CyberWire Daily - Source code in the wild aisle.
Episode Date: January 13, 2026
Stolen Target source code looks real. CISA pulls the plug on Gogs. SAP rushes patches for critical flaws. A suspected Russian spy emerges in Sweden, while Cloudflare threatens to walk away from Italy. Researchers flag a Wi-Fi chipset bug, a long-running Magecart skimming campaign, and a surge in browser-in-the-browser phishing against Facebook users. Mandiant releases a new Salesforce defense tool, and NIST asks how to secure agentic AI before it secures itself. Our guests are Christine Blake and Madison Farabaugh from Inside the Media Minds. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot.
CyberWire Guest
Today we are joined by Christine Blake and Madison Farabaugh from W2 Communications and hosts of Inside the Media Minds podcast on their show joining the N2K CyberWire network. You can listen to the latest episode of Inside the Media Minds today and catch new installments every month on your favorite podcast app.
Selected Reading
Target employees confirm leaked code after ‘accelerated’ Git lockdown (Bleeping Computer)
Fed agencies urged to ditch Gogs as zero-day makes CISA list (The Register)
SAP's January 2026 Security Updates Patch Critical Vulnerabilities (SecurityWeek)
Sweden detains ex-military IT consultant suspected of spying for Russia (The Record)
Cloudflare CEO threatens to pull out of Italy (The Register)
One Simple Trick to Knock Out the Wi-Fi Network (GovInfo Security)
Google's Mandiant releases free Salesforce access control checker (iTnews)
Global Magecart Campaign Targets Six Card Networks (Infosecurity Magazine)
Facebook login thieves now using browser-in-browser trick (Bleeping Computer)
NIST Calls for Public to Help Better Secure AI Agents (GovInfo Security)
Appeal fails for hacker who opened port to coke smugglers (The Register)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
Stolen Target source code looks real. CISA pulls the plug on Gogs. SAP rushes patches for critical flaws. A suspected Russian spy emerges in Sweden while Cloudflare threatens to walk away from Italy. Researchers flag a Wi-Fi chipset bug, a long-running Magecart skimming campaign, and a surge in browser-in-the-browser phishing against Facebook users. Mandiant releases a new Salesforce defense tool, and NIST asks how to secure agentic AI before it secures itself. Our guests are Christine Blake and Madison Farabaugh from the Inside the Media Minds podcast. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot.
It's Tuesday, January 13, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
Multiple current and former employees at Target have confirmed to Bleeping Computer that source code and documentation recently shared by a threat actor appear to be authentic and tied to real internal systems. Employees recognized internal platform names, proprietary project identifiers, and elements of Target's technology stack, including its customized tooling. Shortly after Bleeping Computer contacted the company about the alleged leak, Target implemented an accelerated security change, restricting access to its internal Git server to corporate networks or VPN only. The source of the leak remains unclear. A researcher at Hudson Rock reported a compromised Target employee workstation infected with infostealer malware in 2025, though no direct link to the leaked code has been confirmed. The threat actor claims the full data set is roughly 860 gigabytes, raising concerns about potential exposure.
CISA has ordered federal agencies to immediately stop using or to lock down Gogs after a high-severity vulnerability was added to its Known Exploited Vulnerabilities catalog. Gogs is an open-source self-hosted Git service used to manage source code repositories. The flaw is a path traversal bug that allows authenticated users to overwrite arbitrary files, effectively enabling remote code execution. According to CISA, the vulnerability is actively exploited and poses significant risk across federal systems. The issue was identified by researchers at Wiz, who found hundreds of exposed Gogs servers already compromised. Gogs has not yet released a fix, forcing users to rely on mitigations like disabling registrations or restricting access behind VPNs. CISA warns that unprotected internet-exposed instances remain at high risk.
SAP has released 17 security notes as part of its January 26th Security Patch Day, including fixes for four critical vulnerabilities.
The most severe is a SQL injection flaw in S/4HANA that could allow full system compromise.
Another critical issue enables remote code execution in Wily Introscope via malicious Java Web Start files.
SAP also patched two additional critical code injection bugs that could lead to operating system command execution.
Researchers at Onapsis discovered and reported several of the flaws.
Beyond the critical issues, SAP addressed multiple high, medium, and low severity vulnerabilities across HANA, NetWeaver, Fiori, and other products.
SAP customers are urged to apply patches promptly, as exposed SAP systems are high-value targets for attackers.
Swedish authorities have detained a 33-year-old former IT consultant to the armed forces on suspicion of spying for Russian intelligence. Prosecutors say the alleged activity occurred during 2025, though it may date back to 2022. The suspect previously worked with Sweden's military through an IT services firm and is listed as head of a small cybersecurity company. Officials have released few details, citing national security concerns. The case comes amid heightened scrutiny of suspected Russian espionage across Europe, as Sweden continues its support for Ukraine.
Cloudflare is threatening to scale back or exit operations in Italy after the country's communications regulator, AGCOM, fined the company roughly 14 million euros for failing to comply with Italy's anti-piracy system. The fine equals about 1% of Cloudflare's global revenue and exceeds what it earns in Italy. Piracy Shield allows rights holders to request rapid IP and DNS blocking of suspected pirate services, a process Cloudflare argues lacks judicial oversight and risks widespread collateral censorship. Cloudflare's CEO Matthew Prince called the system incompatible with democratic values and said the company will appeal. He warned Cloudflare could withdraw free services, remove Italian servers, and halt support for the upcoming Winter Olympics if the dispute is not resolved.
Researchers say a flaw in Broadcom wireless chipsets can let attackers repeatedly disable the 5 GHz Wi-Fi band on affected routers, regardless of security settings. Black Duck found that a single malformed wireless frame could knock all 5 GHz clients offline during testing on an ASUS router. The issue stems from a chipset-level vulnerability, not configuration errors, and does not require authentication. Broadcom has issued a patch, but researchers warned protocol-level flaws can bypass even strong encryption and enable follow-on attacks like rogue evil twin networks.
Mandiant has released Aura Inspector, an open-source tool designed to help Salesforce administrators identify misconfigurations that could expose sensitive data. The tool focuses on access control issues in Salesforce Aura, the user interface framework behind Experience Cloud sites. While Aura itself is not inherently insecure, configuration mistakes can allow unauthenticated users to access records or abuse APIs to extract data. Aura Inspector automates common abuse scenarios and provides remediation guidance while operating in read-only mode. Mandiant says the tool is intended to help defenders secure legacy Aura deployments that remain widely used despite newer frameworks.
Security researchers at Silent Push are warning about a large-scale Magecart-style digital skimming campaign that has operated largely undetected since 2022. The campaign uses malicious JavaScript to target checkout pages tied to major payment networks, including Visa competitors, such as American Express, MasterCard, Discover, JCB, Diners Club, and UnionPay, putting most credit card users at risk. The skimmers run client-side in victims' browsers, making them difficult for site owners to detect. Silent Push traced the activity to infrastructure linked to a bulletproof hosting provider and found long-running infections across multiple sites. The attacks replaced legitimate payment forms with convincing fakes, silently stealing card and personal data. Researchers urge stronger content security policies, access controls, and regular monitoring to reduce exposure.
Researchers at Trellix say attackers are increasingly using the browser-in-the-browser phishing technique to steal Facebook account credentials. The method uses fake login pop-ups built with iframes that closely mimic legitimate authentication windows, making scams harder to spot. Recent campaigns impersonate law firms or Meta security alerts and often rely on shortened links and trusted cloud hosting platforms. Trellix warns the approach marks an escalation in phishing sophistication and urges users to navigate directly to official sites, avoid embedded links, and enable multi-factor authentication to reduce account takeover risk.
The National Institute of Standards and Technology is seeking public input on how to secure agentic artificial intelligence systems as their use expands across government and critical infrastructure. In a new request for information, NIST asks industry and researchers to assess security risks tied to AI agents, defined as systems that combine general models with software that enables planning and autonomous action. NIST warns these systems introduce unique threats, including hijacking, data poisoning, prompt injection, and hidden backdoors. Security leaders say those risks are already emerging as agencies deploy AI faster than protective controls mature. Qualys noted that weak governance could allow attackers to manipulate alerts or disable defenses. NIST aims to use the feedback to develop guidelines, evaluation methods, and best practices before agentic AI becomes deeply embedded in high-impact government operations.
Coming up after the break, my conversation with Christine Blake and Madison Farabaugh from the Inside the Media Minds podcast. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot. Stay with us.
Christine Blake and Madison Farabaugh are from W2 Communications and hosts of the Inside the Media Minds podcast.
Their show is joining the N2K CyberWire Network.
Here's our conversation.
Well, ladies, it is my pleasure to welcome you back here on the CyberWire. And we have an exciting announcement to share, which is that Inside the Media Minds podcast is joining the N2K CyberWire Network. Welcome.
Yes, thank you so much, Dave. We're super excited to be talking to you today and also to be joining the network.
Well, before we dig in, can we do a little bit of the background and kind of origin story of the podcast itself? What prompted you both to create it?
Yeah, great question. So we started the podcast in 2018 and really the purpose was to flip the script on the journalism industry. So we work in cybersecurity and technology communications. So we thought it'd be a great idea to talk to the reporters and the people who cover the industry, really figure out what they're interested in, what are some of the current events happening in the industry, what they care about, how they should be pitched, how vendors can cut through the noise, really everything that goes on behind the scenes in the journalism industry.
So Madison, who are some of the folks that you've had the pleasure of speaking with?
Oh, goodness. It's so hard to just pick a few out of the many, but I would say some of the more recent ones that come to mind initially are we had Maria Korolov on our show later in the year last year, talking all about AI, its impact on journalism. Some others for one of my favorites was our election security episode where we had kind of a roundtable from CyberScoop, Politico, InformationWeek. So that had Joao-Pierre Ruth, then I believe it was John Sakellariadis. So definitely wonderful folks. All of them had great insights to share.
Well, as I mentioned, you all are joining our network here soon. How do you plan on kicking off this new home for the show?
Yeah, so our first episode is coming out on January 13th. And we're going to have CIO Dive's Roberto Torres on the show. And he's going to be talking about what he's covering at CIO Dive, how he approaches it. And a lot of that conversation is also focused on AI, as you can imagine. One of the things we wanted to ask him about is pretty much every tech and cyber vendor and really any company is talking about AI. So how can companies cut through that noise, not just for prospects and buyers and end users, but also in terms of the media. So it's a really good conversation we think everyone will enjoy.
Yeah, it's a hot topic to say the least. We joke around here sometimes if people have gone from the enamored phase with AI to the eye-rolling phase of AI. So, as you say, it's so hard to cut through the noise, and yet it's an important topic.
Exactly.
We've had over 100 episodes now, and Dave, we were looking back and you know, you were a guest in 2019. We wanted to bring that up.
I was indeed, yes.
And we were looking at how back then it was, I mean, pre-COVID, pre-AI kind of, pre-everything. So it was a whole different time. So we've really enjoyed watching the episodes and the industry evolve since then.
Madison, you were going to say something?
Oh, yes. I was just going to comment on some of the parts of Roberto Torres' episode that were just really cool to hear about some of those focuses for this year, along with AI implementation and governance. Another big topic for him will be focusing on the whole idea of tech talent and how organizations are overcoming different skills shortages this year. So I think that will be a key theme to pay attention to as well.
You know, one of the things I really enjoy about your show is that it is not just for media professionals. It's not just for PR folks. It's not, although all of those people can gain from listening to it, it really strikes me how everyone in cybersecurity can do better to learn about communications. I mean, it benefits everyone.
Yeah, so much goes into it, too. There's a lot that we learn about the editorial process behind the scenes, what it takes to cover certain topics in the 24-hour news cycle, right, from breaking news to big longer feature stories. So it's really interesting.
Yeah, I would say the other thing, too, is that I've really enjoyed, I mean, I know it's cliche to say, but really enjoying getting to know the humans behind the publications and all of these stories that they write. Because, you know, we do get advice from these journalists and reporters about how to best interact with them. So I think it also helps to raise awareness for them and how best to work with them because they get thousands of pitches a day. So I think that mutually beneficial relationship, not just between PR professionals and their clients, but as well as with us and the media and how we all interact with you all.
Yeah. No, it's true. I too get dozens, if not hundreds of pitches a day. And there's such a big difference between the ones that grab my eye and my attention and the ones that just get skipped over. And that's important. And those trusted relationships, you know, they're PR. I always say a good PR person is worth their weight in gold. I just wish there were more of them.
I love that.
But it's true. I mean, the trusted relationships are really so important. There are folks in the PR business that they know what we need. And so if they come to me or my team, I know they're not going to waste our time with something that doesn't fit our program. And so, you know, being able to, doing that homework is so important to everyone all around.
Exactly. And we hope this podcast can help everyone do that homework and understand these reporters better, too.
All right. Well, it is the Inside the Media Minds podcast. It is joining the N2K CyberWire Network. Christine Blake and Madison Farabaugh, thank you so much for joining us. And good luck with the show.
Thank you so much, Dave. It's been a pleasure chatting with you.
Thank you, Dave.
Be sure to check out Inside the Media Minds wherever you get your favorite podcasts.
And finally, a Dutch appeals court has decided that hacking a seaport with malware-laced USB sticks, all in the name of cocaine logistics, still counts as very much illegal, even if you complain about police reading your chats. The Amsterdam Court of Appeal upheld a seven-year sentence for a man who turned port IT systems into a convenience tool for smugglers, rejecting arguments that encrypted Sky ECC messages should have stayed private. According to the court, the defendant played a hands-on role, persuading a terminal employee to plug in an infected USB stick, which opened months of remote access. His chats read like a running commentary on the break-in, grumbling about intrusion detection and promising to wipe logs once he got his admin rights. Judges were unimpressed by claims this was somehow authorized or unfairly prosecuted. The hack, they found, helped coordinate a 210-kilogram cocaine shipment disguised as wine. One massive drug charge was dropped, but the sentence, confiscations, and cleanup costs largely stayed put.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
