Former NSA chief says the U.S. can beat China in cyberspace. Canvas cuts a deal with hackers. The FCC proposes KYC rules for phone users. SAP patches critical flaws. A poisoned TanStack npm supply chain attack spreads malware. Humanitarian aid lures deliver spyware. Japan launches an AI-driven cyber review. Texas sues Netflix over data practices. And Harvard experts debate the future of agentic AI security. On our Threat Vector segment David Moulton welcomes, Assaf Keren, CSO at Qualtrics and author of Lessons from the Frontlines. Our guest is Tim Starks from CyberScoop discussing changes to the CyberCorps Scholarship program. The Gentleman’s guide to awful OPSEC. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector

AI is the most powerful tool defenders have ever had. It's also the most dangerous weapon attackers have ever had. Assaf Keren, CSO at Qualtrics and author of Lessons from the Frontlines, has seen AI reshape both sides of the threat equation. In this conversation, he gets specific about what happens when powerful tools fall into the wrong hands, and what leaders need to do before they get caught off-guard. You can listen to the full conversation here, and catch new episodes of Threat Vector with host David Moulton every Thursday on your favorite podcast app.

CyberWire Guest

Today we are joined by Tim Starks from CyberScoop discussing changes to the CyberCorps Scholarship program. You can read more in Tim’s article “Trump officials are steering a cybersecurity scholarship program toward AI.”

Selected Reading

I Ran the N.S.A. This Is How to Defeat China’s Hacker Army. (The New York Times)

Canvas hack: company pays criminals to delete students' stolen data (BBC News)

FCC Attempts to Solve Robocall Problem by Potentially Creating Even Bigger Privacy Problem (Gizmodo)

SAP Patches Critical S/4HANA, Commerce Vulnerabilities (SecurityWeek)

Cache-poisoning caper turns TanStack npm packages toxic (The Register)

Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware (Hackread)

Japan’s PM orders cybersecurity review to stop Mythos going full CyberZilla (The Register)

Texas sues Netflix over alleged data practices that create ‘surveillance machinery’ without user consent (The Record)

Time for government, business leaders to figure out AI cybersecurity regulation (Harvard Gazette)

Tables Turned: Gentlemen Ransomware Group Suffers Data Leak (BankInfo Security)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The FCC eases restrictions on foreign-made routers. Shiny Hunters hit Canvas and Zara. SailPoint discloses unauthorized access to its GitHub repositories. TrickMo Android banking malware has more tricks up its sleeve. Polish officials warn of increased targeting of ICS and public infrastructure. A federal judge orders $10 million in restitution for stolen zero days. German authorities takedown the Crimenetwork marketplace, again. Monday business breakdown. Dan Lorenc, Chainguard CEO and co-founder, is talking about a recent wave of supply chain attacks. Malware gets signed, sealed and delivered. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Dan Lorenc, Chainguard CEO and co-founder, is talking about how the recent wave of supply chain attacks is fundamentally different – and more dangerous –than previous incidents, as well as immediate steps organizations should take as this continues to unfold.

Selected Reading

US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates (Infosecurity Magazine)

ShinyHunters Escalates Canvas Extortion (Infosecurity Magazine)

Zara Data Breach Impacts Nearly 200,000 Customers (Infosecurity Magazine)

SailPoint Discloses GitHub Repository Hack (SecurityWeek)

TrickMo Android banker adopts TON blockchain for covert comms (Bleeping Computer)

Polish ABW warns cyberattacks shifting from espionage and data theft toward physical disruption of critical infrastructure (Industrial Cyber)

Trenchant Exec Who Sold Zero Days to Russian Buyer Ordered to Pay $10 Million in Restitution to Former Employers (Zero Day)

Resurrected 'Crimenetwork' Marketplace Taken Down, Administrator Arrested (SecurityWeek)

XBOW secures an additional $35 million in Series C funding. (N2K Pro Business Briefing)

Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware (Hackread)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes.

Payal Chakravarty, Head of Product for Security and Risk from Coalition, sits down to share her story of working at several different organizations, including interning for IBM and Microsoft. After obtaining her master's degree, she worked with IBM a bit more closely and fell in love with one of the projects she was working on. Payal had a very interesting career path going from physical to virtual, virtual to cloud now, cloud to containers. She says that there is still some bias she has dealt with as a woman in her field, she says, "I think the way you handle it is you negotiate or you kind of calmly handle the situation, there's no ego involved." Payal shares that in working in this field you need to be in love with it, giving the advice that don't just choose a job because of the money or because it's cool, but because you feel connected to it as a profession. We thank Payal for sharing her story.

Learn more about your ad choices. Visit megaphone.fm/adchoices

In this special edition of CyberWire Daily’s 10th anniversary series, N2K CyberWire's Maria Varmazis and Dave Bittner discuss cybersecurity geopolitics and warfare that have been in the news over the past 10 years.

We begin our conversation around the supply chain malware from the destructive NotPetya campaign out of Russia, then Maria and Dave highlight: Olympic Destroyer disrupting the Pyeongchang Games, CozyBear's SolarWinds espionage campaign, the Colonial Pipeline ransomware disruption, Russia’s full invasion of Ukraine paired with Viasat hack, Iranian hackers attacking ICS devices at water treatment plants in Israel, and China's VoltTyphoon and SaltTyphoon intrusions in critical sectors.

Join us as we reflect on the escalation from election interference and disruption, to espionage and ransomware as national security crises, to integration in kinetic war,and now expansion into space, with AI-driven defenses and NATO codifying cyber as a collective defense domain.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Mark Kelly, Staff Threat Researcher at Proofpoint, is discussing their work on "I’d come running back to EU again: TA416 resumes European government espionage campaigns." China-linked threat group TA416 has resumed large-scale phishing and malware campaigns targeting European governments, diplomatic missions tied to the EU and NATO, and more recently Middle Eastern entities following the outbreak of conflict in Iran.

The group has continually evolved its tactics between mid-2025 and early 2026, using techniques like fake Cloudflare verification pages, Microsoft OAuth redirect abuse, and malicious C# project files to deliver customized PlugX malware through spearphishing campaigns. Researchers say the renewed activity reflects shifting geopolitical priorities tied to EU-China tensions, the Russia-Ukraine war, and instability in the Middle East, while highlighting TA416’s ongoing focus on intelligence gathering against diplomatic networks.

The research and executive brief can be found here:

• I’d come running back to EU again: TA416 resumes European government espionage campaigns

Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA orders rapid patching of actively exploited Ivanti zero-day. Canvas gets hacked during finals week. Dirty Frag is a new Linux zero-day. Researchers document a serious Claude Chrome extension bug. Meta ends Instagram encryption. PCPJack malware clean house before moving in. A new report highlights quantum-era cryptographic threats. Cloudflare announces layoffs amidst AI deployment. Sri Lankan police shut down a scam center. Maria Varmazis joins me to look back at ten years of geopolitics in cyber. Vibe coding reveals valuable data. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we’re previewing a special edition of CyberWire Daily’s 10th anniversary series, where N2K CyberWire’s Maria Varmazis and Dave Bittner revisit a decade of cyber geopolitics and warfare.

Selected Reading

CISA gives feds four days to patch Ivanti flaw exploited as zero-day (Bleeping Computer)

​​Hackers ate my homework: Educational SaaS Canvas down after cyberattack (The Register)

New Linux 'Dirty Frag' zero-day gives root on all major distros (Bleeping Computer)

Flaw in Claude’s Chrome extension allowed ‘any’ other plugin to hijack victims’ AI (CyberScoop)

Meta U-turns on encryption push for Instagram as DMs go plaintext (The Register)

‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials (Security Week)

Quantum Risk Explained (Recorded Future)

Building for the future (Cloudflare)

Sri Lanka makes 37 arrests as it raids another scam centre (Bitdefender)

Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web (WIRED)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA pushes critical infrastructure to prepare for offline operations during cyberattacks. Questions grow over a shared U.S.-China AI threat. A Russian university is accused of feeding talent into GRU cyber units. Researchers warn poisoned data could quietly corrupt enterprise AI. LinkedIn faces a GDPR fight over monetizing user data. Millions downloaded fake Android call-history apps before Google pulled them. Dragos reports AI-assisted targeting of OT systems. A California man is sentenced in a $250 million crypto theft ring. Our guest is Asdrúbal Pichardo, CEO of Squalify, who wonders if banks are ready for worst-case cyber disruptions. A bandwidth bandit brakes bullet trains.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Asdrúbal Pichardo, CEO of Squalify, sharing insights on  “Are banks ready for worst-case cyber disruptions amidst geopolitical tensions?"

Selected Reading

New CISA initiative aims for critical infrastructure to operate offline during cyberattacks (The Record)

The U.S. and China Have a Common Foe. Hint: It’s Not the U.S.S.R. (New York Times)

Revealed: Russia’s top secret spy school teaching hacking and election meddling (The Guardian)

Poisoned truth: The quiet security threat inside enterprise AI (CSO Online)

Noyb cries foul on LinkedIn withholding profile visitor data (The Register)

Fake call logs, real payments: How CallPhantom tricks Android users (We Live Security)

AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT (Dragos)

Polish intelligence warns hackers attacked water treatment control systems (The Record)

Crypto gang member gets 6.5 years for role in $230 million heist (Bleeping Computer)

Student hacked Taiwan high-speed rail to trigger emergency brakes (Bleeping Computer)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA warns CopyFail is under active exploitation. Attackers compromise installers for a widely used disk imaging utility. MuddyWater masks cyberespionage as ransomware. Attackers spread malware through a fake OpenClaw plugin. Researchers ID a new Linux RAT. Vimeo blames a third party provider for a recent breach. Palo Alto’s Captive Portal is under attack. The FTC settles with a data broker over location sharing. A former Conti gang member gets jail time. Our guest is Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. Geotargeting turns creepy.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI.

Selected Reading

Attackers are cashing in on fresh 'CopyFail' Linux flaw (The Register)

Hackers compromise Daemon Tools in global supply-chain attack, researchers say (The Record)

Iranian APT Intrusion Masquerades as Chaos Ransomware Attack (SecurityWeek)

Malicious OpenClaw Skill Targets DeepSeek Agentic AI Workflows (Cyber Press)

Sophisticated Quasar Linux RAT Targets Software Developers (SecurityWeek)

ShinyHunters claims dump puts 119K Vimeo emails in the wild (The Register)

Palo Alto Networks warns of firewall RCE zero-day exploited in attacks (Bleeping Computer)

FTC bans data broker Kochava from selling sensitive location info (The Record)

Conti, Akira Affiliate Sentenced to 102 Months in Prison for Ransomware and Extortion Operations Targeting over 50 Organizations (TechNadu)

A college student is suing a dating app that allegedly used her TikTok videos to target men in her dormitory (CyberScoop)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Brace for an AI-driven patch surge. Google fixes a critical Android flaw. Trellix confirms a source code breach. Apache Software Foundation ships urgent fixes. Data tied to Liberty Mutual leaks. CloudZ evolves to steal OTPs. Ouroboros persistence raises the stakes. A vishing suspect faces U.S. charges. Our guest is Markus Rauschecker, Executive Director for the University of Maryland Center for Cyber, Health and Hazard Strategies (CHHS), on the importance of the non-technical aspects of good cybersecurity preparedness and response. Our Threat Vector segment focuses on incident response. If you think UK age verification is working, I mustache you a question.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Industry Voices

Markus Rauschecker, Executive Director for the University of Maryland Center for Cyber, Health and Hazard Strategies (CHHS), discussing the importance of the non-technical aspects of good cybersecurity preparedness and response. If you enjoyed this conversation check out the full interview here.

Threat Vector Segment

On this segment of Threat Vector by Palo Alto Networks, host David Moulton speaks with guest Steve Elovitz. In this conversation, Steve reflects on what two decades of incident response actually teaches you about the people on the other side of a breach. You can listen to the full conversation here, and catch new episodes of Threat Vector every Thursday on your favorite podcast app.

Selected Reading

NCSC Warns of an AI-Fuelled “Vulnerability Patch Wave” (Infosecurity Magazine)

AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed (Infosecurity Magazine)

Critical Remote Code Execution Vulnerability Patched in Android (SecurityWeek)

Trellix Reveals Unauthorized Access to Source Code (Infosecurity Magazine)

Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server (SecurityWeek)

Everest Group Begins Leaking Alleged Liberty Mutual Data (GovInfo Security)

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs (Bleeping Computer)

dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025 (Huntress)

Western District of North Carolina | Romanian National Appears in Federal Court Following Extradition from Romania on Bank Fraud Charges Stemming From “Vishing” Scheme (United States Department of Justice)

Kids can bypass some age checks with a drawn-on mustache (The Register)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Progress Software urges customers to patch a critical MOVEit authentication bypass. Washington worries about limited access to advanced AI tools. Paid influencers promote pro-American AI. CISA warns Copy Fail is under active exploitation. The Canvas educational platform suffers a data breach. The Lazarus Group uses ClickFix to target high-value enterprise users. U.S. and Chinese authorities raid scam centers in Dubai. Monday Business Brief. On Afternoon Cyber Tea with Ann Johnson: Tony Sager, Senior VP & Chief Evangelist, Center for Internet Security, joins Ann to discuss the accelerating pace of technology, AI, and global software dependencies. May the Fourth be with your firewall. 

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Afternoon Cyber Tea

On this segment of Afternoon Cyber Tea with Ann Johnson: Tony Sager, Senior VP & Chief Evangelist, Center for Internet Security, joins Ann to discuss how the accelerating pace of technology, AI, and global software dependencies are reshaping the cybersecurity landscape. To hear the full conversation, check out the episode and subscribe where you get your favorite podcasts to listen to past episodes. The show is going on hiatus. Stay tuned for the next chapter soon.

Selected Reading

⁠Progress warns of critical MOVEit Automation auth bypass flaw⁠ (Bleeping Computer)

⁠What Was Discussed at Google’s White House Meeting About A.I. ⁠(The New York Times)

⁠US Military Reaches Deals With 7 Tech Companies to Use Their AI on Classified Systems ⁠(SecurityWeek)

⁠A Dark-Money Campaign Is Paying Influencers to Frame Chinese AI as a Threat⁠ (WIRED)

⁠CISA says ‘Copy Fail’ flaw now exploited to root Linux systems⁠ (Bleeping Computer)

⁠Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats⁠ (SecurityWeek)

⁠Lazarus Targets macOS Users With New “Mach-O Man” Malware Kit⁠ (GB Hackers)

⁠US, China partner on scam center takedown in Dubai⁠ (The Record)

⁠Cloudsmith raises $72 million in Series C funding.⁠ (N2K Pro Business Briefing)

Microsoft for Startups (N2K Networks)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes.

Kayla Williams, CISO of Devo, sits down to share her story, from graduating with a finance degree to rising to where she is now. She quickly learned that finance was not for her and changed paths, working towards gaining an information security certificate. From there she was able to excel and was offered the opportunity to move to England which changed her life. Working in her new role, she really enjoys thriving with her team. She says "We really try to be the department of no problem versus the department of no." She mentions how her and her team work on a day to day basis together solving issues and yet she says not everything related to cybersecurity needs to be a fire drill. She would rather her and her team build bridges in the face of adversity and in the face of people who may be naysayers. We thank Kayla for sharing her story.

Learn more about your ad choices. Visit megaphone.fm/adchoices