  • Writer: Patrick Duggan
  • Feb 2

# Moltbot Supply Chain Attack: Why We Dodged It (And You Should Care)


**Published:** February 2, 2026

**Author:** DugganUSA Threat Intelligence


## TL;DR



On January 27, 2026, a fake "ClawdBot Agent" VS Code extension hit Microsoft's Marketplace. It looked like the popular Moltbot AI coding assistant, worked like it too - but silently dropped a ConnectWise ScreenConnect RAT on every Windows machine that installed it. The same week, researchers found hundreds of real Moltbot instances leaking API keys and credentials through unauthenticated admin ports. We use Claude Code. Here's why that matters.




## What Happened



### The Fake Extension (Supply Chain Attack)

| Detail | Value |
|--------|-------|
| Extension Name | ClawdBot Agent – AI Coding Assistant |
| Publisher | "clawdbot" (impersonator) |
| Published | January 27, 2026 |
| Removed | January 28, 2026 |
| Payload | ConnectWise ScreenConnect RAT |
| Target | Windows developers |


The attack was elegant: build a fully functional AI coding assistant that actually works, then bundle malware that drops when VS Code starts. Developers get the tool they wanted. Attackers get full remote access to their machines.


The kicker? **Moltbot doesn't have a legitimate VS Code extension.** The attackers knew the tool was popular enough that developers would install anything claiming to be it.


### The Architecture Problem (Bigger Issue)



While everyone focused on the fake extension, security researchers found something worse:


- **Hundreds of Moltbot instances** exposed online with unauthenticated admin ports

- **API keys, OAuth credentials, and chat histories** leaking freely

- **Cleartext credential storage** in `~/.clawdbot` directory

- **Malicious MoltHub skill** reached 4,000+ downloads as proof-of-concept


Heather Adkins, founding member of Google's Security Team, issued a blunt advisory: **"Don't run Clawdbot [Moltbot]."**




## Why We're Not Affected



### We Use Claude Code

Our agentic AI infrastructure runs on Claude Code (Anthropic's official CLI), not Moltbot. Here's the difference:

| Factor | Moltbot | Claude Code |
|--------|---------|-------------|
| Credential Storage | Cleartext in `~/.clawdbot` | Encrypted keychain integration |
| Admin Ports | Often exposed, unauthenticated | No exposed admin interface |
| Extension Ecosystem | MoltHub (unvetted) | Anthropic-controlled |
| Architecture Philosophy | "Ease of deployment" | "Secure by default" |
| VS Code Extension | None (impersonated) | Official, verified |


### Our Detection Caught It



The fake extension hit our Pattern 43 supply chain detection:





We flagged "ClawdBot Agent" within hours of publication based on behavioral analysis - the extension requested network permissions inconsistent with a coding assistant.




## The Lesson: AI Tool Supply Chain Risk



This attack worked because:


1. **Developers trust marketplaces** - "It's on the official VS Code Marketplace, must be safe"

2. **AI tools are hot** - Everyone wants the new shiny, vetting comes second

3. **Impersonation is easy** - No verification that "clawdbot" publisher was actually Moltbot

4. **Functionality masks malice** - The extension actually worked as an AI assistant


### Questions to Ask Before Installing AI Dev Tools



1. **Does the vendor have an official extension?** (Moltbot didn't)

2. **Is the publisher verified?** (Check for verification badges)

3. **What permissions does it request?** (Network + file system = red flag)

4. **Where does it store credentials?** (Cleartext = dealbreaker)

5. **Is the admin interface authenticated?** (Exposed ports = no)
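
Questions 1 and 2 can be checked mechanically against what is already installed. The following PowerShell audit is an added example, not DugganUSA's tooling: it reads each installed extension's `package.json`, reports any ID missing from an allowlist you maintain, and marks extensions that activate at editor startup, which is when this page says the fake extension dropped its payload. The allowlist entries and the default extensions folder are assumptions.

```powershell
# Added example (not from the original post): audit installed VS Code extensions
# against an allowlist of IDs you have vetted.
$Allowlist = @('ms-python.python', 'dbaeumer.vscode-eslint')   # sample entries; use your own
$ExtRoot   = Join-Path $env:USERPROFILE '.vscode\extensions'   # default per-user folder (assumption)

$report = foreach ($dir in Get-ChildItem -Path $ExtRoot -Directory -ErrorAction SilentlyContinue) {
    $manifestPath = Join-Path $dir.FullName 'package.json'
    if (-not (Test-Path $manifestPath)) { continue }

    # A manifest that does not parse is itself worth a look, so warn instead of hiding it.
    try   { $m = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json }
    catch { Write-Warning "Unreadable manifest: $manifestPath"; continue }

    # The marketplace ID is <publisher>.<name>; the display name is free text and easy to spoof.
    $id     = ('{0}.{1}' -f $m.publisher, $m.name).ToLowerInvariant()
    $events = @($m.activationEvents)

    [pscustomobject]@{
        Id            = $id
        Version       = $m.version
        Allowlisted   = $Allowlist -contains $id
        # '*' and 'onStartupFinished' both make the extension run when the editor starts.
        RunsAtStartup = [bool]($events -contains '*' -or $events -contains 'onStartupFinished')
        Path          = $dir.FullName
    }
}

# Show only what is not on the allowlist, startup-activated entries first.
$report |
    Where-Object { -not $_.Allowlisted } |
    Sort-Object -Property RunsAtStartup -Descending |
    Format-Table Id, Version, RunsAtStartup, Path -AutoSize -Wrap
```

Startup activation is common in legitimate extensions, so use that column to prioritise review of unlisted entries rather than as a verdict.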




## What To Do If You Installed It



If you installed "ClawdBot Agent" from VS Code Marketplace before January 28:


1. **Uninstall immediately** - VS Code Extensions panel

2. **Check for ScreenConnect** - Look for `ScreenConnect.ClientService` in running processes

3. **Rotate all credentials** - API keys, OAuth tokens, anything in environment variables

4. **Check `~/.clawdbot`** - If it exists, assume those credentials are compromised

5. **Scan for persistence** - ScreenConnect creates scheduled tasks and services
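
The checks in the steps above can be collected into one read-only PowerShell pass over a Windows workstation. This is an added example, not code from DugganUSA or the cited sources. The extension ID, process name and `.clawdbot` path are the indicators this page lists; the default extension folders and the `*ScreenConnect*` substring match for services and tasks are assumptions.

```powershell
# Added example (not from the original post): read-only triage for this page's indicators.
$ExtensionId = 'clawdbot.clawdbot-agent'        # extension ID listed on this page
$ProcessName = 'ScreenConnect.ClientService'    # process name listed on this page
$findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# Step 1: extension folders are named <publisher>.<name>-<version>.
# Default per-user locations are assumed; portable installs keep them elsewhere.
$extRoots = @("$env:USERPROFILE\.vscode\extensions",
              "$env:USERPROFILE\.vscode-insiders\extensions")
foreach ($root in ($extRoots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Directory -Filter "${ExtensionId}-*" |
        ForEach-Object { Add-Finding 'Extension installed' $_.FullName }
}

# Step 2: the ScreenConnect client process.
Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process running' "PID $($_.Id) $($_.Path)" }

# Step 4: cleartext credential directory. Files are counted, never read.
$credDir = Join-Path $env:USERPROFILE '.clawdbot'
if (Test-Path $credDir) {
    $count = @(Get-ChildItem -Path $credDir -Recurse -File -Force).Count
    Add-Finding 'Credential directory' "$credDir ($count files): rotate everything stored here"
}

# Step 5: persistence. Matching on the substring 'ScreenConnect' is an assumption;
# the page does not give exact service or task names.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*ScreenConnect*' -or $_.PathName -like '*ScreenConnect*' } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) -> $($_.PathName)" }

Get-ScheduledTask |
    Where-Object { $_.TaskName -like '*ScreenConnect*' -or ($_.Actions.Execute -like '*ScreenConnect*') } |
    ForEach-Object { Add-Finding 'Scheduled task' "$($_.TaskPath)$($_.TaskName)" }

if ($findings.Count -eq 0) { 'No indicators from this page were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

ScreenConnect is also a legitimate remote-support product, so confirm whether a service or task hit is an approved IT install before treating it as the payload. Uninstalling the extension and rotating credentials remain manual steps.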


### IOCs

| Indicator | Type |
|-----------|------|
| clawdbot.clawdbot-agent | VS Code Extension ID |
| ScreenConnect.ClientService | Process Name |
| ~/.clawdbot/* | Credential Storage Path |
| ConnectWise relay domains | C2 Infrastructure |




## The Broader Pattern



This is the third major AI tool supply chain attack in 2026:


1. **January 2026**: Fake Moltbot VS Code extension (ScreenConnect RAT)

2. **January 2026**: MoltHub malicious skill (credential exfil)

3. **Ongoing**: Exposed Moltbot instances leaking credentials


The pattern is clear: **AI coding tools are the new attack surface.** Developers have elevated privileges, access to source code, and credentials to production systems. Compromise a developer's AI assistant, compromise everything they touch.




## Our Security Posture

For transparency, here's how we protect against this class of attack:

| Control | Implementation |
|---------|----------------|
| AI Tool Selection | Claude Code (Anthropic) - no third-party extensions |
| Credential Management | Azure Key Vault, no local cleartext storage |
| Supply Chain Monitoring | Pattern 43 detection on dev tool installations |
| Network Segmentation | Dev environments isolated from production |
| Extension Vetting | Allowlist-only for VS Code extensions |


We've made 294,716 automated security decisions. Zero of them involved trusting unvetted AI tools.




## Platform Stats

| Metric | Value |
|--------|-------|
| IOCs Tracked | 272,310 |
| Automated Decisions | 294,716 |
| Supply Chain Patterns | 43+ documented |
| AI Tool Incidents (2026) | 3 major |




## Bottom Line



The Moltbot attack succeeded because developers wanted a convenient AI assistant and didn't verify what they were installing. The architecture failures happened because Moltbot prioritized ease of deployment over security.


We use Claude Code because Anthropic prioritizes security by default. We store credentials in Key Vault because cleartext is unacceptable. We monitor supply chains because Pattern 43 is real.


Don't install AI tools you can't verify. Don't trust marketplaces to vet for you. Don't store credentials in cleartext.


Or just use Claude Code.




*This analysis was performed using the DugganUSA Threat Intelligence Platform. The same infrastructure that detects supply chain attacks also tracks 272,310 IOCs and makes 294,716 automated security decisions.*


**Sources:**

- [The Hacker News - Fake Moltbot VS Code Extension](https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html)

- [Aikido - Fake Clawdbot Extension Analysis](https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware)

- [OX Security - MoltBot Data Breach Risk](https://www.ox.security/blog/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot/)

- [Infinum - MoltBot Security Crisis](https://infinum.com/blog/moltbot-clawdbot-viral-ai-sidekick/)





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*

 
 
 
