Friday Sweep: EU Commission Breached, Kash Patel Confirmed, LangChain Leaking Secrets, and We Scanned Europa.eu in 235 Seconds
- Patrick Duggan
- Mar 27
- 4 min read
Updated: Apr 25
March 27, 2026 — DugganUSA
Four stories broke today. All of them matter. Here's what happened, what we found, and what to do about it.
## 1. Kash Patel Breach: Confirmed
The DOJ confirmed that Iran-linked Handala breached FBI Director Kash Patel's personal Gmail account. This is no longer a claim. CNN, CNBC, CBS, NBC, TechCrunch, Axios, Al Jazeera — everyone has it.
What was stolen: 300+ emails spanning 2010-2019. Personal, business, and travel correspondence. Photos published online.
The FBI is offering $10 million for information leading to identification of the Handala Hack Team. We submitted our infrastructure intelligence package to the Rewards for Justice program today. We mapped Handala's post-seizure infrastructure this week — three replacement domains across three hosting providers, mail server IPs derived from DNS that no other threat feed has published, the Telegram C2 bot token, and the ASN relationships connecting Iranian MOIS operations to Russian DDoS protection infrastructure.
The FBI seized Handala's domains on March 20. Handala breached the FBI Director's email and published it on March 27. One week. That's the scoreboard.
Handala escalation in 16 days: Stryker (200K devices wiped, confirmed) then Tamir Pardo (ex-Mossad, 14GB claimed) then Lockheed Martin (passports confirmed matching LinkedIn) then the FBI Director (DOJ confirmed).
148 Handala IOCs in our STIX feed. Free at analytics.dugganusa.com/stix.
## 2. European Commission Breached — We Scanned Them in 235 Seconds
The European Commission confirmed a cyberattack on March 24 targeting their AWS cloud infrastructure hosting the Europa.eu platform. Data was stolen. Attribution pending. This is their second breach in six weeks — staff mobile devices were compromised in February.
Context: On March 16, the EU Council sanctioned Integrity Technology Group, a Chinese company, for providing products used to compromise devices in EU member states. Eight days later, the Commission itself was breached.
We ran our attack surface scanner against europa.eu. 235 seconds. No authentication required.
What we found:
- 1,482 subdomains in certificate transparency records
- 542 unique IPs resolved
- 390 hosts with open ports
- 206 known CVEs across their infrastructure
- 4 CISA Known Exploited Vulnerabilities — actively exploited in the wild, on EU Commission infrastructure
- 2 hosts with RDP, SMB, Telnet, or database ports exposed to the internet
- 37 admin interfaces discoverable from public certificate records
- 39 VPN access points — the exact entry vector Handala and Pay2Key use
- Security tools (Vault, Bitwarden, Sentry, incident response) discoverable in public certs
- 198 dev/test/staging environments with public SSL certificates
Open SMB on the European Commission. In 2026. EternalBlue was 2017. NotPetya used SMB to wipe half of Ukraine's government. Sandworm — Russia's GRU cyber unit — wrote the playbook for SMB exploitation. Russia is part of the trilateral pact with China and Iran.
Everything we found is visible to any adversary with a DNS client and a Shodan query. If we found it in 235 seconds from Minnesota, the trilateral pact found it months ago.
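Added example, not code from the post or its scanner: given certificate-transparency style records for a domain you own, dedupe the hostnames and count the same categories the scan above reports (dev/test/staging, admin, VPN, security tooling), so you can see what is discoverable about your own estate from public certs. The records and the `example-gov.invalid` domain are constructed, and the category regexes are this example's assumptions.

```python
import re
from collections import Counter

# Constructed CT-style records (subject + SAN names) for an imaginary organisation.
CT_RECORDS = [
    {"subject": "www.example-gov.invalid", "sans": ["www.example-gov.invalid", "example-gov.invalid"]},
    {"subject": "vpn.example-gov.invalid", "sans": ["vpn.example-gov.invalid", "vpn2.example-gov.invalid"]},
    {"subject": "*.staging.example-gov.invalid", "sans": ["*.staging.example-gov.invalid"]},
    {"subject": "admin.portal.example-gov.invalid", "sans": ["admin.portal.example-gov.invalid", "portal.example-gov.invalid"]},
    {"subject": "vault.example-gov.invalid", "sans": ["vault.example-gov.invalid", "sentry.example-gov.invalid"]},
    {"subject": "dev-api.example-gov.invalid", "sans": ["dev-api.example-gov.invalid", "test.example-gov.invalid"]},
    {"subject": "www.example-gov.invalid", "sans": ["www.example-gov.invalid"]},  # renewed cert, same names
]

# Assumed category patterns, matched only against the labels left of the base
# domain so that a TLD or the organisation's own name never triggers a hit.
CATEGORIES = {
    "dev/test/staging": re.compile(r"(^|[.-])(dev|test|staging|uat|qa)([.-]|$)"),
    "admin": re.compile(r"(^|[.-])(admin|manage|console)([.-]|$)"),
    "vpn": re.compile(r"(^|[.-])(vpn\d*|sslvpn|remote)([.-]|$)"),
    "security-tooling": re.compile(r"(^|[.-])(vault|bitwarden|sentry)([.-]|$)"),
}

def unique_hostnames(records):
    """Flatten subject + SANs, lowercase, drop wildcard prefixes, dedupe across certs."""
    names = set()
    for rec in records:
        for name in [rec["subject"], *rec["sans"]]:
            name = name.lower().strip(".")
            names.add(name[2:] if name.startswith("*.") else name)
    return sorted(names)

def classify(hostname, base_domain):
    """Return the categories whose pattern matches the host-specific prefix."""
    if hostname == base_domain or not hostname.endswith("." + base_domain):
        return []
    prefix = hostname[: -len(base_domain) - 1]
    return [label for label, pat in CATEGORIES.items() if pat.search(prefix)]

def exposure_report(records, base_domain):
    """Count unique hosts and how many fall into each sensitive category."""
    hosts = unique_hostnames(records)
    counts, flagged = Counter(), {}
    for host in hosts:
        labels = classify(host, base_domain)
        if labels:
            flagged[host] = labels
            counts.update(labels)
    return {"unique_hosts": len(hosts), "counts": dict(counts), "flagged": flagged}
```

Feed it the subject and SAN names you pull from a CT log for your own domain; every flagged host is one a threat actor can find without touching your network.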
## 3. LangChain Is Leaking Your Secrets
Three critical vulnerabilities disclosed today in LangChain and LangGraph — the most widely used framework for building LLM applications:
- CVE-2026-34070: Path traversal in LangChain's prompt loader. Read any file on the system — Docker configs, .env files, SSH keys. CVSS 7.5.
- CVE-2025-67644: SQL injection in LangGraph's SQLite checkpoint. Run arbitrary SQL against your conversation database.
- CVE-2025-68664 (LangGrinch): Serialization injection exposing environment secrets. Disclosed in December 2025. Three months later, most deployments are still unpatched.
If your organization built AI applications on LangChain in the last two years — chatbots, RAG pipelines, agentic workflows — your filesystem data, API keys, and conversation histories may be exposed: every conversation your users had with your AI assistant, every secret in your .env file, every Docker configuration on the host.
We indexed all three CVEs into our IOC database today. We don't use LangChain — our AI integrations use Anthropic and OpenAI SDKs directly. But if you consume our STIX feed through a LangChain-based SOAR pipeline, check your versions.
Patches: langchain-core >= 1.2.22 and langgraph-checkpoint-sqlite >= 3.0.1.
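Added example, not code from the post or from the LangChain project: a small version gate that checks the two patch levels named above against what is installed in the current interpreter, or against versions you pass in from a lockfile. The pre-release handling is a simplified reading of PEP 440 (an assumption of this example) that is sufficient for the plain release numbers involved.

```python
import re
from importlib.metadata import PackageNotFoundError, version

# Minimum patched versions named in the post.
PATCHED = {
    "langchain-core": "1.2.22",
    "langgraph-checkpoint-sqlite": "3.0.1",
}

def parse_version(v):
    """Reduce a release string to (numeric tuple, final-release flag).
    Simplified PEP 440 (assumption): trailing zeros are insignificant and any
    suffix other than '.postN' (rc, dev, a/b) sorts below the final release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    suffix = m.group(2)
    is_final = suffix == "" or suffix.startswith(".post")
    return tuple(nums), int(is_final)

def is_patched(installed, minimum):
    return parse_version(installed) >= parse_version(minimum)

def installed_version(pkg):
    """Version from the current interpreter, or None if the package is absent."""
    try:
        return version(pkg)
    except PackageNotFoundError:
        return None

def audit(installed=None):
    """Map each package to 'ok', 'VULNERABLE' or 'not installed'.
    Pass a {package: version} dict (e.g. parsed from a lockfile) to audit
    something other than the running interpreter."""
    if installed is None:
        installed = {pkg: installed_version(pkg) for pkg in PATCHED}
    report = {}
    for pkg, minimum in PATCHED.items():
        cur = installed.get(pkg)
        if cur is None:
            report[pkg] = "not installed"
        elif is_patched(cur, minimum):
            report[pkg] = f"ok ({cur} >= {minimum})"
        else:
            report[pkg] = f"VULNERABLE ({cur} < {minimum})"
    return report

if __name__ == "__main__":
    for pkg, status in audit().items():
        print(f"{pkg}: {status}")
```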
## 4. BreachForums V5 Got Hacked
ShinyHunters leaked 339,800 accounts from BreachForums V5 — email addresses, usernames, and argon2 password hashes. Added to Have I Been Pwned today.
The cybercriminal marketplace where stolen data gets traded just had its own database stolen. ShinyHunters claims frustration with fake forum operators after the FBI's October 2025 seizure, and threatens to release private messages, IP addresses, and full backend backups.
When that IP dump drops, it maps the cybercriminal ecosystem. Cross-referenced against honeypot data, threat intelligence feeds, and IOC databases, it identifies the people behind the handles. We'll be watching.
## The Pattern
EU Commission. FBI Director. LangChain. BreachForums. Four different targets, four different actors, one Friday afternoon. This is the operating tempo in a formally aligned adversary environment.
Handala is the loud one. China is the quiet one (pre-positioned in critical infrastructure, sanctioned by the EU, possibly behind the Commission breach). Russia provides the doctrine and the hosting. And the entire AI development ecosystem is running on a framework with three unpatched critical vulnerabilities.
PreCog has been red for 48 hours. The infrastructure activation surge hasn't subsided. The scanning rotated from Chinese IPs to new source networks. The Spamhaus DROP list is still spiking at 7x daily average.
Defend accordingly.
Patrick Duggan is the founder of DugganUSA LLC. He scanned the European Commission's attack surface in 235 seconds, submitted a Rewards for Justice tip on Handala's infrastructure, and doesn't use LangChain. The STIX feed is free. PreCog is watching. It's Friday.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.