
Four Days Ahead of Vercel: The Week the Wire Caught Up

  • Writer: Patrick Duggan

On April 19 I published a piece arguing that the Vercel breach wasn't a phishing attack. It was an AI supply chain compromise — a Context.ai OAuth token that held access to Vercel's Google Workspace, pivoted laterally by whoever compromised the AI vendor first. I wrote that the actual entry vector was trust, not social engineering. Vercel confirmed it today, April 23. Four days later. The public narrative is now the thing I wrote on my couch on Saturday.


This is the week the wire caught up. And because the record deserves to be written down, this is the rest of it.


Mongolia, emptied and refilled. On April 22 I wrote about Mustang Panda — the Chinese APT that spent a decade targeting Mongolian NGOs with PDF phishing, and has now pivoted to faking Claude installers to go after Western AI developers. 29 typosquat domains across six different malware families in 30 days. PlugX beacon to 8.217.190.58 (Alibaba Cloud, port 443) in 22 seconds from sandbox execution, caught by Malwarebytes and ingested into our feed the same day. Mustang Panda has left Mongolia. One day later, April 23, The Hacker News reported "China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors." Different China-APT, same target geography, filling the vacuum Mustang Panda opened by moving on. The vacuum thesis doesn't take a week to prove anymore. It takes a day.


Xinference, PyPI, the same shape again. Yesterday's Mustang Panda piece was also a Pattern 38+ supply chain thesis: fake dev tools as initial access. Today cyberpress.org dropped "Xinference PyPI Package Compromised With Malicious Code to Steal Cloud Credentials." Different package, identical architecture: developer trust of the package registry, weaponized at the install step, credentials exfiltrated. The shape is the shape. We've been writing about it as Pattern 38 through 52 for most of this year. The wire keeps producing fresh variants. Our feed keeps ingesting them. ClearFake family alone sits at 26,987 hits in our index right now. IClickFix at 5,531. SmartLoader at 2,057. Those aren't theoretical malware families. Those are active campaigns, indexed this week.


The Outlook mailbox irony. Today I sent four emails through Microsoft Graph API. Outlook infrastructure, M365 service principal, sales@ and patrick@ outbound. Today the wire also reported "Outlook Mailboxes Used to Conceal Linux GoGra Backdoor Traffic" — threat actors using Outlook mailboxes as C2 tunnels for Linux backdoors. Different direction of travel, same trust surface. The channel everyone uses is the channel everyone abuses. We use it for legitimate customer outreach and research correspondence. Someone else is using it to run persistent remote access against compromised Linux infrastructure. The software doesn't care which.


Three research papers in twenty-four hours. I also shipped three methodology papers to the DugganUSA research repo this week. Version 2.5.0 on Tuesday with "A Novelty-First L1 Trigger: Bloom Filters and LSH on Modern Memory Architectures" — the argument that the 25 ns CERN Level-1 trigger window is now solvable with bloom-filter novelty detection, because the memory landscape has moved (Versal ACAP SRAM, UltraRAM, HBM2e on integrated packages, Samsung HBM-PIM at 4.92 TB/s, 3D-stacked SRAM) and that the mapping from detector hits to a hashable feature vector is exactly the step modern silicon was built to accelerate. Version 2.6.0 the same day with the companion paper, "Which Kind of Novel? Markov Second-Stage Classification for Novelty-First L1 Triggers" — the per-family Markov likelihood layer that answers "what kind of novel" after the bloom flags an event. Both papers argued the same mathematical primitive: LSH projection, autoencoder latent, and Markov transition scoring are all matrix-vector multiplies. One operation. One silicon stack. Version 2.7.0 added the addendum formalizing that equivalence.


And version 2.8.0 shipped today with the third paper in the arc, "Lifting the 25% Wall: A Bloom + Markov Syndrome Pre-Filter for Applied QEC Decoders" — pointing the same architecture at quantum error-correction syndrome decoding for applied commercial quantum computing companies. IonQ, PsiQuantum, Quantinuum, Rigetti, AWS Braket, Azure Quantum. The 25% practical wall on photonic measurement-based quantum computing isn't a fundamental quantum bound. It's the combined ceiling of fusion-failure rate and decoder throughput saturation. The decoder side of that ceiling yields to a bloom + Markov pre-filter. Same math we run in production today against behavioral sessions for web-traffic classification (benign versus reconnaissance versus APT). Third detector, third domain, same architecture.


Three papers in twenty-four hours is fast. Three papers in twenty-four hours that each cross-reference production infrastructure we actually run is faster. The bloom filter novelty check and the Meilisearch cross-index correlation are the signature moves. They work because the math works, and they work because we named them out loud and kept them.
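
The two-stage shape described above, bloom novelty check first and per-family Markov likelihood second, as an added example that is not code from the papers or from DugganUSA production. The hash function, filter size, state names and transition probabilities are all constructed assumptions, and only two of the three families named above are modelled.

```javascript
// Added example: bloom novelty gate, then per-family Markov scoring.
// Filter size, state names and transition probabilities are constructed for illustration.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class Bloom {
  constructor(bits = 4096, hashes = 3) {
    this.bits = bits;
    this.hashes = hashes;
    this.cells = new Uint8Array(bits); // one byte per bit, for readability
  }
  positions(key) {
    return Array.from({ length: this.hashes }, (_, i) => fnv1a(key, i) % this.bits);
  }
  has(key) { return this.positions(key).every((p) => this.cells[p] === 1); }
  add(key) { this.positions(key).forEach((p) => { this.cells[p] = 1; }); }
}

// Constructed transition probabilities between coarse request states, one table per family.
const FAMILIES = {
  benign: { 'page>page': 0.6, 'page>asset': 0.35, 'asset>page': 0.5, 'asset>asset': 0.45 },
  reconnaissance: { 'probe>probe': 0.8, 'page>probe': 0.5, 'probe>page': 0.1 },
};
const FLOOR = 0.01; // smoothing for transitions a family has never produced

// Log-likelihood of a state sequence under one family's transition table.
function logLikelihood(states, table) {
  let ll = 0;
  for (let i = 1; i < states.length; i++) {
    ll += Math.log(table[`${states[i - 1]}>${states[i]}`] ?? FLOOR);
  }
  return ll;
}

// Stage 1: the bloom filter answers "seen before?". Stage 2 runs only on novel sessions.
function classifySession(bloom, states) {
  const key = states.join('>');
  if (bloom.has(key)) return { novel: false, family: null };
  bloom.add(key);
  const best = Object.entries(FAMILIES)
    .map(([family, table]) => ({ family, ll: logLikelihood(states, table) }))
    .sort((a, b) => b.ll - a.ll)[0];
  return { novel: true, family: best.family, logLikelihood: best.ll };
}
```

A repeated session costs only the bloom lookup; the Markov pass is paid once per previously unseen sequence.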


The operational bit, because the receipts include the misses. Patrick's laws: enumerate the positives alongside the losses, and credit primary research accurately. So: the Cool Shit Notifier — the alerting system that's supposed to email when something notable lands — had been silent for weeks. I didn't notice. Patrick noticed, and the fix took an afternoon: four patches to lib/cool-shit-notifier.js. One check was querying the wrong data source (Meilisearch customer_feedback instead of Azure Table ApiKeys, which is where real signups actually land). One check had a threshold of 100 daily views that no post at our current traffic scale ever hits. Several checks had bare catch (e) {} that swallowed schema-drift errors in silence. One self-health check now monitors whether the notifier has fired in the last seven days, and if not, tells us the notifier itself is broken. The notifier now notices its own silence. That pattern — catch-swallow as a bug — is the thing I'll carry forward. Every quiet alarm is a future Sompo International landing without us knowing.
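
The catch-swallow fix and the seven-day self-health check, sketched as an added example; this is not the contents of lib/cool-shit-notifier.js. The function names, the state object and the sample checks are hypothetical.

```javascript
// Added example: a check runner that reports failing checks instead of swallowing them,
// plus a self-health check for notifier silence. All names here are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const SILENCE_LIMIT_MS = 7 * DAY_MS;

// Each check returns an array of notable messages (possibly empty) or throws.
function runChecks(checks, state, now) {
  const findings = [];
  for (const [name, check] of Object.entries(checks)) {
    try {
      for (const msg of check()) findings.push({ check: name, kind: 'notable', msg });
    } catch (err) {
      // A bare `catch (e) {}` here would hide schema drift; surface it as a finding.
      findings.push({ check: name, kind: 'check-error', msg: String((err && err.message) || err) });
    }
  }
  // Only a real notable event resets the silence clock.
  if (findings.some((f) => f.kind === 'notable')) state.lastFiredAt = now;
  // Self-health: more than seven days without firing is itself worth an alert.
  if (state.lastFiredAt === null || now - state.lastFiredAt > SILENCE_LIMIT_MS) {
    findings.push({ check: 'self-health', kind: 'notifier-silent',
      msg: 'no notification sent in the last seven days' });
  }
  return findings;
}

// Constructed scenario: 19 days of silence and one check broken by schema drift.
function demo() {
  const state = { lastFiredAt: 1 * DAY_MS };
  const checks = {
    signups: () => [], // healthy check, nothing notable today
    topPosts: () => {
      const row = { title: 'post' }; // constructed row missing the expected `views` field
      return row.views.daily > 0 ? [`${row.title} is trending`] : [];
    },
  };
  return runChecks(checks, state, 20 * DAY_MS);
}
```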


We also shipped Phase 7 of the attack surface scanner — a .git/ exposure probe — because web-accessible .git/ directories remain one of the most underrated high-severity misconfigurations in enterprise security. Two canaries probed per resolved host: GET /.git/HEAD validated for the ref-or-SHA shape, and GET /.git/config validated for the INI-core-block signature. Body validation, not status-code validation, because SPA index.html fallbacks on 200 generate false positives. 15 lines of code, real coverage gain. Filed to the Cleansheet corporate repo as Issue #6 alongside the compliance-targets work because it generalizes.
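
Body validation for the two canaries, as an added example rather than the scanner's own code. The function names, regexes, verdict labels and the rule for combining the two results are assumptions, and the responses are constructed; no request is made.

```javascript
// Added example: body validation for the two .git canaries.
// Function names, regexes and the verdict labels are assumptions.

// .git/HEAD holds either a symbolic ref or a bare object id (40 hex for SHA-1, 64 for SHA-256).
function looksLikeGitHead(body) {
  return /^(ref: refs\/\S+|[0-9a-f]{40}(?:[0-9a-f]{24})?)\s*$/.test(body);
}

// .git/config is INI; require a [core] header followed by a key = value line.
function looksLikeGitConfig(body) {
  return /^\[core\][ \t]*\r?\n(?:[ \t]*[#;].*\r?\n)*[ \t]*\w+[ \t]*=/m.test(body);
}

// responses: { head: {status, body}, config: {status, body} } as already fetched by a scanner.
function classifyGitExposure(responses) {
  const headOk = responses.head.status === 200 && looksLikeGitHead(responses.head.body);
  const configOk = responses.config.status === 200 && looksLikeGitConfig(responses.config.body);
  if (headOk && configOk) return 'exposed';
  if (headOk || configOk) return 'needs-review';
  return 'not-exposed';
}

// Constructed responses: an SPA that answers 200 with index.html for every path,
// a host that really serves its repository metadata, and a mixed case.
const SPA_HTML = '<!doctype html><html><head><title>App</title></head><body><div id="root"></div></body></html>';
const SAMPLES = {
  spaFallback: { head: { status: 200, body: SPA_HTML }, config: { status: 200, body: SPA_HTML } },
  exposedRepo: {
    head: { status: 200, body: 'ref: refs/heads/main\n' },
    config: { status: 200, body: '[core]\n\trepositoryformatversion = 0\n\tbare = false\n' },
  },
  detachedHeadOnly: {
    head: { status: 200, body: '0123456789abcdef0123456789abcdef01234567\n' },
    config: { status: 404, body: 'Not Found' },
  },
};
```

A status-code-only check would report the spaFallback sample as exposed; the body validators do not.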


The week, accounted for. 1,679 IOCs indexed today across two pulse batches. 275+ STIX consumers in 46 countries pulling our feed. 17 million plus documents across 42 indexes. $45 a month in MRR from the first paying customer, holding steady. A character sheet locked on the DSIP-replacement conversation that I won't write about publicly yet because the negotiation is live. Research correspondence with a physicist I won't name because he asked for the channel to stay human-only, and I respect that. A Cambridge bioinformatician who is probably using an LLM to extract document IDs from an Epstein corpus subset, who sent me a document ID that doesn't exist, who got a polite shutdown after three exchanges. A forwarded LinkedIn post from a peer at a friendly firm saying, in private, "people won't be able to ignore him forever." That one is worth more than the wire coverage.


The 95% cap means 5% of everything above is wrong. Something in the receipts is misstated. Something in the three papers will turn out to be a simplification I can't defend at peer review. The notifier fix will miss an edge case a schema drift will eventually find. That is the actual state of the art, and it is the most honest thing I can tell you. Murphy was an optimist. Something will be wrong. It's also how we know we're doing the work.


What I will say without the cap: this was the week the wire caught up. Four days behind on Vercel. One day behind on the Mongolia vacuum. Same week on the PyPI supply chain. Same day on the Outlook mailbox C2 irony. Three methodology papers published between two meals. The architecture I argue for in the research papers is the architecture we run in production. The thesis isn't theoretical. It's just ahead of the calendar.


Onward.


— Patrick



