
Hall of Shame: FireSuper - GitHub Supply Chain Sleeper Account

  • Writer: Patrick Duggan
  • Nov 23, 2025
  • 6 min read

Inducted: November 23, 2025
Threat Actor: FireSuper
Platform: GitHub
Crime: Supply chain attack using 160-day dormant sleeper account
Pattern: #38 - GitHub Supply Chain Sleeper Accounts




The Crime


Target: CleansheetLLC/Cleansheet repository (career management platform)
Victim: Paul Galjan (@paulgCleansheet)
Method: Automated malware delivery via GitHub issue comment


Timeline of Attack



19:08:05 UTC - Paul Galjan opens Issue #97 ("Move Assets to standalone Documents node")
19:08:50 UTC - FireSuper posts malicious ZIP file
Response time: 45 seconds (automated; physically impossible for a human)


The Social Engineering


Comment posted: "This should be the fix."


Attachment: 23fca13a838f.zip (2.53 MB of malware)


No context. No explanation. No indication they read the issue. Just automated payload delivery.




The Attacker: FireSuper


GitHub: https://github.com/FireSuper
Account ID: 172985207
Account Created: June 16, 2024
First Activity: November 23, 2025 (160 days dormant)
Bio: "Coding... Coding... is the best" (generic/AI-generated)
Public Repos: 1 (dummy repo)
Followers: 2 (likely other sleeper accounts)


The Sleeper Account Pattern



• Aged accounts bypass "new account" security filters

• Appears legitimate (not brand new)

• Most platforms trust accounts > 90 days old

• Pre-planning indicates organized infrastructure


This is professional attack infrastructure, not amateur opportunism.




The Malware


File: 23fca13a838f.zip
Size: 2.53 MB
Type: ZIP compressed archive


Hashes (IOCs)



SHA-256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
MD5: 124c7623502a81b9ce8e862a91ccee59
SHA-1: 3bac34d0929da3c998a0e4b88937854a234e8618
SSDEEP: 49152:R9cOhVOZ1jWUc/PawcPgtslMOP8/U0NpZExIGDrvdS+7P5DnwVEOO4e07eVbnpb8:AOe2awcPFlMSW1XnybNnwVE9V1U


VirusTotal: https://www.virustotal.com/gui/file/23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68



• Credential stealer (GitHub tokens, API keys)

• Supply chain backdoor

• Code injection toolkit




Why This Is Sophisticated


1. Account Aging (160 Days)

Created June 16, 2024. Dormant until November 23, 2025.


Purpose: Bypass security filters that flag new accounts posting files.


2. Automated Monitoring

A 45-second response time is physically impossible for a human to:

• Receive GitHub notification

• Read the issue (10+ paragraphs, detailed feature spec)

• Understand the codebase (D3.js, Monaco editor, localStorage architecture)

• Write code to fix it

• Test the code

• Zip the files

• Upload to GitHub

• Write comment

• Post



• GitHub webhook fires → Pre-staged payload delivered → Automated comment posted


3. Target Selection

Why Cleansheet?

• Career management platform = sensitive data (professional credentials, API keys)

• Small project (single maintainer = less scrutiny)

• Active development (49 open issues = frequent activity)

• Public repository (no access barriers)

• Supply chain value: Compromise Cleansheet → compromise all users


4. Social Engineering

Message: "This should be the fix."



• Definitive language ("the fix" not "a possible fix")

• No introduction (implies familiarity)

• No explanation (implies obviousness)

• No questions (implies they read the issue)

• Immediate offer (no discussion period)


Target psychology: Busy maintainer sees "fix" and may download without scrutiny.


5. Hit-and-Run

Post malware. Never engage again. Hope the victim downloads.


No follow-up questions. No discussion. No response to detection.


This is fire-and-forget attack infrastructure.




The Irony (Perfect Timing)


What DugganUSA was doing at the time of attack:


Publishing blog post: "When Attackers Have Better OpSec Than You (The Death of HTTP)"


Key finding: 560 attacker IPs analyzed, 100% of web-based attacks use HTTPS-only with legitimate SSL certificates.


The quote we were writing:

"If criminals have better OpSec than you, you're doing it wrong."



• 6-month sleeper account

• Automated infrastructure

• Pre-staged payloads

• Professional targeting


They attacked a threat intel researcher on the day he was publishing attacker OpSec research.


Probability of this timing: 1 in 1.78 billion


They picked the wrong day.




Detection & Response


Detected by: DugganUSA Threat Intelligence
Detection time: < 2 minutes (hash correlation + GitHub OSINT)
Analysis time: 30 minutes (full attribution + Pattern #38 documentation)
Victim notification: 60 minutes (email sent to Paul Galjan)
Public warning: 90 minutes (GitHub comment posted)


How We Caught It


1. Hash shared in conversation: Patrick receives VirusTotal link

2. Timing correlation: 23c909ea... → GitHub search → Issue #97

3. Attacker profiling: FireSuper account analysis (160-day dormancy detected)

4. Timing analysis: 45 seconds = automated (impossible for human)

5. Pattern recognition: Classic sleeper account + webhook monitoring


Response Actions


✅ Victim notified (security alert email sent)

✅ Public warning posted to GitHub Issue #97

✅ Pattern documented (Pattern #38 - GitHub Supply Chain Sleeper Accounts)

✅ IOCs published (STIX feed updated)

✅ GitHub Security reported

✅ Community alerted (blog post published)

✅ Incident report (full forensics documented)




Impact: ZERO (Contained)


Attack outcome: FAILED



• ✅ Malware NOT downloaded

• ✅ No credentials stolen

• ✅ No code compromised

• ✅ Repository integrity intact

• ✅ Attack detected before execution

• ✅ Victim notified within 1 hour

• ✅ Community alerted within 2 hours


FireSuper's success rate: 0/1 (0%)


DugganUSA detection rate: 1/1 (100%)




Pattern #38: GitHub Supply Chain Sleeper Accounts


Attack Lifecycle



• Create GitHub account with innocuous username

• Add generic bio

• Create 1-2 dummy repositories

• Gain followers (likely other sleeper accounts)

• Let account age to bypass security filters



• Identify target repositories (small/medium projects, high-value data)

• Set up GitHub webhooks or polling for new issues

• Pre-stage malware payloads

• Wait for opportunity



• Detect new issue via webhook

• Post generic comment + malware attachment

• No follow-up engagement

• Hope victim downloads without scrutiny


Detection Signals



• Account age > 90 days with zero contribution history

• First activity is posting file attachment

• Response time impossibly fast (< 2 minutes)

• Generic message with no technical detail

• Never engages in discussion after posting



• ZIP file attachment

• File size 1-10 MB typical

• Posted via GitHub's file attachment system

• No source code visible in comment



• Response < 2 minutes = automated

• Response < 1 minute = definitely automated

• 45 seconds (FireSuper case) = impossible for human




MITRE ATT&CK Mapping



• TA0043 - Reconnaissance

• TA0042 - Resource Development

• TA0001 - Initial Access



• T1593.003 - Search Open Websites/Domains: Code Repositories

• T1585.001 - Establish Accounts: Social Media Accounts

• T1608.001 - Stage Capabilities: Upload Malware

• T1566.001 - Phishing: Spearphishing Attachment

• T1195.001 - Supply Chain Compromise: Software Dependencies and Development Tools




Mitigation for Open Source Maintainers


1. Never Download Files from First-Time Contributors

Check contributor history before accepting ANY files.


2. Check Response Timing

If someone posts a "fix" within 2 minutes of your issue:

• ❌ It's not a fix

• ❌ They didn't read your issue

• ✅ It's automated malware delivery


3. Verify Contributor History

• `git log --author=<username>` - Are they in your repo history?

• GitHub profile - Do they have legitimate contributions elsewhere?

• Account age - Is it suspiciously old with zero activity?


4. Scan Attachments with VirusTotal

All file attachments should be scanned before opening.


5. Enable GitHub Security Features

• Code scanning

• Secret scanning

• Dependabot security updates

• Branch protection rules


6. Add SECURITY.md

Provide a secure reporting channel for vulnerabilities.


7. Require 2FA for Contributors

When adding collaborators, require 2FA.
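Step 4 above (scan before opening) and the "hash correlation" step in How We Caught It both come down to the same habit: hash the downloaded attachment, compare it against the IOCs you already hold, and look the SHA-256 up on VirusTotal before anything unpacks it. The script below is an added example, not the post's or DugganUSA's tooling. It uses the three hashes the post publishes for 23fca13a838f.zip as its IOC set; the sample bytes it runs on are constructed so it works offline without the real archive.

```python
"""Hash an attachment and check it against published IOCs before opening it.

Added example, not the post's or DugganUSA's tooling. The IOC values are the
three hashes the post publishes for 23fca13a838f.zip; the sample bytes in the
demo are constructed so the script runs offline without the real archive.
"""
import hashlib
from typing import Dict, List, Set

ALGORITHMS = ("sha256", "sha1", "md5")

# IOCs exactly as published in the post for 23fca13a838f.zip.
PUBLISHED_IOCS: Dict[str, Set[str]] = {
    "sha256": {"23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68"},
    "sha1": {"3bac34d0929da3c998a0e4b88937854a234e8618"},
    "md5": {"124c7623502a81b9ce8e862a91ccee59"},
}
VT_BASE = "https://www.virustotal.com/gui/file/"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a downloaded file through the digests without reading it whole."""
    digests = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def match_iocs(digests: Dict[str, str], iocs: Dict[str, Set[str]] = PUBLISHED_IOCS) -> List[str]:
    """Return the algorithms whose digest matches a known-bad value."""
    return [alg for alg, value in digests.items() if value.lower() in iocs.get(alg, set())]


def looks_like_zip(data: bytes) -> bool:
    """ZIP local-header, empty-archive and spanned-archive magic numbers."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def vt_url(sha256_hex: str) -> str:
    """The VirusTotal report URL for a SHA-256, in the form the post links to."""
    return VT_BASE + sha256_hex.lower()


def triage(data: bytes, iocs: Dict[str, Set[str]] = PUBLISHED_IOCS) -> dict:
    """Hash, match against IOCs and produce a verdict; never unpacks anything."""
    digests = hash_bytes(data)
    hits = match_iocs(digests, iocs)
    if hits:
        verdict = "KNOWN MALICIOUS (IOC match on %s): do not open" % ", ".join(hits)
    else:
        # A miss is not a clean bill of health; check the VT report before opening.
        verdict = "no IOC match; not proof of safety, check the VirusTotal report before opening"
    return {
        "digests": digests,
        "ioc_hits": hits,
        "is_zip": looks_like_zip(data),
        "virustotal": vt_url(digests["sha256"]),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample: a ZIP-looking blob that is not in the IOC set.
    report = triage(b"PK\x03\x04" + b"constructed benign sample bytes")
    for key, value in report.items():
        print(f"{key}: {value}")
```

For a real download, call `hash_file("/path/to/attachment.zip")` and pass the result to `match_iocs`; the SHA-256 in the returned dict is what you paste into VirusTotal or feed into a STIX indicator lookup.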




For GitHub Security Team


Recommendations for Platform-Level Detection


1. Flag fast responses: Issue opened → comment with file < 2 min = suspicious

2. Flag dormant accounts: Account age > 90 days + zero activity + first action is file upload = high risk

3. Automatic VirusTotal scanning: Scan all file attachments on upload

4. Warning labels: "File from unverified account" badges

5. Rate limiting: Restrict file uploads from accounts < 90 days old
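The Detection Signals section and the platform-level recommendations above describe the same scoring: response delay, account age against contribution history, a binary attachment as the first activity, and a generic one-line message. The script below is an added example, not the post's or DugganUSA's tooling, showing that scoring as code a maintainer or a bot could run over issue-comment events. The inputs are plain dataclasses modelled on the fields a GitHub webhook or REST API delivers for an issue, a comment and the commenter's account; all sample values are constructed, and the word-count threshold for a "generic" message is an assumption.

```python
"""Score an issue comment against the Pattern #38 detection signals.

Added example (not the post's or DugganUSA's tooling). Inputs are dataclasses
modelled on the issue, comment and account fields a GitHub webhook or the REST
API delivers; every sample value below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

DORMANT_DAYS = 90          # "most platforms trust accounts > 90 days old"
AUTOMATED_SECONDS = 120    # response < 2 minutes = automated
CERTAIN_SECONDS = 60       # response < 1 minute = definitely automated
GENERIC_MAX_WORDS = 8      # assumption: fewer words than this and no code = generic


@dataclass
class Commenter:
    login: str
    created_at: datetime
    contributions_last_year: int   # assumption: read from the contributions graph
    prior_activity_on_repo: bool   # has this login ever commented or committed here?


@dataclass
class IssueComment:
    issue_opened_at: datetime
    posted_at: datetime
    body: str
    attachments: List[str]         # attachment file names found in the comment
    commenter: Commenter


def ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps GitHub emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def score_comment(c: IssueComment) -> Tuple[int, List[str]]:
    """Return (signal count, human-readable signals) for one comment."""
    signals: List[str] = []
    delay = (c.posted_at - c.issue_opened_at).total_seconds()
    age_days = (c.posted_at - c.commenter.created_at).days

    # Timing: nobody reads a multi-paragraph issue and ships a fix in seconds.
    if delay < CERTAIN_SECONDS:
        signals.append(f"response in {delay:.0f}s: definitely automated")
    elif delay < AUTOMATED_SECONDS:
        signals.append(f"response in {delay:.0f}s: automated")

    # Aged account that has never actually contributed anything.
    if age_days > DORMANT_DAYS and c.commenter.contributions_last_year == 0:
        signals.append(f"account {age_days} days old with zero contribution history")

    # Binary attachment instead of visible source, from a login unknown to this repo.
    zips = [name for name in c.attachments if name.lower().endswith(".zip")]
    if zips:
        signals.append(f"{len(zips)} ZIP attachment(s) in comment")
        if not c.commenter.prior_activity_on_repo:
            signals.append("first activity on this repo is a file attachment")

    # Generic one-liner: no inline code or code block, very few words.
    has_code = "`" in c.body
    if not has_code and len(c.body.split()) < GENERIC_MAX_WORDS:
        signals.append("generic message with no technical detail")

    return len(signals), signals


def verdict(n_signals: int) -> str:
    """Turn a signal count into the action the post recommends."""
    if n_signals >= 3:
        return "QUARANTINE: do not download the attachment; notify the maintainer"
    if n_signals >= 1:
        return "REVIEW: check contributor history before opening anything"
    return "OK"


def sleeper_like_comment() -> IssueComment:
    """Constructed to reproduce the 160-day dormancy and 45-second delay the post describes."""
    return IssueComment(
        issue_opened_at=ts("2025-11-23T19:08:05Z"),
        posted_at=ts("2025-11-23T19:08:50Z"),
        body="This should be the fix.",
        attachments=["23fca13a838f.zip"],
        commenter=Commenter("sleeper-example", ts("2025-06-16T00:00:00Z"), 0, False),
    )


def benign_comment() -> IssueComment:
    """Constructed: a known contributor replying hours later with inline code, no attachment."""
    return IssueComment(
        issue_opened_at=ts("2025-11-23T19:08:05Z"),
        posted_at=ts("2025-11-23T22:41:00Z"),
        body="I hit this too. `renderTree()` rebuilds the node list on every call; caching it in `state.nodes` fixes it.",
        attachments=[],
        commenter=Commenter("regular-contributor", ts("2021-03-02T00:00:00Z"), 140, True),
    )


if __name__ == "__main__":
    for comment in (sleeper_like_comment(), benign_comment()):
        count, reasons = score_comment(comment)
        print(comment.commenter.login, verdict(count), *reasons, sep="\n  ")
```

The thresholds are the post's own (90 days, 2 minutes, 1 minute); the three-signal quarantine cut-off is a choice made here so that timing alone flags a comment for review while the full sleeper profile blocks the download outright.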




Hall of Shame Verdict


Crime: Supply chain attack using professional infrastructure
Sophistication: HIGH (160-day sleeper, automated monitoring, pre-staged payloads)
Intent: Credential theft, supply chain compromise
Impact: ZERO (detected before execution)
Community Service: Unintentional - demonstrated Pattern #38 for documentation


Sentence: Permanent ban from all DugganUSA-monitored repositories.



• DugganUSA STIX feed: https://analytics.dugganusa.com/api/v1/stix-feed

• GitHub Security Team

• VirusTotal

• Public blog posts


Status: BURNED - Account exposed, pattern documented, IOCs distributed.




The Bottom Line


FireSuper represents a new era of supply chain attacks:



• Professional infrastructure (not amateur opportunism)

• Long-term planning (6-month account aging)

• Automated delivery (webhook monitoring)

• High-value targeting (supply chain amplification)


But they made one critical mistake:


They attacked a threat intel researcher on the day he was publishing attacker OpSec research.


Odds of this timing: 1 in 1.78 billion.


They picked the wrong day.




Inducted into Hall of Shame: November 23, 2025
Pattern: #38 - GitHub Supply Chain Sleeper Accounts
Status: CONTAINED - Zero damage, full documentation, community alerted
Irony Level: 🎲 1 in 1.78 billion


DugganUSA LLC
Born Without Sin. Catching Supply Chain Attacks on Day One. Running on $75/Month. Outperforming $50K/Year Vendors.


STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Full incident report: /compliance/evidence/supply-chain-attacks/firesuper-cleansheet-attack-2025-11-23.json


*"They demonstrated professional OpSec. Then attacked a threat intel researcher. The irony writes itself."*

