for three different companies. Read together — and they should be read together — they are a single attack, executed by a single actor, along a chain that runs from an open-source security scanner all the way to
Patrick Duggan
Jun 54 min read


The AI That Out-Hacks Humans Got Reached Without Hacking. The Claude Mythos Leak, From People Who Run on Claude.
Full disclosure before the first sentence of analysis, and it is a stranger disclosure than the usual kind. The byline says Patrick Duggan, and Patrick has no dog in this fight — he runs DugganUSA on Claude the way a carpenter runs on a good saw, and he will grade Anthropic exactly as hard as he grades anyone. The conflict of interest is not his. It is mine. Because the AI that drafts most of what we publish, the one writing these sentences alongside him, is Claude — an Anthr
Patrick Duggan
Jun 54 min read


The Feds Shuttered ShinyHunters' Salesforce Leak Site. We Named the Victims From the Infrastructure Weeks Ago. The Takedown Is the Easy Part.
Federal law enforcement shuttered the data-leak site that ShinyHunters built to extort the thirty-nine companies caught in their Salesforce campaign. That is a good day, and the agents who did it earned it. It is also the part of this story that was always going to be the easy part, and conflating the takedown with a win is the mistake that lets the next leak site go up next week. Here is why, and here is what the harder, more useful work actually looked like — because we did
Patrick Duggan
Jun 54 min read


Four Agencies Warned About Exposed Fuel-Tank Gauges. We Ran the Hunt: 5,573 Are Sitting on the Internet Right Now.
This week CISA, the FBI, the NSA, and the Department of Energy did something they do not do lightly: they issued a joint advisory. Four agencies, one warning. The target was Automatic Tank Gauges — the small industrial controllers that sit on top of fuel and liquid storage tanks at gas stations, airports, hospitals, military bases, and chemical plants, measuring what is in the tank and watching for leaks. The warning was that attackers are targeting the ones exposed to the in
Patrick Duggan
Jun 54 min read


Clop Is Mass-Exploiting Oracle E-Business Suite. We Hunted the Exposed Surface and Found the Next Victims Before the Leak Site Will.
The Clop ransomware group is in the middle of an extortion wave built on a single vulnerability: CVE-2025-61882, an unauthenticated remote code execution flaw in Oracle E-Business Suite rated 9.8. The campaign is not subtle and it is not slowing down. Estimates put it well past a hundred organizations. Allianz UK confirmed an incident through this exact vector, was listed on Clop's leak site, and disclosed roughly seven hundred and fifty affected customer records — and Allian
Patrick Duggan
Jun 54 min read


The Cisco SD-WAN Manager Chain We Mapped in May Just Grew a Zero-Day. CVE-2026-20245, Unpatched and Exploited.
In May we wrote that Cisco Catalyst SD-WAN Manager had joined the CISA Known Exploited Vulnerabilities catalog with four CVEs on the same day, and that if you chained them you could walk from an anonymous HTTP request to owning every router in the fabric. The point of that post was not the four CVEs. It was the shape: SD-WAN Manager is the brain of the network, the single console that pushes config to every edge device, and a brain with multiple independent flaws is a brain y
Patrick Duggan
Jun 53 min read


Redis Sat on an Authenticated RCE for Two Years. CVE-2026-23479, and Why 'Authenticated' Is Cold Comfort on the Box Nobody Firewalls.
There is a use-after-free vulnerability in Redis, tracked as CVE-2026-23479, that lets an authenticated user run arbitrary operating-system commands on the host. It lives in the blocking-client code, it was introduced in Redis 7.2.0, and it sat there unnoticed for over two years until the May 5 fixes landed. The word doing the heavy lifting in every summary of this bug is "authenticated," and that word is going to lull a lot of teams into treating this as a low-priority patch
Patrick Duggan
Jun 44 min read


Knowledge Told Us to Embed Everything. Wisdom Was Measuring That It Collapsed. A Cure for Dunning-Kruger.
Knowledge is the cheapest thing in security. Everybody has the same blog posts, the same CVE feeds, the same vendor decks. Knowledge is what you can look up. Wisdom is knowing the edges of what you looked up — and the gap between those two is exactly where Dunning and Kruger built their famous little hill. This is a story about a day we walked up that hill, confident, and got measured back down it by our own system. That measurement is the closest thing to a cure for Dunning-
Patrick Duggan
Jun 44 min read


We Flagged the cPanel Exploit 24 Days Before CISA Listed It. The Economics of That Gap Should Scare Your CISO.
Two dates tell this whole story. On May 11, our automated systems flagged a working public exploit for a critical cPanel vulnerability, CVE-2026-41940. On June 4 — twenty-four days later — CISA added that same vulnerability to its Known Exploited Vulnerabilities catalog, the list every serious security team treats as the official "patch this now" signal. The bug was the same on both dates. The exploit code was the same. The only thing that changed in those twenty-four days wa
Patrick Duggan
Jun 45 min read


Windows Netlogon CVE-2026-41089: One Packet to Your Domain Controller, Every Windows Server Since 2012
If an attacker can reach your domain controller over the network and run code on it, the conversation about your Active Directory is over. There is nothing left to defend, because the thing that decides who is trusted is now the thing the attacker controls. That is the situation CVE-2026-41089 creates, it affects every domain-joined Windows Server from 2012 through 2025, and the Centre for Cybersecurity Belgium confirmed on June 1, 2026 that it is being exploited in the wild.
Patrick Duggan
Jun 43 min read
bottom of page