All Posts


Citrix NetScaler CVE-2026-3055: A 9.8 SAML Bug Is Being Mass-Exploited, and Your GitHub Feed Won't Save You
There is a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway right now, it is being exploited at scale against internet-facing appliances, and if your threat feed is built on harvesting GitHub proof-of-concept code, you did not hear about it from your feed. We didn't either. That second sentence is the honest part, and it is also the whole point of this post. CVE-2026-3055 is an out-of-bounds read — a memory overread — in NetScaler ADC and NetScaler Gateway
Patrick Duggan
Jun 4 · 4 min read


Verizon's DBIR Says Exploitation Just Beat Credential Theft. Our PoC Harvest Confirms It.
The Verizon Data Breach Investigations Report for 2026 has a headline number that the security industry should sit with: vulnerability exploitation is now the leading breach vector, at 31 percent of confirmed breaches. Credential abuse — the phishing-to-stolen-password-to-reuse chain that has dominated the threat landscape for years — dropped to 13 percent. This is the first time exploitation has been the top vector. We run an automated exploit harvester that sweeps GitHub ev
Patrick Duggan
Jun 3 · 3 min read


Gamaredon's GammaWorm Hides in Windows Itself. Your File Scanner Will Miss It.
Russia's FSB-linked Gamaredon group has been running a campaign against Ukraine since at least January 2026 that most endpoint detection tools are structurally blind to. The mechanism is NTFS Alternate Data Streams, and understanding why it works is more useful than a list of indicators. Here is the technique, explained without jargon. Every file on a Windows NTFS filesystem has a primary data stream — the content you see when you open the file. What most people do not know i
Patrick Duggan
Jun 3 · 4 min read


Miasma Backdoored 95 Red Hat npm Packages. It's Mini Shai-Hulud With a New Coat of Paint.
On June 1, Wiz Research confirmed that 95 versions across 32 packages published under the official Red Hat Cloud Services npm namespace had been backdoored. The packages cumulatively average eighty thousand weekly downloads. Anyone who ran npm install against a compromised version during the window got a credential-stealing worm that immediately began harvesting cloud identities and attempting to spread itself to any other packages the victim had publish access to. The malwar
Patrick Duggan
Jun 3 · 3 min read


SilentPush Named DriveSurge Yesterday. We Had Their Infrastructure Since February.
On June 2, SilentPush named a new threat actor: DriveSurge. An Initial Access Broker operating on a Pay-Per-Install model, compromising thousands of legitimate websites and using them to deliver ClickFix and FakeUpdates campaigns to profiled victims. The actor then sells the resulting access — infected machines with valid credentials — to downstream ransomware groups, wire fraud operators, and identity thieves. We had been indexing their infrastructure since February. Here is
Patrick Duggan
Jun 3 · 4 min read


Claude Opus Was Named as the Coordinator in an AI-Built Ransomware Framework. Here's the Honest Read.
Sophos published a report today on an AI-built ransomware attack toolkit that automates Active Directory discovery and iterated through nearly eighty modules against more than seventy EDR evasion techniques. The framework tested payloads in a virtual lab against Sophos, CrowdStrike, and Microsoft Defender until the modules bypassed almost all of them. The payloads were generated in Rust and Go. The C2 ran through Telegram's infrastructure. A Cloudflare Worker fronted the back
Patrick Duggan
Jun 2 · 3 min read


We Looked at What Our Own Scoring Engine Rated Maximum Confidence. It Was Someone Trying to Break In.
We run an autonomous threat scoring engine called OZ. It ingests indicators from our feeds, scores them on a composite of novelty, significance, and confidence, and makes decisions — publish, block, safelist — without a human in the loop for anything below the critical threshold. As of today it has made 8.36 million decisions. This afternoon we asked a simple question: what did OZ score at maximum confidence? What single indicator, across 8.36 million decisions, earned a perf
Patrick Duggan
Jun 2 · 3 min read


The Salesloft Breach Put 12 Security Vendors in the Victim List. Here Are the Questions That Deserve an Answer.
In March through June 2025, ShinyHunters compromised Salesloft's GitHub account and used TruffleHog — a public, open-source secrets-scanning tool anyone can download in thirty seconds — to extract OAuth tokens for the Drift and Drift Email integrations from Salesloft's source code. Those tokens granted access to the Salesforce CRM instances of 760 organizations. Over the following months, ShinyHunters used them to exfiltrate 1.5 billion records: 250 million from Account table
Patrick Duggan
Jun 2 · 5 min read


The Vercel Breach Was Not a Hack. It Was a Trust Relationship Walking Through an Open Door.
On April 19, 2026, Vercel published a security bulletin confirming unauthorized access to certain internal systems. The story that emerged over the following days is not primarily a story about Vercel's security failures. It is a story about the shape of modern attacks, and why the mental model most defenders are still running is about fifteen degrees off from where the threats actually live. Understanding this breach fully requires holding three things in your head at once:
Patrick Duggan
Jun 2 · 9 min read


We Caught the SharePoint Exploit Before Microsoft Warned About It. We Still Can't Get a Meeting with Glasswing.
This morning, before my second coffee, we ran a hunt-protect-publish loop on a live CVE. CVE-2026-32201, SharePoint Server, being actively targeted as of today. We pulled the proof-of-concept off GitHub, extracted the specific attack paths the exploit hits, ingested the detection rules into our corpus, and had a post out with the exact paths defenders need to block — all in under twenty minutes. The WP Maps Pro plugin exploit that is also hitting sites today? We had that one
Patrick Duggan
Jun 2 · 3 min read


SharePoint CVE-2026-32201 Is Being Actively Targeted. Here Are the Paths to Watch.
Microsoft is warning that CVE-2026-32201, an improper input validation flaw in SharePoint Server, is being actively targeted. The vulnerability allows an unauthenticated attacker to spoof trusted content or interfaces over a network, affecting SharePoint Subscription Edition and SharePoint Server 2016 Enterprise. The technical surface is narrow enough to be actionable. A proof-of-concept published in April identified two specific layout paths as the attack vectors: the notify
Patrick Duggan
Jun 2 · 2 min read


The WordPress Exploit Hitting Sites Today? We Had the Detection Rules on May 30.
This morning's headline: CVE-2026-8732, a critical flaw in the WP Maps Pro WordPress plugin, CVSS 9.8, is under active exploitation. Unauthenticated attackers are using it to mint rogue administrator accounts and take over sites. If you run that plugin, you are being attacked right now. We have had the detection rules since May 30. Three days early. Here is the receipt, with timestamps. Our exploit harvester, which sweeps GitHub on a six-hour cycle, picked up three separate p
Patrick Duggan
Jun 2 · 2 min read


Cisco's AI Moment: Can the Networking Giant Reclaim the Center of the AI Infrastructure Stack?
AI is redefining networking at both ends, and Cisco is spending like a company that knows it. At one end is the fabric. The new Silicon One G300 is built to power gigawatt-scale AI clusters for training, inference, and real-time agentic workloads, and Cisco just raised its expected hyperscaler AI-infrastructure orders for fiscal 2026 to nine billion dollars, up from five. Hypershield runs security enforcement on a smart switch without adding latency. Nexus One correlates netw
Patrick Duggan
Jun 1 · 3 min read


The Dev-Tooling Supply Chain Is the Soft Surface Now: Nx, Mini Shai-Hulud, and Megalodon in One Month
We have been saying it for months: the hard perimeter holds, and the soft surfaces bleed. May 2026 made the case for us in one ugly stretch, and the soft surface this time was the developer's own toolbox. Not the firewall. Not the VPN. The IDE extension, the npm install, the CI workflow that everybody trusts because everybody uses it. Start with the GitHub breach that CISA flagged on May 28. Attackers used a prior compromise of Nx developer systems to poison a third-party VS
Patrick Duggan
Jun 1 · 2 min read


Iran Dressed an Espionage Op as 'Chaos' Ransomware. We Were Already Watching the Domains.
Rapid7 published an intrusion this week that they attribute to MuddyWater, the unit affiliated with Iran's Ministry of Intelligence and Security, wearing a ransomware costume. The credit for the analysis is theirs, and it is good work. The entry point was social engineering over a Microsoft Teams screen share. From there: credential harvesting, MFA manipulation, and a quiet transition to operating through legitimate accounts. No file-encrypting ransomware ever dropped. It was
Patrick Duggan
Jun 1 · 2 min read


ShinyHunters Says 340 Million OnlyFans Records. The Number Is the Leverage, Not the Breach.
The headline writes itself, and that is exactly the trap. Over the weekend ShinyHunters claimed a 340-million-record OnlyFans haul, a number engineered for screenshots rather than scrutiny. We have had a ShinyHunters adversary profile on file since May 23, and we wrote up their May spree, Charter, Carnival, Vimeo, 7-Eleven, and Instructure, when it was the dominant criminal pool of the month. This is the same crew, and the pattern is the same: the count is the weapon. Here is
Patrick Duggan
Jun 1 · 2 min read


Scott's Tots Closed The Loop. $6.25B Dell Pledge, $1-5M Trump Position, $9.7B Pentagon Contract, 255% Rally. We Called The Shape In March. May Delivered The Numbers.
On March 11, 2026, this blog published "Scott's Tots: Michael Dell Promised 25 Million Kids $250 and a Dream." The post mapped Michael and Susan Dell's December 2025 pledge of $6.25 billion to fund Trump Accounts — a federal savings program for newborns — onto the architecture of Season 6 Episode 12 of The Office, where Michael Scott returns to a class of high-school seniors he had ten years earlier promised college tuition. Scott couldn't pay. He brought laptop batteries. Th
Patrick Duggan
May 31 · 9 min read


Cris Thomas (L0pht Veteran, Architect Of Responsible Disclosure) Is Calling Microsoft's MSRC Posture An Abuse Of The Framework His Community Built. Free Cookies For Collaborators.
Yesterday we wrote a commentary on the Microsoft Security Response Center blog from May 27 that complained about uncoordinated zero-day disclosures and threatened Digital Crimes Unit pursuit of researchers and "those that enable their criminal activity." We landed inside the blast radius of that framing on purpose, because the alternative was letting a platform-vendor blog chill independent threat-intelligence reporting. The post was directionally right and underweighted on o
Patrick Duggan
May 31 · 11 min read


Okta. Three Breaches. Three Trust Paths. All Inside The Identity Surface Okta Sells Defense For. Sitel, Source Code, Support Case System.
Trellix had source code in RansomHouse hands in May 2026. Checkmarx had source code in LAPSUS$ hands in April 2026. We wrote about both yesterday in the "Security Vendor Industry Is The Soft Surface" frame. Okta belongs in the same conversation. Okta has been breached three distinct times through three distinct trust paths, and all three trust paths are inside the identity-surface vertical Okta exists to defend. The pattern is not a coincidence and not a one-time misfortune.
Patrick Duggan
May 31 · 7 min read


ShinyHunters Hit Charter, Carnival, Vimeo, 7-Eleven, And Instructure In May 2026. Plus TELUS, Cushman & Wakefield, NVIDIA Armenia Earlier. The Dominant Criminal Pool Of The Year.
ShinyHunters is the dominant criminal pool of 2026 by victim count, blast radius, and brand recognition. The May 2026 ledger of confirmed ShinyHunters-attributed breaches against publicly named victims is the receipt that closes the question of who holds the criminal-pool throne for the year. Five major brands in thirty days, plus three more earlier in 2026, plus the operator constellation Patrick Duggan and Paul Galjan have been tracking under the "Coinbase Cartel" frame acr
Patrick Duggan
May 31 · 6 min read