DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Pattern 38 Impact: How We Protected 2 Million Open Source Users

Patrick Duggan
Dec 3, 2025
4 min read

--- title: "Pattern 38 Impact: How We Protected 2 Million Open Source Users" slug: pattern-38-impact-2-million-users-protected date: 2025-12-03 author: Patrick Duggan tags: [threat-intelligence, supply-chain, github, malware, impact-assessment] category: Threat Intelligence featured: true ---

TL;DR: Our Pattern 38 supply chain attack detection has protected an estimated 2-4 million open source users by identifying and reporting malware distribution campaigns targeting 194,000+ starred repositories.

The Numbers

═══════════════════════════════════════════════════════════════
          PATTERN 38 SUPPLY CHAIN IMPACT ASSESSMENT            
═══════════════════════════════════════════════════════════════

TOTAL GITHUB STARS PROTECTED: 194,604 ⭐ ESTIMATED USERS PROTECTED: 2-4 MILLION MALWARE ACCOUNTS REPORTED: 15 THREAT ACTORS SUSPENDED: 6 HIGH-VALUE REPOS DEFENDED: 8 ═══════════════════════════════════════════════════════════════ ```

High-Value Targets We Protected

These aren't random repos. These are critical open source infrastructure:

| Project | Stars | What It Does | Why Attackers Wanted It | |---------|-------|--------------|------------------------| | zed-industries/zed | 70,773 | Modern IDE | Developers = high-value targets | | oobabooga/text-generation-webui | 45,537 | AI/ML interface | AI researchers have GPU farms | | paperless-ngx | 34,640 | Document management | Contains sensitive documents | | calibre-web | 16,011 | Ebook server | Self-hosters = technical users | | esphome | 10,154 | IoT firmware | Access to home networks | | atproto (Bluesky) | 8,938 | Social protocol | Developer credentials | | Ultimaker/Cura | 6,788 | 3D printing | Maker community | | ScoopInstaller | 1,763 | Windows packages | Package manager = trust |

The Attack Pattern

Pattern 38 is elegantly simple:

mermaid
flowchart TD
    A[Create GitHub Account] --> B[Fork Popular Repos]
    B --> C[Find Active Issues]
    C --> D[Post 'Helpful' Comment]
    D --> E[Include ZIP Download Link]
    E --> F[Victim Downloads]
    F --> G[Extracts & Runs]
    G --> H[Stealc/Rhadamanthys Executes]
    H --> I[Credentials Stolen]
    
    style E fill:#d73a49,color:#fff
    style H fill:#000,color:#fff

The attackers lurk in GitHub issues, waiting for frustrated users asking for help. Then they swoop in with "I had the same problem! This fixed it for me: [malicious ZIP]"

What We Found Today

Wave 1: The Heavy Hitters

| Account | Type | Reach | Status | |---------|------|-------|--------| | muneebwanee | Spyware dev | 537⭐, 492 followers | 🔴 ACTIVE | | MEIBOMUIS | Crypto drainer MaaS | Telegram sales | 🔴 ACTIVE | | BLACKHAWKS472 | Malware factory | 62 repos | 🔴 ACTIVE | | teslafunds | RedLine distributor | 7yr account | ✅ SUSPENDED |

Wave 2: Network Discovery

By following who follows who, we found a network:

mermaid
flowchart LR
    A[Sliaswrk<br/>HVNC Toolkit] -->|follower| B[saxophone007]
    B -->|hosts| C[Cobalt Strike Source]
    B -->|hosts| D[XWorm RAT Source]
    B -->|hosts| E[CVE Exploits]
    
    style A fill:#d73a49,color:#fff
    style B fill:#d73a49,color:#fff
    style C fill:#000,color:#fff

• APT29 (Russian SVR)

• APT41 (Chinese MSS)

• Conti, LockBit, BlackCat ransomware

The Full Malware Ecosystem

mermaid
mindmap
  root((Malware Network))
    Spyware
      muneebwanee
        Dash 537⭐
        InstaReporter 228⭐
    Crypto Drainers
      MEIBOMUIS
        Telegram @MIOBOMUIS
        5 drainer repos
      Thrbvbb
        Created yesterday
        OKX/Exodus/MetaMask
    RATs
      Trinitysudo
        HALCYON-RAT
        AV Evasion
      Sliaswrk
        ICARUS-HVNC
        S500-RAT
        Pandora-HVNC Source
    APT Tooling
      saxophone007
        Cobalt Strike Beacon
        XWorm v5.6 Source
    Malware Factory
      BLACKHAWKS472
        62 repos
        cyberstealer.vft
        FukedxRat.vft

How We Calculate Impact

GitHub Stars → Users multiplier: 10-20x

• Users who bothered to click a button

• A fraction of actual clones/downloads

• Nothing about npm/pip installs from these projects

• 45,537 stars

• But it's THE interface for running local LLMs

• Actual users easily 500,000+

What Happens When Pattern 38 Succeeds

The Stealc/Rhadamanthys payload steals:

✓ Browser passwords (Chrome, Firefox, Edge, Brave)
✓ Crypto wallets (MetaMask, Exodus, Coinbase, 40+ others)
✓ Discord tokens (account takeover)
✓ Telegram sessions
✓ VPN configs (NordVPN, ProtonVPN, OpenVPN)
✓ FTP credentials
✓ SSH keys
✓ 2FA backup codes

• GitHub tokens

• AWS/GCP/Azure credentials

• npm/PyPI publish tokens

• Private SSH keys

• `.env` files with API keys

Our Detection Pipeline

mermaid
flowchart TD
    subgraph "Daily Scan (06:00 UTC)"
        A[Pattern 38 Scanner] --> B[GitHub API]
        B --> C[Account Analysis]
        C --> D[Cultural Signatures]
        D --> E[Bot Detection]
    end
    
    subgraph "Enrichment"
        E --> F[OSINT Gathering]
        F --> G[VirusTotal Lookup]
        G --> H[Network Mapping]
    end
    
    subgraph "Response"
        H --> I[GitHub Report]
        H --> J[OTX Pulse]
        H --> K[STIX Bundle]
        H --> L[Blog Post]
    end
    
    style I fill:#28a745,color:#fff
    style J fill:#0088cc,color:#fff

The Suspension Scoreboard

| Account | Reported | Suspended | Time to Action | |---------|----------|-----------|----------------| | FireSuper | Nov 23 | Nov 24 | ~24 hours | | rampubg14-cmyk | Nov 23 | Nov 24 | ~24 hours | | anuxagfr | Nov 23 | Nov 24 | ~24 hours | | winchmrsmilegodsgf | Nov 23 | Nov 24 | ~24 hours | | teslafunds | Dec 3 | Dec 3 | Same day! |

GitHub is responding. When we send detailed reports with evidence, they act.

Today's Reports Sent

10 individual reports to [email protected]:

1. `DUSA-2025-1203-MUNEEB-001` - muneebwanee (Spyware) 2. `DUSA-2025-1203-MEIBO-001` - MEIBOMUIS (Crypto Drainer MaaS) 3. `DUSA-2025-1203-TRIN-001` - Trinitysudo (HALCYON-RAT) 4. `DUSA-2025-1203-BHAWK-001` - BLACKHAWKS472 (62 repo malware factory) 5. `DUSA-2025-1203-WINNTI-001` - getlook23 (Potential APT C2) 6. `DUSA-2025-1203-REDLINE-001` - teslafunds (RedLine) ✅ SUSPENDED 7. `DUSA-2025-1203-THRBVBB-001` - Thrbvbb (Crypto Drainer) 8. `DUSA-2025-1203-SLIASWRK-001` - Sliaswrk (HVNC Toolkit) 9. `DUSA-2025-1203-BATCH2-001` - 4 new accounts 10. `DUSA-2025-1203-SAX007-001` - saxophone007 (Cobalt Strike)

Get the IOCs

OTX: otx.alienvault.com/user/pduggusa

STIX Feed: analytics.dugganusa.com/api/v1/stix-feed

• Pattern 42 Reblessing: GitHub Malware Developer Network

• GitHub Malware Distribution - Dec 2-3, 2025 (Pattern 38)

• Pattern 41+38 Hybrid: Zeeeepa Bot Farm + Malware Factory

• GitHub RAT Builder Ecosystem

The Philosophy

> "Feed subscribers get IOCs first. Bad actors get public shaming second."

We publish IOCs immediately to OTX and our STIX feed. Defenders get actionable intelligence before we write blog posts. The goal is protection, not clout.

What You Can Do

1. Star hygiene: Don't trust repos just because they have stars 2. Issue skepticism: Be wary of "helpful" comments with download links 3. ZIP paranoia: Never run executables from GitHub issue comments 4. Report suspicious activity: [email protected] actually responds

*Pattern 38 detection is automated and runs daily at 06:00 UTC. Results feed into OTX within minutes. This is what "threat intelligence at machine speed" looks like.*

DugganUSA LLC - Minnesota-based threat intelligence

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]