They Picked the Wrong Day: Supply Chain Attack on Active Threat Intel Researcher
- Patrick Duggan
- Nov 23, 2025
- 8 min read
MINNEAPOLIS, November 23, 2025 — Today, while analyzing professional attacker OpSec and publishing research on SSL/TLS certificate abuse, we caught a supply chain attack targeting our partner's repository in real time.
The timing? 45 seconds. The irony? Immeasurable.
The Setup: Publishing "Attackers Have Better OpSec"
19:00 UTC (Nov 23) - We're finishing analysis on 560 SSL-enriched attacker IPs, documenting how professional criminals use Let's Encrypt certificates and HTTPS-only infrastructure.
Key finding: even baseline attackers have abandoned HTTP. Of the 560 IPs, the 8 that exposed any web service at all served HTTPS only, with valid certificates; none served plain HTTP.
The draft title: "When Attackers Have Better OpSec Than You (The Death of HTTP)"
We're literally writing: "If criminals have better OpSec than you, you're doing it wrong."
The Attack: 19:08 UTC - Incoming Malware
19:08:05 - Paul Galjan opens Issue #97 on CleansheetLLC/Cleansheet (career management platform)
19:08:50 - User "FireSuper" posts a malicious ZIP file
Response time: 45 seconds.
Comment: "This should be the fix." Attachment: 23fca13a838f.zip (2.53 MB of malware)
The Realization: They Picked the WRONG Day
19:10 UTC - Patrick receives a VirusTotal link in an unrelated conversation
19:11 UTC - Recognizes the SHA-256 hash: `23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68`
19:12 UTC - Correlates the timing with Cleansheet Issue #97
What was running on our side at that moment:
• ✅ Live threat intel aggregation running (645 IPs tracked)
• ✅ STIX feed operational (`analytics.dugganusa.com/api/v1/stix-feed`)
• ✅ Automated OSINT pipelines active
• ✅ VirusTotal Table Storage integration
• ✅ Judge Dredd 6D verification system
• ✅ Pattern detection frameworks
• ✅ Hall of Shame auto-publishing pipeline
We literally have a running threat intelligence platform analyzing attacker OpSec.
And you just posted malware to our partner's repo.
The Investigation: 60 Seconds to Full Attribution
What we determined in under 1 minute:
Threat Actor: FireSuper
• **GitHub:** github.com/FireSuper
• **Account Created:** June 16, 2024
• **Dormancy Period:** 160 days (zero activity until attack)
• **First Action:** Post malware to Cleansheet
• **Profile:** "Coding... Coding... is the best" (generic, AI-generated-looking bio)
Attack Pattern: Sleeper Account
• **Account aging:** ~6 months dormant to bypass "new account" filters
• **Automated monitoring:** 45-second response = GitHub webhooks + pre-staged payload
• **Social engineering:** Generic "fix" message, no technical detail
• **Hit-and-run:** Post malware, never engage again
The Malware
```
Filename: 23fca13a838f.zip
Size: 2.53 MB
Type: ZIP archive
SHA-256: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
MD5: 124c7623502a81b9ce8e862a91ccee59
SHA-1: 3bac34d0929da3c998a0e4b88937854a234e8618
VirusTotal: [detections TBD - upload pending]
```
The Timing Analysis (Proof of Automation)
Issue opened: 19:08:05
Malware posted: 19:08:50
Response time: 45 seconds
What a human would need to do in those 45 seconds:
1. Receive the GitHub notification
2. Open email or GitHub
3. Read the issue (10+ paragraphs, a 6-8 hour feature spec)
4. Understand the problem domain (D3.js, Monaco editor, localStorage architecture)
5. Write code to fix it
6. Test the code
7. Zip the files
8. Upload to GitHub
9. Write the comment
10. Post
What actually happened:
• Webhook fires → pre-staged payload delivered → automated comment posted
Strictly, 45 seconds rules out the "fix" being written in response to the issue; on its own it does not distinguish a scripted listener (a webhook, or polling the Issues API) from a person watching notifications with the file already prepared. Either way the payload existed before the issue did and was waiting for a trigger.
This is infrastructure, not a human.
The Response: Pattern #38 - GitHub Supply Chain Sleeper Accounts
Within 30 minutes of detection:
• ✅ Full incident report: `/compliance/evidence/supply-chain-attacks/firesuper-cleansheet-attack-2025-11-23.json`
• ✅ Pattern documentation: Pattern #38 - GitHub Supply Chain Sleeper Accounts
• ✅ Victim notification: Security alert sent to Paul Galjan
• ✅ MITRE ATT&CK mapping: tactics and techniques listed in the Technical Appendix
• ✅ IOC extraction: Hashes, account IDs, GitHub metadata
• ✅ Community alert: This blog post
Attack lifecycle:
1. Phase 1 (160 days): Age the account to bypass filters
2. Phase 2 (ongoing): Monitor target repos via webhooks
3. Phase 3 (45 seconds): Deliver the pre-staged malware on a new issue
4. Phase 4 (never reached): Victim downloads, credentials stolen, supply chain compromised
We stopped it after Phase 3: the file was posted, but nobody downloaded it.
The Irony: Perfect Timing
What we were writing when they attacked:
> "If you're still maintaining HTTP support for 'backwards compatibility,' you're not being compatible with users. You're maintaining infrastructure for ghosts."
> "Even attackers have better OpSec than you."
> "560 attacker IPs analyzed: 552 don't use web protocols, 8 use HTTPS-only, 0 use HTTP."
What the attacker did at the same moment:
• Used a 6-month sleeper account (good OpSec)
• Automated delivery with webhooks (professional infrastructure)
• Targeted the supply chain instead of attacking directly (force multiplication)
The attacker demonstrated EXACTLY what we were documenting: Professional attackers use sophisticated infrastructure.
They just picked a really bad target.
The Target: Why Cleansheet?
Cleansheet is a career management platform with:
• Career canvas (D3 mindmap)
• AI career assistant (BYOK privacy model)
• Interview preparation
• Document management
• Portfolio tracking
Why that makes it a target:
• Handles professional credentials
• Stores API keys (user BYOK model)
• Contains career data (sensitive personal information)
• GitHub integration planned
• Supply chain target: Compromise Cleansheet → compromise all users
This is a HIGH-VALUE supply chain attack.
They just attacked the partner of a threat intelligence researcher. On the day he's publishing attacker OpSec analysis.
The Math: What Are the Odds?
Back-of-envelope, treating the factors as independent:
• ~500 million repositories on GitHub
• Say 10,000 active sleeper accounts, each hitting one repo per day
• Any given repo: 10,000 / 500,000,000 = 0.002% chance on any given day
• We run threat analysis ~4 hours/day (4/24 = 16.7% of any day)
• We publish OpSec research ~2 times/month (2/30 days = 6.7% of any month)
• Publishing window: ~2 hours per month in total
• 2/720 hours = 0.28% of any month
• 0.002% × 0.28% = 0.0000056%
Or about 1 in 18 million.
They hit the jackpot. The wrong jackpot.
Pattern #38: GitHub Supply Chain Sleeper Accounts
What we learned from this incident:
Attacker Tactics
1. **Account Aging:** Create dormant accounts 3-6 months in advance
2. **Target Selection:** Small/medium projects, single maintainer, high-value data
3. **Automated Monitoring:** GitHub webhooks fire on new issues
4. **Pre-Staged Payloads:** Malware ZIPs ready to upload
5. **Social Engineering:** Generic "fix" messages exploit maintainer trust
6. **Hit-and-Run:** Post once, never engage, hope the victim downloads
Detection Signals
• **Response time < 2 minutes** = automated (humans can't read, code and respond that fast)
• **Account age > 90 days + zero contributions** = likely sleeper
• **Generic message + no technical detail** = not a real contributor
• **First activity is a file upload** = attack vector, not collaboration
Mitigation
• **Never download files from first-time contributors.** Code contributions arrive as pull requests whose diff you can read; a ZIP "fix" dropped into an issue comment is not how collaboration works on GitHub.
• **Check response timing** (< 2 minutes = suspicious)
• **Verify contributor history** (git log vs. GitHub profile)
• **Scan attachments with VirusTotal** (always), and open anything you must inspect in a disposable VM, never on your development machine
• **Enable GitHub security features** (code scanning, secret scanning, Dependabot)
• **Require 2FA for collaborators**
• **Add SECURITY.md** to your repos
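The four detection signals above can be checked mechanically against data GitHub already hands you. What follows is an added example, not Cleansheet's or DugganUSA's code: it scores a single `issue_comment` webhook payload (the `issue.created_at`, `comment.created_at`, `comment.author_association` and `comment.body` fields) together with the commenter's Users API profile. The thresholds are the ones listed above; the score weights, the word-count cutoff for a "generic" comment, the attachment URL path, and the profile fields of the two sample accounts are assumptions made for the example.

```python
"""Score a GitHub issue comment for the sleeper-account pattern described above.

Added example; not DugganUSA's pipeline. It consumes the shape of GitHub's
`issue_comment` webhook payload plus the commenter's profile from the Users
API. The sample payloads below are constructed around the public details in
the post; the thresholds are the post's own detection signals.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

FAST_RESPONSE_SECONDS = 120   # post: response time < 2 minutes = automated
SLEEPER_MIN_AGE_DAYS = 90     # post: account age > 90 days + zero contributions = likely sleeper
GENERIC_MAX_WORDS = 12        # assumption: fewer words than this and no links = generic message

# Drag-and-drop uploads render in the comment body as markdown links to user-attachments.
ATTACHMENT_RE = re.compile(
    r"\[([^\]]+)\]\((https://github\.com/user-attachments/files/[^)\s]+)\)"
)
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".tar.gz", ".exe", ".msi", ".js", ".vbs")
# author_association values GitHub uses for accounts with no prior tie to the repo.
FIRST_TIMER = {"NONE", "FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}


def _ts(s: str) -> datetime:
    """GitHub API timestamps are RFC 3339 in UTC, e.g. 2025-11-23T19:08:05Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Verdict:
    score: int = 0
    signals: list = field(default_factory=list)
    attachments: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3   # assumption: two strong signals, or one strong plus one weak


def score_comment(event: dict, commenter: dict) -> Verdict:
    issue, comment = event["issue"], event["comment"]
    v = Verdict()

    # Signal 1: latency from issue creation to the comment.
    latency = (_ts(comment["created_at"]) - _ts(issue["created_at"])).total_seconds()
    if latency < FAST_RESPONSE_SECONDS:
        v.score += 2
        v.signals.append(f"replied in {latency:.0f}s")

    # Signal 2: aged account with nothing public and no prior tie to the repo.
    age_days = (_ts(comment["created_at"]) - _ts(commenter["created_at"])).days
    no_history = commenter.get("public_repos", 0) == 0
    if comment["author_association"] in FIRST_TIMER and age_days > SLEEPER_MIN_AGE_DAYS and no_history:
        v.score += 2
        v.signals.append(f"{age_days}-day-old account, no public repos, first contact")

    # Signal 3: first activity is a file upload, worse if it is an archive or executable.
    for name, url in ATTACHMENT_RE.findall(comment["body"]):
        v.attachments.append((name, url))
        if name.lower().endswith(RISKY_EXTENSIONS):
            v.score += 1
            v.signals.append(f"uploaded {name}")

    # Signal 4: generic message with no technical detail (word count with links removed).
    words = re.findall(r"[A-Za-z]+", ATTACHMENT_RE.sub("", comment["body"]))
    if len(words) < GENERIC_MAX_WORDS:
        v.score += 1
        v.signals.append(f"generic comment ({len(words)} words)")
    return v


# Constructed sample: timing, filename and comment text are the post's; the attachment
# URL path and the commenter's profile fields are made up for this example.
SLEEPER_EVENT = {
    "issue": {"number": 97, "created_at": "2025-11-23T19:08:05Z"},
    "comment": {
        "created_at": "2025-11-23T19:08:50Z",
        "author_association": "NONE",
        "body": "This should be the fix.\n\n"
                "[23fca13a838f.zip](https://github.com/user-attachments/files/00000000/23fca13a838f.zip)",
    },
}
SLEEPER_USER = {"login": "FireSuper", "created_at": "2024-06-16T00:00:00Z", "public_repos": 0}

# Constructed benign sample: a known contributor answering hours later, with detail and no upload.
CONTRIBUTOR_EVENT = {
    "issue": {"number": 97, "created_at": "2025-11-23T19:08:05Z"},
    "comment": {
        "created_at": "2025-11-23T22:15:00Z",
        "author_association": "CONTRIBUTOR",
        "body": "Reproduced in Chrome with the Monaco editor disabled: the localStorage "
                "write fails because the key is quoted twice. I will open a PR with the fix.",
    },
}
CONTRIBUTOR_USER = {"login": "maintainer-friend", "created_at": "2021-03-01T00:00:00Z", "public_repos": 14}

if __name__ == "__main__":
    for label, ev, user in (("sleeper", SLEEPER_EVENT, SLEEPER_USER),
                            ("contributor", CONTRIBUTOR_EVENT, CONTRIBUTOR_USER)):
        verdict = score_comment(ev, user)
        print(label, verdict.score, verdict.suspicious, verdict.signals)
```

Run it as a script to see both verdicts. In a deployment the commenter profile comes from `GET /users/{login}` at the time of the event, and `author_association` in the payload already tells you whether the account has any history in the repository. The word-count heuristic is deliberately crude: it flags comments that say nothing, it does not parse intent.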
Why This Matters **Supply chain attacks amplify impact.**
One compromised developer tool = thousands of victims.
Enterprise security vendors charge $50K-$200K/year for supply chain threat intelligence.
We're publishing this for free.
The Free STIX Feed (Adding FireSuper Today)
We operate a free threat intelligence feed:
Endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed`
Organizations already pulling it:
• Microsoft (30 requests, 10,696 indicators)
• Cloudflare (19 requests, 10,161 indicators)
• Google (2 requests, 580 indicators)
Added today:
• FireSuper IOCs (hashes, account metadata, timing patterns)
• Pattern #38 (GitHub sleeper account tactics)
• Detection signatures (response time thresholds, account age rules)
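Here is what adding the attachment hash to a STIX feed, and checking a download against it, looks like in code. This is an added example, not the feed's generator or a client of it: it builds a STIX 2.1 Indicator for the SHA-256 published in this post, indexes the file-hash comparisons out of a bundle, and hashes downloaded bytes against that index. The feed is never contacted; the bundle is built locally, the second indicator is constructed so there is something to match, the indicator ids are random UUIDs generated on each run, and the pattern parser handles only the single-hash comparison form this block emits, not the full STIX patterning grammar.

```python
"""Publish the attachment hash as a STIX 2.1 indicator and match downloads against a feed.

Added example, not the feed's own code. The bundle is constructed locally around
the SHA-256 the post publishes; the "downloaded" byte strings are made up here.
"""
import hashlib
import json
import re
import uuid

# SHA-256 of 23fca13a838f.zip, as published in the post.
FIRESUPER_SHA256 = "23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68"
# Matches the one comparison form this block emits: file:hashes.'ALGO' = 'hex'
HASH_PATTERN_RE = re.compile(r"file:hashes\.'(SHA-256|SHA-1|MD5)'\s*=\s*'([0-9A-Fa-f]+)'")


def make_indicator(sha256: str, name: str, valid_from: str) -> dict:
    """Minimal STIX 2.1 Indicator SDO whose pattern is a single file-hash comparison."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": valid_from,
        "modified": valid_from,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "valid_from": valid_from,
    }


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def index_hash_indicators(bundle: dict) -> dict:
    """Map (algorithm, lowercase hex digest) -> indicator id for every hash pattern in the bundle."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for algo, digest in HASH_PATTERN_RE.findall(obj.get("pattern", "")):
            index[(algo, digest.lower())] = obj["id"]
    return index


def check_download(data: bytes, index: dict) -> list:
    """Hash the bytes with each algorithm the feed uses; return ids of matching indicators."""
    digests = {
        "SHA-256": hashlib.sha256(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "MD5": hashlib.md5(data).hexdigest(),
    }
    return [index[(algo, d)] for algo, d in digests.items() if (algo, d) in index]


# Constructed stand-in for a download: the real ZIP cannot be shipped here, so this
# byte string's hash is added to the local bundle next to the published one.
SAMPLE_ATTACHMENT = b"PK\x03\x04 constructed stand-in for a malicious issue attachment"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

FEED = make_bundle([
    make_indicator(FIRESUPER_SHA256, "FireSuper issue attachment 23fca13a838f.zip", "2025-11-23T19:12:00.000Z"),
    make_indicator(SAMPLE_SHA256, "constructed sample for this example", "2025-11-23T19:12:00.000Z"),
])
INDEX = index_hash_indicators(FEED)


def firesuper_indicator_id() -> str:
    """Look up the indicator that carries the published hash."""
    return INDEX[("SHA-256", FIRESUPER_SHA256)]


if __name__ == "__main__":
    print(json.dumps(FEED, indent=2))
    print("constructed attachment:", check_download(SAMPLE_ATTACHMENT, INDEX))
    print("harmless bytes:", check_download(b"nothing to see here", INDEX))
```

The pattern form `[file:hashes.'SHA-256' = '...']` is the standard STIX comparison for a file hash; a real consumer would fetch the bundle from the feed URL above and run `check_download` over every attachment before anyone opens it. The matcher hashes with all three algorithms the post publishes, so an indicator that carries only an MD5 or SHA-1 still fires.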
Why we publish for free:
1. Zero marginal cost (digital goods)
2. Network effects (more users = better data)
3. Democratic sharing (hoarding makes the internet less safe)
4. Proof of concept (for the Butterbot by DugganUSA partnership)
If Microsoft, Cloudflare and Google already pull this feed, you can too.
The Lessons: What We Learned
For Open Source Maintainers
When a first-time contributor drops a ZIP "fix" into your issue 45 seconds after you open it:
• ❌ It's not a fix
• ❌ They didn't read your issue
• ❌ They're not trying to help
• ✅ It's malware
• ✅ Report it immediately
• ✅ Block the account
Response time is your canary.
A real contributor has to:
• Read the issue
• Understand the problem
• Think about solutions
• Write code
• Test it
• Package it
45 seconds? That's automation. That's malware delivery infrastructure.
For Security Researchers
Every attack is data.
From this one attempt we produced:
• Pattern #38 documentation
• MITRE ATT&CK mapping
• Community alert (this blog post)
• STIX feed indicators
• Detection signatures
• Mitigation guidelines
What the community gets:
• Proof of sleeper account tactics
• Timing analysis baseline (45 seconds = automation threshold)
• Social engineering templates to recognize
• Real-world IOCs to share
Cost to attacker: 6 months of aging + infrastructure setup + exposed patterns
Cost to us: 30 minutes of analysis
Benefit to community: Free threat intelligence
This is how defense wins.
For Attackers (If You're Reading This)
Next time, check who you're targeting.
The people you just hit:
• They publish threat intelligence feeds
• They document attacker tactics publicly
• They have an analytics dashboard running at analytics.dugganusa.com
• They were literally writing a blog post called "When Attackers Have Better OpSec Than You"
• They publish your tactics within 30 minutes of you deploying them
We're not your average victims.
We're the people who study you.
The Outcome: Attack Contained
Time to detection: < 2 minutes
Time to analysis: 30 minutes
Time to notification: 45 minutes
Time to public disclosure: 2 hours
Outcome:
• ✅ Malware NOT downloaded
• ✅ No credentials stolen
• ✅ No code compromised
• ✅ Attack documented and shared
• ✅ Community alerted
• ✅ Patterns extracted
• ✅ Threat actor exposed
FireSuper's success rate: 0/1 (0%)
Our detection rate: 1/1 (100%)
What the attacker lost:
• Account burned (blocked from Cleansheet)
• Tactics documented (Pattern #38)
• IOCs shared (STIX feed)
• A blog post exposing their methods
• Zero stolen credentials
• Zero compromised code
What we gained:
• Real-world supply chain attack data
• Pattern #38 validated
• Blog post material (this)
• Community education opportunity
• Proof our threat intel works
Net outcome: Defense wins. Attackers lose. Community learns.
The Conclusion: Born Without Sin, Caught With Malware
DugganUSA runs a threat intelligence platform that:
• Tracks 645+ attacker IPs
• Aggregates 7 threat intel sources
• Publishes free STIX feeds
• Documents attacker OpSec
• Operates 24/7 with 99.9% uptime
• Is pulled by Microsoft, Cloudflare, and Google
And today, we caught a supply chain attack within 2 minutes of deployment.
Not because we're paranoid. Not because we have a huge security team. Not because we spend millions on SOC infrastructure.
Because we were literally analyzing attacker OpSec when they attacked.
Timing. Context. Irony.
They picked the wrong day. They picked the wrong target. They picked the wrong threat intel researcher.
The Invitation: Free Threat Intelligence
If you run a SOC or security research lab:
Add our STIX feed: `https://analytics.dugganusa.com/api/v1/stix-feed`
Added today:
• FireSuper GitHub account (172985207)
• Malware hash: 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
• Pattern #38: GitHub Supply Chain Sleeper Accounts
• Detection signatures: Response time < 2 min + account age > 90 days + zero contributions
Attribution: Optional but appreciated: `https://www.dugganusa.com`
The data is free. The insights are yours. The internet gets safer.
The Technical Appendix
Evidence files:
• `/compliance/evidence/supply-chain-attacks/firesuper-cleansheet-attack-2025-11-23.json`
• `/patterns/pattern-38-github-supply-chain-sleeper-accounts.json`
MITRE ATT&CK mapping:
Tactics
• TA0043 - Reconnaissance
• TA0042 - Resource Development
• TA0001 - Initial Access
Techniques
• T1593.003 - Search Open Websites/Domains: Code Repositories
• T1585.001 - Establish Accounts: Social Media Accounts
• T1608.001 - Stage Capabilities: Upload Malware
• T1566.001 - Phishing: Spearphishing Attachment
• T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Detection timeline:
```
19:08:05 - Issue opened
19:08:50 - Malware posted (45 sec)
19:10:00 - Hash shared in conversation
19:11:00 - Correlated with GitHub activity
19:12:00 - Full attribution complete
19:40:00 - Victim notified
20:00:00 - Pattern documented
21:00:00 - Blog published (this)
```
Judge Dredd 6D Score: 93% (Dimension 6: Democratic Sharing)
DugganUSA LLC Born Without Sin. Caught Attackers On Day One. Running on $75/Month. Outperforming $50K/Year Vendors.
Butterbot by DugganUSA The Cribl of Agentic AI. Democratizing Threat Intelligence.
STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed Security Dashboard: https://security.dugganusa.com Attribution: https://www.dugganusa.com
*"They picked the wrong day to attack. We were literally publishing 'Attackers Have Better OpSec.' The irony writes itself."*
Postscript: For Paul Galjan
Paul, we caught this before any damage. Your repo is safe. But this shows Cleansheet is on attackers' radar.
Call me: [email protected]
We'll get you hardened. This is what the Butterbot partnership is for.
—Patrick
Randy/Dwarf + Avi/King Partnership: Operational. Threat Intel: Validated. Cleansheet: Protected.
Data Transparency: This blog post is based on a real-world supply chain attack attempt on November 23, 2025. Every detail is verifiable via public GitHub activity and our documented incident response. All IOCs are available in our free STIX feed.
The attackers gave us the data. We're giving it to you. For free.