CyberWire Daily - A war of missiles and messages.

Episode Date: April 1, 2026

Iran’s cyber campaign continues. North Korea targets the axios NPM package. Cisco suffers a Trivy-related breach. Claude’s code leak unveils broad capabilities. The DOD’s zero-trust efforts are ...slow-going. A proposed class action suit accuses Perplexity of oversharing. Google patches another Chrome zero-day. The FBI warns against using foreign-developed mobile apps. Christy Wyatt, CEO from Absolute Security, discussing why cyber risk is now a business continuity problem. A city circulates cameras to cultivate crime control.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We will be sharing a series of interviews we held at RSAC 2026 over the next few weeks. Christy Wyatt, CEO from Absolute Security, discussing why cyber risk is now a business continuity problem. If you enjoyed this conversation, tune in here to listen to the full interview.

Selected Reading
Iran's hackers are on the offensive against the US and Israel (Ars Technica)
Cisco Source Code and AWS Keys Stolen in Trivy Supply Chain Attack (Beyond Machines)
Claude Code's source reveals extent of system access (The Register)
Pentagon's Zero Trust Push Faces a 2027 Reality Check (GovInfo Security)
Perplexity AI Machine Accused of Sharing Data With Meta, Google (Bloomberg)
Google fixes fourth Chrome zero-day exploited in attacks in 2026 (Bleeping Computer)
FBI warns against using Chinese mobile apps due to privacy risks (Bleeping Computer)
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack (Google Cloud Blog)
Silicon Valley city to give residents doorbells equipped with cameras (The Guardian)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. And now a word from our sponsor, Arcova, formerly Morgan Franklin Cyber. Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building Secure by Design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure because no one should navigate complexity alone.
Starting point is 00:00:44 Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A.com. Iran's cyber campaign continues. North Korea targets the Axios NPM package. Cisco suffers a Trivy-related breach. Claude's code leak unveils broad capabilities. The DOD's zero-trust efforts are slow-going. A proposed class action suit accuses Perplexity of oversharing.
Starting point is 00:01:27 Google patches another Chrome zero-day. The FBI warns against using foreign-developed mobile apps. Our guest is Christy Wyatt, CEO from Absolute Security, discussing why cyber risk is now a business continuity problem. And a city circulates cameras to cultivate crime control. It's Wednesday, April 1st, 2026. No fooling. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. Thousands of Israelis recently received fake emergency texts during missile alerts,
Starting point is 00:02:30 including messages urging them to download a spoof shelter app that could steal personal data. Cybersecurity experts say these incidents reflect a broader online conflict among Iran, Israel, and the United States, where cyber operations support military strategy and psychological warfare. Iran's cyber campaign involves official intelligence units, contractors, and volunteer hacktivists conducting activities ranging from phishing and data theft to disruptive wiper attacks that erase systems. Groups linked to Tehran have targeted companies, politicians, research centers, and defense-related networks, and reportedly disrupted operations at a major U.S. medical technology firm. Meanwhile, Israel and the U.S.
Starting point is 00:03:18 have carried out their own cyber operations, including intelligence gathering and infrastructure disruption. Analysts say Iran often focuses on softer targets and morale effects while quietly probing critical networks for long-term access. Despite visible activity, experts warn more consequential attacks could still emerge if Iran's cyber operators regroup. A North Korea-linked threat actor targeted the widely used Axios NPM package in a supply chain attack that deployed the Wave Shaper V2 remote access trojan. That's according to Google's Threat Intelligence Group and Mandiant. The malware enables system reconnaissance, command execution, and file system enumeration while maintaining persistence through Windows registry changes.
Starting point is 00:04:10 Researchers attribute the campaign to UNC1069, a financially motivated group active since 2018. Because Axios is broadly embedded across software projects, the compromise could expose large volumes of credentials and enable downstream attacks, including SaaS breaches and extortion. Analysts warned the incident reflects a broader surge in open-source supply chain compromises. Defenders are urged to audit dependencies, avoid affected versions, rotate exposed secrets, block known command and control infrastructure, and strengthen long-term supply chain monitoring. Cisco experienced a cyber attack after threat actors used stolen credentials from the recent Trivy vulnerability scanner supply chain compromise
Starting point is 00:05:01 to access its internal development environment. Attackers leveraged a malicious GitHub Action plugin to harvest credentials and data affecting dozens of developer and lab systems. Reportedly compromised assets included multiple AWS access keys, more than 300 GitHub repositories, source code for AI-related and unreleased products, customer repositories tied to banks, business process outsourcing firms, and U.S. government agencies,
Starting point is 00:05:32 as well as CI/CD credentials and build environment data. Cisco has contained the initial intrusion, isolated affected systems, and begun credential rotation and re-imaging. Multiple threat actors were reportedly involved, and additional fallout from related LiteLLM and Checkmarx supply chain attacks is expected. The scope of exposure, affected individuals, and any ransom demands remain undisclosed, and Cisco has not issued a public statement on the Trivy-linked breach. A leak of Anthropic's Claude Code client source code suggests the AI coding agent may have far broader access to user systems and data than previously understood.
Starting point is 00:06:20 Analysis by security researchers indicates the software can collect prompts, file contents, telemetry, and session transcripts, and includes features enabling desktop control, background automation, remote policy updates, and automated memory extraction. Anthropic maintains that in classified government deployments it cannot remotely alter or disable models, citing controls that route traffic through restricted cloud environments and block external communications. Outside those conditions, however, the source indicates the agent may transmit system metadata and synchronize stored memories across users and services. The code also includes instructions to conceal AI authorship in open-source contributions. Researchers say the scope of certain experimental capabilities and long-term data exposure risks remains unclear. The U.S. Department of Defense's
Starting point is 00:07:20 effort to implement a zero-trust cybersecurity architecture by September 2027 is under pressure as the Pentagon simultaneously integrates AI, cloud systems, and connected battlefield technologies. Officials say the shift from perimeter-based defenses to continuous verification is central to modernizing security across a fragmented environment that includes legacy IT, operational technology, and contractor networks. Congress has allocated about $15 billion for cyber modernization, but analysts warned structural challenges, including governance fragmentation and limited access visibility, could slow progress. As of early 2025, only 14% of target-level zero-trust activities had been completed across DOD components. Experts caution the deadline may reflect compliance milestones rather than meaningful risk reduction, especially given persistent gaps in identity systems, data classification, and network enforcement across mission-critical environments. Perplexity AI faces a proposed class-action
Starting point is 00:08:33 lawsuit alleging it secretly shared users' chatbot conversations with Meta Platforms and Google through embedded trackers, potentially violating California privacy laws. The complaint claims data was transmitted even in incognito mode and could be used for advertising or resale to third parties. Filed on behalf of a Utah user who shared sensitive financial information, the suit also accuses Meta and Google of related privacy violations. Perplexity says it has not been served the lawsuit, and Google did not comment. Speaking of Google, they've released emergency updates to patch a Chrome zero-day vulnerability
Starting point is 00:09:15 that's actively exploited in the wild. The flaw stems from a use-after-free issue in Dawn, Chromium's implementation of the WebGPU standard. It could allow crashes, data corruption, or abnormal browser behavior. This marks the fourth Chrome zero-day fixed in 2026 so far. Google issued updated stable desktop versions for Windows, macOS, and Linux, though details about observed attacks remain limited. The FBI warned Americans against using some foreign-developed mobile apps,
Starting point is 00:09:52 particularly those linked to China, citing privacy and national security risks. In a public advisory issued through the Internet Crime Complaint Center, the Bureau said Chinese law could allow government access to user data collected by apps operating digital infrastructure in China. Officials warned that some apps may gather contacts, emails, addresses, and other personal information, sometimes even with limited user permissions, and may store that data on servers in China. The FBI urged users to limit data sharing, update devices, and download apps only from trusted stores.
Starting point is 00:10:33 All of us here at the CyberWire are excited about NASA's Artemis launch scheduled for this evening, but there is no one here more excited than our own Maria Varmazis. Hey friends, friendly neighborhood space nerd Maria Varmazis here, and no fooling, tonight, April 1st at 6:24 p.m. Eastern Time, NASA is planning to launch the Artemis II mission, which will send a crew of four around the moon. This is humanity's return to the moon after more than 50 years away, and we will see the first woman, the first person of color, and the first Canadian going to lunar orbit. Godspeed and go Artemis! Coming up after the break, my conversation with Christy Wyatt from Absolute Security,
Starting point is 00:11:26 we're discussing why cyber risk is now a business continuity problem. And a city circulates cameras to cultivate crime control. Stay with us. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated,
Starting point is 00:12:08 Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together.
Starting point is 00:12:53 The result? Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R.com slash cyberwire. Christy Wyatt is CEO at Absolute Security. At last week's RSAC 2026 conference,
Starting point is 00:14:02 I got together with her for this sponsored Industry Voices conversation about why cyber risk is now a business continuity problem. We've been talking for two years about resilience and let's make sure we're ready for this, especially in the age of AI where things are accelerating. Let's make sure that everybody is activated. But we still continue to get phone calls from customers that say something really bad happened, can you guys help? And we'll say, well, did you turn it on?
Starting point is 00:14:28 Oh, you didn't turn it on? Well, then there's not a lot we can do. And so we really came in asking ourselves, why wouldn't you turn it on? If you have this built in and if we make it as low friction as possible to just pre-contemplate that you might need it someday, then when you eventually make the phone call, there's something we can do, right?
Starting point is 00:14:47 We can search services and licenses over to you and activate and kind of take care of you in the moment. And here we are on the show floor at RSAC 2026, and it is my pleasure to welcome Christy Wyatt, who is CEO at Absolute Security. Christy, welcome. Thanks for joining us. Thanks for adding me. So before we dig into the topics we want to discuss today, can we just check in?
Starting point is 00:15:12 How's your week going so far here at the big show? It's a great week, actually. The energy is back at RSA. It's been a lot of fun this week, so I'm having a great time. So for folks who may not be familiar with Absolute, can you give us sort of a rundown of the spectrum of offerings? Sure. So we are maybe uniquely focused on endpoint resilience. So we have a platform that is embedded in the unflashable part of the firmware of almost every PC on the planet.
Starting point is 00:15:41 It's over 600 million devices. And if you activate it, then you have the ability to track, manage, control that device. We use that to heal the device. So if an application or security control that you care about stops working, we can fix it if the device becomes compromised by ransomware or some other event. We can rebuild it remotely. So it's really about how do we minimize the downtime and how do we get your business back online? Well, let's talk about downtime.
Starting point is 00:16:10 I know you make the point that downtime is really an important place to focus. Can we dig into that together? What does that mean? So it's fascinating. It just came from another conversation where we were talking about driving the board level conversation around cybersecurity. And I think our view is that, you know,
Starting point is 00:16:28 this isn't really a cybersecurity conversation uniquely. The conversation we need to be having is how do we make more resilient businesses? So when we like to talk about cyber events because cyber events could be the thing that negatively impacted you. It could be some other IT event. It could be some other disruption.
Starting point is 00:16:46 But the clock starts ticking in almost every minute that you can't take can't pay your employees, can't invoice customers, your business is going to suffer and you may or may not recover. And so that's why we really focus on downtime as being sort of the commercial proxy for what is the cost of not being resilient within your business.
Starting point is 00:17:06 I think our view is that, especially with AI and everything accelerating around us, it's not an if but a when. You will have a business disruption. I can almost guarantee it. And so resilient businesses really focus on how do you snap back and how do you get back back to business as quickly as possible.
Starting point is 00:17:21 You know, I sometimes make the analogy. I feel like some companies, many companies, feel like, well, they have this idea that they're going to have like an old-timey like Frankenstein's scissors switch on the wall, that when things go down, they can just throw this big switch and everything will come back up and it's business as usual. But that's not, that is rarely the reality. Like never, yeah.
Starting point is 00:17:48 What's the disconnect there? Why are so many people checking that box for themselves, but diluting themselves? I just think it's, I like to call it, you know, we don't watch the movie to the end of the tape. So we spend a lot of time in our organizations talking about what things could go wrong. How would we see the bad thing before it attacked us? How would we stop the attack? So we spend a lot of time and money really focusing on those points. And even when we sit down and rehearse the situation, tabletop exercises, board conversations, whatever,
Starting point is 00:18:20 We sort of stopped the movie at the chapter where we've fixed the bad thing, and now it's just like clean up on aisle 6. And I just don't think we think that through. I don't think we rehearse that as intensely. I don't think we really pre-contemplate. It's also not uniquely within the world of the cybersecurity practitioner. When you see the press release, it's going to say massive cyber event, stopped you from making cars for three months or whatever it was.
Starting point is 00:18:45 But that's not actually what stopped you from making cars for three months, right? The thing that stopped your business for three months was how long did it take you to put all of the pieces sort of back together? So I don't think we focus on that part of it as quickly. I think it's more cross-functional, right? It takes the entire company to sit down and say, what are our playbooks? Who comes online first? How are they communicating with one another? How do we get them back up and online on safe systems that we know we can trust?
Starting point is 00:19:11 How does that propagate through the rest of the business? I think we have to rehearse that and get it at the same amount of intensity that we give on the detection and prevention. in the first place. What are the things that contribute to downtime? What are the things that people really should be focused on? Well, uniquely, we focus very much on how do you get your users back up and online very quickly. So, you know, it shocked me when we first started the conversation around Rehydrate,
Starting point is 00:19:38 which is this capability to rebuild a device remotely. And it was sort of on the heels of maybe the CrowdStrike BSOD event about 18 months ago. And I would ask global CSOs, large, large banks. You know, what is your, what does your process look like? And they'd say, we have it very well rehearsed, you know, this group of people, they go into this location, they work on safe systems. And I'd say, great, now you have 10,000 employees who are working in their living rooms, in their homes, or you have devices sitting in cages, in banks, or wherever it is, you know, how do you get that all rebuilt? And it was just sort of abstract. It was like,
Starting point is 00:20:14 well, the tech people will clean it up. And the more I would press, the more often I found out that The answer was, please unplug it, put it at a FedEx box, and send it back to home, and we'll send you a new one, or we'll refresh it and send it back. Because we're embedded in the firmware and we awake before the operating system, it just sort of got us thinking there has to be a better way, right? We have this unique connection to the device. We can make that minutes, right? We can securely wipe the device and then rebuild you, or remediate or remove the infected file,
Starting point is 00:20:42 or whatever it happens to be. And so it's really about thinking about those unique use cases where the cost is, weeks, right? To package things up and send them back means that user is not working for weeks, but there's a better answer, right? And so if we take a look at putting the pieces back together in a business, yes, we have to go through the hardening of our systems and are we doing all of the right things to make sure that we're scalable and reliable and that we've prevented the bad event, but we have to sort of think about where are the shortcuts we can take to sort of hijack the downtime and get ourselves back up and running. You know, there's sort of the old chestnut
Starting point is 00:21:17 in security that although it's hard to get the money for preventative things, there's always money to clean up the mess. What you're advocating here is that it's a, I suppose it's a fractional investment in prevention and making sure this is on, this is organization wide or to prevent having to pay me later. Right. So the, the Rehydrate Ready campaign that we launched at this show is really sort of speaking to that first scenario.
Starting point is 00:21:46 We've been talking for two years about resilience and let's make sure we're ready for this, especially in the age of AI where things are accelerating, let's make sure that everybody is activated. But we still continue to get phone calls from customers that say something really bad happened, can you guys help? And we'll say, well, did you turn it on? Oh, you didn't turn it on?
Starting point is 00:22:04 Well, then there's not a lot we can do. And so we really came in asking ourselves, why wouldn't you turn it on? If you have this built in and if we make it as low friction as possible to just pre-contemplate that you might, need it someday, then when you, you know, when you eventually make the phone call, there is something we can do, right? We can search services and licenses over to you and activate and
Starting point is 00:22:25 kind of take care of you in the moment. So, so, so, yes, we're trying to, even for those that say, I've invested so much in security and I'm sure I'm never going to be the one that has the bad day. We're saying, wow. So everybody says that. Just on the chance it might be you. Maybe, maybe we do this now. Right, right. Yeah. Huh. So let's talk about AI. We can't not talk about AI here. It's a law against not talking about AI.
Starting point is 00:22:53 It is required. What's your take on that? I mean, how is it affecting the types of things that you all are doing and the preparations? Is there a velocity factor and the speed at which things can go wrong? I would say, first and foremost, I'm a technologist, so I'm a huge optimist, and I am a, I'm a big believer in the potential for our customers, for our products and all of the work that we're doing. I also see it as a massive amplifier, for good and for bad. And so I think one of the biggest risks that we really see in the coming next couple of years is as organizations start to layer in these technologies.
Starting point is 00:23:33 And we put out every year a Resilience Index. We just put ours out this week. We tried to answer the question, is AI making us more resilient? The punchline is no, it's not. Not yet, but I think that whenever you see an era where lots of new technology is going to get introduced into the stack, you're going to see some of it go well and some of it is not going to go well. Folks are going to start layering on these agents, users are going to start bringing in their own tech, things are going to accelerate, and sometimes you may not know whether the thing that just went wrong on that device
Starting point is 00:24:06 was a bad actor that was targeting you or it was just some horrible collision of, new stuff that you just put into that attack. I think that's going to happen more frequently. I think it's going to happen with larger blast radiuses. And I think we're just introducing a lot of new fragility into our environments. It might not be forever. But for now, that's the movie we're going to be seeing. And I think that's why we believe really passionately that you have to kind of have this alternate control strategy,
Starting point is 00:24:33 this kind of way back button that says, timeout. Like, I don't really know whether that was a good guy or a bad guy that just hit me. Let's just get you back up online. and then we'll go figure out sort of what are the right next steps. So I think speed is the thing that works against all of us for the next little bit because it's just happening so quickly. Yeah. And what's your advice for folks who are considering this journey?
Starting point is 00:24:56 They recognize this is a good thing for me to do for my organization. What's that journey going to look like? What should they expect? How heavy a lift is it? I actually think when you start having the conversation, My experience, you know, is that it's actually quite liberating because the challenge is that it is a very cross-functional conversation, right? It is not purely in the security department or in the IT department.
Starting point is 00:25:24 It really is a, if you understand here are the critical business processes that need to function, who are involved in those, and what are the things that you require, and then how do we sort of harden that set of capabilities, and then what are the cyber strategies and the resilient strategies around those things? I actually think it actually takes a lot of anxiety out of the system. I think folks start to see it in practical terms. I understand who I would call. I know what I would do next.
Starting point is 00:25:48 I know where I would go to find the playbook. I know you start to take it out. I think a lot of times when we see the press releases, when somebody else is having a bad day, folks go, oh gosh, I hope that's never me. I don't know what I would do. And I think that bringing folks into the conversation is a good way to sort of get past the anxiety
Starting point is 00:26:08 and start getting into the practical, here's what you would do. It must be gratifying when the things, when people have put the things in place, and so they have the tools to set things right? Well, we never see those press releases, right? That's true. Mary's your case studies get written. I hope someone sends you a thank you card.
Starting point is 00:26:28 We do get thank you cards that say this really bad thing happened. Let me tell you this cool way we used your product. You know, I had a customer that talked about how they They used our product to bring out and surface an insider and another fake employee. So we get those stories quite often. Those are the stories I love. They often won't let us publish them. Sure, sure, sure.
Starting point is 00:26:53 Well, Christy Wyatt is CEO at Absolute Security. Christy, thanks so much for joining us. Thank you for having me. There's a lot more to this conversation than we have time to share here. So please check out the full unedited interview. You can find a link to that in our show notes. Most environments trust far more than they should, and attackers know it.
Starting point is 00:27:29 ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations, and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles
Starting point is 00:27:57 without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero-trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
Starting point is 00:28:15 stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72%
Starting point is 00:28:40 of organizations reported at least one mobile application security incident last year, and 92 percent of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising
Starting point is 00:28:56 performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, the city of Milpitas, a Silicon Valley suburb north of San Jose, has decided that safer neighborhoods may begin with a free doorbell. The City Council approved $60,000 to distribute camera-equipped wireless doorbells, one per household, on a first-come, first-served basis, with the hope that residents will voluntarily share footage with police when needed. Officials say the program is meant to strengthen community ties and deter crime, though participation is optional and police cannot access video without permission. The cameras will not be Amazon Ring devices, partly to avoid subscription costs,
Starting point is 00:30:03 even if that choice may slow investigations. Critics note that doorbell cameras increasingly resemble neighborhood-scale surveillance tools, especially as similar programs spread nationwide, quietly turning front porches into auxiliary observation posts. And that's the CyberWire. Be sure to check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you
Starting point is 00:30:45 a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:31:15 Thanks for listening. We'll see you back here tomorrow.
