Good Morning Security Gang
Today’s episode is packed with stories that hit every side of the cyber landscape, finance, regulation, infrastructure, and AI. From a $40 million crypto heist caused by an executive’s compromised laptop to new zero-days in React Native and Citrix NetScaler, the trend this week is crystal clear: human trust is the weakest link.
We’ll also dive into Iron Mountain’s minor data breach, a flood of fake cloud renewal scams, a new push for national cyber standards out of D.C., and critical updates from Docker and vLLM on AI-driven vulnerabilities.
Grab your coffee; I’ve got my double espresso, and it’s strong enough to get us through this one. Coffee cup cheers, y’all.
Step Finance Loses $40M After Executive Device Compromised
Step Finance confirmed a $40 million crypto theft after attackers compromised an executive’s endpoint and used it to authorize on-chain transactions. This wasn’t a smart contract bug — it was a device-level takeover. Once the attackers had valid sessions and wallet keys, they moved funds instantly.
As I said on the show:
“They didn’t hack the blockchain — they hacked the person holding the keys.”
Mitigation means moving all high-value transactions to multi-sig hardware wallets requiring approvals from separately managed devices. No single laptop or phone should ever hold treasury access again. Executive endpoints remain the soft underbelly of crypto and fintech operations.
Iron Mountain Data Breach Limited to Marketing Materials
Iron Mountain disclosed a limited data breach that impacted marketing materials — not customer or operational systems. The incident was small, but it still opens the door for brand impersonation and phishing. Attackers can now clone Iron Mountain’s look, tone, and logos to target corporate clients.
“It’s not the data that hurts you — it’s the brand built on it.”
CISOs should enable brand impersonation filters in their email security tools and flag any Iron Mountain-themed messages for the next 90 days. Even a benign marketing breach can snowball into spear-phishing at scale.
White House Cyber Strategy Begins Taking Shape
U.S. National Cyber Director Sean Crankcross unveiled the early outline of the Trump administration’s cybersecurity policy, signaling a shift toward industry collaboration and standardized regulation rather than punitive reporting mandates.
The plan emphasizes public-private disruption campaigns, workforce development, and aligning compliance “to function, not checklists.”
As I told listeners:
“For the first time in a while, Washington might actually be listening to the people defending the networks.”
The key takeaway — companies should expect consolidation of overlapping regulations and more real-time coordination with federal agencies, not just paperwork. It’s a good sign if the promises hold.
Cloud Storage Renewal Scams Target Finance Teams
Threat actors are sending fake cloud renewal and cancellation invoices, spoofing brands like Dropbox, OneDrive, and Google Drive. The goal is to trick users into paying fake fees or surrendering login credentials.
These emails use urgent countdowns (“3 days before cancellation”) to trigger panic payments from finance teams and executive assistants.
Mitigation: require AP and finance departments to pay invoices only within authenticated vendor portals, never from links or phone numbers in emails. Train EAs and finance leads to treat “urgent renewals” as red flags, not action items.
React Native Zero-Day Under Active Exploitation
The React Native framework vulnerability CVE-2025-11953 is now being exploited in the wild. Attackers can execute remote code through malicious component packages, threatening both mobile and desktop apps built on the framework.
This bug carries a CVSS score of 9.8 and is already spreading through tainted dependencies.
Mitigate immediately by upgrading to the patched version, rebuilding all dependent apps, and enabling “break-the-build” gates in CI/CD for this package family. Don’t rely on runtime detection — the risk here is compromised supply chain artifacts.
Citrix NetScaler Faces Massive Proxy Scanning Wave
Researchers detected a massive reconnaissance campaign hitting Citrix NetScaler and ADC edges using residential proxy networks to evade IP-reputation filters. This suggests attackers already have an exploit ready and are mapping exposed systems before launch.
If your NetScaler management plane is accessible from the internet, it’s time to panic — or at least patch. Move management to dedicated, IP-allow-listed interfaces and ensure you’re running the latest patch train.
“If they’re scanning, they’re planning. This is the calm before the exploit storm.”
InfoStealers Expanding Into Token & Session Theft
Traditional password-stealing malware has evolved into session and token theft, letting attackers log in without credentials. They’re now extracting cookies, API keys, and OAuth tokens, maintaining persistent access even after password resets.
CISOs should enforce phishing-resistant MFA (like hardware keys and passkeys) and add device posture checks for all SSO sessions. A stolen token should never satisfy authentication on its own.
Docker AI Plugin Exposes Developer Secrets
Docker shipped a patch for a flaw in its AI assistant plugin, which could leak developer environment secrets and registry tokens while processing AI prompts.
Update to the fixed Docker Desktop extension, and disable the AI plugin organization-wide until verified in a sandbox. Supply-chain tools can no longer be trusted “by default” — they need guardrails.
vLLM Remote Code Execution Vulnerability
Finally, VLLM, an open-source large-language-model backend, patched a remote code execution flaw that allowed malicious model or URL inputs to execute commands on inference servers.
LLM backends often run with broad system privileges and access to internal data — making this a potential catastrophic breach vector for AI-driven companies.
Mitigation: disable remote asset fetching, place VLLM behind an authenticated API gateway, and block all outbound egress from model servers by default.
Action List
💰 Move high-value crypto to multi-sig hardware wallets with dual approvals.
✉️ Enable brand impersonation protection for Iron Mountain-related phishing.
🧠 Engage in policy feedback with federal cyber offices — regulation is shifting.
💳 Require in-portal payments only for all cloud renewals or invoices.
🧩 Patch React Native (CVE-2025-11953) and rebuild all apps using it.
🌐 Isolate Citrix NetScaler management planes from the internet.
🔑 Deploy phishing-resistant MFA and device posture enforcement for SSO.
🧱 Patch and validate Docker AI plugin and VLLM RCE fixes before re-enablement.
James Azar’s CISO’s Take
Today’s episode shows that our threat landscape isn’t defined by tools — it’s defined by trust. Step Finance’s loss wasn’t a smart-contract failure — it was human complacency. The React Native flaw, Docker plugin, and Citrix scans all trace back to one recurring issue: we keep trusting what we haven’t validated.
My takeaway? Security must move closer to the developer and executive level. If you’re a CISO, you can’t just protect infrastructure — you must govern behavior. Teach executives to protect their devices like crown jewels, and force your developers to sign and verify every dependency. The future isn’t about bigger budgets; it’s about smarter trust boundaries.
Stay alert, stay caffeinated, and as always — stay cyber safe.
