
We Just Put 1 Million Threat Indicators Inside Your Code Editor. It's Free.

  • Writer: Patrick Duggan
  • 52 minutes ago
  • 4 min read

There are 1,080,000 indicators of compromise in our database right now. IPs running Cobalt Strike C2 servers. Domains serving STX RAT payloads. SHA256 hashes of ransomware samples. CVE IDs with weaponized proof-of-concept code live on GitHub.


As of today, all of them are searchable from inside your VS Code editor without opening a browser.


The DugganUSA Threat Intel Scanner is live on the VS Code Marketplace. Install it. Open a file. Every IP, domain, hash, and CVE in your code gets checked against our index in real time. Known-bad indicators show up as yellow warnings with enrichment details — malware family, threat type, source, cross-index hit count. Right-click any text for instant lookup.






Why This Exists


Security teams use one set of tools. Developers use another. The threat intelligence lives in SIEM dashboards and PDF reports. The code that contains hardcoded IPs, domains, and hashes lives in VS Code. Nobody connects them.


Until now, if you wanted to check whether an IP in your Terraform config was a known C2 server, you had to copy it, open a browser, paste it into VirusTotal or our search API, read the result, and go back to your editor. Four context switches for one lookup. Multiply that by every IP in every config file in every repo your team maintains.


The extension eliminates all four context switches. The intelligence is in the editor. The lookup happens on save. The result appears inline. You never leave your code.





What It Actually Does


You open a file. The extension scans the text for four pattern types:


  • IPv4 addresses — every IP that isn't localhost or a common DNS resolver

  • Domains — every domain that isn't google.com or github.com

  • SHA256 hashes — every 64-character hex string

  • CVE IDs — every CVE-YYYY-NNNNN pattern

Each candidate gets checked against our cross-index correlation API — the same API that 275+ organizations use via our STIX feed. The API searches across 44 indexes: IOCs, block events, OTX pulses, adversary profiles, CISA KEV, behavioral sessions, and more.


If there's a match, you see a yellow squiggly warning on the line with a tooltip:


"DugganUSA: 185.39.19.176 — IOC: Cobalt Strike C2 (via SSLBL) | Blocked 47x | In 3 OTX pulse(s) (12 cross-index hits)"


Click the diagnostic code to open the full correlation in your browser. Or just read the tooltip and keep coding.
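As an added example, not the extension's own code (the page does not publish it), here is a minimal scanner in TypeScript that does the same four extractions over a document, applies a local allowlist before anything would leave the editor, checks the survivors against a small constructed index standing in for the cross-index API, and formats each hit in the style of the tooltip above. The allowlists, the refanging of `[.]` notation, the short TLD list, the private-range filter, the sample index and the sample document are all assumptions made for this illustration; the 185.39.19.176 entry copies the figures from the sample tooltip, the other index entries are made up.

```typescript
// Added example, not the extension's own code. The allowlists, TLD list,
// refanging step, SAMPLE_INDEX and SAMPLE_DOC are assumptions for illustration.

type Kind = "ipv4" | "domain" | "sha256" | "cve";

interface Candidate { kind: Kind; value: string; line: number; }   // line is 1-based
interface Enrichment { value: string; label: string; source: string; blocked: number; pulses: number; hits: number; }
interface Diagnostic { line: number; kind: Kind; value: string; message: string; }

// The four pattern types the extension scans for.
const PATTERNS: { kind: Kind; re: RegExp }[] = [
  { kind: "ipv4",   re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g },
  { kind: "sha256", re: /\b[a-f0-9]{64}\b/gi },
  { kind: "cve",    re: /\bCVE-\d{4}-\d{4,}\b/gi },        // CVE IDs have four or more digits
  { kind: "domain", re: /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi },
];

// Local allowlists (assumed): these are never sent to a remote lookup.
const ALLOWED_DOMAINS = ["localhost", "google.com", "github.com"];
const RESOLVERS = ["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"];
// Without a suffix check "settings.yaml" looks like a domain; this short TLD
// list is a stand-in for the Public Suffix List a real scanner would use.
const KNOWN_TLDS = ["com", "net", "org", "io", "info", "biz", "xyz", "top", "ru", "su", "cn", "pw", "cc", "me"];

// Undo the common defanging used in incident reports ("185[.]39[.]19[.]176").
function refang(text: string): string {
  return text.replace(/\[\.\]|\(\.\)|\{\.\}/g, ".");
}

function ipv4Octets(ip: string): number[] | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const out: number[] = [];
  for (const p of parts) {
    const n = parseInt(p, 10);
    if (n > 255) return null;   // "300.1.1.1" is not an address
    out.push(n);
  }
  return out;
}

// Loopback, RFC 1918, link-local and unspecified addresses cannot be threat
// indicators, and sending them to a third-party API leaks internal topology.
function isLocalOrPrivate(o: number[]): boolean {
  return o[0] === 127 || o[0] === 10 || o[0] === 0
    || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)
    || (o[0] === 192 && o[1] === 168)
    || (o[0] === 169 && o[1] === 254);
}

function keep(kind: Kind, value: string): boolean {
  if (kind === "ipv4") {
    const o = ipv4Octets(value);
    return o !== null && !isLocalOrPrivate(o) && RESOLVERS.indexOf(value) === -1;
  }
  if (kind === "domain") {
    const tld = value.substring(value.lastIndexOf(".") + 1);
    return ALLOWED_DOMAINS.indexOf(value) === -1 && KNOWN_TLDS.indexOf(tld) !== -1;
  }
  return true;
}

// Step 1: every candidate indicator in the text, normalized, with its line.
function extractCandidates(text: string): Candidate[] {
  const out: Candidate[] = [];
  const lines = refang(text).split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    for (const spec of PATTERNS) {
      spec.re.lastIndex = 0;           // the regexes are global; reset per line
      let m: RegExpExecArray | null;
      while ((m = spec.re.exec(lines[i])) !== null) {
        const value = spec.kind === "cve" ? m[0].toUpperCase() : m[0].toLowerCase();
        if (keep(spec.kind, value)) out.push({ kind: spec.kind, value: value, line: i + 1 });
      }
    }
  }
  return out;
}

// Step 2: lookup. SAMPLE_INDEX stands in for the cross-index API; the first
// entry copies the figures from the sample tooltip above, the rest are made up.
const SAMPLE_INDEX: Enrichment[] = [
  { value: "185.39.19.176", label: "IOC: Cobalt Strike C2", source: "SSLBL", blocked: 47, pulses: 3, hits: 12 },
  { value: "c2.example.net", label: "IOC: RAT payload host", source: "example feed", blocked: 5, pulses: 1, hits: 4 },
  { value: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", label: "IOC: ransomware sample", source: "example feed", blocked: 0, pulses: 2, hits: 2 },
  { value: "CVE-2021-44228", label: "CISA KEV: Log4Shell", source: "CISA KEV", blocked: 0, pulses: 9, hits: 20 },
];

function formatMessage(e: Enrichment): string {
  return "DugganUSA: " + e.value + " - " + e.label + " (via " + e.source + ") | Blocked " + e.blocked +
    "x | In " + e.pulses + " OTX pulse(s) (" + e.hits + " cross-index hits)";
}

// Step 3: one diagnostic per candidate that the index knows about.
function scanText(text: string, index: Enrichment[]): Diagnostic[] {
  const diags: Diagnostic[] = [];
  for (const c of extractCandidates(text)) {
    for (const e of index) {
      if (e.value === c.value) diags.push({ line: c.line, kind: c.kind, value: c.value, message: formatMessage(e) });
    }
  }
  return diags;
}

// Constructed sample document (not real infrastructure).
const SAMPLE_DOC = [
  'resource "aws_security_group_rule" "egress" {',
  '  cidr_blocks = ["185.39.19.176/32", "10.0.0.0/8", "8.8.8.8/32"]',
  "}",
  "dns_server = 1.1.1.1",
  "download_url = hxxps://c2[.]example[.]net/agent.bin",
  "sha256 = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  "# patched for CVE-2021-44228; config lives in settings.yaml on github.com",
  "# copied from a report with a typo: 185.39.19.17",
].join("\n");

for (const d of scanText(SAMPLE_DOC, SAMPLE_INDEX)) {
  console.log("line " + d.line + ": " + d.message);
}
```

Run against the sample document this produces four diagnostics (the C2 IP on line 2, the refanged domain on line 5, the hash on line 6, the CVE on line 7). The resolver and the 10.0.0.0/8 block on line 2 never become candidates, and the mistyped 185.39.19.17 on line 8 is a candidate but gets no hit, which is exactly the report-typo case the page describes. The private-range filter is this example's own choice: whatever survives the allowlist is what a real extension would send to the remote API, so the filtering that happens before the lookup matters as much as the lookup itself, and a team with hardcoded internal hostnames should check what an extension excludes before enabling it repo-wide. The short TLD list keeps filenames like settings.yaml out of the candidate set but would also miss C2 domains on TLDs it does not know; a real scanner should use the Public Suffix List instead, and a version string such as 1.2.3.4 will still look like an IPv4 address to the first regex.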





Who Needs This


Security engineers reviewing infrastructure code. Your Ansible playbooks, Terraform configs, Kubernetes manifests, and CI/CD pipelines contain IP addresses and domains. Some of them were hardcoded six months ago when they were clean. They might not be clean anymore. The extension catches the drift.


SOC analysts writing incident reports. You're documenting IOCs in a markdown file or a ticket. Every indicator you type gets validated in real time. No more publishing a report with a typo'd IP that doesn't match anything.


DevSecOps teams building secure pipelines. Add the extension to your team's recommended extensions list. Every developer on the team gets passive IOC scanning on every file they touch. Supply chain indicators in committed code get caught before the PR merges.


Threat researchers writing analysis. You're documenting a campaign in VS Code. Every domain and hash in your writeup gets cross-referenced against 1.08 million indicators as you type. Your research is self-validating.





The Supply Chain Angle


This is Pattern 38 defense built into the IDE.


We've documented eleven supply chain attacks in four months — trojanized packages, poisoned download links, weaponized GitHub repositories. The common thread: an attacker embeds a malicious IP or domain in code that looks legitimate. The developer doesn't check because checking is a context switch. The indicator ships to production.


The extension makes the check automatic. If someone submits a PR that contains a hardcoded IP matching a known Cobalt Strike C2, the warning appears in the Problems panel before the reviewer reads the first line of the diff.


That's not a security audit. That's a spell-checker for threat indicators.





It's Free. Here's Why.


The extension is MIT licensed and open source on GitHub. The API has a free tier at 500 queries per day — enough for any individual developer. Paid tiers exist for teams that need higher volume.


We make the extension free because every install is a distribution point. Every developer who installs the scanner is a potential STIX feed customer, AIPM auditor, or enterprise lead. The extension is the POM in the fridge — the product placed where the audience already is, so naturally that using it doesn't feel like a sales pitch.


275+ organizations already consume our STIX feed. Microsoft, AT&T, and Starlink pull it daily. The VS Code extension is the same intelligence delivered to a different audience through a different channel. The data is the same. The distribution is new.





Install It


Three ways:


From VS Code: Open Extensions (Ctrl+Shift+X), search "DugganUSA Threat Intel", click Install.



From the command line: code --install-extension DugganUSALLC.dugganusa-threat-intel


Get a free API key at analytics.dugganusa.com/stix/register for the best experience. The extension works without one at reduced rate limits.






What's Next


The VS Code extension is the first IDE integration. The same scanning engine works anywhere developers work:


  • GitHub Action — PR checks that scan committed code for IOCs before merge

  • JetBrains plugin — IntelliJ, PyCharm, WebStorm, GoLand

  • Neovim / Vim plugin — for the terminal crowd

  • Browser extension — scan any webpage for IOCs as you read

Each one is another fridge in another room. The intelligence is the same. The distribution keeps expanding.


1,080,000 indicators. 275+ organizations. 46 countries. Now in your editor.


— Patrick





