Podcast Summary: Cybersecurity Today

Episode: BeyondTrust Zero-Day Exploited
Date: February 16, 2026
Host: David Shipley
Theme: Urgent cybersecurity alerts—zero-day in BeyondTrust remote access, innovative malware delivery channels, new social engineering attacks, supply chain risks, and NPM’s security overhaul.

Overview

This episode of Cybersecurity Today is a rapid-fire update on several pressing cybersecurity threats affecting enterprises and developers. Host David Shipley highlights a dangerous new BeyondTrust remote access vulnerability (actively exploited), creative malware delivery through DNS lookups, the use of AI-generated content to spread Mac infostealers, social engineering campaigns targeting developers, and the evolving landscape of software supply chain security following a major NPM incident. Listeners get actionable advice on urgent patching, risk mitigation, and the need for vigilance against evolving tactics.

Key Discussion Points & Insights

1. BeyondTrust Remote Access Zero-Day Actively Exploited

[00:40 – 03:20]

Critical Vulnerability (CVE-2026-1731):
- Affects BeyondTrust Remote Support (v25 and earlier) and Privileged Remote Access (v24 and earlier).
- Pre-authentication remote code execution (RCE)—attackers don’t need credentials or user interaction.
- CVSS score of 9.9/10: “It’s as bad as it gets.” (David Shipley, 00:55)
- Attack vector: Specially crafted client requests allow execution of OS commands as the site user.
- Risks: Complete system compromise, data theft, and disruption.
Scope & Exploit:
- SaaS/hosted instances patched automatically.
- On-premise deployments (~8,500 out of 11,000 exposed instances) require immediate manual patching.
- Exploitation technique: Use of the ‘Get Portal Info’ endpoint to extract 'XNS Company', then open a websocket session to execute commands remotely.
Action Item:
- “If you are running self-hosted BeyondTrust appliances, immediately patching is critical and, given confirmed exploitation, unpatched systems should be treated as potentially compromised.” (David Shipley, 02:45)

2. DNS Lookups as a Malware Delivery Channel

[03:21 – 05:25]

New Social Engineering Tactic:
- Uses NSLookup (built-in tool on Windows/macOS) as a malware staging channel.
- Users are directed to “troubleshooting” pages and asked to run a seemingly harmless command (actually a DNS lookup to an attacker-controlled server).
- The DNS response delivers stage-two payloads, blending in with regular enterprise DNS traffic.
Malware Payload:
- Downloads a ZIP with a malicious Python script -> runs reconnaissance -> deploys 'Modelo RAT' (remote access trojan).
- Persistence through startup shortcuts.
Key Takeaway:
- “The attack does not exploit a software flaw. It relies on users being tricked into executing attacker-controlled commands themselves by convincing them they need to prove they’re human.” (David Shipley, 05:15)

3. AI-Generated Content Pushing Mac Infostealers

[05:26 – 06:30]

Tactic:
- Attackers abuse publicly shared Claude LLM (AI) artifacts and SEO/search ads to distribute malicious terminal commands.
- Commands, often obfuscated, download infostealers like Mac Sync.
Impact:
- Steals sensitive data: Keychain, browser storage, crypto wallets.
- Exfiltration to attacker C2 servers. Tens of thousands of views on observed malicious artifacts.
Notable Pattern:
- “Attackers are combining AI-generated content, search engine manipulation, and social engineering to deliver malware without exploiting software vulnerabilities.” (David Shipley, 06:25)

4. Social Engineering: Recruiters Targeting Developers

[06:31 – 07:40]

Tactic:
- Fake recruiters approach targets (LinkedIn, Reddit) with coding tests for attractive roles.
- Provided projects contain malicious dependencies on NPM/PyPI.
- The campaign, dubbed ‘Grafalgo’, includes ~200 malicious packages, which mimic legitimate library names.
Risks:
- Once installed, malware grants remote access, exfiltrates files, and downloads more payloads.
- Developers are targeted due to their access to critical infrastructure.
Defense Advice:
- “Verification of recruiter identity and isolating untrusted projects are critical safeguards.” (David Shipley, 07:35)

5. NPM Titan Security: Progress and Persistent Risks

[07:41 – 09:20]

NPM’s Security Revamp:
- Deprecated classic tokens in favor of short-lived (~2 hours) session credentials.
- Emphasis on multi-factor authentication (MFA) and OpenID Connect (OIDC) trusted publishing.
Remaining Supply Chain Risks:
- MFA phishing remains a risk; some workflows allow long-lived tokens that can bypass security.
- Most malware introduced during the build/publishing artifact, not in source code.
Key Analyst Insight:
- “Until short-lived, identity-bound credentials and mandatory MFA become universal, supply chain compromise remains a material threat.” (David Shipley, 09:15)

Notable Quotes & Memorable Moments

“[On BeyondTrust Zero-Day] It’s as bad as it gets.” (David Shipley, 00:55)
“If you are running self-hosted BeyondTrust appliances, immediately patching is critical and, given confirmed exploitation, unpatched systems should be treated as potentially compromised.” (David Shipley, 02:45)
“The attack does not exploit a software flaw. It relies on users being tricked into executing attacker-controlled commands themselves by convincing them they need to prove they’re human.” (David Shipley, 05:15)
“Attackers are combining AI-generated content, search engine manipulation, and social engineering to deliver malware without exploiting software vulnerabilities.” (David Shipley, 06:25)
“Verification of recruiter identity and isolating untrusted projects are critical safeguards.” (David Shipley, 07:35)
“Until short-lived, identity-bound credentials and mandatory MFA become universal, supply chain compromise remains a material threat.” (David Shipley, 09:15)

Important Timestamps

00:40: BeyondTrust critical zero-day details and urges to patch.
03:21: DNS-based malware delivery chain explained.
05:26: AI-generated content and Mac infostealer distribution.
06:31: Malware campaign targeting developers via fake recruiters.
07:41: NPM’s security improvements and persistent supply chain risks.

Tone & Style

David Shipley delivers the episode with measured urgency, emphasizing the seriousness of each threat and prioritizing actionable steps and critical thinking over hype. The language is direct, technically clear, and designed to equip listeners to act quickly and wisely in an evolving threat landscape.

Summary Takeaway

Organizations and individuals must act swiftly on urgent vulnerabilities, remain alert to novel social engineering tactics, and recognize that technical improvements (like NPM’s token changes) are only part of the solution. Supply chain risk and human factor exploits remain primary attack vectors; continuous vigilance and robust verification are essential.

Podcast Summary: Cybersecurity Today

Overview

Key Discussion Points & Insights

1. BeyondTrust Remote Access Zero-Day Actively Exploited

[00:40 – 03:20]

Critical Vulnerability (CVE-2026-1731):
- Affects BeyondTrust Remote Support (v25 and earlier) and Privileged Remote Access (v24 and earlier).
- Pre-authentication remote code execution (RCE)—attackers don’t need credentials or user interaction.
- CVSS score of 9.9/10: “It’s as bad as it gets.” (David Shipley, 00:55)
- Attack vector: Specially crafted client requests allow execution of OS commands as the site user.
- Risks: Complete system compromise, data theft, and disruption.
Scope & Exploit:
- SaaS/hosted instances patched automatically.
- On-premise deployments (~8,500 out of 11,000 exposed instances) require immediate manual patching.
- Exploitation technique: Use of the ‘Get Portal Info’ endpoint to extract 'XNS Company', then open a websocket session to execute commands remotely.
Action Item:
- “If you are running self-hosted BeyondTrust appliances, immediately patching is critical and, given confirmed exploitation, unpatched systems should be treated as potentially compromised.” (David Shipley, 02:45)

2. DNS Lookups as a Malware Delivery Channel

[03:21 – 05:25]

New Social Engineering Tactic:
- Uses NSLookup (built-in tool on Windows/macOS) as a malware staging channel.
- Users are directed to “troubleshooting” pages and asked to run a seemingly harmless command (actually a DNS lookup to an attacker-controlled server).
- The DNS response delivers stage-two payloads, blending in with regular enterprise DNS traffic.
Malware Payload:
- Downloads a ZIP with a malicious Python script -> runs reconnaissance -> deploys 'Modelo RAT' (remote access trojan).
- Persistence through startup shortcuts.
Key Takeaway:
- “The attack does not exploit a software flaw. It relies on users being tricked into executing attacker-controlled commands themselves by convincing them they need to prove they’re human.” (David Shipley, 05:15)

3. AI-Generated Content Pushing Mac Infostealers

[05:26 – 06:30]

Tactic:
- Attackers abuse publicly shared Claude LLM (AI) artifacts and SEO/search ads to distribute malicious terminal commands.
- Commands, often obfuscated, download infostealers like Mac Sync.
Impact:
- Steals sensitive data: Keychain, browser storage, crypto wallets.
- Exfiltration to attacker C2 servers. Tens of thousands of views on observed malicious artifacts.
Notable Pattern:
- “Attackers are combining AI-generated content, search engine manipulation, and social engineering to deliver malware without exploiting software vulnerabilities.” (David Shipley, 06:25)

4. Social Engineering: Recruiters Targeting Developers

[06:31 – 07:40]

Tactic:
- Fake recruiters approach targets (LinkedIn, Reddit) with coding tests for attractive roles.
- Provided projects contain malicious dependencies on NPM/PyPI.
- The campaign, dubbed ‘Grafalgo’, includes ~200 malicious packages, which mimic legitimate library names.
Risks:
- Once installed, malware grants remote access, exfiltrates files, and downloads more payloads.
- Developers are targeted due to their access to critical infrastructure.
Defense Advice:
- “Verification of recruiter identity and isolating untrusted projects are critical safeguards.” (David Shipley, 07:35)

5. NPM Titan Security: Progress and Persistent Risks

[07:41 – 09:20]

NPM’s Security Revamp:
- Deprecated classic tokens in favor of short-lived (~2 hours) session credentials.
- Emphasis on multi-factor authentication (MFA) and OpenID Connect (OIDC) trusted publishing.
Remaining Supply Chain Risks:
- MFA phishing remains a risk; some workflows allow long-lived tokens that can bypass security.
- Most malware introduced during the build/publishing artifact, not in source code.
Key Analyst Insight:
- “Until short-lived, identity-bound credentials and mandatory MFA become universal, supply chain compromise remains a material threat.” (David Shipley, 09:15)

Notable Quotes & Memorable Moments

“[On BeyondTrust Zero-Day] It’s as bad as it gets.” (David Shipley, 00:55)
“If you are running self-hosted BeyondTrust appliances, immediately patching is critical and, given confirmed exploitation, unpatched systems should be treated as potentially compromised.” (David Shipley, 02:45)
“The attack does not exploit a software flaw. It relies on users being tricked into executing attacker-controlled commands themselves by convincing them they need to prove they’re human.” (David Shipley, 05:15)
“Attackers are combining AI-generated content, search engine manipulation, and social engineering to deliver malware without exploiting software vulnerabilities.” (David Shipley, 06:25)
“Verification of recruiter identity and isolating untrusted projects are critical safeguards.” (David Shipley, 07:35)
“Until short-lived, identity-bound credentials and mandatory MFA become universal, supply chain compromise remains a material threat.” (David Shipley, 09:15)

Important Timestamps

00:40: BeyondTrust critical zero-day details and urges to patch.
03:21: DNS-based malware delivery chain explained.
05:26: AI-generated content and Mac infostealer distribution.
06:31: Malware campaign targeting developers via fake recruiters.
07:41: NPM’s security improvements and persistent supply chain risks.

wavePod

BeyondTrust Zero-Day Exploited,

Powered by Wave AI

Summary

Podcast Summary: Cybersecurity Today

Overview

Key Discussion Points & Insights

1. BeyondTrust Remote Access Zero-Day Actively Exploited

2. DNS Lookups as a Malware Delivery Channel

3. AI-Generated Content Pushing Mac Infostealers

4. Social Engineering: Recruiters Targeting Developers

5. NPM Titan Security: Progress and Persistent Risks

Notable Quotes & Memorable Moments

Important Timestamps

Tone & Style

Summary Takeaway

Summary

Podcast Summary: Cybersecurity Today

Overview

Key Discussion Points & Insights

1. BeyondTrust Remote Access Zero-Day Actively Exploited

2. DNS Lookups as a Malware Delivery Channel

3. AI-Generated Content Pushing Mac Infostealers

4. Social Engineering: Recruiters Targeting Developers

5. NPM Titan Security: Progress and Persistent Risks

Notable Quotes & Memorable Moments

Important Timestamps

Tone & Style

Summary Takeaway