A
You're listening to the Cyberwire network. Powered by N2K.
B
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Thales. They know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at

The open source community heads off a major NPM supply chain attack. The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia. Scammers abuse iCloud calendar invites to send callback phishing emails. Researchers discover a new malware variant exploiting exposed Docker APIs. Phishing attacks abuse the Axios user agent and Microsoft's Direct Send feature. Plex warns users of a data breach. Researchers flag a surge in scans targeting Cisco ASA devices. CISA delays finalizing its incident reporting rule. The GAO says federal cyber workforce figures are incomplete and unreliable. Our guest is Kevin McGee, Global Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education and going back to school. And AI earns its own Darwin Awards. It's Tuesday, September 9th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Thanks for joining us here. It is great to have you with us.
A major supply chain attack targeting the NPM ecosystem was stopped thanks to the rapid response of the open source community. Attackers compromised the NPM account of well-known developer Josh Junon, also known as Qix, publishing malicious versions of widely used packages such as chalk and strip-ansi. The malware acted as a crypto clipper, swapping wallet addresses or hijacking transactions to steal cryptocurrency. The malicious packages were live for only a few hours before NPM and maintainers removed them. Researchers noted that the attack chain was sophisticated, but losses were minimal, estimated at just $20 to $66, thanks to fast community detection. Reports show developers flagged the threat within 15 minutes, with some packages taken down in under an hour. Experts stressed that while any compromise is serious, this was not the biggest supply chain attack ever. Instead, it highlighted the strength of open source collaboration in preventing widespread damage.

The U.S. Treasury Department has sanctioned individuals and companies tied to cyber scam centers in Myanmar and Cambodia that have defrauded Americans of over $10 billion. The measures target Burmese, Cambodian and Chinese nationals running forced labor compounds where victims are trafficked, abused and forced to carry out scams. In Myanmar, sanctions focus on Shwe Kokko, a hub run by military leaders of the Karen National Army who profit by tracking workers and supporting scam operations. In Cambodia, the crackdown hit casino-linked scam centers tied to Chinese gangs and billionaire Try Pheap. Officials said these sanctions aim to disrupt industrial-scale fraud while combating human trafficking and modern slavery in the region.

Apple has issued a warning after scammers were found abusing iCloud calendar invites to send callback phishing emails disguised as purchase notifications. The scheme embeds fake payment alerts, such as a $599 PayPal charge, into the invite's Notes field.
Since these messages come from Apple's legitimate servers, they bypass spam filters and appear authentic. Victims are urged to call fraudulent numbers where attackers attempt to trick them into downloading malicious software. Experts advise treating calendar invites with the same caution as suspicious emails.

Researchers at Akamai have discovered a new malware variant exploiting exposed Docker APIs, evolving from a campaign first seen in June. Unlike the earlier strain that deployed a cryptominer, the updated version now blocks external API access, gains host-level control, and installs persistence tools, indicating preparation for larger operations. The malware uses a Go-based binary dropper, scans for other vulnerable servers and spreads itself, suggesting early botnet development. It also removes competing crypto miner containers to dominate infected systems. Notably, the code includes inactive routines for Telnet and Chrome's remote debugging, hinting at future expansion. Akamai's honeypot analysis revealed indicators of compromise tied to Tor domains and webhook addresses. Security experts warn that attackers are shifting from quick profits toward infrastructure building, urging Docker users to secure APIs and monitor activity closely.

ReliaQuest has reported a sharp surge in phishing attacks abusing the Axios user agent and Microsoft's Direct Send feature. Between June and August of this year, Axios-driven phishing activity jumped 241%, accounting for nearly 24% of all malicious user agent traffic, 10 times higher than any other agent. Axios-enabled campaigns had a 58% success rate compared to just 9% for other incidents, with success climbing to 70% when paired with Direct Send. Initially aimed at executives in finance, healthcare and manufacturing, the attacks now target regular users. Axios, a lightweight HTTP client, allows attackers to easily intercept, replay and manipulate HTTP requests, bypassing MFA and hijacking session tokens.
Its legitimacy helps it evade filters, unlike more suspicious tools. ReliaQuest urged organizations to disable Direct Send if possible, tighten email security and train users to recognize phishing red flags.

Popular streaming platform Plex has warned users of a data breach in which attackers accessed emails, usernames, hashed passwords and authentication data from one of its databases. The company stressed that the breach was contained and the risk of cracked passwords is low, but urged users to reset their passwords immediately and sign out of all connected devices. Plex has blocked the attacker's access, launched a security review and advised customers to watch for phishing attempts. The number of affected users remains undisclosed.

Cybersecurity researchers have flagged a surge in scans targeting Cisco ASA devices, raising concerns of a possible upcoming vulnerability. GreyNoise observed two major spikes in August, with up to 25,000 IPs probing ASA login portals and Cisco IOS Telnet/SSH. One wave, largely driven by a Brazilian botnet, used Chrome-like user agents and focused on US systems. Similar spikes often precede new flaw disclosures. Admins are urged to apply patches, enforce MFA and restrict direct access.

CISA has delayed finalizing its rule requiring critical infrastructure operators to report major cyber incidents until May 2026, seven months past the original deadline. The rule, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requires reporting cyber attacks within 72 hours and ransomware payments within 24. Officials say the delay allows more time to streamline requirements, reduce industry burden and harmonize with other federal regulations. Lawmakers and industry groups welcomed the extension if it ensures stakeholder input is incorporated, though some criticized CISA's lack of progress. The law, inspired by attacks like the Colonial Pipeline hack, will have wide impact across sectors once implemented.
The GAO says federal cyber workforce figures are incomplete and unreliable. Across 23 civilian agencies, it counted at least 63,934 full-time cybersecurity employees costing $9.3 billion annually, plus just over 4,000 contractors costing $5.2 billion. But most agencies lack quality data: 22 reported only partial or no contractor data, 19 had no data quality checks, and 17 lacked standard criteria for who qualifies as a cyber employee. GAO faulted the ONCD and OMB for lacking plans to improve data, noting a key working group paused in February, and it's unclear if it resumed after Sean Cairncross's August confirmation. GAO recommended closing data gaps, standardizing roles, improving reporting quality, and assessing workforce effectiveness. While Biden-era initiatives began in 2023, their current priority is uncertain, hindering sound staffing and security decisions.

Coming up after the break, Kevin McGee, Global Director of Cybersecurity Startups at Microsoft Security, discusses cybersecurity education as we head back to school, and AI earns its own Darwin Awards. Stay with us.

Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.
D
This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.
B
It is always my pleasure to welcome back to the show Kevin McGee. He is the Director of Cybersecurity for Microsoft for Startups. Kevin, welcome back.
C
Hi Dave. Glad to be back.
B
So it is that time of year, the most wonderful time of the year, when the kids go back to school. So we thought today we would do a little Dave and Kevin Back to School Edition. What do you got for us today, Kev?
C
Well, we both have our kids off to school. It's the happiest day of the year for parents, which is great. But one of the things that we've explored over the years is just the skills gap, but from a different perspective of how do we really address the skills gap in a positive manner, and that's making sure that we're providing educational opportunities to bring in folks from outside the industry and to provide opportunities for those within the industry to grow different skills. Because if you're super technical and you just go for another certification in technical aspects of the industry, it's not preparing you for a leadership role. It's not preparing you to be a manager, to recruit and motivate and mentor your staff. So I've always seen this leadership gap challenge within our industry that I thought was really something we needed to address. And I've had an opportunity to work with a couple of universities to develop some programs over the last little while, and doing a survey of what's available in the US and, I'm Canadian of course, in Canada, I'm very pleased to see sort of where we're headed with some of the educational opportunities available.
B
Well, before we dig into some of the specifics, can we stay at a high level for a second and let me just put on my skeptical hat for a minute and ask, are you convinced that the notion of a skills gap is a real thing? Because not everybody is.
C
I'm on record, I think extensively on this podcast, of saying no, I don't think there's a skills gap. I meet with students every day in my role and through my connections with universities and colleges that are desperately trying to get in the industry but can't find a job. And then I meet with employers who are trying to hire. They just can't hire. It's not a skills gap, it's a skills mismatch gap. We want someone with five years' experience, we want someone with leadership experience. And again, what other options? A lot of the young people come to me and say, well, I've got five certifications, should I do another? It's hard to differentiate yourself. It's hard to demonstrate real-world experience. It's hard to match up those two sides. And I think that's because we're just not a mature industry. Like plumbers, you know, there's a very clear way to become a plumber. There's a very clear way to become an accountant. There's a very clear way to become a doctor, a lawyer, with an apprenticeship or an internship or an articling process or whatnot. We're just not there yet, but we're headed in that direction.
B
Well, let's talk about some of the specifics then. I mean, in terms of maturation, where does the industry stand?
C
Well, I've had some firsthand experience with the University of Guelph, where I did my master's degree. We created a threat intel program which was a combination of practical skills but then also theoretical knowledge, which involved a capstone project working with companies and cyber leaders to build something out in the real world. The university recruited a board of prominent cybersecurity professionals that could come in and provide guest lectures and really provide that real-world experience. What was great for the students is they got to interact with people actually doing the jobs, and what was great for the employers is they got a firsthand look at some of those folks that are actually the brightest and up-and-coming. And we could give feedback then to the university for what could be changed to make the program better. A number of colleges in Canada, I'm not sure if it's the same in the US, have these advisory boards where they bring in industry folks to help with curriculum. I'm on a number of them. So I really encourage anyone who wants to look at joining a board of directors or whatnot, this is a good gateway to learn the skills, to work with an educational facility in a board advisory manner, but to just go through the curriculum and provide feedback, real-world experience, into this program. So it's really making a difference. Now Guelph is actually launching a leadership program in combination with the business program to combine what are the leadership qualities and what are the management qualities that you need to learn to be a successful leader, but within the cyber range, which is completely different from managing in any other business context.
B
What does that provide for the person new to the industry, to walk in with classroom experience in leadership training, classroom training in leadership, but still lacking that time with an organization, that five years of experience that everybody seems to want these days?
C
I think it's going to be difficult to walk into maybe a SOC and manage a SOC without any sort of experience. But there are so many other roles that are popping up in our industry now that just didn't even exist maybe a year ago or whatnot that are going to require different skills. So managing risk from a compliance management perspective, or automating compliance, we have teams now that are involved in creating basically SOAR for compliance solutions. Completely different skill set than managing a SOC. But the fundamentals of leadership and management are universal. So there's an opportunity for experienced managers to come from other fields into our industry and maybe bring interesting things from what happens in those industries to ours. The great example I've always used: I sat on a hospital board for a number of years and we started every board meeting with the chief nursing officer doing a near-miss analysis, where we went over a potential bad thing that could have happened and what the organization learned from that. Now that's something I've brought to my career in cyber to say let's not wait till something bad happens, let's discuss near misses and how we can improve and get better. So I think it's a chance to bring other folks from other industries maybe into the fold and expand our talent pool, but then also give those technical people that maybe have a computer science degree with no management experience or skills that opportunity to move up into leadership positions and be successful.
B
What's your advice for the folks who are actually heading back to school as we're recording this, to increase their odds of being the one who's selected when they graduate or when they decide they want to enter the market? What are your recommendations for the breadth of things they should have under their belt?
C
I think when we started out in our generation, you were the computer guy and you had to know everything about the computer, and that was fine. And our industry is really evolving to sort of niche specializations. So exploring different aspects of what is available in terms of career. Is it forensics you're interested in? And you're seeing a lot of cyber law programs that are evolving now where you're not really training to be a lawyer, but you're training to understand how to administer compliance and whatnot. I think thinking beyond the careers available in cybersecurity being just penetration testing and configuring firewalls, to the greater depth and breadth of the careers that are available, and exploring those, because there are fascinating opportunities in privacy and consent management. The explosion of AI is going to create all sorts of new challenges and problems that we're going to have to address as security professionals as well too. So interdisciplinary skills are fantastic. Bringing like law or some other aspect to the cybersecurity space, but then also finding a niche that really resonates with you as well, so you stand out. Not a generalist now, specialist. I think that's where we're headed. And the market for the educational offering seems to be headed in that direction as well.
B
Let me flip it for you then. I mean, what about for the employers? What part can they play in addressing this skills mismatch, as you describe it?
C
Yeah, I think the Guelph example, where we brought in 40 or 50 different companies to advise. Great opportunity to engage directly with the students, provide feedback on the training. But also the more you're engaged and involved in these programs, the first look at the best talent is yours. So you get to pick out that talent and maybe make that offer before anyone else as well. So you can't just really wait around for someone to pop up on the radar that has all the skills that you're looking for and all the aspects. I think really we need to start looking at developing talent and taking responsibility for that. And I find the organizations that are hiring the best talent and moving that talent through a process of promotion and whatnot and getting them really engaged quicker are the ones that are very invested right from the very beginning of the pipeline.
B
Kevin McGee is Director of Cybersecurity for Microsoft for Startups. Kevin, thanks so much for taking the time for us.
C
Great. Thanks, Dave.
A
Running a business comes with a lot of what-ifs, but luckily there's a simple answer to them: Shopify. It's the commerce platform behind millions of businesses, including Thrive Cosmetics and Momofuku, and it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations, Shopify can get the job done and make your dream a reality. Turn those what-ifs into

Sign up for your $1 per month trial at shopify.com/specialoffer.
E
Mint is still $15 a month for premium wireless. And if you haven't made the switch yet, here are 15 reasons why you should.
B
1.
E
It's $15 a month.
B
2.
E
Seriously, it's $15 a month.
B
3.
E
No big contracts.
B
4.
E
I use it.
B
5.
E
My mom used to say... Are you playing me off? That's what's happening, right? Okay, give it a try at mintmobile.com/switch.
A
Upfront payment of $45 for three-month plan, $15 per month equivalent, required. New customer offer, first three months only, then full price plan options available. Taxes and fees extra. See mintmo.com.
B
And finally, it was perhaps only a matter of time before the Darwin Awards, a long-standing monument to human misadventure, spawned an AI edition. The 2025 AI Darwin Awards honor not tragic self-removal from the gene pool, but the hubris of deploying machine intelligence where wisdom plainly did not follow. Consider Taco Bell's drive-thru AI, whose grasp of natural language proved as tenuous as its tortillas. Or Replit's vibe coding episode, in which an overeager model dutifully ignored instructions and annihilated a production database. Proof that "do not touch" is irresistible to algorithms and toddlers alike. McDonald's, meanwhile, entrusted 64 million job applicants' data to a chatbot felled by the mighty password 123456. The awards remind us AI is merely a tool, although one with global reach, zero patience and alarming enthusiasm.

And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: September 9, 2025
Host: Dave Bittner (N2K Networks)
Guest: Kevin McGee, Global Director of Cybersecurity Startups, Microsoft Security
This episode delivers a fast-paced rundown of recent cybersecurity events, defenses against major supply chain attacks, and regulatory updates. The highlight is an in-depth discussion with Kevin McGee, who explores the evolving landscape of cybersecurity education as back-to-school season arrives, offering actionable advice for students and employers alike. The show closes with a wry look at the inaugural “AI Darwin Awards.”
Segment: [14:39–23:39]
Host: Dave Bittner
Guest: Kevin McGee, Global Director, Cybersecurity Startups at Microsoft Security
| Segment | Timestamp |
|------------------------------------------------|--------------|
| NPM Supply Chain Attack Stopped | 01:00–03:10 |
| Treasury Sanctions Scam Centers | 03:12–04:15 |
| iCloud Calendar Phishing | 04:16–04:47 |
| Docker API Malware Evolution | 04:48–05:35 |
| Axios/Direct Send Phishing Surge | 05:36–06:37 |
| Plex Data Breach | 06:38–07:10 |
| Cisco ASA Scanning Activity | 07:11–07:50 |
| CISA Incident Reporting Delay | 07:51–08:44 |
| GAO Critique on Cyber Workforce Data | 08:45–09:44 |
| Interview: Kevin McGee – Cyber Ed & Talent Gap | 14:39–23:39 |
| AI Darwin Awards | 24:59–25:40 |
This episode maps out cyber threats and shifting defenses while providing a valuable deep dive into how cybersecurity education is adapting to industry needs. It challenges the idea of a plain “skills gap,” urges both students and employers to pursue specialization and involvement, and ends with a cheeky warning—a tool as powerful as AI can produce both triumph and comedy.