DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Threat Update: Metro4Shell, GlassWorm, and China's UAT-8837

Patrick Duggan
Feb 4
2 min read

# Threat Update: Metro4Shell, GlassWorm, and China's UAT-8837

**Published:** February 4, 2026

**Author:** DugganUSA Threat Intelligence

**Classification:** TLP:WHITE

Critical: Metro4Shell (CVE-2025-11953) - CVSS 9.8

A critical vulnerability in the **Metro Development Server** bundled with React Native CLI is under active exploitation as of February 3, 2026.

| Detail | Value |

|--------|-------|

| CVE | CVE-2025-11953 |

| Name | Metro4Shell |

| CVSS | 9.8 (Critical) |

| Affected | React Native CLI npm package |

| Vector | Remote Code Execution |

**If you're running React Native development environments, patch immediately.**

Supply Chain: GlassWorm via Open VSX Registry

On February 2, 2026, researchers disclosed a supply chain attack targeting the **Open VSX Registry** - the open-source alternative to Microsoft's VS Code Marketplace.

Threat actors compromised a legitimate developer's publishing credentials and pushed malicious updates to existing extensions. The payload: **GlassWorm** - a multi-stage loader that establishes persistence and downloads secondary payloads.

This follows last week's ClawdBot/Moltbot supply chain attack on Microsoft's Marketplace. The pattern is clear: **AI coding tool ecosystems are now prime targets.**

Mitigation

- Audit recently updated VS Code extensions

- Pin extension versions in team environments

- Monitor for unexpected network connections from VS Code processes

APT Watch: UAT-8837 (China-Nexus)

Cisco Talos is tracking **UAT-8837**, a China-aligned APT focused on obtaining initial access to high-value organizations in North American critical infrastructure.

| Attribute | Assessment |

|-----------|------------|

| Origin | China (medium confidence) |

| Target | NA Critical Infrastructure |

| Objective | Initial Access |

| Active Since | 2025 |

This actor joins Linen Typhoon (APT27) and Violet Typhoon (APT31) in the growing roster of Chinese state-aligned threats targeting Western infrastructure.

New Tool: PeckBirdy C2 Framework

Security researchers have documented **PeckBirdy**, a JScript-based command-and-control framework used by China-aligned APT actors since 2023. Primary targets include:

- Chinese gambling industry operations

- Asian government entities

The framework's JScript implementation makes it harder to detect with traditional endpoint tools focused on PowerShell and binary payloads.

Our Perimeter

DugganUSA automated defenses continue blocking Chinese IP ranges aggressively. Today's highlight:

- **101.198.0.x range** - Beijing Qihu Technology (360 Security)

- Asshole scores: 118-130

- MITRE: TA0001 Initial Access, T1190 Exploit Public-Facing Application

These IPs are available in our STIX 2.1 feed.

Recommendations

1. **React Native devs:** Check for Metro4Shell patches, update React Native CLI

2. **VS Code users:** Audit extensions updated in the last 7 days

3. **Critical infrastructure:** Review network logs for UAT-8837 TTPs

4. **Block** the 101.198.0.x range if you have no China business requirement

IOC Feed

Real-time indicators: `https://analytics.dugganusa.com/api/v1/stix-feed`

*Questions? [email protected]*

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*