Summary6 min read

Podcast Summary: Cybersecurity Today

Episode: Cisco Breached: Source Code Stolen

Host: David Shipley (guest host for Jim Love)
Date: April 1, 2026

Episode Overview

This episode delivers a torrent of critical cybersecurity updates, with a spotlight on a major Cisco breach involving source code theft following a supply chain attack. Other headline stories include attacks on the popular Axios JavaScript library, renewed exploitation of vulnerabilities in Fortinet and Citrix platforms, an accidental leak of a dangerous Anthropic AI model, and fresh allegations about fake compliance at Delve, a compliance automation startup. Host David Shipley emphasizes that these are not April Fool's jokes but real threats shaping the cybersecurity landscape in early 2026.

Key Discussion Points & Insights

1. Cisco Breach: Source Code Theft via Supply Chain Attack

Details:
Threat actors exploited credentials stolen in the recent Trivi supply chain attack to breach Cisco's internal development environment.
Attack Method:
- Used a malicious GitHub Action to steal credentials and data.
- Impacted dozens of devices including developer workstations.
- Over 300 GitHub repositories cloned, including source code for Cisco’s AI-powered products.
Implications:
- Some stolen code reportedly belonged to Cisco’s corporate customers, banks, BPOs, and US government agencies.
- Multiple AWS keys were stolen and used for unauthorized activity.
- Cisco responded by isolating impacted systems, reimaging devices, and rotating credentials.
Notable Quote:

"This breach, alongside news that up to 1000 SaaS platforms were also impacted by Trivi, puts this supply chain attack to be among the top stories of the year. And it's only March." — David Shipley [01:33]
Fallout:
The breach is ongoing, with continued risks from related supply chain attacks on platforms like Light LLM and Checkmarx.

2. Axios Supply Chain Attack

Incident:
The highly popular JavaScript library Axios (83 million weekly downloads) was victim to a supply chain attack.
Attack Method:
- The attacker compromised the primary maintainer’s account.
- Released legitimate-looking package first, then injected malicious versions (prebuilt malware payloads for Windows, macOS, Linux).
- Payload was in a fake dependency, not Axios’s core code — evading standard code review.
- Malware contacted a command and control server and self-deleted.
Urgent Remediation Advice:
- Downgrade from affected versions (1.14.1 or 0.30.4) back to safe versions (1.14.0 or 1.30.3).
- Remove plain crypto-js, rotate credentials, audit CI/CD logs.
- Assume compromise until thoroughly checked.
Notable Quote:

"Traditional code review may not have caught it. This was not opportunistic. It was staged, rehearsed and executed with precision." — David Shipley [03:02]

3. Fortinet: More Patchable but Unpatched Vulnerabilities

Event:
Another active exploitation of an old vulnerability—this time CVE-2026-21643, an SQL injection in Fortinet's FortiClient EMS.
Details:
- Attackers use a malicious HTTP request to execute arbitrary code, impacting multi-tenant deployments.
- Exploitation confirmed by researchers and ongoing as of episode air date.
- CISA has not added it to its known exploited list yet despite active attacks.
Pattern:
- Fortinet has 24 vulnerabilities flagged as actively exploited, 13 leading to ransomware.
- Keeps "playing vulnerability whack-a-mole"; fails to eliminate entire bug classes.
Notable Quote:

"SQL injection has been on the OWASP top 10 since 2003... They're still playing vulnerability whack-a-mole." — David Shipley [05:23]

4. Citrix Bleed Returns

Current Flaws:
- CVE-2026-3055 (critical, 9.3/10 severity) actively exploited in Citrix Netscaler ADC and Gateway.
- Related issue (CVE-2026-4368) can cause user session mix-ups.
Risks:
- Attacks ongoing since at least March 27.
- Appliances configured as SAML identity providers affected.
- Urgent patch advisories; federal agencies have a tight remediation deadline.
Historical Context:
- Mirrors the 2023 "Citrix Bleed" vulnerability exploited by LockBit.
Expert Warning:

"Check for signs of compromise now, not after patching, and to trigger incident response immediately if they find anything." — David Shipley relaying Watchtower founder Benjamin Harris [07:02]

5. Anthropic AI Model Leak

Incident:
Anthropic accidentally leaked details about "Claude Mythos," described as their most capable and dangerous AI model to date, via a misconfigured publicly accessible draft blog post.
Model Capabilities:
- Advances in reasoning, coding, and cybersecurity, purportedly able to exploit vulnerabilities rapidly.
Industry Response:
- Anthropic is rolling out the model cautiously, sharing findings with security teams first.
- Previous iterations were reportedly used by state-sponsored actors for cyberattacks.
Market Impact:
- Cybersecurity vendors’ stocks reacted; the seriousness of AI threat capabilities is underlined.
Notable Quote:

"Anthropic’s leak may have been embarrassing, but they responded quickly, acknowledged the risks, and they've been transparent. That's a positive sign." — David Shipley [10:41]

6. Delve Compliance Scandal: Breaking Trust

Allegations:
Compliance automation startup Delve accused by "Deep Delver" (whistleblower) of aiding clients in fabricating audit evidence and working with non-rigorous auditors.
Evidence:
New leaks: internal Slack messages and video suggesting executive awareness.
Industry Reflection:
- Some use this as an excuse to dismiss compliance frameworks, but Shipley refutes this.
- The real issue is treating compliance as "performance instead of practice."
Risks:
- Real vulnerabilities are masked by rubber-stamped audits, providing false confidence.
Notable Quote:

"The problem here isn't compliance frameworks, it's how they're used. Too many organizations treat compliance as a box to check, not a standard to live by." — David Shipley [12:09]
Ongoing:
Whistleblower promises more revelations are coming.

Notable Quotes & Memorable Moments

| Timestamp | Speaker | Quote | |---|---|---| | 01:33 | David Shipley | "This breach, alongside news that up to 1000 SaaS platforms were also impacted by Trivi, puts this supply chain attack to be among the top stories of the year. And it's only March." | | 03:02 | David Shipley | "Traditional code review may not have caught it. This was not opportunistic. It was staged, rehearsed and executed with precision." | | 05:23 | David Shipley | "SQL injection has been on the OWASP top 10 since 2003... They're still playing vulnerability whack-a-mole." | | 07:02 | David Shipley (quoting Watchtower founder Benjamin Harris) | "Check for signs of compromise now, not after patching, and to trigger incident response immediately if they find anything." | | 10:41 | David Shipley | "Anthropic’s leak may have been embarrassing, but they responded quickly, acknowledged the risks, and they've been transparent. That's a positive sign." | | 12:09 | David Shipley | "The problem here isn't compliance frameworks, it's how they're used. Too many organizations treat compliance as a box to check, not a standard to live by." |

Key Timestamps for Important Segments

00:20 — Episode begins, quick headlines rundown
00:40 — Cisco breach report details
02:40 — Axios JavaScript library supply chain attack
05:02 — Fortinet FortiClient exploit and industry context
07:00 — Citrix vulnerabilities and patch urgency
09:50 — Anthropic AI model leak and implications
11:40 — Compliance scandal at Delve and broader takeaways

Tone and Style

David Shipley's delivery is candid, urgent, and incisive, with a blend of technical detail and direct advice. He’s unafraid to call out recurring industry failures, but balances criticism with actionable steps and context for defenders.

Takeaways

2026 is shaping up as a year of high-profile, technically sophisticated attacks, especially via the software supply chain.
Both established and cutting-edge technologies—from GitHub automation to next-gen AI—are being leveraged by malicious actors.
Timely patching, credential rotation, principled compliance, and thorough incident response remain critical as attackers increase in sophistication.
CISOs and technical teams should stay vigilant, audit dependencies, review logs, and not become complacent with "checkbox security."
The cybersecurity community is encouraged to share findings, patch rapidly, and—above all—never trust results that aren’t verified by intent and action.

Final Thoughts

This 1,500th episode of Cybersecurity Today underscores the pace, complexity, and seriousness of 2026’s threat landscape. The host closes with gratitude to listeners and a reminder: real vigilance and adaptation—not just adopted standards—are the difference between building real security and leaving doors open for the next breach.

Next Episode:
David Shipley returns after the Easter break with another news recap.
Stay safe, and take care.

Loading summary

Transcript3 lines

[00:00]
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them@meter.com CST Cisco breached
[00:20]
B
with source code stolen a supply chain attack hits Another massively popular open source tool Fortinet is back in the headlines for all the wrong reasons. Citrix may be bleeding again Anthropic accidentally leaks news about a new dangerous AI model and a compliance startup's bad press headaches just got a lot worse. This is Cybersecurity Today and I'm your host David Shipley. Let's get started. According to Bleeping, computer threat actors used credentials stolen in the recent Trivi supply chain attack to break into Cisco's internal development environment. The attackers used a malicious GitHub action to steal credentials and data from Cisco's build environment, hitting dozens of devices, including developer workstations. More than 300 GitHub repositories were cloned during the incident, among them source code for Cisco's AI powered products, including AI Assistance and AI Defense. A portion of that stolen code reportedly belongs to corporate customers, banks, business process outsourcers, US Government agencies. Multiple AWS keys were also stolen and used to perform unauthorized activity across a number of Cisco accounts. Cisco has isolated affected systems, begun reimaging them, and is rotating credentials at scale. The initial breach has been contained, but the company expects continued fallout from related supply chain attacks on light LLM and checkmarks. This breach, alongside news that up to 1000 SaaS platforms were also impacted by Trivi, puts this supply chain attack to be among the top stories of the year. And and it's only March. Well, at least until the fallout from this next supply chain attack becomes clearer. Our next story comes from Hacker News. They're reporting that one of the most widely used tools in web development, the JavaScript library Axios, with 83 million weekly downloads, was hit by a supply chain attack this week. An attacker compromised the account of the project's primary maintainer and used it to push poison versions to the NPM registry that included a dropper and a remote access tool. What makes this attack stand out is the patience of the attackers. They didn't rush. They first published a clean, legitimate looking package to establish trust and to bypass automated security checks. Then they struck three payloads were pre built for Windows, macOS, and Linux. Once installed, the malware called out to a command and control server, then deleted itself to cover its tracks. No malicious code touched Axios itself, it lived entirely in a fake dependency triggered automatically on install. Traditional code review may not have caught it. This was not opportunistic. It was staged, rehearsed and executed with precision. If you're running Axios versions 1.14.1 or 0.30.4, downgrade immediately to 1.14.0 or 1.30.3. Remove the plain crypto JS package from your Node modules and rotate all credentials. Check your CICD logs for any runs that installed affected versions and assume compromise until you can prove comprehensively otherwise. Our next story required none of that sophistication. Just another unpatched system and a vulnerability class that's been around for more than 20 years and a repeat offender. Fortinet if all of this sounds too familiar, it should. It's another critical vulnerability, another SQL injection flaw, and once again it's another race against time, with attackers likely exploiting before defenders can patch. According to bleeping computer researchers at Diffuse confirmed active exploitation of CVE2026 21643 an SQL injection vulnerability in Fortinet's Forta client EMS platform. An unauthenticated attacker can send a malicious HTTP request through the web interface and execute arbitrary code. Defuse says attackers have been exploiting this for at least four days. As of Tuesday, Fortinet had not updated its advisory to reflect active exploitation and CISA had not yet added it to their known exploited vulnerabilities list. There is a patch version 7.4.0.5 fixes it but the window to act is closing if not closed. This exploit appears to require multi tenancy, not single tenant deployments. CISA has now flagged 24 Fortinet vulnerabilities as actively exploited. Thirteen have been known to lead to ransomware attacks. Two years ago another Forta client EMS SQL injection flaw was used by Chinese state sponsored group Salt Typhoon to breach telecom providers across North America in the last 12 months. This is Fortinet's seventh critical CVE SQL injection has been on the OWASP top 10 since 2003. Fortinet signed CISA's Secure by Design pledge in 2025, yet these issues remain and they failed to consistently eliminate entire bug classes. They're still playing vulnerability whack a mole. Our next story is a return of a truly unloved expression. Citrix Bleed According to cybersecurity dive, threat actors are actively exploiting a critical vulnerability in Citrix, Netscalar ADC and Netscaler Gateway. The flaw CVE2026 3055 carries a severity score of 9.3 out of 10. CISA added it to the known Exploited Vulnerabilities catalog on Monday. Federal agencies have until Thursday to remediate Exploitations have been happening since at least March 27, giving attackers a head start. Researchers at Watchtower warn this may involve more than one flaw. A second vulnerability, CVE2026 4368, is a race condition issue that can cause user session mix ups. Watchtower founder Benjamin Harris is urging organizations to check for signs of compromise now, not after patching, and to trigger incident response immediately if they find anything. The reference point here is citrix bleed in 2023. That flaw was used by Lockbit and others to breach major organizations worldwide, and the pattern could be repeating critical flaw, slow response, mass exploitation Watchtower is already seeing the attacks in its honeypots, and the exposure affects appliances configured as a SAML identity provider. If this describes your environment and you haven't patched since Citrix issued its bulletin on March 23, you're behind in this race. Trivi Axios, Cisco Fortinet, Citrix Today's episode is a catalog of what attackers can do right now with existing tools, but what happens when those tools continue to get more powerful? Ironically, we've all found out about what is being called one of the most dangerous AI models built yet, thanks to leaked details of it revealed through a basic security misconfiguration. According to Futurism, Anthropic accidentally exposed a draft blog post through a publicly accessible data store, revealing a new model called Claude Mythos. In that document, Anthropic described Mythos as a general purpose AI system with advances in reasoning, coding and cybersecurity, calling it the most capable that they've built. We don't genuinely know if this was an accidental leak or something more deliberate Guerrilla marketing maybe. But the draft described a model that could exploit vulnerabilities far faster than what Defenders can respond to. Anthropic has acknowledged the risks the model presents. They've rolled out Mythos slowly, starting with enterprise security teams to study its capabilities before a wider release. They've also committed to sharing findings to help defenders prepare. Anthropic previously disclosed that a Chinese state sponsored group used an earlier code model to conduct cyber attacks against banks and governments by framing up what it was doing as legitimate testing in order to break the guardrails. That was a less capable system than what they're describing as what could be coming next. Another detail Cybersecurity stops dropped after the leak CrowdStrike Palo Alto and Fortinet all declined as investors tried to price in the impact. Whether that reaction was rational or not, the signal is clear. The market is paying attention to the message and if anything, cybersecurity is about to get a lot more intense. Anthropic's leak may have been embarrassing, but they responded quickly, acknowledged the risks, and they've been transparent. That's a positive sign. Our final story is about a different kind of failure, and it's one of the worst kinds Breaking Trust with Fake Compliance According to reporting from TechCrunch, the Delve story we covered last week has escalated. The anonymous whistleblower known as Deep Delver is back now with video and internal Slack messages and says more is coming. Deep Delver claims the video clearly shows Delve executives and staff knew there were issues with an auditor handling client certifications. Delve, a Y Combinator backed startup, automates compliance processes like SoC2 and ISO 27001. The allegation? It helped customers fabricate audit evidence and knowingly work with auditors who did not scrutinize clients materials and acted more like certification mills than auditors. Delve has raised more than $32 million. The accusations against Delve from Deep Delver were covered by TechCrunch first on March 22, and included claims about fabricated evidence used to achieve compliance with standards. Since the story broke, some people have been using it to dismiss compliance frameworks entirely. That would be the wrong takeaway. Done properly, certifications and frameworks improve security. They force organizations to examine controls, identify gaps and build repeatable processes. The problem here isn't compliance frameworks, it's how they're used. Too many organizations treat compliance as a box to check, not a standard to live by. When compliance becomes performance instead of practice, you get this Auditors rubber stamping customers, giving false confidence and real vulnerabilities hiding behind clean reports. Deep Delver says even more is coming. This story isn't over yet. That's Cybersecurity today for Wednesday, April 1, 2026. I wish all these headlines were April Fool's jokes, but they're real. Before we sign off, a milestone worth noting. This is episode 1,500 of Cybersecurity Today. When Jim Love first approached Howard Solomon about starting the show in March 2018, it wasn't clear what it would become. Eight years later, the show reaches 2.4 million downloads a year and is in the top 10 in US and Canada, the top 20 in the UK and drumroll. We just hit number one for tech news in Saudi Arabia to listeners there. Welcome. For me, it's been a privilege to join Jim and to follow in Howard's footsteps. Thank you all of you for helping us reach this milestone. We've grown because you've given us five star reviews, subscribed, given likes, given us the thumbs up, and great comments. Every one of these counts more than you'll ever know and we could continue to use your help. Please continue to like, subscribe and share the show. I'm excited to get on with the work for the next 1500 episodes. We'll be taking a break for the Easter holiday. I'll be back on Tuesday with a recap of the latest news. Until then, stay safe and take care.
[14:03]
A
We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and run support. It's a single, integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com CST that's M-E T E-R.com/CST.