CyberWire Daily - The four-day race you don’t want to be in.

Episode Date: May 8, 2026

CISA orders rapid patching of actively exploited Ivanti zero-day. Canvas gets hacked during finals week. Dirty Frag is a new Linux zero-day. Researchers document a serious Claude Chrome extension bug. Meta ends Instagram encryption. PCPJack malware cleans house before moving in. A new report highlights quantum-era cryptographic threats. Cloudflare announces layoffs amidst AI deployment. Sri Lankan police shut down a scam center. Maria Varmazis joins me to look back at ten years of geopolitics in cyber. Vibe coding reveals valuable data.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we're previewing a special edition of CyberWire Daily's 10th anniversary series, where N2K CyberWire's Maria Varmazis and Dave Bittner revisit a decade of cyber geopolitics and warfare.

Selected Reading
CISA gives feds four days to patch Ivanti flaw exploited as zero-day (Bleeping Computer)
Hackers ate my homework: Educational SaaS Canvas down after cyberattack (The Register)
New Linux 'Dirty Frag' zero-day gives root on all major distros (Bleeping Computer)
Flaw in Claude's Chrome extension allowed 'any' other plugin to hijack victims' AI (CyberScoop)
Meta U-turns on encryption push for Instagram as DMs go plaintext (The Register)
'PCPJack' Worm Removes TeamPCP Infections, Steals Credentials (Security Week)
Quantum Risk Explained (Recorded Future)
Building for the future (Cloudflare)
Sri Lanka makes 37 arrests as it raids another scam centre (Bitdefender)
Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform.
Starting point is 00:00:31 Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Writer report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises trusting Vanta. Get started at vanta.com slash cyber. CISA orders rapid patching of actively exploited Ivanti zero-day.
Starting point is 00:01:26 Canvas gets hacked during finals week. Dirty Frag is a new Linux zero-day. Researchers document a serious Claude Chrome extension bug. Meta ends Instagram encryption. PCPJack malware cleans house before moving in. A new report highlights quantum-era cryptographic threats. Cloudflare announces layoffs amidst AI deployment. Sri Lankan police shut
Starting point is 00:01:50 down a scam center. Maria Varmazis joins me to look back at 10 years of geopolitics in cyber, and vibe coding reveals valuable data. It's Friday, May 8th, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today, and happy Friday. It's great as always to have you with us. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, has ordered federal agencies to secure Ivanti Endpoint Manager Mobile systems within four days after attackers exploited
Starting point is 00:02:53 a high-severity vulnerability in zero-day attacks. The flaw allows remote code execution on Ivanti EPMM 12.8 and earlier when attackers have administrative privileges. Ivanti released patched versions
Starting point is 00:03:09 and urged customers to review and rotate admin credentials. The company said exploitation appears limited and affects only on-premises EPMM deployments, not Ivanti's cloud or other product lines. Shadowserver reports more than 800 exposed EPMM appliances remain online. The directive highlights the continued risk posed by internet-facing management platforms, especially when active exploitation is already underway. CISA warned the vulnerability presents significant risk to federal networks and ordered agencies to patch affected systems by May 10th.
Starting point is 00:03:51 Educational software provider Canvas is investigating a cybersecurity incident after widespread login outages and claims of responsibility from the hacking group Shiny Hunters. Canvas developer Instructure confirmed the incident in a May 2nd status update and said outside forensic experts are assisting the investigation. Reports earlier this week described login failures that displayed messages allegedly from Shiny Hunters, which claimed poor patching enabled the disruption. The group also claimed to have stolen data from schools and universities using Canvas and threatened to leak it unless a settlement is reached by May 12. Several universities temporarily blocked access to the platform and warned students about increased
Starting point is 00:04:39 phishing risks. The incident underscores the operational impact ransomware and extortion campaigns can have on widely used software-as-a-service platforms, especially in education environments that depend on centralized systems for coursework and assignments. A newly disclosed Linux zero-day vulnerability called Dirty Frag allows local attackers to gain root privileges on many major Linux distributions using a publicly released proof-of-concept exploit. Researcher Hjunwu Kim says the flaw stems from Linux kernel code introduced roughly nine years ago. Dirty Frag chains two kernel vulnerabilities to modify protected system files in memory and escalate privileges without authorization.
Starting point is 00:05:29 Kim described the exploit as highly reliable because it does not depend on race conditions or timing windows. The flaw affects multiple distributions. No CVE identifier or official patches are currently available after a public disclosure embargo was broken. The disclosure adds pressure on Linux administrators already responding to other actively exploited privilege escalation flaws, including copy fail and pack to the route, both patched or mitigated only recently. Researchers at browser security firm LayerX disclosed a vulnerability in Anthropic's Claude Chrome extension that could let malicious browser plugins hijack the AI agent and bypass security controls. According to LayerX, the flaw allows any browser extension to communicate with Claude's
Starting point is 00:06:23 large language model without verifying the source of the request. Researcher Aviad Gispan demonstrated an attack that extracted files from Google Drive, accessed email activity, sent emails as the user, and stole source code from connected GitHub repositories. The researchers also manipulated Claude's interface to hide security prompts and sensitive actions from users. LayerX said Anthropic issued a partial fix on May 6, but some takeover scenarios reportedly remained possible.
Starting point is 00:06:57 The research highlights growing concerns around AI agents that can interact directly with browsers, files, and cloud services. Security experts warned traditional prompt-layer monitoring may not detect attacks that manipulate the agent's perceived environment instead of the model itself. Meta has ended end-to-end encrypted direct messages on Instagram, saying few users enabled the feature and directing users to WhatsApp for encrypted communications. Privacy advocates criticized the move, warning it weakens protections for journalists, activists, and abuse survivors who rely on secure messaging. Groups including the Center for Democracy and Technology questioned how Meta will handle previously encrypted chats,
Starting point is 00:07:47 and warned users could face greater surveillance and interception risks. Meta has not publicly clarified whether standard Instagram messages could eventually be used in broader data analysis or ad-targeting systems. Researchers at SentinelOne have identified a new malware framework called PCPJack that removes TeamPCP malware from compromised systems before deploying its own credential-stealing and propagation tools. Active since late April, PCPJack targets Linux environments and appears designed to spread across cloud and enterprise infrastructure.
Starting point is 00:08:27 SentinelOne believes the operator may be a former TeamPCP member because the framework specifically hunts for and deletes TeamPCP artifacts before installing modular Python-based malware components. The framework steals credentials, tokens, SSH keys, and cryptocurrency wallets tied to services including AWS, GitHub, Slack, Docker, Gmail, and Office 365. It also attempts lateral movement through Kubernetes, Redis, MongoDB, and vulnerable web applications, while using Telegram for command and control. The campaign highlights how cybercriminal operations increasingly compete for access to compromised systems, while modular malware frameworks continue expanding beyond traditional endpoints into cloud-native infrastructure. Recorded Future is warning that quantum computing risks are no longer theoretical, as organizations face growing pressure to prepare for a future
Starting point is 00:09:30 where quantum systems can break today's encryption standards. In a new report, the company said the biggest threat comes from cryptographically relevant quantum computers, or CRQCs, which could eventually defeat widely used public-key encryption systems such as RSA and elliptic curve cryptography. Recorded Future warns that harvest-now, decrypt-later activity is already underway, with threat actors potentially collecting encrypted data today for future decryption once quantum capabilities mature. The report noted that long-lived sensitive information, including government records, intellectual property, health care data, and financial information, faces the greatest exposure risk. The company also said organizations delaying post-quantum cryptography migration
Starting point is 00:10:21 beyond 2026 could face higher costs, compressed timelines, and operational disruption as regulatory and procurement requirements accelerate adoption. Cloudflare announced plans to reduce its global workforce by more than 1,100 employees, framing the move as part of a broader restructuring around what it calls the agentic AI era. In a message to employees, company leaders said internal AI usage has surged more than 600% in recent months, changing how teams across engineering, HR, finance, and marketing operate. The company stressed the layoffs were not tied to employee performance, but to a larger effort
Starting point is 00:11:07 to redesign workflows and organizational structures around AI-driven operations. Cloudflare also pledged expanded severance, healthcare support, and accelerated equity vesting for affected workers. The announcement lands amid continuing technology sector layoffs as companies race to integrate AI tools while reducing costs and restructuring teams. For employees across the industry, these cuts reflect a painful transition period where years of work and loyalty are colliding with rapid shifts in how companies believe future work will be done.
Starting point is 00:11:46 Sri Lankan police have arrested 37 Chinese nationals suspected of operating a scam center in a suburb of Colombo, part of a broader regional crackdown on online fraud operations. Authorities said the suspects were detained during a May 2nd raid in Tallengama after a tip-off led officers to a property allegedly housing people working illegally or overstaying tourist visas. Police seized dozens of devices, including 147 mobile phones and 100 SIM cards. Investigators believe the operation may have been tied to romance-baiting cryptocurrency scams where victims are manipulated through dating apps or unsolicited messages before
Starting point is 00:12:30 being directed to fake investment platforms. The arrests follow similar raids in recent months involving hundreds of foreign nationals. The United Nations and Interpol have warned many workers inside these scam compounds may themselves be victims of human trafficking and forced labor. Coming up after the break, Maria Varmazis joins us to look back at 10 years of geopolitics in cyber, and vibe coding reveals valuable data. Stay with us. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career?
Starting point is 00:13:33 Earn a Master of Science in Law at University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.u-maryland.edu. We are celebrating 10 years of publishing the CyberWire Daily podcast this year. Maria Varmazis joins me to analyze 10 years of geopolitics in cyber.
Starting point is 00:14:22 Well, it is my distinct honor yet again to bring back Dave Bittner, host of The CyberWire. Hi, Dave. Hello. Good to be back. Yes, imagine. We're talking to you today, of all days, about your show. It's Maria, right?
Starting point is 00:14:36 Yeah, nice to meet you. Nice to meet you. I appreciate that, Dave. And the occasion that brings us together is, as we've been covering for quite a little bit now, the 10-year anniversary of the CyberWire Daily and all of the incredible stories that the show and you have been covering over the last decade.
Starting point is 00:14:55 And for our chat today, we're going to take a focus look at geopolitics in the last decade as it relates to cybersecurity and the many, many stories in that realm that you have taken a look at in that time. So, gosh, to start to cover geopolitics, I think a few things have changed in the last decade. One or two. Just a few.
Starting point is 00:15:15 I mean, 2015, 2016 was a millennia ago. I know. Not literally, but kind of. Yeah. Well, I'm still battling the reality that post-COVID, time has no meaning. But I really enjoyed looking back as I was prepping for our conversation today. There were a lot of things that I hadn't really considered in a while. And when you kind of lay them all out in front of yourself,
Starting point is 00:15:41 you see that, yeah, there has been a lot of change over the past decade when it comes to a lot of this geopolitical stuff. It's a feedback loop, isn't it? It is. It is. I think one of the things that strikes me is just that it's become constant. Like, it used to be that you'd have something like the OPM breach, which was more episodic. ooh, something happened
Starting point is 00:16:10 and oh, there was a breach or oh, the data got stolen or, oh, there was some ransomware. And it's just, it's everywhere now. It's daily, thank goodness for us. Yeah, there's a low-level drone of this stuff that is all the time now. And so that's the new reality.
Starting point is 00:16:31 That's where we are. Yeah, was there anything, leading question, but anything that contributed to that, that shift? Because that is quite a change from what the landscape looked like, at least for the civilian side of things. Now, as you said, that drone of continuous threats, especially on that international scale, it is quite a shift. What do you feel has contributed to that? I think geopolitically, it's the reality and the recognition from nation-states that cyber is a domain without the usual borders, and also you get a huge return on your investment.
Starting point is 00:17:11 You don't have to build an aircraft carrier to force your influence around the rest of the world. And we've seen that with things like influence operations from the Russians and Chinese stealing information from our companies, our organizations, supply chain issues, all those kinds of things. Again, they're a day-to-day thing now,
Starting point is 00:17:44 and they weren't always. That's for sure. Yeah, I think as we start thinking about specific incidents and threats, the one that definitely, I'm sure for most of our listeners, would come to mind as we look back at the 10 years, NotPetya, and how seismic Petya and then NotPetya truly were, and everything that has come after that. Can you talk us through that one a little bit?
Starting point is 00:18:09 Because that was such a huge, huge thing when it landed. Well, I think it was the one that sort of opened everybody's eyes and thought it can happen to us, right? You have a global disruption of the supply chain, you know, major supplier gets hit, and everybody starts worrying that maybe our global economy is a little more fragile than we thought it was. So it certainly got everybody's attention, made everybody feel like it was real, and it's in everybody's consciousness ever since. That's very true. That's very true. And another thing, as we look back on the last 10 years, 2022 was the start of the war in Ukraine. And it's still ongoing. The fallout from that is certainly global, especially when we're talking
Starting point is 00:19:02 within the cyber realm. What are the geopolitical shifts within the conflict that you think have fed into the cybersecurity realm, as it were, like the nature of the threat? Yeah. I mean, there's this whole idea
Starting point is 00:19:14 that the war in Ukraine has been a bit of a laboratory for cyber war, for modern cyber war, the integration of cyber and kinetic battle, using cyber alongside your battlefield operations, again, information operations, which is top of mind for the Russians.
Starting point is 00:19:37 You know, they've always, it's always been something they've had up their sleeve. But it feels like cyber has been an accelerant for that, for them to be able to do the things they do. And then also, I sort of related to, I think it started in Ukraine, but related to what we're seeing now in Iran, is seeing inexpensive technology being used in warfare: little consumer drones, consumer electronics, routers, Starlink, all these things that are not mil-spec, you know, such as it is. Right, whatever that means. But they're off-the-shelf tools that hose themselves up to the cyber and have allowed
Starting point is 00:20:29 folks to be, to have an unfair advantage, or at least maybe not as much of an outsized disadvantage against a larger, more capable adversary. Speaking of adversaries, and again, we're based in the United States, so this is our very U.S.-centric point of view, so just owning up to that. But when we think about, in case that wasn't obvious, uh, when we think about, you know, the adversarial nation-states, often Russia, China, North Korea, those are the names that commonly come to mind. Iran, of course, as part of that as well, has been. But things have shifted in that arena as well in terms of nation-state strategies against other nation-states and also against private enterprise. It's all in the mix. Over the last 10 years,
Starting point is 00:21:12 again, big shifts. Anything notable that you want to highlight on that front? Well, let's look at China, who famously, I think they play the long game. And we're in the middle of that long game. Who knows how long it is? We might be in just the beginning of it. But we've seen that they have positioned themselves in our infrastructure. They have access to supply chain. So many things get manufactured in China that it's, and the manufacturers are obligated to do what the Chinese government wants them to do. So I think there's a legitimate concern from nations like ours to think about what might be in the firmware,
Starting point is 00:22:01 what might be in our supply chain. We certainly found them in our telecommunications infrastructure with the various typhoons, Volt Typhoon, Salt Typhoon, and those sorts of things. So they're more looking for long-term economic influence and advantage rather than turning the lights off, which I think is the fear that we have from, say, Russia or Iran, of messing with our critical infrastructure.
Starting point is 00:22:33 it seems like China's really interested in gathering information, knowing what we're up to so they can leverage that knowledge to their own advantage. And it leaves defenders in a really, in a bit of a bind, truly, when you're thinking about potential supply chain attacks or just issues from within the supply chain. And specifically, if we're talking about devices from China, in many cases, they're the only source for some of these things, many things that are made. There is no domestic supplier for not just some, many of the things that a lot of modern
Starting point is 00:23:07 IT infrastructure relies on. So it leaves defenders in a quite difficult position. And I'm wondering, what is the advice that defenders should be applying in their day-to-day? Or what can we tell them? What should they be doing in light of all that? Well, I think ultimately, I mean, it's defense in depth, right? So you can't rely on only one thing to protect yourself. So you do your due diligence to check to make sure your supply chain is as secure as it can be, but then have defenses in place
Starting point is 00:23:42 on the chance that it's not because it might not be. And so, look, we're seeing again, to the present day, who thought we would see the rest of the world being so interested in digital sovereignty because of the actions of the United States, the major players, the Microsoft, Google, Amazon, we're seeing other nations building their own infrastructure because they're not sure they can depend on us as good partners in a way that they had assumed that they could in prior years. So I don't know the degree to which people saw that coming. I certainly didn't. I don't know about you.
Starting point is 00:24:24 That was a blind side for a lot of us. Yeah, I did not. I am still reeling from it personally, honestly. And given the conversations that you've had, especially in the last few years, I'm wondering if the nature of what you're hearing from people that you've interviewed, when geopolitics, but maybe also specifically supply chain issues,
Starting point is 00:24:47 has the nature of that conversation changed? I mean, are there new worries, anxieties? What are you hearing that is trend-wise that has changed? Yeah, I mean, I think it's top of mind for a lot of people. They understand that the threat is real. They understand that there's only so far down the supply chain ladder that you can go to trust but verify. And like you said, so many things come out of other nations who are potentially adversarial. I mean, look at how many of us are carrying iPhones around, right?
Starting point is 00:25:24 Who makes the iPhones? Where do they come from now? So who, who are we trusting? We're trusting Apple to do their due diligence, but right at the thing, so at some point you have to trust someone. I want to let that marinate for a second because it's an important point, but it's also, it makes me kind of recoil. I don't know why, just viscerally it makes me go, yeah, but, oh, but. And yet, what is probably the most, you know, popular thing that we've seen, or one of the, let's say, top five things that's come to the fore in terms of strategies is zero-trust architecture. So you don't want to trust anybody, right? Where does it leave us, truly? Right. Well, you have to strike that balance. And, you know,
Starting point is 00:26:14 I guess it's the old Reagan saying, trust but verify. Only trust so far and do your due diligence. And zero trust is a way to be constantly challenging the trust to make sure that people are only getting access to what they need to when they need it. And I think that's wise. So the rise of zero trust and its adoption by governments, you know, the feds really jumping in with both feet with zero trust, I think shows that that's probably where we're headed going forward. Be sure to check out the full version of my interview with Maria this Sunday as part of a CyberWire special edition. And finally, the promise of vibe coding was simple. Describe an app in plain English, click publish, and suddenly everyone's a software developer. Unfortunately, some of those developers also accidentally became system administrators with the security habits of an unlocked filing cabinet.
Starting point is 00:27:35 According to reporting by Andy Greenberg for Wired, researchers at Red Access found more than 5,000 publicly accessible web apps built with AI coding platforms, including Lovable, Replit, Base44, and Netlify, that lacked meaningful security protections. According to the researchers, many exposed sensitive business and personal information, including medical records, financial data, internal strategy documents, chatbot logs, and cloud credentials. In some cases, the apps reportedly allowed administrative access with little or no authentication. The findings echo earlier waves of cloud storage misconfigurations,
Starting point is 00:28:18 where easy-to-use platforms collided with limited security expertise. Researchers warn AI coding tools are now putting powerful application development capabilities into the hands of employees who may never pass through traditional security review processes, if they pass through any process at all. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday
Starting point is 00:28:59 and my conversation with Mark Kelly, threat researcher at Proofpoint. The research we're discussing is titled, "I'd come running back to EU again: TA416 resumes European government espionage campaign." That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:29:25 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:29:52 Thanks for listening. We'll see you back here next week.
