
Follow the Followers: Unraveling GitHub's Shadow Social Graph

  • Writer: Patrick Duggan
  • Nov 25, 2025
  • 4 min read

*How recursive network analysis exposed a coordinated follow-farm connected to supply chain attacks*


Soundtrack


This one is so awesome we got two songs out of it:



The Question That Started Everything


"You realize the followers are in on it, right?"


That simple observation changed everything. We had just finished investigating Pattern 38 - the GitHub supply chain attack that used sleeper accounts to distribute Stealc/Rhadamanthys malware through issue comments. Four accounts had been suspended (FireSuper, rampubg14-cmyk, anuxagfr, winchmrsmilegodsgf). We traced the C2 infrastructure to Contabo. We published the STIX bundle. Case closed, right?


Wrong.


The followers of those malicious accounts weren't innocent bystanders. They were the supporting infrastructure.




The Power of Recursion


We built a spider. Not just any spider - a recursive network analyzer that follows the follows. Starting from any seed account, it traverses the GitHub social graph, flagging accounts that exceed human-possible engagement thresholds:



• Following > 5,000 accounts: Nobody meaningfully engages with 5,000+ developers

• Repos > 500: Usually indicates automated forking (Pattern 39)

• Mechanical timing: 2-15 second intervals between actions (Pattern 41)


The algorithm is simple:

```
1. Check if account exceeds thresholds
2. If suspicious, get their followers AND who they follow
3. Recurse to depth N
4. Build network graph of connected suspicious accounts
```




What We Found


Tier 1: The Seeds (Known Pattern 38 Connected)


| Account | Following | Followers | Repos | Pattern |
|---------|-----------|-----------|-------|---------|
| standardgalactic | 911,935 | 16,038 | 22,313 | Fork Farm (Pattern 39) |
| dirambora | 63,468 | 5,059 | 31 | Follow Farm |
| andrecrafts | 11,959 | 347 | 24 | Follow Farm |
| barrylustig | 16 | 4 | 827 | Saturation Bot (Pattern 41) |


Let's talk about standardgalactic for a moment. This account follows 911,935 other accounts. That's not a typo. Nearly a million follows. All 22,313 of their repos are forks. This isn't a developer - it's a pollution engine.


barrylustig is different but equally damning. Only 16 following, 4 followers - looks innocent. But 827 repos with 98.97% mechanical timing (our Pattern 41 detection). Every action is 2-15 seconds apart. That's not a human typing - that's a script executing.


Tier 2: The Network (Spider Discovered)


Starting from these seeds, the recursive spider found more:


| Account | Metric | Discovery Path |
|---------|--------|----------------|
| esin | 190,939 following | andrecrafts -> |
| chrisj21 | 32,108 following | barrylustig -> |
| fengjixuchui | 8,124 following | andrecrafts -> |
| chennqqi | 1,720 repos | andrecrafts -> |
| cephurs | 1,380 repos | andrecrafts -> |
| sbusso | 987 repos | andrecrafts -> |


Notice the pattern. andrecrafts is a hub - its follower network leads to multiple other suspicious accounts. That's not coincidence. That's coordination.




The Connection to Pattern 38


Here's where it gets interesting. We didn't start this investigation randomly. We started by analyzing the followers of the *suspended* malware distribution accounts. The trail led us here.



```
Pattern 38 Malware Accounts (Suspended)
         |
         | followers
         v
    Lazarus-glhf (APT-themed)
         |
         | following
         v
    standardgalactic (911K following)
         |
         | network analysis
         v
    Follow-Farm Network (10+ accounts)
```

The malware distributors didn't operate in isolation. They had a social infrastructure - accounts that followed them to make them appear legitimate, accounts that inflated engagement metrics, accounts that provided the "social proof" that GitHub's recommendation algorithms reward.




Why This Matters


1. GitHub's Social Graph is Weaponized



• Search result rankings

• "Suggested developers" recommendations

• Perceived legitimacy of accounts and repos

• Trust signals when reviewing issue comments


A follow-farm network can artificially inflate these signals for malicious accounts, making them appear trustworthy before activation.


2. Pattern Stacking is Real



• Pattern 38: Sleeper accounts for malware distribution

• Pattern 39: Fork farms to pollute search results

• Pattern 41: Saturation bots to establish history


These aren't isolated tactics. They work together. The follow-farm provides social proof. The fork-farm pollutes search. The saturation bot creates activity history. When the sleeper activates and posts malware, it has all the signals of a "legitimate" account.


3. Detection Requires Network Analysis



• Who follows the malicious accounts?

• Who do those followers follow?

• What's the overlap between suspicious networks?


Our recursive spider caught accounts that individual heuristics would miss. dirambora looks suspicious on its own (63K following), but the connection to standardgalactic (911K following) confirms coordination.




The Methodology


We're publishing our detection scripts:



• Recursive depth-first traversal of GitHub social graph

• Configurable thresholds for following/repo counts

• Automatic cycle detection (avoid infinite loops)

• Rate limiting to respect GitHub's API limits

• JSON output with full network topology


Thresholds:

```javascript
const SUSPICIOUS_THRESHOLDS = {
  following: 5000,   // No human engages with 5K+ accounts
  followRatio: 50,   // Following/Followers > 50 = follow bot
  repoCount: 500,    // 500+ repos usually means fork farm
  forkRatio: 0.95    // 95%+ forks = definitely fork farm
};
```
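The four-step algorithm from "The Power of Recursion" and these thresholds, combined into one runnable spider as an added example (this is not the post's spider-follow-network.js): a depth-first traversal with a visited set for cycle detection and a depth bound, run over a constructed in-memory follow graph. All account names and metrics are made up; a real run would replace `lookup`, `FOLLOWING` and `FOLLOWERS` with rate-limited GitHub API calls.

```javascript
// Added example (not the post's spider-follow-network.js): the recursive spider run
// over a constructed in-memory follow graph. All names and metrics are made up.
const SUSPICIOUS_THRESHOLDS = {
  following: 5000,   // No human engages with 5K+ accounts
  followRatio: 50,   // Following/Followers > 50 = follow bot
  repoCount: 500,    // 500+ repos usually means fork farm
  forkRatio: 0.95,   // 95%+ forks = definitely fork farm
};

// Constructed profiles and edges standing in for GitHub API responses.
const PROFILES = {
  seed:   { following: 12000, followers: 300,  repos: 20,  forks: 5 },
  hubA:   { following: 60000, followers: 5000, repos: 30,  forks: 2 },
  forker: { following: 10,    followers: 4,    repos: 900, forks: 890 },
  human:  { following: 120,   followers: 80,   repos: 15,  forks: 3 },
  human2: { following: 40,    followers: 10,   repos: 5,   forks: 0 },
};
const FOLLOWING = { seed: ['hubA', 'human'], hubA: ['forker'], forker: ['human2'], human: [], human2: [] };
const FOLLOWERS = { seed: ['hubA'], hubA: ['seed'], forker: ['hubA'], human: ['seed'], human2: ['forker'] };

// Step 1: which thresholds does this account exceed? Empty array = not suspicious.
function flags(p, t = SUSPICIOUS_THRESHOLDS) {
  const reasons = [];
  if (p.following > t.following) reasons.push('following');
  if (p.following / Math.max(p.followers, 1) > t.followRatio) reasons.push('followRatio');
  if (p.repos > t.repoCount) reasons.push('repoCount');
  if (p.repos > 0 && p.forks / p.repos >= t.forkRatio) reasons.push('forkRatio');
  return reasons;
}

// Steps 2-4: depth-first traversal; only suspicious accounts are expanded
// (followers AND following), the visited set breaks cycles, maxDepth bounds it.
function spider(seedName, maxDepth, lookup = name => PROFILES[name]) {
  const visited = new Set();
  const nodes = {};
  const edges = new Set();               // "a->b" strings, deduplicated
  function visit(name, depth, path) {
    if (visited.has(name)) return;       // cycle / already seen
    visited.add(name);
    const reasons = flags(lookup(name));
    nodes[name] = { depth, reasons, path };
    if (reasons.length === 0 || depth >= maxDepth) return;
    for (const next of [...(FOLLOWERS[name] || []), ...(FOLLOWING[name] || [])]) {
      edges.add(`${name}->${next}`);
      visit(next, depth + 1, [...path, name]);
    }
  }
  visit(seedName, 0, []);
  return { nodes, edges: [...edges] };   // full network topology, JSON-serializable
}
```

Calling `spider('seed', 2)` reaches `hubA` (over-threshold following) and, through it, `forker` (repo count and fork ratio), records `human` as a non-suspicious leaf that is not expanded, and never reaches `human2` because it lies beyond the depth limit.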




IOCs for Threat Intel Teams


All indicators have been added to our STIX feed: `analytics.dugganusa.com/api/v1/stix-feed`



• standardgalactic (911K following, 22K forks)

• dirambora (63K following)

• andrecrafts (12K following)

• barrylustig (827 repos, mechanical timing)



• esin (190K following)

• chrisj21 (32K following)

• fengjixuchui (8K following)

• chennqqi (1.7K repos)

• cephurs (1.4K repos)

• sbusso (987 repos)



• Pattern 39: Fork Farms (MITRE T1583.001 analogy)

• Pattern 41: Repository Saturation Bots (MITRE T1585.001)

• Follow Farm: Mass following for social proof




What We Reported



• Network diagram showing account connections

• Evidence for each account (metrics, timestamps, patterns)

• Connection to previously suspended Pattern 38 accounts

• Recommended actions (investigate ToS violations, implement rate limits)


The four core accounts have been reported. The secondary network is documented. The STIX bundle is public.




Conclusion: Follow the Money, Follow the Followers


Traditional threat hunting focuses on malware hashes, C2 IPs, and attack patterns. But modern supply chain attacks rely on *social infrastructure* - the network of accounts that provide legitimacy before the attack.


When you find a malicious account, don't just block it. Ask: Who follows them? Who do they follow? What's the network topology?


In our case, that question led from 4 suspended accounts to a 10+ account follow-farm network, to patterns we hadn't documented before. The followers weren't bystanders - they were collaborators.


*Follow the followers. The infrastructure tells the story.*




STIX Feed: analytics.dugganusa.com/api/v1/stix-feed


Previous Post: Stealc/Rhadamanthys: Anatomy of a GitHub Supply Chain Infostealer


Detection Script: spider-follow-network.js




*DugganUSA LLC - Minnesota-based threat intelligence. We publish what we find.*

