CyberWire Daily - The bugs are piling up faster than the fixes.

Episode Date: June 2, 2026

A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location-tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat’s npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw. And Dashlane responds to a brute-force attack. Our guest is Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on digital health platforms. Meta’s AI support bot proves a bit too eager to help.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, Maria Varmazis speaks with Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on privacy, security, and trust in digital health platforms, especially in sensitive areas like women's health. This interview is part of our partnership with Infosecurity Europe.
Selected Reading
Inspector general finds NIST mistakes have made vulnerability database ineffective (The Record)
Google fixes one actively exploited Android zero-day, 124 flaws (Bleeping Computer)
Uncovering Webloc: An Analysis of Penlink’s Ad-based Geolocation Surveillance Tech (The Citizen Lab)
GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure (Security Affairs)
Threat Actor Uses AI to Build EDR Evasion Tools (Infosecurity Magazine)
Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets (Infosecurity Magazine)
Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks (Bleeping Computer)
Critical Hard-Coded Credentials Vulnerability in FreePBX User Control Panel (Beyond Machines)
Dashlane password manager users locked out by brute force attacks (Bleeping Computer)
Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back, now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly internet-enabled. We're talking cybersecurity technologies, policies, and organizations that are securing the critical space-based infrastructure that powers, protects, and connects our lives here on Earth.
Starting point is 00:00:59 So join me for T-Minus Space Cyber Briefing, new episodes every Sunday. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com.
Starting point is 00:01:50 A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location-tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat's npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw.
Starting point is 00:02:31 Dashlane responds to a brute-force attack. Our guest is Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health, sharing her expertise on digital health platforms. And Meta's AI support bot proves a bit too eager to help. It's Tuesday, June 2nd, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Starting point is 00:03:20 Thanks for joining us here today. It is great, as always, to have you with us. NIST's National Vulnerability Database, the NVD, a critical resource used by government and industry to prioritize cybersecurity vulnerabilities, has become increasingly ineffective due to management failures, according to a Department of Commerce Inspector General report. The backlog of unprocessed vulnerabilities more than doubled from 13,000 in February '24
Starting point is 00:03:50 to over 27,000 by the end of 2025, undermining the database's usefulness and public confidence. The report attributes the crisis largely to poor planning after NIST stopped funding contractors who process vulnerability data. Although NIST promised to resolve the backlog by September '24, it lacked a realistic strategy to meet its processing targets. The watchdog also found significant duplication of effort between NIST and CISA, including more than 21,000 overlapping vulnerability reviews and roughly $200,000 in wasted spending. Additional concerns included weak communication with stakeholders and inefficient severity scoring practices that often duplicated work already performed elsewhere.
Starting point is 00:04:42 The Inspector General recommended stronger coordination with CISA, reduced emphasis on vulnerability scoring, improved stakeholder engagement, and a sustainable plan to eliminate the backlog. NIST agreed with the recommendations and said it would begin implementing improvements immediately. Google's June '26 Android security updates patch 124 vulnerabilities, including a high-severity zero-day that has been exploited in limited, targeted attacks. The flaw affects Android 14 and later, allowing local attackers to execute code and escalate privileges. Google also fixed 18 critical vulnerabilities across Android's system
Starting point is 00:05:27 components, including flaws that could enable privilege escalation without user interaction. While Pixel devices will receive updates immediately, other Android vendors may take longer to deploy patches. Google urged users to install the latest Android updates as soon as they become available. A new report from Citizen Lab examines Webloc, a geolocation surveillance platform developed by Cobwebs Technologies and now sold by Penlink. The system uses location and advertising data collected from consumer mobile apps to track hundreds of millions of devices worldwide. According to the report, Webloc provides access to continuously updated records that can reveal sensitive details about individuals, including home and work locations, social relationships, religious affiliations, political views, and health-related activities.
Starting point is 00:06:26 Researchers found evidence that the technology is used by law enforcement, intelligence, and military organizations in multiple countries, including the United States, Hungary, and El Salvador. The report also highlights concerns about limited transparency, oversight, and the potential for warrantless surveillance. Citizen Lab argues that the growing use of advertising-derived data for government surveillance illustrates how commercial data collection ecosystems can be repurposed for large-scale monitoring, raising significant privacy and civil liberties concerns. Researchers at GoDaddy uncovered a malware campaign affecting roughly 2,000 WordPress sites that uses an unusual command-and-control technique: hiding instructions inside Steam Community profile comments. The comments appear as harmless ASCII art, but invisible Unicode characters encode malicious payloads that infected sites decode to retrieve commands and download additional malware.
Starting point is 00:07:33 The campaign ultimately loads a disguised JavaScript file from a malicious domain and installs a persistent PHP backdoor. That backdoor allows attackers to remotely update malicious code across WordPress themes and plugins, making infections difficult to fully remove. The malware also uses multiple layers of obfuscation, including encryption, encoded strings, and legitimate WordPress functions, to evade detection. Researchers believe the initial compromise likely stems from stolen credentials, vulnerable plugins, or other common WordPress attack vectors. The campaign demonstrates how threat actors are increasingly abusing trusted platforms
Starting point is 00:08:16 and unconventional techniques to conceal command-and-control infrastructure and maintain long-term access to compromised websites. Sophos researchers discovered a threat actor using AI coding tools to develop and refine malware designed to evade endpoint detection and response products from multiple vendors. The activity appeared in a testing lab containing AI-assisted Python scripts, many written in Russian, and tools for building stealthy malware loaders. Sophos emphasized that AI was not acting autonomously or embedded in the malware. Instead, human operators used AI to accelerate coding, testing, and research.
Starting point is 00:09:01 Although the project was presented as a red team exercise, Sophos assessed it was likely intended for real-world post-exploitation activity and linked to ransomware and data theft operations. Attackers briefly hijacked Red Hat's official npm namespace to distribute backdoored versions of 32 trusted software packages used across the company's Hybrid Cloud Console ecosystem. According to researchers at ReversingLabs and Aikido Security, the malicious packages contained hidden preinstall scripts that executed automatically during installation, stealing cloud credentials,
Starting point is 00:09:44 CI/CD tokens, npm credentials, and other sensitive data. The malware, identified as a variant of the Mini Shai-Hulud worm, also attempted to spread by using stolen publishing credentials to compromise additional packages. Investigators believe the attackers breached a GitHub Actions build pipeline and abused trusted publishing mechanisms based on OIDC tokens. Red Hat has since removed the malicious releases and published clean versions, but organizations that installed affected packages are advised to rotate credentials and review their development pipelines for signs of compromise.
Starting point is 00:10:27 Researchers at Silent Push have identified a large-scale malware distribution operation, operated by a threat actor known as DriveSurge, which uses compromised websites to redirect visitors to malicious infrastructure. The campaign relies on two common social engineering techniques: ClickFix, which tricks users into running malicious commands, and FakeUpdates, which impersonates browser update prompts to deliver malware. DriveSurge appears to operate as an initial access broker, using a pay-per-install model to provide footholds for other cybercriminals. Visitors are funneled through a traffic distribution system called ZTDS, which determines the
Starting point is 00:11:10 most effective lure for each target. Researchers linked thousands of compromised sites and more than 80 malicious domains to the campaign. The operation targets both Windows and macOS users, highlighting the growing scale and sophistication of malware delivery through trusted websites. FreePBX has disclosed a critical vulnerability that could allow unauthenticated attackers to access the User Control Panel through hard-coded credentials in the UserMan module. The flaw affects multiple versions when the optional generic template setup is used. Successful exploitation could expose sensitive
Starting point is 00:11:52 communications data and enable unauthorized changes to user settings. Administrators should update, restrict management interfaces to trusted networks or VPN access, and enable multifactor authentication or SAML to strengthen account security. Dashlane says a recent wave of account suspensions was triggered by automated defenses responding to brute-force login attacks. Affected users received alerts about login attempts and device registration requests from unfamiliar locations, leading some to suspect a phishing campaign. Dashlane confirmed the activity was caused by external attackers attempting to guess passwords
Starting point is 00:12:38 and said the platform automatically locked targeted accounts to prevent unauthorized access. The company reported no evidence that its systems were compromised and has since restored affected accounts. While Dashlane marked the incident as resolved, some users have continued to report login issues and difficulties reaching support. Coming up after the break, Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health, shares her expertise on digital health platforms. And Meta's AI support bot proves a bit too eager to help. Stay with us. What's the one thing in business that's spreading as fast as AI?
Starting point is 00:13:43 AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration, each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by more than 16,000 fast-moving companies like Ramp, Cursor, and Harvey to help ensure they're always audit-ready. And now, Vanta is helping companies watch for the risks that show up between audits, across vendors, AI tools, and their entire environment. The Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes, and cutting vendor assessment time
Starting point is 00:14:33 by up to 50 percent. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. Maria Varmazis speaks with Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health. This interview is part of our media partnership with Infosecurity Europe. Well, you are working in a really fascinating world, and I can't think of an industry where PII privacy matters much more than, especially right now, in femtech. I would love to hear your, maybe your personal philosophy on building privacy into an app that's
Starting point is 00:15:41 tied into something so personal as feminine health. What are your thoughts on that? So privacy and security are our product. It's very simple. We understand that women's health information is amongst the most sensitive personal information that you can give or process. And so, yeah, if our users don't trust our platform, they won't use it. We take trust and building trust very, very seriously. Of course we would.
Starting point is 00:16:24 Our product only works if you build privacy and security into absolutely everything you do. And that's what we do at Flo. Privacy and security are at the heart of what we do, right from a product idea to a pull request that ships code. Every step along the way, yeah, privacy and security are built in. For organizations that are dealing with incredibly sensitive information, women's health information is certainly one of them, certainly many other industries are dealing with, you know, sensitive data as well. I'm just, I'm curious about what it's like to be building in privacy as not just a practice, but almost a philosophy at an organizational level, to bake that in,
Starting point is 00:17:15 everything you do. What does that look like? How does that work? Here's how I see it. At Flo, absolutely everybody from the C-suite down understands just how intrinsically important privacy and security are. And at every level, you feel like you're pushing on an open door at Flo. I don't know that there are many organisations where, in this type of role, people can genuinely say that. I remember my first week at Flo, and I was trying to make sense of all of the information coming at me, but specifically the governance structures here at Flo. And I was looking through various minutes and diary entries,
Starting point is 00:18:10 and I had the Chief People Officer just come and approach me. She saw me sort of looking at the privacy and security steering group slides. And she just got really excited. She said, hey, you know, we have the steering group next week. And she was totally invested in the whole process of governing security. And it just wasn't something that I was expecting, sort of unsolicited. And it really impressed me. It impressed me that she, first of all, knew when it was, but she was so heavily involved. And I think that's the thing. It doesn't matter where you
Starting point is 00:18:51 turn at Flo. People are fully connected with the privacy and security mission. And it is very much that end-to-end journey here. Yeah. Yeah. I feel like this is a good segue for us to mention that a few years ago, I'm going to summarize this poorly, feel free to correct me, there was a lawsuit involving Flo at some point and a use of SDKs that has been since, I believe, settled. And I'm sure, and I was looking at Flo's website, there's a lot about sort of lessons learned from that experience and also user privacy. Could you walk me through those lessons learned and sort of what happened and what happened next? So I'm really glad you asked the question, because there is so much misinformation out there,
Starting point is 00:19:40 and I think it's really important to say that, look, Flo defended itself successfully. And really, what that's done is that set us up as the leader in privacy and security in the femtech space. Privacy and security are our product. We go way above and beyond. We've chosen, for example, it's a choice that we've made ourselves, to be dual ISO certified to ISO 27001 and 27701. We have an integrated privacy and security management system.
Starting point is 00:20:21 We really recognize that our users deserve choice. We believe that all the time our users should be kept in control of their data and kept well informed. And that's why we developed anonymous mode. I'm sure you'll remember in the States on the back of Roe v. Wade in 2018 when women lost the constitutional right to abortion, Flo developed anonymous mode, which is, let me say, absolutely unique and very, very special. I'm going to say that in the industry generally, it's really encouraging to see players leaning in towards collecting less personal information. We've gone a step further with anonymous mode,
Starting point is 00:21:13 not only do users not need to share their name, their email, but we give users the choice to strip off all of their personal identifiers. So not even technical identifiers, not even IP address. Through a series of transmission processes, the user interacts with our app in a completely anonymous way. And what that means is that when the user's using our app, we don't even know who the real user is. And of course, that in turn means that nobody else can know
Starting point is 00:21:50 who that real user is either. And that's something really special and unique. And we don't want to be the gatekeepers, Maria, of this technology. We've open-sourced it. We've open-sourced it for the whole of the industry to use because we firmly believe that women should be able to trust Femtech platforms. The importance of that is it affects people's life outcomes. I can give you an example from even my own personal life, somebody very close to me,
Starting point is 00:22:24 started tracking periods with our app and symptoms from a very early age in their teens and very soon realized that the pain she was experiencing, the symptoms that she was experiencing were not normal. And if she hadn't have been tracking that, in such an honest and digital way, she wouldn't have been able to take that information to a clinician and get a diagnosis of a condition that could otherwise have potentially prevented her from having children.
Starting point is 00:23:01 in later life. So this is the sort of impact that having trust in a digital platform has on people's lives. It's super important that people can trust our platform. And we're doing everything in our ability to make sure that we not only create the right conditions for our users to be able to do that freely, but we want to set the bar for the rest of the industry too. Yeah, thank you for that wonderful response. It was making me think exactly about what you just concluded with, which was, it's shocking to me as a woman who has spent a lot of time looking through a lot of femtech options, how this level of privacy isn't standard.
Starting point is 00:23:46 And it always, when I have these conversations with friends of mine, with family of mine, a lot of people just go, you know what, it is really not worth the risk. I'm just going to go back to pen and paper, which is frankly how I grew up doing it. I know, I know. And it's just, it's a little, it's wild to me that I remember where I was in 2022 when the Dobbs decision came down. I mean, that was a huge moment. It was, and I remember that the feeling of dread. And I understand that it, for many people, and this is not just a U.S. thing, I apologize, I'm getting very America-centric. It's so American-based. But it's for many women around the world, there, I mean, there is, there are tracking, for some reason, tracking.
Starting point is 00:24:29 our health becomes an issue that can be physically dangerous to us, which is just crazy in 2026 that this is still where we're at. And that many solutions in the industry don't seem to take that as seriously as I think real women are. And it's just wild to me. I don't know. I don't really have a point to that aside from it's going, it's crazy to me that, that, you know, you all are a wonderful standout on this front in my biased opinion. But many other solutions really are much further behind. And it just is, I don't understand why it's not taken as seriously as it really should be. Because I don't know if it's really an app versus an app thing versus an app versus pen and paper.
Starting point is 00:25:13 For many people, honestly. My view on this, Maria, is that just like the airline industry doesn't compete on safety, we shouldn't be competing on privacy and security either. This, you know, women deserve better, and great security, great privacy should just be table stakes. And I, unfortunately, I think, I think you're right. You know, there are, sadly, not all companies walk the walk. Quite, some are quite good at talking the talk. And we really just want to bring others along. Yeah, you know, this is, this is not for any single player to differentiate on. It's for the industry to really appreciate the importance of that to our users.
Starting point is 00:26:05 And not just that, but to really be able to keep our users in control, to be able to keep users informed. We go to great lengths to make things like our privacy policy consumable, really consumable, so that people understand exactly how their information is being processed, and then, under the hood, all of the effort that goes in every step of the way to making sure that we're following best practice and leading it. That's our own Maria Varmazis speaking with Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure at Flo Health.
Starting point is 00:27:04 And finally, hackers claim they found an unexpectedly cooperative accomplice in Meta's AI support chatbot. According to reports and videos shared in Telegram channels, attackers were able to take over Instagram accounts by persuading the AI support system to change the email address associated with a target profile. The process allegedly involved matching the victim's region with a VPN, initiating a password reset,
Starting point is 00:27:35 and then asking the chatbot to link a new email address. Once the AI complied, the attacker received reset codes and gained control of the account. The alleged exploit coincided with a string of high-profile Instagram takeovers, including accounts linked to the Obama White House, the U.S. Space Force, and Sephora. Researchers and victims say the incident highlights a growing challenge with AI-driven support systems. When something goes wrong, there may be no human available to intervene. In a touch of irony, Meta had recently promoted its AI support tools as a way to improve account security and prevent takeovers. Meta says the issue has now been fixed and that affected
Starting point is 00:28:22 accounts are being secured. Still, the episode serves as a reminder that replacing human judgment with automation can sometimes produce results no one intended, except perhaps the attackers. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
Starting point is 00:29:18 N2K's lead producer is Liz Stokes. by Trey Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
