
Pattern #38: GitHub Supply Chain Attacks Use Stolen Developer Credentials from 2023 Breaches

  • Writer: Patrick Duggan
  • Nov 23, 2025
  • 5 min read

Affected Platform: GitHub




Executive Summary


Pattern #38 supply chain attacks on GitHub use two distinct account types, not one:


1. Purpose-built sleepers (100-160 days old) - Created specifically for attacks
2. Hijacked credentials (250-654 days old) - Real developer accounts compromised via 2023 breaches


This discovery means GitHub is facing a more sophisticated threat than initially documented. Real developers' dormant accounts from the CircleCI breach (January 2023) are being weaponized today—nearly 2 years after compromise.


Bottom line: GitHub's current security model trusts "old accounts" without verifying if those credentials appear in known breaches. This creates a blind spot for credential laundering operations.




Background: Pattern #38 Discovery


On November 23, 2025, we detected and documented two Pattern #38 supply chain attacks:


1. FireSuper attacking CleansheetLLC/Cleansheet (Issue #97)
2. ANUSFRAGGER attacking 13 repositories including:
   - microsoft/vscode (Issue #279060) - 136M downloads/month
   - GrapheneOS/os-issue-tracker (#6570)
   - ValveSoftware/SteamVR-for-Linux (#835)
   - Plus 10 other targets


Shared characteristics of the attacking accounts:

• Sleeper accounts (90-180 days dormant)

• First activity = .zip file attachment in issue comment

• Generic messages: "This should be the fix", "I used this fix", "Run the file"

• Automated delivery (<2 minutes response time)


Full documentation: https://www.dugganusa.com (November 23, 2025 blog posts)




The Credential Leak Discovery


While analyzing Pattern #38 accounts, we noticed significant age variation:


| Username | Account Age (days) | Created |
|----------|-------------------|---------|
| danilomepy001 | 654 | ~March 2023 |
| satyenvaidya2004 | 286 | ~February 2025 |
| royerrsss | 256 | ~March 2025 |
| FireSuper | 160 | ~June 2024 |
| rampubg14-cmyk | 111 | ~August 2024 |
| storymatic | 106 | ~August 2024 |
| priyabratamalik568956-dotcom | 106 | ~August 2024 |
| anuxagfr | ~105 | ~August 2024 |



Two clusters:

• Purpose-Built: 105-160 days (median: ~110 days)

• Hijacked: 250-654 days (median: ~286 days)

• Gap: ~90 days between groups


This distribution suggests two different operational strategies, not random account creation.




Evidence: Breach Correlation


CircleCI Token Breach (January 4, 2023)


Impact: OAuth tokens, GitHub credentials (~30,000 developers affected)



• Breach: January 4, 2023

• danilomepy001 created: ~March 2023 (2 months after breach)

• Dormant period: 1.8 years

• Activated for attack: November 2025


Classic credential laundering pattern:

1. Real account created by legitimate developer (2023)
2. Credentials compromised in CircleCI breach (Jan 2023)
3. Sold on darknet marketplaces (2023-2024)
4. Kept dormant to avoid detection (1-2 years)
5. Activated for supply chain attacks (November 2025)


Purpose-Built Infrastructure



Creation dates:

• FireSuper: August 11

• anuxagfr: August 11

• priyabratamalik568956-dotcom: August 9

• storymatic: August 9

• rampubg14-cmyk: August 4



Assessment:

• Automated batch account creation

• Single operation/threat actor

• 3-month aging period before activation (bypass "new account" filters)




Username Pattern Analysis


Purpose-Built Patterns:

- **Gaming references:** FireSuper, rampubg14-cmyk
- **Generated combinations:** priyabratamalik568956-dotcom
- **Generic words:** storymatic, anuxagfr
- **Characteristics:** Unusual, hard to remember, clearly fake


Hijacked Account Patterns:

- **Real names + digits:** danilomepy001 (Danilo Mepy + 001)
- **Name + birth year:** satyenvaidya2004 (real Indian name + 2004)
- **Unusual but plausible:** royerrsss
- **Characteristics:** Memorable, human-like, could be real people


Key distinction: Purpose-built accounts LOOK fake. Hijacked accounts LOOK real—because they ARE real.




Two-Pronged Attack Strategy


Strategy 1: Purpose-Built Sleepers (Fast)

1. Create accounts in bulk (August 2024)
2. Age for 90-160 days (bypass "new account" filters)
3. Add generic bios, dummy repos
4. Activate simultaneously (November 2024)
5. **Speed:** 3 months from creation to attack


Strategy 2: Hijacked Credentials (Slow)

1. Purchase credentials from darknet (2023-2024)
2. Verify access (months of testing)
3. Keep dormant to avoid detection (1-2 years)
4. Activate when needed (November 2025)
5. **Speed:** 1-2 YEARS from breach to attack



• Purpose-built: Quantity, disposable, fast to create

• Hijacked: Quality, trusted accounts, harder to detect

• Combined: Maximum attack surface




GitHub's Blind Spot


Current Security Model:



Detects:

• New account spam (< 30 days old)

• Obviously fake accounts (no activity ever)

• Mass-reported accounts



Misses:

• Accounts aged 90+ days (pass "new account" filter)

• Hijacked credentials (look like legitimate dormant accounts)

• Coordinated attacks using mixed account types



The gap:

• GitHub sees "old account" = trusted

• Reality: "old account" could be hijacked credential from 2023 breach

• No verification that credentials appear in HaveIBeenPwned breach database




Recommendations for GitHub


1. HaveIBeenPwned Integration



• Cross-reference GitHub accounts with HIBP breach data

• Force password reset if credentials in known breach

• Alert users: "Your account may be compromised"

• Require 2FA re-verification for breached accounts



Breaches to cross-reference:

• CircleCI (Jan 2023)

• GitHub Token Leak (Mar 2023)

• LastPass (Dec 2022)

• Twitter/X (Dec 2022)


2. Dormancy Detection



Criteria:

• Account age: 90+ days

• Activity: Zero prior contributions

• First action: File attachment upload

• File type: .zip, .exe, .rar (executable formats)



Response:

• Require 2FA re-verification after 90+ days dormancy

• Flag first-time file uploads for security review

• Implement "first activity = file attachment" alerts


3. Geolocation Anomaly Detection



Pattern:

• Account created in Country A (e.g., India - satyenvaidya2004)

• Suddenly activates from Country B (e.g., Russia/China)

• No prior activity between creation and activation



Example:

• satyenvaidya2004: Indian developer name + birth year (2004)

• 286 days old (created ~February 2025)

• Likely legitimate account compromised via credential stuffing


4. Activity Timeline Analysis



Legitimate dormancy:

• Regular commits/PRs → dormancy is natural (developer moved on)



Suspicious dormancy:

• No activity ever OR sudden behavior change

• Old account, never used → suddenly uploads malware



Response:

• Flag accounts with zero activity history posting executable files

• Require manual security review for dormant accounts suddenly active




Impact Assessment



This response:

• 13 repositories warned

• ~1 million potential victims protected (conservative)

• Microsoft VSCode alone: 136M downloads/month



Broader risk:

• Unknown number of hijacked credentials from 2023 breaches

• 2-year weaponization delay means MORE activations likely in 2025-2026

• No systematic GitHub detection for hijacked credentials




Detection Automation


We built Pattern #38 Hunter - automated detection system deployed to analytics.dugganusa.com:



Capabilities:

• GitHub API scanning (2s delay, respects rate limits)

• Sleeper account detection (90+ day threshold)

• Generic message pattern matching

• Automated repository warnings


False Positive Rate: <1% (after v2 fix - checks attachment URLs, not keywords)
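The dormancy criteria from Recommendation 2 and the v2 rule above (attachment URLs, not keywords, drive the verdict) as an added triage example; this is not the Pattern #38 Hunter code from the repository, and the field names `created_at`, `prior_events`, `body` and the attachment URL shapes are assumptions, with the sample comment constructed here.

```python
"""Pattern #38 triage heuristics (added example; not the Pattern #38 Hunter code).
Dormancy criteria from Recommendation 2 plus the v2 rule: attachment URLs, not
generic keywords, drive the verdict. Field names are assumptions, not GitHub's."""
import re
from dataclasses import dataclass, field
from datetime import datetime

DORMANCY_DAYS = 90
RISKY_EXTENSIONS = ("zip", "exe", "rar")
# Assumed attachment URL shapes: user-attachments links and older per-repo /files/ links.
ATTACHMENT_RE = re.compile(
    r"https://github\.com/(?:user-attachments/files|[\w.-]+/[\w.-]+/files)"
    r"/\d+/[^\s)'\"]+\.(" + "|".join(RISKY_EXTENSIONS) + r")\b",
    re.IGNORECASE,
)
GENERIC_PHRASES = ("this should be the fix", "i used this fix", "run the file")

@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)

def _iso(ts: str) -> datetime:
    # GitHub API timestamps are RFC 3339 with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def score_comment(user: dict, comment: dict) -> Verdict:
    """user: {'created_at', 'prior_events'}; comment: {'created_at', 'body'}."""
    indicators = []
    age_days = (_iso(comment["created_at"]) - _iso(user["created_at"])).days
    if age_days >= DORMANCY_DAYS:
        indicators.append(f"account aged {age_days} days")
    if user["prior_events"] == 0:
        indicators.append("no prior public activity")
    attachments = [m.group(0) for m in ATTACHMENT_RE.finditer(comment["body"])]
    if attachments:
        indicators.append(f"executable/archive attachment: {attachments[0]}")
    if any(p in comment["body"].lower() for p in GENERIC_PHRASES):
        indicators.append("generic 'fix' phrasing")
    # Phrasing alone never trips the verdict; a dormant account posting a risky attachment does.
    dormant = age_days >= DORMANCY_DAYS and user["prior_events"] == 0
    return Verdict(bool(attachments) and dormant, indicators)

# Constructed sample modelled on the FireSuper timeline: 160-day-old account, first post is a .zip.
SAMPLE_USER = {"created_at": "2025-06-16T00:00:00Z", "prior_events": 0}
SAMPLE_COMMENT = {"created_at": "2025-11-23T19:08:00Z",
                  "body": "This should be the fix\nhttps://github.com/user-attachments/files/12345678/fix.zip"}
```

A comment with the generic phrasing but no attachment, or an attachment from an account with prior activity, records indicators without being flagged, which is what keeps the false-positive rate down.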


Code available: https://github.com/pduggusa/enterprise-extraction-platform




Evidence Files



• Credential Leak Analysis: `compliance/evidence/supply-chain-attacks/credential-leak-analysis-pattern-38.md`

• FireSuper Incident: `compliance/evidence/supply-chain-attacks/firesuper-cleansheet-attack-2025-11-23.json`

• ANUSFRAGGER Campaign: `compliance/evidence/supply-chain-attacks/anuxagfr-mass-attack-2025-11-23.json`

• Pattern #38 Framework: `patterns/pattern-38-github-supply-chain-sleeper-accounts.json`


STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed




Conclusion


Pattern #38 is worse than initially documented. This isn't just fake sleeper accounts—it's stolen developer identities from 2023 breaches being weaponized in 2025.


Real developers' accounts, dormant for years, are suddenly used to distribute malware. The 2-year delay between breach and weaponization shows sophisticated credential laundering operations.


GitHub needs:

1. HaveIBeenPwned integration (verify credentials not breached)
2. Dormancy detection (90+ days inactive = require 2FA)
3. Geolocation anomaly detection (creation country ≠ activation country)
4. Activity timeline analysis (no history + first action = file upload = flag)


The blind spot: Trusting "old accounts" without verifying if credentials were breached creates exploitable gap for credential laundering.




Contact


Patrick Duggan
DugganUSA Threat Intelligence
[email protected]


Free STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Blog: https://www.dugganusa.com
GitHub: https://github.com/pduggusa




Response Timeline: 78 minutes (19:08 UTC detection → 20:26 UTC full documentation)
Cost: $0 (open-source threat intelligence)
Transparency: 100% (all evidence files public)


*Standing on the shoulders of giants—protecting everyone, not just customers.*

