Good Morning Security Gang!
Today’s episode of the CyberHub Podcast is unlike most. It’s Thursday, September 11th, 2025, and instead of jumping straight into cyber news, I started the show reflecting on two tragedies weighing heavily on me - and on many of us. Twenty-four years since 9/11, and just yesterday the shocking assassination of Charlie Kirk.
These moments pull us back to the basics: resilience, unity, and the freedom to debate without fear. So today, I stepped away from the usual stream of vulnerabilities, breaches, and ransomware updates to focus on remembrance, reflection, and the values that underpin both our nation and our cybersecurity work.
🕯 Remembering 9/11 – 24 Years Later
I spoke from the heart about what 9/11 meant to me, where I was when it happened, and how it still shapes my outlook. Watching today’s commemoration in New York, with families holding up photos of loved ones lost, I remembered the courage of first responders who ran into burning towers while others ran out.
“September 12th reminded us that America is an idea that can’t be broken, no matter how hard our enemies try.” James Azar
I reminded listeners that America is more than just a place—it’s an idea of resilience, freedom, and unity. September 12th, 2001, showed us a united America, and that spirit is something we desperately need to rediscover.
💔 The Assassination of Charlie Kirk
Yesterday’s assassination of Charlie Kirk hit me hard. I admired him for his willingness to debate ideas respectfully, for showing up prepared, and for elevating the public square into what the founders envisioned: a place where ideas, not bullets, win.
“The bullet may have silenced Charlie Kirk, but it didn’t silence anyone else who believed in debate, in dialogue, and in the cornerstone of American democracy.” James Azar
His murder is a direct assault on American democracy and the freedom to disagree without fear of violence. I pray for his wife and children, including a daughter the same age as my son, who will now grow up without her father because of political hate.
Hackers left empty-handed after massive NPM supply-chain attack
What happened: An attacker gained access to the NPM maintainer “qix” (Josh Junon) via a phishing attack (password reset lure), and pushed malicious updates into several very popular packages (including chalk and debug-js) that together have billions of weekly downloads.
Scope & impact: Within ~2 hours, about 10% of cloud environments had pulled the malicious versions. The compromised packages are foundational to many JS/Node setups—used in 99% of cloud environments, per visibility from researchers.
What the attacker attempted: The malicious code attempted to steal cryptocurrency by redirecting Ethereum / Solana signing requests, swapping wallet addresses, etc.
Result: Minimal financial gain—only a few dollars in various cryptocurrencies. Companies scrambled to remove compromised packages; cleanups, rebuilding, audits were necessary.
Jaguar Land Rover Admits Data Breach Caused by Recent Cyberattack
What happened: Jaguar Land Rover (JLR) confirmed that a recent cyberattack—which had already disrupted factories and dealership operations—also involved a data breach.
Scope & impact: Factories in the UK, China, India, and Slovakia were shut down; workers were sent home due to system disruptions. The breach details (what kind of data, how many persons affected) have not yet been disclosed.
Who’s behind it: The “Scattered Spider” cybercrime group claimed responsibility.
What’s next: Forensics are ongoing. JLR is informing regulators. They haven’t yet determined or revealed the extent or nature of the compromised data.
US Investors in Spyware Firms Nearly Tripled in 2024: Report
What happened: A report by the Atlantic Council found the number of U.S.-based investors backing spyware firms rose from 11 in 2023 to 31 in 2024.
Scope & impact: This includes vendors, suppliers, partners, brokers, etc., across 46 countries. The U.S. now leads globally in such investment; next are Israel and then Italy.
Notable concerns: Many spyware firms are connected to controversial operations—e.g. Paragon’s product being used in targeting WhatsApp users, Candiru being on the U.S. Commerce Dept’s Entity List. Also, opaque structures involving resellers and brokers are complicating oversight.
Why this matters: There's tension between investment activity and regulatory/sanctions efforts. While the U.S. government is restricting some spyware actors, financial backing is growing, making the ecosystem harder to regulate.
House Moves Ahead with Defense Bill That Includes AI, Cyber Provisions
What happened: The U.S. House passed its version of the National Defense Authorization Act (NDAA) for FY ?? (defense policy bill), valuing ~$848 billion. It includes new provisions around cybersecurity and AI.
Key elements:
NSA must brief on its plan for a Cybersecurity Coordination Center. Unified combatant commands must report to Congress annually on how well U.S. Cyber Command supports them.
Requirement for a “software bill of materials” for AI-enabled tech used by DoD.
Authorization for the Pentagon to establish up to 12 “generative AI lines of effort” to improve cyber and intelligence operations.
Amendments: One allows NSA to share threat intelligence with private sector for better telecom security; another tasks DoD with studying the National Guard’s role in cyber incident response.
What was left out: Efforts to renew or extend the 2015 Cybersecurity Information Sharing Act and the State & Local Cybersecurity Grant Program failed.
Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance
What happened: Security researchers (Oligo Security) disclosed a remote CarPlay vulnerability (part of a broader set of flaws known as AirBorne) affecting Apple’s AirPlay protocol & SDK.
Technical details: Among flaws is CVE-2025-24132, which allows zero-click remote code execution. Attack paths include wireless (WiFi/Bluetooth) and wired connections. The iAP2 protocol used by CarPlay is weak: the head unit authenticates the phone, but not vice versa, which opens impersonation vectors.
Potential consequences: Once compromised, an attacker could distract drivers (display or play arbitrary content), eavesdrop, track location, etc.
Mitigation status: Apple patched the core SDK in April, but many vendors/automakers haven’t integrated the patch into their CarPlay systems. The variation in system architectures and slow update cycles mean many cars remain exposed.
Ukraine’s Ousted Cyber Chief Posts Bail in Corruption Case
What happened: Illia Vitiuk, former head of cybersecurity operations for Ukraine’s SBU, posted bail (~9 million hryvnias / ~$218,000) in a corruption case.
Allegations: He is accused of illicit enrichment. The case centers on his family purchasing a Kyiv apartment in Dec 2023 for ≈ $535,000 but reporting it at roughly half that price. Investigators allege the funds came from a man accused of embezzling from state firms. Documents supporting claimed consulting work by Vitiuk’s wife were allegedly backdated.
Defense & context: Vitiuk rejected the charges as arbitrary, claiming no knowledge of the full details. The SBU says the case is politically motivated. Anti-corruption activists/ journalists have expressed skepticism of the defense.
Next steps: He must meet bail conditions (report changes of residence, surrender foreign passports, etc.), and the legal proceedings continue.
🧠 James Azar’s CISO Take
As a CISO, I normally spend this time dissecting threats, vulnerabilities, and governance failures. But today, my take is more human: resilience applies to more than just systems. It’s about people, communities, and the values we defend every day. Just as we build layered defenses in cyber, we need layered resilience as a nation. The same way we patch systems, we must also patch our divisions, restoring the ability to debate freely without fear.
My other reflection is this: political violence is the ultimate insider threat to democracy. Just as no organization can function if employees are at war with each other, no nation can survive if communities are torn apart by ideology and hate. Whether in cybersecurity or civic life, governance, transparency, and respect are the controls that keep the system alive. On this day of remembrance, I commit to building resilience in both.
✅ Action Items
🕯 Take a moment today to remember the 3,000 lives lost on 9/11 and their families who carry the weight daily.
💔 Pray for Charlie Kirk’s family and for healing in our nation.
🗣 Recommit to respectful dialogue—debate ideas, not people.
🛡 Apply the concept of resilience not only in cyber defenses but in communities and daily life.
📜 Reflect on what unites us more than what divides us—because unity is our strongest firewall.
