You're listening to the Cyber Wire Network, powered by N2K. No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Rider report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises trusting Vanta. Get started at vanta.com slash cyber. CISA orders rapid patching of actively exploited Ivanti zero days. Canvas gets hacked during finals week. Dirty Frag is a new Linux zero day. Researchers document a serious Claude Chrome extension bug. Meta ends Instagram encryption. PCP Jack malware cleans house before moving in. A new report highlights quantum era cryptographic threats. Cloudflare announces layoffs amidst AI deployment. Sri Lankan police shut down a scam center. Maria Vermazis joins me to look back at 10 years of geopolitics in cyber. And Vibe Coding reveals valuable data. It's Friday, May 8th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today, and happy Friday. It's great as always to have you with us. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, has ordered federal agencies to secure Avanti Endpoint Manager mobile systems within four days after attackers exploited a high-severity vulnerability in zero-day attacks. The flaw allows remote code execution on Avanti EPMM 12.8 and earlier when attackers have administrative privileges. Avanti released patched versions and urged customers to review and rotate admin credentials. The company said exploitation appears limited and affects only on-premises EPMM deployments, not Avanti's cloud or other product lines. Shadow Server reports more than 800 exposed EPMM appliances remain online. The directive highlights the continued risk posed by Internet-facing management platforms, especially when active exploitation is already underway. CISA warned the vulnerability presents significant risk to federal networks and ordered agencies to patch affected systems by May 10th. Educational software provider Canvas is investigating a cybersecurity incident after widespread login outages and claims of responsibility from the hacking group Shiny Hunters. Canvas developer Instructure confirmed the incident in a May 2 status update and said outside forensic experts are assisting the investigation. Reports earlier this week described login failures that displayed messages allegedly from Shiny Hunters, which claimed poor patching enabled the disruption. The group also claimed to have stolen data from schools and universities using Canvas and threatened to leak it unless a settlement is reached by May 12. Several universities temporarily blocked access to the platform and warned students about increased phishing risks. The incident underscores the operational impact ransomware and extortion campaigns can have on widely used software-as-a-service platforms, especially in education environments that depend on centralized systems for coursework and assignments. A newly disclosed Linux zero-day vulnerability called DirtyFrag allows local attackers to gain root privileges on many major Linux distributions using a publicly released proof-of-concept exploit. Researcher Hyunwoo Kim says the flaw stems from Linux kernel code introduced roughly nine years ago. DirtyFrag chains two kernel vulnerabilities to modify protected system files in memory and escalate privileges without authorization. Kim described the exploit as highly reliable because it does not depend on race conditions or timing windows. The flaw affects multiple distributions. No CVE identifier or official patches are currently available after a public disclosure embargo was broken. The disclosure adds pressure on Linux administrators already responding to other actively exploited privilege escalation flaws, including copy-fail and pack-to-the-root, both patched or mitigated only recently. Researchers at browser security firm LayerX disclosed a vulnerability in Anthropik's Claude Chrome extension that could let malicious browser plugins hijack the AI agent and bypass security controls. According to LayerX, the flaw allows any browser extension to communicate with Claude's large language model without verifying the source of the request. Researcher Aviad Gisban demonstrated attacks that extracted files from Google Drive, accessed email activity, sent emails as the user, and stole source code from connected GitHub repositories. The researchers also manipulated Claude's interface to hide security prompts and sensitive actions from users. Layer X said Anthropic issued a partial fix on May 6, but some takeover scenarios reportedly remained possible. The research highlights growing concerns around AI agents that can interact directly with browsers, files, and cloud services. Security experts warned traditional prompt layer monitoring may not detect attacks that manipulate the agent's perceived environment instead of the model itself. Meta has ended end-to-end encrypted direct messages on Instagram, saying few users enabled the feature and directing users to WhatsApp for encrypted communications Privacy advocates criticize the move warning it weakens protections for journalists activists and abuse survivors who rely on secure messaging Groups including the Center for Democracy and Technology, questioned how Meta will handle previously encrypted chats and warned users could face greater surveillance and interception risks. Meta has not publicly clarified whether standard Instagram messages could eventually be used in broader data analysis or add targeted systems. Researchers at SentinelOne have identified a new malware framework called PCP-JACK that removes Team PCP malware from compromised systems before deploying its own credential stealing and propagation tools. Active since late April, PCP-JACK targets Linux environments and appears designed to spread across cloud and enterprise infrastructure. SentinelOne believes the operator may be a former Team PCP member because the framework specifically hunts for and deletes Team PCP artifacts before installing modular Python-based malware components. The framework steals credentials, tokens, SSH keys, and cryptocurrency wallets tied to services including AWS, GitHub, Slack, Docker, Gmail, and Office 365. It also attempts lateral movement through Kubernetes, Redis, MongoDB, and vulnerable web applications, while using Telegram for command and control. The campaign highlights how cybercriminal operations increasingly compete for access to compromised systems, while modular malware frameworks continue expanding beyond traditional endpoints into cloud-native infrastructure. Recorded Future is warning that quantum computing risks are no longer theoretical, as organizations face growing pressure to prepare for a future where quantum systems can break today's encryption standards. In a new report, the company said the biggest threat comes from cryptographically relevant quantum computers, or CRQCs, which could eventually defeat widely used public key encryption systems such as RSA and elliptic curve cryptography. Recorded Future warns that harvest-now-decrypt-later activity is already underway. with threat actors potentially collecting encrypted data today for future decryption once quantum capabilities mature. The report noted that long-lived sensitive information, including government records, intellectual property, health care data, and financial information, faces the greatest exposure risk. The company also said organizations delaying post-quantum cryptography migration beyond 2026 could face higher costs, compressed timelines, and operational disruption as regulatory and procurement requirements accelerate adoption. Cloudflare announced plans to reduce its global workforce by more than 1,100 employees, framing the move as part of a broader restructuring around what it calls the agentic AI era. In a message to employees, company leaders said internal AI usage has surged more than 600% in recent months, changing how teams across engineering, HR, finance, and marketing operate. The company stressed the layoffs were not tied to employee performance, but to a larger effort to redesign workflows and organizational structures around AI-driven operations. Cloudflare also pledged expanded severance, healthcare support, and accelerated equity vesting for affected workers. The announcement lands amid continuing technology sector layoffs as companies race to integrate AI tools while reducing costs and restructuring teams. For employees across the industry, these cuts reflect a painful transition period where years of work and loyalty are colliding with rapid shifts in how companies believe future work will be done. Sri Lankan police have arrested 37 Chinese nationals suspected of operating a scam center in a suburb of Colombo, part of a broader regional crackdown on online fraud operations. Authorities said the suspects were detained during a May 2nd raid in Talangama after a tip-off led officers to a property allegedly housing people working illegally or overstaying tourist visas. Police seized dozens of devices, including 147 mobile phones and 100 SIM cards. Investigators believe the operation may have been tied to romance-baiting cryptocurrency scams, where victims are manipulated through dating apps or unsolicited messages before being directed to fake investment platforms. The arrests follow similar raids in recent months involving hundreds of foreign nationals. The United Nations and Interpol have warned many workers inside these scam compounds may themselves be victims of human trafficking and forced labor. Coming up after the break, Maria Vermazis joins us to look back at 10 years of geopolitics in cyber, and Vibe Coding reveals valuable data. Stay with us. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Carey School of Law. This part-time two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu. We are celebrating 10 years of publishing the Cyber Wire Daily podcast this year. Maria Vermazis joins me to analyze 10 years of geopolitics in cyber. Well, it is my distinct honor yet again to bring back Dave Bittner, host of The Cyber Wire. Hi, Dave. Hello. Good to be back. Yes, imagine. We're talking to you today of all days about your show. It's Maria, right? Yeah. Nice to meet you. Nice to meet you. Pleasure's mine. I appreciate that, Dave. And the occasion that brings us together is, as we've been covering for quite a little bit now, of the 10 year anniversary of the Cyber Wire Daily and all of the incredible stories that the show and you have been covering over the last decade. And for our chat today, we're gonna take a focus look at geopolitics in the last decade as it relates to cybersecurity and the many many stories in that realm that you have taken a look at in that time So gosh to start to cover geopolitics I think a few things have changed in the last decade. One or two. Just a few. I mean, 2015, 2016 was a millennia ago. I know. Not literally, but kind of. Yeah. Well, I'm still battling the reality that post-COVID time has no meaning. But I really enjoyed looking back as I was prepping for our conversation today. There were a lot of things that I hadn't really considered in a while. And when you kind of lay them all out in front of yourself, you see that, yeah, there has been a lot of change over the past decade when it comes to a lot of this geopolitical stuff. It's a feedback loop, isn't it? It is. It is. I think one of the things that strikes me is just that it's become constant. Like there, it used to be that you'd have something like the OPM breach, which was more episodic. Ooh, something happened. And ooh, there was a breach. Or ooh, the data got stolen. Or ooh, there was some ransomware. And it's just, it's everywhere now. It's daily. Thank goodness for us. Yeah, there's a low-level drone of this stuff that is all the time now. And so that's the new reality. That's where we are. Yeah. Was there anything, leading question, but anything that contributed to that shift? Because that is quite a change from what the landscape looked like, at least for the civilian side of things. Now, as you said, that drone of continuous threats, especially on that international scale, it is quite a shift. What do you feel has contributed to that? I think geopolitically, it's the reality and the recognition from nation states that cyber is a domain without the usual borders. And also, you get a huge return on your investment. You don't have to build an aircraft carrier to force your influence around the rest of the world. And we've seen that with things like influence operations from the Russians and Chinese stealing information from our companies, our organizations, supply chain issues, all those kinds of things. Again, they're a day-to-day thing now, and they weren't always. That's for sure. Yeah, I think as we start thinking about specific incidents and threats, the one that definitely I'm sure for most of our listeners would come to mind as we look back the 10 years, not Petya, and how seismic Petya and then not Petya truly were, and everything that has come after that. Can you talk us through that one a little bit? Because that was such a huge, huge thing when it landed. Well, I think it was the one that sort of opened everybody's eyes, and thought it can happen to us, right? You have a global disruption of the supply chain, you know, major supplier gets hit and everybody starts worrying that maybe our global economy is a little more fragile than we thought it was. So it certainly got everybody's attention, made everybody feel like it was real. and, you know, it's in everybody's consciousness ever since. That's very true. That's very true. And another thing, as we look back on the last 10 years, 2022 was the start of the war in Ukraine and it's still ongoing. The fallout from that is certainly global, especially when we're talking within the cyber realm. What are the geopolitical shifts within the conflict that you think have fed into the cybersecurity realm, as it were, like the nature of the threat. Yeah. I mean, there's this whole idea that the war in Ukraine has been a bit of a laboratory for cyber war, for modern cyber war, the integration of cyber and kinetic battle, using cyber alongside your battlefield operations, again, information operations, which is top of mind for the Russians. You know, They've always, it's always been something they've had up their sleeve, but it feels like cyber has been an accelerant for that, for them to be able to do the things they do. and then also sort of related to I think it started in Ukraine but related to what we're seeing now in Iran is seeing inexpensive technology being used in warfare little consumer drones consumer electronics routers Starlink all these things that are not nil spec you know Such as it is. Right. Whatever that means. But they're off-the-shelf tools that hose themselves up to the cyber and have allowed folks to have an unfair advantage or at least maybe not as much of an outsized disadvantage against a larger, more capable adversary. Speaking of adversaries, and again, we're based in the United States, so this is our very U.S.-centric point of view. So just owning up to that. But when we think about, in case that wasn't obvious, when we think about, you know, the adversarial nation states, often Russia, China, North Korea, those are the names that commonly come to mind. Iran, of course, is part of that as well, has been. But things have shifted in that arena as well in terms of nation-state strategies against other nation-states and also against private enterprises all in the mix. Over the last 10 years, again, big shifts. Anything notable that you want to highlight on that front? Well, let's look at China, who famously, I think they play the long game. And we're in the middle of that long game. Who knows how long it is? We might be in just the beginning of it. But we've seen that they have positioned themselves in our infrastructure. They have access to supply chain. So many things get manufactured in China that it's and the manufacturers are obligated to do what the Chinese government wants them to do. So I think there's a legitimate concern from nations like ours to think about what might be in the firmware, what might be in our supply chain. We certainly found them in our telecommunications infrastructure with the various typhoons, of old typhoon, salt typhoon, and those sorts of things. so they're more looking for long-term economic influence and advantage rather than turning the lights off which i think is the fear that we have from say russia or iran of messing with our critical infrastructure uh it seems like china really interested in gathering information knowing what we up to so they can leverage that knowledge to their own advantage And it leaves defenders in a really in a bit of a bind truly when you thinking about potential supply chain attacks or just issues from within the supply chain And specifically, if we're talking about devices from China, in many cases, they're the only source for some of these things, many things that are made. There is no domestic supplier for not just some, many of the things that a lot of modern IT infrastructure relies on. So it leaves defenders in quite a difficult position. And I'm wondering, what is the advice that defenders should be applying in their day-to-day? Or what can we tell them? What should they be doing in light of all that? Well, I think ultimately, I mean, it's defense in depth, right? So you can't rely on only one thing to protect yourself. So you do your due diligence to check to make sure your supply chain is as secure as it can be, but then have defenses in place on the chance that it's not because it might not be. And so, look, we're seeing again to the present day. Who thought we would see the rest of the world being so interested in digital sovereignty? Because of the actions of the United States, the major players, the Microsoft, Google, Amazon, we're seeing other nations building their own infrastructure because they're not sure they can depend on us as good partners in a way that they had assumed that they could in prior years. So I don't know the degree to which people saw that coming. I certainly didn't. I don't know about you. That was a blindside for a lot of us. Yeah, I did not. I'm still reeling from it personally, honestly. And given the conversations that you've had, especially in the last few years, I'm wondering if the nature of what you're hearing from people that you've interviewed when geopolitics, but maybe also specifically supply chain issues, has the nature of that conversation changed? I mean, are there new worries, anxieties? What are you hearing that is trend-wise that has changed? Yeah. I mean, I think it's top of mind for a lot of people. They understand that the threat is real. They understand that there's only so far down the supply chain ladder that you can go to trust but verify. And like you said, so many things come out of other nations who are potentially adversarial. I mean, look at how many of us are carrying iPhones around, right? Who makes the iPhones? Where do they come now? So who are we trusting? We're trusting Apple to do their due diligence. But, right. The thing is, so at some point you have to trust someone. I want to let that marinate for a second because it's an important point, But it's also, it makes me kind of recoil. I don't know why, just viscerally, it makes me go, yeah, but. And yet, what is probably the most popular thing that we've seen, or one of the, let's say, top five things that's come to the fore in terms of strategies is zero trust architecture. So you don't want to trust anybody, right? Where does it leave us, truly? Right. Well, you have to strike that balance. And, you know, I guess it's the old Reagan saying, trust but verify. Only trust so far and do your due diligence. And zero trust is a way to be constantly challenging the trust to make sure that people are only getting access to what they need to when they need it. And I think that's wise. So the rise of zero trust and its adoption by governments, you know, the feds really jumping in with both feet with zero trust, I think, shows that that's probably where we're headed going forward. Be sure to check out the full version of my interview with Maria this Sunday as part of a CyberWire special edition. And finally, the promise of VibeCoding was simple. Describe an app in plain English, click publish, and suddenly everyone's a software developer. Unfortunately, some of those developers also accidentally became system administrators with the security habits of an unlocked filing cabinet. According to reporting by Andy Greenberg for Wired, researchers at Red Access found more than 5,000 publicly accessible web apps built with AI coding platforms, including Lovable, Replit, Base44, and Netlify, that lacked meaningful security protections. According to the researchers, many exposed sensitive business and personal information, including medical records, financial data, internal strategy documents, chatbot logs, and cloud credentials. In some cases, the apps reportedly allowed administrative access with little or no authentication. The findings echo earlier waves of cloud storage misconfigurations, where easy-to-use platforms collided with limited security expertise. Researchers warn AI coding tools are now putting powerful application development capabilities into the hands of employees who may never pass through traditional security review processes, if they pass through any process at all. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Mark Kelly, threat researcher at Proofpoint. The research we're discussing is titled I'd Come Running Back to EU Again. TA-416 resumes European government espionage campaigns. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazis. Our executive producer is Jennifer Iben. Peter Kilty is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Thank you.
