
A
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security.
B
Microsoft threatens researcher with criminal charges. Google engineer charged in Polymarket insider trading. Hackers exploit Palo Alto VPN authentication bypass, and attackers weaponize ChatGPT pages for malware. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.
The biggest cybersecurity story of the past week is the next chapter of a dispute we've been tracking since April between Microsoft and an independent security researcher who's published a series of unpatched zero-day vulnerabilities in Microsoft products. Last week, the dispute escalated. Microsoft is now threatening to refer the researcher for criminal investigation. According to TechCrunch, Microsoft published a blog post on Wednesday criticizing the researcher, who currently goes by the handle Nightmare Eclipse and who we previously covered under the related handle Chaotic Eclipse. Listeners who heard our April 20th show will remember the Blue Hammer and Red Sun zero-days targeting Windows Defender. We covered in our May 20th episode Yellow Key, the BitLocker bypass that's still unpatched. Microsoft's blog post names a fourth bug as well, Undefend, and takes aim at the researcher publicly for the whole series. What's changed is Microsoft's framing. In April, the company's response was a standard corporate statement about coordinated disclosure. Last week the blog said that Microsoft's Digital Crimes Unit will, quote, "continue bringing cases against these actors and those that enable their criminal activity." That's Microsoft framing the publication of proof-of-concept exploits for zero-day vulnerabilities as criminal activity. Microsoft's argument is that the researcher failed to disclose the bugs through the company's responsible channels and that some have since been used in real-world attacks, with CISA flagging at least one as actively exploited.
The researcher's side is that they had tried to report these bugs and that Microsoft mistreated them, including revoking their account on Microsoft's vulnerability reporting portal. When that reporting channel got cut off, they argue, public disclosure became the only path left. Brian Krebs has documented that Nightmare Eclipse is no random actor. They have a long bug bounty history, a HackerOne profile, and, according to their LinkedIn, worked full time at Microsoft from September 2022 to June 2025. The former Microsoft employee angle was first called out by researcher Kevin Beaumont. Beaumont's response to Microsoft's blog post is a must-read piece this week. He describes Microsoft's position as a, quote, "dumpster fire of its own making," end quote. Katie Moussouris, who pioneered Microsoft's bug bounty program in the mid-2000s and convinced the company to adopt coordinated disclosure terminology in the first place, told TechCrunch that invoking responsible disclosure was the first strike and added that the Digital Crimes Unit reference was over the top. She warned the consequences will be researchers losing trust with Microsoft, fewer people coming forward to report bugs, and a less safe ecosystem for everyone. This dispute matters far beyond Microsoft and Nightmare Eclipse. The framing Microsoft chose in their blog post, that publishing proof-of-concept exploit code for unpatched vulnerabilities is criminal activity, is a position the cybersecurity community has spent 20 years pushing back against. If it sticks, the incentives for independent researchers to ever report bugs to a major vendor get dramatically worse. The dynamic that fills the gap is AI-augmented vulnerability discovery: increasingly available, increasingly capable, with no obligation to report. Microsoft's blog post was likely not intended to make that case, but it may have made it anyway.
A key point that Brian Krebs has made is that there may indeed be more to this story than what the cybersecurity community has been made aware of so far. Right now, the story doesn't look so great for Microsoft, but it could take another dramatic turn.
A new front in the insider risk landscape opened up last week. According to Bleeping Computer, US federal prosecutors have charged a Google security engineer with insider trading after he allegedly used confidential company data to win $1.2 million on the cryptocurrency prediction market Polymarket. The accused is Michael Spagnolio, a 36-year-old Italian citizen living in Switzerland and a Google employee since 2014. According to the criminal complaint, Spagnolio had access to the internal Google tool containing the confidential Year in Search data, the company's annual ranking of the top trending search terms, marketed each December as a major Google PR event. Starting in October of 2025, Spagnolio allegedly used a Polymarket account under the alias Alpha Raccoon to bet on whether specific individuals would appear on the list. He placed approximately 25 bets on unlikely outcomes with near-perfect accuracy. The FBI traced the Alpha Raccoon account back to the cryptocurrency payment processor registered in Spagnolio's and linked it to his Italian government ID. After online communities in Discord and X started speculating that Alpha Raccoon was a Google insider, the username was removed from the account. Spagnolio faces up to 10 years in prison on a commodities fraud count and 20 years each on wire fraud and money laundering counts. None of these allegations have been proven in court. Here's why this story matters for the wider cybersecurity audience. Prediction markets like Polymarket and others like Kalshi have created a fundamentally new kind of insider risk.
What prediction markets do is take essentially anything a company knows ahead of the public (annual rankings, product launch dates, executive departures, sales numbers) and turn it into a tradable market with real money at stake. The year-end search data isn't financial information. Nobody at Google had to disclose it to a regulator. There's no internal designation for it more sensitive than Google Confidential. On Polymarket it was worth $1.2 million. If your insider risk program has not yet been updated to think about prediction markets, this is a case study for you and your team.
A quick note before we get started on the next story. We've devoted a recurring segment on the show this year to Fortinet critical vulnerabilities we've jokingly referred to as fortawatch, and we've had reason to use it more than I'd like. So, in the interest of fairness and to reassure our friends at Fortinet that we hold other vendors to the same standards, we're almost relieved to be covering an actively exploited critical flaw from a firm that isn't Fortinet. Palo Alto Networks is reporting that hackers are now actively exploiting an authentication bypass vulnerability in its GlobalProtect VPN product to breach corporate networks. According to Bleeping Computer, the flaw is CVE-2026-0257. It allows an attacker to bypass authentication for PAN-OS GlobalProtect portals and gateways, and to establish an unauthorized VPN connection. Palo Alto patched it earlier this month and rated it at medium severity because exploitation required specific conditions: authentication override cookies enabled and a specific certificate configuration. On Friday, Palo Alto raised the severity to high and confirmed limited exploitation in the wild. Rapid7 observed that the earliest exploitation was on May 17. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Friday.
Federal civilian agencies have until today to mitigate.
Our next story is about how some of the most popular AI platforms are being weaponized to host malware. Threat actors are abusing OpenAI's ChatGPT content sharing feature to host fake outage pages that trick users into downloading malware. According to Bleeping Computer, the campaign documented by Push Security uses Google Ads targeting people searching for ChatGPT. The ads direct users to what looks like a perfectly legitimate ChatGPT shared page hosted on the real chatgpt.com domain, because that's where it actually lives. Instead of showing a chat conversation, the page renders a fake outage notice and claims the web version is unavailable and prompts the user to download the desktop app. The trick is that the fake outage notice is built using ChatGPT's own HTML rendering. The attackers wrote custom HTML and CSS as a ChatGPT prompt, then published the result as a shared ChatGPT link. The download takes the victim to a lookalike site, which impersonates OpenAI's desktop download portal. The site uses cloaking to show a harmless company website to URL scanners and the real malicious download to actual victims. Both Windows and macOS versions install malware. Push Security has also observed parallel attacks abusing Anthropic's Claude Artifacts feature for ClickFix-style lures.
That's Cybersecurity Today for Monday, June 1, 2026. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or to drop by technewsday.com or .ca and send us a note. I'll be back on Wednesday with the latest cybersecurity headlines.
A
Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform purpose-built for Google Workspace and Microsoft 365, protecting email, files, and accounts all in one place. We're talking automated phishing remediation, account takeover containment, and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust Material to stop the threats other tools miss. See Workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Episode: Microsoft Threatens Security Researcher | Palo Alto VPN Exploited | Google Insider Trading Case
Host: David Shipley
Date: June 1, 2026
This episode covers a turbulent week in cybersecurity, focusing on Microsoft's dramatic clash with a security researcher, a major insider trading case involving a Google employee, and significant real-world threats including exploitation of Palo Alto Networks VPNs and AI platform abuse. David Shipley guides listeners through these evolving issues, emphasizing their significance for business security teams and the wider cybersecurity ecosystem.
Segment timestamps: 00:24–05:50, 05:51–08:10, 08:11–09:14, 09:15–10:29
Summary:
This episode tackles headline incidents that collectively signal shifting attacker strategies, new legal and ethical dilemmas in vulnerability reporting, the evolution of insider risk in the age of prediction markets, and new frontiers in malware delivery via AI platforms. Shipley’s commentary points to the urgent need for organizations to adapt their security thinking—and processes—to address evolving threats and rapidly changing industry norms.