CISA Deadline Day: React2Shell and the Shai-Hulud Supply Chain
- Patrick Duggan
- Dec 29, 2025
- 3 min read
Today is CISA's remediation deadline for CVE-2025-55182 (React2Shell). If you're running Next.js or React Server Components and haven't patched, assume compromise: China-nexus actors have been exploiting it in the wild for more than three weeks.
The React2Shell Timeline
December 3: Public disclosure of CVE-2025-55182 (CVSS 10.0).
December 5, 6:00 AM UTC: Active exploitation begins. Earth Lamia, Jackpot Panda, and UNC6595 are already deploying payloads.
December 8: CISA adds to Known Exploited Vulnerabilities catalog.
December 29 (TODAY): Remediation deadline.
This isn't theoretical. AWS, Microsoft, Google, Trend Micro, and Palo Alto all documented in-the-wild exploitation within 48 hours of disclosure.
React2Shell IOCs
If you run Next.js applications, check for connections to these C2 servers:
```
IPs:
193.34.213.150
154.89.152.240
107.174.123.91
38.165.44.205
45.76.155.14
216.238.68.169
78.153.140.16
80.64.16.241
2.56.176.35

Domains:
gfxnick.emerald.usbx.me
api.qtss.cc
conclusion-ideas-cover-customise.trycloudflare.com
proxy1.ip2worlds.vip
```
Malware deployed: VShell, EtherRAT, SNOWLIGHT, ShadowPAD, KSwapDoor, Auto-color backdoor, Cobalt Strike (CrossC2), Sliver, KINSING cryptominer.
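A minimal way to sweep egress logs for the indicators above. This is an added example, not code from the original post or from any vendor report: the IOC values are the ones listed above, while the log format and the hostnames in the sample lines are constructed for illustration. Note the extra handling for trycloudflare.com: the specific tunnel hostname is disposable and changes per operator session, so any server egress to that parent domain gets a medium-confidence hit rather than being ignored.

```javascript
// Added example (not from the original post): match the React2Shell C2
// indicators against outbound-connection log lines. Sample lines are
// constructed; the non-C2 addresses use RFC 5737 documentation ranges.
const C2_IPS = new Set([
  "193.34.213.150", "154.89.152.240", "107.174.123.91", "38.165.44.205",
  "45.76.155.14", "216.238.68.169", "78.153.140.16", "80.64.16.241",
  "2.56.176.35",
]);
const C2_DOMAINS = new Set([
  "gfxnick.emerald.usbx.me",
  "api.qtss.cc",
  "conclusion-ideas-cover-customise.trycloudflare.com",
  "proxy1.ip2worlds.vip",
]);
// Disposable tunnel services: the exact hostname is throwaway, so any
// server talking to the parent domain deserves a look (lower confidence).
const TUNNEL_SUFFIXES = [".trycloudflare.com"];

const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Hostname tokens: labels separated by dots, alphabetic TLD (so dotted
// quads do not match here; they are handled by IPV4_RE above).
const HOST_RE = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;

// Returns one hit per matched indicator: { line, kind, indicator, confidence }.
function findIocHits(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const ip of line.match(IPV4_RE) || []) {
      if (C2_IPS.has(ip)) {
        hits.push({ line: idx + 1, kind: "c2_ip", indicator: ip, confidence: "high" });
      }
    }
    for (const raw of line.match(HOST_RE) || []) {
      const host = raw.toLowerCase();
      if (C2_DOMAINS.has(host)) {
        hits.push({ line: idx + 1, kind: "c2_domain", indicator: host, confidence: "high" });
      } else if (TUNNEL_SUFFIXES.some((s) => host.endsWith(s))) {
        hits.push({ line: idx + 1, kind: "tunnel_service", indicator: host, confidence: "medium" });
      }
    }
  });
  return hits;
}

// Constructed sample: egress records from an app-tier host running Next.js.
const SAMPLE_LOG = [
  "2025-12-05T06:14:02Z next-app-7 egress dst=193.34.213.150:443 proto=tcp",
  "2025-12-05T06:14:09Z next-app-7 egress host=api.qtss.cc dst=203.0.113.10:443 proto=tcp",
  "2025-12-05T06:15:30Z next-app-7 egress host=registry.npmjs.org dst=203.0.113.20:443 proto=tcp",
  "2025-12-05T06:16:11Z next-app-7 egress host=quick-tide-jolly-pine.trycloudflare.com dst=198.51.100.7:443 proto=tcp",
];

console.log(JSON.stringify(findIocHits(SAMPLE_LOG), null, 2));
```

Feed it real proxy, NetFlow or Zeek conn records one line at a time; the regexes only care that an IP or hostname appears somewhere on the line. A hit on a C2 IP or exact domain from a Next.js host is high confidence; a tunnel-service hit needs a second look, because developers also use trycloudflare.com legitimately, just not usually from production app servers.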
Shai-Hulud 2.0: The Supply Chain Worm
While React2Shell grabbed headlines, Shai-Hulud 2.0 has been quietly infecting the npm ecosystem.
The scope: 25,000+ exfiltration repositories on GitHub across 350 unique developer accounts. Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily trojanized.
The technique: Compromised maintainer accounts publish trojanized package versions. When developers run npm install, a two-stage infection deploys. First stage: a preinstall lifecycle script (setup_bun.js) downloads and installs the Bun runtime. Second stage: the Bun-executed payload (bun_environment.js) harvests npm tokens, GitHub PATs and cloud credentials, then uses any stolen npm token to publish trojanized versions of every package that maintainer controls, so the worm propagates.
The clever part: No traditional C2 servers. Shai-Hulud exfiltrates to GitHub repositories, blending with legitimate developer traffic.
This is trust inversion. The tools developers use to build software are now the attack surface.
Webrat: Targeting Security Researchers
Not content with attacking developers, threat actors are now targeting the defenders.
Fifteen malicious GitHub repositories disguised as CVE proof-of-concept exploits are distributing the Webrat backdoor, including:
RedFoxNxploits/CVE-2025-10294-Poc
FixingPhantom/CVE-2025-10294
h4xnz/CVE-2025-10294-POC
stalker110119/CVE-2025-59230
DebugFrag/CVE-2025-12596-Exploit
rootreapers/CVE-2025-11499
C2 infrastructure: ezc5510min.temp.swtest.ru, shopsleta.ru
Security researchers downloading PoC code to understand vulnerabilities are executing malware instead.
Other Active Campaigns
Romania National Water Authority: Ransomware encrypted ~1,000 systems across national and regional offices.
France La Poste: Pro-Russian hacktivist group NoName057(16) disrupted postal and banking services.
Aflac: Scattered Spider breach exposed 22.7 million individuals.
Trust Wallet Chrome Extension: Compromised v2.68.0 resulted in $7M in cryptocurrency losses.
npm lotusbail package: 56,000 downloads before removal. Targeted WhatsApp data.
The Pattern
Every campaign this week exploits trust:
• React2Shell: Trust in framework code
• Shai-Hulud: Trust in npm packages
• Webrat: Trust in security research
• Trust Wallet: Trust in browser extensions
The attack surface isn't code. It's belief.
Immediate Actions
• Patch React Server Components to a release that fixes CVE-2025-55182 (19.0.1, 19.1.2 or 19.2.1, depending on your minor line) and Next.js to its corresponding patched release
• Audit for outbound connections to the IOCs above
• Check Kubernetes clusters for unauthorized workloads (KINSING cryptominers and the backdoors listed above)
• Pin npm dependencies to known clean versions (published before November 21, 2025) and install with a lockfile
• Rotate all npm tokens, GitHub PATs, SSH keys and cloud credentials that existed on any machine that ran npm install during the window
• Enforce MFA on developer accounts
• Verify PoC repositories before executing anything from them; read the code, run it in an isolated VM
• Check file hashes against the Webrat MD5s below and your malware signatures
• Monitor for connections to the .ru Webrat C2 hosts listed above
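"Pin to a version published before November 21" is easy to say and fiddly to do by hand across a lockfile. The following is an added example, not from the original post: given the publish timestamps that npm view <pkg> time --json returns (a map of version to ISO timestamp plus created/modified), it picks the highest clean semver release before a cutoff and emits an overrides block for package.json. The package name and timestamps are constructed for illustration.

```javascript
// Added example (not from the original post): choose the newest release of a
// package published before the Shai-Hulud 2.0 cutoff, from the publish
// timestamps that `npm view <pkg> time --json` returns. Sample data below is
// constructed; "example-pkg" is not a real package.
const CUTOFF = new Date("2025-11-21T00:00:00Z");

// Shape of `npm view example-pkg time --json`: version -> publish time,
// plus the registry's created/modified bookkeeping keys.
const SAMPLE_TIMES = {
  created: "2023-02-01T10:00:00.000Z",
  modified: "2025-11-24T07:12:00.000Z",
  "3.1.0": "2024-09-12T08:00:00.000Z",
  "3.1.1": "2025-07-30T14:20:00.000Z",
  "3.2.0": "2025-11-10T09:45:00.000Z",
  "3.3.0-beta.1": "2025-11-15T12:00:00.000Z", // prerelease, never auto-pinned
  "3.2.1": "2025-11-24T06:50:00.000Z",        // published after the cutoff
  "3.2.2": "2025-11-24T07:12:00.000Z",
};

// [major, minor, patch] for a plain release, null for prereleases and the
// created/modified keys.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Highest semver release published strictly before `cutoff`, optionally
// restricted to one major line so the pin stays API-compatible.
function lastCleanVersion(times, cutoff = CUTOFF, major = null) {
  let best = null;
  for (const [version, published] of Object.entries(times)) {
    const parsed = parseVersion(version);
    if (!parsed) continue;
    if (major !== null && parsed[0] !== major) continue;
    if (new Date(published) >= cutoff) continue;
    if (!best || compareVersions(parsed, best.parsed) > 0) best = { version, parsed };
  }
  return best ? best.version : null;
}

// Build the `overrides` object for package.json from a map of
// package name -> its `time` object.
function pinOverrides(packages, cutoff = CUTOFF) {
  const overrides = {};
  for (const [name, times] of Object.entries(packages)) {
    const v = lastCleanVersion(times, cutoff);
    if (v) overrides[name] = v;
  }
  return overrides;
}

console.log(JSON.stringify({ overrides: pinOverrides({ "example-pkg": SAMPLE_TIMES }) }, null, 2));
```

Treat the date cutoff as containment, not proof of cleanliness: a version published before November 21 is only as trustworthy as the maintainer account was on that day, and a later version may already be the fixed one. After pinning, install with npm ci so the lockfile, not the registry's latest tag, decides what lands on disk.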
Machine-Readable IOCs
```json
{
  "campaign": "React2Shell + Shai-Hulud December 2025",
  "cves": ["CVE-2025-55182"],
  "c2_ips": [
    "193.34.213.150", "154.89.152.240", "107.174.123.91",
    "38.165.44.205", "45.76.155.14", "216.238.68.169",
    "78.153.140.16", "80.64.16.241", "2.56.176.35"
  ],
  "c2_domains": [
    "gfxnick.emerald.usbx.me", "api.qtss.cc",
    "conclusion-ideas-cover-customise.trycloudflare.com",
    "proxy1.ip2worlds.vip", "ezc5510min.temp.swtest.ru",
    "shopsleta.ru"
  ],
  "malware_families": [
    "VShell", "EtherRAT", "SNOWLIGHT", "ShadowPAD",
    "KSwapDoor", "Auto-color", "Cobalt Strike", "Sliver",
    "KINSING", "Webrat", "Shai-Hulud"
  ],
  "webrat_hashes_md5": [
    "28a741e9fcd57bd607255d3a4690c82f",
    "a13c3d863e8e2bd7596bac5d41581f6a",
    "61b1fc6ab327e6d3ff5fd3e82b430315"
  ],
  "threat_actors": [
    "Earth Lamia", "Jackpot Panda", "UNC6595",
    "Scattered Spider", "NoName057(16)"
  ],
  "stix_feed": "https://analytics.dugganusa.com/api/v1/stix-feed"
}
```
CISA deadline is today. The attackers have been active for three weeks. Patch now.
*Analysis compiled December 29, 2025 by DugganUSA Threat Intelligence*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]