Who Got Pwned Overnight: Fortinet Deadline Today, Sedgwick Update, and 1,700 Poisoned Packages
- Patrick Duggan
- 2 days ago
- 4 min read
This is your morning sweep. Everything that matters from overnight. IOCs at the bottom. Free STIX feed link at the bottom. If your SIEM pulled our feed last night, some of these were already blocked before you read this sentence.
If it didn't — keep reading.
CISA Deadline: Today. Right Now.
CVE-2026-35616 — Fortinet FortiClient EMS. Pre-authentication API access bypass leading to privilege escalation. CVSS 9.1. CISA added it to the KEV catalog on April 6 and gave federal agencies until today — April 9 — to patch.
If you run FortiClient EMS versions 7.4.5 through 7.4.6, the patch window closed at midnight. Zero-day exploitation was observed by Defused Cyber earlier this week. Emergency hotfixes are available. Full patch expected in v7.4.7.
Our exploit harvester caught the 0xBlackash PoC repo on GitHub. That means the exploit code is public, documented, and in our index. Script kiddies have it. APTs had it first.
The Sedgwick Update
We wrote about this in January. "The Gap Is The Mission" — TridentLocker hit Sedgwick Government Solutions on New Year's Eve 2025. Sedgwick handles workers' comp claims for DHS, ICE, CBP, USCIS, DOL, and CISA.
Here's what we know now that we didn't in January:
Initial access was November 16, 2025 — through an SFTP vulnerability. Eighteen days before detection. 3.4 GB exfiltrated including SSNs, medical records, PHI, and completed World Trade Center Health Program forms. Breach notification didn't go out until February 11 — nearly three months after compromise.
The World Trade Center Health Program. That's 9/11 first responders. Their medical records are now on a ransomware gang's leak site.
CISA — the agency that tells everyone else to patch — had their own vendor breached. CISA did not respond to requests for comment.
TridentLocker now has 12+ victims including Belgium's national postal service (bpost, 30 GB stolen). Still no public IOCs from the threat intel community. We flagged this gap in January. It's still open.
1,700 Poisoned Packages — North Korea's Contagious Interview
The DPRK's Contagious Interview campaign has published 1,700 malicious packages across npm, PyPI, Go, and Rust. As of yesterday.
This is the supply chain play. Same pattern we've been documenting since Pattern 38 — except this is nation-state, not criminal. North Korean operators are poisoning the package managers that developers pull from every day. They don't need to breach your network. They need you to run npm install.
If you run automated builds that pull from public registries without pinning versions and verifying checksums, you are running North Korean code on your infrastructure. That's not hyperbole. That's the math.
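A concrete check for the build condition above, as an added example that is not part of the original post: it audits a package.json/package-lock.json pair for unpinned ranges, missing integrity hashes and tarballs resolved from somewhere other than the expected registry, then shows the integrity comparison itself. The manifest and lockfile are constructed samples (npm lockfileVersion 3 layout); `mirror.example.internal` and the placeholder digests are invented.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample manifest and lockfile (npm lockfileVersion 3 layout);
# they are not taken from any real project, and the integrity values are
# obvious placeholders rather than real digests.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "left-pad": "^1.3.0",
    "express": "4.19.2",
    "lodash": "4.17.21"
  }
}"""

SAMPLE_LOCK_JSON = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0", "express": "4.19.2", "lodash": "4.17.21"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/express": {
      "version": "4.19.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://mirror.example.internal/lodash-4.17.21.tgz",
      "integrity": "sha512-PLACEHOLDER"
    }
  }
}"""

# An exact version, optionally with a prerelease tag. Anything else (^, ~,
# ranges, "latest", git URLs) lets the registry choose what you install.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def audit_dependencies(package_json_text, lock_text,
                       allowed_registry="https://registry.npmjs.org/"):
    """Return sorted (package, issue) pairs for a manifest/lockfile pair.

    Issues: "unpinned" (range in package.json), "no-integrity" (lock entry
    without a subresource-integrity hash), "no-resolved" (no source URL) and
    "foreign-registry" (resolved from somewhere other than allowed_registry).
    """
    manifest = json.loads(package_json_text)
    lock = json.loads(lock_text)
    findings = set()
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                findings.add((name, "unpinned"))
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if "integrity" not in entry:
            findings.add((name, "no-integrity"))
        resolved = entry.get("resolved", "")
        if not resolved:
            findings.add((name, "no-resolved"))
        elif not resolved.startswith(allowed_registry):
            findings.add((name, "foreign-registry"))
    return sorted(findings)


def make_integrity(data):
    """Build an SRI string the way npm records it: algorithm, dash, base64 digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_integrity(data, integrity):
    """Check tarball bytes against a lockfile integrity string.

    npm may record several space-separated hashes; any match is enough.
    Unknown algorithms or malformed base64 count as failures, not passes.
    """
    for item in integrity.split():
        algo, _, digest_b64 = item.partition("-")
        if algo not in ("sha512", "sha384", "sha256"):
            continue
        try:
            expected = base64.b64decode(digest_b64, validate=True)
        except ValueError:
            continue
        if hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
            return True
    return False


if __name__ == "__main__":
    for name, issue in audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON):
        print(f"{name}: {issue}")
    blob = b"constructed tarball bytes"
    print(verify_integrity(blob, make_integrity(blob)))
```

Run it in CI against the real files and fail the build on any finding; `npm ci` already refuses to install when a lockfile hash does not match, so the point of the audit is catching entries that never had a hash or a pin to begin with. Only the v2/v3 `packages` layout is parsed; a lockfileVersion 1 file nests under `dependencies` and would need its own walker.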
Iran Password-Spraying Microsoft 365
Iran-nexus actors are running password-spraying campaigns against Microsoft 365 tenants in Israel and the UAE. Three documented attack waves: March 3, 13, and 23. CISA issued a joint advisory yesterday on ongoing cyber exploitation of internet-connected OT devices. The Iran OT advisory lands while Handala is still racking up victims — 23 in March alone, 33 total in 2026. Our Handala wiper post is still the top-performing post on the blog at 1,817 views.
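The detection side of the password-spraying item above, as an added example that is not part of the original post: a spray is one source failing against many distinct accounts in a short window, so the rule counts accounts per source IP rather than raw failures. The sign-in lines are constructed in a simplified text form, not the real Microsoft 365 / Entra sign-in export layout, and the IPs are documentation addresses; adapting the parser to your tenant's log fields is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in events in a simplified text form (not the Entra/M365
# export format); IPs are from the documentation ranges. The first source
# tries eight different accounts once each (the spray shape), the second
# hammers one account (a different problem), the third is an ordinary login.
SAMPLE_LOG = [
    f"2026-03-03T08:0{i}:00Z src=203.0.113.10 user=user0{i + 1}@example.com result=FAIL"
    for i in range(8)
] + [
    f"2026-03-03T08:1{i}:00Z src=198.51.100.7 user=bob@example.com result=FAIL"
    for i in range(6)
] + [
    "2026-03-03T08:20:00Z src=192.0.2.5 user=alice@example.com result=SUCCESS",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"].lower(), m["result"]


def detect_spray(lines, window_seconds=600, min_accounts=5):
    """Map source IP -> sorted accounts when one IP fails against at least
    min_accounts distinct accounts inside any window_seconds-long window.

    Counting distinct accounts rather than failures is what separates a spray
    (many accounts, one or two attempts each) from a brute force on a single
    account, and keeps one user mistyping a password from tripping the rule.
    """
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        if result == "FAIL":
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # slide the window's left edge forward until it spans <= window_seconds
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts sprayed: {', '.join(users)}")
```

The per-IP key is the simplest version of the rule; operators that spread a spray across many addresses will stay under it, so the same distinct-account count is usually also run per ASN or per client user-agent string, and a low-and-slow spray needs a longer window with a higher threshold.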
Russia: 18,000 Networks, Auth Tokens
Russian military intelligence units are exploiting known flaws in older internet routers to mass-harvest Microsoft Office authentication tokens. 18,000+ networks affected. They're not using zero-days. They're using the patches you didn't apply.
The Broader Damage Report
Breaches confirmed overnight:
CareCloud — millions of patient medical records accessed.
Intellihartx — 500,000+ patients, SSNs included.
DocketWise — 116,000 law firm records exposed via valid credential abuse.
Drift (Solana DEX) — $285 million drained.
NAFCO — Worldleaks ransomware, 13 million support tickets and 15,000 employee records.
Hims and Hers — customer support tickets stolen via third-party platform.
Ericsson US — data breach after service provider compromise.
The healthcare sector is getting shredded. CareCloud, Intellihartx, the Sedgwick WTC data, the Baltimore Medical System SSN exposure — four healthcare-adjacent breaches in one sweep. If you're in healthcare IT and your SIEM isn't pulling threat feeds, you are not doing your job. That sounds harsh. It's also true.
CVEs You Need to Know About Right Now
CVE-2026-35616 — Fortinet FortiClient EMS. CVSS 9.1. CISA deadline today. Patch or perish.
CVE-2026-20131 — Cisco Secure Firewall Management Center. CVSS 10.0. Interlock ransomware exploited this as a zero-day since January 26. Pre-authentication RCE via insecure deserialization.
CVE-2026-5281 — Chrome zero-day. Use-after-free in Dawn. CISA KEV deadline April 15.
CVE-2025-59528 — Flowise AI platform. CVSS 10.0. Code injection enabling RCE. 12,000+ exposed instances. We ingested the IOCs last week.
CVE-2026-5027 — Langflow. Path traversal to cron injection. Two weaponized PoCs on GitHub. We published on this last night — three Langflow CVEs in two weeks.
CVE-2025-55182 — Next.js React2Shell. CVSS 10.0. 766 hosts compromised in a credential-harvesting operation targeting AWS secrets, SSH keys, Stripe API keys, and GitHub tokens. Our own research found this one.
The Feed Argument
Every IOC in this post is in our STIX feed. The Langflow exploiter IPs, the Fortinet PoC detection rules, the Flowise indicators — all indexed, all available, all free under 500 queries a day.
If Sedgwick's monitoring stack had been pulling a threat feed that indexed TridentLocker infrastructure, they might have caught the SFTP exploitation before 18 days elapsed. If healthcare organizations running Langflow or Flowise had been blocking the IPs in our index, they would have stopped the reconnaissance before the exploitation.
We're not saying our feed would have stopped every breach in this post. We're saying that automated IOC consumption is the difference between finding out from a blog post and finding out from your SIEM. One of those timelines ends with a breach notification to 500,000 patients. The other ends with a blocked connection in a firewall log.
The feed is free. The IOCs are current. The alternative is reading about it in the morning news and hoping you weren't one of the targets.
analytics.dugganusa.com/api/v1/stix-feed
CSV exports for SIEMs that can't parse STIX:
analytics.dugganusa.com/api/v1/stix-feed/ips.csv
analytics.dugganusa.com/api/v1/stix-feed/hashes.csv
analytics.dugganusa.com/api/v1/stix-feed/domains.csv
OPNsense-compatible blocklists are also available.
1,058,540 IOCs indexed as of this morning. Pull from a script. Block at the firewall. The cost of the block is zero. The cost of the breach is everything.
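What "pull from a script, block at the firewall" looks like end to end, as an added example that is not part of the original post or of DugganUSA's own tooling: it takes a STIX bundle, keeps only live indicator objects with STIX patterns, validates each observable before it can reach a blocklist, and renders the plain one-per-line form. The bundle here is constructed so the script runs offline (documentation-range IPs, an invented domain and hash); that the live feed uses standard STIX 2.1 indicator objects with this pattern syntax is an assumption, and the script does not call the feed URL itself.

```python
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle standing in for one pull of a feed. The IDs,
# addresses (documentation ranges), domain and hash are invented so this runs
# offline; none of them is a real indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.42']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'c2.example.net'] OR [ipv4-addr:value = '198.51.100.9']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000004",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000005",
         "revoked": True,
         "pattern": "[ipv4-addr:value = '192.0.2.1']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000006",
         "pattern": "[ipv4-addr:value = 'not-an-address']"},
        {"type": "malware", "spec_version": "2.1", "is_family": False,
         "id": "malware--0a1b2c3d-0000-4000-8000-000000000007", "name": "sample"},
    ],
})

# One observable comparison inside a STIX pattern; finditer picks up every
# term of a compound pattern such as "[a] OR [b]".
OBSERVABLE_RE = re.compile(
    r"(?P<kind>ipv4-addr:value|ipv6-addr:value|domain-name:value|file:hashes\.'SHA-256')"
    r"\s*=\s*'(?P<value>[^']*)'")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_indicators(bundle_text):
    """Turn a STIX bundle into validated block lists.

    Returns {"ips": [...], "domains": [...], "hashes": [...], "rejected": [...]}.
    Revoked indicators and non-indicator objects are skipped; values that do
    not parse as what they claim to be go to "rejected" instead of the
    firewall, so one malformed feed entry cannot wedge a blocklist load.
    """
    bundle = json.loads(bundle_text)
    out = {"ips": set(), "domains": set(), "hashes": set(), "rejected": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # sigma/snort/yara patterns are not block-list material
        for m in OBSERVABLE_RE.finditer(obj.get("pattern", "")):
            kind, value = m["kind"], m["value"].strip().lower()
            if kind.startswith("ipv"):
                try:
                    out["ips"].add(str(ipaddress.ip_address(value)))
                    continue
                except ValueError:
                    pass
            elif kind.startswith("domain") and DOMAIN_RE.match(value):
                out["domains"].add(value)
                continue
            elif kind.startswith("file") and SHA256_RE.match(value):
                out["hashes"].add(value)
                continue
            out["rejected"].append((obj.get("id"), kind, value))
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}


def render_blocklist(values):
    """One entry per line with a trailing newline, the plain form that
    URL-table style firewall aliases and most SIEM list imports consume."""
    return "".join(f"{v}\n" for v in values)


if __name__ == "__main__":
    lists = extract_indicators(SAMPLE_BUNDLE)
    print(render_blocklist(lists["ips"]), end="")
    print("rejected:", lists["rejected"])
```

To run it against a real pull, fetch the bundle JSON (curl is enough) and hand the text to `extract_indicators`; the three lists map onto the ips/hashes/domains CSVs listed above. The `valid_until` field on indicators is not honored here and is worth adding once the feed carries it, so stale entries age out of the firewall instead of accumulating.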
-- DugganUSA LLC, Minneapolis MN