Hunting Supply Chain Attacks While Getting Supply Chain Attacked
- Patrick Duggan
- Nov 30, 2025
- 2 min read
TL;DR: While building threat intel for Pattern 38 GitHub supply chain attacks, we discovered we had the same class of vulnerability in our own repo. The irony writes itself.
The Setup
Saturday afternoon. We're enriching OTX pulses with medical device CVEs, cross-referencing Stealc/Rhadamanthys C2 infrastructure, feeling pretty good about our threat intel game.
Then someone asks: "Did you check the Dependabot alerts?"
The Discovery
HIGH (4x): glob CLI command injection via -c/--cmd (shell:true)
MEDIUM: body-parser DoS via URL encoding
MEDIUM: js-yaml prototype pollution
Four HIGH severity alerts. In our repo. The `glob` package - a file pattern matcher pulled in by a large share of Node.js projects - had a command injection vulnerability in its CLI: the -c/--cmd option runs the supplied command with shell:true, so whatever it is handed is parsed by a shell rather than passed straight to the program. And we had it as a transitive dependency in `browser-extractor-service`.
The same class of attack we'd been documenting all week in Pattern 38.
The Irony
Pattern 38, the research we'd spent the week writing up, covers:
• Supply chain attacks via GitHub issue comments
• Trojanized npm packages (MUT-4831)
• Transitive dependency exploitation
And we had a vulnerable transitive dependency sitting in our own `package-lock.json` for 6 days.
The Good News
1. Not deployed - `browser-extractor-service` never made it to production
2. SBOM caught it - Our CycloneDX SBOM generation flagged the vulnerable component
3. Patched same session - 6 PRs merged, about 30 minutes from discovery to fix
The Lesson
You don't know what's in your dependency tree until the CVE drops.
The Pattern 38 victims we're tracking didn't know they had Stealc until their credentials were gone. We didn't know we had a vulnerable `glob` version until Dependabot told us.
• SBOMs matter - You can't patch what you can't see
• Dependency scanning is table stakes - Not optional, not "nice to have"
• Transitive dependencies are the attack surface - You probably have 10x more indirect deps than direct ones
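The three lessons above reduce to one question you should be able to answer from the lock file alone: how does a flagged package get into my tree, how many copies are installed, and how deep is each one? The following is an added example written for this post, not tooling from our platform or from npm. It walks a lockfileVersion 3 `package-lock.json` using Node's nearest-`node_modules`-first resolution and reports every chain from the root to a target package. The lock file embedded below is constructed: the package names `html-tooling`, the versions, and the edges between `jsdom`, `express` and `glob` are invented to show the shape of the problem and are not those packages' real dependency graphs.

```javascript
// Constructed lockfileVersion 3 package-lock.json fragment (invented names,
// versions and edges; not the real graphs of jsdom, express or glob).
const LOCK = {
  name: 'browser-extractor-service',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { jsdom: '^1.0.0', express: '^1.0.0' } },
    'node_modules/jsdom': { version: '1.0.0', dependencies: { 'html-tooling': '^1.0.0' } },
    'node_modules/html-tooling': { version: '1.0.0', dependencies: { glob: '^4.0.0' } },
    'node_modules/glob': { version: '4.5.6' },
    'node_modules/express': { version: '1.0.0', dependencies: { glob: '^1.0.0' } },
    // A nested copy: express pins an older major, so npm installed it underneath.
    'node_modules/express/node_modules/glob': { version: '1.2.3' },
  },
};

// Node's resolution order: the nearest enclosing node_modules wins, then walk
// up toward the root. Returns the lockfile key of the installed copy, or null.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Every dependency chain from the root to any installed copy of `target`,
// shortest first. depth 1 means a direct dependency. Cycles are cut per path.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const walk = (key, chain, seen) => {
    const pkg = packages[key];
    if (!pkg) return;
    const deps = {
      ...(pkg.dependencies || {}),
      ...(pkg.devDependencies || {}),
      ...(pkg.optionalDependencies || {}),
    };
    for (const dep of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue; // unresolved entry or cycle
      const nextChain = [...chain, dep];
      if (dep === target) {
        results.push({ chain: nextChain, key: depKey, version: packages[depKey].version, depth: nextChain.length });
      }
      walk(depKey, nextChain, new Set([...seen, depKey]));
    }
  };
  walk('', [], new Set(['']));
  return results.sort((a, b) => a.depth - b.depth || a.chain.join('>').localeCompare(b.chain.join('>')));
}

// Direct vs. transitive: the root entry lists what you chose; everything else
// under node_modules arrived because something you chose asked for it.
function countDependencies(lock) {
  const root = lock.packages[''] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]).size;
  const installed = Object.keys(lock.packages).filter((k) => k !== '').length;
  return { direct, transitive: installed - direct, installed };
}

for (const p of findDependencyPaths(LOCK, 'glob')) {
  console.log(`${p.chain.join(' -> ')}  (glob@${p.version}, depth ${p.depth}, ${p.key})`);
}
console.log(countDependencies(LOCK));
```

On the constructed lock file this reports two installed copies of `glob`: one nested under `express` at depth 2 and one reached through `jsdom -> html-tooling` at depth 3. That second point matters when you patch: bumping the direct dependency that an alert mentions does nothing for a copy nested under a different parent, and only walking the lock file (or an SBOM generated from it) tells you how many copies there are.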
The Numbers
| Metric | Value |
|--------|-------|
| Dwell time (PR created → merged) | 6 days |
| Dwell time (discovered → patched) | ~30 minutes |
| Production exposure | 0 days (not deployed) |
| Transitive dependency depth | 3 levels deep (jsdom → glob) |
The Meta
We're building a platform that helps companies track supply chain threats. Today we proved our own tooling works - our SBOM pipeline caught the vulnerability, Dependabot created the PR, and we patched it.
Eat your own dogfood. Check your own dependencies. The supply chain attack you're hunting might be in your own repo.
*This post is part of our ongoing Pattern 38 supply chain attack research. For IOCs and STIX feeds, visit analytics.dugganusa.com/api/v1/stix-feed*
CVE Reference: glob CLI command injection (CVE-2024-XXXXX) - fixed upstream in a later `glob` release
MITRE ATT&CK: T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain)