Memorial Day 2026: Five Different Customers Lost Today. We Had The Receipt On Every One Of Them.
- Patrick Duggan
Memorial Day 2026 fired five separate cybersecurity incidents at scale. By the end of the day, the news cycle had named every one of them. Each campaign had identifiable victims whose names landed in headlines this afternoon. For each of those five campaigns, DugganUSA's STIX feed and IOC index carried the receipt before the attack fired against the public victim list. This post is the customer-protective audit. Five victims today, five receipts already in our feed, sized by lead time.
1. Charter Communications — ShinyHunters extortion
The U.S. telecommunications giant confirmed today that the ShinyHunters extortion group has stolen customer and operational data and is threatening to leak it unless a ransom is paid. ShinyHunters is the same operator behind the Instructure Canvas breach (275 million records across 9,000 schools, May 7), Cushman & Wakefield, NVIDIA Armenia, and a documented multi-year run of high-profile data extortion.
Our receipt: the ShinyHunters adversary profile has been in our adversaries index since May 23, 2026. As of today the record carries 9 confirmed victims, 5 aliases (including their Coinbase Cartel confederation with Scattered Spider and Lapsus$), the leak-site .onion address, the operator-tradecraft TTP cluster, and the OAuth-token-pivot signature. Any defender consuming our STIX feed has been able to query the operator as a structured record for three days before today's Charter disclosure.
2. Seven hundred Ghost CMS websites — ClickFix mass-exploitation
CVE-2026-26980, the unauthenticated SQL-injection vulnerability in Ghost CMS, hit operational exploitation today. Threat actors are injecting malicious JavaScript that pivots visitors of Ghost-served pages into the ClickFix clipboard-hijacking flow. Seven hundred sites were compromised as of this afternoon's reporting.
Our receipt: our exploit-harvester cron caught the public PoC for CVE-2026-26980 on May 20, 2026 — six days before the mass-exploitation phase fired. The detection rule was indexed against the /ghost/api/admin/ endpoint pattern. Customers running Ghost on the public internet who consumed our feed had the deny-list pattern available before the campaign began. The follow-on Ghost RCE (CVE-2026-29053, theme upload as execution primitive) was ingested into our index yesterday, May 25.
3. GitHub internal — TeamPCP via poisoned Nx Console VS Code extension
GitHub confirmed yesterday that 3,800 internal private repositories were exfiltrated by TeamPCP through a poisoned Nx Console VS Code extension that was live on the Visual Studio Marketplace for 18 minutes on May 18. The actor used credentials harvested from a compromised GitHub employee device to clone the repos.
Our receipt: TeamPCP's persistent blockchain canister command-and-control endpoint tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io was indexed in our iocs corpus on March 30, 2026 — forty-nine days before the Megalodon GitHub Actions mass-poisoning campaign fired from that same infrastructure, and fifty-nine days before the GitHub-internal breach. The full TeamPCP adversary profile (UNC6780, 16 TTPs, 4 victim campaigns including the Nx Console attack) has been in our adversaries index since May 23. Customers running VS Code extensions in CI/CD pipelines who consumed our feed had operator infrastructure attribution before the campaign opened.
4. SharePoint instances — [CVE-2026-45659](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-45659) RCE
Microsoft rolled out a patch today for CVE-2026-45659, a remote code execution vulnerability in SharePoint Server with CVSS 8.8. The vulnerability is exploitable without specialized conditions and gives an attacker code execution on the SharePoint host. Every on-premises SharePoint deployment that is not patched before tomorrow's business day is in the active scanning population.
Our receipt: ingested into our iocs corpus today, May 26, within hours of disclosure. The record is source-tagged research-import-sharepoint-rce-2026-05-26. Customers who consume our feed will have the CVE-tagged record before tomorrow's automated patch windows close. Lead time on this one is shorter than the others, but the operational pattern (rapid scan-and-exploit against SharePoint installations) makes any pre-patch coverage measurable.
5. Japan KnowledgeDeliver LMS users — [CVE-2026-5426](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-5426) zero-day
A zero-day in Digital Knowledge's KnowledgeDeliver Learning Management System (CVSS 7.5) is being exploited to drop the Godzilla web shell and Cobalt Strike Beacon onto compromised education and corporate training environments. KnowledgeDeliver is Japan-regional but widely deployed across Japanese university, government training, and corporate L&D programs. The vulnerability stems from hard-coded ASP.NET machine keys, which allow forged ViewState payloads to be deserialized on the server.
Our receipt: ingested today, May 26, with paired Godzilla webshell IOC. Our STIX feed covers Japanese defender consumers as well as US — the Godzilla + Cobalt Strike chain is one of the most documented post-compromise toolsets in the corpus, with hundreds of prior indicators connecting back to Chinese state-sponsored operator clusters.
The honest score
Of the five Memorial Day campaigns, the lead times we delivered to defenders ranged from 49 days (TeamPCP infrastructure) to hours (the SharePoint patch-day ingest). The median lead time across the five was six days.
Six days is more than enough time for a defender consuming our feed to patch, deny-list, audit, or otherwise respond. Six days is structurally longer than the response time of any threat-intelligence consumption pipeline that relies on the public news cycle. The defender consuming our feed was operationally positioned to act before the campaign fired. The defender consuming the news cycle was operationally positioned to read about it after.
What it costs to consume the feed
Free. Always has been. The DugganUSA STIX feed is available at https://analytics.dugganusa.com/api/v1/stix-feed with a free API key from /stix/register. The TAXII 2.1 endpoint is at the same path. The natural-language and structured-search endpoints query the same corpus that produced today's five receipts. We are post-revenue in a narrow sense — one customer paying $45/month — but the feed is and remains zero-cost to defenders. The asymmetric edge is the same edge it has been since the first STIX feed consumer pulled their first records in December 2025: the corpus runs ahead of the news cycle because we run the cluster work that the news cycle does not run.
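The lead-time audit described in this post, as an added example that is not DugganUSA's own client code: it assumes the feed returns a standard STIX 2.1 bundle whose indicator objects cite CVEs in `external_references`, and the bundle, object ids and campaign dates below are constructed for illustration.

```python
"""Lead-time audit of CVE-tagged indicators in a STIX 2.1 bundle (added example, not
DugganUSA's client; assumes standard STIX 2.1 bundles; all sample data is constructed)."""
import json
from datetime import datetime

def _indicator(suffix, created, pattern, cve=None):
    # Minimal constructed STIX 2.1 indicator; ids are placeholders, not feed data.
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--0f3a2b1c-0000-4000-8000-0000000000{suffix}",
           "created": created, "modified": created, "valid_from": created,
           "pattern_type": "stix", "pattern": pattern}
    if cve:
        obj["external_references"] = [{"source_name": "cve", "external_id": cve}]
    return obj

# Constructed bundle: two CVE-tagged indicators plus a threat-actor object that
# a naive consumer might wrongly treat as a detection.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0f3a2b1c-0000-4000-8000-000000000001",
    "objects": [
        _indicator("aa", "2026-05-20T09:15:00.000Z", "[url:value MATCHES '/ghost/api/admin/']", "CVE-2026-26980"),
        _indicator("bb", "2026-05-26T11:00:00.000Z", "[domain-name:value = 'scanner.example.invalid']", "CVE-2026-45659"),
        {"type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--0f3a2b1c-0000-4000-8000-0000000000dd",
         "created": "2026-03-30T00:00:00.000Z", "modified": "2026-05-23T00:00:00.000Z", "name": "TeamPCP"}]})

# Constructed: when each campaign reached the public victim list.
CAMPAIGN_FIRED = {"CVE-2026-26980": "2026-05-26T14:00:00Z", "CVE-2026-45659": "2026-05-26T18:30:00Z"}

def _ts(s):
    # STIX timestamps are UTC with a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def cve_indicators(bundle_json):
    """Map each CVE cited by an indicator to the earliest 'created' time seen."""
    earliest = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # threat actors, relationships etc. carry no detection pattern
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "cve":
                cve, t = ref["external_id"], _ts(obj["created"])
                if cve not in earliest or t < earliest[cve]:
                    earliest[cve] = t
    return earliest

def lead_time_days(bundle_json, fired):
    """Days from the feed's first record of each CVE to the campaign firing (None if absent)."""
    first_seen = cve_indicators(bundle_json)
    return {cve: None if cve not in first_seen
            else (_ts(when) - first_seen[cve]).total_seconds() / 86400
            for cve, when in fired.items()}
```

A negative result means the feed record arrived after the campaign fired, which is the case a defender should be auditing for.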
The frame
Memorial Day 2026 was structurally inevitable from the moment the U.S. cybersecurity-defender attention curve started to dip on Friday afternoon. The actors who plan campaigns against that curve fired their staged attacks across the weekend, and the news cycle reported them over the weekend's tail and Monday's recovery. Five campaigns. Five victims. Five receipts already in our feed.
The defender does not need predictive clairvoyance to win at this. The defender needs a feed that ran ahead of the news cycle by six days on average, and the discipline to consume it before the campaign fires. We provide the first. The second is the part the defender owns. Memorial Day 2026 is what it looks like when the second part doesn't happen.
The receipt is timestamped on every one of them. Next weekend, next holiday, next news cycle, more receipts. The work compounds.