Cybersecurity Today — Episode Summary
Episode: Cybersecurity Update: Incorrect Company Naming, Major Breaches, and New Malware Campaigns
Host: Jim Love
Date: November 27, 2025
Episode Overview
This episode provides an up-to-date briefing on recent and significant cybersecurity incidents affecting financial institutions, large enterprises, and software supply chains. Host Jim Love covers major ransomware and data theft breaches, emerging malware campaigns targeting creative and development ecosystems, and a reminder that basic phishing techniques remain devastatingly effective. He also apologizes and corrects a prior misnaming of a company involved in a recent breach, underlining the show’s commitment to accuracy and transparency.
Key Discussion Points & Insights
1. Correction of Company Naming in Previous Reporting
- [00:01 – 01:45]
- Jim Love opens with an apology for incorrectly naming a company associated with a breach in a prior episode. The correct company is SitusAMC, not Ascensus, which was mentioned by mistake.
- Importance of responsible reporting: “We’re never playing a blame game. We’re only trying to make sure our listeners know what to look for and get the facts.” (Jim Love, 00:22)
- Listener vigilance highlighted as a strength of the show’s community: “You are the best and you keep us honest.” (Jim Love, 01:18)
2. SitusAMC Data Theft Breach
- [02:00 – 04:00]
- US banks are assessing the impact after the ransomware group ALPHV (BlackCat) claimed to have stolen 3TB of data from fintech vendor SitusAMC.
- No ransomware encryption was used—data theft only.
- SitusAMC responded by taking systems offline, launching an investigation, and notifying regulators; the FBI is now involved.
- The attackers have posted sample documents; the full scope of the breach is still unknown.
- “This type of operation typically targets files sensitive enough to justify demanding payment from large institutions.” (Jim Love, 03:22)
- Ongoing uncertainty as banks determine exposure; investigators expect further developments.
3. Clop Ransomware Hits Broadcom via Oracle ERP Vulnerability
- [04:00 – 06:00]
- The Clop ransomware group is exploiting zero-day vulnerabilities in Oracle E-Business Suite and has named Broadcom as its latest target.
- Broadcom is neither confirming nor denying a breach; it acknowledges that its Oracle instance was targeted, says patches are in place, and states that “core systems remain intact”.
- The affected data is believed to be limited, but the investigation continues.
- Oracle has issued a patch; the risk is ongoing as Clop continues naming victims before their reviews are complete.
- “We may see more names surface in the days ahead, either from investigations or from the attackers themselves.” (Jim Love, 05:46)
4. New Malware via Blender 3D Model Files (StealC)
- [06:00 – 08:30]
- Increasing reports of malware hidden inside Blender .blend files; Blender’s auto-run scripts feature executes the embedded Python when the file is opened.
- The StealC info-stealer targets over 23 browsers, plus crypto wallets, communication tools, and VPN and mail clients, and now includes advanced evasion features.
- Updated variants go undetected by current antivirus engines: “No security engine on VirusTotal detected the StealC variant they analyzed.” (Jim Love, 08:02)
- Serious supply-chain risk, as infected models are freely shared on creative platforms.
5. Shai-Hulud Worm Infects npm Packages
- [08:30 – 10:30]
- “A new supply chain attack is sweeping through the JavaScript ecosystem…” (Jim Love, 08:34)
- 500+ npm packages were compromised after attackers stole maintainer credentials and injected self-replicating malware (Shai-Hulud).
- On install, it harvests cloud/dev credentials and propagates itself.
- The compromise runs deep: trusted packages are backdoored, which makes them hard to detect quickly.
- Warning: “Blindly pushing updates from NPM is no longer safe. The weakness isn’t one library, it’s how much trust we place in an ecosystem…” (Jim Love, 10:07)
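One concrete way to do the validation work this segment calls for is to audit the project's lockfile before installing anything, rather than trusting whatever `npm install` pulls. The script below is an added example written for this summary; it is not code from the show or from npm. It parses a constructed `package-lock.json` (lockfile v3 layout, embedded inline) and flags three things a supply-chain compromise tends to hide behind: packages resolved from somewhere other than an allowed registry, packages with no integrity hash, and packages that carry an install script (the `hasInstallScript` field that npm writes for packages with preinstall/install/postinstall hooks). The registry allowlist, the sample lockfile and the install-script allowlist are all assumptions of the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfile v3 layout) for this example only.
SAMPLE_LOCK = r'''
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "example-app", "dependencies": { "left-pad-ish": "^1.0.0" } },
    "node_modules/left-pad-ish": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDER1=="
    },
    "node_modules/helper-with-hook": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/helper-with-hook/-/helper-with-hook-2.3.1.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDER2==",
      "hasInstallScript": true
    },
    "node_modules/from-git": {
      "version": "0.1.0",
      "resolved": "git+ssh://git@example.invalid/someone/from-git.git#abc123"
    }
  }
}
'''

# Assumed policy: only tarballs from the public npm registry are acceptable.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS,
                   install_script_allowlist=frozenset()):
    """Return a list of (package, version, reason) findings for a lockfile.

    Every installed package is checked for: a resolved URL outside the allowed
    registries, a missing integrity hash, and an install script that has not
    been explicitly reviewed and allowlisted.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfile v1 has no 'packages' map; regenerate with a current npm")

    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "?")

        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, version, "no resolved URL; origin cannot be verified"))
        else:
            host = urlparse(resolved).hostname or ""
            if host not in allowed_hosts:
                findings.append((name, version, f"resolved outside allowed registries: {resolved}"))

        if not entry.get("integrity"):
            findings.append((name, version, "missing integrity hash; tarball cannot be verified"))

        if entry.get("hasInstallScript") and name not in install_script_allowlist:
            findings.append((name, version, "runs an install script; review before allowing"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against a real `package-lock.json` by reading the file instead of `SAMPLE_LOCK`; a non-empty result is a reason to stop and look before installing. Pairing the check with `npm ci --ignore-scripts` keeps lifecycle hooks from running until the flagged packages have been reviewed.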
6. Traditional Phishing Still Works — Microsoft Account Scam
- [10:30 – 12:00]
- New phishing campaigns exploit visually similar domains: “rnicrosoft.com” vs “microsoft.com”.
- Tricked users are redirected to fake login pages, compromising their entire account suite.
- Because the deception is visual rather than malware-based, it bypasses many defensive tools.
- Host’s practical security advice:
- “I will not, repeat, not enter credentials into anything that's linked to a site that has been supplied to me in email or any other way. I will go on and type the name of that company, that URL myself and if I can't find what they sent me, I don't care. It doesn't exist.” (Jim Love, 11:30)
- Takeaway: the simplest con games remain potent because they prey on human attention, especially during holiday surges.
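A defender-side check for the look-alike domain trick described in this segment, added here as an illustration; it is not code from the show or from Microsoft. It reduces each hostname label to a "skeleton" in which confusable spellings collide (the rn/m pair from the campaign, vv/w, a few Cyrillic and Greek homoglyphs, diacritics, hyphens), then compares the registrable domain of a link against a constructed allowlist of protected brand domains and also catches a brand name parked as a subdomain of an unrelated domain. The allowlist, the confusable tables and the two-label rule for the registrable domain are assumptions of the example; a production version would use the Public Suffix List and Unicode's full confusables data.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist for this example; a real policy is organisation specific.
PROTECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}

# ASCII sequences that render almost identically in common fonts (assumed subset;
# "rn" -> "m" is the substitution used by the campaign described above).
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]

# A handful of Cyrillic/Greek letters that look like Latin ones (assumed subset).
UNICODE_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u03bf": "o", "\u03b1": "a",
})


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(label: str) -> str:
    """Map a hostname label to a form in which look-alike spellings collide."""
    s = label.lower()
    # Drop diacritics: decompose, then remove the combining marks.
    s = "".join(ch for ch in unicodedata.normalize("NFKD", s) if not unicodedata.combining(ch))
    s = s.translate(UNICODE_CONFUSABLES)
    for src, dst in ASCII_CONFUSABLES:
        s = s.replace(src, dst)
    return s.replace("-", "")


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels form the registrable domain (no Public Suffix List)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_skeleton(domain: str) -> str:
    return ".".join(skeleton(label) for label in domain.split("."))


def classify_link(url: str, protected=PROTECTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for the host of a link."""
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    host = decode_idna(host)
    reg = registrable_domain(host)
    if reg in protected:
        return "trusted"
    reg_skel = domain_skeleton(reg)
    subdomain_skels = {skeleton(label) for label in host.split(".")[:-2]}
    for brand in protected:
        # The whole registrable domain mimics a protected one (rnicrosoft.com).
        if reg_skel == domain_skeleton(brand):
            return "lookalike"
        # The brand name sits as a subdomain of an unrelated domain (microsoft.com.evil.test).
        if skeleton(brand.split(".")[0]) in subdomain_skels:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the pair from the segment.
    for link in ["https://microsoft.com/", "https://rnicrosoft.com/login",
                 "https://micr\u043esoft.com/", "https://microsoft.com.evil-example.test/",
                 "https://www.example.org/"]:
        print(f"{classify_link(link):9s} {link}")
```

Dropping this into a mail gateway or a browser extension as a link check gives a machine version of the host's own rule: anything classified `lookalike` is blocked or at least flagged, and `trusted` is still only as good as the allowlist behind it.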
Notable Quotes & Memorable Moments
- On journalistic integrity:
- “When we get it wrong, we'll tell you. No excuses. But also thanks to our listeners who alerted me before the company spotted it.” (Jim Love, 01:01)
- On evolving threat landscapes:
- “StealC has been on the radar since 2023 and it's still slipping past defenses.” (Jim Love, 07:50)
- “The supply chain has multiple points where it could be compromised… It takes work to validate what you're installing…” (Jim Love, 09:50)
- On persistent, low-cost threats:
- “While we focus on complex threats like AI driven attacks and supply chain compromises, the simplest tactics still work because they exploit human attention and not software flaws.” (Jim Love, 11:50)
Timestamps for Key Segments
| Segment | Timestamp |
|---|---|
| On-air correction & apology | 00:01–01:45 |
| SitusAMC ransomware/data theft | 02:00–04:00 |
| Clop/Oracle zero-day & Broadcom's response | 04:00–06:00 |
| Blender/StealC malware campaign | 06:00–08:30 |
| Shai-Hulud npm supply-chain worm | 08:30–10:30 |
| Phishing campaign: Microsoft lookalike domains | 10:30–12:00 |
| Security tip: Never click login links from emails | 11:30 |
Summary Tone
Jim Love maintains a direct, reassuring, and practical tone, blending technical accuracy with accessible language and actionable security advice.
Takeaways
- Correction and transparency are crucial in cybersecurity journalism.
- Major breaches continue to affect core infrastructure (fintech, enterprise software, and creative toolchains).
- Supply-chain and social engineering attacks have become more sophisticated — but old tricks (phishing) still work.
- Vigilance, critical thinking, and “never click login links in emails” remain among the best lines of defense.
- The ecosystem’s structural weaknesses mean everyone (not just IT) needs ongoing security awareness.
