DugganUSA Threat Intel Scanner for VS Code
Scan your code for threat indicators in real-time. 1,080,000+ IOCs. Cross-platform. Free.

What It Does
Every IP address, domain, SHA256 hash, and CVE ID in your code is a potential indicator of compromise. This extension finds them automatically and checks each one against the DugganUSA threat intelligence index — the same STIX 2.1 feed trusted by 275+ organizations across 46 countries, including Fortune 500 security teams.
Open a file. Save a file. The scanner runs. Known-bad indicators appear as inline warnings with enrichment details — malware family, threat type, source, and cross-index hit count. No context switching. No browser tabs. No copy-paste into VirusTotal. The intelligence is in your editor where the code already is.
Example
You open a config file. Line 42 has a hardcoded IP: 185.39.19.176. The extension highlights it:
DugganUSA: 185.39.19.176 — IOC: Cobalt Strike C2 (via SSLBL) | Blocked 47x | In 3 OTX pulse(s) (12 cross-index hits)
Right-click, "View in DugganUSA" opens the full correlation in your browser.
Who It's For
- Security engineers reviewing infrastructure code, Terraform configs, Ansible playbooks — catch hardcoded C2 IPs before they ship
- SOC analysts triaging incident reports — paste an indicator, get instant enrichment without leaving the editor
- DevSecOps teams building CI/CD pipelines — scan PRs for known-bad indicators as part of code review
- Threat researchers writing reports — validate IOCs inline while documenting
- Anyone who touches config files, log snippets, or threat intelligence data in VS Code
Features
| Feature | Description |
| --- | --- |
| Auto-scan on save | Every saved file is scanned for IOC patterns |
| Auto-scan on open | Files are checked when you open them |
| Right-click lookup | Select any text, right-click, "DugganUSA: Look Up Selected Text" |
| Workspace scan | Scan up to 50 files across your project in one command |
| Inline diagnostics | Yellow squiggly warnings with enrichment in the Problems panel |
| Cross-index correlation | Each indicator checked against IOCs, block events, OTX pulses, adversary profiles, CISA KEV, and more |
| Smart filtering | Skips known-safe IPs (localhost, DNS resolvers) and common domains |
| 5-minute cache | Results cached locally to minimize API calls |
| First-run setup | Welcome walkthrough guides you through API key configuration |
| Prerequisite checks | Validates API connectivity and key format on activation |
| Privacy-first | Only IOC values are sent to the API — never source code, file paths, or file contents |
| AIPM Audit | Audit any domain's AI presence right inside VS Code — 5 models, 7 signals, 15 seconds |
| STIX Feed access | Browse STIX feed pricing and registration without leaving your editor |
Getting Started
1. Install the Extension
From VS Code:
- Open Extensions (Ctrl+Shift+X / Cmd+Shift+X)
- Search for "DugganUSA Threat Intel"
- Click Install
From the command line:
code --install-extension DugganUSALLC.dugganusa-threat-intel
For more on installing extensions, see the VS Code Extension Marketplace docs.
2. Get Your API Key (Free)
Visit analytics.dugganusa.com/stix/register. No credit card. No login. Takes 30 seconds.
The extension works without a key at reduced rate limits, but an API key unlocks full query volume.
Open VS Code Settings (Ctrl+, / Cmd+,) and search for "DugganUSA":
| Setting | Description | Default |
| --- | --- | --- |
| dugganusa.apiKey | Your API key (dugusa_... format) | (empty) |
| dugganusa.scanOnSave | Auto-scan files when saved | true |
| dugganusa.scanOnOpen | Auto-scan files when opened | true |
| dugganusa.apiUrl | API base URL (change only for on-prem) | https://analytics.dugganusa.com/api/v1 |
Or edit settings.json:
{
  "dugganusa.apiKey": "dugusa_YOUR_KEY_HERE",
  "dugganusa.scanOnSave": true,
  "dugganusa.scanOnOpen": true
}
See VS Code User and Workspace Settings.
4. Start Coding
Open a file with IPs, domains, hashes, or CVEs. Check the Problems panel (Ctrl+Shift+M / Cmd+Shift+M).
Commands
Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P):
| Command | Description |
| --- | --- |
| DugganUSA: Scan Current File | Scan the active file now |
| DugganUSA: Scan Entire Workspace | Scan up to 50 project files |
| DugganUSA: Look Up Selected Text | Right-click or palette lookup |
| DugganUSA: AIPM Audit | Audit any domain's AI presence — opens inside VS Code |
| DugganUSA: Open STIX Feed & Pricing | Browse STIX feed tiers in-editor |
What It Detects
| Pattern | Example | Detection |
| --- | --- | --- |
| IPv4 | 185.39.19.176 | Cobalt Strike C2, 12 hits |
| Domains | welcome.supp0v3.com | STX RAT C2, CPUID supply chain |
| SHA256 | 52862b538459c8... | STX RAT payload, 3 hits |
| CVE IDs | CVE-2026-21643 | Fortinet EMS SQLi, CISA KEV |
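The extraction step behind the four pattern types above and the smart-filtering feature, as an added example that is not the extension's own code. The function names, the regexes, the allowlist contents and the RFC 1918 skip are assumptions; the sample input is constructed.

```javascript
// Hypothetical extractor for illustration; not the extension's source.
const PATTERNS = {
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  sha256: /\b[a-f0-9]{64}\b/gi,
  cve: /\bCVE-\d{4}-\d{4,}\b/gi,
  domain: /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi,
};
// Assumed allowlists; the page only says resolvers and common domains are skipped.
const SAFE_RESOLVERS = new Set(['8.8.8.8', '8.8.4.4', '1.1.1.1', '9.9.9.9']);
const SAFE_DOMAINS = new Set(['github.com', 'example.com']);
// Loopback, RFC 1918 and resolver addresses are never worth a lookup.
function isBenignIp(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || SAFE_RESOLVERS.has(ip);
}

// Returns one finding per occurrence, with the 1-based position a diagnostic needs.
function extractIocs(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const [type, re] of Object.entries(PATTERNS)) {
      for (const m of lineText.matchAll(re)) {
        const value = type === 'cve' ? m[0].toUpperCase() : m[0].toLowerCase();
        if (type === 'ipv4' && isBenignIp(value)) continue;
        if (type === 'domain' && SAFE_DOMAINS.has(value)) continue;
        findings.push({ type, value, line: i + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// Only distinct indicator values go into a lookup; positions and text stay local.
function lookupPayload(findings) {
  return [...new Set(findings.map((f) => f.value))];
}

// Constructed sample config; the 64-hex value is a placeholder, not a real hash.
const SAMPLE = [
  'listen = 127.0.0.1:8080',
  'resolver = 8.8.8.8',
  'upstream = 185.39.19.176',
  'callback = https://welcome.supp0v3.com/api',
  'docs = https://github.com/example',
  `sha256 = ${'ab'.repeat(32)}`,
  '# patched for cve-2026-21643; upstream was 185.39.19.176',
].join('\n');
console.log(extractIocs(SAMPLE), lookupPayload(extractIocs(SAMPLE)));
```

A bare domain regex also matches file names such as `settings.json`, so a production scanner would additionally check the last label against a list of real TLDs.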
Pricing
The extension is free and open source (MIT). The API has tiered rate limits:
| Tier | Queries/Day | Price |
| --- | --- | --- |
| Free | 500 | $0 |
| Starter | 1,000 | $45/mo |
| Researcher | 2,000 | $145/mo |
| Professional | 5,000 | $495/mo |
| Medusa Suite | 50,000 | $8,995/mo |
| Enterprise | Unlimited | $24,995/mo |
Register at analytics.dugganusa.com/stix/register.
Prerequisites
- VS Code 1.85+
- Internet connectivity (degrades gracefully offline)
- Free API key recommended
Fully cross-platform — no native dependencies. Works on:
Windows, macOS, Linux, WSL, Remote SSH, GitHub Codespaces, vscode.dev.
What's In The Index
1,080,000+ indicators from:
Cross-correlated across 44 indexes.
Also available as STIX 2.1 JSON, IP blocklist CSV, Domain CSV, Hash CSV.
Privacy
- Only IOC values sent to the API — never source code, file paths, or workspace metadata
- No telemetry beyond API lookups
- HTTPS only (TLS 1.2+)
- Local cache only — never persisted to disk
- Open source — inspect the code
Compatibility
This extension works out of the box on VS Code and VS Code forks:
Planned Integrations — Same Engine, More Surfaces
The DugganUSA threat intel scanning engine is designed to run anywhere developers and security teams work. The same IOC detection + API correlation pattern ports to every platform below. Contributions welcome.
IDEs & Editors
Browsers
| Platform | Marketplace | Status | Notes |
| --- | --- | --- | --- |
| Chrome | Chrome Web Store | Planned | Every webpage becomes an IOC scanner. Highlights indicators on any page you read — including competitor blogs. |
| Firefox | Firefox Add-ons | Planned | Same extension, WebExtension API compatible. |
| Safari | Safari Extensions | Planned | macOS/iOS coverage. |
Collaboration & Workflow
| Platform | Marketplace | Status | Notes |
| --- | --- | --- | --- |
| Slack | Slack App Directory | Planned | Paste an IP in any channel, bot responds with enrichment. Enterprise-viral. |
| Microsoft Teams | AppSource | Planned | We already see 23 Teams referrer sessions — people WANT this. |
| Jira | Atlassian Marketplace | Planned | We see jira.cs.sys referrers. Enrich security tickets with IOC context automatically. |
| ServiceNow | ServiceNow Store | Planned | Enterprise ITSM integration. |
| Obsidian | Community Plugins | Planned | OSINT researchers write notes in Obsidian. Paste an IP, get enrichment inline. |
| Notion | API integration | Planned | Research documentation with inline IOC validation. |
Data & Productivity
| Platform | Marketplace | Status | Notes |
| --- | --- | --- | --- |
| Google Sheets | Workspace Marketplace | Planned | Add-on that enriches columns of IOCs in bulk. SOC analysts export to spreadsheets constantly. |
| Excel | AppSource | Planned | Same bulk enrichment for Microsoft shops. |
| n8n / Zapier / Make | Native integrations | Planned | Trigger workflows on new IOCs, auto-block in firewall, alert on critical. |
CLI & DevOps
| Platform | Distribution | Status | Notes |
| --- | --- | --- | --- |
| CLI tool | npm | Planned | npx dugganusa-lookup 185.39.19.176 — works in any terminal, any OS, any CI pipeline. |
| GitHub Action | GitHub Marketplace | Planned | PR checks that scan committed code for IOCs before merge. |
| GitLab CI | GitLab CI template | Planned | Same scanning in GitLab pipelines. |
| Docker | Docker Hub | Planned | Containerized scanner for CI/CD integration. |
Desktop Launchers
| Platform | Distribution | Status | Notes |
| --- | --- | --- | --- |
| Raycast | Raycast Store | Planned | macOS — type an IP, get enrichment instantly. |
| Alfred | Alfred Gallery | Planned | macOS workflow for power users. |
Want to Help Build One?
Every integration above uses the same core pattern: extract IOC → call API → render result. The DugganUSA correlation API is open and documented. If you want to build one of these integrations, open an issue or PR.
API docs: analytics.dugganusa.com/api/v1/search/stats
Free API key: analytics.dugganusa.com/stix/register
Development
See CONTRIBUTING.md for setup, testing, and publishing.
git clone https://github.com/pduggusa/dugganusa-vscode.git
cd dugganusa-vscode
code .
# Press F5 to launch Extension Development Host
See VS Code Extension API and Publishing Extensions.
Links
License
MIT — DugganUSA LLC, Minneapolis, MN.
Built by two people, one AI partner, and $75/month in infrastructure.