Loading summary
A
Cybersecurity Today we'd like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email identity and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security
B
Mac Malware that tries to gaslight the AI analyzing it a global takedown of two of the busiest info stealers on the market. OpenAI launches an Internet scale bug fixing effort and new findings on fortableed that should send you rotating a lot more than just firewall passwords. This is Cybersecurity Today and I'm your host David Shipley. Lets get started. There's a new piece of Mac malware that doesn't just try to hide from your tools, it tries to gaslight them. Researchers at SentinelOne have named it exactly that. Gaslight. It's a rust based implant and information stealer aimed at macOS and it's been pinned with high confidence on North Korea aligned threat actors. Here's what makes it different. Most malware tries to slip past a sandbox. Gaslight goes after the analyst's AI. Buried inside the sample is a block of 38 fake system messages, phony warnings about token expiry, out of memory crashes, disk exhaustion, repeated failures. There are even bogus alerts about injection flaws and static analysis hits the goal convince an AI triage agent that its own session has fallen apart, so it aborts, truncates or refuses the analysis. SentinelOne puts it plainly it attacks an AI agent's perception, not the sandbox it's trying to run in. The rest of the kit is capable on its own. Command and control runs through a Telegram bot. The operator gets an interactive shell to run code, kill processes and exfiltrate files straight through Telegram. For persistence. This malware hides behind a launch agent dressed up to look like a legitimate Apple system service. Then there's the information stealer. It's a Python suite that scrapes terminal history, installed apps, running processes, the macOS keychain and browser data from Chrome, Brave, Firefox and Safari. Everything gets zipped up and shipped out over Telegram. One more detail. The malware redacts its own Telegram token from its logs, so even if you grab the crash artifacts, the operator's channel stays hidden. Now to a win for the good guys. Microsoft and Europol have teamed up to take down two of the busiest infosteelers on the market, Amadei and Steelsea. And the numbers behind this operation are huge. Amade does the breaking in, Steelsea does the looting. Passwords, sensitive Data, the works. Together, they're everywhere. Microsoft found more than 140,000 infected computers worldwide in just the first two weeks of May. The takedown hits the infrastructure behind this malware. Microsoft identified over 200 malicious command and control domains and IP addresses. Then they shut them down through court orders, domain seizures and related enforcement actions. In a filing with the US District Court in Miami, Microsoft accused a group of unnamed defendants of running a malware as a service operation. And they asked the court to hand over control of the related domains. There's an AI angle here, too. Microsoft says investigators used AI to analyze how the two tools work together. That sped up the probe and let them treat the whole thing as a single conspiracy rather than as scattered pieces. This was all part of Operation Endgame, the broader international effort to dismantle cybercrime infrastructure. Researchers at proofpoint and IBM, who'd also took part in the bust, tallied the haul from the overall operation. 25.6 million stolen credentials recovered and 385,000 compromised systems identified. Infosteelers are one of the main on ramps to ransomware these days. Cut the command and control infrastructure and you sever that vital supply line, forcing ransomware operators to rebuild them from scratch. The fight's not over, but it's nice to see a win. The AI security arms race just picked up more speed. OpenAI has rolled out a batch of security announcements, and the headline is a project they're calling Patch the Planet. The pitch? An Internet scale effort to help open source software get ahead of AI bug hunting tools. OpenAI is running it alongside security firm Trail of Bits, with HackerOne and others in the mix. Here's the problem this effort is trying to solve. Open source maintainers are volunteers, usually, and they hold up critical software the world depends on. With almost no resources, AI bug hunters have made the situation for them almost untenable. They've flooded inboxes with AI, generated slop reports that bury the flaws that may actually matter. As OpenAI's cyber lead put it. Maintainers do this work often out of love, and now they're stuck reviewing slop CVEs, and many of them are calling it quits. So the project offers some free consulting, finding bugs, building patches and leaving custom AI agents behind so maintainers can keep going. More than 30 projects are already involved in the effort. Trail of Bits ran a five day opening sprint with a fifth of its workforce. The early haul, hundreds of bugs found dozens of patches shipped in week one. There's also a new checkpoint of OpenAI's security model GPT 5.5 Cyber it scored 85.6% on the Cyber Gym benchmark and edged out Anthropic's Mythos 5, which sat at 83.8. Anthropic pulled its Fable 5 and Mythos 5 models off the market earlier this month after the Trump administration moved on export control over concerns about their cybersecurity capabilities. OpenAI, meanwhile, is launching a cyber model that scores higher on this benchmark and rolling out an effort to find and fix bugs at Internet scale. But they're not facing an export ban. They're both in the same race with the same capabilities, but there are different rules. Both companies are headed towards IPOs. We've been following Fortibleed for the last few weeks, and a new analysis gets to the heart of what attackers do once they get inside a compromised Fortinet device. Here's a quick recap. Fortableed is a large scale credential theft campaign hitting Internet facing fortigate firewalls and SSL VPNs. Socradar, which coined the term and first disclosed the campaign, now counts more than 86,000 compromised devices across 194 countries. And the key point? This isn't a Fortinet vulnerability. No zero day. It runs on credential reuse, old passwords from past breaches and infostealer logs tested at scale across exposed devices. How well does that all work? Socradar found more than 2,500 devices breached with a single default login. It's admin 3 password 123456. That's it. That's essentially the doors left wide open. Once operators have working credentials, they tunnel in over the victim's own SSL vpn. Arctic Wolf, which reverse engineered the attacker's toolkit, found they bind their traffic to the victim's own VPN pool address. So their active directory queries, their Kerberos requests, their SMB activity all look like they're coming from inside the network. From there, it's a full sweep for other credentials. They enumerate domain admins, roastable accounts, even passwords sitting in the account description fields. They spider file shares for secrets buried in scripts and configs. Then they collect one recovered log clocked 121 gigabyte hall streaming straight out over SSH. A compromised fortigate firewall is a listening post. It's been sniffing the traffic passing through it. So any credential that crossed those wires could be in the hands of attackers, not just your Fortinet logins. So credential rotation for affected organizations is going to be huge. Everything that could have been exposed through those boxes probably needs to be rotated. We'll keep watching this story, and that's Cybersecurity today for Friday, June 26th. I've been your host, David Shipley. Thanks for listening. Stay safe out there. I'll be back on the news desk on Monday, and I hope you have a quiet and wonderful weekend.
A
Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material security is different. It's a unified detection and response platform purpose built for Google Workspace and Microsoft 365, protecting email files and accounts all in one place. We're talking automated phishing, remediation, account takeover containment and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust material to stop the threats. Other tools Ms. See workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity today.
Host: David Shipley
Date: June 26, 2026
Episode Overview:
This episode covers breaking developments in cybersecurity, including a novel Mac malware tactic aimed at gaslighting AI analysis tools, a global takedown of prolific info-stealer malware networks, OpenAI’s launch of a massive open source bug hunting effort, and the latest on the ongoing Fortibleed credential campaign targeting Fortinet devices.
David Shipley breaks down how attackers are innovating to outsmart AI-driven security tools, reports on aggressive law enforcement and industry moves against malware networks, explores OpenAI’s new cyber initiatives, and digests how old passwords fuel ongoing breaches. The episode serves as a digest for business leaders and security professionals navigating a fast-evolving threat landscape.
(00:26 – 02:59)
“The goal—convince an AI triage agent that its own session has fallen apart, so it aborts, truncates, or refuses the analysis.”
— David Shipley (01:15)
(02:59 – 05:30)
“Microsoft says investigators used AI to analyze how the two tools work together. That sped up the probe and let them treat the whole thing as a single conspiracy.”
— David Shipley (04:10)
(05:30 – 07:29)
“Maintainers do this work often out of love, and now they’re stuck reviewing slop CVEs, and many of them are calling it quits.”
— David Shipley (06:07, paraphrasing OpenAI’s cyber lead)
(07:29 – 09:30)
“A compromised Fortigate firewall is a listening post…any credential that crossed those wires could be in the hands of attackers.”
— David Shipley (09:00)
David Shipley’s delivery is urgent but measured, peppered with industry detail and plain language analogies. He stresses both the sophistication of attacker innovation (from gaslighting AI to leveraging default passwords) and the power of cross-industry, cross-border security collaboration. The practical advice—especially on credential hygiene for Fortinet users—makes this a must-listen for CISOs, IT managers, and anyone tracking the AI-cyber arms race.
Summary Prepared For:
Those seeking a thorough, actionable digest on the latest in enterprise cybersecurity threats, law enforcement victories, and industry efforts to shore up the open source ecosystem in the face of AI-driven challenges.