CyberWire Daily - Foreign routers get a longer lifeline.

Episode Date: May 11, 2026

The FCC eases restrictions on foreign-made routers. Shiny Hunters hit Canvas and Zara. SailPoint discloses unauthorized access to its GitHub repositories. TrickMo Android banking malware has more tricks up its sleeve. Polish officials warn of increased targeting of ICS and public infrastructure. A federal judge orders $10 million in restitution for stolen zero days. German authorities take down the Crimenetwork marketplace, again. Monday business breakdown. Dan Lorenc, Chainguard CEO and co-founder, is talking about a recent wave of supply chain attacks. Malware gets signed, sealed and delivered.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Dan Lorenc, Chainguard CEO and co-founder, is talking about how the recent wave of supply chain attacks is fundamentally different, and more dangerous, than previous incidents, as well as immediate steps organizations should take as this continues to unfold.

Selected Reading
US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates (Infosecurity Magazine)
ShinyHunters Escalates Canvas Extortion (Infosecurity Magazine)
Zara Data Breach Impacts Nearly 200,000 Customers (Infosecurity Magazine)
SailPoint Discloses GitHub Repository Hack (SecurityWeek)
TrickMo Android banker adopts TON blockchain for covert comms (Bleeping Computer)
Polish ABW warns cyberattacks shifting from espionage and data theft toward physical disruption of critical infrastructure (Industrial Cyber)
Trenchant Exec Who Sold Zero Days to Russian Buyer Ordered to Pay $10 Million in Restitution to Former Employers (Zero Day)
Resurrected 'Crimenetwork' Marketplace Taken Down, Administrator Arrested (SecurityWeek)
XBOW secures an additional $35 million in Series C funding (N2K Pro Business Briefing)
Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware (Hackread)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more.
Starting point is 00:00:39 Doppel. Outpacing what's next in social engineering. Learn more at doppel.com. That's DOPPEL.com. The FCC eases restrictions on foreign-made routers. Shiny Hunters hit Canvas and Zara. SailPoint discloses unauthorized access to its GitHub repositories. TrickMo Android banking malware has more tricks up its sleeve. Polish officials warn of increased targeting of ICS and public infrastructure.
Starting point is 00:01:23 A federal judge orders $10 million in restitution for stolen zero days. German authorities take down the Crimenetwork marketplace again. We've got your Monday business breakdown. Our guest is Dan Lorenc, CEO and co-founder of Chainguard, talking about a recent wave of supply chain attacks. And malware gets signed, sealed, and delivered. It's Monday, May 11, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. Happy Monday.
Starting point is 00:02:23 It's always great to have you with us. The Federal Communications Commission has extended the deadline for foreign-made router manufacturers to provide security updates to U.S. customers by nearly two years. The FCC banned the import and sale of consumer-grade routers from certain foreign manufacturers in March of this year, citing national security concerns. Under the original order, vendors could continue shipping security patches until March 27. A new public notice from the FCC's Office of Engineering and Technology now extends that deadline until at least January 1st of 2019.
Starting point is 00:03:04 The exemption applies only to software and firmware updates that maintain device functionality or patch vulnerabilities. Vendors are still prohibited from adding new features. The same policy also applies to banned foreign-made drone systems and drone components. Unpatched routers remain a common entry point for espionage and persistence operations. Recent campaigns linked to Volt Typhoon and Salt Typhoon demonstrated how poorly managed network infrastructure can provide attackers with long-term, low-visibility access into enterprise environments.
Starting point is 00:03:41 The Canvas learning platform is back online after a cyberattack disrupted access for students and faculty at universities worldwide during final exam season. Instructure, the company behind Canvas, said it took the platform offline after discovering an unauthorized actor had modified pages seen by some users. The company later restored service for most customers. Instructure said the attackers exploited an issue tied to Free-for-Teacher accounts, which have now been temporarily disabled. Threat analysts said the hacking group Shiny Hunters claimed responsibility and alleged nearly 9,000 schools were affected.
Starting point is 00:04:26 According to available reports, the group also claimed access to billions of private messages and records, though Instructure has not confirmed the scope of compromised data. The outage exposed how dependent schools have become on centralized digital learning systems for grades, coursework, and communications. Security researchers said the timing, just before final exams and project deadlines, likely increased pressure on affected institutions and students while amplifying disruption across campuses. Elsewhere, another data breach linked to Shiny Hunters exposed information belonging to more than 197,000 customers of global fashion brand Zara, according to Have I Been Pwned. The breach stemmed from an April 26 incident tied to analytics provider Anodot. Have I Been Pwned said the stolen data included email addresses, product stock-keeping units,
Starting point is 00:05:26 order IDs, and support ticket details. Zara parent company Inditex said payment information, passwords, and names were not affected. Researchers believe stolen Anodot authentication tokens were used to access downstream BigQuery and Snowflake environments tied to multiple companies. The campaign highlights the growing risk posed by third-party service providers and exposed authentication tokens. According to reports, millions of customers across several companies may have been impacted by the broader pay-or-leak operation.
Starting point is 00:06:02 Identity management firm SailPoint disclosed a cybersecurity incident involving unauthorized access to a subset of its GitHub repositories. In an SEC filing, SailPoint said it detected the intrusion on April 20th and quickly contained the activity. The company said the repositories were compromised through a vulnerability in a third-party application,
Starting point is 00:06:27 which has since been addressed. SailPoint said an investigation conducted with an outside cybersecurity firm found no evidence that customer production or staging environments were accessed or disrupted. Customers whose information was stored in the affected repositories were directly notified. Researchers at ThreatFabric
Starting point is 00:06:50 say a new variant of the TrickMo Android banking malware is using The Open Network, or TON, to conceal communications with attacker infrastructure. ThreatFabric says the malware, tracked as TrickMoC, has targeted banking and cryptocurrency wallet users in France, Italy, and Austria since at least January. The malware disguises itself as TikTok or streaming applications and steals credentials through phishing overlays, screen recording, SMS interception, and keylogging. Researchers said the latest version routes command and control traffic
Starting point is 00:07:28 through TON ADNL addresses and an embedded local proxy, making infrastructure more difficult to identify or disrupt. The variant also adds network reconnaissance and tunneling capabilities, including SSH tunneling, SOCKS5 proxy support, and remote port forwarding. The campaign reflects a broader shift toward decentralized infrastructure designed to resist takedowns and blend malicious traffic into legitimate encrypted network activity. Poland's internal security agency, the ABW, says cyberattacks targeting industrial control
Starting point is 00:08:07 systems and public infrastructure intensified sharply through 2024 and 2025, including multiple breaches of municipal water treatment facilities. In its annual report, ABW disclosed that attackers compromised operational systems at water plants in several Polish municipalities, including one August 2025 incident that nearly disrupted a city's water supply before authorities intervened. Officials also linked broader sabotage campaigns targeting military and civilian infrastructure to Russian state-backed actors. Security researchers said many of the attacks exploited internet-exposed systems protected by weak passwords or outdated configurations rather than advanced malware.
Starting point is 00:08:55 Researchers and vendors, including Dragos and Anthropic, also warned that artificial intelligence is lowering the barrier for identifying and targeting operational technology environments. The incidents reflect growing concern that cyber operations are shifting from espionage toward direct interference with physical systems tied to water, transportation, and energy services. Analysts warn that smaller utilities remain especially vulnerable because of limited cybersecurity resources and increased reliance on internet-connected industrial systems. A U.S. federal judge ordered former L3Harris Technologies executive Peter Joseph Williams to pay $10 million in restitution for stealing zero-day exploits from subsidiary L3 Trenchant and selling them to a Russian
Starting point is 00:09:49 broker. The ruling follows Williams' earlier plea agreement requiring an additional $1.3 million payment, bringing total restitution to $11.3 million. Prosecutors had sought $35 million, arguing the stolen tools caused major business losses. Williams pleaded guilty last year to stealing eight hacking tools between 2022 and 2025 and selling them to Russian exploit broker Operation Zero under agreements reportedly worth about $4 million. Prosecutors said the exploits could have enabled access to millions of devices worldwide. Williams was sentenced in February to more than seven years in prison and faces possible deportation to Australia after release. The case underscores growing concerns around insider threats within offensive cyber operations and the commercial
Starting point is 00:10:45 market for zero-day exploits used in intelligence and military activities. German authorities announced the takedown of the revived Crimenetwork cybercrime marketplace and the arrest of a suspected administrator in Spain. Police said the German-language platform reappeared days after the original Crimenetwork was dismantled in December 2024. The new version had more than 22,000 users and over 100 sellers trading stolen data, drugs, and forged documents. Investigators said the marketplace generated more than 3.6 million euros in revenue through cryptocurrency transactions. Authorities seized roughly 194,000 euros in assets and collected extensive user and transaction records for further analysis. The operation highlights
Starting point is 00:11:40 continued law enforcement pressure on major underground marketplaces, despite rapid attempts by operators to rebuild infrastructure. Turning to our Monday business breakdown, cybersecurity investment activity continued to surge this past week, driven largely by demand for AI security, identity protection, and offensive security platforms. Seattle-based XBOW raised an additional $35 million in Series C funding, bringing the total round to $155 million.
Starting point is 00:12:14 Swiss ethical hacking firm Bug Bounty Switzerland secured $15.3 million to expand AI-driven security testing, while AI-focused startups, including General Analysis and Herd Security, also announced new funding rounds. The week also saw a wave of acquisitions centered on AI and identity security. Palo Alto Networks agreed to acquire AI security gateway firm Portkey, while Cisco announced plans to acquire Israeli identity security startup Astrix Security for $400 million. The deals reflect growing industry focus on securing AI
Starting point is 00:12:55 agents, operational technology, and non-human identities as enterprises rapidly expand AI adoption. Vendors are also investing heavily in continuous security validation and AI-assisted defensive tooling. Be sure to check out our weekly business briefing on our website, thecyberwire.com. That is part of CyberWire Pro. Coming up after the break, my conversation with Dan Lorenc, Chainguard CEO and co-founder.
Starting point is 00:13:35 We're talking about a recent wave of supply chain attacks. And malware gets signed, sealed, and delivered. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Starting point is 00:14:31 No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Riter report spending 82% less time on audits. That's not just faster compliance, that's more time to
Starting point is 00:15:15 focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises trusting Vanta. Get started at vanta.com slash cyber. Dan Lorenc is Chainguard CEO and co-founder. We recently got together to discuss a recent wave of supply chain attacks. So I'll give some context on what happened,
Starting point is 00:15:55 where it started and where this is going to go. This started with an attack on a bunch of open source projects called HackerBot Claw or HackerClaw or something like that. But it was an AI-assisted attack to exploit weaknesses
Starting point is 00:16:08 in the way these open-source projects had set up their CI/CD. Open source projects are particularly vulnerable to stuff like this because anyone can send code, and they set up CI/CD to run tests on the code sent by random strangers on the internet. In this case, somebody sent some malicious code that was designed to exploit that testing pipeline and steal a bunch of credentials from those projects.
Starting point is 00:16:30 This is a common pattern not just for open source projects, but for companies, anyone running CI/CD. These systems are typically the least secured, but also highest privilege systems in any company. They deploy into production. They're the thing that brings the code from where it is into production. So they have to have ways to get into production. And this attack stole a bunch of keys that are used to publish artifacts on Docker Hub, on PyPI, on npm, from a bunch of open source projects. It got caught. The projects all tried to rotate credentials and stuff like that.
Starting point is 00:17:03 And we thought we were done. Fast forward a couple of weeks. And the Trivy project from Aqua Security, which is a security scanner, it's free. It's used by tons of open source projects. It's used by tons of companies, too. It was hit a second time. They hadn't properly rotated all of the credentials or gotten the attackers fully out. And this time when it got hit, instead of just stealing keys again, they used the keys they stole the first time and put malware into those binaries.
Starting point is 00:17:32 So the security scanner that everyone was running all of a sudden now had malware in it. That was stealing the keys of every system that security scanner was running inside of. This was live for six, seven hours, something like that before it got completely taken down. But hundreds, thousands of projects had their credentials stolen in that time period. Aqua took it down again, thought they got the attackers out one more time. And then two days later, the attackers just defaced the repos one more time just to show that they weren't fully out. More as a prank than another attack. But now we're in kind of the follow-on phase of that first attack.
Starting point is 00:18:08 LiteLLM, a hugely popular Python library in the AI space, got hit from that attack. They were running a security scanner trying to do best practices and didn't realize what had happened, and their credentials got stolen. Malware got shipped again, stealing credentials from everyone using that project. A couple JavaScript projects, including one of the top 10 ones in the world, Axios, got hit yesterday. We're still in the early phases of this, and the attackers are still in the steal more credentials phase rather than the do something that will eventually get us money phase. This is, it looks like a cybercrime group, but they're out there. Eventually, they're going to hit
Starting point is 00:18:46 companies, there's probably going to be ransomware, something like that is some end state here. But we're still in the early days of this attack, and it's going to keep happening. Help me understand here, Dan, because I think it's fair to say that the defenders in the community don't lack imagination when it comes to being able to imagine the possibility of an attack like this. So what's the disconnect between that and multiple repositories and these projects getting popped like this? The surface area for these systems is just massive. CI/CD systems all at the end of the day kind of look like giant Rube Goldberg machines held together with duct tape and baling wire. That's just been standard in the industry forever.
Starting point is 00:19:28 It's not something anyone really wants to invest in. And they're really hard to secure and really hard to get right. The primitives just aren't that good. GitHub Actions is probably the most widely used one in the world. It's free. It's bundled into GitHub, where over 100 million developers write code every year. The primitives and design decisions they made when they rolled out GitHub Actions are basically the opposite of secure by default, years and years and years ago. There's a lot of steps you have to take and a lot of care
Starting point is 00:19:54 you have to apply to do these things securely. And people make mistakes. And then when you're looking at an open source supply chain where you have tens of thousands of dependencies from tens of thousands of people, all it takes is a few of those to screw up. And now you're affected at the end of the supply chain. So are we in a place where it's time for a reboot? We've been in this place as an industry since software started. The only change now is attackers are finally focusing on it.
Starting point is 00:20:22 And I think it's a testament to the security investments and security improvements we've made everywhere else in software. Supply chain attacks aren't new. The original paper on this was written by Ken Thompson, called Reflections on Trusting Trust, over 30 years ago. He showed that if you backdoor a compiler and that compiler makes the rest of software, there's no foundation of trust in any software built ever again after that, unless you have reviewed every single line of code going back to the very first line of code on the first compiler written 30 years ago. And I think it was so scary that everyone just kind of forgot about that problem and ignored it and blocked it out. But things like two-factor auth and things like HTTPS everywhere
Starting point is 00:21:03 are only really new and it's gotten to ubiquity in the last five years. Attackers didn't need to do these supply chain attacks because they were much easier ways in. We've gotten good enough everywhere else that they go to the next easiest target, which is the software supply chains themselves. So what do you think we need to do here? What's a potential long-term solution? The one I think a lot of people are operating under is just hope the attackers stop, which, you know, hope is never a strategy, especially when it comes to security. But there's no single answer, right? The core thing everyone has to grapple with is you have
Starting point is 00:21:36 to treat your build systems like production systems because they are. You know, it's not something where you can just throw Jenkins or some other build system on a machine, toss it in a closet and forget about it anymore. People have to wake up and make those changes, start operating those systems securely. And that's just on the malware side, right? Open source supply chains have a ton of other problems, too, when it comes to vulnerabilities.
Starting point is 00:21:58 These are just the ones that bad people are putting in on purpose. When you've got tens of thousands of dependencies, another large problem is just the accidental vulnerabilities, things like Log4j, things like Heartbleed, where the more code you have and the more code you're using, the more bugs there are going to be. And some of those bugs have security incidents. People just haven't been paying attention to this space at all,
Starting point is 00:22:20 and they're surprised when they see the counts of known vulnerabilities, the number of malware attacks. We do need a bit of a reset as an industry to think about this part. Up until now, people have been very worried about the vulnerabilities and the security of their own code, but that's only 2%. Open source is 90 to 98% by lines of code in every application today, and focusing on that 2% isn't just going to cut it anymore. Yeah, and I mean, those proportions are such that there's no turning back from that.
Starting point is 00:22:52 We're not going to see an era where people suddenly start home brewing everything from inside the house, I suppose. Yeah, and that wouldn't be better either, right? Like, I don't want to, it always can't come off as fear-mongery about open source, but if you look per line of code, open source is way more secure than anything else. Don't go try to rewrite all this stuff yourself. You're going to have way more vulnerabilities. Linus Torvalds has a law from years ago that said many eyes make all bugs shallow, and that's one of the benefits to open source. But the proportions are just so crazy, even if per line open source is way more secure. You have 50 times as much of it. That's where more of the vulnerabilities are going to be.
Starting point is 00:23:26 So is this a matter of accepting this reality and putting proper mitigations in effect to counter it? Yeah, and there's no single mitigation, and that's kind of why this space is hard. It's securing your build systems. It's managing and updating and bumping and patching your dependencies. It's trying to keep malware out and then having systems in place to remediate when malware does sneak its way in. Because at the end of the day, security is a multiplayer game.
Starting point is 00:23:54 Nothing is perfect. Everyone knows that a persistent, well-funded enough attacker is going to be able to get in anything if they have long enough time. And the other big shift for signal is AI. You know, we've made it nine minutes in without talking about AI, but I guess we have to. Yeah, AI has kind of dropped the burden of time. That was really the only limiting factor for attackers. They would point at one system and spend a year and get in. Now in that year, they can do the same thing for hundreds or thousands of systems.
Starting point is 00:24:20 The bottlenecks for attackers are now gone, but defenders are still left with the same bottlenecks. Dan, I sense a certain exasperation in your voice. And yet, perhaps a little edge of optimism. as well? Yeah, this is how security always works, right? You can't go fund a bunch of work if there's not real risk there, if you don't feel the risk, or if you can't explain it to anyone. And it's hard to do that until attackers start doing something. That's how the software industry is always operated. It's a game of cat and mouse. But yeah, some days I'm like, I've been yelling about this for six years and no one cared. All of a sudden, now we do, let's do something. But it's just reality. But I'm glad everyone's taking it seriously now.
Starting point is 00:25:02 That's Dan Lorenc, CEO and co-founder at Chainguard. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
Starting point is 00:25:50 ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
Starting point is 00:26:11 stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com slash N2K today. Hey, y'all, it's Kelly Clarkson with Wayfair. Ever order furniture online and wonder, what if? Like, what if it doesn't hold up? That sofa was four days old. You should have ordered from Wayfair.
Starting point is 00:26:35 With Wayfair, there's no what if. Just style you love and quality you can trust. Visit Wayfair.ca. Wayfair, every style, every home. And finally, hackers breached DigiCert in April by posing as a customer in a support chat and convincing an employee to repeatedly open a malicious file disguised as a screenshot. Persistence apparently still works. According to DigiCert's incident report,
Starting point is 00:27:07 the malware was initially blocked multiple times by internal security tools before finally infecting a support workstation on the fifth attempt. A second compromised machine with a malfunctioning CrowdStrike sensor then gave attackers access to internal certificate order systems. DigiCert said the intruders obtained initialization codes tied to EV code signing certificates, which they later used to sign malware, including Zhang Stealer. Researchers eventually discovered the abuse after noticing malware carrying legitimate DigiCert signatures. The company revoked 60,000
Starting point is 00:27:45 certificates and canceled pending orders linked to the incident. The breach highlights how social engineering and operational blind spots can undermine even highly trusted security infrastructure. DigiCert also acknowledged that without an outside researcher flagging the issue, the certificate theft operation might have continued unnoticed. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Starting point is 00:28:30 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
