Cybersecurity Headlines

Video game supply chain attack, Bleeding Llama, US gets early LLM access

8 min
May 6, 2026
Summary

This episode covers critical cybersecurity threats including a North Korean supply chain attack on a gaming platform, a heap overflow vulnerability in Ollama that could expose API keys, and US government early access deals with major AI companies. Additional stories highlight romance scam increases in the UK, a phishing campaign using fake compliance lures, and a cyberattack on Taiwan's high-speed rail system.

Insights
  • Supply chain attacks are expanding beyond traditional software targets into gaming platforms serving niche geographic populations, indicating threat actors are diversifying attack vectors
  • Open-source LLM projects face significant security risks when deployed without authentication by default, creating easy exploitation paths for credential theft
  • Government AI oversight is accelerating globally with the US, Australia, and implied other nations establishing formal review boards and early access programs for model security testing
  • Enterprise security awareness remains fragmented with 45% of workers preferring existing workflows over AI redesign despite 65% fearing obsolescence, creating shadow IT risks
  • Critical infrastructure protection gaps persist with 19-year-old unrotated encryption parameters in Taiwan's rail system, exposing vulnerabilities to basic radio-based attacks
Trends
  • Geopolitically-targeted supply chain attacks leveraging niche platforms to reach specific diaspora communities
  • Default-insecure configurations in open-source AI tools becoming primary attack surface for credential exfiltration
  • Government-mandated AI model review boards establishing pre-release security testing as regulatory standard
  • Phishing campaigns increasingly using enterprise-authentic templates and compliance-themed social engineering
  • Post-quantum cryptography adoption accelerating across consumer privacy platforms ahead of quantum threats
  • Romance scam losses growing significantly with gender-based loss disparities and million-pound individual incidents
  • Critical infrastructure systems running decades-old unpatched encryption without parameter rotation
  • AI adoption paradox creating organizational misalignment and potential shadow AI proliferation risks
  • Frontier AI professionals (26% of workforce) driving multi-system workflow redesigns while majority resists change
  • TETRA communication system vulnerabilities in critical infrastructure due to lack of encryption or known-broken TEA1 implementation
Companies
Microsoft
Discovered phishing campaign targeting 35,000 users; part of US government early LLM access deal; credentials harvest...
Google
Reached deal with US Commerce Department for early LLM access; credentials targeted in phishing campaign
Ollama
Open-source LLM project with heap out-of-bounds read vulnerability allowing API key/token exfiltration via GGUF model...
ESET
Researchers documented ScarCruft supply chain attack campaign targeting SQGame.net gaming platform
xAI
Reached deal with US Commerce Department Center for AI Standards and Innovation for early model access
Anthropic
Part of ongoing US government early LLM access program since 2024
OpenAI
Part of ongoing US government early LLM access program since 2024
ProtonMail
Rolled out post-quantum cryptography support across email platform including free plans; collaborating on quantum-saf...
SQGame.net
Gaming platform popular with ethnic Koreans in China's Yanbian region; distributed trojanized game components since l...
Sayera
Security researchers who disclosed Bleeding Llama heap vulnerability in Ollama
Cloudflare
Captchas displayed in phishing campaign to increase authenticity of malicious links
Telstra
CISO Narelle Devine chairs Australia's new Cyber Incident Review Board
People
Rich Trafalino
Host and reporter for Cybersecurity Headlines episode
Narelle Devine
Chairs Australia's newly formed Cyber Incident Review Board
Quotes
"Risk and regulation ramping up, and customers expect proof of security just to do business."
Vanta (sponsor message)
Full Transcript
From the CISO series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Wednesday, May 6, 2026. I'm Rich Trafalino.

Video game platform hit by supply chain attack. Researchers at ESET documented a campaign by the North Korean-aligned threat group ScarCruft to install a backdoor on targeted Windows and Android devices. This targeted the gaming platform SQGame.net, popular with ethnic Koreans living in China's Yanbian region that borders Russia and North Korea. Since late 2024, the gaming platform distributed trojanized components for Windows and Android games to install the Bird Call backdoor. Malicious Android apps are still being distributed by the platform as of this recording. ScarCruft has a history of targeting North Korean defectors and human rights activists.

Bleeding Llama could expose your data. Researchers at Sayera disclosed a heap out-of-bounds read issue in Ollama, the popular open-source project for running local LLMs. This bug impacts Ollama's GGUF model loader with a maliciously crafted GGUF file that could open the door to memory access and leak API keys and tokens. This is exfiltrated with Ollama's built-in model push feature. The entire attack chain requires three unauthenticated API calls and is possible because by default, Ollama launches without authentication and listens to all network interfaces. The vulnerability was patched in version 0.17.1.

US gets more early LLM access. The U.S. Commerce Department's Center for AI Standards and Innovation announced it reached deals with Google, Microsoft, and xAI to give the U.S. government early access to upcoming models to test and improve security on critical systems. This matches similar deals in place with Anthropic and OpenAI since 2024.
The government center has tested over 40 models so far. This comes as sources from both The Wall Street Journal and New York Times report that the Trump administration is considering an executive order that would create a program for the government to review new AI tools prior to release.

Australia launches Cyber Review Board. The Australian government announced the formation of the Cyber Incident Review Board, which will independently review major cyber attacks in the country. These will be no-fault reviews that focus on systemic lessons to apply to the industry rather than culpability for individual organizations. Telstra CISO Narelle Devine will chair the group. The board will be modeled after the now-defunct U.S. Cyber Safety Review Board, established by the Biden administration in 2022 and disbanded by the Trump administration.

And now a huge thanks to our sponsor for today, Vanta. Risk and regulation ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at Vanta.com.

UK sees a jump in romance scams. The Report Fraud Unit for the City of London Police reports that romance scams increased 29% in 2025 to 10,784. These resulted in 102 million pounds in losses, with an average loss of 9,500 pounds per scam, although some scams reached into the millions of pounds. Almost half of all losses came from people aged 55 to 74, with men reporting more scams, but women suffering larger losses on average. These scams follow the familiar playbook, using fake profiles on social media to build a relationship with the victim, before requesting money for a variety of purported emergencies.
Romance scams accounted for just 3 of overall fraud losses in the UK. Romance scams make up a much larger percentage of cyber losses in the U with almost billion paid in 2025.

Threat actor finds a way to make compliance worse. The Microsoft Defender research team discovered a phishing campaign using fake compliance-related communications as lures. The campaign ran in mid-April, targeting 35,000 users across thousands of organizations, primarily in the U.S. The emails used slick, enterprise-style HTML templates for authenticity. Subject lines used time-sensitive lures, often citing conduct policy reviews, and urging recipients to open attachments to review case materials. The messages also included green POW box encryption banners and showed Cloudflare captchas when clicking through malicious links just to make everything seem legit. Ultimately, these led to phishing pages trying to harvest Microsoft and Google credentials.

ProtonMail adds PQC. The privacy-forward company announced that it's rolled out support for post-quantum encryption across its email platform, including users on its free plans. This will deploy as a complement to its existing RSA and ECC encryption. Users must opt into PQC by using new encryption keys and be using the latest Proton apps, and it doesn't support PQC on end-to-end encrypted forwarding yet. ProtonMail also announced compatibility with OpenPGP v6 and said it's collaborating with the wider open email ecosystem to ensure quantum-safe mail can operate across all providers.

The AI transformation paradox. Microsoft released its 2026 Work Trend Index report. One of the top-level findings is that 65% of workers fear falling behind if they don't adapt to AI, but at the same time, 45% of workers feel safer focusing on current workflows than redesigning them for AI. Only 26% of respondents said their leadership is consistently aligned on AI, opening the door to potential shadow AI proliferation.
16 of respondents were identified as frontier professionals, those that use multi systems to rethink workflows. The biggest use case for AI was analysis and reasoning, used by 49 of chats. Interactions accounted for 19%, producing work 17%, and gathering information with 15% of chats.

Cyberattack halts high-speed rail. Taiwanese authorities arrested a 23-year-old student for interfering with the TETRA communication system used by the country's high-speed rail network. The suspect allegedly used a software-defined radio to send a general alarm signal that triggered emergency braking on nearby trains. This resulted in four trains being halted for 48 minutes on April 5th. Local reports say that the radio system used by TETRA has not had any parameters of its verification system rotated since it was deployed 19 years ago. It's also possible that transmissions weren't encrypted at all or used TEA1 encryption, which has had a known backdoor since at least 2023. The suspect faces up to 10 years in prison.

Remember to join us this Friday for Super Cyber Friday. Our topic is hacking the end of compliance. We're going to be digging into the impacts of continuous monitoring on the compliance landscape and where we go from here. It all starts at 1 p.m. Eastern. Head on over to our events page at CISOseries.com to register. And we want you to share this event. So if you share the registration link on LinkedIn and tag the CISO Series, we'll put you in a drawing to win some awesome CISO Series swag. We hope to see you there.

And remember, if you have some thoughts about the news from today or about the show in general, be sure to reach out to us. Feedback at CISO Series dot com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Trafalino reminding you to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.