Good Morning Security Gang!
Welcome to the CyberHub Podcast — it’s Thursday, July 24, 2025, and even though this one’s pre-recorded (and tragically espresso-free), we’re not short on firepower. I’m your host, James Azar, and today we’ve got a massive wave of cyber news to cover: a U.S. nuclear agency hacked, a $380 million cybersecurity lawsuit, China in the crosshairs (again), and a federal warning about voice-based deepfakes. It’s been a week of confirmations, failures, and a lot of “we told you so.” Let’s dig in.
☢️ U.S. Nuclear Agency Confirmed Hacked in SharePoint Attacks
We said it was coming, and now it's confirmed. The National Nuclear Security Administration (NNSA), the Department of Energy component that looks after the U.S. nuclear stockpile, was compromised through the ToolShell zero-day exploit chain against on-premises SharePoint servers. Microsoft has attributed the exploitation to two Chinese state-backed groups it tracks as Linen Typhoon and Violet Typhoon (plus a third China-based actor), and other security firms are pointing the same way. DOE officials describe the impact as "minimal," and classified systems are reported untouched. Let's be real: when the agency overseeing our nuclear arsenal is breached, "minimal" is not comforting, and a patch alone does not evict an attacker who already pulled a server's ASP.NET machine keys. Minimal deserves verification, not reassurance... this time.
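The host says to audit for ToolShell indicators but the page does not spell them out, so here is an added example (not from the podcast or from Microsoft) that scans IIS W3C logs for the two request patterns published in July 2025 reporting on the chain: an unauthenticated POST to ToolPane.aspx in edit mode with a Referer of SignOut.aspx, and any request for the dropped spinstall*.aspx page that leaks the machine keys. The log excerpt is constructed, the field order is an assumption (the #Fields: header drives the column mapping, so a different order still parses), and the regexes are my own.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt (not real traffic). Assumption: the site logs the
# default fields plus cs(Referer); the #Fields: header drives column mapping, so a
# different field order works as long as the header is present.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jsmith 10.0.1.14 Mozilla/5.0 - 200
2025-07-19 03:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:14:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 03:20:17 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.1.9 Mozilla/5.0 /_layouts/15/settings.aspx 200
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


# Published ToolShell indicators (Microsoft / Eye Security, July 2025): an unauthenticated
# POST to ToolPane.aspx in edit mode with a Referer of SignOut.aspx, then requests for the
# dropped spinstall*.aspx page that returns the server's ASP.NET machine keys.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield (line_no, record) for each data line, mapping columns via the #Fields: header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def scan_iis_log(text):
    """Return ToolShell-related findings from IIS W3C log text."""
    findings = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        referer = rec.get("cs(Referer)", "")
        client_ip = rec.get("c-ip", "-")
        # Rule 1: the exploit request. A GET of ToolPane.aspx in edit mode by an
        # authenticated admin is normal; POST plus a SignOut.aspx referer is not.
        if (method.upper() == "POST"
                and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query.lower()
                and referer.lower().endswith("/_layouts/signout.aspx")):
            findings.append(Finding(line_no, "toolpane_signout_referer", client_ip,
                                    f"{method} {stem}?{query} referer={referer}"))
        # Rule 2: any hit on the dropped key-stealing page, whatever the status code.
        if SPINSTALL_RE.search(stem):
            findings.append(Finding(line_no, "spinstall_webshell", client_ip,
                                    f"{method} {stem} status={rec.get('sc-status', '-')}"))
    return findings


def suspicious_clients(findings):
    """Distinct client IPs that triggered any rule (for blocking and for pivoting in other logs)."""
    return {f.client_ip for f in findings}


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.detail}")
```

Run it against the real log directories on each SharePoint front end; a hit on either rule means the machine keys should be treated as stolen, which is why the patch has to be followed by a key rotation and an IIS restart.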
🧽 Clorox Sues Cognizant for $380 Million Over 2023 Cyberattack
Clorox is taking its IT contractor Cognizant to court over the August 2023 cyberattack that forced it to shut down systems and process orders by hand for weeks. The complaint alleges that Cognizant's help desk agents reset passwords and MFA for callers claiming to be Clorox employees without verifying who they were, handing the attackers (the group Clorox identifies as Scattered Spider) their way in; Clorox puts the damage at roughly $380 million. The kicker? It's all recorded. Clorox has the calls. This could set a major precedent for third-party liability in cybersecurity, and it raises the real question: if you outsource credential resets, have you ever checked that the vendor's verification script matches your policy?
"Cognizant didn't just drop the ball according to their lawsuit - they say they handed over the keys to Clorox's corporate network to a notorious cyber criminal group in reckless disregard for Clorox policies and long established cyber security standards." James Azar
📮 Hong Kong Post Breached
Hong Kong Post's EC-Ship platform was breached in a short-lived but impactful attack. The target: customers' stored address books, meaning names, email addresses, phone and fax numbers. It's not financial or medical data, but it still shows that public-service portals remain soft targets for automated scraping. Operations are back online, but the message is clear: even low-value PII becomes targeting data for phishing and vishing.
🧠 Sam Altman Warns Voice Deepfakes Will Break Banking
At a Federal Reserve conference, OpenAI CEO Sam Altman warned that voiceprint authentication is dead. As AI-generated voice clones become indistinguishable from real humans, banks and other financial institutions still relying on voice-based identity verification are about to get burned, badly. Fed Vice Chair for Supervision Michelle Bowman acknowledged the risk. Expect regulatory movement and renewed pressure on MFA design, likely toward liveness detection or combining several biometrics. The practical read for today: a voiceprint is at most one weak signal, never the sole factor for account recovery, payment approval, or anything else a cloned voice could ask for.
🧱 NPM Nukes “Stylus” Library, Breaking Builds Worldwide
In a wild twist, npm flagged and removed the popular Stylus CSS preprocessor package by mistake, breaking builds for thousands of developers worldwide. The registry replaced it with a "security holding package" even though Stylus contained nothing malicious. Stylus maintainer Lei Chen has been publicly scrambling to get access restored. Once again our open-source supply chain shows its fragility: one registry-side error, takedown or takeover, cascades through every pipeline that pulls the package fresh from npmjs.
npm developers can opt to reference the stylus package "dynamically by specifying a branch, tag, or commit hash in the dependencies section of package.json," states Chen, such as:
{
  "dependencies": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}
Using overrides is another option for npm developers:
"You can override the stylus package version used by other dependencies by specifying it in the overrides section (supported in npm v8.3.0 and later)"
{
  "overrides": {
    "stylus": "github:stylus/stylus#version-you-need"
  }
}
Note: Ensure the specified tag, branch, or commit (e.g., 0.54.4) exists in the stylus/stylus repository. Clear the npm cache (npm cache clean --force) if you encounter issues with outdated dependencies."
To summarize, Chen reiterates:
"Stylus does not contain malicious code; this has been confirmed. npmmirror.com (a non-profit mirror sponsored by Alibaba) has resumed access [to the library].
It is unclear whether this is a coincidence, but a component called Stylus Tools has been reported to have a CVE.
Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code.
We are awaiting official action from npmjs. Yes, we are waiting for them to handle it.
A workaround has been provided in the comments. Please apply it as needed."
"Some personal thoughts: if your company has been affected by Stylus, you need to reevaluate the relationship between npmjs and npm mirror and design a more reliable development process," wrote the maintainer.
⚖️ French Police Arrest XSS Forum Admin in Ukraine
After four years of investigation, French authorities — with help from Europol — arrested the alleged admin of the infamous XSS cybercrime forum in Ukraine. The forum had facilitated ransomware deals, secure comms, and generated over $7M in criminal profits. While the arrest is a win, history tells us: forums like these grow new heads faster than you can say Hydra.
📺 Jetflix Pirate Streaming Ring Busted
Kristopher Lee Dallmann, the mastermind behind "Jetflix," a Netflix knock-off that streamed pirated content to tens of thousands of subscribers, has been sentenced to seven years in prison. His operation offered 183,000 TV episodes and 10,500 movies and raked in millions in illegal profits before the FBI shut it down. A stark reminder that pirated content isn't just an ethics issue; it's a felony with serious consequences.
🧑💻 Akamai Uncovers Coyote Banking Trojan Abusing UI Automation
Akamai researchers have documented the Coyote banking trojan abusing Microsoft's UI Automation (UIA) accessibility framework, the first malware seen doing so in the wild. Active since at least February 2024 and aimed mainly at Brazilian users, it reads the foreground window's title, and if that isn't enough walks the browser's UI tree through UIA to pull the address bar, matches what it finds against a list of target banks and crypto exchanges, and then harvests credentials. All of that goes through an API that is legitimate by design, which is why EDR rarely flags it. UIA has shipped with every Windows version since XP, so the vector is everywhere. Because screen readers and other accessibility tools use the same API, blocking it outright is not an option; the practical control is telemetry: baseline which processes on your endpoints load UIAutomationCore.dll and alert on newcomers, especially unsigned ones or ones running from user-writable paths.
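To make the baselining idea concrete, here is an added example (my own, not Akamai's detection logic or anything from the podcast) that classifies Sysmon Event ID 7 image-load records: a UIAutomationCore.dll load by a process outside a seed allowlist is flagged, with unsigned loaders or loaders in user-writable directories rated high and signed-but-unknown ones rated medium for review. The events are constructed, the allowlist is a placeholder you would replace with your own fleet baseline, and the field names follow Sysmon's ImageLoad event.

```python
import re

# Processes expected to host UI Automation clients (assumption: seed this from your own
# baseline; screen readers, magnifiers, RPA and UI-test tooling will all appear on a real fleet).
ALLOWLIST = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\windows\explorer.exe",
}
UIA_DLL = "uiautomationcore.dll"
# A loader running from a user-writable location is the strongest signal of a dropped payload.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|tmp|users\\public|programdata)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 7 (ImageLoad) records as a SIEM might export them; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "User": r"DESKTOP\alice"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "false",
     "Signature": "", "User": r"DESKTOP\alice"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "User": r"DESKTOP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"DESKTOP\alice"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\RemoteSupport\agent.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true",
     "Signature": "Vendor Inc", "User": "NT AUTHORITY\\SYSTEM"},
]


def classify_uia_load(event):
    """Return a finding dict for a UIA DLL load by a non-baselined process, else None."""
    if event.get("EventID") != 7:
        return None  # only image-load events carry ImageLoaded
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith("\\" + UIA_DLL):
        return None
    image = event.get("Image", "")
    image_l = image.lower()
    if image_l in ALLOWLIST:
        return None
    unsigned = str(event.get("Signed", "")).lower() != "true"
    writable = USER_WRITABLE_RE.search(image_l) is not None
    # Unsigned or user-writable loaders look like a dropped trojan; a signed vendor
    # binary outside the baseline is a review item, not an incident.
    severity = "high" if (unsigned or writable) else "medium"
    reasons = [label for label, hit in (("unsigned", unsigned),
                                        ("user-writable path", writable)) if hit]
    return {"severity": severity, "image": image, "user": event.get("User", ""),
            "reasons": reasons or ["not in baseline"]}


def scan_uia_loads(events):
    """Run classify_uia_load over a batch of events and keep the findings."""
    return [f for f in (classify_uia_load(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan_uia_loads(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} ({f['user']}): {', '.join(f['reasons'])}")
```

Expect the medium bucket to be noisy for the first week; the point of that bucket is to grow the allowlist from observed, signed, explainable loaders until only genuine newcomers remain.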
🚰 New York Mandates Cybersecurity for Water Systems
New York is proposing new cyber regulations for its 318 publicly owned water and wastewater systems. With $2.5 million in funding (cue eye roll), the rules require vulnerability assessments, cyber training, incident response plans, and 24-hour breach reporting. While the funding is minimal — especially for large systems facing up to $5M in annual compliance costs — it’s a step toward stronger water infrastructure protection. Let's hope other states follow.
✅ Action List:
🚨 Patch on-premises SharePoint now, then rotate the ASP.NET machine keys and restart IIS (a patched server whose keys were already stolen is still exploitable), and audit IIS logs and the LAYOUTS directory for ToolShell IOCs.
🧑⚖️ Evaluate contracts with MSPs and help desks for cyber liability clauses.
👁️ Monitor contact scraping activity from public portals.
🎙️ Stop using voiceprints as a standalone authentication factor; treat them as a weak signal at most.
📦 If your build uses Stylus, point dependencies or overrides at the stylus/stylus repository pinned to a specific commit rather than a branch or tag, and commit the regenerated lockfile.
🔍 Baseline which processes load UIAutomationCore.dll on Windows endpoints and alert on unsigned or unexpected loaders.
💧 If in New York: start prepping for new water system regulations.
🔒 Review legal exposure and incident response readiness around third-party vendors.
🧠 James Azar’s CISO Take:
The confirmation that the US National Nuclear Security Administration was breached via the SharePoint zero-day exactly as I predicted yesterday underscores the severity of this threat. When agencies responsible for our nuclear weapons stockpile are being compromised by Chinese APTs, we're not just talking about cybersecurity anymore - we're talking about national security at the highest levels. The fact that the Department of Energy is also a victim but hasn't announced it yet tells me they're still assessing the full scope of what the Chinese accessed, which is deeply concerning for our critical infrastructure.
The Clorox lawsuit against Cognizant represents a watershed moment for third-party liability in cybersecurity incidents. Having call recordings of help desk workers literally handing over network access to cybercriminals creates an indefensible legal position that will likely result in a significant settlement. This case, combined with Sam Altman's warnings about voice phishing and the NPM supply chain disruption, highlights how our interconnected digital ecosystem creates cascading vulnerabilities. As we've seen with everything from voice authentication to package dependencies, the human element remains our weakest link, and we need to fundamentally rethink how we approach security culture in an era where outsourcing and automation can create more risk than they mitigate.
That's it for our show this morning, security gang. We'll be back Monday live at 9 AM Eastern. Don't forget to subscribe at CyberHubPodcast.com for tomorrow's exclusive episode with ThreatLocker's Chief Product Officer Rob. Until then, have a great weekend, patch your networks,
Stay cyber safe.
✅ Story Links:
https://therecord.media/clorox-cyberattack-lawsuit-cognizant-it-contractor
https://thecyberexpress.com/hongkong-post-cyberattack/
https://www.securityweek.com/openais-sam-altman-warns-of-ai-voice-fraud-crisis-in-banking/
https://www.securityweek.com/france-says-administrator-of-cybercrime-forum-xss-arrested-in-ukraine/
https://www.securityweek.com/coyote-banking-trojan-first-to-abuse-microsoft-uia/
https://therecord.media/new-york-cyber-regulations-water-grants
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.