
LinkedIn Scans Your Browser for 6,222 Chrome Extensions Without Asking. Microsoft Owns LinkedIn.

  • Writer: Patrick Duggan
  • Apr 2
  • 4 min read

Every time you visit LinkedIn, a 2.7 megabyte JavaScript file loads in your browser. Inside it: 6,222 hardcoded Chrome extension IDs. The code probes each one — sending fetch() requests to chrome-extension:// URLs to detect what you have installed. The results go to LinkedIn's telemetry servers.


You were never asked. LinkedIn's privacy policy doesn't mention it. And a LinkedIn Senior Manager admitted in a sworn affidavit that the company has "extension detection mechanisms" — while publicly disclosing none of them.


This isn't a bug. It's a feature. The evidence is cryptographically timestamped, filed under the EU's Digital Markets Act, and backed by video proof captured in Chrome developer tools.


Microsoft owns LinkedIn. The same Microsoft whose Intune MDM was weaponized by Iran to wipe 200,000 devices at Stryker. The same Microsoft on the IRGC's 18-company target list. The same Microsoft that sells security tools while its professional network quietly inventories your browser.



What LinkedIn Scans For


6,222 Chrome extension IDs. That's not a sample. That's a census.


  • Ad blockers — uBlock Origin, AdBlock Plus, Privacy Badger

  • VPN clients — NordVPN, ExpressVPN, ProtonVPN browser extensions

  • Privacy tools — DuckDuckGo Privacy Essentials, HTTPS Everywhere

  • Security extensions — LastPass, 1Password, Bitwarden

  • Developer tools — React DevTools, Redux DevTools, Wappalyzer

  • Accessibility tools — screen readers, color adjusters

Every category tells LinkedIn something about you that you didn't volunteer. An ad blocker means you resist tracking. A VPN means you value privacy. A password manager tells them your security posture. Developer tools reveal your profession. Accessibility extensions reveal disabilities.


This is profiling. Not by what you click — by what you install.



How It Works


The JavaScript bundle loads on every LinkedIn page view. The code:


  1. Constructs chrome-extension://[EXTENSION_ID]/manifest.json URLs for each of the 6,222 IDs

  2. Fires fetch() requests to each URL

  3. If the extension is installed and exposes that resource, the browser returns the manifest. If not, the request fails silently.

  4. Detected extensions are packaged and sent to LinkedIn telemetry endpoints.

This technique exploits a Chrome behavior: extensions that expose web-accessible resources can be detected by any page that knows the extension ID. LinkedIn knows 6,222 of them.
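The pattern just described leaves a static signature in the bundle: a census of 32-character extension IDs (Chrome IDs use only the letters a through p), chrome-extension:// URL construction, and a fetch() call. The scanner below is an added example, not LinkedIn's code or code from the original post; it runs the check over a constructed sample bundle, the ID threshold is an assumption chosen for this example, and the IDs it generates are placeholders with the right shape rather than real store IDs.

```javascript
// Added example: static detection of the extension-probing pattern in a
// JavaScript bundle. Not code from LinkedIn or from the original post.

// Chrome extension IDs are exactly 32 characters from the alphabet a-p.
const EXTENSION_ID = /\b[a-p]{32}\b/g;
const PROBE_URL = /chrome-extension:\/\//;
const MANIFEST_PROBE = /manifest\.json/;
const FETCH_CALL = /\bfetch\s*\(/;

// Return the distinct extension IDs found in a bundle, in first-seen order.
function extractExtensionIds(source) {
  const seen = new Set();
  for (const id of source.match(EXTENSION_ID) || []) seen.add(id);
  return [...seen];
}

// Classify a bundle. A few IDs on their own are not suspicious (libraries
// reference them for legitimate integrations); a large list sitting next to
// chrome-extension:// URL building and fetch() is the inventory pattern.
// idThreshold is an assumption for this example, not a figure from the post.
function analyseBundle(source, { idThreshold = 100 } = {}) {
  const ids = extractExtensionIds(source);
  const buildsProbeUrl = PROBE_URL.test(source) && MANIFEST_PROBE.test(source);
  const callsFetch = FETCH_CALL.test(source);
  return {
    idCount: ids.length,
    buildsProbeUrl,
    callsFetch,
    likelyExtensionProbe: ids.length >= idThreshold && buildsProbeUrl && callsFetch,
  };
}

// Constructed sample bundle with placeholder IDs: each index is written in
// hexadecimal and its digits mapped onto a..p, the alphabet Chrome uses.
function sampleBundle(idCount) {
  const ids = [];
  for (let i = 0; i < idCount; i++) {
    const hex = i.toString(16).padStart(32, "0");
    ids.push(hex.replace(/[0-9a-f]/g, (d) => String.fromCharCode(97 + parseInt(d, 16))));
  }
  // Minified shape of the loop described in "How It Works".
  return `var e=${JSON.stringify(ids)},r=[];e.forEach(function(i){` +
    `fetch("chrome-extension://"+i+"/manifest.json").then(function(){r.push(i)})});`;
}

const REPORT = analyseBundle(sampleBundle(200));
console.log(REPORT);
```

Run it with `node` against a real bundle by replacing `sampleBundle(200)` with the file contents; a result with `likelyExtensionProbe: true` is the cue to open the Network tab and confirm the requests at runtime.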


The detection runs in the background. No permission dialog. No notification. No opt-out.



The Legal Filing


Fairlinked, an EU digital fairness alliance, filed proceedings under the Digital Markets Act. Their evidence pack includes:


  • JavaScript source analysis with specific line numbers showing the detection code

  • Video demonstration of the scanning captured in Chrome DevTools network tab

  • Cryptographic timestamp from an independent authority (February 19, 2026)

  • Sworn affidavit from LinkedIn Senior Manager Milinda Lakkam

The affidavit is the smoking gun. Lakkam admits LinkedIn has "extension detection mechanisms" — confirming the practice exists — while LinkedIn's public privacy policy contains zero disclosure of browser extension scanning.


A company admitting under oath what it denies in its privacy policy. That's not a gap. That's fraud.



Why This Matters for Security


97% of our traffic is dark. Cloudflare sees 10,000+ page views per week. GA4 sees 500. The gap is researchers, analysts, security professionals, and privacy-conscious users who run ad blockers, VPNs, and anti-tracking extensions.


These are exactly the people LinkedIn is profiling.


If you're a security researcher who visits LinkedIn to check a threat actor's profile — LinkedIn now knows you run uBlock Origin, a VPN, and Burp Suite's browser extension. If you're a journalist investigating a breach — LinkedIn knows you have Signal's browser integration and a password manager.


The extensions you install are a fingerprint. LinkedIn is collecting that fingerprint from every visitor, building a shadow profile of your security posture and privacy preferences, and sending it to Microsoft's telemetry infrastructure.



The Microsoft Pattern


This is the third time this week we've written about Microsoft's products becoming the attack surface:


Monday: Microsoft Intune weaponized by Handala/MOIS to wipe 200,000 Stryker devices. The device management tool became the weapon.


Tuesday: Microsoft named on the IRGC's 18-company target list. The company whose products run enterprise infrastructure is now a kinetic military target.


Today: Microsoft's LinkedIn scans your browser extensions without consent. The professional network you use for job searching is inventorying your security tools.


The pattern: Microsoft builds trusted platforms. Users grant access because Microsoft is a security company. That trust is then used for purposes the user never consented to — whether it's a nation-state weaponizing Intune, or LinkedIn quietly profiling your browser.


Trust and access. The two things attackers want most. The two things Microsoft's products are designed to provide.



What To Do


  1. Use Firefox. Firefox doesn't expose extension IDs to web pages the way Chrome does. The LinkedIn scanner doesn't work on Firefox.

  2. Use a dedicated browser for LinkedIn. Don't visit LinkedIn from the same browser profile where you have security tools installed.

  3. Check what's exposed. Open Chrome DevTools (F12) → Network tab → visit LinkedIn → filter by chrome-extension:// → watch the requests fire.

  4. Support the EU filing. The evidence pack is at browsergate.eu. The DMA complaint has teeth — the Digital Markets Act carries fines up to 10% of global revenue.
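Whether a given extension shows up in a scan like this depends on how its manifest declares web-accessible resources, which is the Chrome behaviour mentioned under "How It Works". The audit below is an added example, not code from the post, from LinkedIn, or from any extension vendor. It encodes Chrome's manifest semantics as I understand them, which the post does not spell out: in Manifest V2 every web_accessible_resources pattern is reachable from any origin; in Manifest V3 each entry names the origins ("matches") allowed to fetch it, and "use_dynamic_url": true serves it under a per-session URL a page cannot derive from the public store ID. The two manifests are constructed: the weak shape beside the hardened one.

```javascript
// Added example: audit an extension manifest for enumerability by a page
// that knows the extension's store ID. Not code from the post or LinkedIn.

// Match patterns that cover effectively every website.
const BROAD_PATTERNS = [/^<all_urls>$/, /^\*:\/\/\*\//, /^https?:\/\/\*\//];

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.some((re) => re.test(pattern));
}

// Returns { exposure, findings }; exposure is "any-origin",
// "listed-origins" or "none".
function auditManifest(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (war.length === 0) {
    findings.push("no web-accessible resources declared");
    return { exposure: "none", findings };
  }
  if (manifest.manifest_version === 2) {
    // MV2 takes a flat list of patterns exposed to every origin.
    findings.push(`MV2: ${war.length} pattern(s) reachable from every origin`);
    return { exposure: "any-origin", findings };
  }
  let exposure = "none";
  war.forEach((entry, i) => {
    const matches = entry.matches || [];
    const resources = (entry.resources || []).join(", ");
    if (entry.use_dynamic_url === true) {
      findings.push(`entry ${i}: ${resources} served under a dynamic URL, not derivable from the store ID`);
    } else if (matches.some(isBroadPattern)) {
      exposure = "any-origin";
      findings.push(`entry ${i}: ${resources} reachable from ${matches.join(", ")}`);
    } else if (matches.length > 0) {
      if (exposure === "none") exposure = "listed-origins";
      findings.push(`entry ${i}: ${resources} reachable only from ${matches.join(", ")}`);
    } else {
      findings.push(`entry ${i}: no page origins listed (extension_ids only)`);
    }
  });
  return { exposure, findings };
}

// Constructed manifests (not a real extension): the first is the shape that
// lets any page confirm the extension is installed, the second is the same
// extension hardened with use_dynamic_url.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: "Example Extension (constructed)",
  web_accessible_resources: [
    { resources: ["icon.png", "inject.js"], matches: ["<all_urls>"] },
  ],
};

const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: "Example Extension (constructed)",
  web_accessible_resources: [
    { resources: ["icon.png", "inject.js"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

console.log(auditManifest(WEAK_MANIFEST));
console.log(auditManifest(HARDENED_MANIFEST));
```

To audit an installed extension, load its unpacked manifest.json with `JSON.parse` and pass the object in. The hardened form has a cost for extension authors: content scripts must obtain resource URLs at runtime through `chrome.runtime.getURL` rather than hardcoding the store ID, which is exactly what stops a page from doing the same.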


The Irony


LinkedIn is where security professionals network. It's where CISOs post thought leadership about privacy. It's where vendors pitch data protection products. And the platform itself is running a 6,222-extension surveillance script on every visitor.


The professional network for the security industry is the surveillance tool the security industry should be protecting against.




DugganUSA tracks how platforms weaponize trust. Microsoft Intune became a wiper delivery system. LinkedIn became a browser fingerprinting system. The pattern is the same: access granted for one purpose, used for another.


Evidence pack: browsergate.eu/the-evidence-pack/
EU filing: Digital Markets Act proceedings by Fairlinked e.V.

