CyberWire Daily - Too many cooks in the algorithm.
Episode Date: May 22, 2026Trump hits pause on an AI executive order. Lawmakers sound alarms over CISA cuts. A sophisticated scareware campaign traps users in fake tech support scams. Ubiquiti patches critical UniFi flaws. The ...U.S. pours billions into quantum computing. Researchers uncover delayed Google API key revocation. Canadian authorities arrest the alleged Kimwolf botnet operator. Two Americans plead guilty in a global tech support fraud scheme. Our guest is Ankit Kumar Honey, Senior Engineering Manager for Dependabot at GitHub, discussing closing the agentic gap between alert and patch at a global scale. AI generated reports still come up short. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ankit Kumar Honey, Senior Engineering Manager for Dependabot at GitHub, joins us to discuss closing the agentic gap between alert and patch at a global scale. Selected Reading Why Trump's AI executive order was pulled (Axios) Restoring CISA is one issue many lawmakers can agree on (Federal News Network) U.S. CISA adds Trend Micro Apex One and Langflow to its Known Exploited Vulnerabilities catalog (Security Affairs) Threat Spotlight: CypherLoc, an advanced browser-locking scareware targeting millions (Barracuda Networks Blog) Ubiquiti patches three max severity UniFi OS vulnerabilities (Bleeping Computer) Department of Commerce Announces Letters of Intent With 9 Companies for $2 Billion to Accelerate U.S. Leadership in Quantum Computing (NIST) Google API keys keep working after you delete them (Akido) Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada (Krebs on Security) Two Americans plead guilty to assisting India-based tech support scam centers (The Record) AI-generated reporting: Lessons learned from Cisco Talos Incident Response (Cisco) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Looking to understand the cybersecurity risks emerging beyond Earth's atmosphere?
In the weekly Signals in Space newsletter, T-minus host Maria Vermazas and producer Ethan Cook connect the dots between terrestrial infrastructure and the growing attack surface in space.
Each week, you'll get the latest space cyber headlines, direct access to the week's T-minus podcast conversation, plus everything.
expert insights and resources to help security professionals better understand this rapidly evolving domain.
Space systems are becoming critical infrastructure.
Signals in space helps you stay ahead of the threats shaping the next frontier.
Subscribe now to the Signals and Space newsletter.
No, it's not your imagination.
Risk and regulation really are ramping up,
and these days customers expect proof of security before they'll even do business.
that's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform.
So whether you're getting ready for a SOC2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and writers spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time.
focused on growth. For me, it comes down to this. Over 10,000 companies from startups to large
enterprises trust Vanta to help prove their security. Get started at vanta.com slash cyber.
Trump hits pause on an AI executive order. Lawmakers sound alarms over Sissacuts. A sophisticated
scareware campaign traps users in fake tech support scans. Ubiquity patches critical unify flaws,
The U.S. pours billions into quantum computing.
Researchers uncovered delayed Google API key revocation.
Canadian authorities arrest the alleged Kim Wolf Botnet operator.
Two Americans plead guilty in a global tech support fraud scheme.
Our guest is Unkid Kumar Honey,
senior engineering manager for Dependibot at GitHub,
discussing closing the agentic gap between alert and patch at a global scale.
And AI-generated reports still.
come up short. It's Friday, May 22nd, 2026. I'm Dave Bittner, and this is your Cyberwire Intel
briefing. Thanks for joining us here today. It's great as always to have you with us. Happy Friday.
President Trump delayed a planned executive order on AI and cybersecurity just hours before it was
sent to be signed after pushback from top advisor David Sacks and several tech leaders,
according to Axios.
Sources said Trump objected to the order because he viewed it as unnecessary regulation
that could slow U.S. AI companies as they compete with China.
Meta CEO Mark Zuckerberg, X-AI CEO Elon Musk and David Sacks, reportedly spoke with Trump
before the decision.
The delay highlights growing divisions inside both the White House and the tech industry
over how aggressively AI should be regulated.
Some officials and industry sources also questioned why the Treasury Department would play a leading
role in identifying AI security vulnerabilities, a task typically handled by agencies like SISA and NIST.
While many companies support voluntary AI testing and safeguards,
disagreements remain on oversight, model-sharing rules, and government involvement.
For now, advocates.
of lighter AI regulation appear to have gained the upper hand,
though additional White House AI security initiatives may still emerge.
Bipartisan lawmakers are raising concerns over staffing cuts and operational strain
at the Cybersecurity and Infrastructure Security Agency,
warning the agency may be less prepared to defend federal and critical infrastructure networks.
Representatives Don Bacon and James Walkenshaw said,
The Trump administration has weakened SISA through funding and workforce reductions,
despite growing cyber threats and increased use of artificial intelligence to uncover zero-day vulnerabilities.
Democratic lawmakers Benny Thompson and Delia Ramirez also requested a briefing from acting Sisa director Nick Anderson
after reports that a contractor exposed privileged AWSGov cloud credentials in a public GitHub repository.
They argued the incident may reflect declining security oversight following the loss of nearly 1,000 employees over the past 15 months.
Sessa said it is still investigating the exposure and currently has no indication mission data was compromised.
Meanwhile, lawmakers continue pressing the agency about whether it has sufficient staffing and resources to fulfill its cybersecurity mission.
Speaking of SISA, they have added two actively exploited flaws to the known-exploited vulnerabilities
catalog, a critical Langflow origin validation flaw, and a trend micro-Apex-1 directory traversal flaw.
Researchers say the Langflow bug can enable full system compromise and expose sensitive API keys,
while reports linked its exploitation to Iran-aligned threat group Muddy Water.
Trend Micro-confirmed active exploitation of the Apex 1 flaw in on-premise deployments.
SISA ordered federal agencies to patch both vulnerabilities by June 4th.
Researchers at Barakuda Networks detailed a sophisticated scareware kit called Cipherlock
that uses browser-based tricks and psychological pressure to push victims into calling fraudulent tech support lines.
Since early 2026,
Researchers observed roughly 2.8 million attacks using the framework.
Cipher lock begins with phishing emails that lead victims to malicious websites.
The kit hides encrypted payloads that only activate under specific conditions,
helping it evade scanners and sandboxes.
Once triggers, it locks the browser in full-screen mode,
displays fake security alerts, plays warning audio,
and even shows the victim's public IP address to increase panic.
Attempts to inspect the page can intentionally slow or destabilize the browser.
Barracuda said the campaign reflects a shift from traditional malware
toward browser-based social engineering attacks that rely on fear and deception
rather than malicious file downloads.
Ubiquity released security updates for five vulnerabilities affecting Univocity,
OS devices, including three maximum security flaws that remote unauthenticated attackers could
exploit. The issues include improper access control, path traversal, and command injection vulnerabilities.
Ubiquity also patched another critical command injection flaw and a high-severity information
disclosure bug. The company said the vulnerabilities were reported through its Hacker 1 bug bounty
program and can be exploited with low-complexity attacks.
Threat intelligence firm Census tracks nearly 100,000 Internet-exposed unify OS endpoints worldwide.
The U.S. Department of Commerce announced plans to provide more than $2 billion in Chips and Science
Act incentives to nine quantum technology companies aimed at strengthening U.S. leadership in quantum
computing. The funding includes support for quantum foundries led by IBM and global foundries,
along with investments in seven quantum computing firms working across superconducting,
photonic, trapped ion, silicon spin, and neutral atom technologies. Officials say the investments
are intended to accelerate development of utility scale, fault-tolerant quantum computers,
and address engineering challenges such as error correction,
photonic loss, cryogenic systems, and cubit scalability.
The administration framed the initiative as both an economic and national security priority,
citing potential applications in defense, energy, finance, advanced materials,
and biopharmaceutical research.
Researchers from Iketo found that deleted Google API keys can continue authentic,
requesting requests for up to 23 minutes after deletion because revocation propagates gradually
across Google's infrastructure. In testing across 10 trials, deleted keys remained intermittently
functional for between 8 and 23 minutes, potentially allowing attackers to continue accessing
enabled services, including Gemini, after a credential leak. The researchers say the delayed revocation
stems from Google's eventually consistent infrastructure model
and warned that users receive no indication a deleted key may still be active.
They also observed regional inconsistencies in how quickly revocation took effect.
Google reportedly closed the disclosure as won't fix,
describing the delay as expected system behavior.
Researchers advised organizations to treat API key deletion
as a roughly 30-minute process,
and closely monitor usage during that window for signs of abuse.
Canadian authorities arrested a 23-year-old Ottawa resident, Jacob Butler, also known as Dort,
on allegations he operated the Kim Wolf Internet of Things Botnet linked to massive DDoS attacks.
U.S. prosecutors allege the botnet infected millions of devices, including webcams and digital photo frames,
and generated attacks reaching nearly 30 terabits per second.
Authorities said Kim Wolf issued more than 25,000 attack commands
and caused significant financial damage,
including attacks affecting Department of Defense address ranges.
Investigators tied Butler to the operation through IP addresses,
transaction records, and online messaging accounts.
He also allegedly participated in harassment, doxing, and swatting campaigns,
targeting security researchers.
Canadian and U.S. authorities coordinated the investigation
alongside broader efforts to seize infrastructures tied to several DEDOS for hire services.
Butler now faces criminal charges in both Canada and the United States.
Two Americans pleaded guilty to charges tied to a long-running India-based tech support fraud scheme
that targeted elderly and vulnerable victims across the United States.
Prosecutors said Adam Young and Harrison Geverts provided phone numbers, call routing, and tracking services that helped scammers connect victims to fraudulent call centers in India between 2016 and 2022.
Victims were tricked through fake malware warnings and pressured into paying for bogus technical support services.
In some cases, scammers gained remote access to devices and stole financial information.
Investigators said the pair continued.
supporting the operation even after learning customers were involved in fraud and allegedly advised
scammers on ways to avoid detection by rotating phone numbers. The case comes amid broader government
effort to combat robocalls and digital scams, which lawmakers say continue to cost
Americans billions of dollars annually. Coming up after the break, my conversation with
Unkit Kumar Honey, senior engineering manager for Dependibot at Kee.
GitHub. We're discussing closing the agentic gap between alert and patch. And AI-generated reports
still come up short. Stay with us. When it comes to mobile application security, good enough
is a risk. A recent survey shows that 72% of organizations reported at least one mobile application
security incident last year, and 92% of responders reported threat levels have increased in the past two
years. Guard Square delivers the highest level of security for your mobile apps without compromising
performance, time to market, or user experience. Discover how Guard Square provides industry-leading
security for your Android and iOS apps at www.gardesquare.com. Could AI help you do more of what you
love? Workday is the AI platform for HR and finance that actually knows your business. We help you handle
the have-to-dos so you can focus on the can't-wait-to-dos. It's a new workday.
Ankit Kumar Honey is Senior Engineering Manager for Dependabot at GitHub. We recently got together
to discuss closing the agenetic gap between alert and patch. Basically, the team which I lead
is a part of a supply chain security organization within GitHub. This team, what it does
is basically it builds and operates automated dependency security system that monitors around
20 plus million repository across 32 ecosystem,
and which is serving around 180 million or even more developers worldwide.
So basically our team works around vulnerability detection through,
I'll repeat that again.
So basically our team works on vulnerability detection through GitHub advisory database,
automated security updates,
and AI augmented vulnerability remediation at scale.
Well, take us through some of the changes and innovations that you and your team have been implementing here lately with the onset of all of this concern about AI.
Yeah, so one thing is basically how AI agent is able to fix vulnerabilities.
So we shipped something which is called security alerts remediation with an AI coding agent that was last month.
So what's emerging across the industry is the idea of assigning a security alert to an AI coding agent,
not just to flag the problem.
And this is something our team depend on wanted to tackle.
This is the first step.
So what we try to do is we just not analyze the vulnerability.
Basically, we examine how the affected dependencies used in a specific code base and propose a fix.
So exactly what happens.
You have a security vulnerability in your code base.
You assign that vulnerability to AI coding agent.
The AI coding agent, what it does is it actually analyzes those vulnerabilities,
examine how the affected dependency is used in your specific code base,
and it proposes a fix.
Now, what agent does is it opens a draft pull request that a human engineer reviews before merging.
And this is a very important part because we always want to have humans in the loop.
AI generated fix are not always correct.
They can message cases.
introduce new issues or produce incomplete patches.
Sorry, they can produce incomplete patches.
But they dramatically reduce the time from alert to actionable sex,
especially for the complex cases that human engineers do not have bandwidth to tackle.
So it sounds to me like this system does just about everything but press the go button
and relies on the human to look over what it's prepared before commitment.
to it. Do I have that right?
Yes, exactly. And the best part is, or I would say the beauty is,
once the draft pull request is ready, there is a section called View Session
where a developer can go and see what exactly the AI coding agent has done
and how they proposed a fix. So that gives the developer more confidence in terms of, like,
you know, reviewing that particular pull request and shipping it to production.
Can you share with us how this tool was developed? How did you and
your colleagues decide you are going to approach this particular problem?
Few things which made us make this decision.
First, the AI generated code explosion is creating new dependency patterns,
which we haven't seen before.
Now, when the ALM write code, it pulls in packages based on its training data,
which means it's recommending packages that were popular two years ago,
not necessarily the most secure options today.
We are seeing huge number of security alerts.
and the time to remediation is between 8 to 70 days.
So in the industry right now, we have a very good detection mechanism.
Industries have good security scanners.
They have good advisory database.
They have good vulnerability reporting mechanism.
But the average time to remediation is still between 8 days to 70 days,
which means detection without.
remediation is just noise. And that is what exactly we are trying to tackle it. And the first
step towards this is like, why don't we assign a security alert to an AI coding agent, which will
solve a problem within a couple of hours rather than like having that problem sit for days for the
developers. This will also help developers to reduce the backlog. And the more the backlog increases,
the attack surface area for those particular packages or application increases.
How do you balance people's desire to save time with the need to be accurate here?
So the first thing we are trying to tackle is the noise.
Engineering teams get hundreds and thousands of alerts.
The simple ones get fixed, but the complex ones, for example,
breaking API changes or compromised packages,
transitive dependency conflicts, those gets piled up and it creates a backlog which is,
which becomes a kind of a headache for any developer, any security folks.
And this is exactly we want to tackle and to fill that gap.
We are trying to make sure we provide a solution to the developers so that they can
themselves analyze and figure out like, you know, what needs to be done within,
within our time frame, which is suitable for them as well as for the security folks in the organization.
Since you have launched this, what has the response been? And what have you learned?
So the initial response is promising. We are still in the early phase. So I will circle back again after a couple of months.
But the initial response was pretty good. We are seeing customers onboarding to it and we are getting some good results.
That's Unkit Kumar Honey from GitHub.
The 2006 Chevrolet Equinox awarded the most dependable compact SUV in the U.S. by J.D. Power.
It is designed for your everyday.
And with available all-wheel drive, you can handle your to-do list with total confidence.
Start your build at Chevrolet.ca. Details at J.D.Power.com.
And finally, researchers at Cisco Talos spent months teaching large language models
how to write cybersecurity reports without wandering off into confidently incorrect fiction.
A task easier said than done when your co-author occasionally invents facts with perfect grammar.
The team found that AI-generated reports often suffered from inconsistent conclusions,
formatting drift, and the digital equivalent of losing the plot halfway through a meeting.
To rein things in, Talos developed tightly controlled prompt engineering,
techniques, including task-specific prompts, strict source constraints, rigid templates, and
structured formatting rules. In testing, the approach cut report drafting time roughly in half
while improving consistency and reducing typos, a rare moment when everyone involved in
incident response briefly experienced joy. The researchers cautioned that human oversight
remains essential, models still hallucinated recommendations, mixed content between projects,
and occasionally missed obvious errors while confidently flagging imaginary ones.
In other words, the AI intern still needs supervision.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Just a quick program note, we will not be publishing our daily podcast.
this coming Monday in observance of Memorial Day.
Be sure to check out this weekend's research Saturday
and my conversation with Sase Levi,
Security Research Lead at Noma Security.
The research we're discussing is titled Grafana Ghost,
The Phantom Stealing Your Data.
That's Research Saturday. Check it out.
And hello, Maria Vermazas here.
On Sunday's T-minus space cyber briefing,
we're covering the future of modernizing
and securing GPS operations,
with Dr. Sean Gorman, CEO at Zephyr.
That's Sunday on T-minus.
Don't miss it.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey and the show notes
or send an email to Cyberwire at n2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Vermazas.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you all back here next week.
Hey, y'all, it's Kelly Clarkson with Wayfair.
Ever order furniture online and wonder what if?
Like, what if it doesn't hold up?
That sofa was four days old.
You should have ordered from Wayfair.
With Wayfair, there's no what-if.
Just style you love and quality you can trust.
Visit Wayfair.ca.
Fair, every style, every home.