☕ Good Morning Security Gang,

Today’s episode is one of those that hits every layer of the stack from SaaS breaches to AI exploitation, from ransomware evolution to geopolitical cyber pressure.

And if there’s one theme that ties everything together today, it’s this:
👉 Attackers are targeting both the systems that run your environment and the people who have access to them.

Double espresso in hand, let’s dive in.

Subscribe now

🧭 Executive Summary

Today’s episode highlights a convergence of SaaS supply chain breaches, CI/CD vulnerabilities, AI gateway exploitation, and evolving ransomware tactics. At the same time, nation-state actors are doubling down on long-term social engineering campaigns, while governments begin aligning policy and regulation around AI security.

The risk environment is no longer siloed identity, automation, AI, and human behavior are now interconnected attack surfaces, and attackers are exploiting them simultaneously.

📰 Top Stories & Deep Dive Analysis

🎥 Vimeo Breach – Third-Party Risk Continues to Expand

Vimeo confirmed a breach stemming from a compromise of its third-party analytics vendor, Anodot, exposing customer data including emails, video metadata, and technical information. ShinyHunters has set a public deadline for ransom payment, threatening to release the data if demands are not met.

This is part of a broader campaign we’ve been tracking across multiple organizations, where attackers compromise SaaS ecosystems through third-party integrations rather than direct attacks. The real risk here isn’t just the exposed data, it’s the follow-on attacks. Metadata and email exposure enable highly targeted phishing campaigns, especially against content creators and enterprise users relying on Vimeo workflows.

💻 GitHub RCE – One Push to Compromise the System

A critical command injection vulnerability in GitHub’s git push pipeline allows authenticated users with push access to execute remote code on the instance with a single command. While GitHub.com deployed a rapid fix, self-hosted and enterprise environments remain at risk until patched.

This vulnerability represents a direct threat to the software development lifecycle. CI/CD pipelines are designed for automation and speed, but this same efficiency becomes a liability when exploited. Attackers gaining control of these pipelines can inject malicious code, access secrets, and compromise production environments without needing traditional lateral movement.

🤖 LiteLLM Exploit – AI Gateway Becomes Data Exfiltration Tool

Attackers began exploiting a pre-authentication SQL injection vulnerability in LiteLLM just 36 hours after disclosure. As a gateway platform connecting multiple AI providers, LiteLLM stores API keys and credentials, making it a high-value target.

The vulnerability allows attackers to extract sensitive data directly from backend databases, including cloud credentials and API keys. This highlights a growing issue AI orchestration layers are being deployed without the same security rigor as traditional infrastructure, creating new high-risk entry points into enterprise environments.

💣 VECT Ransomware – When Encryption Becomes Destruction

Checkpoint Research analyzed VECT ransomware, revealing that its encryption process is fundamentally flawed. Instead of enabling decryption after payment, the malware discards critical data during encryption, effectively making recovery impossible.

This transforms ransomware into a wiper event disguised as extortion. Organizations impacted by VECT cannot recover data even if they pay, shifting the focus entirely to prevention and resilience. This represents a dangerous evolution where attackers either don’t care about recovery—or are unable to provide it.

🧠 North Korea Campaign – Six Months of Social Engineering

A North Korea-linked group conducted a six-month campaign targeting Web3 executives, using sophisticated social engineering techniques to gain access to wallets, admin panels, and private keys.

The campaign culminated in a major crypto theft, demonstrating the effectiveness of long-term, relationship-based attacks. Unlike traditional phishing, these operations build trust over time, making them far more difficult to detect and prevent. This reinforces that humans remain one of the most critical and vulnerable attack surfaces.

🚇 Singapore Infrastructure Incident – Supply Chain in Critical Systems

A cybersecurity incident affecting a contractor involved in Singapore’s MRT rail and water infrastructure highlights the risk of third-party access to critical systems.

Even though public-facing data may be available elsewhere, the contractor’s access to internal systems introduces a potential pathway for attackers into sensitive infrastructure environments. This underscores the importance of tight access control and monitoring for vendors operating within critical sectors.

🏛️ White House AI Cyber Huddle – Policy Meets Technology

Senior U.S. officials convened a cybersecurity summit with leading AI and tech executives to address risks associated with advanced AI systems ahead of upcoming releases like Anthropic’s Mythos.

This signals a shift where AI security is no longer just a technical issue—it’s a national priority. Organizations should expect increased scrutiny, regulatory requirements, and board-level discussions around AI risk management in the near future.

📜 AI Regulation Advances – Bipartisan Momentum Builds

New bipartisan legislation aims to regulate AI chatbot usage, focusing on fraud prevention, parental controls, and transparency.

This aligns with broader federal efforts to establish guardrails around AI deployment. For organizations, this means preparing for compliance requirements, data transparency expectations, and enhanced fraud detection responsibilities tied to AI systems.

📊 Cyber Insurance Data – MFA Misconfiguration Leads Losses

Cyber insurance data reveals that misconfigured MFA accounts for nearly 26% of total losses, making it the single largest contributor to financial impact. Meanwhile, ransomware represents a smaller portion of incidents but drives the majority of financial damage.

“Cyber risk isn’t just technical anymore, it’s financial, human, and regulatory all at once.”

This provides a clear, data-driven insight: basic security controls, when misconfigured, can have outsized financial consequences. It also highlights how boards respond more effectively to financial metrics than technical risk descriptions.

🛠️ Action Items for Security Leaders

• 🔐 Rotate credentials and tokens tied to SaaS and AI integrations

• 💻 Patch GitHub Enterprise and audit push access permissions immediately

• 🤖 Upgrade and secure LiteLLM deployments; rotate exposed API keys

• 💾 Treat ransomware scenarios as potential wiper events; validate backups

• 🧠 Implement phishing-resistant MFA, especially for executive accounts

• 🚇 Audit third-party access to critical infrastructure systems

• 🏛️ Prepare board-level briefings on AI security and regulatory risk

• 📜 Begin mapping AI data flows and compliance requirements

• 📊 Use cyber insurance data to justify budget and control investments

• 🔍 Monitor for abnormal activity in CI/CD and AI pipeline environments

Leave a comment

🧠 James Azar’s CISOs Take

What stood out to me today is how attackers are blending technical exploitation with human manipulation. The GitHub RCE and LiteLLM vulnerabilities show how easily automation layers can be compromised, while the North Korea campaign highlights how effective patient social engineering can be. When these two come together—technical access and human trust—the impact becomes exponential.

The second takeaway is that cybersecurity is no longer just about defense—it’s about alignment. Alignment between security and business, between technology and policy, and between risk and financial impact. The cyber insurance data makes it clear: when we frame risk in dollars, it resonates. And that’s how we drive real change at the executive level.

🔥 Stay Cyber Safe.

Today’s episode is one of those where you step back and realize just how fast everything is evolving and breaking at the same time.

We’ve got zero-click Windows exploitation, AI pipeline RCE, supply chain compromise hitting critical developer ecosystems, a massive spike in social engineering fraud, and even a pre-Stuxnet malware discovery rewriting cyber history.

👉 The theme today is simple: automation and trust are being weaponized simultaneously.

Double espresso ready, let’s go.

Subscribe now

🧭 Executive Summary

Today’s landscape reflects a convergence of identity abuse, developer ecosystem compromise, AI tooling risk, and large-scale financial fraud. Attackers are leveraging legitimate infrastructure, trusted platforms, and automation pipelines to operate at unprecedented speed and scale.

We’re also seeing regression in patching effectiveness, with incomplete fixes enabling zero-click exploitation, and a continued shift toward developer environments and AI pipelines as primary attack surfaces. Meanwhile, consumer fraud is reaching record levels, proving that cyber risk is no longer just enterprise, it’s societal.

Subscribe now

📰 Top Stories & Deep Dive Analysis

🏥 Medtronic Breach – ShinyHunters Expands the SaaS Playbook

Medtronic confirmed unauthorized access to corporate IT systems after ShinyHunters claimed over 9 million records and terabytes of internal data. The company executed its incident response plan, and the leak listing has since disappeared typically a signal of ransom negotiations or payment.

What matters here is the pattern. This aligns with previous breaches targeting SaaS ecosystems phishing identity providers and pivoting into platforms like Salesforce. Even if no medical devices or patient systems were impacted, the exposure of corporate workflows and PII creates a downstream risk for targeted phishing against healthcare providers and field engineers, expanding the blast radius beyond the initial breach.

📩 Robinhood Phishing Abuse – Legitimate Infrastructure Turned Weapon

This is one of the most creative attacks we’ve seen.

Attackers created Robinhood accounts using email variations (leveraging Gmail’s dot normalization), triggering legitimate login notifications sent from Robinhood’s own infrastructure. These emails passed all authentication checks—SPF, DKIM, DMARC, but included a malicious link embedded within user-controlled fields.

This marks a shift from spoofing to platform abuse, where attackers weaponize trusted communication channels themselves. The risk is significant because traditional email defenses are bypassed entirely making detection reliant on application-layer validation and user awareness rather than technical controls alone.

💰 $2.1 Billion Social Media Scam Surge – Cybercrime at Scale

The FTC reported that Americans lost over $2.1 billion to social media-driven scams in 2025, an eightfold increase since 2020. Investment scams alone accounted for more than half of that total.

This isn’t just a statistic, it’s a signal. Social platforms have become the primary entry point for fraud, with attackers leveraging trust, relationships, and financial pretexts to drive engagement.

The real takeaway is that cyber risk is no longer confined to enterprise systems. It’s now deeply embedded in consumer behavior, social interaction, and financial decision-making, making awareness and education just as critical as technical controls.

🔓 Checkmarx Breach Escalation – Source Code Hits the Dark Web

Checkmarx confirmed that data from its GitHub repositories, compromised during a March supply chain attack, has now been published on the dark web.

This escalation removes any ambiguity the exposure is now global and permanent. Attackers previously injected credential-stealing code into GitHub Actions workflows, meaning any environment that interacted with those pipelines may have leaked sensitive tokens or credentials.

This is a critical moment for defenders: once data is public, response shifts from containment to damage control and credential rotation at scale.

🧩 73 Malicious VS Code Extensions – Developer Layer Under Attack

Researchers identified 73 fake extensions in the Open VSX marketplace linked to the Glass Worm operation. These extensions initially appeared benign, building trust before later updates introduced malicious payloads.

The attack chain includes:

• Typosquatting popular extensions

• Delayed activation (“sleeper” model)

• Secondary payload delivery via GitHub-hosted components

This is a direct attack on the developer ecosystem. A single compromised extension can expose source code, credentials, and SSH keys, turning a developer workstation into a high-value entry point for attackers.

🧬 PyPI Package Hijack – Supply Chain Risk in Data Engineering

The widely used “elementary-data” package (1.1M monthly downloads) was hijacked, with attackers publishing a malicious version that exfiltrated credentials, environment variables, and crypto wallets.

The attack leveraged GitHub Actions script injection to gain access, forge legitimate commits, and distribute compromised builds.

This highlights a growing trend: attackers targeting CI/CD pipelines and package registries simultaneously, enabling rapid propagation across developer environments and production systems.

🪟 Windows Zero-Click Vulnerability – Patch Regression Exploited

Akamai revealed that a recent Windows vulnerability (CVE-2026-32202) stems from an incomplete patch to a previous flaw, enabling zero-click exploitation via malicious LNK files.

Attackers can now trigger NTLM authentication or bypass security prompts simply by having the file present—no user interaction required.

This is particularly concerning because it demonstrates patch regression risk, where incomplete fixes create new attack paths. It also reinforces that patching alone is not a guarantee of security.

🤖 Gemini CLI RCE – AI Pipeline Becomes Attack Vector

A critical vulnerability in Google’s Gemini CLI allows remote code execution in CI environments by abusing trusted workspace configurations and environment variables.

In headless or automated environments, the CLI implicitly trusts local files and settings, allowing attackers to embed malicious configurations in repositories that execute upon pipeline invocation.

This turns AI tooling into a remote execution layer within CI/CD pipelines, expanding the attack surface into automated workflows that often lack human oversight.

🇨🇳 Silk Typhoon Extradition – State Actors Face Consequences

A suspected Chinese cyber operative linked to Silk Typhoon was extradited to the U.S., facing charges tied to the mass exploitation of Microsoft Exchange vulnerabilities.

This marks a rare but significant development in holding state-aligned actors accountable. While it may not deter all activity, it signals increasing willingness to pursue legal action against cyber operators globally.

🧠 Pre-Stuxnet Malware Discovery – Cyber Warfare Started Earlier Than We Thought

SentinelLabs uncovered a malware strain predating Stuxnet by at least five years, targeting engineering and simulation platforms used in nuclear research.

This discovery rewrites the timeline of cyber warfare, showing that sophisticated sabotage capabilities existed as early as 2005.

The implication is profound: cyber operations as strategic tools have been evolving far longer than most organizations have been defending against them.

🛠️ Action Items for Security Leaders

• 🔐 Rotate all credentials tied to Checkmarx and compromised CI pipelines

• 📩 Audit transactional email templates for user-controlled input injection

• 🧩 Restrict developer environments to approved extensions and package sources

• 🧬 Pin and verify all dependencies in npm and PyPI ecosystems

• 🪟 Apply Windows patches and monitor for abnormal NTLM authentication activity

• 🤖 Secure AI tooling in CI/CD pipelines and restrict environment trust boundaries

• 💰 Implement organization-wide awareness training on social media scams

• 🔍 Monitor SaaS platforms for phishing-based identity compromise patterns

• 📊 Enhance detection for OAuth abuse and API-based data exfiltration

• 🌍 Incorporate geopolitical cyber activity into risk modeling and response plans

Leave a comment

🧠 James Azar’s CISOs Take

What stood out to me today is how attackers are leveraging trust at every level from email infrastructure to developer tools to AI pipelines. We’ve spent years building systems to automate and simplify workflows, but in doing so, we’ve also created pathways that attackers can exploit with minimal friction. The Robinhood case and the Gemini CLI vulnerability are perfect examples of how legitimate systems can be turned into attack vectors.

The second takeaway is speed. Supply chain attacks, phishing campaigns, and fraud operations are all happening faster than ever before. By the time we detect an issue, attackers have already pivoted, propagated, and monetized. That means our defenses need to evolve not just to prevent compromise, but to detect and respond in near real time. Because in this environment, the organizations that can’t keep up won’t just fall behind, they’ll become targets.

🔥 Stay Cyber Safe.

We’re kicking off the week with a packed 10-story rundown that hits everything from federal edge compromises to SaaS breach chains, supply chain worms, and even a 12-year-old Linux root flaw still alive and well.

If last week was about trust breaking, this week is about exposure at speed. Attackers are moving faster, pivoting across ecosystems, and exploiting anything left unpatched, unsegmented, or simply forgotten.

Double espresso ready; let’s get into it.

Subscribe now

🧭 Executive Summary

Today’s stories highlight two critical realities:

1. Exposure is everywhere—from SaaS identity chains to federal firewalls to developer ecosystems

2. Tempo is accelerating—attackers are chaining exploits, pivoting faster, and monetizing access almost immediately

We’re seeing convergence across edge infrastructure compromise, SaaS phishing chains, supply chain propagation, and legacy system exploitation, all amplified by a pace that most organizations struggle to match operationally.

🛡️ CISA KEV Additions – Remote Access Tools Become Enterprise Gateways

CISA added multiple actively exploited vulnerabilities to the KEV catalog, including flaws in SimpleHelp, Samsung MagicINFO, and D-Link routers.

What makes this particularly dangerous is the role these systems play. SimpleHelp, for example, is widely used as a remote support tool. A compromised technician account doesn’t just impact one system—it can cascade across every client environment that tool touches.

This is a recurring pattern: attackers aren’t targeting endpoints—they’re targeting tools that manage endpoints, turning a single foothold into multi-tenant compromise.

🔥 Firestarter Backdoor – Federal Cisco ASA Compromise Persists

A Linux-based backdoor dubbed Firestarter was discovered on a federal Cisco ASA firewall, persisting even after firmware updates.

The malware survives by intercepting termination signals and relaunching itself, meaning standard patching or rebooting does nothing to remove it.

This changes the playbook. Instead of patching, organizations must fully power down, reimage, and rotate all credentials tied to the device.

The broader implication is serious: edge infrastructure is now a long-term persistence layer for attackers, not just an entry point.

🏠 ADT Breach – Phishing to SaaS Chain Hits Again

ADT disclosed a breach involving unauthorized access to cloud environments, with attackers leveraging phishing against Okta to gain entry and pivot into Salesforce.

This is now a well-established attack chain:

• Phishing → Identity provider compromise

• Pivot → SaaS platform access

• Extract → Customer data at scale

With a 10 million record leak potentially imminent, this case reinforces that SaaS ecosystems are only as secure as the identity layer protecting them.

And attackers know it.

🧩 Checkmarx Supply Chain Attack – CI/CD Integrity at Risk

Checkmarx was hit again, with attackers compromising Docker images and VS Code extensions tied to its KICS analysis tool.

Although exposure lasted less than 90 minutes, that’s more than enough time in modern pipelines. Any system pulling updates during that window could now be compromised.

This highlights a key issue: CI/CD pipelines operate at machine speed, but security validation often lags behind, creating a window attackers can exploit repeatedly.

🐧 Pack2TheRoot – 12-Year Linux Privilege Escalation Flaw

A privilege escalation flaw present since 2014 has been confirmed exploitable across major Linux distributions.

This vulnerability allows a low-privileged user to escalate to root through PackageKit, meaning any malware landing on a Linux endpoint can immediately gain full control.

This is not a zero-day, it’s worse. It’s a decade-old design flaw that went largely unnoticed, proving that legacy components remain one of the biggest risks in modern environments.

⚡ Itron Breach – Utility Supply Chain Risk Expands

Itron disclosed unauthorized access to corporate IT systems, though no customer environments were impacted.

Even so, the implications are significant. Itron operates in the utility and grid-edge ecosystem, meaning any compromise raises concerns about downstream risk to critical infrastructure.

This reinforces a key shift: attackers are increasingly targeting vendors and suppliers as indirect entry points into high-value environments.

🧬 NPM → PyPI Worm – Cross-Ecosystem Supply Chain Attack

The supply chain worm we’ve been tracking continues to evolve, now spreading across both npm and PyPI ecosystems.

This worm:

• Harvests credentials from developer environments

• Uses stolen tokens to publish malicious packages

• Propagates automatically across repositories

This is supply chain compromise at industrial scale. One compromised developer machine can now infect multiple ecosystems within hours, making containment extremely difficult.

💾 Vercel Data Leak – Breach Data Hits Underground Markets

Data from the earlier Vercel breach has now surfaced for sale, including access keys, source code, and internal databases.

Although the listing was removed, the assumption must be that the data is already circulating.

The attack chain starting with infostealer malware and OAuth token theft—shows how endpoint compromise can quickly escalate into cloud environment exposure.

📱 Apple App Store – 26 Fake Crypto Wallet Apps Discovered

Kaspersky identified 26 malicious crypto wallet apps on Apple’s App Store, impersonating major platforms like Coinbase and MetaMask.

These apps harvested recovery phrases and even used OCR to extract sensitive data from screenshots.

This challenges a long-held assumption: app stores are no longer a reliable trust boundary, especially for financial applications.

🌍 Iran Threat Model – From Destruction to Influence

Industry leaders are reframing Iran’s cyber posture, suggesting a shift from large-scale infrastructure attacks to targeted opportunistic breaches amplified through information operations.

Instead of shutting down power grids, the focus is now:

• Breach a target

• Publicize it

• Amplify impact through media

This aligns with broader geopolitical trends where perception and narrative are as valuable as technical impact.

🎯 Key Takeaway

👉 Exposure + Speed = Modern Cyber Risk

Attackers are no longer waiting. They’re exploiting, pivoting, and monetizing in real time.

🛠️ Action Items for Security Leaders

• 🔐 Patch all KEV-listed vulnerabilities immediately

• 🔥 Reimage and hard reset compromised edge devices (do not rely on patching alone)

• 🧩 Enforce phishing-resistant MFA across identity providers

• 🔍 Audit SaaS integrations, especially Okta and Salesforce chains

• 🚀 Validate CI/CD pipelines and restrict external dependency pulls

• 🐧 Patch Linux systems and monitor for privilege escalation activity

• 🧬 Rotate all npm and PyPI tokens and enforce strict credential hygiene

• ⚡ Conduct vendor risk assessments for critical infrastructure suppliers

• 📱 Restrict unverified mobile app installations through MDM policies

• 🌍 Prepare incident response playbooks for reputational and information warfare scenarios

Leave a comment

🧠 James Azar’s CISOs Take

What stood out to me today is how much of our risk is tied to systems we assume are already secure. Whether it’s a firewall that survives patching, a SaaS chain built on identity trust, or a Linux component that’s been around for over a decade, attackers are finding value in what we’ve stopped questioning. That’s the real challenge, we’re defending what we see, while attackers exploit what we’ve forgotten.

The second takeaway is tempo. Every story today reflects a faster cycle from compromise to propagation to monetization. Supply chain worms spread in hours. SaaS breaches turn into data leaks within days. If our detection and response don’t match that speed, we’re always going to be behind. The future of security isn’t just about control it’s about keeping up.

🔥 Stay Cyber Safe.

James is settling into new-parent mode — running on three hours of sleep and double espresso, which, as he puts it, is excellent preparation for a career in cybersecurity incident response. Welcome to the party, baby Azar.

This week’s briefing comes at you from a threat environment that is, frankly, firing on every cylinder simultaneously. Let’s set the stage:

France’s national identity agency confirmed a breach exposing up to 19 million records names, birthdates, addresses, civil status, a foundational identity dataset now in attacker hands. A self-propagating npm worm is autonomously spreading malicious code across developer ecosystems, targeting both npm and PyPI in a single chain. Microsoft issued an emergency out-of-band patch for an ASP.NET Core authentication forgery flaw. Cisco’s SD-WAN control plane vulnerability landed on CISA’s KEV list with a hard federal deadline. The Vercel breach confirmed exactly how AI OAuth integrations create insider-equivalent access through third-party tools. And Lotus wiper malware is actively burning Venezuelan energy infrastructure no ransomware, no negotiation, just destruction.

Meanwhile, April 2026 is on pace to be the worst month for crypto theft since February 2025, with over $606 million lost in 18 days including Lazarus Group’s $290 million KelpDAO exploit. North Korea is running a financial operation that functions less like a hacking group and more like a nation-state treasury department.

The through-line across every story this week is trust. Every attack exploited something that was supposed to be safe an authentication cookie, an OAuth grant, a sandboxed AI environment, a national identity database, a ransomware negotiation firm. Once attackers compromise trust at any layer, everything built on top of it inherits the risk.

Coffee cup cheers. Let’s get into it.

Subscribe now

🌐 Geopolitical Cyber Warfare

Lotus Wiper Malware Targets Venezuelan Energy Infrastructure

Lotus wiper malware is actively targeting energy and utility organizations in Venezuela, operating at a low level to erase data, eliminate recovery mechanisms, and render systems unrecoverable. Unlike ransomware, there is no negotiation, no ransom demand, and no recovery path. The intent is permanent operational disruption specifically targeting power generation and distribution infrastructure. This is cyber operations being deployed as a tool of strategic disruption, not financial crime. Wiper attacks don’t negotiate. They erase.

ZionSiphon Malware Targets Water Treatment and Desalination Systems

ZionSiphon malware is targeting water treatment and desalination infrastructure, with code that specifically references chlorine handling processes and water purification systems including references to water supply manipulation. This isn’t theoretical. Early-stage OT malware with real-world consequence potential is already in the wild. We saw what nearly happened in Oldsmar, Florida, where a single analyst prevented a chlorine dosing attack. This is that playbook evolving. Baseline OT behavior and monitor for any unauthorized process changes immediately.

Sweden Attributes Heating Plant Attack to Russian-Linked Actors

Swedish officials confirmed attribution of a cyberattack on a district heating plant to a pro-Russian group connected to Russian intelligence. The attack failed operationally. But intent is the story. Civilian infrastructure heating, power, water is being targeted not to destroy, but to create societal pressure and psychological instability. Gray-zone warfare doesn’t require success to be effective. The attempt alone achieves its geopolitical objective.

Iranian Reconnaissance: 12,000 Systems Scanned

More than 12,000 systems were scanned in a campaign mirroring Iranian reconnaissance patterns. Combined with nearly 4,000 U.S. industrial devices remaining internet-exposed, this represents active pre-positioning at scale. Scanning is preparation, not attack. The attack comes later with precision, against targets already mapped.

AgingFly Malware Targets Ukrainian Government and Hospitals

The AgingFly malware strain continues targeting Ukrainian government agencies and healthcare systems a deliberate campaign against the institutions that sustain public life during conflict. Disrupting hospitals and government services doesn’t require military action. It just requires persistence and the right malware.

💥 Destructive Attacks & Ransomware

NHS Ransomware: Two Years Later, Still Broken

Nearly two years after a ransomware attack, NHS healthcare services in London are still dealing with operational fallout thousands of delayed procedures, disrupted diagnostics, and persistent system degradation. This is the story the headlines missed when the initial incident faded. Ransomware is not a data problem with a recovery timeline. It is a multi-year operational crisis, and in healthcare, that crisis is measured in patient outcomes. Cyber incidents don’t end when systems come back online. They end when operations fully recover and in healthcare, that may take years.

Gentleman Ransomware and SystemBC: Reading the Pre-Attack Signals

Ransomware groups are deploying SystemBC malware as the pre-attack staging layer establishing proxy tunnels, encrypted C2 channels, and persistent access before ransomware is ever deployed. By the time encryption begins, attackers have already mapped the environment, harvested credentials, and established control. The real opportunity to stop ransomware is at this stage. Detecting SystemBC is detecting the attack before it completes.

Akira Ransomware Hits Defense Supply Chain Manufacturers

Akira continues targeting manufacturing and engineering firms that serve as suppliers to larger enterprises in aerospace and defense. A breach at this tier doesn’t stay contained, it cascades through dependencies, exposing sensitive design data and disrupting production across interconnected supply chains. Supply chain ransomware risk is ecosystem risk, not single-organization risk.

Insider Threat: Ransomware Negotiator Sold Victim Data to BlackCat

A ransomware negotiation consultant pleaded guilty to collaborating with attackers providing BlackCat with negotiation strategies and victim data from clients who trusted them with incident response. Third-party vendors, consultants, and incident responders often have deeper access than internal staff during a crisis. That access must be governed like privileged access with monitoring, segmentation, and time-limited grants not trusted on the basis of relationship alone.

🔓 Data Breaches & Identity Exposure

France National ID Breach: 19 Million Records

France’s national identity agency ANTS confirmed a breach exposing up to 19 million records full names, birthdates, addresses, and civil status. This is not a breach of a loyalty program or a retail database. This is a foundational identity dataset, and its exposure cascades into every system that relies on identity verification for years. The French government has already warned citizens to anticipate smishing and phishing campaigns built from this data. For any organization operating in France or authenticating French users, this is a direct inherited risk. Identity verification confidence across this population has degraded.

AI Threat to Global Banking: Speed vs. Oversight

Financial leaders issued warnings this week that advanced AI models could destabilize portions of the global banking system not through dramatic hacks, but through the gap between AI-driven fraud velocity and human oversight capacity. AI is enabling automated fraud, accelerating attack decision-making, and executing at speeds that regulated institutions cannot match with manual review processes. The risk is systemic fraud operating faster than detection and response. Human approval gates for high-risk AI-driven financial transactions are a necessary architectural control.

Vercel Breach via AI OAuth Integration

The Vercel breach is the most important AI supply chain case study of the week. Attackers did not breach Vercel directly. They compromised a third-party AI tool Context AI harvested credentials from an employee there, and used the OAuth permissions that tool had been granted to access Vercel’s internal environment. OAuth grants are often broad, persistent, and uninspected. Once inside, the attacker reached environment variables, API keys, and internal infrastructure operating with legitimate access, triggering no alerts. An AI tool with unrestricted OAuth scope is functionally indistinguishable from an insider.

McGraw-Hill Salesforce Misconfiguration: ShinyHunters Claims 45 Million Records

ShinyHunters continues its Salesforce-centric campaign with McGraw-Hill as the latest documented victim, claiming 45 million records from a misconfigured Salesforce-hosted web page rather than the core enterprise tenant. The campaign has also touched 7-Eleven, Pitney Bowes, Canada Life, and Aman Resorts within the same two-week window. SaaS misconfigurations do not confine their blast radius to the page they’re located on. Audit every externally reachable SaaS integration not just the primary tenant.

DraftKings Credential Stuffing: 60,000 Accounts, No Zero-Days Required

The DraftKings credential stuffing case involved 60,000 compromised accounts monetized using nothing more than reused passwords from prior breaches. No zero-days. No advanced techniques. Just the persistent reality that credential reuse remains one of the most effective attack methods in existence. The attack is as old as breach databases. It keeps working because password hygiene still fails at scale.

Booking.com and Rockstar Gaming: Trust-Based Cloud Access

Booking.com confirmed a breach tied to credential or support workflow compromise rather than infrastructure attack. Rockstar Games data was accessed via a compromised Snowflake environment through a third-party analytics platform. Both cases follow the same pattern: no forced entry, legitimate access used maliciously, no immediate detection. Cloud and SaaS security monitoring must include behavioral anomaly detection for API and integration access not just perimeter controls.

🕵️ Nation-State & Advanced Persistent Threats

Lazarus Group: $290 Million KelpDAO Exploit

North Korea’s Lazarus Group specifically the TraderTraitor cluster executed a $290 million exploit against KelpDAO through a multi-stage attack chain: compromising the downstream RPC endpoint that a decentralized verifier network relied on, using DDoS to force failover to the poisoned endpoint, then spoofing cross-chain messages through KelpDAO’s single-verifier configuration. April 2026 is now the worst month for crypto theft since February 2025, with over $606 million lost across 18 days. North Korea’s crypto operations have crossed from crime into nation-state-scale financial warfare. The Bybit playbook is being refined and repeated.

APT Using Microsoft Outlook Inboxes for Command-and-Control

A sophisticated APT group is using Microsoft Outlook inboxes as a covert C2 channel. The malware authenticates via Azure AD, retrieves encrypted commands from designated mail folders, executes them locally, and returns results through the same channel all over legitimate Microsoft infrastructure. Traditional network filtering and reputation-based detection are ineffective because the traffic is indistinguishable from normal Outlook usage. This is living-off-trusted-cloud at its most operationally sophisticated.

Scattered Spider Guilty Plea: Social Engineering at Scale

A Scattered Spider member pleaded guilty to attacks that used phishing, SIM swapping, and identity manipulation to breach major platforms and extract millions in financial assets. The techniques worked not because of technical sophistication but because human-layer attacks consistently bypass technical controls. Law enforcement is catching up. The techniques, however, continue to evolve and are being adopted broadly across threat actor communities.

North Korea’s $280 Million Drift Theft: Full Post-Mortem

The Drift crypto theft post-mortem confirms the operation involved fake companies, sustained relationship-building over months, physical conference attendance, and social engineering before any technical exploitation occurred. North Korea is operating cybercrime as a corporate function patient, organized, and designed for maximum yield. Security models that don’t account for this level of persistence and organizational investment are not modeling the actual threat.

🛡️ Vulnerabilities & Active Exploitation

Microsoft Defender Zero-Days: Security Tools as Attack Vectors

Microsoft issued emergency patches for three actively exploited zero-days in Defender for Endpoint that allowed attackers to tamper with detection mechanisms effectively disabling security visibility while remaining on the endpoint. EDR is no longer just a defensive layer. It has become part of the attack surface. Organizations operating with a single EDR solution are operating with a single point of failure. Layer endpoint security products. If attackers can silence Defender, they cannot simultaneously silence a second independent product.

Microsoft ASP.NET Core Emergency Patch: Authentication Cookie Forgery

Microsoft issued an out-of-band emergency patch for a critical ASP.NET Core vulnerability allowing attackers to forge authentication cookies through improper HMAC validation. No phishing, no token theft just a forged cookie and full authenticated access. For public-facing applications relying on ASP.NET Core, patch immediately and rotate all data protection keys generated by vulnerable versions.

Microsoft Domain Controller Patch Failure: Cascading Identity Disruption

Microsoft’s April patch cycle introduced instability in domain controllers triggering reboot loops and cascading authentication failures across login systems, VDI environments, and identity infrastructure. Identity systems must have controlled deployment pipelines with staged rollout and pre-deployment validation. Patching identity infrastructure with the same urgency and process as workstation endpoints creates systemic operational risk.

Cisco SD-WAN CVE-2026-20133: CISA KEV, Federal Deadline Active

CISA added Cisco SD-WAN CVE-2026-20133 to the Known Exploited Vulnerabilities catalog with a rapid federal patch deadline. The vulnerability allows unauthenticated attackers to extract sensitive data from the SD-WAN manager the centralized control plane governing routing, segmentation, and policy enforcement across all branch locations. Compromising this system is not lateral movement. It is centralized network dominance. Patch by the federal deadline, or before it.

MOVEit WAF and Kemp LoadMaster: Breaking the Shield

Progress Software patched multiple vulnerabilities in MOVEit WAF and Kemp LoadMaster, including command injection flaws and a WAF bypass allowing crafted requests to evade inspection. These are systems designed to protect enterprise edges and the vulnerabilities turn them into entry points. Given MOVEit’s history with mass exploitation campaigns, enterprise patching urgency here should match federal agency timelines.

Spinnaker RCE: Unauthenticated Access to Production Pipelines

Two unauthenticated remote code execution vulnerabilities in Spinnaker the continuous delivery platform managing cloud deployments allow attackers to execute commands within cloud driver components. Spinnaker has access to deployment logic, credentials, and production infrastructure. Exploitation is not just a breach of infrastructure it is a compromise of software delivery integrity with downstream impact on everything Spinnaker touches.

Marimo RCE: AI Tooling Exploited Within Hours of Disclosure

The Marimo remote code execution vulnerability was exploited within hours of disclosure, with attack chains incorporating Hugging Face as a staging platform and decentralized C2 infrastructure. AI development tools are now enterprise attack surfaces operating without the security rigor applied to traditional infrastructure. Isolation, network egress restriction, and patching for AI tooling must match enterprise security standards.

AI Sandbox Escape: Terrarium Vulnerability Enables Root Access

A critical vulnerability in Cohere’s open-source Terrarium project allows sandboxed AI-generated code to escape containment and execute at the host level with root privileges through improper WebAssembly and JavaScript prototype handling. Terrarium is widely deployed to execute AI-generated code safely. This vulnerability eliminates that safety boundary entirely. Any untrusted AI-generated script in a vulnerable Terrarium environment can compromise the host, extract secrets, and move laterally. AI infrastructure is being deployed with pre-2010 security assumptions.

Fortinet Sandbox: Unauthenticated Root Command Execution

A critical Fortinet Sandbox vulnerability allows unauthenticated command execution as root, with public exploit code already available. Security appliances with public exploits become trusted footholds with administrative access the moment they are successfully targeted. Patch immediately and treat every security tool as part of the attack surface, not just the defense.

Apache ActiveMQ: Old Bugs, Active Exploitation

Apache ActiveMQ vulnerabilities are being actively exploited, often chained with default credentials and legacy flaws. Middleware sitting deep in application environments is a persistent, quiet attack surface. Default credentials must be eliminated across every middleware component in enterprise environments. There is no acceptable reason for default credentials to survive past deployment.

Anthropic MCP: Architectural RCE Risk Across AI Development Tools

A critical design flaw in Anthropic’s Model Context Protocol introduces remote code execution risk across a wide ecosystem of AI development tools with millions of downloads and hundreds of thousands of instances in scope. The vendor’s position that the behavior is “by design” raises serious concerns about security maturity in AI framework development. Audit and restrict all MCP integrations and AI agent frameworks for scope, permissions, and network access.

ICS Patch Tuesday: OT Exposure Continues

Siemens, Schneider Electric, Rockwell, and five additional major industrial vendors released advisories. OT environments accumulate vulnerability over time through operational continuity constraints and infrequent patching cycles. Dedicated OT vulnerability management processes separate from IT patch workflows are required to address this accumulating risk.

Mirai Botnets: End-of-Life D-Link Routers Actively Exploited

Two Mirai botnet campaigns are actively exploiting command injection vulnerabilities in discontinued D-Link routers. End-of-life devices that are never inventoried, never retired, and never replaced become permanent participants in attacker infrastructure. Asset visibility for all network-connected devices including legacy and end-of-life equipment is a foundational security requirement, not a maturity milestone.

Oracle: 481 Patches Across 28 Product Families

Oracle released 481 security patches in one of the largest patch cycles in its history arriving in the same week as Microsoft’s emergency patches and the broader vendor patch deluge. The risk here is not just vulnerability. It is patch fatigue. When security teams are overwhelmed, prioritization degrades and critical fixes are delayed or missed. Triage ruthlessly by attack surface exposure and business criticality.

🤖 AI, Supply Chain & Developer Threats

Self-Propagating npm Worm: Autonomous Cross-Ecosystem Spread

A malicious npm package targeting the widely used “pg” database ecosystem includes a self-propagating worm that steals developer tokens and republishes malicious versions autonomously across accessible packages. Once it finds a valid npm token, it enumerates accessible packages, injects malicious code, publishes new versions, and repeats cascading through the ecosystem within hours. The worm also targets PyPI, making this a cross-ecosystem supply chain attack. One compromised developer environment can infect the broader ecosystem before a human analyst has time to respond. Revoke and rotate all npm and PyPI tokens across every developer environment immediately.

Cisco Talos Q1 2026 Report: Phishing Reclaims Top Spot

Cisco Talos’ Q1 2026 Incident Response report confirms phishing has re-emerged as the leading initial access vector, accounting for over one-third of incidents. What changed is not the technique it’s the effectiveness. Adversary-in-the-middle phishing kits and real-time MFA bypass capabilities have fundamentally elevated phishing success rates. User awareness training developed even twelve months ago does not reflect the current threat. Update training programs to explicitly address MFA bypass techniques.

Glassworm: Zig-Based Dropper Targets Developer IDEs

Glassworm evolved with a new variant using a Zig-based dropper to target developer environments and IDE ecosystems. Attackers moving into the development lifecycle mean they influence what gets built not just what runs in production. Enforce signed plugin requirements, approved extension lists, and strict access controls across all developer tooling environments.

BlueSky DDoS: Availability as a Security Dimension

A multi-day DDoS attack against BlueSky disrupted core platform functionality for an extended period. Availability is a security property and as organizations and users adopt decentralized architectures and alternative platforms, the DDoS threat surface expands. Pre-defined DDoS mitigation plans and tested response procedures must be in place before the attack begins.

2.4 Million Exposed FTP Servers: Basic Hygiene Still Failing

Over 2.4 million internet-facing FTP servers continue to operate without encryption providing cleartext credential transmission to any attacker willing to look. This is not a sophisticated threat. It is a global-scale failure of basic security hygiene that has persisted for years. Eliminate cleartext protocols. Enforce encryption across all services. There is no operational justification for unencrypted FTP in 2026.

⚖️ Law Enforcement & Policy

Scattered Spider Guilty Plea: Tyler B Sentenced

A Scattered Spider member pleaded guilty to charges involving approximately $8 million in SIM-swap-driven fraud and data theft. Law enforcement is demonstrating meaningful enforcement capability against technically sophisticated social engineering actors. The techniques, however, are spreading to broader threat actor communities faster than enforcement can deter them.

DDoS-for-Hire Network Disrupted: 75,000 Users Warned

Law enforcement disrupted a DDoS-for-hire infrastructure, seizing domains and issuing warnings to over 75,000 registered users. Disruption creates friction and raises cost for criminal operators. It does not permanently eliminate the capability — cybercrime ecosystems rebuild on new infrastructure. Continuous monitoring remains essential.

North Korean IT Worker Sentencing

Two individuals were sentenced for supporting North Korea’s fake IT worker scheme the regime-funded operation placing operatives inside global companies as legitimate remote employees. These enforcement actions represent meaningful progress in attributing and prosecuting an operation that has been running for years. The threat, however, continues.

FCC Cybertrust Mark: IoXT Alliance Named Lead Administrator

The FCC Cybertrust Mark program for connected device security has a new lead administrator in the IoXT Alliance, putting the consumer IoT security baseline program back on track after UL’s withdrawal. Any policy framework that raises the minimum security floor for connected devices has direct defensive value given the persistent exploitation of routers and IoT endpoints.

✅ This Week’s Priority Action List

Immediate (Do This Now)

• Patch Cisco SD-WAN CVE-2026-20133 — CISA KEV with federal deadline, unauthenticated control plane access

• Patch Microsoft ASP.NET Core authentication cookie forgery — emergency out-of-band patch, rotate all data protection keys immediately

• Patch Microsoft Defender for Endpoint zero-days — EDR tampering enabling silent attacker persistence

• Revoke and rotate ALL npm and PyPI developer tokens — self-propagating worm is actively spreading

• Patch MOVEit WAF and Kemp LoadMaster — WAF bypass and command injection with public exposure

• Patch Spinnaker RCE — unauthenticated access to production deployment pipelines

• Patch Fortinet Sandbox — public exploit code available for unauthenticated root execution

• Patch Marimo and audit all Hugging Face integrations for indicators of compromise

Short-Term (This Month)

• Audit ALL OAuth grants across Microsoft 365 and Google Workspace, Vercel breach is the template for AI OAuth pivot attacks

• Layer endpoint security with a second independent EDR product single EDR creates single point of failure

• Implement staged deployment pipelines for identity infrastructure patches separate from workstation cycles

• Enforce just-in-time access and session recording for all third-party incident response and consulting access

• Implement object-level authorization testing in all application security release gates

• Enforce cryptographic signature verification before any software installation in enterprise environments

• Update phishing awareness training to explicitly include MFA bypass and adversary-in-the-middle techniques

• Replace or isolate all end-of-life D-Link routers and unmanaged network devices

• Eliminate all cleartext FTP services 2.4 million exposed servers is a collective failure, don’t be part of it

• Implement human approval gates for high-risk AI-driven financial transactions

Strategic (This Quarter)

• Establish dedicated OT vulnerability management processes independent of IT patch cycles

• Conduct comprehensive audit and restriction of all MCP integrations and AI agent framework permissions

• Isolate AI execution environments with network egress restrictions and runtime monitoring

• Enforce multi-verifier models in all blockchain and DeFi architectures single verifier is a single point of failure

• Build dedicated fast-lane patch processes for internet-facing infrastructure separate from workstation cadence

• Plan post-breach identity degradation response for regions with national identity database exposure (France)

• Stress test offline backup integrity and recovery procedures — wiper malware eliminates recovery paths

Leave a comment

🎙️ James Azar’s CISO’s Take

When I look at this week in its entirety, every story ties back to the same root cause: trust being extended to systems, tools, integrations, and people without continuous validation and attackers exploiting exactly that gap. France’s national identity database. Authentication cookies. OAuth grants to AI tools. Outlook inboxes used as C2 channels. A ransomware negotiator feeding victim intelligence to BlackCat. These aren’t exotic attacks. They are the logical consequence of building systems on trust assumptions that were never designed to be verified continuously. And in 2026, that design assumption is the vulnerability. Control planes are the target this week SD-WAN managers, WAF admin APIs, Spinnaker pipelines, OAuth tokens all one unauthenticated bug or over-scoped consent grant away from total compromise.

The second takeaway is speed. The npm worm demonstrates how quickly compromise propagates when supply chain security is absent. The ASP.NET forgery flaw shows how quickly authentication can be bypassed once a flaw is in the wild. The APT using Outlook for C2 shows how long patient adversaries can persist when detection depends on network indicators instead of behavioral ones. We are operating in an environment where time is the deciding factor, and organizations that cannot detect and respond within the attacker’s operational window will absorb the full impact. Patch the CVE-2026-20133 today. Audit your OAuth grants this week. Stress test your offline backups before you need them. That is how you reduce the blast radius when not if the next trust assumption fails.

Stay Cyber Safe. 🔐

Today’s episode is absolutely loaded, this is one of those “everything is breaking at once” kind of days.

We’ve got a national identity breach, an AI sandbox escape, a Microsoft emergency patch, Mirai botnets, a self-propagating npm worm, an APT abusing Outlook for command-and-control, and more.

If there’s one theme across every story today, it’s this:
👉 The systems we trust to prove identity and enforce boundaries are failing.

Double espresso in hand—let’s get into it.

Subscribe now

Today’s threat landscape highlights a systemic breakdown in identity, trust validation, and software supply chains. From a breach exposing millions of national identities in France to AI sandbox failures enabling root access, attackers are exploiting foundational systems that underpin authentication, execution, and trust.

At the same time, we’re seeing acceleration in automated propagation (npm worm), credential abuse (ASP.NET flaw), and stealthy persistence (APT via Outlook). Combined with large-scale patch cycles and unpatched legacy infrastructure, the result is a highly volatile environment where one weak trust layer can cascade into widespread compromise.

🇫🇷 France National ID Breach – 19 Million Records Exposed

France’s national identity agency (ANTS) confirmed a breach impacting up to 19 million individuals, exposing highly sensitive data including full names, birthdates, addresses, and civil status. This isn’t just another data breach, it’s a foundational identity dataset leak.

The real danger lies in downstream impact. With this level of data, attackers can conduct highly targeted phishing, impersonation, tax fraud, healthcare fraud, and even banking account takeovers for years to come. The French government has already warned citizens to expect smishing and phishing campaigns tied directly to this data.

From a practitioner standpoint, this is a nightmare scenario. Identity is the backbone of authentication systems, and when it’s compromised at a national level, every organization interacting with those users inherits risk.

🤖 AI Sandbox Escape – “Terium” Vulnerability Breaks Containment

A critical vulnerability in Cohere’s open-source Terium project allows sandboxed AI-generated code to escape containment and execute at the host level with root privileges.

This flaw exists in the WebAssembly layer, where improper handling of JavaScript prototypes allows attackers to pivot from a supposedly isolated environment into the underlying Node.js runtime.

This is significant because Terium is widely used to execute AI-generated code safely. With this vulnerability, there is effectively no sandbox, meaning any untrusted AI-generated script can compromise the host system, extract secrets, and move laterally.

This reinforces a growing pattern: AI infrastructure is being deployed with pre-2010 security assumptions, and attackers are catching up fast.

🪟 Microsoft ASP.NET Core Emergency Patch – Authentication Forgery Risk

Microsoft issued an out-of-band patch for a critical ASP.NET Core vulnerability that allows attackers to forge authentication cookies and elevate privileges without valid credentials.

The flaw lies in improper HMAC validation during cookie handling, effectively allowing attackers to bypass authentication entirely. No phishing, no token theft—just a forged cookie and access granted.

This is particularly dangerous for public-facing applications relying on ASP.NET Core, as it directly undermines the integrity of authentication mechanisms.

The urgency here is clear: patch immediately and rotate all data protection keys generated by vulnerable systems.

🌐 Mirai Botnets Return – Exploiting End-of-Life Routers

Two separate Mirai botnet campaigns are actively exploiting vulnerabilities in discontinued D-Link routers, which no longer receive security updates.

Attackers are leveraging command injection flaws to deploy botnet payloads, turning vulnerable devices into part of a distributed attack infrastructure.

The bigger issue here isn’t just the botnet, it’s asset visibility. Organizations often fail to inventory or retire end-of-life devices, leaving them exposed indefinitely.

These devices don’t just sit idle they become active participants in attacks.

🧬 Self-Spreading npm Worm – Supply Chain Attack Goes Autonomous

This is one of the most concerning developments of the day.

A malicious npm package targeting the widely used “pg” ecosystem includes a self-propagating worm that steals developer tokens and republishes itself across other packages.

Once it finds a valid npm token, it:

• Enumerates accessible packages

• Injects malicious code

• Publishes new versions

• Repeats the cycle

This creates a cascading effect where one compromised developer environment can infect the broader ecosystem within hours.

Even more concerning, the worm also targets PyPI, making it a cross-ecosystem supply chain attack.

This is the industrialization of software compromise.

📊 Cisco Talos IR Report – Phishing is Back at the Top

Cisco Talos’ Q1 2026 report shows phishing has re-emerged as the leading initial access vector, accounting for over one-third of incidents.

What’s changed isn’t phishing itself, it’s effectiveness. Adversary-in-the-middle kits and MFA bypass techniques have made phishing campaigns far more successful.

At the same time, exploitation of public-facing applications especially SharePoint continues to drive initial access.

The takeaway is simple: user awareness training from even a year ago is already outdated.

📧 APT Using Outlook for Command-and-Control

A sophisticated APT group is using Microsoft Outlook inboxes as a command-and-control channel.

The malware authenticates via Azure AD, accesses specific mail folders, retrieves encrypted commands from emails, executes them locally, and responds with results.

This technique leverages trusted Microsoft infrastructure, making detection extremely difficult. Traditional network filtering and reputation-based controls are ineffective because the traffic appears legitimate.

This is a prime example of living off trusted cloud services for stealthy operations.

💰 DeFi Exploit – Ownership Validation Bypassed

A DeFi platform was drained of millions after attackers exploited a flaw that incorrectly validated ownership of vault assets.

Unlike typical exploits involving private keys or reentrancy bugs, this attack manipulated logic to convince the system that the attacker was the legitimate owner.

This highlights a critical issue in decentralized finance: trust in smart contract logic is often misplaced, and small validation flaws can lead to massive financial loss.

🧱 Oracle Patch Drop – 481 Fixes Overwhelms Teams

Oracle released 481 security patches across 28 product families, one of the largest patch cycles in its history.

This comes on top of Microsoft’s patch load and emergency fixes, creating a significant operational challenge for security teams.

The risk here isn’t just vulnerability it’s patch fatigue. When teams are overwhelmed, prioritization suffers, and critical fixes can be delayed or missed entirely.

🛠️ Action Items for Security Leaders

• 🔐 Rotate credentials and enforce phishing-resistant MFA across all users

• 🧩 Patch ASP.NET Core immediately and rotate authentication keys

• 🤖 Isolate AI execution environments and restrict network egress

• 🧬 Revoke and rotate all npm and PyPI tokens across developer environments

• 🚫 Block malicious package versions and enforce dependency validation

• 🌐 Replace or isolate all end-of-life networking equipment

• 📧 Monitor Microsoft Graph and Outlook API activity for anomalies

• 🧠 Update phishing training to include MFA bypass techniques

• 💰 Conduct smart contract audits with focus on ownership validation logic

• 🧱 Prioritize patching for internet-facing and high-risk Oracle systems

Leave a comment

🧠 James Azar’s CISOs Take

What stood out to me today is how every single story ties back to trust. Whether it’s a national identity database, an AI sandbox, a software package registry, or an authentication cookie, attackers are going after the mechanisms that define who and what is trusted. And once they compromise that, everything built on top of it becomes vulnerable.

The second takeaway is speed. The npm worm shows how quickly compromise can spread. The ASP.NET flaw shows how quickly attackers can exploit authentication. The APT using Outlook shows how long attackers can persist undetected. We are operating in an environment where time is the deciding factor and organizations that cannot detect and respond quickly will fall behind.

🔥 Stay Cyber Safe.

Today’s episode hits differently. This isn’t just another day of vulnerabilities and breaches, this is a shift in where attackers are focusing. They’re no longer knocking on the front door…

👉 They’re going straight for the control systems that run everything.

Think SD-WAN controllers. Think CI/CD pipelines. Think OAuth integrations.

💡 If it manages your environment, it’s now a primary target.

Double espresso ready, let’s dive in. Coffee Cup Cheers,

🧭 Executive Snapshot

Today’s stories all point to one uncomfortable truth:
Attackers are scaling access by targeting orchestration layers, not endpoints.

• 🎯 Control planes are being exploited

• 🤖 AI integrations are becoming insider threats

• 🏭 OT systems remain dangerously exposed

• 💣 Destructive malware is back on the table

This isn’t about isolated incidents anymore, it’s about systemic exposure across modern architectures.

Subscribe now

🌐 Cisco SD-WAN Vulnerability – Control of the Network Itself

CISA’s addition of the Cisco SD-WAN vulnerability (CVE-2026-20133) to the KEV catalog with a rapid federal patch deadline highlights just how critical this issue is. This flaw allows unauthenticated attackers to extract sensitive data directly from the SD-WAN manager, which acts as the centralized control plane for enterprise connectivity. In practical terms, this system governs routing, segmentation, and policy enforcement across all branch locations. Once compromised, attackers can gain visibility into network topology, harvest credentials, and potentially manipulate traffic flows. This is not lateral movement, it’s centralized dominance of the network, making it one of the most dangerous classes of vulnerabilities we see today.

🧱 MOVEit WAF & Load Balancer Vulnerabilities – Breaking the Shield

Progress Software’s patching of multiple vulnerabilities in MOVEit WAF and Kemp LoadMaster is particularly concerning because these systems are designed to protect enterprise edges. Among the flaws are command injection vulnerabilities and a WAF bypass that allows crafted requests to slip through inspection mechanisms. The implication is severe: attackers can execute commands or bypass defenses without triggering alerts, effectively turning a protective control into an entry point. Given MOVEit’s history with mass exploitation campaigns, this reinforces that edge security appliances remain high-value and high-risk targets, especially when they sit between external traffic and internal systems.

🤖 Vercel Breach via AI OAuth – Trust Exploited Through Integration

The Vercel breach is one of the most important case studies of modern cyber risk. Attackers didn’t exploit Vercel directly—they compromised a third-party AI tool (Context AI), harvested credentials, and leveraged OAuth permissions to gain access to Vercel’s internal environment. Because OAuth grants are often broad and persistent, the attacker effectively operated with legitimate access, reaching environment variables, API keys, and internal systems. This attack demonstrates how AI tools and SaaS integrations blur the line between external and internal access, creating blind spots in security monitoring. It also reinforces that OAuth is no longer just a convenience feature, it is a critical identity boundary that must be governed like privileged access.

🚀 Spinnaker RCE – Direct Path to Production Environments

The disclosure of two unauthenticated remote code execution vulnerabilities in Spinnaker introduces risk directly into the software delivery pipeline. Spinnaker is widely used to manage continuous delivery across cloud environments, meaning it has access to deployment logic, credentials, and production systems. Exploiting these vulnerabilities allows attackers to execute commands within cloud driver components, potentially exposing secrets, altering deployments, or injecting malicious code into production. This is not just a breach of infrastructure, it’s a compromise of software integrity and trust in application delivery, which can have downstream effects across customers and users.

🏭 OT “Bridge Break” Vulnerabilities – The Weak Link Between IT and OT

Forescout’s disclosure of 22 vulnerabilities in serial-to-Ethernet converters highlights a persistent and dangerous issue in industrial environments. These devices act as bridges between operational technology (OT) and traditional IT networks, often enabling remote monitoring and control of physical systems. Because they are frequently exposed to the internet and lack modern security controls, they become ideal entry points for attackers. Exploitation could allow manipulation of sensor data, disruption of industrial processes, or lateral movement into broader networks. This is particularly concerning in sectors like manufacturing, utilities, and healthcare, where these systems underpin critical operations. The reality is that OT environments continue to inherit risk from legacy design assumptions that no longer hold true.

💣 Lotus Wiper Malware – Destruction Over Disruption

The Lotus wiper malware represents a different class of threat—one focused on destruction rather than financial gain. Targeting energy and utility organizations in Venezuela, this malware operates at a low level to erase data, remove recovery mechanisms, and corrupt systems beyond repair. Unlike ransomware, there is no negotiation or recovery path. The intent is to permanently disrupt operations, potentially impacting power generation and distribution. This aligns with broader geopolitical tensions and demonstrates that cyber operations are increasingly being used as tools of strategic disruption, not just crime.

🧠 Gentleman Ransomware & SystemBC – The Signals Before the Storm

The use of SystemBC malware by ransomware groups provides a valuable insight into how attacks unfold. SystemBC establishes proxy tunnels and encrypted communication channels, allowing attackers to maintain persistent access while preparing for later stages of the attack. This phase often includes reconnaissance, credential harvesting, and lateral movement. By the time ransomware is deployed, the attacker has already mapped the environment and established control. This underscores the importance of detecting early indicators, as the real opportunity to stop ransomware is before encryption begins, not after.

🏭 Akira Ransomware – Supply Chain Risk Amplified

Akira’s continued targeting of manufacturing and engineering firms highlights the growing importance of supply chain risk. Many of these organizations serve as suppliers to larger enterprises, including those in aerospace and defense. A breach at this level can expose sensitive data, disrupt production, and create cascading effects across industries. This is no longer about a single organization being compromised, it’s about entire ecosystems being impacted through interconnected dependencies.

⚖️ Insider Threat – When Trust Becomes the Vulnerability

The case of a ransomware negotiator pleading guilty to collaborating with attackers is a stark reminder that insider risk extends beyond employees. Third-party vendors, consultants, and incident response providers often have deep access to sensitive information. In this case, that trust was exploited to provide attackers with negotiation strategies and victim data. This highlights the need for strict controls, monitoring, and segmentation even within trusted relationships, as insider threat is often a function of access, not intent.

👮 Scattered Spider – Social Engineering at Scale

The guilty plea of a Scattered Spider member reinforces the effectiveness of social engineering-driven attacks. This group leveraged phishing, SIM swapping, and identity manipulation to gain access to major platforms and financial assets. Their success demonstrates that even advanced organizations remain vulnerable to human-layer attacks, which often bypass technical controls entirely. While law enforcement actions are a positive development, the techniques used by these groups continue to evolve and proliferate.

Priority Actions

Priority Action

🔴 FridayPatch Cisco SD-WAN CVE-2026-20133

🔴 CriticalPatch MOVEit WAF/Kemp LoadMaster

🔴 CriticalUpgrade Spinnaker

🟠 HighAudit ALL OAuth grants in Workspace/M365

🟠 HighMicrosegment Lantronix/Silex OT gateways

🟡 MediumBlock SystemBC C2 at egress

CISO’s Take

Control planes are the target this week: SD-WAN managers, WAF admin APIs, Spinnaker pods, OAuth tokens, all one unauthenticated bug or over-scoped consent away from compromise. The Vercel breach is the clearest example of AI supply chain risk we’ve seen: a third-party AI tool’s compromised employee led to OAuth pivot into Vercel’s environment. An AI tool with unrestricted OAuth scope is indistinguishable from an insider.

The other thread: destructive intent and insider accountability. Lotus burning Venezuelan energy infrastructure shows wipers don’t ransom—they take generation offline. Akira hitting defense supply chain parts manufacturers creates exposure beyond single victims. And courtrooms are catching up: a ransomware negotiator selling victim data to BlackCat, Scattered Spider’s Tyler B owning up to $8M in sim swaps. If you do three things today: patch CVE-2026-20133 before Friday, audit your OAuth grants, and stress test your offline backups.

Stay Cyber Safe

Share

Today’s show is one of those rare moments where multiple fault lines in cybersecurity crack at the same time. We’re not looking at isolated incidents we’re seeing systemic stress across endpoint security, AI tooling, patch management, and financial ecosystems. The common thread is clear: the controls we trust most are now being actively exploited.

Today’s episode highlights a convergence of risks across enterprise environments. Attackers are no longer focused on bypassing defenses—they are repurposing trusted systems as attack vectors. From Defender zero-days disabling detection capabilities, to AI frameworks introducing remote code execution risks by design, to crypto theft reaching industrial scale, the modern threat landscape is defined by speed, scale, and trust exploitation.

Organizations must shift from a prevention-first mindset to one centered on resilience, validation, and layered defense, particularly across identity, AI, and developer ecosystems.

Subscribe now

Microsoft Defender Zero-Days – Security Tools as Attack Vectors

Microsoft issued emergency patches for three actively exploited zero-days in Defender for Endpoint. These vulnerabilities allowed attackers to tamper with detection mechanisms, effectively disabling security visibility.

This marks a critical shift. Endpoint Detection and Response (EDR) is no longer just a defensive layer, it has become part of the attack surface. If attackers can neutralize your detection stack, they gain time, persistence, and operational freedom.

The implication is significant: organizations relying on a single EDR solution are operating with a single point of failure.

“Attackers aren’t bypassing your defenses—they’re turning them into theirs.” James Azar and continues "That's why you need two endpoint products, not just one. It's a sad truth, but you've got to layer them. They might be able to silence Defender, but they can't silence SentinelOne or CrowdStrike. Attackers are no longer just evading endpoint security, they're actively weaponizing it."

Domain Controller Patch Failure – Operational Risk from Remediation

Simultaneously, Microsoft’s April patch cycle introduced instability in domain controllers, triggering reboot loops and widespread authentication failures.

This resulted in cascading operational disruptions, including login failures, VDI outages, and identity system degradation.

This is the paradox of modern security operations: patching is essential, but poorly validated patches can introduce systemic risk. Identity infrastructure must be treated as mission-critical systems requiring controlled deployment pipelines.

AI Supply Chain Exploitation – Marimo and Hugging Face

The Marimo RCE vulnerability, exploited within hours of disclosure, demonstrates how quickly attackers are operationalizing weaknesses in AI tooling.

Attack chains now include trusted platforms like Hugging Face, combined with decentralized command-and-control infrastructure, making mitigation more complex.

This signals a new reality: AI development environments are now enterprise attack surfaces, often deployed without the rigor applied to traditional infrastructure.

Anthropic MCP Vulnerability – Systemic AI Risk

A critical design flaw in Anthropic’s Model Context Protocol (MCP) introduces remote code execution risk across a wide ecosystem of AI development tools.

The scale of exposure millions of downloads and hundreds of thousands of instances—combined with the vendor’s stance that the behavior is “by design,” raises serious concerns about security maturity in AI frameworks.

This is not a bug. It is an architectural risk.

Lazarus Group Crypto Heist – Industrialized Financial Attacks

North Korea’s Lazarus Group executed a $290 million exploit against KelpDAO, leveraging weaknesses in cross-chain bridge architecture.

This follows a repeatable playbook: compromise infrastructure, manipulate trust assumptions, and extract value at scale.

Layer Zero is attributing the attack to North Korea’s Lazarus Group, specifically the TraderTraitor cluster.

The attack chain:

1. Compromised the downstream RPC endpoint that DVN relied on

2. Used DDoS to force failover to the poisoned endpoint

3. Spoofed cross-chain messages through KelpDAO’s single verifier setup

KelpDAO is disputing the narrative, arguing the single verifier configuration was Layer Zero’s own default rather than an unusual choice.

This correlates with Bybit’s $1.5 billion heist playbook and the broader DPRK revenue engine we’ve been tracking. April 2026 is now the worst month for crypto hacks since February 2025, with over $606 million lost in 18 days.

The volume of crypto theft in April alone underscores a critical trend financial cybercrime is now operating at nation-state scale and efficiency.

Salesforce Campaign – ShinyHunters Expands Targeting

ShinyHunters continues its campaign targeting Salesforce environments, now focusing on high-value organizations like Aman Resorts.

The Aman Resorts story is short but sharp, and the clock is ticking. Ransomware.live and Hookfish report Shiny Hunters added the ultra-luxury hospitality brand Amman Resorts to its leak portal on April 19th, claiming 500,000 Salesforce records of PII with an April 21st deadline to pay or see the data posted publicly.

This listing is the latest in Shiny Hunters’ active Salesforce-centric campaign that has also touched 7-Eleven, Pitney Bowes, Canada Life Assurance Company, and Marcus & Millichap in the last two weeks.

Rather than exploiting platform vulnerabilities, attackers are abusing integrations, OAuth scopes, and API access.

This reflects a broader shift toward identity and integration layer exploitation, where traditional perimeter defenses offer little protection.

Subscribe now

BlueSky DDoS – Availability as a Primary Target

A multi-day DDoS attack against BlueSky disrupted core platform functionality, reinforcing that availability remains a critical component of security.

As organizations adopt decentralized architectures, mitigating volumetric and application-layer attacks becomes increasingly complex.

Internet Exposure – FTP as a Persistent Weakness

Despite years of awareness, over 2.4 million internet-facing FTP servers still operate without encryption. This is not a sophisticated threat, it is a failure of basic security hygiene at global scale.

Cleartext protocols continue to provide attackers with effortless access to credentials and sensitive data.

Key Action Items

• Deploy layered endpoint security controls to mitigate EDR tampering risks

• Implement staged patching and validation for identity infrastructure

• Secure AI and data science environments with enterprise-grade controls

• Audit and restrict AI agent frameworks and MCP integrations

• Enforce multi-verifier models in blockchain and DeFi architectures

• Review SaaS integrations, OAuth scopes, and API access patterns

• Strengthen DDoS response strategies with pre-defined mitigation plans

• Eliminate cleartext protocols and enforce encryption across all services

• Monitor for credential theft and privilege escalation indicators

• Continuously validate trust assumptions across all systems

Leave a comment

James Azar’s CISOs Take

What we’re seeing today is not a series of independent failures, it’s a systemic shift in how cyber risk manifests. Endpoint protection, AI tooling, patching processes, and financial systems are all being tested simultaneously. This isn’t coincidence. It’s the result of attackers identifying where trust has been overextended and exploiting it at scale.

The path forward requires a fundamental change in approach. Security can no longer rely on static controls or assumptions of safety. Every system must be treated as potentially compromised, every integration as a risk vector, and every layer as something that must be continuously validated. Organizations that embrace this mindset will adapt. Those that don’t will continue reacting to incidents rather than preventing impact.

Stay Cyber Safe

Today’s show is one of those where you can clearly see the convergence of everything we’ve been talking about AI risk, supply chain compromise, critical infrastructure targeting, and long-tail operational damage.

And if there’s one theme that cuts across every single story today, it’s this: attackers are abusing trust faster than defenders can validate it.

Double espresso in hand, let’s get into it. Coffee Cup Cheers

Subscribe now

AI Threat to Global Banking: Speed vs. Control

We kick things off with financial leaders warning that advanced AI models could destabilize parts of the global banking system. This isn’t about hallucinations or bad outputs, it’s about scale and speed.

AI is enabling fraud, automating attacks, and accelerating decision-making faster than human oversight can keep up. And in banking, where regulation slows everything down, that gap becomes dangerous.

The real risk here is systemic fraud happening faster than institutions can detect or respond, potentially leading to financial instability.

This is where AI shifts from a tool to a threat multiplier.

Vercel Breach: Developer Infrastructure Under Fire

Next, Vercel confirmed a breach involving unauthorized access to internal systems, with attackers claiming access to source code, tokens, and internal dashboards.

This is a direct hit on developer infrastructure and CI/CD environments.

“Attackers don’t need to break trust, they just need to use it better than we protect it.”

And that matters because these systems aren’t just internal, they’re gateways into production environments and customer data. The risk here isn’t just what was accessed, it’s what can be accessed next through stolen tokens and deployment pipelines.

This is supply chain risk in real time.

Crypto Exchange Hack: Blame vs. Reality

A crypto exchange suffered a $13.7 million hack and blamed Western intelligence agencies. Regardless of attribution, the reality is simple, the funds are gone.

This highlights a recurring issue in crypto incidents: geopolitics often clouds transparency. But users don’t care about attribution, they care about access to their funds.

The risk is erosion of trust in platforms where accountability becomes secondary to narrative.

NHS Ransomware Fallout: Two Years Later, Still Broken

The NHS story is one of the most important today—and the most overlooked.

Nearly two years after a ransomware attack, healthcare services in London are still dealing with the fallout thousands of delayed procedures, disrupted diagnostics, and ongoing operational issues.

“Cyber incidents don’t end when systems come back online—they end when operations fully recover.” James Azar

This is the long tail of cyber incidents. Ransomware isn’t just a data problem, it’s a multi-year operational crisis. And healthcare, more than any other sector, feels that impact directly in patient care.

ZionSiphon Malware Targets Water Infrastructure

This is one of the most concerning stories of the day. ZionSiphon malware is targeting water treatment and desalination systems, specifically looking for processes related to chlorine handling and water purification.

It even includes references to poisoning water supplies. This isn’t theoretical.

This is early-stage OT malware with real-world consequences.

Even if incomplete, it’s enough to cause damage—and that’s what makes it dangerous. We’ve seen this before. Oldsmar, Florida. One analyst prevented disaster. This is that same playbook evolving.

Apache ActiveMQ Exploited: Old Bugs, New Campaigns

ActiveMQ vulnerabilities are now being actively exploited, often chained with default credentials and older bugs. This is a recurring theme:

Old vulnerabilities + weak configurations = new attacks. Middleware like ActiveMQ sits deep in application environments, making it a perfect foothold for attackers.

Quiet. Persistent. Dangerous.

Fortinet Sandbox Flaw: Security Tools Become Attack Vectors

A critical Fortinet Sandbox vulnerability allows unauthenticated command execution as root with public exploit code already available. This is a reminder that security tools themselves are part of the attack surface.

If compromised, they become trusted footholds for attackers. The irony is real and so is the risk.

Apple Alert Phishing: When Real Becomes the Threat

Attackers are abusing legitimate Apple account notifications to deliver phishing messages. These emails pass all authentication checks, SPF, DKIM, DMARC, because they’re actually sent by Apple.

This is next-level phishing. No fake domains. No obvious red flags. Just trusted communication turned into an attack vector.

Good Guys Prevail: DDoS Crackdown and North Korea Sentencing

On the positive side, law enforcement disrupted a DDoS-for-hire network, seizing domains and warning over 75,000 users. Additionally, two individuals were sentenced for supporting North Korea’s fake IT worker scheme.

These are wins—but they’re temporary. Cybercrime ecosystems adapt quickly. Disruption creates friction, not elimination.

DraftKings Credential Stuffing Case: Old Tactics Still Work

Finally, the DraftKings case reminds us that credential stuffing is still highly effective. Attackers used reused credentials from other breaches to access 60,000 accounts and monetize them.

No zero-days. No advanced techniques. Just reused passwords.

Sometimes the biggest risks are still the simplest.

Action Items for Security Leaders

• Introduce human approval gates for high-risk AI-driven financial workflows

• Treat CI/CD and developer platforms as production-grade assets

• Enforce rapid token rotation and eliminate static credentials

• Demand transparency and proof-of-reserve in crypto platforms post-incident

• Build healthcare recovery plans around clinical workflows, not just IT systems

• Baseline OT behavior and monitor for unauthorized process changes

• Remove default credentials and patch middleware like ActiveMQ immediately

• Patch and audit security appliances as high-priority infrastructure

• Train users to verify alerts directly from official apps—not email links

• Strengthen defenses against credential stuffing and automated abuse

Leave a comment

James Azar’s CISOs Take

What stood out to me today is how interconnected everything has become. AI, cloud, OT systems, and user behavior are no longer separate domains—they’re all part of the same attack surface. When attackers exploit trust in one area, it cascades into others. That’s why we’re seeing incidents that start in one place and end somewhere completely different.

The second takeaway is the importance of resilience. Too many organizations still think in terms of prevention, but today’s stories especially NHS and water infrastructure show that recovery and continuity are just as critical. We need to design systems not just to stop attacks, but to survive them. Because in today’s environment, survival is the real measure of security.

Stay Cyber Safe.

We’re back and yes, the Azar family grew by one beautiful baby boy this week. Sleep is rare. Coffee is mandatory. And James is back in the saddle with the double espresso running and the full Security Gang energy you’ve come to expect.

If this week’s stories have a common thread, it’s this: the most dangerous cyber threats aren’t the loudest ones. Sweden was nearly hit by a Russian attack on its heating infrastructure, and that attack failed, but the intent was unmistakable. Ukrainian hospitals and government agencies are being targeted with malware specifically designed to disrupt societal stability. Twelve thousand systems in the Middle East were scanned in an Iranian-style reconnaissance campaign.

And Patch Tuesday arrived with what may be the second-largest Microsoft patch cycle ever 167 vulnerabilities, including an exploited SharePoint zero-day arriving the same week as critical patches from Fortinet, SAP, Adobe, Ivanti, and eight major industrial vendors.

Meanwhile, the week’s breach stories reinforced a pattern we’ve been tracking for months: attackers exploiting trust rather than force. Booking.com, Rockstar Games via Snowflake, McGraw-Hill via a Salesforce misconfiguration, a Kraken insider threat, and supply chain compromises in GitHub, Jira, and npm all shared the same fingerprint legitimate access, trusted platforms, and no alarm bells until it was too late.

James opened one of this week’s shows with a reflection on Yom HaShoah Holocaust Remembrance Day and the quiet, slow erosion that precedes catastrophe. It was a reminder that whether in society or in cybersecurity, the warnings come long before the breaking point. The question is whether we’re paying attention.

“Attackers keep winning by abusing things we already trust — SaaS pages, support workflows, app authorization, collaboration platforms, and even our own security appliances, ERP systems, and VPN clients. The defensive move is not magic. It is knowing which trusted systems have the highest blast radius and hardening those first. That is how you reduce risk.”

Let’s get into it.

Subscribe now

🌐 Geopolitical Cyber Warfare

Sweden Attributes Heating Plant Attack to Russian-Linked Group

Swedish officials attributed a cyberattack on a district heating plant to a pro-Russian group with ties to Russian intelligence. The attack failed operationally but that’s not the lead. The intent is. This fits a sustained European pattern of targeting civilian infrastructure not to destroy it, but to create instability and psychological pressure on populations. Heating. Power. Water. These aren’t military targets they’re societal pressure points. Gray-zone warfare doesn’t need to succeed to succeed. The attempt alone achieves its goal.

“If we treated our power plants the way pilots treat an airplane, we would likely have less of these events on the engineering side. As security practitioners, we ought to be planning for the day after. That day after is network obfuscation. That day after is inline data encryption even within your air-gapped networks.”

AgingFly Malware Targets Ukrainian Government and Hospitals

A new malware strain AgingFly is actively targeting Ukrainian government organizations and healthcare systems. This is not opportunistic cybercrime. It is deliberate targeting of the institutions that sustain public life. Hospitals and government agencies are being hit because disrupting them destabilizes society without requiring kinetic escalation. Cyber resilience in healthcare and public sector environments is no longer an IT goal, it is a national security imperative.

12,000 Systems Scanned in Iranian-Style Reconnaissance Campaign

More than 12,000 systems in the Middle East have been scanned in a campaign mirroring Iranian reconnaissance tactics. Scanning is not the attack, it’s the preparation for one. This is patient, methodical threat actor behavior: map the environment, identify weaknesses, and return with precision. This aligns directly with prior reporting on Iranian pre-positioning across U.S. industrial and critical infrastructure. Today’s scan is tomorrow’s disruption.

4,000 U.S. Industrial Devices Remain Exposed to Iranian Targeting

Nearly 4,000 U.S. industrial devices remain directly internet-exposed and vulnerable to Iranian-linked activity. These are operational technology systems, they control physical processes. Leaving them exposed is not a misconfiguration. It is an open invitation in a high-risk neighborhood. The question is no longer whether someone will walk through that door, it’s when.

Iranian Cyber Threats Target U.S. Energy Infrastructure

CISA and NERC continue to issue warnings around Iranian-linked activity targeting U.S. critical infrastructure, with particular focus on energy systems. The current activity remains focused on reconnaissance and persistence rather than immediate disruption. But in the Iranian threat model, today’s foothold is tomorrow’s leverage. OT environments with any internet exposure should treat this as an active threat, not a theoretical one.

💥 Stryker Fallout: Cyber Becomes a Business Event

Stryker Confirms Material Q1 Earnings Impact from Iran-Linked Attack

Stryker confirmed this week that the March 11 Iran-linked attack had a material impact on Q1 earnings. The Handala group gained access to Microsoft Intune, wiped more than 200,000 devices, and disrupted the company’s ordering and supply chain systems. Operations have since been restored — but the damage was real, measurable, and reported to investors.

This is the clearest example in recent memory of cyber leaving the SOC and landing on a hospital floor, and then in an earnings release. Medical staff adapted under constrained equipment conditions. Hospitals extended the use of existing devices. And a publicly traded company disclosed financial harm directly attributable to a nation-state-linked cyber operation. For CISOs still struggling to quantify cyber risk in business terms, this is the case study.

🔓 Data Breaches & Exposures

Booking.com Breach: Identity and Access, Not Infrastructure

Booking.com confirmed a breach affecting user data, likely tied to compromised credentials or third-party access workflows rather than a direct infrastructure intrusion. This is the modern breach pattern: no forced entry, just trusted access used incorrectly. Travel and hospitality platforms hold high-value identity data that fuels downstream fraud, social engineering, and impersonation at scale. For users, this is a direct reminder that passwords alone are insufficient MFA is non-negotiable on any platform holding financial or travel data.

Rockstar Games: Snowflake Environment Accessed via Third-Party Credentials

ShinyHunters claims access to Rockstar Games data stored in a Snowflake cloud environment via a compromised third-party analytics platform. The attack pattern is textbook: stolen credentials, legitimate API access, no alerts triggered. Once inside a cloud environment via valid credentials, attackers move at the speed of the platform itself. Cloud security monitoring must go beyond perimeter controls to include behavioral anomaly detection for API access patterns across every integrated third-party service.

McGraw-Hill Salesforce Misconfiguration: ShinyHunters Claims 45 Million Records

McGraw-Hill is the latest victim in ShinyHunters’ ongoing Salesforce campaign. The attackers reportedly exploited a misconfigured Salesforce-hosted web page not the core enterprise tenant, and are claiming 45 million records and threatening to leak if not paid. McGraw-Hill stated that core systems, customer databases, and student platforms were not accessed. But the blast radius of SaaS misconfigurations regularly extends far beyond what organizations initially assume. Every externally reachable SaaS-hosted page requires explicit access control validation, not just the main platform tenant.

Kraken Insider Threat: Support Employees Enable Extortion Attempt

Kraken disclosed that a cybercrime group attempted to extort the exchange using videos allegedly showing internal systems. At the root: two support employees accessed limited customer data improperly. Client funds were not at risk. But the incident demonstrates a consistent pattern, when externally hardened environments are difficult to breach, attackers pivot to the human layer. Support functions with access to customer data are high-value social engineering targets, particularly where wage disparities create vulnerability to outside influence. Just-in-time access and session recording for support teams are essential controls.

CPU-Z Trojanized Downloads: Supply Chain at Distribution Level

Attackers compromised the CPUID website to distribute trojanized versions of CPU-Z and HWMonitor. This is supply chain compromise at the final distribution point trusted tools from a recognized domain, delivering malware to users who never suspected anything was wrong. Most users will not verify cryptographic signatures before installing a familiar utility. That’s the gap attackers are exploiting. Enforce signature verification as a baseline requirement before any software installation in enterprise environments.

RCI Hospitality IDOR Vulnerability Exposes Contractor Data

RCI Hospitality disclosed an insecure direct object reference vulnerability in their web application that exposed contractor data without triggering traditional security alerts. IDORs are unglamorous but brutally effective the application hands attackers the data without any exploitation of authentication systems. Object-level authorization testing must be part of every application security release gate, particularly for portals handling workforce and contractor records.

🕵️ Nation-State Activity & Advanced Threats

North Korea’s $280 Million Crypto Theft: Corporate-Grade Operations

The post-mortem on the Drift crypto theft reveals an operation that reads less like a hack and more like a business. North Korea orchestrated a $280 million theft using fake companies, sustained relationship-building, social engineering, and physical presence at industry conferences. This was not remote exploitation, it was long-game infiltration. Fake identities. Real relationships. Trust built over months before a payload was ever deployed. If your security model doesn’t account for adversaries who operate at this level of patience and organizational sophistication, it is not accounting for the actual threat.

North Korea’s APT37: Facebook-Based Social Engineering Campaign

APT37 is running an active social engineering campaign using fake Facebook personas to build relationships with targets before deploying malware payloads. This is patience over speed, psychology over technology. Attackers establish trust across weeks or months before any technical action is taken. This is where most defenses still fall short, because they are built to detect technical indicators, not human behavioral manipulation. Employee awareness of relationship-building social engineering is a required defensive layer.

🛡️ Vulnerabilities & Patch Tuesday

Microsoft Patch Tuesday: SharePoint Zero-Day + 167 Fixes — Second Largest Ever

Microsoft addressed 167 vulnerabilities this month, the second largest Patch Tuesday by CVE count on record including an actively exploited SharePoint zero-day (CVE-2026-29231) that was publicly known before patches were released. Collaboration and content platforms continue to draw the most adversarial attention. Internet-facing systems like SharePoint must have a dedicated fast-lane patch process, they cannot wait in the same queue as routine workstation updates.

Fortinet: CVE-2026-27813 Across Multiple Products

Fortinet released a broad patch set with clear prioritization around CVE-2026-27813, affecting FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitch Manager. The perimeter and management plane continue to be primary targets. Every security appliance should be treated as production infrastructure and patched according to attack surface priority, not product popularity.

SAP: 19 Security Notes Including Critical CVSS 9.9 SQL Injection

SAP released 19 new security notes covering more than a dozen products, including CVE-2026-27681, a CVSS 9.9 SQL injection vulnerability in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. ERP and core business systems must be treated as crown jewel infrastructure. Attackers who land in SAP don’t just steal data they learn how the business operates. Prioritize SAP remediation based on process criticality and direct business exposure.

Adobe: 55 Vulnerabilities Including Critical ColdFusion Flaw

Adobe patched 55 vulnerabilities across 11 products, with a critical ColdFusion vulnerability representing the highest real-world exploitation risk. ColdFusion has a consistent history of showing up in attack chains precisely because it sits in the internet-facing application layer. If ColdFusion is still running in your environment, place it behind additional network controls and treat it as a high-risk exception requiring active monitoring.

Ivanti: RCE and Authentication Bypass Return

Ivanti surfaced again this week with two new vulnerabilities — a remote code execution flaw and an authentication bypass. Platforms that broker access and manage systems sit in the critical flow of enterprise trust. Ivanti’s recurring presence in the threat landscape is not a coincidence it reflects consistent adversarial interest in control-plane compromise. Patch immediately and validate that no previous exploitation paths remain active.

CISA Flags Windows Task Host Privilege Escalation Under Active Exploitation

CISA flagged a Windows Task Host vulnerability as actively exploited, allowing attackers to escalate to SYSTEM-level access. Privilege escalation is where initial access becomes full control. Once an attacker reaches SYSTEM on a shared or high-value system, the scope of compromise expands rapidly. This vulnerability warrants immediate remediation prioritization.

NGINX UI Zero-Day: Management Interface Compromise

Active exploitation of a critical NGINX UI zero-day continues. Exposed administrative interfaces remain one of the most consistently effective attack vectors — not because they’re sophisticated, but because convenience keeps winning over security. Management panels left accessible to the internet are an open invitation. Remove or restrict all exposed administrative interfaces immediately.

ICS Patch Tuesday: Eight Major Industrial Vendors

Siemens, Schneider Electric, Rockwell, and five additional industrial vendors released advisories in this month’s ICS Patch Tuesday. OT environments accumulate risk over time long-lived systems, infrequent patching, and operational continuity constraints combine to create compounding vulnerability. Establish dedicated OT vulnerability management processes that account for the unique operational constraints of industrial environments.

Synology SSL VPN Client: Remote Access Vulnerabilities

Synology released updates for SSL VPN client vulnerabilities. Vendor guidance specifies upgrading to version 1.4.5-0684 or newer and calls for active monitoring of configuration changes and unusual traffic behavior. VPN configuration changes should be monitored with the same urgency as failed login attempts remote access is where trust and network access intersect most dangerously.

Juniper and Chrome Continue Steady Patch Cycles

Juniper patched dozens of Junos OS vulnerabilities, and Chrome released version 147 with 60 fixes including two critical. Neither is a single dramatic event both reflect the ongoing maintenance reality of foundational infrastructure. Browsers and network devices are prime targets precisely because they are ubiquitous and trusted. Keep them current automatically.

🤖 AI, Supply Chain & Developer Threats

Cloud Security Alliance Releases Mythos AI Threat White Paper

The Cloud Security Alliance, led by Gadi Evron, published a white paper on Anthropic’s Mythos AI model and its implications for the cybersecurity threat landscape reviewed by over 100 CISOs. The core concern: AI tools like Mythos dramatically accelerate both vulnerability discovery and exploit development, compressing the timeline between disclosure and weaponization in ways the industry has not yet calibrated for. This is required reading for security leadership. Download it at cyberhubpodcast.com.

OpenAI Caught in Axios npm Supply Chain Compromise

OpenAI was caught in the blast radius of the Axios npm package supply chain compromise. This confirms a pattern: supply chain attacks don’t stop at developers they propagate through enterprise apps, AI platforms, and into production systems. Once trust is compromised at the package level, everything downstream inherits that risk. Software composition analysis is foundational security hygiene, not an advanced practice.

Glassworm Evolves: Zig-Based Dropper Targets Developer IDEs

Glassworm returned with a new variant using a Zig-based dropper to target developer environments and IDE ecosystems. Attackers are moving upstream into the development lifecycle because controlling the developer environment means influencing what gets built. Supply chain compromise at the IDE layer is persistent, quiet, and extraordinarily difficult to detect after the fact. Lock down developer environments with signed plugins, approved extension lists, and access controls.

PHP Composer Flaws Enable Arbitrary Command Execution

New vulnerabilities in PHP Composer enable arbitrary command execution within software build workflows. This is the same threat surface the Team PCP group exploited in expanding across developer toolchains. Pin Composer and all build chain tooling to approved internal baselines rather than allowing developer environments to drift toward the latest available version.

GitHub and Jira Notification Abuse for Malware Delivery

Attackers are abusing GitHub and Jira notification systems to deliver malicious links inside expected, trusted workflow communications. Users don’t question notifications from platforms they rely on daily and attackers have learned to exploit exactly that behavioral pattern. Extend phishing inspection to collaboration platform notifications, not just email. Security teams often overlook these channels entirely.

⚖️ Policy, Regulation & Industry

FCC Cybertrust Mark: IoXT Alliance Named New Lead Administrator

The FCC Cybertrust Mark program, a consumer-facing security certification for connected devices has a new lead administrator after UL withdrew. The non-profit IoXT Alliance takes over, putting the program back on track. Given the persistent exploitation of routers, IoT devices, and unmanaged endpoints, any policy initiative that raises the baseline security floor for connected devices has real-world defensive value. This program matters.

FCC Grants Netgear Exemption in Router Certification Rules

The FCC granted Netgear an exemption related to router certification requirements and foreign-owned testing labs. This sits at the intersection of cybersecurity, geopolitics, and supply chain policy. Hardware certification decisions directly influence how secure or insecure network infrastructure becomes at the consumer and enterprise level alike. Policy decisions are now security decisions.

Privacy Research: Tracking Persists After User Opt-Outs

New research indicates major technology companies can continue tracking users even after opt-out mechanisms are activated. The security implication is not just privacy: if controls don’t behave as documented, then compliance assumptions break down. Defenders cannot rely solely on vendor claims. Validate privacy and tracking controls independently including within your own environment.

Leave a comment

✅ This Week’s Priority Action List

Immediate (Do This Now)

• Patch Microsoft SharePoint CVE-2026-29231 immediately — publicly known before patches released, active exploitation likely

• Patch SAP CVE-2026-27681 (CVSS 9.9) — arbitrary code execution in ERP core infrastructure

• Patch Fortinet CVE-2026-27813 across FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiPAM, FortiSwitch Manager

• Patch Ivanti RCE and authentication bypass vulnerabilities — control plane compromise risk

• Patch Windows Task Host privilege escalation — CISA confirmed active exploitation, SYSTEM access at stake

• Remove or restrict all exposed NGINX UI management interfaces — active zero-day exploitation underway

• Patch Synology SSL VPN client to 1.4.5-0684 or newer and monitor for configuration anomalies

Short-Term (This Month)

• Audit every externally reachable SaaS-hosted page and Salesforce integration — McGraw-Hill is not an isolated incident

• Implement just-in-time access and session recording for all support functions touching customer data

• Enforce cryptographic signature verification for all software downloads in enterprise environments

• Add object-level authorization testing to application security release gates

• Eliminate direct internet exposure for all OT, industrial, and ICS systems 4,000 U.S. devices remain exposed

• Deploy behavioral anomaly detection for cloud API access across all third-party SaaS integrations

• Review and pin PHP Composer and developer build tooling to approved internal baselines

• Extend phishing inspection to GitHub, Jira, and all collaboration platform notification channels

Strategic (This Quarter)

• Establish dedicated OT vulnerability management processes separate from IT patch cycles

• Download and review the Cloud Security Alliance Mythos white paper — calibrate your AI threat timeline assumptions

• Build dedicated fast-lane patch processes for internet-facing collaboration platforms separate from workstation cycles

• Treat SAP and ERP systems as crown jewel infrastructure with process-criticality-based patching priority

• Implement network obfuscation and inline data encryption for critical infrastructure environments

🎙️ James Azar’s CISO’s Take

When I look across this week’s stories, the most important thing I see is how much risk sits below the surface — quiet, patient, and methodical. Sweden’s heating plant, Ukrainian hospitals, Iranian reconnaissance across 12,000 systems, a SharePoint zero-day already known to attackers before patches dropped. These are not loud, chaotic events. They are deliberate campaigns against the systems that keep society functioning. And that’s exactly what makes them dangerous — they accumulate unnoticed until the disruption is unavoidable. Stryker hitting a quarterly earnings report is the clearest signal yet that cyber risk is no longer an IT budget line. It is a business event, a financial event, and a human event.

The second takeaway is about the pace of change. The Cloud Security Alliance’s Mythos white paper, Jason Clinton and Kevin Mandia’s commentary, and this Patch Tuesday’s record-setting CVE count all point to the same reality: AI is compressing vulnerability discovery and exploit development into timelines defenders have never had to operate against before. The answer isn’t panic — it’s prioritization. Know which trusted systems carry the highest blast radius. Harden those first. Build resilience into how you operate, not just how you prevent. Because at the scale and speed this threat environment is moving, perfection isn’t achievable but preparedness is.

📋 Week in Summary

This was a week that reminded practitioners of something easy to lose sight of under the volume of daily threat intelligence: cybersecurity is not about protecting dashboards. It’s about protecting the systems that keep hospitals running, supply chains moving, heating plants operating, and governments functioning. Sweden, Ukraine, and Stryker all told the same story from different angles when cyber operations are targeted not at data but at operational continuity, the consequences extend far beyond the perimeter and into people’s lives.

Technically, the week was defined by volume and trust exploitation at scale. The second-largest Patch Tuesday ever. Critical patches from SAP, Fortinet, Adobe, Ivanti, and eight industrial vendors simultaneously. And breach after breach — Booking.com, Rockstar, McGraw-Hill, Kraken — sharing the same fingerprint: no forced entry, just trusted access misused, misconfigured, or manipulated through the human layer. The defensive posture this demands is not more tools or more rules. It is continuous validation of every trust assumption in your environment, prioritized by blast radius, executed with the speed the threat environment now requires.

Stay informed. Stay prepared. Stay Cyber Safe. 🔐

© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn

Today’s episode is one of those that reminds us cybersecurity isn’t just about alerts and dashboards, it’s about heating plants, hospitals, industrial systems, and the very infrastructure that keeps society running.

What we’re seeing today is not loud ransomware headlines, it’s something far more dangerous: low-visibility, high-impact activity targeting the systems people rarely think about but depend on every day.

“You’re not waiting to be attacked, you’re already on someone’s scan list.”

Coffee cup cheers, let’s dive in.

Subscribe now

Sweden Blames Russia for Energy Infrastructure Attack

We begin in Sweden, where officials have attributed a cyberattack on a heating plant to a pro-Russian group linked to intelligence services.

The attack itself failed, but that’s not the story. The story is intent.

This fits a broader European pattern: probing civilian infrastructure heating, power, utilities not necessarily to destroy, but to create instability and psychological pressure.

These aren’t battlefield operations. These are societal pressure campaigns.

The risk is clear: disruption of everyday life systems without triggering full-scale conflict. And that’s exactly the kind of gray-zone warfare we’re seeing more of.

AgingFly Malware Targets Ukrainian Government and Hospitals

Next, we move to Ukraine, where a new malware strain—AgingFly—is actively targeting government organizations and healthcare systems.

This is not opportunistic cybercrime. This is deliberate targeting of public service continuity.

Hospitals and government agencies are being hit because they represent stability. Disrupt them, and you disrupt society. This is cyber warfare in its purest form, pressure without kinetic escalation.

The takeaway here is that resilience in healthcare and public sector systems is no longer optional, it’s strategic.

12,000 Systems Scanned in Iranian-Style Recon Campaign

In the Middle East, more than 12,000 systems have been scanned in what mirrors Iranian reconnaissance tactics.

And this number matters. Because scanning is the beginning not the end.

This is patient threat actor behavior: map the environment, identify weaknesses, and come back later with precision. This aligns with everything we’ve been saying about pre-positioning. Attackers aren’t rushing, they’re preparing.

The risk is that today’s scan becomes tomorrow’s disruption.

CISA Flags Windows Task Host Flaw Under Active Exploitation

CISA has flagged a Windows Task Host vulnerability as actively exploited, allowing attackers to escalate privileges to SYSTEM.

This is a classic move. Initial access is just step one. Privilege escalation is where the real control begins.

Once attackers reach SYSTEM-level access, they own the box, and often the network. This is a reminder that even “local” vulnerabilities matter, especially in shared or high-value environments.

NGINX UI Zero-Day Under Active Exploitation

We also have active exploitation of a critical NGINX UI vulnerability.

And this one is painfully familiar. Management interfaces exposed to the internet. Admin panels left accessible. These are some of the easiest entry points for attackers, and they keep working.

Why? Because convenience keeps winning over security.

The risk is full server compromise through exposed administrative tooling.

Ivanti Vulnerabilities Continue to Surface

Ivanti is back again with two new vulnerabilities, including an RCE and an authentication bypass. At this point, this isn’t surprising, it’s expected.

Platforms that broker access and manage systems sit directly in the flow of trust. That makes them prime targets. And attackers know it.

The risk is control of the control plane, visibility, automation, and access all in one place.

ICS Patch Tuesday: Industrial Giants Face Ongoing Risk

Eight major industrial vendors, including Siemens, Schneider Electric, and Rockwell, released new advisories in ICS Patch Tuesday.

This highlights a persistent issue: OT environments are long-lived, hard to patch, and often ignored. Unlike IT systems, these environments accumulate risk over time.

“If it runs the physical world, attackers are already looking at it.”

And when vulnerabilities are finally exploited, the impact isn’t just data—it’s physical operations.

Privacy Research: Tracking Persists Despite Opt-Outs

New research suggests that major tech companies can still track users even after opt-out mechanisms are used. This isn’t just a privacy issue, it’s a trust issue.

If controls don’t behave as expected, then assumptions about compliance and protection break down. For defenders, this means we can’t just trust vendor claims, we have to validate them.

FCC Grants Netgear Exemption in Router Certification Rules

Finally, the FCC granted Netgear an exemption related to router certification rules tied to foreign-owned test labs. This may seem administrative, but it’s not.

It sits at the intersection of cybersecurity, geopolitics, and supply chain. Policy decisions now directly impact how secure or insecure, our infrastructure becomes.

Action Items for Security Leaders

• Eliminate internet exposure for OT and industrial control systems

• Implement network obfuscation and segmentation for critical infrastructure

• Isolate healthcare and government systems from public-facing networks

• Prioritize patching of privilege escalation vulnerabilities on key systems

• Remove or restrict access to exposed management interfaces

• Segment ITSM and administrative platforms from broader environments

• Establish dedicated OT vulnerability management processes

• Validate privacy and tracking controls independently of vendor claims

• Monitor large-scale scanning activity as early indicators of future attacks

• Plan for resilience—not just prevention—in critical infrastructure environments

Leave a comment

James Azar’s CISOs Take

What stands out to me today is how much of the risk we face sits below the surface. These aren’t flashy ransomware attacks or headline-grabbing breaches. These are quiet, methodical campaigns targeting the systems that keep society functioning. And that’s what makes them dangerous, because they often go unnoticed until it’s too late.

The second takeaway is that we have to stop thinking about cybersecurity as purely digital. When attacks impact heating plants, hospitals, and industrial systems, the consequences are physical, human, and immediate. Our job as practitioners isn’t just to prevent compromise, it’s to ensure continuity. Because in today’s world, cyber resilience is societal resilience.

Stay Cyber Safe.

It’s Patch Tuesday, and today’s episode is exactly what you’d expect when everything hits at once breaches, insider threats, SaaS exposure, and one of the largest patch cycles we’ve seen in a while.

If there’s one thing that stood out today, it’s this: attackers are no longer trying to break your defenses, they’re exploiting the systems you already trust to operate your business.

Double espresso in hand—let’s break it all down.

Subscribe now

McGraw-Hill Salesforce Breach: Shiny Hunters Claims 45 Million Records

We start with McGraw-Hill because it fits a pattern we’ve been talking about for weeks: attackers are not always breaching the company you think they are. Reports say the attackers exploited a Salesforce misconfiguration and accessed data from a web page hosted on the Salesforce platform.

While the company emphasized that its Salesforce accounts, customer databases, courseware, and internal systems were not accessed, McGraw-Hill also said the exposed information did not include social security numbers, financial account information, or student platform data. But Shiny Hunters is claiming they hold 45 million Salesforce records and they’re threatening to leak the data if they don’t get paid.

This correlates directly with how the Shiny Hunters Salesforce campaign has played across other victims. That blast radius often starts in a shared SaaS layer, not the victim’s core environment.

The risk is trusted SaaS pages and integrations exposing sensitive business data without a full enterprise compromise. Inventory every externally reachable SaaS-hosted page and validate access control on each one—not just the main platform tenant.

RCI Hospitality IDOR Vulnerability Exposes Contractor Data

Anyone here go to nightclubs? I haven’t in ages. I don’t even go to the nightclub parties during hacker summer camp in Vegas. I don’t like the club scene call me old, but I never really liked it to begin with.

RCI Hospitality is the second example of how small web app flaws can create very real business exposure. Reports say the company disclosed in an SEC filing that an IDOR vulnerability in their RCI Internet Services exposed contractor data.

This matters because IDORs are not glamorous, but they are brutally effective when no one is watching object-level authorization closely. This correlates with recent customer and employee data incidents in retail and hospitality. Attackers do not always need malware or ransomware if the application will simply hand them the data.

Direct object reference flaws exposing business records to unauthorized parties without tripping traditional alarms is a key risk and blind spot. Add authorization testing for object-level access into your application security release gate, especially for portals that handle workforce and contractor records.

Kraken Insider Threat: Cybercrime Group Extortion Attempt

My friends over at Kraken are in the news, and this one is a useful reminder that not every crypto incident starts with a smart contract bug or wallet exploit. This one is insider.

Kraken disclosed that a cybercrime group tried to extort the exchange by threatening to release videos showing internal systems hosting client data. Kraken’s CSO said the incident involved two instances of improper access to limited customer data by support employees. Importantly, Kraken said client funds were not at risk and described the case as an insider threat issue.

This lines up with the theme we keep coming back to: when sensitive environments are heavily instrumented and externally hardened, attackers often pivot to support, process, and people. People will sell you out, especially in a globalized workforce where wage disparities become targets for social engineering through LinkedIn and other platforms.

Insider-enabled exposure of customer information becoming extortion leverage even when core financial systems stay intact carries significant risk. Apply just-in-time access and strong session recordings on support functions that can touch customer data.

Microsoft Patch Tuesday: SharePoint Zero-Day + 167 Fixes Second Largest Ever

Patch Tuesday is the other major lead today. Microsoft fixed an exploited SharePoint zero-day plus 167 other vulnerabilities. Security Week is calling it the second largest Microsoft Patch Tuesday ever based on CVE count alone. That should tell you the tempo is not slowing down.

Jason Clinton (CISO for Anthropic) and Kevin Mandia (the legend, founder of Mandiant, now with a new startup) both said something very smart I’ve heard them say over the last six months: the next two to three years for practitioners are going to be a punching bag day after day, month after month, as more AI tools like Mythos just increase the scale of finding vulnerabilities. And then AI helps build exploits for those vulnerabilities at scale we’ve never seen before.

We’ve been saying for months that identity, collaboration, and management platforms are drawing the most heat. SharePoint living on that list is no surprise at all.

The SharePoint Zero-Day (CVE-2026-29231) was publicly disclosed before patches were released. Exposed collaboration and content systems becoming initial access or privilege escalation footholds before organizations can catch up is a significant risk.

Maintain a separate fast lane for patching internet-facing collaboration platforms so they don’t wait on the same cycle as ordinary workstation updates.

Adobe Patches 55 Vulnerabilities—ColdFusion Critical

Adobe is patching 55 vulnerabilities across their stack. No zero-day headline, but the patch covers 11 products with a critical ColdFusion vulnerability being most likely to get hit in real-world attacks.

That tracks with ColdFusion’s history, it keeps showing up because it sits in exactly the kind of internet-facing application layer that attackers absolutely love.

Legacy application platforms serving as remote code execution paths in otherwise modern environments is the risk. If you still run ColdFusion, put it behind additional network controls and treat it as a high-risk exception, not just another application server.

Fortinet Broad Patch Set: CVE-2026-27813 Across Multiple Products

The Fortinet security vendor patch set is broad, but there’s clear prioritization. Defenders should patch CVE-2026-27813 across FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitch Manager.

That matches the Fortinet drumbeat we’ve been covering across multiple weeks. The perimeter and management plane are still where the blood is in the water.

Compromise of security appliances and management products giving attackers visibility and leverage at the control layer is a significant risk. Treat every security appliance as production infrastructure patch by attack surface, not by product popularity.

SAP Releases 19 Security Notes Critical SQL Injection CVE-2026-27681

SAP deserves airtime because the company released 19 new security notes covering more than a dozen products, including a critical ABAP vulnerability.

We’ve talked many times about how ERP and core business platforms are too often patched like back-office software when they should be treated like crown jewel infrastructure. If an attacker lands in SAP, they are not just stealing data—they are learning how your business runs.

Exploitation of enterprise business logic platforms leading to financial, operational, and identity impact all at once is the risk. Prioritize SAP remediation based on process criticality and direct business exposure, not just CVSS.

The biggest one is CVE-2026-27681, a CVSS score of 9.9. It’s an SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. That’s the one you want to pay the most attention to.

Synology SSL VPN Client Flaws—Remote Access Risk

If Synology is your thing, Synology’s SSL VPN client flaws are another reminder that remote access remains one of the easiest ways to turn a user problem into a network problem.

Vendor guidance pushes customers to upgrade to version 1.4.5-0684 or newer and specifically calls out the need to monitor for unauthorized configuration changes and odd traffic behavior.

The correlation is easy to draw: from VPN credential theft to device code phishing to fake support flows, attackers keep going where trust and remote access meet.

Monitor VPN configuration changes with the same urgency you monitor failed logins and brute force attempts.

PHP Composer Flaws Enable Arbitrary Command Execution

PHP Composer is another developer ecosystem story that matters more than it may sound. The Hacker News reports that new Composer flaws can enable arbitrary command execution and patches are available.

We’ve already seen Team PCP move from open source compromise into cloud and build environments. Tooling vulnerabilities inside the dependency chain are exactly how that kind of compromise keeps scaling.

Compromise of software build or dependency management workflows leading to code or credential theft is the risk. Pin Composer and other build chain tooling to approved internal baselines rather than letting developer environments drift.

"Attackers keep winning by abusing things we already trust, SaaS pages, support workflows, app authorization, collaboration platforms, and even our own security appliances, ERP systems, and VPN clients. The defensive move is not magic. It is knowing which trusted systems have the highest blast radius and hardening those first. That is how you reduce risk." James Azar

Cloud Security Alliance Releases Mythos AI Threat White Paper

Before we get into the FCC story, let’s talk about what Gadi Evron and the team at Cloud Security Alliance put together in a matter of days. I’m part of the group, unfortunately, newborn in the house, very busy with work stuff and catching up, so I wasn’t able to participate. But Gadi brought in all the heavy hitters around cyber to talk about Anthropic’s Mythos, the AI model that the industry’s panicking about because of its ability to supercharge cyber attacks.

Cloud Security Alliance and Gadi started the conversation with John Yeoh and some really great people. They put together a phenomenal white paper. If you haven’t seen it, you should go download it right now I’ll put the link at cyberhubpodcast.com.

This is significant. It’s how we should be looking at Mythos, how teams should be looking at it from a staffing perspective, from a patching perspective, and so much more. It was reviewed by over 100 CISOs. I would have desperately wanted to be part of anything Gadi puts his hands on because it’s gold. But personal life took precedent, I don’t regret it. Gadi doesn’t need me to be brilliant. A hundred CISOs don’t need James Azar to be brilliant because they’re all brilliant in their own way, fantastic contributors helping us understand how fast AI is evolving and how fast it evolves our ability to prepare.

FCC Cybertrust Mark Gets New Administrato IoXT Alliance

The FCC Cybertrust mark is worth watching because it signals government still wants a consumer-facing baseline for connected device security. According to reports, the FCC’s selection of a new lead administrator for the Cybertrust mark puts the program on a path to success, tied directly to both consumer protection and national security.

Before, it was with UL under the Biden administration. UL pulled out after they went under investigation by the Trump administration for some of their practices. Everyone thought it was going to die, but the FCC picked the non-profit IoXT Alliance to be the new lead.

This matters because we keep covering router, IoT, and unmanaged device exploitation. Just the other day we talked about how the FBI was asking people to restart their SOHO routers. Anything that raises the floor on connected device security helps. Glad to see this program back up and running.

Action Items for Security Leaders

• Inventory and secure all externally accessible SaaS components and integrations

• Implement object-level authorization testing in application development pipelines

• Enforce just-in-time access and session monitoring for support teams

• Prioritize patching for internet-facing collaboration platforms like SharePoint

• Treat ERP and business systems like SAP as crown jewel infrastructure

• Harden security appliances and management platforms as critical assets

• Monitor VPN configurations and remote access systems for anomalies

• Lock down developer pipelines with strict dependency and execution controls

• Prepare for AI-driven threat acceleration with faster patch and response cycles

• Support baseline security improvements for IoT and unmanaged devices

Leave a comment

James Azar’s CISOs Take

What stood out to me today is how interconnected risk has become. Every story—from McGraw-Hill to Kraken to SharePoint, points to the same reality: our environments are no longer isolated systems. They’re ecosystems. And attackers are exploiting the connections between them, not just the components themselves.

The second takeaway is the pace of change. Between AI accelerating vulnerability discovery and the sheer volume of patches we’re seeing, defenders are under more pressure than ever. This isn’t about working harder it’s about working smarter. Prioritizing based on blast radius, focusing on trusted systems, and building resilience into how we operate. Because at this scale, perfection isn’t possible but preparedness is.

Stay Cyber Safe.

Today’s episode was packed but also personal. Before diving into the news, I took a moment to reflect on something bigger than cybersecurity, how history teaches us that dehumanization, not technology, is often the root cause of collapse.

Today in Israel is Yom HaShoah Holocaust Remembrance Day, a day where we remember the six million Jewish men, women, and children who were murdered, not for anything they did, but simply for being Jewish. Every year we ask the same question: how did the world let that happen? How did humanity reach a point where over ninety million people died in World War Two and that was acceptable?

The truth is it didn’t start with the war. The war was just the ending. It started with something much quieter: dehumanization. It started when people stopped seeing others as humans, when language changed, when division became acceptable, when disagreements turned into hatred rather than simple disagreements.

If we’re being honest, we’re seeing pieces of that again today in our society. We see it in how quickly people label each other based on an opinion—right versus left, us versus them. We see it in rising anti-Semitism. We see it in global conflicts. We see it in how easily people justify excluding others from dignity on each and every single side.

History did not collapse overnight in 1938. It eroded slowly until people stopped questioning what was happening and just accepted it. Once that line is crossed, everything else becomes possible.

This show isn’t about politics—it’s not. This isn’t about ideology. It’s about a simple truth: if we allow ourselves to dehumanize people we disagree with, we’re walking down a path we’ve already seen before. History has shown us exactly where that path leads.

Today is not just about remembering the six million. It’s about remembering the warnings. I pray we recognize it in time. I pray we choose to see each other as humans first, even in our fiercest disagreements. I pray we don’t repeat the mistakes of our past.

Because whether it’s society or cybersecurity, it always starts with people.

Subscribe now

Now, bringing it back to why you’re here, today’s stories reinforce one thing: attackers are no longer forcing their way in. They’re leveraging trust, identity, and platforms we rely on every single day.

Coffee cup cheers, let’s get into it.

Booking.com Breach: Identity and Access, Not Infrastructure

We start with Booking.com confirming a breach impacting user data, likely tied to compromised internal systems or third-party access rather than a direct infrastructure hack.

And that right there is the shift.

Attackers aren’t breaking systems—they’re accessing them through people, credentials, and support workflows.

This aligns with a broader trend across hospitality and travel platforms where attackers target high-volume identity ecosystems. If you can access the people managing the system, you don’t need to break the system itself.

The real risk here isn’t just data exposure—it’s downstream fraud. Travel data is incredibly valuable for social engineering, impersonation, and financial scams.

For users, this is a wake-up call: passwords alone are dead. MFA isn’t optional anymore.

Rockstar Breach: Cloud is the New Battleground

Next, we looked at Rockstar Games, where the ShinyHunters group claims access to data stored in a Snowflake environment via a third-party analytics platform.

This is a textbook cloud attack.

Compromise credentials → access cloud environment → operate as a legitimate user.

No alarms. No noise. Just quiet data access. This is what modern attacks look like credential-driven, API-based, and fast.

And the risk here is massive: once attackers are inside your cloud environment, they don’t need to escalate, they already have what they need.

Iranian Cyber Threats Target U.S. Infrastructure

We’re continuing to see warnings from CISA and NERC around Iranian-linked cyber activity targeting U.S. critical infrastructure, especially energy systems.

And here’s the key insight, this isn’t about immediate destruction.

This is about positioning.

Reconnaissance. Footholds. Preparation.

Nearly 4,000 exposed industrial devices from prior reporting fit directly into this narrative. Attackers are mapping the terrain now for potential future disruption. If your OT environment is exposed, you’re not a target, you’re an opportunity.

OpenAI Caught in Axios Supply Chain Attack

OpenAI showed up again, this time as part of the Axios npm supply chain compromise. This confirms something we’ve been talking about repeatedly: supply chain attacks don’t stop at developers.

They propagate.

From open source → to enterprise apps → to AI platforms → to production systems.

Once trust is compromised at the package level, everything downstream inherits that risk. This is why software supply chain security is no longer optional—it’s foundational.

NGINX and Grafana Vulnerabilities: Quiet but Dangerous

On the vulnerability front, NGINX updates addressed multiple issues in one of the most widely deployed web servers globally. These aren’t flashy zero-days but that’s what makes them dangerous.

Widespread infrastructure means even moderate vulnerabilities can have internet-scale impact.

Meanwhile, Grafana introduced a different kind of risk a zero-click AI-related vulnerability capable of leaking sensitive data without user interaction. No phishing. No execution. Just system interaction.

This is the next wave of risk—logic flaws in AI-driven features.

GitHub and Jira Abuse: Trusted Channels Turned Attack Vectors

Attackers are now abusing GitHub and Jira notification systems to deliver malicious links.

Why?

Because these are trusted platforms.

Notifications are expected. Users don’t question them. This is classic attacker behavior move into workflows where defenses are weakest. The risk here is silent delivery of phishing and malware through channels security teams often overlook.

CPU-Z Trojanized Downloads: Supply Chain Strikes Again

Attackers compromised the CPUID website to distribute trojanized versions of CPU-Z and HWMonitor. This is supply chain compromise at the distribution level.

Even trusted tools become weapons when the delivery channel is compromised. And most users won’t verify signatures—they’ll just download and install.

That’s the problem.

North Korea’s APT37 Social Engineering Campaign

APT37 is back, using Facebook-based social engineering to target victims with fake personas and relationship-building tactics. This is not smash-and-grab hacking.

This is patience. Persistence. Psychology. The attackers are building trust before deploying payloads.

This is where cybersecurity meets human behavior and where most defenses still fall short.

FBI Disrupts Russian Router Campaign

Finally, some good news—the FBI disrupted a Russian-linked campaign targeting routers and DNS infrastructure.

This type of attack is particularly dangerous because controlling the network layer gives attackers visibility and persistence. And here’s a practical takeaway sometimes the fix is simple.

Restart your router. You’d be surprised how often that breaks attacker persistence.

Action Items for Security Leaders

• Enforce MFA across all user-facing platforms, especially high-volume services

• Monitor cloud environments for anomalous API behavior and credential misuse

• Eliminate internet exposure of OT and critical infrastructure systems

• Implement software composition analysis for supply chain visibility

• Patch foundational infrastructure like NGINX as a standard operational practice

• Restrict sensitive data exposure in AI-driven features and validate outputs

• Inspect links and payloads from collaboration tools like GitHub and Jira

• Verify software integrity using cryptographic signatures before installation

• Train employees on social engineering risks across social media platforms

• Regularly reset and update network infrastructure, including routers

Leave a comment

James Azar’s CISOs Take

What stood out to me today is how consistently attackers are targeting trust as their primary entry point. Whether it’s Booking.com, Rockstar, or supply chain compromises, the pattern is the same identity and access are the new perimeter. If you’re still thinking about security in terms of firewalls and endpoints alone, you’re missing where the real battle is happening.

The second takeaway is that cybersecurity is no longer just technical, it’s human. Social engineering, workflow abuse, and trust exploitation are now at the center of most attacks. That means our defenses need to evolve beyond tools and into behavior, awareness, and continuous validation. Trust can no longer be assumed, it has to be earned, monitored, and verified every single time.

Stay Cyber Safe.

Subscribe now

Back in the saddle after a short break, and yes, the Azar family growing by one (sleep optional, coffee mandatory), we’re back to business.

The Azar gang did grow by one! A beautiful, amazing, great little boy who's just phenomenal with his older brother now. The family feels a bit bigger. Sleep is rarer. But I'll take it because there's nothing more gratifying than fatherhood—really, there isn't. Mom's doing great!

Thank you to the amazing team at Northside Hospital for a job well done keeping mom and baby safe. What a joy it is to be in the room to see a new life come into it. Quite a bundle of joy!

And today’s show? It’s a reminder that cybersecurity doesn’t live in dashboards, it lives in hospitals, factories, payroll systems, and people’s lives.

We’re not talking about theoretical risk anymore. We’re talking about real-world operational impact, financial damage, and human consequences.

Let’s get into it. Coffee Cup Cheers,

Subscribe now

Stryker Attack: When Cyber Hits the Earnings Report

We kick things off with Stryker confirming that the Iran-linked March 11 attack had a material impact on Q1 earnings. This wasn’t just a disruption—it was a full-blown business event.

The attackers, tied to the Handala group, inserted a malicious file into Microsoft Intune, wiping over 200,000 devices and disrupting ordering systems. While operations have now been restored, the real story here is what happened in between.

This wasn’t just IT downtime. This impacted hospital supply chains. Medical staff had to adapt, extend usage of equipment, and operate under constrained conditions.

This is what happens when cyber leaves the SOC and lands on a hospital floor.

And if you’re a CISO and you’re still struggling to quantify cyber risk in dollars this is your example.

North Korea’s $280M Crypto Theft: Corporate-Grade Cybercrime

Next, we dig into the Drift crypto theft post-mortem, and it reads less like a hack and more like a business operation.

North Korea orchestrated a $280 million theft using fake companies, social engineering, and even physical presence at industry conferences. Let that sink in—this wasn’t just keyboard warriors. This was relationship-building, long-game infiltration.

This is the evolution of cybercrime into full-scale enterprise operations.

They’re not exploiting systems, they’re exploiting trust, process, and human behavior.

If your security model doesn’t account for that level of persistence, you’re already behind.

4,000 U.S. Industrial Devices Exposed to Iranian Targeting

Now let’s talk about something that should make every critical infrastructure operator pause nearly 4,000 U.S. industrial devices remain exposed online, vulnerable to Iranian-linked activity.

This isn’t about immediate destruction. This is reconnaissance. Foothold building. Positioning.

And here’s the dangerous part, these are operational technology environments. We’re talking about systems that control physical processes.

The exposure of OT-adjacent devices is essentially leaving the front door open in a high-risk neighborhood and hoping no one walks in.

Spoiler alert: someone will.

Microsoft Finds Android Crypto Wallet Flaw

Microsoft uncovered a vulnerability that could have exposed millions of Android crypto wallet users, allowing malicious apps to steal sensitive wallet data.

And here’s the kicker no need to break blockchain security.

Just compromise the endpoint.

We keep saying it on the show: the endpoint is still the weakest link.

You can have the most secure system in the world, but if the device accessing it is compromised, game over.

Payroll Diversion Attacks Hit Canadian Employees

We’re also seeing a rise in payroll diversion attacks, targeting Canadian employees by manipulating direct deposit workflows.

This is cybercrime at its most efficient no ransomware, no noise, just quietly redirecting money.

And it works because payroll systems are trusted, routine, and rarely questioned.

This is where identity, HR systems, and financial controls intersect—and where attackers are increasingly focusing.

Glassworm Expands Supply Chain Attacks into Developer Environments

Glassworm is back, and it’s evolving—this time using a Zig-based dropper to target developer environments and IDE ecosystems.

This is a continuation of a trend we’ve been tracking: attackers moving upstream into the development lifecycle.

Why? Because if you control the developer environment, you control what gets built. This is supply chain compromise at scale.

Adobe Reader Zero-Day Exploited for Months

Adobe patched a Reader zero-day that had been exploited in the wild for months.

Let me repeat that months.

Document-based attacks continue to work because we trust them. PDFs are still one of the easiest delivery mechanisms for malware. And despite all the awareness, users still click.

This isn’t a tooling problem. It’s a trust problem.

Marimo RCE Under Active Exploitation

A critical pre-authentication RCE flaw in Marimo is now under active exploitation. This hits a growing category developer and data science tools exposed to the internet.

Convenience is killing security here. If your experimental tools are internet-facing without proper controls, you’re essentially inviting attackers in.

Juniper and Chrome Patch Cycles Highlight Ongoing Risk

Juniper patched dozens of Junos OS vulnerabilities, reinforcing the ongoing risk in network infrastructure. At the same time, Chrome released version 147 with 60 vulnerability fixes, including two critical ones.

Browsers and network devices remain prime targets because they sit at the intersection of trust and exposure. They’re not flashy but they’re foundational.

Action Items for Security Leaders

• Quantify cyber risk in business terms—tie incidents to revenue and operations

• Eliminate direct internet exposure for OT and industrial systems

• Enforce strict endpoint security for high-value assets like crypto wallets

• Implement multi-layer verification for payroll and financial workflows

• Lock down developer environments with signed plugins and access controls

• Patch aggressively—especially for document readers and edge systems

• Move experimental and developer tools behind authentication layers

• Treat supply chain security as a top-tier priority, not a secondary concern

Leave a comment

James Azar’s CISOs Take

What stood out to me today is how cyber incidents are no longer contained within the boundaries of technology. The Stryker story is the clearest example this wasn’t just a breach, it was a disruption to healthcare delivery and a hit to financial performance. That’s the reality we’re operating in now. Cybersecurity is no longer a support function. It’s a business function.

The second takeaway is that attackers are consistently targeting trust. Whether it’s payroll systems, developer tools, mobile devices, or industrial infrastructure, the common thread is exploitation of what organizations assume is safe. We need to rethink that assumption. Security today isn’t about protecting everything, it’s about validating everything, continuously.

Stay Cyber Safe

Some say that at the very beginning of life, chaos reigned and then order was brought into it.

I’ve always appreciated both.

Subscribe now

I enjoy the chaos as much as the next guy. There’s something real about it unfiltered, unscripted, unpredictable. But I also value routine. The structure. The balance. The daily rhythm of keeping the ship afloat.

Most of the time, life gives us the courtesy of operating somewhere in between the two. We plan. We prepare. We anticipate what’s coming next and convince ourselves that with enough structure, we can manage whatever comes our way.

And then life reminds you who’s really in charge.

As the saying goes: you make plans, and God laughs.

That’s been the last three weeks of my life.

There are seasons in life where everything feels like it should be simple. Moments we expect to experience in isolation pure joy, uninterrupted celebration, gratitude without weight.

And then life shows up differently.

It doesn’t separate emotions neatly. It doesn’t wait for the “right time.” It doesn’t give you space to process one chapter before the next begins.

Sometimes, it all comes at once.

And then life reminds us that it doesn’t work that way.

It doesn’t separate emotions neatly. It doesn’t wait for the “right time.” It doesn’t give us space to process one chapter before the next begins.

Sometimes, it all comes at once.

The last few weeks have been one of those seasons for me. Not defined by a single event, but by the collision of many, each carrying its own emotional gravity. The kind of stretch where life compresses time and forces you to hold opposing truths in the same breath.

As many of you know, my wife and I recently welcomed our second child together my third. A moment that should feel familiar, and yet, somehow, feels entirely new.

Because the truth is, there’s no such thing as becoming a “pro” at parenting.

Every child rewrites the experience. Every child brings a new perspective, a new rhythm, a new lesson. You don’t rely on experience as much as you think you relearn, you adapt, you grow. And in many ways, you’re reminded just how little control you actually have.

That realization, on its own, is humbling.

But life wasn’t done teaching lessons.

A few weeks ago, on a Saturday morning, I received a call that changed everything in an instant. One of my direct reports Jed Mercadante had passed away.

Just like that.

No warning. No time to prepare. No gradual realization.

I had spoken to him that same morning.

And then he was gone.

Jed wasn’t just a colleague. He was the kind of person you immediately connect with the kind that makes work feel less like work and more like shared purpose. Over the last five months, we built a strong partnership. There was trust, alignment, and a natural rhythm to how we worked together.

But more than that, he was someone who made people feel comfortable. Someone who built a team not just with skill, but with intention. The kind of leader whose impact is reflected in the people around him.

His passing left a silence that’s hard to describe. Not loud, not chaotic, but heavy. The kind that lingers. The kind that doesn’t resolve quickly.

And yet, life didn’t pause.

That same week, we celebrated my wife’s birthday. We prepared for the birth of our son. We entered Passover, a time rooted in reflection, renewal, and the enduring belief that even in darkness, there is light.

But this time, those moments weren’t experienced in isolation.

They were layered.

Joy existed but it shared space with grief.

Celebration was present but it carried weight.

And that’s where life becomes real.

Because the question isn’t how to separate those emotions, it’s how to carry them together.

There is no perfect way to grieve.

There is no universal timeline, no checklist, no defined process that applies to everyone. Grief is deeply personal. Some people need silence. Others need to talk. Some lean into routine, while others step away from it.

And all of it is okay.

What matters is that we allow space for ourselves and for others to experience loss in our own way.

In moments like these, what stands out most is not just the loss, but the response around it.

The community.

The people who show up, not because they have the right words, but because they understand that presence matters more than anything else. The messages, the calls, the quiet check-ins. The teammates who step in without being asked. The friends who don’t try to fix anything, they just stand beside you.

That’s where the strength is.

Not in avoiding hardship, but in how we carry each other through it.

There’s something powerful about realizing that even in the most difficult moments, you are not alone. That the weight you’re carrying is shared, even if just a little, by the people around you.

And in that shared space, something meaningful happens.

We begin to understand the true value of connection.

We begin to appreciate presence over perfection.

We begin to recognize that showing up, for others and for ourselves—is often the most important thing we can do.

This Passover felt different.

The story of moving from darkness to light wasn’t just symbolic—it felt immediate. Because sometimes darkness isn’t a distant concept or a historical reference.

Sometimes it’s right here, in your life, uninvited and unexpected.

And the light?

The light is in the moments we choose to hold onto. In the people we surround ourselves with. In the new life we welcome, even as we say goodbye to someone who mattered.

Over the past weeks, I found myself standing in that exact space.

Holding grief in one hand, and joy in the other.

The loss of someone who made an impact on my life.

And the arrival of a new life that changes everything.

That’s the circle of life, not as a concept, but as a lived experience.

It’s not clean. It’s not orderly. It doesn’t follow a script.

But it is real.

So if there’s one thing I’d share not as a professional, but simply as a person it’s this:

Be present.

For your family.
For your friends.
For your colleagues.
For yourself.

Say the things that matter now, not later.
Show appreciation when it counts, not when it’s convenient.
Make the call. Send the message. Take the time.

Because life doesn’t wait for the perfect moment.

It all comes together whether we’re ready or not.

And in those moments, what matters most isn’t what we planned.

It’s who we have.
It’s how we show up.
It’s the light we choose to hold onto and the light we choose to be for others.

Hold onto that.

Even when it stands right next to the dark.

There’s a moment in life where everything pauses not because the world slows down, but because you choose to.

For me, that moment is this week.

On Friday, the Azar clan grows by one. And with that, I’m doing something that doesn’t always come naturally in our line of work, I’m stepping away. No alerts, no dashboards, no late-night calls. Just time. Real time. The kind you don’t get back.

I’ll be spending this week with my wife and our two sons, soaking in the chaos, the laughter, the sleepless nights, and all the little moments that make up something much bigger. Because as much as we talk about building resilience, driving outcomes, and staying ahead of the next threat, none of that means much if we forget what we’re actually protecting.

And right now, for me, that’s family.

There’s something poetic about this happening during Passover.

Passover isn’t just about tradition, it’s about reflection, freedom, and renewal. It’s about remembering where we came from and being intentional about where we’re going. Around the Seder table, we tell stories of perseverance, of hardship, of faith. But we also celebrate growth, continuity, and the responsibility to pass something meaningful to the next generation.

That hits differently when you’re holding your newborn.

It puts things into perspective in a way no board meeting or quarterly review ever could. The noise fades. The urgency recalibrates. And you realize that sometimes, the most important move isn’t pushing harder, it’s stepping back.

We spend so much of our lives optimizing for efficiency, productivity, and impact. But life isn’t a system you harden. It’s something you experience.

And these moments, the birth of a child, the expansion of a family, the quiet time at home they’re not interruptions to the mission. They are the mission.

So this week, I’m unplugging. Not because the work isn’t important, but because this is more important.

To my colleagues, peers, and the broader security community; we all preach balance, but rarely practice it. Consider this your reminder. Take the time. Be present. The threats will still be there when you get back.

But your kids won’t be this little again.

Chag Pesach Sameach to those celebrating. Happy Easter and take time this holiday to hug your family a little tighter this week.

I’ll see you all on the other side, recharged, refocused, and with a new perspective that only life can give.

See you Monday April 13th, 2026 back on your favorite platforms.

Stay Cyber Safe,

James

As I said on the show, if you’re not thinking in quarters, you’re not thinking like the business. Cybersecurity doesn’t operate in a vacuum. Revenue, projections, and economic signals all shape what we can defend and how fast we can respond.

Today’s episode wasn’t just packed—it was a clear signal of where the threat landscape is going. Identity is the front door. Supply chain is the hallway. Cloud is the vault. And attackers? They’re not hacking anymore, they’re logging in.

Let’s get into it.

Subscribe now

Stolen Credentials Fueling the Entire Threat Economy

I started the show with what I’d call the backbone of today’s cyber threat landscape—identity compromise. We’re seeing an industrial-scale economy around stolen credentials, where infostealer logs are being packaged, sold, and operationalized across ransomware groups and even nation-state actors.

High-privilege cloud credentials are now selling for thousands of dollars, not the pocket change they used to go for. That tells you everything about demand. Attackers don’t need to break in anymore—valid credentials give them direct access, and from there, it’s lateral movement, persistence, and impact.

This is the shift: malware is optional. Identity is everything.

The takeaway here is simple but uncomfortable—most organizations are still defending against break-ins, while attackers are walking in through the front door.

Anthropic Source Code Leak: Not a Breach, Still a Problem

Next, I covered Anthropic accidentally leaking a massive amount of source code through an npm package. This wasn’t a breach, it was human error. But let’s be honest, attackers don’t care how the door opened.

Roughly half a million lines of code became reconstructable. No customer data was exposed, but that doesn’t mean there’s no risk. Source code exposure gives adversaries a blueprint, how systems work, where weaknesses might exist, and how to reverse engineer faster.

We’re seeing a pattern: not every incident is malicious, but every exposure is valuable to attackers.

Cisco Breach via Trivy Supply Chain Attack

Then we got into the Cisco story—and this one hits hard. A compromised security tool (Trivy) led to the theft of source code from over 300 repositories, including AI-related projects and customer-linked environments.

Let that sink in: a security tool became the entry point.

This is the evolution of supply chain attacks. It’s no longer about poisoning one package—it’s about chaining trust relationships. Open source → CI/CD → cloud → customer environments.

If your pipeline is compromised, your entire downstream ecosystem is exposed.

Axios npm Compromise: 400 Million Downloads at Risk

Staying in the supply chain lane, attackers compromised the npm account of a maintainer tied to Axios, a package with roughly 400 million downloads per month.

They inserted a malicious dependency with a post-install script capable of pulling additional payloads depending on the system. This is where scale becomes terrifying. One compromised dependency doesn’t just affect one company, it cascades across thousands.

The developer ecosystem is no longer fragmented. It’s one giant shared attack surface.

“Cybersecurity isn’t about stopping attacks. It’s about making yourself harder to attack than the next guy.” James Azar

Stryker Wiper Attack: Real-World Operational Impact

Switching gears to operational impact, Stryker is recovering from a destructive cyberattack that wiped systems and disrupted manufacturing.

This is where cybersecurity leaves the server room and hits the real world. Production delays, shipment disruption, and downstream effects on healthcare systems—this is no longer about data loss.

It’s about business continuity. And recovery isn’t quick. As I pointed out, manufacturing environments take months not days to fully restore.

TeamTNT/Team PCP Expands into AWS Environments

We also saw an evolution in attacker behavior with Team PCP moving from open-source compromise into AWS environments using stolen credentials.

This isn’t random. It’s strategic chaining: Compromise credentials → Validate them → Pivot into cloud → Expand access.

This is what modern attacks look like—multi-stage, identity-driven, and built on trust abuse.

Quantum Threat Timeline Just Got Shorter

On the research side, Google is now suggesting that breaking elliptic curve cryptography (used in Bitcoin and Ethereum) may require significantly fewer qubits than previously estimated. No, your crypto wallet isn’t getting cracked tomorrow—but the timeline is shrinking.

And that matters. Because “harvest now, decrypt later” is very real. Data being stolen today could be decrypted in the future once quantum capabilities mature.

CISA Orders Immediate Citrix NetScaler Patching

On the defensive front, CISA is urging immediate patching of a critical Citrix NetScaler vulnerability already showing signs of exploitation. We’ve seen this movie before Citrix edge vulnerabilities become initial access points for ransomware and nation-state actors.

If it’s exposed, it’s already being targeted.

$53M Crypto Hack: One Line of Code, Massive Impact

Finally, we looked at the Uranium Finance hack, where attackers exploited two smart contract flaws one of them a single-character coding error.

That mistake enabled attackers to drain nearly 90% of assets across multiple liquidity pools over $53 million. bLet me say that again: one character. In crypto, precision isn’t optional, it’s everything.

Key Takeaway from Today’s Show

"The thread today is trust. Trusted identities, trusted packages, trusted pipelines, trusted gateways, trusted cloud accounts. Attackers keep winning by finding the shortest path through systems we already trust way, way too much. Shrink the trust, shorten the credential life, verify the package, isolate the pipeline, and don't assume security software is automatically secure." James Azar

Action Items for Security Leaders

• Prioritize Identity Threat Detection and Response (ITDR)

• Enforce short-lived credentials and eliminate static secrets

• Block direct external package pulls; use internal mirrors

• Add release pipeline checks to prevent source code leakage

• Segment and isolate CI/CD environments from production and customer data

• Harden OT and manufacturing environments with network obfuscation

• Begin inventorying cryptographic dependencies for post-quantum readiness

• Patch edge infrastructure immediately—especially Citrix and VPNs

• Require formal verification and adversarial testing for smart contracts

Leave a comment

James Azar’s CISO Take

If you’re still thinking about security in terms of tools, you’re already behind. Today’s stories reinforce something I’ve been saying for a while—security is no longer about perimeter defense. It’s about trust management. Identity is your perimeter. Your software supply chain is your exposure. And your cloud is your blast radius.

We’re entering a phase where attackers are operating like businesses—efficient, scalable, and opportunistic. They’re not wasting time breaking in when they can log in. That means our strategy has to shift from prevention-only to continuous validation. Shorten trust, verify everything, and assume compromise is already in motion.

Stay Cyber Safe

Today’s episode brings together actively exploited edge vulnerabilities, supply chain compromises hitting trusted developer ecosystems, evolving social engineering techniques, healthcare exposure risk, and nation-state cyber pressure at scale.

If there’s one takeaway from today, it’s this attackers are not finding new doors. They’re walking through the ones we still haven’t closed.

Coffee cup cheers — let’s get into it.

Subscribe now

F5 BIG-IP Flaw Escalates to Critical RCE Under Active Exploitation

We start with a story that should immediately trigger incident response muscle memory. An F5 BIG-IP vulnerability originally disclosed as a denial-of-service issue has now been upgraded to a critical remote code execution flaw with active exploitation in the wild.

This is exactly how incidents begin, a vulnerability underestimated at first, then weaponized once attackers understand its full potential.

The flaw impacts BIG-IP APM deployments, which sit directly in the authentication and access layer of enterprise environments. That makes this especially dangerous, because compromising it gives attackers not just access, but control over identity flows.

The risk here is unauthenticated remote code execution on a perimeter system that brokers access into your entire enterprise. The only real move here is urgency, patch immediately and assume compromise until proven otherwise.

Fortinet EMS Vulnerability Exploited as Attackers Target Management Layers

Fortinet continues to take hits, with a critical FortiClient EMS vulnerability now actively exploited, alongside a broader pattern of Fortinet flaws being leveraged in ransomware campaigns. There’s a pattern here that’s impossible to ignore attackers love management systems.

Why? Because if you control the system managing endpoints, you control the endpoints themselves. This isn’t about one vulnerable server. It’s about what that server touches. The risk is lateral movement and enterprise-wide compromise originating from a trusted management platform.

Mitigation requires isolating these systems into dedicated administrative enclaves and eliminating unnecessary external exposure. Trust in these systems needs to be significantly reduced.

OpenAI Patches ChatGPT and Codex Vulnerabilities

OpenAI patched vulnerabilities affecting ChatGPT and Codex, including risks tied to data exfiltration and GitHub token exposure. This is an important moment AI platforms are no longer experimental tools. They are now privileged enterprise systems.

The concentration of data, automation, and access within AI workflows creates a higher-impact blast radius when things go wrong. The risk is clear: sensitive data leakage and source code exposure through platforms teams increasingly trust without question.

Organizations must begin treating AI tools with the same rigor as any other high-privilege SaaS platform, enforcing least privilege and controlling integrations tightly.

Team PCP Expands Supply Chain Attack via Telnyx SDK

The Team PCP campaign continues to evolve, now compromising the Telnyx Python SDK distributed via PyPI. This is not typosquatting or fake packages this is compromise of legitimate, trusted software.

That’s what makes this dangerous. Developers are doing exactly what they’ve been trained to do using official packages and still getting burned. This represents a shift toward deep supply chain compromise within trusted ecosystems, targeting developers directly as an entry point into enterprise environments.

The risk is credential theft and persistent access embedded in development workflows. Mitigation requires strict version pinning and the use of internal package repositories to control what enters production environments.

DeepLoad Malware Advances ClickFix Social Engineering

DeepLoad malware is the next evolution of ClickFix-style attacks, combining social engineering with fileless techniques like WMI persistence. This is where things get uncomfortable.

Attackers don’t need exploits if they can convince users to execute commands themselves. The user becomes the delivery mechanism. The malware operates without traditional signatures, relying on behavior and persistence techniques that evade standard detection.

The risk is durable compromise through user-assisted execution. Detection strategies must shift toward behavioral analysis, focusing on script execution and abnormal system activity rather than relying on known malware signatures.

CareCloud Incident Highlights Healthcare Aggregation Risk

CareCloud disclosed a cybersecurity incident involving its electronic health record platform, with potential exposure of patient data.

This is a classic example of aggregation risk. Attackers don’t need to breach individual hospitals when platforms like CareCloud centralize sensitive data across multiple organizations. One compromise can ripple across an entire healthcare ecosystem.

The risk is widespread exposure of patient data and operational disruption across dependent providers. Healthcare organizations must validate segmentation at the tenant level and understand exactly how data flows between environments.

UAE Faces Massive Cyber Pressure Amid Regional Tensions

The UAE is reportedly facing between 500,000 to 700,000 cyberattacks per day, driven in part by regional geopolitical tensions. This isn’t about one attack, it’s about sustained pressure.

AI is enabling attackers to scale campaigns faster, cheaper, and more effectively, creating constant noise that can overwhelm defenders. The risk is operational fatigue and missed signals within an overwhelming volume of activity.

Organizations operating in high-risk regions must prepare for sustained campaigns, not isolated incidents, with pre-staged response and monitoring strategies.

Apple Introduces macOS Protection Against ClickFix Attacks

Apple has introduced a new feature in macOS Tahoe that warns users when pasting potentially harmful terminal commands, directly targeting ClickFix-style attacks.

This is a subtle but important shift vendors are now defending against user workflow abuse, not just technical vulnerabilities. It’s a step in the right direction, but not a complete solution. Users may develop a false sense of security, assuming the OS will catch everything.

Training remains critical. Any command you don’t understand is still a threat, regardless of whether the system warns you.

Italian Bank Fined €31.8M for Insider Data Access Failures

An Italian bank was fined €31.8 million after an employee accessed thousands of customer records over a two-year period without detection. No external breach. No zero-day exploit.

Just insufficient monitoring of legitimate access. This reinforces one of the oldest truths in cybersecurity, insider risk is still one of the hardest problems to solve. The risk is prolonged unauthorized access that appears legitimate.

Organizations must implement behavioral monitoring and anomaly detection around sensitive data access, especially for privileged users.

Russian Carding Group Members Sentenced

A Russian military court sentenced 26 members of the Flint24 cybercrime group, including its leader, to prison terms of up to 15 years. This represents continued law enforcement pressure on cybercrime ecosystems.

But let’s not kid ourselves these ecosystems are resilient. Arrests disrupt operations temporarily, but successors and infrastructure quickly re-emerge.

The risk remains unchanged: persistent carding and fraud operations. Defenders must continue monitoring underground markets even after major enforcement actions.

"The pattern for today is pretty clear: perimeter systems are still getting burnt, management tools are still too trusted, healthcare platforms keep concentrating blast radiuses, and the AI stack is now firmly inside the enterprise threat model. Patch fast, trust less, watch your packages and pipelines, and remember that the attacker's favorite path is one your team already depends on." James Azar

Key Action Items for Security Teams

• Patch edge and perimeter systems immediately, especially F5 and Fortinet devices

• Isolate and secure endpoint and infrastructure management platforms

• Treat AI tools as privileged systems with strict access controls

• Enforce software supply chain security with version pinning and internal repositories

• Shift detection toward behavioral analysis for fileless and social engineering attacks

• Validate data segmentation in healthcare and other aggregated platforms

• Prepare for sustained cyber pressure in high-risk geopolitical regions

• Continue user training against social engineering, even with OS-level protections

• Implement behavioral monitoring for insider access to sensitive data

• Maintain visibility into underground markets despite law enforcement actions

Leave a comment

James Azar’s CISOs Take

What stands out to me today is how consistently attackers are targeting the same layers, edge systems, management tools, and trusted software pipelines. None of this is new, but the scale and speed at which it’s happening have changed dramatically. We’re seeing attackers industrialize what used to be opportunistic, and they’re doing it by focusing on trust — trust in software, trust in users, and trust in infrastructure.

The second takeaway is that prevention alone is no longer enough. Too many of these attacks succeed not because controls don’t exist, but because they’re not applied fast enough or monitored effectively. We have to shift toward real-time detection, behavioral visibility, and rapid response. Security today is about reducing the time between compromise and containment because compromise is no longer a question of if, but when.

Coffee Cup Cheers ☕️

Share

We’re closing out Q1 with a theme that’s been building all year: the collapse of traditional security boundaries.

Today’s episode brings together cloud compromise, personal account targeting of senior officials, active exploitation of edge devices, and deep nation-state espionage campaigns.

If there’s one thread tying all of this together, it’s this: attackers are going exactly where trust meets exposure and that’s where they’re winning.

Coffee cup cheers, let’s get into it.

Subscribe now

European Commission Breach Tied to AWS Identity Compromise

We kick things off with the European Commission investigating a breach linked to a compromised AWS account that potentially exposed sensitive data. This is a critical distinction in how modern cloud attacks actually happen. The cloud itself wasn’t breached the identity inside it was.

This follows a pattern we’ve seen repeatedly across incidents like Snowflake and OAuth token abuse. Attackers aren’t breaking into hardened infrastructure; they’re simply logging in using stolen credentials or hijacked tokens. That access gives them legitimate entry into sensitive environments without triggering traditional defenses.

The real risk here is unauthorized access to government systems and data through compromised identities. The mitigation isn’t flashy, but it’s essential eliminate long-lived credentials, enforce short-lived tokens, and continuously validate identity access across cloud environments.

Iranian Hackers Target FBI Director’s Personal Email

A pro-Iranian group claims to have compromised the personal email of FBI Director Kash Patel, along with several Israeli political and military figures. Whether the data is recent or even meaningful is almost beside the point.

This is about perception and influence.

Targeting personal accounts is a strategic move to blur the line between personal and professional exposure. Even limited access can create headlines, shake confidence, and serve as propaganda.

"Kash Patel is not someone who would have 33,000 emails on a private server that then somehow gets bleached and thrown out to a forest somewhere. Director Patel uses his FBI emails for that. These are what I call 'moral victory posts' we hacked your high-end guy's personal email! Yes, good, congratulations! But their guys are in the hospital with broken legs and in comas." James Azar

From a security standpoint, this reinforces the need for executive-level protection beyond corporate controls. High-profile individuals are now part of the attack surface, whether organizations formally account for that or not.

Citrix NetScaler Under Active Exploitation

Citrix NetScaler vulnerabilities are once again being actively exploited, continuing a long-standing trend of attackers targeting edge infrastructure.

These systems sit at the front door of enterprise environments, making them ideal entry points. The attack pattern hasn’t changed — exposed devices, unpatched systems, and automated scanning at scale.

What has changed is speed.

The time between vulnerability disclosure and exploitation has collapsed. Organizations that delay patching or leave management interfaces exposed are essentially leaving the door unlocked.

The risk is full network compromise through a single exposed edge device, and mitigation requires immediate patching and reducing direct internet exposure wherever possible.

Critical PTC Windchill Vulnerability Triggers Real-World Response

CISA flagged a critical vulnerability in PTC Windchill severe enough to trigger real-world consequences, including law enforcement mobilization.

This highlights how cyber risk is no longer theoretical. PLM systems manage sensitive manufacturing and operational data, and a remote code execution flaw in such systems opens the door to significant disruption.

The real concern here is the intersection of IT and OT environments. When those systems are compromised, the impact extends beyond data into physical operations.

Organizations must move quickly to patch, and where they cannot, implement compensating controls like virtual patching and network obfuscation to limit exposure.

macOS Targeted by New Infinity Stealer Malware

A new malware strain known as Infinity Stealer is targeting macOS users through social engineering techniques. Users are tricked into executing commands that ultimately lead to credential theft, browser data extraction, and even crypto wallet compromise.

This reinforces a reality many organizations have resisted macOS is no longer a safe haven. High-value users such as developers and executives are increasingly targeted, and attackers are adapting accordingly.

The focus here should be on restricting execution of untrusted code, enforcing application controls, and ensuring visibility into endpoint behavior across macOS environments.

China-Linked Telecom Espionage Campaign

China-linked actors are continuing their focus on telecom infrastructure, deploying Linux-based backdoors to maintain long-term persistence.

This is classic espionage quiet, patient, and strategic.

Telecom providers offer unparalleled visibility into communications and metadata, making them prime targets for intelligence collection. Once embedded, these backdoors allow ongoing surveillance without disruption.

The real risk is not immediate damage, but prolonged, undetected access. Organizations in this sector must prioritize integrity monitoring, behavioral analytics, and strict segmentation to detect and contain such activity.

Russian Disinformation Campaign Targets Latvia

Latvia has accused Russia of conducting a disinformation campaign tied to the Ukraine conflict, highlighting the evolution of cyber into the realm of information warfare.

This is no longer just about systems and networks it’s about shaping narratives. The objective is to erode trust, influence public perception, and destabilize societies without ever breaching a system.

Organizations must begin to recognize that cybersecurity now includes defending against manipulation of information, not just protection of infrastructure.

OpenAI Launches Bug Bounty for Abuse and Safety

OpenAI has launched a bug bounty program focused on abuse and safety risks, signaling a shift in how AI security is being approached.

Traditional vulnerabilities are only part of the equation. The real challenge lies in misuse, manipulation, and unintended consequences of AI systems.

This move acknowledges that securing AI requires a broader perspective one that includes human behavior, adversarial inputs, and systemic risks.

RedLine Malware Developer Extradited to the U.S.

The developer behind RedLine malware has been extradited to the United States and faces significant prison time. While this is a win for law enforcement, it does not eliminate the threat.

RedLine has already become deeply embedded in the cybercrime ecosystem. Its capabilities credential theft, session hijacking, and enabling downstream attacks will persist regardless of its creator’s fate.

The takeaway here is simple. Enforcement matters, but resilience matters more. Organizations must assume these tools will continue to evolve and remain in circulation.

Key Action Items for Security Teams

• Eliminate long-lived credentials and enforce short-lived cloud access tokens

• Implement executive-level personal security protections

• Patch edge devices immediately and remove public exposure

• Apply virtual patching where immediate fixes are not possible

• Enforce endpoint protection across macOS environments

• Monitor Linux systems for integrity and unauthorized changes

• Integrate identity threat detection across all access points

• Strengthen defenses against social engineering and phishing

• Monitor supply chain and dependency risks across environments

• Prepare for cyber threats that include information warfare

Leave a comment

James Azar’s CISOs Take

When I look at today’s stories, what stands out is how completely the lines have blurred. There’s no longer a clean separation between personal and corporate, between cloud and on-prem, or even between cyber and information warfare. Attackers have adapted faster than most organizations, and they’re exploiting the gaps created by those outdated distinctions.

The second realization is that security is no longer about building higher walls — it’s about controlling access and validating trust continuously. Identity has become the primary attack surface, and everything else connects to it. If we don’t shift our focus there, if we don’t move faster in detection and response, then we’re simply reacting to breaches instead of preventing impact.

Stay Cyber Safe

Pull up a chair and pour the Illy Espresso into a perfect double glass cup, this week’s briefing is going to earn it.

If last week was about trust as an attack vector, this week was about the industrialization of that strategy. Attackers are no longer just exploiting trust opportunistically they’re scaling it. Supply chain attacks now simultaneously target PyPI, Docker Hub, and VS Code extensions. Phishing kits are bypassing MFA in minutes. Initial access timelines have compressed from days to hours sometimes minutes. And AI tooling is being poisoned through the same trusted package repositories your developers are pulling into production pipelines right now.

The Stryker fallout continued, with new details confirming the attack was a hybrid operation combining living-off-the-land techniques with destructive malware payloads affecting not just the company but hospitals and emergency services downstream. The FBI seized Iranian-linked infrastructure tied to the attack and it was back online within days. Meanwhile, Foster City, California, remained paralyzed by a separate cyberattack while 50,000 cybersecurity professionals gathered 35 minutes away at RSA in San Francisco.

China continued its quiet, patient campaign against military systems in Southeast Asia. North Korean actors pivoted their fake resume attacks to target HR teams in French. HackerOne — a security platform — exposed vulnerability reports through an API misconfiguration. And CISA is reportedly being squeezed into a reactive posture by funding constraints, at exactly the wrong moment.

The theme this week, in James’s words: attackers aren’t breaking the systems. They’re using them exactly as designed just better than we are.

Let’s get into it.

🌐 Geopolitical Cyber Warfare

China-Linked Espionage Campaign Breaches Military Systems Across Southeast Asia

Chinese state-linked threat actors breached military systems across Southeast Asia in a long-term, quiet espionage campaign consistent with China’s established doctrine: persistent access over loud disruption. The objective isn’t to break things it’s to understand them. Response plans, operational readiness, infrastructure dependencies, and communication channels. This correlates directly with prior reporting on Chinese pre-positioning within critical infrastructure in regions aligned with U.S. defense strategy.

Long-term undetected access to military intelligence and operational planning systems represents one of the most dangerous threat scenarios because the damage accumulates invisibly. Organizations handling sensitive government or defense-adjacent data should treat continuous access validation and environment segmentation as non-negotiable baseline controls.

FBI Seizes Iranian-Linked Infrastructure — It Returns Within Days

The FBI and DOJ seized domains linked to the Handela hacking group, the Iranian-linked actors behind the Stryker attack. The infrastructure was back online within days. This is the operational reality of working against well-resourced, motivated adversaries: takedowns create friction, not elimination. The cost of re-establishing infrastructure for these actors is low. The cost of assuming they’re gone is high. Defenses must be designed around adversary persistence, not adversary removal.

Lockheed Martin Targeted by Pro-Iranian Hacktivists

A pro-Iranian hacktivist group claimed a breach of Lockheed Martin, alleging access to sensitive data including F-35-related information. Lockheed has not confirmed the breach. Claims of this nature typically mix real data with recycled or publicly available information to amplify credibility and psychological impact but even unconfirmed, they warrant monitoring. Organizations should actively track dark web leak sites and threat actor channels for early indicators of claimed exposure.

FCC Advances Ban on Chinese Routers

The FCC is moving forward with efforts to ban specific Chinese-manufactured routers from U.S. networks due to national security concerns over potential backdoor access. This reflects a broader and accelerating policy shift toward supply chain security and foreign technology risk reduction. Organizations should establish approved hardware procurement policies and formally assess supply chain risk across their networking infrastructure.

💥 Stryker Fallout & Destructive Operations

Stryker Attack Confirmed as Hybrid Operation: Living-Off-the-Land Plus Malware

New details on the Stryker attack confirm it was a hybrid operation not purely living-off-the-land as initially characterized. Attackers used legitimate administrative access to establish footholds and then deployed destructive malware payloads to execute the wipe at scale. This is the same playbook used in Ukraine and other geopolitical conflict environments. The operational impact extended beyond Stryker’s own systems: hospitals and emergency services were affected, with some forced to disconnect as a precautionary measure. Supply chains for medical equipment remain disrupted.

The lesson is not new but demands repeating: behavioral detection capable of identifying abnormal administrative activity not just known malware signatures is the only reliable defense against this class of attack. Organizations must also design segregated backup environments and recovery capabilities calibrated to actual business continuity SLAs.

Foster City Paralyzed by Cyberattack During RSA

Foster City, California, remained operationally paralyzed by a cyberattack this week — with municipal services disrupted across the board — while more than 50,000 cybersecurity professionals gathered 35 minutes away at RSA Conference in San Francisco. Local governments are consistently under-resourced for the threat environment they face. Incident response preparedness and resilience planning must be treated as core investments, not afterthoughts, for any organization that provides essential services to the public.

🔓 Data Breaches & Exposures

“Cybersecurity is no longer just about defending networks. It’s about protecting operations, identities, and trust itself. Attackers are evolving — they’re blending in, they’re abusing trusted systems, and they’re aligning with geopolitical objectives. And defenders? We need to think the same way: holistically, strategically, and always one step ahead of our adversaries.” James Azar

HackerOne API Misconfiguration Exposes Vulnerability Reports

HackerOne disclosed a data exposure incident in which an API access control misconfiguration allowed users to view vulnerability reports they were not authorized to access — including unpatched vulnerabilities still in remediation. This is a blueprint-level exposure: seeing vulnerabilities before they are fixed provides a direct roadmap into affected organizations. The incident impacted 287 employees and reinforces how security platforms themselves have become high-value targets. Strict API access controls, continuous auditing, and deep visibility into third-party platforms handling sensitive data are essential mitigations.

AstraZeneca Breach Exposes Source Code and Infrastructure Secrets

Pharmaceutical giant AstraZeneca disclosed a breach in which attackers accessed approximately three gigabytes of internal data, including source code and infrastructure configuration details. Customer data does not appear to have been impacted. However, source code and infrastructure secrets are among the most dangerous categories of intellectual property exposure providing attackers with detailed knowledge of internal systems and potential further attack paths. Role-based access controls for research environments and alignment to known threat actor TTPs targeting pharmaceutical IP are essential.

Navia Breach: 2.7 Million Individuals, Months of Undetected Access

A major breach at Navia compromised data tied to approximately 2.7 million individuals. The attacker dwell time from late December through mid-January before detection is the story here. Extended undetected access is the norm, not the exception, in these aggregation-layer attacks where centralized platforms holding large volumes of user data are targeted. Behavioral fraud detection systems are essential for identifying abnormal account activity and preventing downstream monetization of stolen data.

Crunchyroll Zendesk Breach: 6.8 Million Email Records

Crunchyroll is investigating a breach of its Zendesk support environment exposing approximately 6.8 million unique email records, names, email addresses, IP addresses, and support ticket contents. This was not a breach of the core platform. It was a breach of a support system, which in many ways is more valuable to attackers. Support data provides rich operational context enabling precision phishing and convincing social engineering. Third-party SaaS support platforms are an undermonitored attack surface across nearly every enterprise.

Mazda Breach: Supply Chain Intelligence Gathering

Mazda disclosed a breach tied to a warehouse operations management system connected to parts procurement in Thailand. Employee and partner data was exposed — not customer records, but organizational context: relationships, communication paths, and operational workflows. This is exactly the kind of intelligence attackers use to map supply chains and identify where to strike next. Segmentation of partner-connected systems and business process security controls must be treated with the same urgency as core infrastructure.

🕵️ Nation-State & Insider Threats

North Korean Campaign Targets HR Teams with French-Language Fake Resumes

North Korean threat actors have expanded their fake resume campaign, with new variants now localized in French to target HR teams across European organizations. Once opened, the malicious documents execute malware against the HR workstation. This is a direct evolution of the broader North Korean IT worker infiltration strategy and it demonstrates how HR has become a frontline attack surface. Document sandboxing for all inbound candidate materials and secure handling protocols for HR platforms are essential mitigations.

AI Technology Smuggling Case: Three Charged with Exporting to China

Three individuals were charged with attempting to smuggle advanced U.S. AI technology to China. As AI becomes a core strategic national asset, cybersecurity, legal enforcement, and export controls are converging around its protection. Organizations developing or deploying advanced AI systems must implement strict monitoring of sensitive data access and formal export control compliance frameworks.

🛡️ Vulnerabilities & Active Exploitation

Oracle Identity Manager: Emergency RCE Patch

Oracle issued an emergency patch for a critical remote code execution vulnerability in its Identity Manager platform. Identity systems are the primary attack surface in modern enterprise environments — compromising them grants control over authentication across the organization. This is the definition of a high-urgency patch. Isolate identity systems, enforce privileged access controls, and treat this with the same urgency as a perimeter firewall zero-day.

Critical Windchill PLM Vulnerability: CVE-2026-4681

A critical deserialization remote code execution vulnerability in PTC Windchill FlexPLM is under active threat. PLM systems hold sensitive product design and intellectual property data — high-value targets for both espionage and competitive intelligence theft. Immediate patching and restriction of external access to PLM environments are required.

Citrix NetScaler: Session Hijacking via Session Mix-Up Vulnerabilities

Critical vulnerabilities in Citrix NetScaler introduce session mix-up conditions, effectively breaking trust between users and systems at the edge. NetScaler sits at the intersection of identity and access, making these vulnerabilities particularly dangerous. Immediate patching of all internet-facing Citrix infrastructure is essential.

Cisco Firewall Zero-Day Exploited by Ransomware Groups

A Cisco firewall zero-day continues to be actively exploited by ransomware operators. Perimeter compromise provides direct internal network access, backdoor account creation, and long-term persistence. Patch immediately and implement real-time monitoring for abnormal firewall configuration changes.

QNAP Vulnerabilities Demonstrated Live at Pwn2Own

Researchers chained multiple QNAP vulnerabilities to achieve root access in a live demonstration. NAS devices are consistently undermonitored and infrequently patched despite sitting inside enterprise networks with access to sensitive stored data. Inventory and patch all network-attached storage devices immediately.

ConnectWise ScreenConnect: Session Hijacking

ConnectWise disclosed a ScreenConnect vulnerability enabling session hijacking. Remote access platforms carry administrative-level capabilities when compromised, attackers inherit full system control. Enforce session-level authentication and privileged access monitoring across all remote access tooling.

TP-Link Router Authentication Bypass

A critical TP-Link vulnerability allows attackers to bypass authentication entirely and gain full administrative access to affected devices. Router compromise gives attackers foundational network visibility and control. Isolate management interfaces from public exposure and enforce zero-trust access principles including for network infrastructure devices.

SQL Server Exposure: Old Attack Path Still Working

Threat actors continue scanning and exploiting publicly exposed Microsoft SQL servers through weak credentials and misconfigured services. This is one of the oldest attack paths in enterprise security — and it still works because organizations still expose database services to the internet. Disable public exposure and enforce strong authentication across all database services.

Chrome: Continued High-Severity Patching

Google released Chrome version 146 with multiple high-severity patches. Browsers remain one of the most consistent initial access vectors, particularly when combined with phishing. Enforce automatic updates and browser security policies across all enterprise endpoints.

Node.js Vulnerabilities: Dependency Risk in Backend Services

Node.js released updates addressing vulnerabilities including denial-of-service and application stability flaws. Node is deeply embedded in enterprise application stacks. Automated patching pipelines for all runtime environments are required security has moved to runtime and patch hygiene must follow.

CISA Adds Wing FTP, Zimbra, and Others to KEV Catalog

CISA continues flagging actively exploited vulnerabilities across FTP servers, email infrastructure, and enterprise platforms. These additions carry federal patch mandates and should be treated with equivalent urgency by enterprise security teams.

🤖 AI, Supply Chain & Developer Threats

AI Supply Chain Attack Targets LiteLLM via PyPI

A supply chain compromise targeting the LiteLLM Python package distributed malicious code through PyPI the trusted package repository used by AI and ML developers globally. AI tooling is being adopted faster than security teams can vet it, and attackers are exploiting that gap directly. Developers are pulling these packages into production pipelines without validation, unknowingly introducing persistence mechanisms. Strict dependency allow-listing for AI and ML libraries is a required control for any organization deploying AI-driven applications.

Team PCP Expands to PyPI, Docker Hub, and VS Code Extensions

The Team PCP threat group has scaled from isolated targeting into a full-spectrum, multi-platform supply chain operation simultaneously attacking PyPI packages, Docker Hub images, and VS Code extensions. This is industrialized developer compromise. The goal is mass downstream enterprise access through development environment infiltration. Runtime scanning across containers and development environments is essential prevention controls are no longer keeping pace with the distribution velocity of these attacks.

Time to Initial Access Compressed to Hours or Minutes

New reporting confirms what practitioners have been observing: attackers are now achieving initial access within hours sometimes minutes of targeting an organization. This is driven by AI-assisted phishing, automation, and the maturation of initial access broker marketplaces. Detection windows have collapsed. Real-time identity threat detection and response across all identities human and non-human is the only operationally viable response to this timeline compression.

Microsoft Device Code Phishing Hits 340 Organizations

A large-scale phishing campaign is exploiting Microsoft device code authentication flows, impacting more than 340 organizations. Attackers are not breaking authentication — they are abusing it. Users are tricked into entering legitimate authentication codes, granting attackers valid session access without credential theft. Restrict device code authentication flows where they are not operationally required. This is the future of phishing: exploiting trust rather than bypassing controls.

Tycoon 2FA Phishing Kit: Responsible for 62% of Blocked Phishing Attempts

The Tycoon 2FA phishing kit responsible for 62% of phishing attempts blocked by Microsoft in 2025 was disrupted this week, but activity resumed almost immediately. This kit bypasses MFA, not just passwords. MFA alone is no longer sufficient against modern phishing infrastructure. Phishing-resistant authentication passkeys and FIDO2-based mechanisms is now the required standard for any organization that has faced or expects to face targeted credential theft.

Void Stealer Targets Chrome Credential Storage

New malware dubbed Void Stealer targets Chrome’s encryption keys to decrypt stored credentials using debugger techniques. Browser-based credential storage is not a secure vault it is a conveniently organized target. Enforce hardware-backed credential storage and eliminate browser-based password management across enterprise environments.

Malware Distributed via Open Directories

Researchers identified attackers using open, publicly accessible directory listings to host and rotate malware payloads — low-tech, but effective precisely because it exploits overlooked and misconfigured infrastructure. Identify and remediate misconfigurations in internet-facing systems and deploy network-level blocking of known open-directory distribution patterns.

North Korean Actors Target Developers via VS Code Auto-Run Tasks

North Korean threat actors are abusing VS Code auto-run task configurations to deploy malware against developer workstations. Developers are a primary attack vector across job postings, malicious packages, and now compromised IDE tooling. Restrict automated execution within development tools and enforce configuration validation across developer environments.

Russian Hackers Bypass Signal Encryption via Endpoint Compromise

The FBI warned that Russian hackers are targeting Signal users — not by breaking encryption, but by compromising the devices running it. Encrypted communications are only as secure as the endpoint managing them. Mobile and desktop endpoint security must receive the same rigor as network perimeter security for anyone handling sensitive communications.

💰 Financial Cybercrime

$24.5 Million DeFi Hack: Uncollateralized Stablecoins Minted Through Infrastructure Weakness

DeFi platform Resolve suffered approximately $24.5 million in losses after attackers exploited infrastructure weaknesses to mint uncollateralized stablecoins, which were then converted to Ethereum — crashing the token’s value in the process. This is a recurring pattern in DeFi: innovation velocity outpacing security validation. Independent smart contract audits and robust key management practices must be required before any financial protocol deployment.

Russian Initial Access Broker Sentenced to Six-Plus Years

A Russian initial access broker tied to ransomware operations was sentenced to more than six years in prison. Ransomware is an ecosystem, not a solo operation access brokers establish entry and sell it to ransomware groups for execution. Preventing initial access through strong identity controls, MFA enforcement, and network segmentation is the most effective intervention point in the entire ransomware kill chain.

Trivy Supply Chain Compromise Hits CI/CD Pipelines

A breach involving the Trivy vulnerability scanner resulted in attackers distributing an infostealer through GitHub Actions workflows. The target was a security tool used inside CI/CD pipelines which means the very tools organizations rely on for security were the vector. Pipeline integrity checks and third-party tool verification must be implemented across all automated build and deployment workflows.

⚖️ Law Enforcement, Policy & Regulatory

CISA Pushed Toward Reactive Posture by Funding Constraints

CISA is reportedly being constrained by funding limitations that are reducing its capacity for proactive threat defense and public-private coordination. CISA has served as a central hub for actionable threat intelligence and coordinated response across critical infrastructure sectors. Any degradation in that capability increases systemic national risk at exactly the moment the threat environment is most demanding. This is not theoretical exposure — it is real, measurable risk at scale.

LeakBase Admin Arrested in Rare Russian Enforcement Action

Authorities arrested the alleged administrator of LeakBase, a platform used to buy and sell stolen data — with the arrest taking place inside Russia, marking a rare enforcement action within that jurisdiction. While arrests disrupt momentum and create some deterrence, they rarely dismantle the broader cybercrime ecosystem. Continuous monitoring of underground markets remains essential.

Vendor Compliance Integrity: Delve Facing False Claims Allegations

A report surfaced alleging that compliance startup Delve made misleading claims about its security certifications and processes. Details remain contested, but the broader issue is real: the gap between vendor-claimed security capabilities and actual verified controls is a persistent and dangerous vulnerability in enterprise procurement. Independent audits and verified certification reviews must be part of any vendor onboarding process.

Libyan Oil Infrastructure Targeted with Long-Running AsyncRAT Campaign

A Libyan oil refinery was the target of a long-running espionage campaign using AsyncRAT, with attackers maintaining persistent access for months. Energy infrastructure continues to be a geopolitical targeting priority. Organizations operating OT environments must deploy continuous threat hunting and behavioral monitoring across industrial control systems not as an aspirational goal but as a present-day operational requirement.

✅ This Week’s Priority Action List

Immediate (Do This Now)

• Patch Oracle Identity Manager RCE emergency patch — identity system compromise is total environment compromise

• Patch Citrix NetScaler, Cisco firewall zero-day, ConnectWise ScreenConnect, Windchill CVE-2026-4681 immediately

• Enforce multi-approval workflows for all destructive administrative actions — the Stryker hybrid attack confirms this as a critical control

• Implement real-time identity threat detection and response across all human and non-human identities

• Restrict device code authentication flows for Microsoft services where not operationally required

• Deploy behavioral detection for abnormal administrative patterns — not just signature-based malware detection

Short-Term (This Month)

• Enforce strict dependency allow-listing and runtime scanning for AI/ML packages and developer tools (LiteLLM, Team PCP)

• Implement pipeline integrity checks and third-party tool verification for all CI/CD workflows

• Lock down Zendesk and all third-party SaaS support platforms — enforce strict access controls and monitoring

• Sandbox all inbound documents in HR workflows — North Korean malicious resume campaigns are active

• Eliminate browser-based credential storage; enforce hardware-backed authentication (Void Stealer is active)

• Inventory and patch all QNAP NAS devices, TP-Link routers, SQL servers exposed to the internet

• Monitor dark web and threat actor channels for claims related to your organization or key partners

• Deploy runtime scanning across all container and developer environments (Docker Hub, VS Code, PyPI)

Strategic (This Quarter)

• Transition to phishing-resistant authentication (passkeys / FIDO2) — Tycoon 2FA proves MFA alone is insufficient

• Assess and formalize supply chain security controls across AI tooling, developer dependencies, and SaaS platforms

• Conduct continuous threat hunting specifically for Chinese and Iranian APT persistence indicators

• Harden DeFi and financial smart contract environments with independent audits before deployment

• Establish approved hardware procurement policies and assess FCC-flagged foreign networking equipment

• Review CISA KEV catalog compliance and ensure federal patch guidance is matched or exceeded in enterprise environments

• Design segregated backup and recovery environments with business-SLA-calibrated recovery objectives

🎙️ James Azar’s CISO’s Take

When I look at this week in its entirety, what stands out most is the industrialization of access. Nation-state actors are quietly embedding in military systems for months. Cybercriminals are simultaneously attacking PyPI, Docker Hub, and VS Code. Initial access timelines have compressed to minutes. Phishing kits are bypassing MFA. And a security platform HackerOne exposed vulnerability blueprints through a misconfigured API. The common thread across all of it is the same: attackers are exploiting trust, misconfiguration, and the speed gap between adoption and security validation. They’re not forcing their way through the door — they’re walking through the ones we left open.

The second takeaway is that the security model has to evolve to match this reality. Prevention is necessary but no longer sufficient. Detection and response are now the decisive capabilities, and they must operate in real time. Identity is the front line. Supply chain is the battlefield. Speed is the deciding factor. If your detection time is measured in hours, you’re already behind. The organizations that will remain resilient in this environment are the ones that combine relentless execution on fundamentals with continuous monitoring, adaptive defenses, and the strategic awareness to anticipate where the next trusted door will be opened.

📋 Week in Summary

This week confirmed that the cybersecurity threat landscape has entered a new phase — not of sophistication for its own sake, but of industrialized trust exploitation at speed. Stryker’s attack was confirmed as a hybrid operation. Iranian infrastructure returned online days after FBI seizure. Supply chain attacks scaled across every developer platform simultaneously. AI tooling is being poisoned before organizations finish deploying it. And the time between an attacker identifying a target and achieving access has collapsed to hours or minutes in many documented cases.

The geopolitical dimension remained active on every front. China continued its patient military espionage in Southeast Asia. Iran’s Handela group proved its resilience. North Korea expanded social engineering operations into new languages and new targets. And CISA — the backbone of U.S. public-private cyber defense coordination — is facing resource constraints that reduce its proactive capacity at exactly the wrong moment in history.

The response, as always, comes back to fundamentals executed with urgency and discipline: identity control, supply chain validation, behavioral detection, segmentation, and patch velocity. These aren’t aspirational controls. They are the difference between organizations that absorb these attacks and those that become the next case study. Know which one you want to be.

Stay informed. Stay prepared. Stay Cyber Safe. 🔐

Leave a comment

© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn

Today’s episode is all about one thing: speed and scale.

Attackers are getting in faster than ever, spreading wider than ever, and doing it by exploiting trust whether that’s identity, software supply chains, or legitimate authentication flows.

Today’s show brings together three major themes: nation-state espionage, AI-driven supply chain compromise, and identity-based attacks accelerating initial access. The good news? Not a ton of consumer data breaches. The bad news? Everything else is getting more dangerous.

Coffee cup cheers — let’s get into it.

Subscribe now

China-Linked Espionage Campaign Targets Military Systems

We start with a significant report of China-linked threat actors breaching military systems across Southeast Asia. This isn’t smash-and-grab this is long-term, quiet espionage.

This aligns perfectly with China’s doctrine: persistent access over loud disruption. They’re not there to break things they’re there to understand them. Response plans, operational readiness, infrastructure dependencies.

This correlates with previous reporting we’ve covered on pre-positioning within critical infrastructure, especially in regions aligned with U.S. defense strategy.

The risk here is massive: long-term undetected access to military intelligence and operational planning systems. From an enterprise lens, the takeaway is clear segment sensitive environments and continuously validate access. If you don’t, someone else already has.

AI Supply Chain Attack Hits LiteLLM

The LiteLLM supply chain compromise, and this one is a wake-up call. AI tooling is being adopted faster than security teams can vet it. Attackers know this and are injecting malicious code directly into trusted packages. AI is now the new open-source attack surface.

Developers are pulling these packages straight into production pipelines, unknowingly introducing persistence mechanisms for attackers. The risk is data exfiltration, model manipulation, and downstream compromise across environments.

Mitigation? Strict dependency allow-listing for AI/ML libraries — if you’re not controlling what goes into your pipeline, you’re not controlling your environment.

Team PCP Expands Multi-Platform Supply Chain Operation

Team PCP is back and bigger. What started with isolated targeting has now expanded into a full-scale multi-platform supply chain attack, hitting PyPI, Docker Hub, and VS Code extensions.

This is no longer opportunistic. This is industrialized. The goal is clear: compromise developers at every layer: code, container, and tooling.

This represents a shift toward AI-assisted, large-scale supply chain compromise, where attackers automate distribution across ecosystems.

The risk is mass downstream enterprise compromise originating from developer environments. Mitigation requires runtime scanning across containers and development environments because prevention alone isn’t keeping up anymore.

Attackers Slash Time to Initial Access

New reporting shows attackers are now gaining access within hours sometimes minutes of targeting an organization.

This is being driven by:

• AI-assisted phishing

• Automation

• Initial access broker marketplaces

We’ve talked about this before — the move to malware-free, identity-first attacks. Attackers don’t need persistence if they can move fast enough.

The risk is compressed detection windows and rapid breach execution. Mitigation is non-negotiable: real-time identity threat detection and response across all identities, human and non-human. If your detection time is still measured in hours, you’re already behind.

Malware Distribution via Open Directories

Researchers uncovered attackers using open directories to host and distribute malware payloads. This is low-tech, but highly effective.

Why? Because it exploits misconfigured environments and overlooked infrastructure. Attackers rotate payloads quickly and evade detection by using publicly accessible hosting.

The risk is malware delivery through trusted or ignored infrastructure paths. Mitigation: identify and eliminate misconfigurations, and block known open-directory patterns at the network level.

Node.js Vulnerabilities Highlight Dependency Risk

Node.js released updates addressing vulnerabilities that could lead to denial of service or unstable application behavior. While not all are critical, Node is deeply embedded in enterprise environments. This reinforces a growing issue dependency risk in modern application stacks.

The risk is application disruption or exploitation through vulnerable backend services. Mitigation: automated patching pipelines for runtime environments. Security has moved to runtime, if you’re not there yet, you’re playing yesterday’s game.

TP-Link Router Flaw Enables Authentication Bypass

A critical vulnerability in TP-Link routers allows attackers to bypass authentication and gain administrative access. Routers remain one of the most ignored yet critical attack surfaces, especially in remote and hybrid work environments.

The risk is full control of network infrastructure devices. Mitigation: isolate management interfaces from public exposure and enforce zero trust principles.

Yes — even for your routers.

Microsoft Device Code Phishing Hits 340 Organizations

A large-scale phishing campaign is exploiting Microsoft device code authentication flows, impacting over 340 organizations. This is clever attackers aren’t breaking authentication, they’re abusing it. Users are tricked into entering legitimate codes, granting attackers access.

The risk is account takeover through legitimate authentication abuse. Mitigation: restrict device code authentication where not operationally required. This is the future of phishing exploiting trust, not bypassing controls.

CISA Resource Constraints Raise National Risk

CISA is reportedly being pushed into a reactive posture due to funding constraints and operational limitations. This reduces its ability to proactively defend against emerging threats. CISA has been a central hub for public-private cyber defense coordination, and any degradation increases systemic risk.

The risk is delayed national response to cyber threats impacting critical infrastructure and enterprise environments. This isn’t theoretical — this is real exposure at scale.

LeakBase Admin Arrested in Global Takedown

Authorities arrested the alleged administrator of LeakBase, a platform used to sell stolen data. The arrest took place in Russia, marking a rare instance of enforcement action within that jurisdiction.

While arrests create temporary disruption and some deterrence, they rarely dismantle the broader cybercrime ecosystem. The risk remains: ongoing industrialized trade of stolen data. Still deterrence matters, and visibility into these operations helps disrupt momentum.

Key Action Items for Security Teams

• Segment and continuously validate access to sensitive environments

• Enforce strict dependency controls for AI and software supply chains

• Deploy runtime monitoring across developer and container environments

• Implement real-time identity detection and response

• Continuously scan for and remediate misconfigurations

• Automate patching for runtime and backend systems

• Isolate network infrastructure management interfaces

• Restrict unnecessary authentication flows (especially device code auth)

• Reduce reliance on perimeter-based detection — focus on identity and behavior

• Monitor supply chain exposure across all development pipelines

Leave a comment

James Azar’s CISOs Take

What stands out to me today is how attackers are industrializing access. Whether it’s nation-state actors quietly embedding themselves in military systems or cybercriminals scaling supply chain attacks across developer ecosystems, the game has fundamentally changed. This is no longer about breaking in — it’s about being invited in through trust, misconfiguration, and speed.

The second takeaway is that security teams must evolve from prevention to real-time response. The compression of time to initial access means detection and response are now the most critical capabilities. Identity is the front line, supply chain is the battlefield, and speed is the deciding factor. If we don’t adapt to that reality, we’re not defending, we’re reacting.

Stay Cyber Safe