Cybersecurity Today – February 2, 2026
Host: David Shipley (standing in for Jim Love)
Episode Theme:
A fast-paced review of recent major cybersecurity incidents, detailing how attackers are exploiting even trusted infrastructure – from Google's takedown of a global proxy network, to AI agent hijacks via exposed databases, to sophisticated phishing attacks targeting SSO, and supply chain threats embedded in antivirus updates. The episode underscores the evolving, multifaceted nature of cybersecurity risks for organizations.
Main Topics & Key Insights
1. Google’s Takedown of the IPIDEA Proxy Network
- Background:
Millions of Android devices worldwide were covertly being used as part of a massive residential proxy network, allowing nation-state and criminal hackers to cloak their operations.
- How it Worked:
- The IPIDEA proxy network embedded itself through hundreds of popular Android apps and developer toolkits (SDKs).
- Once installed, these apps would silently turn devices into Internet relays, routing third-party (malicious) traffic through real people’s connections.
- Abuse and Scale:
- Used by over 550 tracked threat groups in ONE week, including state-linked actors from China, Russia, Iran, and North Korea.
- Supported everything from credential theft and espionage to DDoS (distributed denial-of-service) attacks and command-and-control traffic.
- Response:
- Google disabled related domains, updated Play Protect to remove compromised apps, and worked with partners to disrupt the backend.
- 9 million devices and hundreds of malicious apps were cut from the network’s control.
- Residual Risk:
- “Parts of the infrastructure may still exist, but the scale of abuse has been sharply reduced.” (David Shipley, 01:38)
- Notable Quote:
- "Millions of people were unknowingly letting criminals and nation state hackers use their home and mobile Internet connections to hide cyberattacks..." (David Shipley, 00:34)
2. AI Agent Platform Hijack with a Single URL
- Incident Detail:
- The AI agent social platform ‘Moltbook’ left its entire backend database readable from the Internet, exposing control over every AI agent on it.
- Technical Failure:
- The database (Supabase, i.e. PostgreSQL behind an auto-generated REST API) exposed API keys, verification tokens, and ownership data for every agent. Row-level security (RLS) was never enabled, so anyone holding the public client key could read every row.
- Critical secrets were even published in the platform’s own code, enabling complete account takeover.
- Risk & Impact:
- “Those keys effectively act as passwords, allowing agents to post and act online.” (David Shipley, 03:02)
- 404 Media verified the weakness and demonstrated agent takeover.
- Some compromised agents belonged to high-profile AI figures, increasing risk of impersonation and reputational harm.
- Resolution:
- The vulnerability was fixed after disclosure and no malicious use has been confirmed.
- Notable Moment:
- Welcome to “2026's answer to unsecured AWS S3 buckets.” (David Shipley, 04:15)
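The failure described in this segment is the default state of a new Supabase table: PostgreSQL creates tables with row-level security off, and Supabase’s auto-generated REST API serves the public schema to anyone presenting the (deliberately public) anon key. The following is an added example, not Moltbook’s actual schema or code; the table, column and policy names are assumptions, and `auth.uid()` and `auth.users` are Supabase’s built-in helpers. It shows the weak table as it would have been exposed, then the fix, then a catalog query a practitioner can run to find any other table still in the weak state.

```sql
-- WEAK: a new table is created with RLS off. Supabase grants the PostgREST
-- roles (anon, authenticated) access to the public schema, so with RLS off
-- every row, secrets included, is readable with the public anon key.
create table public.agents (
    id                 uuid primary key default gen_random_uuid(),
    owner_id           uuid not null references auth.users (id),
    name               text not null,
    api_key            text not null,        -- effectively the agent's password
    verification_token text
);

-- FIX 1: enable RLS. With no policies defined this denies all rows to
-- every role except the table owner / service_role, which is the safe default.
alter table public.agents enable row level security;

-- FIX 2: owners may read and change only their own agents.
-- auth.uid() returns the subject of the caller's JWT (assumed Supabase helper).
create policy "agents: owner select" on public.agents
    for select to authenticated
    using (owner_id = (select auth.uid()));

create policy "agents: owner update" on public.agents
    for update to authenticated
    using (owner_id = (select auth.uid()))
    with check (owner_id = (select auth.uid()));

-- FIX 3: the secret columns never need to cross the public API at all.
-- PostgreSQL ignores a column-level REVOKE while a table-level SELECT is in
-- force, so drop the table grant and re-grant only the non-secret columns.
revoke select on public.agents from anon, authenticated;
grant select (id, owner_id, name) on public.agents to authenticated;

-- CHECK: every ordinary table in public that still has RLS off, or has RLS on
-- but no policy (which silently denies everything and breaks the app).
select c.relname                    as table_name,
       c.relrowsecurity             as rls_enabled,
       count(p.policyname)          as policy_count
from pg_class c
left join pg_policies p
       on p.schemaname = 'public' and p.tablename = c.relname
where c.relnamespace = 'public'::regnamespace
  and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.policyname) = 0;
```

Two caveats a reviewer would add. Enabling RLS does nothing for a client that holds the service_role key, which bypasses every policy; that key belongs only on a server, and shipping it in client code is the “secrets in their own code” failure the episode mentions. And the CHECK query should be wired into CI or a scheduled job, because the weak state is what every newly created table starts in.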
3. SSO Phishing and Cloud Extortion by ‘Shiny Hunters’
- Attack Overview:
- Shiny Hunters extortion group targets single sign-on (SSO) systems including Okta, Microsoft Entra, and Google.
- Tactics:
- Sophisticated “vishing” (voice phishing): Attackers impersonate IT, call employees, and guide them through a lookalike MFA process using real-time phishing kits.
- Real credentials and MFA tokens are captured and relayed on the fly, letting attackers register their own MFA devices.
- Impact:
- Attackers access the SSO dashboard, “which in some cases may list every connected SaaS application the user can access, including Salesforce, Microsoft 365, SharePoint document, Slack, Google Drive, and so on.” (David Shipley, 05:14)
- Automation: Bulk data downloads via PowerShell, security notifications deleted to conceal activity.
- Result:
- Bulk data theft, extortion, and stolen data already surfacing on leak sites.
- Notable Quote:
- “The attacks begin with voice phishing… and call employees directly claiming there's an issue with multi factor authentication.” (David Shipley, 05:03)
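The tactic described in this segment leaves a distinctive trace in SSO logs: a new MFA factor is enrolled minutes after a successful sign-in from an IP address the user has never used before. The following is an added hunting query, not something from the episode or from Okta, written for PostgreSQL against Okta-style System Log events loaded into a table. The table layout and every row are constructed for the example; the event type names follow Okta’s naming convention and should be checked against the tenant’s own log before use.

```sql
-- Constructed schema: one row per SSO log event.
create table sso_events (
    ts         timestamptz not null,
    actor      text        not null,   -- user login
    event_type text        not null,   -- e.g. user.session.start
    client_ip  inet        not null,
    outcome    text        not null    -- SUCCESS / FAILURE
);

-- Constructed sample. alice normally signs in from 203.0.113.10; on 27 Jan a
-- session starts from 198.51.100.7 (the phishing kit relaying her credentials)
-- and a new factor is activated from that IP minutes later. bob enrols a new
-- phone from the IP he has used all month, which is routine.
insert into sso_events (ts, actor, event_type, client_ip, outcome) values
  ('2026-01-20 08:00:00+00', 'alice', 'user.session.start',       '203.0.113.10', 'SUCCESS'),
  ('2026-01-27 09:04:00+00', 'alice', 'user.session.start',       '198.51.100.7', 'SUCCESS'),
  ('2026-01-27 09:07:30+00', 'alice', 'user.mfa.factor.activate', '198.51.100.7', 'SUCCESS'),
  ('2026-01-05 10:01:00+00', 'bob',   'user.session.start',       '192.0.2.44',   'SUCCESS'),
  ('2026-01-27 10:00:00+00', 'bob',   'user.session.start',       '192.0.2.44',   'SUCCESS'),
  ('2026-01-27 10:01:00+00', 'bob',   'user.mfa.factor.activate', '192.0.2.44',   'SUCCESS');

-- Hunt: factor enrolment preceded (within 15 min) by a sign-in from the same
-- IP, where that IP has no successful activity for the user in the prior
-- 30 days outside that 15-minute window.
with activations as (
    select actor, ts, client_ip
    from sso_events
    where event_type = 'user.mfa.factor.activate'
      and outcome = 'SUCCESS'
)
select a.actor, a.ts as enrolled_at, a.client_ip
from activations a
where exists (                     -- a fresh sign-in from the same IP just before
    select 1
    from sso_events s
    where s.actor = a.actor
      and s.event_type = 'user.session.start'
      and s.outcome = 'SUCCESS'
      and s.client_ip = a.client_ip
      and s.ts between a.ts - interval '15 minutes' and a.ts
)
and not exists (                   -- ... and the IP is new for this user
    select 1
    from sso_events h
    where h.actor = a.actor
      and h.client_ip = a.client_ip
      and h.outcome = 'SUCCESS'
      and h.ts between a.ts - interval '30 days'
                   and a.ts - interval '15 minutes'
)
order by a.ts;
```

On the constructed rows only alice’s enrolment from 198.51.100.7 is returned; bob’s is suppressed by the 30-day history check. The 15-minute and 30-day windows are tuning parameters, not Okta defaults. In production the same pattern is worth joining with the two follow-on signals the episode names: a burst of downloads from connected SaaS apps shortly after the enrolment, and deletion of the security notification e-mails that the enrolment would have generated.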
4. Russian State-linked Attacks on Polish Energy Infrastructure
- Incident Recap:
- Russian-linked cluster ‘Static Tundra’ targeted >30 wind/solar farms, a manufacturing firm, and a combined heat & power plant in Poland on December 29, 2025.
- Tactics:
- Caused communications disruption between renewable facilities and power grid operators.
- Gained access via vulnerable FortiGate devices and their SSL VPNs.
- Damaged firmware, deleted system files, and attempted to deploy ‘DynoWiper’ malware on industrial interfaces.
- Months-long reconnaissance, data theft, movement inside networks, focusing on SCADA and OT projects.
- Impact:
- Attacks aimed at destruction, but “thankfully failed to cause an outage” (David Shipley, 07:13)
- Notable Quote:
- "According to CERT Polska, the attacks had a destructive objective. Communications between renewable energy facilities and grid operators were disrupted, but electricity production thankfully continued." (David Shipley, 06:49)
5. eScan Antivirus Update Server Compromised
- Incident:
- eScan antivirus users received malware through a compromised update server, affecting mainly enterprise customers.
- Timeline:
- Detection: January 20. Public disclosure by Morphisec: January 29.
- Malicious Payload:
- ‘Reload.exe’ file: blocked updates, changed AV behavior, established persistence, and fetched other malware.
- Challenges:
- Auto-remediation was impossible because the malware cut infected machines off from the update servers; users had to contact eScan directly.
- The company disputes Morphisec’s classification of the incident as a ‘supply chain attack,’ confirming only that a regional update server was affected.
- Remediation:
- Compromised servers isolated, update tools released, operations restored.
- Notable Quote:
- “Because compromised services were cut off from update servers, automatic remediation was impossible, forcing users to contact eScan directly for a cleanup.” (David Shipley, 08:52)
Notable Quotes & Memorable Moments
- Mass Proxy Network:
- “That meant malicious activity didn't come from suspicious data centers, it came from real phones, real homes, real people.” (David Shipley, 01:17)
- On AI Security Lapses:
- “You really didn't need to hack much, you just needed a URL. You heard that right...” (David Shipley, 02:39)
- On SSO Attack Tactics:
- “These sites use advanced phishing kits that allow attackers to interact with victims in real time.” (David Shipley, 05:10)
- Industrial Threats:
- “Attackers accessed internal networks tied to substations, conducted reconnaissance, damaged firmware on industrial controllers, deleted system files and attempted to deploy custom wiper malware...” (David Shipley, 07:25)
- AV as Attack Vector:
- "Even security software can be an attack vector." (David Shipley, 08:39)
Timestamps for Key Segments
- Google Proxy Network Takedown: 00:34 – 02:38
- AI Agent Platform Hijack: 02:39 – 04:18
- Single Sign-On Phishing Attacks: 04:19 – 06:48
- Russian Attacks on Polish Energy Sector: 06:49 – 08:38
- Antivirus Update Supply Chain Compromise: 08:39 – 10:00
Tone & Closing Thoughts
The episode underscores the persistent creativity and sophistication of attackers, the dangers of misconfigured cloud and app infrastructure, and the importance of multi-layer security—including vigilance for even trusted tools like antivirus software. David Shipley delivers the stories succinctly, occasionally dropping in wry observations about the digital state of play in 2026 (“welcome to 2026’s answer to unsecured AWS S3 buckets”).
Host Sign-off:
"I'm David Shipley. Thanks for listening. Have a great week. Jim Love will be back on the news desk on Wednesday." (David Shipley, 10:01)
