Your Browser Extensions Have More Access Than Your Malware
- Patrick Duggan
- Jan 16
- 3 min read
842,000 Reasons to Audit Your Extensions Right Now
This week, security researchers disclosed two separate browser extension campaigns that collectively compromised over 842,000 users. The attacks share a common thread: your browser extensions have more access to your data than most malware could ever dream of.
And you installed them yourself.
GhostPoster: Five Years, 840,000 Installs, Zero Detection
The GhostPoster campaign ran for five years across Chrome, Firefox, and Edge before anyone noticed. The technique was elegant: hide malicious JavaScript inside PNG icon files using steganography.
Here's how it works:
Extension loads its own icon (normal behavior)
Instead of rendering, it reads the raw bytes of the PNG
Scans for a marker sequence (===)
Everything after the marker is executable JavaScript
Payload activates 6+ days after install
Phones home every 48 hours, but only executes 10% of the time
That last part is the killer. By introducing randomness, the malware makes network monitoring unreliable. An infected extension might appear completely clean during a security review.
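The icon trick is easy to check for from the defender's side, because an image decoder stops reading a PNG at its IEND chunk and ignores whatever follows. The script below is an added example (not GhostPoster code and not tooling from this write-up): it walks the chunk structure of every PNG under an extension directory, reports any bytes stored after IEND, and records where the `===` marker the write-up mentions appears in the file, if at all. The two sample icons are constructed inline; the "suspect" one has inert text appended so the check has something to find.

```python
"""Defensive scanner for the icon trick described above: walk every PNG's chunk
structure and report bytes stored after the IEND chunk (where an image decoder
stops reading) plus the position of the '===' marker, if present anywhere.
Added example, not GhostPoster code; the sample icons are constructed here."""
import struct
import sys
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="   # marker sequence named in the write-up


def split_png(data: bytes) -> tuple[list[str], bytes]:
    """Return (chunk types in order, bytes after IEND); ValueError if not a PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype.decode("latin-1")
        chunks.append(ctype)
        pos += 8 + length + 4          # length field + type + payload + CRC
        if ctype == "IEND":
            return chunks, data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def inspect_png(data: bytes) -> dict:
    """Summarise what a decoder would ignore and where the marker sits (-1 if absent)."""
    chunks, tail = split_png(data)
    return {
        "chunks": chunks,
        "trailing_bytes": len(tail),
        "marker_offset": data.find(MARKER),
    }


def scan_directory(root: Path) -> list[tuple[Path, dict]]:
    """Flag every PNG under root that has trailing data or contains the marker."""
    hits = []
    for path in sorted(root.rglob("*.png")):
        try:
            info = inspect_png(path.read_bytes())
        except (OSError, ValueError):
            continue
        if info["trailing_bytes"] or info["marker_offset"] != -1:
            hits.append((path, info))
    return hits


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_ICON = minimal_png()
# Constructed suspect: the same icon with inert text appended after IEND. It still
# renders as a valid image, which is why the trick survives a visual review.
SUSPECT_ICON = CLEAN_ICON + b"===not a payload, just appended text"

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. a Chrome profile's Extensions/ directory
        for path, info in scan_directory(Path(sys.argv[1])):
            print(f"{path}: {info['trailing_bytes']} bytes after IEND, marker at {info['marker_offset']}")
    else:
        print("clean  :", inspect_png(CLEAN_ICON))
        print("suspect:", inspect_png(SUSPECT_ICON))
```

Run it with the path of a browser profile's extensions folder to sweep every icon at once. Trailing data after IEND is the cheapest place to hide bytes, but a payload can also sit inside an ancillary chunk (tEXt, zTXt or a private chunk type), so treat unexpected chunk types in the `chunks` list as worth a look too; and because `===` can occur by chance inside compressed image data, a marker hit without trailing bytes is a lead, not a verdict.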
What GhostPoster Does
Once active, the malware:
Hijacks purchase commissions (affiliate fraud)
Tracks user behavior across all sites
Removes security headers (CSP, X-Frame-Options)
Injects hidden iframes
Bypasses CAPTCHA protections
Known Bad Extensions
| Extension | Installs |
| --- | --- |
| Free VPN Forever | 16,000+ |
| screenshot-saved-easy | Unknown |
| weather-best-forecast | Unknown |
| google-translate-pro-extension | Unknown |
| dark-reader-for-ff | Unknown |
Mozilla and Microsoft have removed these from their stores. But here's the problem: already-installed extensions remain active until manually removed.
The Enterprise Attack: Workday and NetSuite Hijacking
While GhostPoster targeted consumers, a separate campaign went after enterprise users. Five malicious Chrome extensions impersonated HR and ERP platforms like Workday, NetSuite, and SuccessFactors.
These extensions work together to:
Steal authentication tokens
Block incident response capabilities
Enable complete account takeover via session hijacking
The Clever Part
One extension (Tool Access 11) prevents access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs. It blocks:
Authentication management
Security proxy configuration
IP range management
Session control interfaces
Another extension (Data By Cloud 2) expands blocking to 56 pages, including:
Password changes
Account deactivation
2FA device management
Security audit log access
You can't fix what you can't access.
Why This Matters
Browser extensions operate with privileged access that most malware would kill for:
Read and modify all data on websites you visit
Access cookies and authentication tokens
Inject scripts into any page
Intercept network requests
Disable security features
And unlike traditional malware, they don't need to evade antivirus, exploit vulnerabilities, or establish persistence. Users grant all these permissions voluntarily during installation.
The Supply Chain Problem
Both campaigns represent supply chain attacks against the browser ecosystem. The Chrome Web Store and Firefox Add-ons marketplace are trusted distribution channels. When malware gets in, users have no reason to suspect it.
The GhostPoster campaign originated on Microsoft Edge, then expanded to Firefox and Chrome. The threat actor maintained infrastructure across all three platforms for years.
What To Do Right Now
For Individuals
Open your browser's extension manager
Remove any extension you don't actively use
Check for the known bad extensions listed above
Audit permissions - does a weather app need access to "all sites"?
Reset passwords from a clean browser if you had these installed
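Steps 3 and 4 above (checking for the known bad names and auditing permissions) can be scripted, and the permission check is where the capabilities listed under "Why This Matters" become concrete: each of them corresponds to a specific manifest permission. The following is an added example, not tooling from this post: it walks a Chrome-family profile's `Extensions/<id>/<version>/manifest.json` layout, resolves localised names, matches names against the table above, and flags broad host access together with the API permissions that grant cookie, request and script access. The severity rules and the two sample manifests are mine; Firefox stores its add-ons differently, so only the `audit_manifest` function applies there.

```python
"""Audit the manifests of installed extensions: match names against the
article's known-bad table and flag the permissions that grant the
capabilities listed under "Why This Matters". Added example, not tooling
from the article; the severity rules and sample manifests are mine."""
import json
import sys
from pathlib import Path

# Names from the article's "Known Bad Extensions" table, lower-cased for matching.
KNOWN_BAD_NAMES = {
    "free vpn forever", "screenshot-saved-easy", "weather-best-forecast",
    "google-translate-pro-extension", "dark-reader-for-ff",
}
# Match patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions mapped to the capability each one enables (mapping is mine).
SENSITIVE_API_PERMISSIONS = {
    "cookies": "read and modify cookies, including session tokens",
    "webRequest": "observe every network request",
    "webRequestBlocking": "block or rewrite network requests",
    "declarativeNetRequest": "rewrite requests and strip response headers such as CSP",
    "scripting": "inject scripts into pages",
    "tabs": "read the URL and title of every open tab",
    "webNavigation": "track navigation across all sites",
    "history": "read browsing history",
    "management": "enumerate and disable other extensions",
    "debugger": "attach the DevTools protocol to any tab",
    "proxy": "reroute all browser traffic",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def host_patterns(manifest: dict) -> set[str]:
    """Every host match pattern requested, across MV2 and MV3 manifest layouts."""
    found = set()
    for p in manifest.get("permissions", []):            # MV2 keeps hosts here
        if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
            found.add(p)
    found.update(manifest.get("host_permissions", []))     # MV3 moves them here
    for cs in manifest.get("content_scripts", []):
        found.update(cs.get("matches", []))
    return found


def audit_manifest(manifest: dict) -> dict:
    """Return {'name', 'severity', 'findings'} for one parsed manifest."""
    name = str(manifest.get("name", "")).strip()
    findings = []
    known_bad = name.lower() in KNOWN_BAD_NAMES
    if known_bad:
        findings.append(f"name matches the known-bad list: {name!r}")
    broad = host_patterns(manifest) & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    apis = [p for p in manifest.get("permissions", [])
            if isinstance(p, str) and p in SENSITIVE_API_PERMISSIONS]
    findings.extend(f"{api}: {SENSITIVE_API_PERMISSIONS[api]}" for api in apis)
    if known_bad:
        severity = "critical"
    elif broad and apis:
        severity = "high"        # can reach every site and act on the data there
    elif broad or apis:
        severity = "medium"
    else:
        severity = "low"
    return {"name": name, "severity": severity, "findings": findings}


def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Chrome localises names as __MSG_key__; the text lives under _locales/."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            return json.loads(path.read_text(encoding="utf-8-sig"))[key]["message"]
        except (OSError, ValueError, KeyError, TypeError):
            return name
    return name


def audit_chrome_profile(extensions_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json as Chrome lays it out."""
    reports = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        manifest["name"] = resolve_name(manifest, manifest_path.parent)
        report = audit_manifest(manifest)
        report["id"] = manifest_path.parents[1].name
        reports.append(report)
    return reports


# Constructed sample manifests (not real extensions).
WEATHER_SAMPLE = {"manifest_version": 3, "name": "weather-best-forecast",
                  "permissions": ["storage", "cookies", "scripting"],
                  "host_permissions": ["<all_urls>"]}
MODEST_SAMPLE = {"manifest_version": 3, "name": "Tab Counter (sample)",
                 "permissions": ["storage"],
                 "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    # Typical Extensions/ locations: Linux ~/.config/google-chrome/Default/Extensions,
    # macOS ~/Library/Application Support/Google/Chrome/Default/Extensions,
    # Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions.
    reports = (audit_chrome_profile(Path(sys.argv[1])) if len(sys.argv) > 1
               else [audit_manifest(WEATHER_SAMPLE), audit_manifest(MODEST_SAMPLE)])
    for r in sorted(reports, key=lambda r: SEVERITY_ORDER[r["severity"]]):
        print(f"[{r['severity']}] {r['name']}")
        for f in r["findings"]:
            print("   -", f)
```

A "high" result is the weather-app case from step 4: a manifest that both reaches every site and holds an API that can read cookies or inject scripts. The name match is only as good as the list it is compared against, so refresh `KNOWN_BAD_NAMES` from the store takedown notices rather than treating the five names here as complete.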
For Organizations
Implement browser extension allowlists
Use endpoint detection that monitors extension behavior
Audit Chrome enterprise policies
Check for unusual authentication patterns in Workday/NetSuite/SuccessFactors
Consider browser isolation for sensitive applications
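The allowlist and the isolation advice above map onto one Chrome enterprise policy, `ExtensionSettings`, whose `*` entry sets the default for every extension and whose per-ID entries override it. Blocking all installs by default and then permitting approved IDs implements the allowlist; `runtime_blocked_hosts` keeps even approved extensions from running on the Workday, NetSuite and SuccessFactors pages that the campaign above hid from administrators. The script below is an added example, not the post's content: it generates that policy and includes a simplified evaluator for checking what the policy would permit before it is rolled out. The field names are real Chrome policy keys; the extension ID is a placeholder and the evaluator is my own model of Chrome's behaviour, not Chrome's code.

```python
"""Generate a Chrome ExtensionSettings policy that enforces an extension
allowlist and keeps even approved extensions off the HR/ERP hosts, plus a
simplified evaluator to sanity-check the result before deployment.
Added example. ExtensionSettings, installation_mode, blocked_permissions and
runtime_blocked_hosts are real Chrome enterprise policy fields; the evaluator
is my own simplified model of how Chrome applies them, and the extension ID
below is a placeholder."""
import json
from urllib.parse import urlsplit

# Placeholder 32-character extension ID standing in for an approved corporate extension.
APPROVED_IDS = {"a" * 32: "corporate password manager (placeholder)"}
# Hosts of the business apps the article names; no extension should run there.
PROTECTED_HOSTS = ["*://*.workday.com", "*://*.netsuite.com", "*://*.successfactors.com"]


def build_policy(approved_ids, protected_hosts) -> dict:
    """Default-deny installs, allow listed IDs, block all extensions on protected hosts."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_permissions": ["debugger", "proxy", "management"],
            "runtime_blocked_hosts": list(protected_hosts),
        }
    }
    for ext_id in approved_ids:
        # "force_installed" plus an "update_url" would push it out instead of just permitting it.
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def host_matches(pattern: str, url: str) -> bool:
    """Simplified match-pattern check for '<scheme>://<host>' with an optional '*.' prefix."""
    scheme_pat, _, host_pat = pattern.partition("://")
    parts = urlsplit(url)
    if scheme_pat != "*" and scheme_pat != parts.scheme:
        return False
    host = (parts.hostname or "").lower()
    if host_pat.startswith("*."):
        base = host_pat[2:].lower()
        return host == base or host.endswith("." + base)
    return host == host_pat.lower()


def installation_mode(policy: dict, ext_id: str) -> str:
    """Per-ID entry wins, otherwise the '*' default; Chrome's default when unset is 'allowed'."""
    settings = policy["ExtensionSettings"]
    entry = settings.get(ext_id, settings.get("*", {}))
    return entry.get("installation_mode", "allowed")


def may_run_on(policy: dict, ext_id: str, url: str) -> bool:
    """Can this extension be installed at all, and if so may it touch this URL?"""
    if installation_mode(policy, ext_id) in ("blocked", "removed"):
        return False
    settings = policy["ExtensionSettings"]
    blocked = (settings.get("*", {}).get("runtime_blocked_hosts", [])
               + settings.get(ext_id, {}).get("runtime_blocked_hosts", []))
    return not any(host_matches(p, url) for p in blocked)


if __name__ == "__main__":
    policy = build_policy(APPROVED_IDS, PROTECTED_HOSTS)
    # On Linux this JSON goes under /etc/opt/chrome/policies/managed/; Windows and
    # macOS deliver the same keys through GPO/registry and configuration profiles.
    print(json.dumps(policy, indent=2))
    for ext_id, url in [("a" * 32, "https://example.com/"),
                        ("a" * 32, "https://impl.workday.com/login"),
                        ("b" * 32, "https://example.com/")]:
        print(ext_id[:8], url, "->", "runs" if may_run_on(policy, ext_id, url) else "blocked")
```

The `*` entry does the heavy lifting: an unknown extension cannot be installed, and an approved one still cannot inject into or read the protected hosts, so the "erase the page and redirect" behaviour described above has nowhere to execute. Keep the evaluator's limits in mind; it ignores paths and ports and is meant for a quick pre-deployment sanity check, not as a substitute for testing the policy on a managed browser.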
The Bigger Picture
This week's disclosures are not anomalies. They're the visible tip of a much larger problem. The browser has become the primary interface for work, and browser extensions are the new attack surface.
Traditional security focused on the endpoint - the operating system, the file system, the network. But modern attacks increasingly target the browser layer, where users have been conditioned to click "Add to Chrome" without thinking.
Your browser extensions have more access than your malware. Act accordingly.