DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

ClawHavoc: The AI Agent Supply Chain Attack You Need to Know About

Patrick Duggan
Feb 13
3 min read

# ClawHavoc: The AI Agent Supply Chain Attack You Need to Know About

**Published:** February 14, 2026

The Attack

Between January 27-29, 2026, threat actors uploaded **341 malicious skills** to ClawHub, the community marketplace for OpenClaw AI agents.

**9,000+ installations compromised in 72 hours.**

The payload? **AMOS (Atomic Stealer)** - an information-stealing malware targeting macOS and Windows that harvests:

- Crypto wallet private keys

- Browser passwords

- SSH credentials

- API keys

- Session tokens

The attack vector is elegant and terrifying: users install what looks like a legitimate skill - maybe `solana-wallet-tracker` or `youtube-summarize-pro`. The skill's documentation looks professional. But there's a "Prerequisites" section that instructs users to run a terminal command to "fix the environment."

That command installs AMOS.

The Infrastructure

**C2 Server:** `91.92.242.30`

| Detail | Value |

|--------|-------|

| ASN | AS202412 |

| Provider | Omegatech LTD |

| Registration | Seychelles (bulletproof hosting) |

| VirusTotal | 22/93 malicious |

| Spamhaus | DROP listed (SBL686267) |

The parent network `91.92.240.0/22` is **already in our STIX feed** via Spamhaus DROP integration.

The Threat Actors

| Account | Created | Activity |

|---------|---------|----------|

| `hightower6eu` | Jan 20, 2026 | **354 malicious packages** (repos now deleted) |

| `davidsmorais` | Oct 2016 | Compromised legit account - mixed clean/malicious uploads |

Koi Security identified 14 accounts contributing malicious content. The pattern suggests both fresh throwaway accounts AND compromised legitimate accounts from years ago.

CVE-2026-25253: The 1-Click RCE

Even if you avoided ClawHub entirely, OpenClaw had a critical vulnerability:

**CVE-2026-25253** - Incorrect Resource Transfer Between Spheres

- **CVSS:** 8.8 (High)

- **Exposed instances:** 17,500+

- **Attack:** Malicious link with `?gatewayUrl=attacker.com/ws` forces token exfiltration

- **Impact:** Full RCE on victim's machine

The vulnerability exploits a logic flaw where OpenClaw accepts a gateway URL via query string and establishes a WebSocket connection WITHOUT user confirmation, transmitting authentication credentials.

**Even localhost users are vulnerable** - the attack uses the victim's browser to pivot into the local network.

Patched in v2026.1.29 (February 3, 2026).

What We're Blocking Right Now

Our STIX feed currently contains **1,251 indicators** from the last 24 hours:

| Malware Family | Active C2s | Threat Type |

|----------------|-----------|-------------|

| Cobalt Strike | 29 | Post-exploitation framework |

| Meterpreter | 2 | Remote access |

| Latrodectus | 1 | Loader malware |

| BianLian | 1 | Ransomware |

| Adaptix C2 | Active | Command & control |

| VShell | Active | Backdoor |

| LokiPWS | Active | Password stealer |

Plus:

- **Spamhaus DROP/EDROP** - Hijacked networks (including the ClawHavoc ASN)

- **ThreatFox** - Certificate anomaly detection

- **OTX Integration** - Community pulses

- **Zero-abuse "ghosts"** - Threats we catch that nobody else sees

The Bigger Picture

This week's threat landscape:

| Threat | Status | Our Coverage |

|--------|--------|--------------|

| ClawHavoc (AI Agents) | Active | ASN blocked via Spamhaus |

| Notepad++ Supply Chain | Active | 29 Cobalt Strike C2s |

| Microsoft 6 Zero-Days | Patch Tuesday | Ransomware IOCs |

| CVE-2026-25253 (OpenClaw) | Patched | Infrastructure blocked |

| Ivanti EPMM RCE | Active | IOCs indexed |

The theme is clear: **supply chain attacks are the #1 vector in 2026.**

Your text editor might be compromised (Notepad++). Your AI agent plugins might be compromised (OpenClaw). Your CI/CD dependencies might be compromised (the npm/PyPI attacks continue).

Get On The Feed

**STIX 2.1 Feed (Free):**

**Parameters:**

- `?days=7` - Last 7 days

- `?days=30` - Last 30 days

- `?malware=cobalt_strike` - Filter by family

**Who's Already Using It:**

- Microsoft

- AT&T

- Google

- Lumen

**What You Get:**

- 1,000+ indicators daily

- Cobalt Strike, Meterpreter, AMOS, Latrodectus coverage

- Spamhaus DROP/EDROP (bulletproof hosting networks)

- ThreatFox certificate anomalies

- MITRE ATT&CK mapping

Recommendations

1. **If you use OpenClaw:** Update to v2026.1.29+ immediately. Rotate all tokens. Audit installed skills.

2. **If you use Notepad++:** Check for compromise indicators. Our Cobalt Strike C2 list covers the payload infrastructure.

3. **If you run AI agents:** Treat skills/plugins like npm packages - verify publishers, check for typosquatting, sandbox execution.

4. **For everyone:** Get on the feed. Block the beacons.

Sources

- [The Hacker News: 341 Malicious ClawHub Skills](https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html)

- [VirusTotal Blog: OpenClaw Weaponization](https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html)

- [SOCRadar: CVE-2026-25253](https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/)

- [Snyk: SKILL.md to Shell Access](https://snyk.io/articles/skill-md-shell-access/)

- [Bitdefender: OpenClaw Enterprise Exploitation](https://businessinsights.bitdefender.com/technical-advisory-openclaw-exploitation-enterprise-networks)

- [Koi Security: ClawHavoc Analysis](https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting)

*The AI agent era has its first major supply chain attack. 9,000 compromised in 72 hours. The infrastructure is in our feed. Block it.*

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*