
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, March 9, 2026. I'm Steve Prentiss.

FBI investigates suspicious activities on agency network. This investigation focuses on a cybersecurity breach suffered by the Digital Collection System Network, which is connected to the agency's wiretaps, pen register, surveillance tools and other intelligence collection systems used in criminal and national security investigations. The incident occurred on February 17th and was discovered after irregular network behaviour was witnessed. A letter to Congress from the FBI allegedly claimed that the threat actors gained entry through an Internet service provider that served as a vendor to the agency. End quote.

Over 100 GitHub repositories distributing BoryptGrab stealer. This malware, spelt B-O-R-Y-P-T-G-R-A-B, can harvest browser and cryptocurrency wallet data along with system information and user files, and can assist in command and control communication. Researchers at Trend Micro have now revealed the existence of multiple ZIP archives masquerading as free software tools that have been distributed since late 2025 through the GitHub repositories. The researchers stated that the BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories, showing an increasing level of engineering sophistication.

Hackers abuse .arpa, DNS and IPv6 to evade phishing defenses. The .arpa domain is a special top-level domain reserved for Internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a host name. Researchers at Infoblox described a campaign that uses the ip6.arpa reverse DNS TLD to essentially point to faked IPv6 addresses owned by the threat actors, who can then abuse the reverse DNS zone for the IP range by configuring additional DNS records for phishing sites. End quote. A link to a more detailed description of this technique is available in the show notes to this episode.

European Union Court Advisor suggests banks compensate phishing victims. The Advocate General of the Court of Justice of the EU, Athanasios Rantos, has made a formal suggestion that banks immediately refund account holders affected by unauthorized transactions, even when the customer has fallen for a phishing scam. This dialogue is based on a specific lawsuit that was issued in Poland against a bank, in which a customer had been led to a spoofed auction site and had had money stolen. The bank had initially refused, but Rantos stated that under European Union Directives banks can only do this if they have reasonable grounds to suspect customer fraud. This can be reversed, however, if the bank can prove negligence on the part of the customer. To be clear, this is not a European Union Court of Justice ruling, but rather an indication of the direction that the court may take when the matter reaches that stage.

Huge thanks to our sponsor, Dropzone AI. Here is a number worth knowing before RSAC: the average enterprise SOC sees tens of thousands of alerts a day. Most get triaged, a fraction get thoroughly investigated, the rest sit in the queue or get auto-closed. Dropzone AI puts AI SOC agents on every one of those alerts, every alert investigated end to end across your full tool stack, around the clock. Over 300 deployments in production today. Dropzone AI is at RSAC this year at booth 455, and you can get more information at dropzone AI rsa2026 AI diner (D-I-N-E-R). This link is also available in our show notes.

New Jersey county suffers a malware attack. Passaic County, one of the largest counties in New Jersey, suffered a cyber attack that disrupted phone lines and IT systems used across government offices. Officials in Passaic recognize that this is just one of several attacks on local governments in New Jersey, noting recent ones in Somerset County, Camden County, Bergen County, the Township of Montclair and the City of Hoboken.

North Korea scaling up fake worker schemes with generative AI. A warning from Microsoft Threat Intelligence states that North Korean threat groups are using AI tools to accelerate and expand the country's long-running scheme to get remote technical workers hired at global companies for longer durations. A report released Friday calls AI a force multiplier in this pursuit by shortening the time it takes to create digital personas for specific job markets and roles, including impersonations and real-time voice modulation.

Claude finds 22 Firefox vulnerabilities. As part of its security partnership with Mozilla, Anthropic said on Friday that it discovered these new security vulnerabilities in the Firefox web browser, with 14 classified as high. The vulnerabilities were discovered using the Claude Opus 4.6 large language model and have been addressed in Firefox 148, released late last month. Anthropic said the LLM detected a use-after-free bug in the browser's JavaScript after just 20 minutes of exploration, which was then validated by a human researcher in a virtualized environment to rule out the possibility of a false positive. End quote.

Transport for London slightly increases their count of the number of people affected by the 2024 breach. Following up on a story we covered in September 2024, Transport for London, the local government body responsible for managing much of London's transport system, now says that the September 2024 data breach exposed the data of more than 7 million people, somewhat more than the 5,000 initially suggested. Two teens affiliated with the Scattered Spider group were charged with committing this crime. The discrepancy in these numbers was not an error, but reflected Transport for London placing priority on 5,000 customers whose digital pass cards, known as the Oyster card, may have been breached, potentially leading to banking information.

Do you want to know more about the most pressing stories of the last few days in time for your weekly standup? Join us today at 4:00pm Eastern for the Department of No, where our guests, John Barrow, CISO at JP Poindexter Co., and Derek Fisher, Director of the Cyber Defense and Information Assurance Program at Temple University, will sort out the priority stories and do a deep dive on the ones that matter most. And of course we will actively involve you in the conversation. If you want, just go to YouTube, search for CISO Series and look for Department of No for March 9 under upcoming live streams. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast Summary: Cybersecurity Headlines
Episode Title: FBI network breach, GitHub distributes stealer, Hackers abuse .arpa
Podcast: CISO Series
Date: March 9, 2026
Host: Steve Prentiss
This episode covers a network breach at the FBI, GitHub repositories spreading a data-stealing malware, and the abuse of .arpa reverse DNS infrastructure and IPv6 by phishing operators to evade defenses. Other stories cover EU legal guidance on refunding phishing victims, a malware attack on a New Jersey county, North Korea's use of generative AI to scale its long-running fake remote worker scheme, 22 Firefox vulnerabilities found by an LLM, and a revised victim count for the 2024 Transport for London breach.
[00:08]
Incident: The FBI is investigating a cybersecurity breach of the Digital Collection System Network, which is integral to the agency’s surveillance and intelligence gathering.
Discovery: The breach, discovered after irregular network behavior, occurred on February 17, 2026.
Entry Point: Attackers allegedly accessed the network via an Internet service provider serving as a vendor.
Implications: The hacked system links directly to sensitive investigative tools, raising concerns about the potential exposure of surveillance operations.
"The incident occurred on February 17th and was discovered after irregular network behaviour was witnessed." — Steve Prentiss [00:13]
[01:01]
Threat: Over 100 GitHub repositories were identified distributing the BoryptGrab stealer (spelled out on air as B-O-R-Y-P-T-G-R-A-B).
Functionality: The malware can harvest browser data, cryptocurrency wallets, system information, and user files, as well as assist in command-and-control communications.
Method: ZIP archives posing as free software tools, distributed through the GitHub repositories since late 2025 (research by Trend Micro).
Trends: Researchers note increasing sophistication and prevalence of these campaigns, with evolving techniques exploiting trusted platforms.
"The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories." — Steve Prentiss [01:20]
[01:36]
Technique: The .arpa top-level domain is reserved for Internet infrastructure, and ip6.arpa exists so that an IPv6 address can be mapped back to a host name (reverse DNS). Threat actors who own IPv6 address space also get the ip6.arpa reverse zone for that range, and the campaign adds ordinary DNS records to that zone so that names under ip6.arpa resolve to phishing sites.
Research Source: Detailed by researchers at Infoblox.
Risk: A reverse DNS zone is expected to hold only PTR records, so URLs under ip6.arpa can slip past filters that treat .arpa as infrastructure rather than as a place websites live.
"Researchers at Infoblox described a campaign that uses the ip6.arpa reverse DNS TLD to essentially point to faked IPv6 addresses..." — Steve Prentiss [01:45]
[02:07]
Development: Athanasios Rantos, Advocate General at the Court of Justice of the EU, recommends that banks immediately refund unauthorized transactions even when the customer was phished; under EU directives a bank may refuse only when it has reasonable grounds to suspect fraud by the customer, and the refund can be reversed if the bank proves the customer was negligent.
Case Origin: A Polish lawsuit involving money stolen via a spoofed auction site.
Legal Context: Not a court ruling yet, but signals the possible direction for future EU decisions.
"The bank had initially refused, but Rantos stated that under European Union Directives banks can only do this if they have reasonable grounds to suspect customer fraud." — Steve Prentiss [02:30]
[04:09]
Victim: Passaic County, among New Jersey’s largest counties.
Impact: Malware disrupted government office phone lines and IT systems.
Pattern: Follows a run of attacks on New Jersey local governments, including Somerset, Camden and Bergen counties, the Township of Montclair and the City of Hoboken.
"Passaic County... suffered a cyber attack that disrupted phone lines and IT systems used across government offices." — Steve Prentiss [04:13]
[04:48]
Warning from: Microsoft Threat Intelligence.
Tactics: North Korean groups use AI to enhance creation of fake digital personas, apply for remote technical roles, and employ real-time voice modulation.
Goal: To maintain longer access at global companies and increase the scale and speed of infiltration.
AI Role: Labeled a "force multiplier" in creating more convincing identities rapidly.
"...AI a force multiplier in this pursuit by shortening the time it takes to create digital personas for specific job markets and roles, including impersonations and real-time voice modulation." — Steve Prentiss [05:08]
[05:38]
Breakthrough: Anthropic’s Claude Opus 4.6 LLM, through its partnership with Mozilla, found 22 new vulnerabilities in Firefox, 14 of which were high severity.
Process: The model found a use-after-free bug in the browser's JavaScript after 20 minutes of exploration; a human researcher then validated it in a virtualized environment to rule out a false positive.
Impact: All issues fixed in Firefox 148, released late last month.
"Anthropic said the LLM detected a use-after-free bug in the browser's JavaScript after just 20 minutes of exploration..." — Steve Prentiss [05:57]
[06:23]
Update: Transport for London now says its September 2024 breach exposed the data of more than 7 million people, against the 5,000 initially suggested.
Explanation: The lower figure was not an error; TfL had prioritized roughly 5,000 Oyster card customers whose breached records could have led to banking information.
Attribution: Two teens affiliated with the Scattered Spider group were charged.
"The discrepancy in these numbers was not an error, but reflected Transport for London placing priority on 5,000 customers whose digital pass cards, known as the Oyster card, may have been breached..." — Steve Prentiss
Notable quotes:
On FBI Breach:
"The incident occurred on February 17th and was discovered after irregular network behaviour was witnessed." — Steve Prentiss [00:13]
On evolving GitHub threats:
"The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories." — Steve Prentiss [01:20]
On ARPA abuse:
"Researchers at Infoblox described a campaign that uses the ip6.arpa reverse DNS TLD to essentially point to faked IPv6 addresses..." — Steve Prentiss [01:45]
On compensating phishing victims:
"...Rantos stated that under European Union Directives banks can only do this if they have reasonable grounds to suspect customer fraud." — Steve Prentiss [02:30]
On North Korea’s AI worker schemes:
"...AI a force multiplier in this pursuit by shortening the time it takes to create digital personas..." — Steve Prentiss [05:08]
On Claude AI and Firefox:
"Anthropic said the LLM detected a use-after-free bug in the browser's JavaScript after just 20 minutes of exploration..." — Steve Prentiss [05:57]
The tone remains urgent, matter-of-fact, and technical, consistent with the CISO Series’ journalistic style. Steve Prentiss delivers direct reporting with concise explanations and citations from researchers and officials, targeting a security-aware audience.
This episode offers a compact yet comprehensive update on the shifting landscape of threats, regulations, and technological advancements in cybersecurity as of early March 2026.