Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Wednesday, May 6, 2026. I'm Rich Stroffolino.

Video game platform hit by supply chain attack
Researchers at ESET documented a campaign by the North Korean-aligned threat group ScarCruft to install a backdoor on targeted Windows and Android devices. This targeted the gaming platform sqgame.net, popular with ethnic Koreans living in China's Yanbian region that borders Russia and North Korea. Since late 2024, the gaming platform distributed trojanized components for Windows and Android games to install the Bird Call backdoor. Malicious Android apps are still being distributed by the platform as of this recording. ScarCruft has a history of targeting North Korean defectors and human rights activists.

Bleeding Llama could expose your data
Researchers at Sierra disclosed a heap out-of-bounds read issue in Ollama, the popular open source tool for running local LLMs. This bug impacts Ollama's GGUF model loader, with a maliciously crafted GGUF file that could open the door to memory access and leak API keys and tokens. This is exfiltrated with Ollama's built-in model push feature. The entire attack chain requires three unauthenticated API calls and is possible because by default Ollama launches without authentication and listens to all network interfaces. The vulnerability was patched in version 0.17.1.

US gets more early LLM access
The US Commerce Department's Center for AI Standards and Innovation announced it reached deals with Google, Microsoft and xAI to give the US government early access to upcoming models to test and improve security on critical systems. This matches similar deals in place with Anthropic and OpenAI since 2024. The government center has tested over 40 models so far. This comes as sources from both the Wall Street Journal and New York Times report that the Trump administration is considering an executive order that would create a program for the government to review new AI tools prior to release.

Australia launches Cyber Review Board
The Australian government announced the formation of the Cyber Incident Review Board, which will independently review major cyber attacks in the country. These will be no-fault reviews that focus on systemic lessons to apply to the industry rather than culpability for individual organizations. Telstra CISO Narelle Devine will chair the group. The board will be modeled after the now defunct U.S. Cyber Safety Review Board, established by the Biden administration in 2022 and disbanded by the Trump administration.

And now a huge thanks to our sponsor for today, Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/CISO.

UK sees a jump in romance scams
The Report Fraud unit for the City of London Police reports that romance scams increased 29% in 2025 to 10,784. These resulted in 102 million pounds in losses, with an average loss of 9,500 pounds per scam, although some scams reached into the millions of pounds. Almost half of all losses came from people aged 55 to 74, with men reporting more scams but women suffering larger losses on average. These scams followed the familiar playbook, using fake profiles on social media to build a relationship with the victim before requesting money for a variety of purported emergencies. Romance scams accounted for just 3% of overall fraud losses in the UK. Romance scams make up a much larger percentage of cyber losses in the US, with almost $1 billion paid in 2025.

Threat actor finds a way to make compliance worse
The Microsoft Defender research team discovered a phishing campaign using fake compliance-related communications as lures. The campaign ran in mid-April, targeting 35,000 users across thousands of organizations, primarily in the US. The emails used slick enterprise-style HTML templates for authenticity. Subject lines used time-sensitive lures, often citing conduct policy reviews and urging recipients to open attachments to review case materials. The messages also included green Paubox encryption banners and showed Cloudflare CAPTCHAs when clicking through malicious links, just to make everything seem legit. Ultimately, these led to phishing pages trying to harvest Microsoft and Google credentials.

ProtonMail adds PQC
The privacy-forward company announced that it's rolled out support for post-quantum encryption across its email platform, including users on its free plans. This will deploy as a complement to its existing RSA and ECC encryption. Users must opt into PQC by using new encryption keys and be using the latest Proton apps, and it doesn't support PQC on end-to-end encrypted forwarding yet. ProtonMail also announced compatibility with OpenPGP v6 and said it's collaborating with the wider open email ecosystem to ensure quantum-safe mail can operate across all providers.

The AI transformation paradox
Microsoft released its 2026 Work Trend Index report. One of the top-level findings is that 65% of workers fear falling behind if they don't adapt to AI, but at the same time, 45% of workers feel safer focusing on current workflows and redesigning them for AI. Only 26% of respondents said their leadership is consistently aligned on AI, opening the door to potential shadow AI proliferation. 16% of respondents were identified as frontier professionals, those that use multi-agent systems to rethink workflows. The biggest use case for AI was analysis and reasoning, used by 49% of chats. Interactions accounted for 19%, producing work 17% and gathering information with 15% of chats.

Cyber attack halts high-speed rail
Taiwanese authorities arrested a 23-year-old student for interfering with the TETRA communications system used by the country's high-speed rail network. The suspect allegedly used a software-defined radio to send a general alarm signal that triggered emergency braking on nearby trains. This resulted in four trains being halted for 48 minutes on April 5. Local reports say that the radio system used by TETRA has not had any parameters of its verification system rotated since it was deployed 19 years ago. It's also possible that the transmissions weren't encrypted at all or use TEA1 encryption, which has had a known backdoor since at least 2023. The suspect faces up to 10 years in prison.

Remember to join us this Friday for Super Cyber Friday. Our topic is Hacking the End of Compliance. We're going to be digging into the impacts of continuous monitoring on the compliance landscape and where we go from here. It all starts at 1pm Eastern. Head on over to our events page at cisoseries.com to register, and we want you to share this event. So if you share the registration link on LinkedIn and tag the CISO Series, we'll put you in a drawing to win some awesome CISO Series swag. We hope to see you there. And remember, if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
