
A
This is Rich Stroffolino with the Department of Know. Kate Mullen, director at the SABSA Institute. I have to ask, first of all, thanks for being here. But one, what has been your priority this week?
B
Actually, I've kind of strayed away from business for last this past week. Going to be working next week and the week after. I'm going to stray again. I did a lot of education and training, a combination of things for our local West Florida ISACA chapter, as well as for materials and information about the SABSA Institute. Because if we don't educate people, we're going to fight the same battles over and over again.
A
Don't hate educate. It's what I always say. I also say thanks for being here. Nick Espinosa, host of the Deep Dive Radio Show. I have to ask, what is your what has been your priority this week?
C
You know, it's amazing to me how quickly priorities changed because I started really focusing on projects and I ended my week building a canoe so I could get into my basement and fix my broken hot water heater. So here we are. That's right. I can literally swim in my own house and all I had to do was wait 13 years for the thing to break. Hi.
A
You know, a baker's dozen is a fine life for a hot water tank until you realize you didn't know that you had the same one for 13 years. All right, producer Josh, let's run that opening. Get into the show. From the CISO Series, it's Department of Know. Yes, indeed. Welcome to the Department of Know, your virtual Friday strategy meeting. Our sponsor for this week and for today specifically is ThreatLocker. Appreciate them helping make the show possible. Also appreciate everybody joining us in our chat on YouTube. I see find the true 2, I see CCL, I believe, is in there. Kevin Ferrell sent us a giant woo, Ric Flair style. So there's enthusiasm abounds here. You have to join us every Friday at 4pm Eastern. It's a lot of fun. You can share your thoughts on the stories of the week or send them to us at feedback@cisoseries.com. We in fact read all the emails. Just a quick reminder before we jump into the news here that all of the opinions expressed by our glorious guests are in fact their own, not necessarily those of any employers, friends or family. We've got about 30 minutes, so let's dive in. We're going to kick it off with our Know or No segment. This is where we want to know, is this something we need to know about to dig into with our teams or is this, that's a no, thanks. We're going to start out here. We don't always cover stuff from Google I/O here, but Google wants people to remember CodeMender. It seems to be part of a trend. Who knew, AI, it's still a thing. At its I/O conference, Google announced that it's making its CodeMender tool available to select groups of experts. Google initially announced CodeMender back in October 2025, which in AI terms is like 6 billion years ago. And it's an AI agent that's similar to Anthropic's Mythos and that can debug and fix software vulnerabilities. At the initial announcement, Google said it was taking a cautious approach, focusing on reliability with CodeMender, and all patches were being reviewed by human researchers.
At that time, the CTO for Google DeepMind confirmed that they have been in discussions with governments and enterprises to audit systems with CodeMender. Nick, you know, Google has both the. You know, it kind of has the 800-pound gorilla in the AI space in DeepMind. If we learn nothing else from the Elon Musk OpenAI trial, it's that they're all terrified of Demis Hassabis. Doesn't seem though that CodeMender got the same hype as what OpenAI and Anthropic were doing just earlier a couple months ago. Do you want to know more about CodeMender specifically or are these, you know, vulnerability scanning LLMs all starting to look the same to you?
C
I mean, you know, I mean, you know, we know what they do, you know, and you know, shame on Google for not marketing better. Right? But the only thing I'd be interested in, in this entire thing because, yeah, you got Mythos, you got Daybreak now over at OpenAI.
A
Yep.
C
Google's like, hey, you know, we're not the redheaded stepchild and nobody thinks you are, Google, you know, but the only thing that, that I would really want to know is what governments they're in discussion, is, are we talking North Korea and Iran or are we talking more?
A
It's burying the lead, Google.
C
Right?
A
That's. That.
C
That's the only real question I have for Google is who. Who are you talking to?
A
Kate, what about you? Do you, do you want to.
B
I'm 100% with Nick on this. It's like, meh. It's another. I mean, you know, maybe in the future I'm going to care about it, but right now I got enough on my plate. No, thank you.
A
Yeah, I need to see the reports from I think it's the AI Safety Institute have been testing Mythos and what is it? Codec Security or the latest GPT 5.5 model. And like those are interesting to see like what these are capable of. So when that comes out for CodeMender, I definitely want to see that until this gets into hands that I could, people I could talk to that have actually used it. That's, that's, I think when the litmus test for me will be. Next up, next up here. UK cybercrime law reform would protect almost no one, say experts. According to Recorded Future News, the British government's plans to overhaul the Computer Misuse Act of 1990 would offer such narrow legal protections that most security researchers would be left in the same position as today. The updated law was intended to protect researchers from conviction in court as long as they meet certain safety or certain safeguards. But sources say that those safeguards are extraordinarily limited, requiring government-certified researchers to immediately stop scanning once any vulnerability is found and only protecting them if they're doing individual scanning. So they couldn't be managing like a larger team, an automated system. Cough, cough. Mythos. Kate, I'm going to start with you here. A law that seems completely out of touch with lived reality. How novel. Do you want to know more about what the UK is thinking with revising? They've waited 35 years to revise this law or is it a no thanks for you?
B
Actually I do a lot of international, so I am interested in, and the problem is you get something written in one country and the next time you look at it it's all over the place. Yes. I think right now what they are doing is misguided. I think it's single fold focused. I'm sorry, I actually fix or have my teams fix multiple vulnerabilities at the same time. So this, I mean that's an audit methodology, that's not a development methodology. So I think it's good to look at because it is currently a proposal. So if we can comment on it and make it better, I believe in providing input because they don't know what we're thinking if we don't tell them.
A
Nick, where are you at with this story?
C
I mean there's the right way, there's the wrong way and then there's the British way, which apparently is the wrong way, only a whole lot slower. I mean, what are they thinking? We don't test one IP address at a time. Right. I mean it's really that simple. We load up the entire block and we get rolling as fast as we can, and so requiring vulnerability testers, researchers, all of that, to immediately stop the moment they find a single vulnerability. It just fundamentally misunderstands our job. It misunderstands how we analyze things and all of this. And it is ironic, I think, right, because modern defenders, modern vulnerability testers, we need to behave at machine speed because the attackers already do. We're slow enough as it is through all the corporate red tape or organizational red tape, and now we've got a law that potentially constrains our automation. Like, what the hell are you thinking?
A
You know, we have machine speed, we have human speed, and then we have British government speed. Yes.
C
It's like calm and carry on as the.
A
It's. It's the fish coming out of the water. This is the log fin.
C
Oh, my God.
B
They do actually do a lot of really good security stuff. This just isn't it.
A
Yes, yes. Yeah, yeah. And I will say this all comes into a larger reset kind of in the whole UK cyber posture. I know the NCSC is going through some very foundational shifts as well. So this is not a final law. This is reporting on a proposed law. So things may change. I hope they take feedback that they are receiving from seemingly everyone to heart with this. But we will keep you up to date on cybersecurity headlines as we get more details as this gets closer to being law. Claude sandbox hole, real and dangerous, is our next story here. Anoun Gown, a cloud and AI security researcher at Wise Labs, found two patched vulnerabilities in Anthropic's Claude Code sandbox that could allow network sandbox bypass and data exfiltration when combined with prompt injections. The flaw includes a SOCKS5 hostname null-byte injection to expose credentials, GitHub tokens and cloud metadata. But they were silently fixed. Anthropic says the issue was already patched before this disclosure. Gowen argues that the lack of clear public notice leaves users unaware that their sandbox boundary may have been ineffective for months. It turns out the black box is still super black again. Who knew? Nick, for you, do you want to learn more about these already patched vulnerabilities? Is that valuable to you? Or is it enough to know that, hey, LLM makers, they found it, they fixed it, let's move on.
C
I actually think this is an incredibly important one. And the reason being is this is exactly the kind of AI security issue that we should be telling the world to. Right? It literally exposes an issue in sandboxing, something that is supposed to be a hard boundary that we're supposed to trust. And the way I look at it is if you're an LLM maker at this point, you're not just making AI, you're a security vendor. I'm sorry, right? Mythos wasn't initially created to find vulnerabilities. And look at that thing go. You are a security vendor, right? So if you can run these kinds of code, you can handle secrets, you can do all of these things, not to mention just access to production based environments. You're a security vendor. I'm sorry, you know, and you've got to be treated as such. It's just, it's a mess. It really is.
A
Kate, are you in the same boat as Nick here?
B
Well, so part of it is, I mean, we're not allowing Claude right now, Claude right now, because of multiple issues. But I think that the people that are doing vendor due diligence need to know this is not a transparent vendor. And by the way, that's not the only news this week about not transparent vendors. But the other thing is if, you know, I mean, I get shadow AI everywhere, everybody does. Finding out if anybody was using Claude during that period of time and what happened. I mean, at this point, you're looking at sandboxing the sandbox.
A
Yeah, yeah, yeah. Which again begs so many questions to get into the, you know, can we, can we even call it a sandbox then at that point? No. Fantastic. I love the passion. I was not expecting the passion in the story. This is absolutely fantastic. In our chat we've got some, some lively stuff about Skynet going on right now. But let us know how you're feeling about this Claude story because I feel like this is going to resonate too as well. Are you having the same kind of concerns? Let us know in the chat. Ethical infosec, CCL, find the true 2. Let us know in there. Love to hear from you folks. Our next story here, the last one in our Know or No segment. Shai-Hulud wave compromised 600 npm packages. Socket, Endor Labs, Aikido Security and Microsoft say a new Shai-Hulud supply chain attack published more than 600 malicious npm packages mainly targeting the AntV ecosystem. Research has found the malware steals developer and CI/CD credentials, self-propagates using stolen npm tokens, exfiltrates data through the encrypted Session network and generates legitimate-looking Sigstore attestations to evade detection. Aikido also found persistent backdoors in VS Code and Claude Code configs. While nearly 3,000 GitHub repos were automatically created to store the data. Nothing like a nice complex chain there. You know, npm seems like the target that keeps getting targeted here. Kate, this isn't our first run in with the Shai-Hulud supply chain attacks. I imagine it's not going to be the last one as well. Do you want to know more about just kind of this whole ecosystem here or is this becoming run of the mill at this point for you?
B
Here's the thing, the impacts are big. I think that we really, really have to keep an eye on Shai-Hulud. I mean thank you for the Dune reference, I really enjoy it but. And by the way, I can talk to my kids about it because you know, Dune. But the reality is that these guys are smart. They're in everything. They are everywhere. And of, you know, this is a group that, that people, you know, talking to the team, they need to be aware of these guys and they need to be aware of the impacts of what they can trust and what they can trust downstream. And are there even any protections we can put in place? I mean, because for everything that gets announced, where else are they? I mean the whole problems with credentials is getting more and more massive.
A
Yeah, this, this is kind of the, you know, hitting on both sides of everything that's under stress right now. It's, it's software supply chain, it's, it's unmanageable credentials. I mean Nick, where is your mind at when, when we're seeing more and more of these Shai-Hulud campaigns?
C
Yeah, well, first things first, it better be the Kyle MacLachlan Patrick Stewart Dune and not the Timothée Chalamet Dune. I'm just throwing that out there right now.
B
Oh, I'm sorry. I go, I go back to the books.
A
Oh, they were books. You go to Herbert.
C
I'm good.
B
Yes, yes, I've got them on the bookcase.
C
Okay, that aside, and maybe I'm just jaded at this point, but like you know, you know, Rich, every Sunday I do a breaches of the week video and podcast and they just keep getting longer and so it's just same as it ever was. But what I think what this really just like kind of underscores is that we can't base trust anymore on the popularity of something. Right. Or a familiar name or just the green check mark, you know, like, like we have to dive deeper. Like due diligence now has to be vastly more granular. And we all know there's been a big push in just, you know, corporate due diligence you know, in the last, let's say eight to ten years in cybersecurity. But going down to the package level just seems like that's what we're going to have to do. We'll get those bad sandboxes from Anthropic and, you know, have at it. So, you know, it's a mess.
A
Whoever can integrate in the solution to this with a hairless cat that's being milked in a tiny box probably is going to win first. Also,
C
am I missing a reference here or did we just go completely off the rails?
A
Sting is walking around in the Dune movie with that at one point. That's like the only visual I remember from the David Lynch. It's a weird David Lynch moment. Well, that's my own, so if you haven't seen that yet, it may have been very confusing. I do apologize. The David Lynch one is completely bizarre. It's amazing. It is really bizarre. All right. What is not bizarre is our appreciation for our sponsor for today, and that is of course, ThreatLocker. ThreatLocker is extending Zero Trust beyond endpoint control with their recent release of Zero Trust Network Access and Zero Trust Cloud Access. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions. Because as we've seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed and access is limited to exactly what's needed. Learn more and start your free trial today at threatlocker.com/CISO. All right, before we move into our deeper discussions here, CCL in our chat was saying as a macOS Homebrew user, the report on RubyGems as C2 was scary. We talked about that. That was one of our big discussion stories last week. So c if you didn't get a chance to check that out, make sure you check out last week's Department of Know, we kind of broke that down. That was one of the more interesting stories to me, new to the palate, in terms of how to abuse a package manager like that. Speaking of abuse, our first story here, CISA admin leaks keys. This comes from security reporter Brian Krebs. He was contacted by researchers at GitGuardian warning that a GitHub repository exposed credentials for several AWS GovCloud accounts. GitGuardian routinely scans for exposed secrets and notifies account holders. In this case, the owner didn't respond to their notifications.
So the GitHub repository was named "Private Cisa", ironically, and contained cloud keys, tokens, passwords in plain text, and other sensitive CISA and DHS assets. The account owner also disabled the default GitHub feature that prevents sharing of secrets. They know that people will be lazy and usually try and stop you. They turned that off. While the repo was eventually set to private, researchers at Soralis confirmed that credentials were working up to 48 hours later, even after being taken private. CISA said it was aware of the exposed assets, but said there was no indication that any sensitive data was compromised. Nick, this doesn't sound. I'm going to be generous here. Great. Help me contextualize this. How bad is this? How much would. Would you have to try to set up GitHub like this? What lessons, I guess, can we learn from this if we're sharing the story around with our teams?
C
I mean, I swear I love me some Brian Krebs, but God, he makes me want to drink. Five o'clock somewhere. I think, like, if I'm really going through this one, I mean, it's a team effort to really screw this one up. Right? I mean, you know, disabling multiple security controls, which, I mean, that's Cybersecurity 101. And we're talking about CISA. But I think outside of like the breakdown of the discipline, the layers of security, you know, the exposure of all of these things, I think we have to understand that this comes in the backdrop right now of this agency being gutted, losing funding. You know, they are, they are scaling back on vulnerability, enumeration and discovery and all of that to only focus on government systems. In other words, they're trying to cover all the bases with like a quarter of a baseball team. Right. It's virtually impossible for them to, I think, fully defend themselves, let alone focus on those, those core competencies that Chris Krebs, no relation to Brian, for the record, actually, you know, really spun up and obviously Jen Easterly picked up the ball, all that kind of stuff. But my point here is, is that if I'm looking at this, I mean, this is a literal organization responsible for improving our cyber hygiene. They are supposed to be our advisors, right? And they're ignoring the basics of like, secret management. I mean, I mean, talk about an erosion of trust. And, and, and it is just depressing, depressing to, to see what has happened at, at CISA.
A
Kate, are, are you drinking when you're reading Brian Krebs here or, and, and I guess is the. Do you agree with the diagnosis here that, that Nick is laying out?
B
I would layer on more. Okay, I really would. And yes, between the Krebs, I mean, you know, it's one of those. By the way, I've taught people if you get a call from Brian, you need to pass that over to information Security right away because you could stop a mess. But here's the thing, here's the thing. When we look at it, it's like if CISA had actually gone and run their security controls assessment against themselves after that loss of headcount, it was a third party contractor obviously outsourcing critical controls as they had removed that headcount and they're not scanning their own infrastructure, so they missed it. By the way, it can be hard to find when people have personal GitHubs and professional. I mean that is something that a lot of us has run, run into over the years. But here they're not following Zero Trust. They are not following basic, basic, basic access management controls. They're, they're not responding to alerting and alarming it. And, and here's the thing, the person that was notified could have been one of those headcount people that isn't even there anymore. I mean this is, this is really, really sad because I have, you know, relied on and used so many CISA resources over the years and the folks in CISA that are still hanging in there, they're doing yeoman's work. Yeah, but they can't, they can't do it. And I'm sorry if you say that we looked and nothing was compromised and you can't even see that this type of stuff is going on. I don't have any faith that things weren't compromised and you don't have embedded back doors in there. I mean, sorry, I think you should be bringing in one of the big forensic firms and taking a look. And I'm not always for outsourcing, but at this point these guys need to, but they need to do it with people that are reputable.
C
Right. But to that point, if I may, it speaks, I think to a breakdown of trust overarchingly in the information that we're receiving when if we are relying on a government entity, we should have trust in that entity and quite frankly we just can't right now. And to me that's absolutely heartbreaking. I mean, when I was thinking about this, just as we were putting these show the things together, just disabling GitHub secret scanning protections, that's like the cyber security equivalent of removing your smoke detector because it makes noise. You know what I mean?
A
It's making noise because they're.
C
I do have a smoke detector down right now, so who am I to complain? But the point being is that's what we're talking about, right? And so if we are doing things like that, you know, if we're letting the privates figure out the war because all the generals got sacked, you know, this is a, this is just a longitudinal problem and this is just indicative of what we are going to continue to see from them. If they don't start to get funding and manpower. It's just, it's going to be a huge problem.
B
Well, and I'm sorry to layer on that some of the services they provided, including they're only going to be looking at federal, nobody else provides it. Europe is looking and seeing if maybe this is something that they can bridge and help. But small businesses in America, healthcare in America have solutions. They don't have the money or the resources to figure this out. And you drop that and there's going to be vulnerabilities exploited all over the country.
A
That was one of the things that excited me under Jen Easterly was putting working with private industry to give tooling to SMBs, SMEs, that kind of stuff and building out those programs, those relationships, you know, that wasn't necessarily a top down thing. It was, you know, but you know, making it easier to get that kind of tooling and yeah, distressing to see CISA's mandate in that way curtailed when it's seemingly most needed or we don't. That's not all the CISA news we got folks. We got, we got another CISA story. Let me set this up for you here. The Cybersecurity and Infrastructure Security Agency, you may know it as CISA, is advising critical infrastructure operators to prepare for the possibility of operating independently from IT systems and third-party vendors for weeks or even months during a major cyber conflict. The guidance is driven largely by concerns over persistent threats from Chinese state-linked groups such as Salt Typhoon and Volt Typhoon. CISA plans to conduct targeted resilience assessments focused on ensuring utilities and infrastructure operators can continue delivering essential services even if disconnected from external networks. The agency says organizations should strengthen operational technology resilience. Oh boy. And rehearse manual recovery procedures. Kate, you were fired up about this story when we were, when we were getting the show together, particularly its impacts in the health care space. You have a ton of experience there. I'm curious, what are the challenges there specifically?
B
So in health care they do, a lot of organizations do downtime procedures and those downtime procedures are meant to last a couple of days, a week. And the impacts are significant. They use them a lot for ransomware events, etc. They are tabletop exercises. So they don't know what they don't know in terms of what is going to fail. For large hospital systems, the vendors actually have access into their systems and the vendors are actually running and supporting them. And then the other thing is most of the EHR/EMRs are actually cloud based now. So you take all that out and you put people on paper. There are certain things, there are certain classes of drugs, for example, that you need electronic approval from. And in order to override not getting that electronic approval, you have to already have a relationship with your governor's office. I mean, there are so many intricacies related to this. And basically when taken down this way, these hospital systems just don't offer the systems that they can't run electronically. And the thing is, there are certain things that you can't transfer if you are a cancer patient and a lot of that stuff is cloud based and you are being treated with radiation treatments, all of the records basically can't leave the system they're in. A lot of organizations will not take the transport of a patient without that information. And if you go too long and by the way, weeks without cancer treatment, what happens is you got to start over again. And I'm sure all of us have been touched by people with cancer where, I'm sorry, they're willing to do it once, they're not willing to do it twice. It is a death sentence for a lot of people. And that's just in the healthcare space. I mean, and some of what CISA is recommending is these downstream vendors, you know, being able to, but without coordination. And oh, by the way, we're not going to know the vulnerabilities in our systems because CISA is never going to tell us anymore.
I am despondent because a lot of the hospital systems and clinics, because of the funding crisis have closed and they are closing more. And the way they are providing care is virtually. So what happens is there are a lot of people in this country that will not have access to basic medical care if this happens.
A
Well, and I think, you know, kind of going back to what you're saying at the beginning there that so many, so often, in this case the vendors, right, are the ones in charge of this. We were talking about this on Defense in Depth that you know, OT vendors mostly own like, you know, you're asking them for permission a lot of times to apply patches and that kind of stuff. I mean, Nick, can you think of, I mean, I'm sure there are many other industries in critical infrastructure where this is going to be, I don't know, unfeasible or extraordinarily painful to prepare for that kind of eventuality.
C
Yeah, I mean, let me, let me put it this way because like, I, and I agree with what Kate said, but I kind of see this in a different way when I was really doing my homework on this. I think CISA is basically saying the quiet part out loud, right? In a serious cyber conflict, critical infrastructure down. We're not going to be able to count on normal connectivity, we're not going to be able to count on vendors, cloud services, remote support, those kinds of things. They are literally saying that they are shifting from an incident response mode to a survival mode. And that should be concerning for absolutely everybody. The world is in an incredibly contentious place right now. We have conflicts not just in the Strait of Hormuz in Iran, but we can see basically pieces lining up on the chessboard, if you will. And there's a lot of things that are moving around here. And so they're not just saying or asking the hospitals of the world, the critical infrastructure of the world. The economy, basically. Right, the infrastructure that runs the economy, you know, because that's what technology is. They're basically saying, can you keep enough water, power, fuel, transportation, whatever, to survive for potentially months? You know, and we've all seen the news. Like the Iranian hackers are looking at critical infrastructure. The Russian hackers are looking at critical infrastructure. Volt Typhoon, which apparently CISA lost track of for a while. These are the issues. And I think this is just the other thing that I was really thinking about when I was putting my notes together on this, is that this is just the hard truth on modern infrastructure because our efficiencies have created a ton of dependencies, right? So many essential services rely on interconnected IT, remote access, you know, those kinds of things.
And so when you look at it, and my biggest concern of all of them is probably Volt Typhoon at the moment, is that they're very good at getting into this stuff, disrupting these kinds of things, everything, you know, and we just had a summit where, you know, President Trump went to talk to President Xi, you know, and now we are seeing even different things happening right now as a result of that. So the United States paused weapons shipments to Taiwan. Well, what happens then? I mean, it does. If the Chinese, who have been looking at potentially blockading Taiwan, they would strangle 90% of chip production around the world. It could tank the economy, you know, so it's a huge issue. And this isn't just like a technical one, this is just operational resilience, you know, but, but they're really coming out and saying prepare for this like this, we expect this to happen. And I think that should just, everybody should be on alert for that.
A
Yeah, I mean when you, when you, you know, talking about remote access, I mean, how many in all of these water hack stories that we hear, water system hack stories is that. Oh yeah, they were just running like TeamViewer this like wide open. Right? You know, I mean like, yeah, exactly like. So I'm just like, we're gonna throw an extra exclamation point on their password and you know, hey, we're doing great now guys.
C
And local government is so underfunded, you know.
B
And by the way, I used to work for Oldsmar that had that hack.
A
Oh my, oh my gosh.
B
Yeah, well, you know, and, and the thing is, I mean these guys aren't IT guys, just aren't. And fortunately, because they're not, you know, some of the things that could have happened, they're not as dependent on, you know, so the worst case scenario didn't happen. But depending on the systems, yeah, it can. And I think we need to craft this message well, and bring this to executives. Okay. Because if you look at the, the, you know, the, the financial system that was compromised that caused oil shortages, it's one of those, what do you do when you cannot get revenue? I can still perform the service, but I'm not going to get any revenue if the government hasn't provided some methodology to keep critical infrastructure running. Some revenue source. Guess what? People will only work so long if they're not getting paid. Oh, and we've seen it with TSA, aren't getting paid. Can't even afford the fuel to drive to work.
C
Yeah, yeah. So happy Friday everybody.
A
Hey, hey, don't worry.
C
How do you end your day?
A
Don't worry. We got some open source drama as a nice chaser for existential dread over about the future of critical infrastructure. Okay, we've got two open source supply chain issues going on here. Linus Torvalds, he's the founder, he's the most of the word of Linux here. He's being grumpy about AI powered bug hunting tools. He's saying that it's made the Linux kernel security mailing list almost entirely unmanageable due to duplicate reports. Everybody's using the same tools to scan for vulnerabilities, basically saying don't submit the vulnerability unless it has context, unless it has exploitability, unless you actually do some enrichment on it and make it useful. Please, please leave us alone. Then there's TanStack considering making pull requests invitation only after a supply chain attack last week, tied to the, say it with me, Shai-Hulud worm, compromised its GitHub Actions workflows. Attackers exploited a feature to run malicious code through an automated CI pipeline, poisoning a shared cache across the repository. They have fixed that issue, but they're thinking, hey, invitation only might be the best way to secure it here. I'm just going to keep it in the drumbeat that 2026 is the year that every assumption about open source is being stress tested all at once. Obviously Linus is speaking about a wider open source problem here, but I'm curious, Nick, for you, do you think that we'll see more companies looking at this invite only PR, you know, PRs going forward and I guess, does that meaningfully change open source for you?
C
Yeah, I think it does. I mean, okay, to be fair, Linus is the quintessential old man yells at cloud, you know, literally cloud in this case, you know, but I mean, the invitation only request I think is pretty huge, you know, if you're thinking about it, right, because it fundamentally shifts, you know, basically the openness that we've had thanks to supply chain attacks. And so now you've got a whole bunch of projects reconsidering, you know, open source. Right, and all of these issues. And I think that then basically creates, I think, a really difficult balance. Right, because if you think about it like open collaboration really does drive innovation. Right? But we've got modern supply chain threats and that exploits the openness. And so I think what we're going to see just longitudinally is there are going to be a lot of projects that unfortunately are going to be invitation only or closed in some way, shape or form. But I think that's just a response to the nonstop 24/7, 365, you know, threat that we see. Like we all know, we all know every IPv4 address, for example, is scanned something like 80 times a day. Something like 80% of that is malicious, you know, and so it's just going to, it's just going to keep going, you know, as a basic example. But yeah, this is. Supply chain issues are just continuing to increase.
A
Kate, where are you at with this?
B
So, yes, and so part of it is that, yeah, for now, the solution is likely invite, you're removing anonymization. I mean, we fought so hard to be able to use open source and to have this happen is so sad. On the other hand, I think that, I'm sorry, we're all brilliant. We will find another solution. This is going to be a temporary drag. On the other hand, my thing with, with, with the crying because you keep getting repeat information about the same things. Set up a little, I do a comparison and only pass through the new stuff. Sorry, not that hard. And you know, I, I empathize with the problems we all have and have had over the years where we get somebody that drives by and says this is broken and they don't say where they found it, how they found it, they don't give you any way to search it. And depending on the information they give you, you may or may not be able to find it, you may not have the resources to find it. And then when it blows up, it's your fault. Thank you very much for your information. Dump of nothing.
C
Right, right. Well, and let me add to that, I mean, because obviously we all have to go get our Anthropic sandboxes now, right, Kate?
B
The sandbox for the sandbox. Yes.
A
Right.
C
And I get that. But in terms of spinning up AI, I mean, AI obviously can help find bugs, right? I mean that's just, you know, 101. But I think the problem is, is that there's going to be a lot of noise, like a lot of duplication, a lot of just low value things like reports and actually, you know, that get submitted. I think that's what Linus is really complaining about. But if I'm looking at it from the perspective of our field, it just slows security response because now we have to sift through duplicates. We've got to cut through the noise to get to the actual vulnerability or, you know, whatever needs fixing. And here we are. So I agree with them. You know,
B
I'm serious. What is AI good at? Sorting through massive amounts of data. So when you're complaining about the fact you're having problems sorting through massive amounts of data, you know, it is a much better use than some of the other ones I've seen for AI, that
A
is that that is a higher performing data transformation. That it is not beyond the realm of capability.
C
Yeah, right, right. And, and that's because finding vulnerabilities are only, only to your point, part of the job. Right. We have to have actionable analysis. Right. We have to have testing that is reproducible. I mean, there's just a lot that goes into it. So, yes, I would agree. I was approaching it from the AI find bug, AI report bug, you know, and you're saying, okay, on the back end, AI sift through bug. And I get that. And I think that's. That's a really good point.
B
And the thing is, I've always had problems with the lack of traceability with AI anyway. I mean, that's one of my big complaints.
C
Yeah, I'd agree.
A
All right, before we get out of here, fantastic. Anytime I get to close out my week with a discussion about the future of open source, it's probably a pretty great week. But before we get out of here, is there any piece of advice, Nick, from you that you'd like to share from our audience, kind of based on our conversation? Any kind of. Kind of lessons we can leave them with?
C
One, check your hot water heater regularly. Two, just advice for everybody. I don't care where you live. The other thing I would say is keep a real close eye on CISA and support CISA in any way that you can, because quite frankly, cybersecurity is best when we are collaborative. We are all in this together. I don't care who you are and who you work for. You know, we are literally defending the infrastructure that runs the engine of the entire global economy. You know, we are the early detection warning systems, the seat belts on the car, the airbag when we hit the tree, and all of that. And we can never forget that, you know, and so. So CISA has always been an integral part and they've taken a lot of damage, not gonna lie. But. But we've gotta help them, and hopefully we can get them back to strength sooner than later.
A
Kate, what about for you, any. Any nugget of wisdom that you can leave our audience with?
B
Yeah, put it in perspective. Okay? Really put it in perspective. And yes, you should be looking at resilience. You should be doing disaster recovery exercises related to these scenarios. I live in Florida. I can survive for weeks without electricity or water. You know, it's looking at this as an opportunity and not treating these things as black swans when they happen. We're being given a heads up and some of this other stuff. Yeah, keep an eye on it. Sometimes it's just interesting and it gives you something to chat with the rest of the community.
A
Well, thank you both so much for being on the show. Fantastic conversation. Kate Mullen, the director over at the SABSA Institute, and Nick Espinosa, host of the Deep Dive radio show. We'll have links to both of your LinkedIn in our show notes and a link to the Deep Dive radio show if you want to check that out as well. Thank you both for being on the show. Truly, truly appreciate it. Thanks also to our sponsor for today, ThreatLocker. Remember, you can send us feedback anytime at feedback@cisoseries.com. Remember to join us again next Friday at 4pm Eastern for another edition of the Department of Know. Thank you so much for joining us today. I know your Fridays are valuable so if you can join us live, it is truly, truly appreciated. I hope everybody listening has a great week. Stay secure out there. And for myself, for Nick, for Kate, for all of us here, for a wonderful producer Josh and the big boss man David Spark and the rest of the CISO series team, here's wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Date: May 22, 2026
Host: Rich Strofalino (A)
Guests: Kate Mullen (Director, SABSA Institute, B) and Nick Espinosa (Host, Deep Dive Radio Show, C)
This episode dives into a week packed with critical security news: Google's rollout of its Codemender AI vulnerability tool, controversies around the UK's update to its Computer Misuse Act, new supply chain attacks in the npm ecosystem, a serious credential leak from CISA (the U.S.’s main cybersecurity agency), and existential questions facing open-source security as the Linux kernel and major projects respond to both automation and targeted attacks. The episode closes with practical advice for cybersecurity resilience.
This episode offers a nuanced, sometimes sobering snapshot of the modern threat landscape. Major insights include the challenges in keeping up with AI-enabled security tooling (both defensive and offensive), the difficulties of aligning legislation with research reality, the chronic vulnerabilities in software supply chains, and the existential risk posed by operational dependencies in critical infrastructure—with CISA’s faltering position as a stark warning about the potential cost of under-resourcing cybersecurity. The panel closes with practical, actionable advice: Build resilience, stay collaborative, and take the latest warnings seriously, as these are not black swan events but recurring, escalating risks.