CyberWire Daily — “Chalk One Up for Defenders.”

Date: September 9, 2025
Host: Dave Bittner (N2K Networks)
Guest: Kevin McGee, Global Director of Cybersecurity Startups, Microsoft Security

Episode Overview

This episode delivers a fast-paced rundown of recent cybersecurity events, defenses against major supply chain attacks, and regulatory updates. The highlight is an in-depth discussion with Kevin McGee, who explores the evolving landscape of cybersecurity education as back-to-school season arrives, offering actionable advice for students and employers alike. The show closes with a wry look at the inaugural “AI Darwin Awards.”

Key News & Analysis Segments

1. Open Source Community Thwarts NPM Supply Chain Attack

Segment: [01:00–03:10]
A coordinated open source community effort quickly neutralized a sophisticated supply chain attack targeting the NPM ecosystem.
Details:
- Attacker compromised the account of developer Josh Junon (“Kicks”) and poisoned popular packages (Chalk, strip-ansi).
- The malware acted as a crypto clipper, aiming to intercept and reroute cryptocurrency transactions.
- Community response was remarkably rapid: “Developers flagged the threat within 15 minutes, with some packages taken down in under an hour.” ([02:40])
- Estimated losses ranged only from $20–$66.
- The incident underscores both the seriousness of supply chain threats but, more importantly, “the strength of open source collaboration in preventing widespread damage.” ([03:05], Dave)

2. Treasury Sanctions Southeast Asian Cyber Scam Centers

Segment: [03:12–04:15]
The U.S. Treasury sanctioned numerous individuals and entities behind scam centers in Myanmar and Cambodia, which had defrauded Americans of over $10 billion.
- The sanctions target crime rings involved in human trafficking and scams, including forced labor compounds and casino-linked centers.
- “Officials said these sanctions aimed to disrupt industrial scale fraud while combating human trafficking and modern slavery in the region.” ([04:06], Dave)

3. iCloud Phishing via Calendar Invites

Segment: [04:16–04:47]
Scammers circulate fake calendar invites with embedded purchase notification scams, leveraging Apple’s own servers for legitimacy.
- “Victims are urged to call fraudulent numbers where attackers attempt to trick them into downloading malicious software.” ([04:40])
- Advisory: Treat calendar invites with the same skepticism as suspicious emails.

4. Evolving Malware Targeting Docker APIs

Segment: [04:48–05:35]
Akamai discovered a new, more advanced malware variant exploiting Docker APIs.
- This malware now blocks API access, persists on hosts, and aggressively removes competing miners.
- Signs point to “early botnet development” and future expansion.
- Call to Action: “Docker users [should] secure APIs and monitor activity closely.” ([05:30])

5. Phishing Surge via Axios User Agent & Microsoft Direct Send

Segment: [05:36–06:37]
ReliaQuest observed a 241% spike in Axios-driven phishing campaigns since June, now comprising roughly a quarter of malicious user agent traffic.
- Axios-enabled phishing enjoyed a 58% success rate, soaring to 70% with Direct Send—far outpacing other methods.
- The attacks transitioned from targeting executives to regular users.
- Axios’ legitimacy as a tool helps attackers evade filters.
- Advice: Disable Direct Send, enhance user training, and reinforce email security.

6. Plex Data Breach

Segment: [06:38–07:10]
Streaming platform Plex disclosed a data breach, exposing user emails, usernames, hashed passwords, and authentication tokens.
- Urged all users to reset passwords and sign out.
- “The number of affected users remains undisclosed.” ([07:08])

7. Surge in Scans Targeting Cisco ASA Devices

Segment: [07:11–07:50]
A sharp spike in scanning activity targeting Cisco’s ASA security appliances may foreshadow new vulnerability disclosures.
- Most scans originated from a Brazilian botnet using Chrome-like user agents.
- Admins are advised to apply patches, enforce MFA, and restrict access.

8. CISA Delays Incident Reporting Rule Implementation

Segment: [07:51–08:44]
The CISA’s timeline for mandatory incident reporting by critical infrastructure operators is pushed to May 2026.
- The extension aims to “streamline requirements, reduce industry burden and harmonize with other federal regulations.”
- Some lawmakers support the extension for greater stakeholder input, others express frustration at slow progress.
- Inspired by past attacks (e.g., Colonial Pipeline), the law is expected to have sweeping industry impact upon enactment.

9. GAO Criticizes Federal Cyber Workforce Data

Segment: [08:45–09:44]
The GAO calls out incomplete and unreliable data on the federal cyber workforce.
- Over 63,000 cybersecurity staff tracked, but contractor data, data quality checks, and role definitions are inconsistent or missing.
- “GAO recommended closing data gaps, standardizing roles, improving reporting quality, and assessing workforce effectiveness.” ([09:40])

Feature Interview: Kevin McGee on Cybersecurity Education & the “Skills Gap”

Segment: [14:39–23:39]
Host: Dave Bittner
Guest: Kevin McGee, Global Director, Cybersecurity Startups at Microsoft Security

1. Is There Really a “Skills Gap?”

Kevin pushes back on the traditional “skills gap” narrative:
- “It's not a skills gap—it's a skills mismatch gap. We want someone with five years experience, we want someone with leadership experience... I meet students every day... desperately trying to get into the industry but can't find a job.” ([16:23])
- The cybersecurity field lacks the clear career pathways seen in other trades and professions.

2. Industry Maturation & Educational Innovation

Universities are beginning to blend theory with practical, real-world experience:
- Example: University of Guelph’s threat intel program combines classroom knowledge with capstone projects and input from prominent cyber professionals ([17:31]).
- “They got to interact with people actually doing the jobs ... and we could give feedback then to the university for what could be changed to make the program better.” ([17:49])
- Advisory boards—where industry helps shape curriculum—are instrumental for both students and employers.

3. Addressing the “Leadership Gap”

Kevin identifies a pressing need for leadership and management skills, not just technical certifications:
- “If you're super technical and you just go for another certification... it's not preparing you for a leadership role.” ([15:10])
- New leadership programs are emerging, often in tandem with business schools.

4. Broadening the Talent Pool & Lessons from Other Industries

The cyber sector benefits from bringing in experienced managers from outside and nurturing technical talent with leadership training.
- “The fundamentals of leadership and management are universal... it's a chance to bring other folks from other industries into the fold.” ([19:30])
- Memorable example: “We started every board meeting [at the hospital] with the chief nursing officer doing a near miss analysis... now that's something I've brought to my career in cyber.” ([19:50])

5. Advice for Students Returning to School

Specialization and interdisciplinary skills are increasingly valuable:
- “Explore different aspects of what is available in terms of career... Think beyond the careers available in cybersecurity are just penetration testing and configuring firewalls.” ([21:11])
- Standout careers include forensics, cyber law, compliance, privacy, consent management, and the impending challenges AI will bring.
- “Interdisciplinary skills are fantastic... finding a niche that really resonates with you as well. So you stand out. Not a generalist now, specialist.” ([21:44])

6. Advice for Employers

Get directly involved with educational institutions:
- “The more you're engaged and involved in these programs, the first look of the best talent is yours.” ([22:44])
- Talent cultivation requires proactive engagement, not just waiting for perfect candidates to appear.

Notable Quotes

On the “skills gap”:
- “I'm on record... of saying no, I don't think there's a skills gap. ... It's hard to differentiate yourself. It's hard to demonstrate real world experience. It's hard to match up those two sides. ... We're just not a mature industry.” — Kevin McGee ([16:23])
On broadening the talent pool:
- “The fundamentals of leadership and management are universal. ... It's a chance to bring other folks from other industries maybe into the fold and expand our talent pool.” — Kevin McGee ([19:30])
Advice for students:
- “Interdisciplinary skills are fantastic... finding a niche that really resonates with you as well. So you stand out. Not a generalist now, specialist. I think that's where we're headed.” — Kevin McGee ([21:44])
Advice for employers:
- “You can't just really wait around for someone to pop up… Really we need to start looking at developing talent and taking responsibility for that.” — Kevin McGee ([22:44])

Memorable Moments

Fastest Community Response:
Developers flagged the NPM supply chain attack in 15 minutes ([02:40]), demonstrating open source vigilance.
AI Darwin Awards:
The debut AI Darwin Awards humorously spotlight misapplied AI, including Taco Bell’s language-challenged drive-thru, a chatbot using “123456” as a password, and production data wiped by an overeager algorithm ([24:59]).
- “The awards remind us AI is merely a tool, although one with global reach, zero patience and alarming enthusiasm.” ([25:40], Dave)
Career Pathways:
Cybersecurity is described as evolving from generalist “computer guy” roles to highly specialized professions ([21:11]).

Timestamps for Key Segments

| Segment | Timestamp | |------------------------------------------------|--------------| | NPM Supply Chain Attack Stopped | 01:00–03:10 | | Treasury Sanctions Scam Centers | 03:12–04:15 | | iCloud Calendar Phishing | 04:16–04:47 | | Docker API Malware Evolution | 04:48–05:35 | | Axios/Direct Send Phishing Surge | 05:36–06:37 | | Plex Data Breach | 06:38–07:10 | | Cisco ASA Scanning Activity | 07:11–07:50 | | CISA Incident Reporting Delay | 07:51–08:44 | | GAO Critique on Cyber Workforce Data | 08:45–09:44 | | Interview: Kevin McGee – Cyber Ed & Talent Gap | 14:39–23:39 | | AI Darwin Awards | 24:59–25:40 |

Conclusion

This episode maps out cyber threats and shifting defenses while providing a valuable deep dive into how cybersecurity education is adapting to industry needs. It challenges the idea of a plain “skills gap,” urges both students and employers to pursue specialization and involvement, and ends with a cheeky warning—a tool as powerful as AI can produce both triumph and comedy.

CyberWire Daily — “Chalk One Up for Defenders.”

Date: September 9, 2025
Host: Dave Bittner (N2K Networks)
Guest: Kevin McGee, Global Director of Cybersecurity Startups, Microsoft Security

Episode Overview

Key News & Analysis Segments

1. Open Source Community Thwarts NPM Supply Chain Attack

Segment: [01:00–03:10]
A coordinated open source community effort quickly neutralized a sophisticated supply chain attack targeting the NPM ecosystem.
Details:
- Attacker compromised the account of developer Josh Junon (“Kicks”) and poisoned popular packages (Chalk, strip-ansi).
- The malware acted as a crypto clipper, aiming to intercept and reroute cryptocurrency transactions.
- Community response was remarkably rapid: “Developers flagged the threat within 15 minutes, with some packages taken down in under an hour.” ([02:40])
- Estimated losses ranged only from $20–$66.
- The incident underscores both the seriousness of supply chain threats but, more importantly, “the strength of open source collaboration in preventing widespread damage.” ([03:05], Dave)

2. Treasury Sanctions Southeast Asian Cyber Scam Centers

Segment: [03:12–04:15]
The U.S. Treasury sanctioned numerous individuals and entities behind scam centers in Myanmar and Cambodia, which had defrauded Americans of over $10 billion.
- The sanctions target crime rings involved in human trafficking and scams, including forced labor compounds and casino-linked centers.
- “Officials said these sanctions aimed to disrupt industrial scale fraud while combating human trafficking and modern slavery in the region.” ([04:06], Dave)

3. iCloud Phishing via Calendar Invites

Segment: [04:16–04:47]
Scammers circulate fake calendar invites with embedded purchase notification scams, leveraging Apple’s own servers for legitimacy.
- “Victims are urged to call fraudulent numbers where attackers attempt to trick them into downloading malicious software.” ([04:40])
- Advisory: Treat calendar invites with the same skepticism as suspicious emails.

4. Evolving Malware Targeting Docker APIs

Segment: [04:48–05:35]
Akamai discovered a new, more advanced malware variant exploiting Docker APIs.
- This malware now blocks API access, persists on hosts, and aggressively removes competing miners.
- Signs point to “early botnet development” and future expansion.
- Call to Action: “Docker users [should] secure APIs and monitor activity closely.” ([05:30])

5. Phishing Surge via Axios User Agent & Microsoft Direct Send

Segment: [05:36–06:37]
ReliaQuest observed a 241% spike in Axios-driven phishing campaigns since June, now comprising roughly a quarter of malicious user agent traffic.
- Axios-enabled phishing enjoyed a 58% success rate, soaring to 70% with Direct Send—far outpacing other methods.
- The attacks transitioned from targeting executives to regular users.
- Axios’ legitimacy as a tool helps attackers evade filters.
- Advice: Disable Direct Send, enhance user training, and reinforce email security.

6. Plex Data Breach

Segment: [06:38–07:10]
Streaming platform Plex disclosed a data breach, exposing user emails, usernames, hashed passwords, and authentication tokens.
- Urged all users to reset passwords and sign out.
- “The number of affected users remains undisclosed.” ([07:08])

7. Surge in Scans Targeting Cisco ASA Devices

Segment: [07:11–07:50]
A sharp spike in scanning activity targeting Cisco’s ASA security appliances may foreshadow new vulnerability disclosures.
- Most scans originated from a Brazilian botnet using Chrome-like user agents.
- Admins are advised to apply patches, enforce MFA, and restrict access.

8. CISA Delays Incident Reporting Rule Implementation

Segment: [07:51–08:44]
The CISA’s timeline for mandatory incident reporting by critical infrastructure operators is pushed to May 2026.
- The extension aims to “streamline requirements, reduce industry burden and harmonize with other federal regulations.”
- Some lawmakers support the extension for greater stakeholder input, others express frustration at slow progress.
- Inspired by past attacks (e.g., Colonial Pipeline), the law is expected to have sweeping industry impact upon enactment.

9. GAO Criticizes Federal Cyber Workforce Data

Segment: [08:45–09:44]
The GAO calls out incomplete and unreliable data on the federal cyber workforce.
- Over 63,000 cybersecurity staff tracked, but contractor data, data quality checks, and role definitions are inconsistent or missing.
- “GAO recommended closing data gaps, standardizing roles, improving reporting quality, and assessing workforce effectiveness.” ([09:40])

Feature Interview: Kevin McGee on Cybersecurity Education & the “Skills Gap”

Segment: [14:39–23:39]
Host: Dave Bittner
Guest: Kevin McGee, Global Director, Cybersecurity Startups at Microsoft Security

1. Is There Really a “Skills Gap?”

Kevin pushes back on the traditional “skills gap” narrative:
- “It's not a skills gap—it's a skills mismatch gap. We want someone with five years experience, we want someone with leadership experience... I meet students every day... desperately trying to get into the industry but can't find a job.” ([16:23])
- The cybersecurity field lacks the clear career pathways seen in other trades and professions.

2. Industry Maturation & Educational Innovation

Universities are beginning to blend theory with practical, real-world experience:
- Example: University of Guelph’s threat intel program combines classroom knowledge with capstone projects and input from prominent cyber professionals ([17:31]).
- “They got to interact with people actually doing the jobs ... and we could give feedback then to the university for what could be changed to make the program better.” ([17:49])
- Advisory boards—where industry helps shape curriculum—are instrumental for both students and employers.

3. Addressing the “Leadership Gap”

Kevin identifies a pressing need for leadership and management skills, not just technical certifications:
- “If you're super technical and you just go for another certification... it's not preparing you for a leadership role.” ([15:10])
- New leadership programs are emerging, often in tandem with business schools.

4. Broadening the Talent Pool & Lessons from Other Industries

The cyber sector benefits from bringing in experienced managers from outside and nurturing technical talent with leadership training.
- “The fundamentals of leadership and management are universal... it's a chance to bring other folks from other industries into the fold.” ([19:30])
- Memorable example: “We started every board meeting [at the hospital] with the chief nursing officer doing a near miss analysis... now that's something I've brought to my career in cyber.” ([19:50])

5. Advice for Students Returning to School

Specialization and interdisciplinary skills are increasingly valuable:
- “Explore different aspects of what is available in terms of career... Think beyond the careers available in cybersecurity are just penetration testing and configuring firewalls.” ([21:11])
- Standout careers include forensics, cyber law, compliance, privacy, consent management, and the impending challenges AI will bring.
- “Interdisciplinary skills are fantastic... finding a niche that really resonates with you as well. So you stand out. Not a generalist now, specialist.” ([21:44])

6. Advice for Employers

Get directly involved with educational institutions:
- “The more you're engaged and involved in these programs, the first look of the best talent is yours.” ([22:44])
- Talent cultivation requires proactive engagement, not just waiting for perfect candidates to appear.

Notable Quotes

On the “skills gap”:
- “I'm on record... of saying no, I don't think there's a skills gap. ... It's hard to differentiate yourself. It's hard to demonstrate real world experience. It's hard to match up those two sides. ... We're just not a mature industry.” — Kevin McGee ([16:23])
On broadening the talent pool:
- “The fundamentals of leadership and management are universal. ... It's a chance to bring other folks from other industries maybe into the fold and expand our talent pool.” — Kevin McGee ([19:30])
Advice for students:
- “Interdisciplinary skills are fantastic... finding a niche that really resonates with you as well. So you stand out. Not a generalist now, specialist. I think that's where we're headed.” — Kevin McGee ([21:44])
Advice for employers:
- “You can't just really wait around for someone to pop up… Really we need to start looking at developing talent and taking responsibility for that.” — Kevin McGee ([22:44])

Memorable Moments

Fastest Community Response:
Developers flagged the NPM supply chain attack in 15 minutes ([02:40]), demonstrating open source vigilance.
AI Darwin Awards:
The debut AI Darwin Awards humorously spotlight misapplied AI, including Taco Bell’s language-challenged drive-thru, a chatbot using “123456” as a password, and production data wiped by an overeager algorithm ([24:59]).
- “The awards remind us AI is merely a tool, although one with global reach, zero patience and alarming enthusiasm.” ([25:40], Dave)
Career Pathways:
Cybersecurity is described as evolving from generalist “computer guy” roles to highly specialized professions ([21:11]).

Chalk one up for defenders.

Powered by Wave AI

Summary

CyberWire Daily — “Chalk One Up for Defenders.”

Episode Overview

Key News & Analysis Segments

1. Open Source Community Thwarts NPM Supply Chain Attack

2. Treasury Sanctions Southeast Asian Cyber Scam Centers

3. iCloud Phishing via Calendar Invites

4. Evolving Malware Targeting Docker APIs

5. Phishing Surge via Axios User Agent & Microsoft Direct Send

6. Plex Data Breach

7. Surge in Scans Targeting Cisco ASA Devices

8. CISA Delays Incident Reporting Rule Implementation

9. GAO Criticizes Federal Cyber Workforce Data

Feature Interview: Kevin McGee on Cybersecurity Education & the “Skills Gap”

1. Is There Really a “Skills Gap?”

2. Industry Maturation & Educational Innovation

3. Addressing the “Leadership Gap”

4. Broadening the Talent Pool & Lessons from Other Industries

5. Advice for Students Returning to School

6. Advice for Employers

Notable Quotes

Memorable Moments

Timestamps for Key Segments

Conclusion

Summary

CyberWire Daily — “Chalk One Up for Defenders.”

Episode Overview

Key News & Analysis Segments

1. Open Source Community Thwarts NPM Supply Chain Attack

2. Treasury Sanctions Southeast Asian Cyber Scam Centers

3. iCloud Phishing via Calendar Invites

4. Evolving Malware Targeting Docker APIs

5. Phishing Surge via Axios User Agent & Microsoft Direct Send

6. Plex Data Breach

7. Surge in Scans Targeting Cisco ASA Devices

8. CISA Delays Incident Reporting Rule Implementation

9. GAO Criticizes Federal Cyber Workforce Data

Feature Interview: Kevin McGee on Cybersecurity Education & the “Skills Gap”

1. Is There Really a “Skills Gap?”

2. Industry Maturation & Educational Innovation

3. Addressing the “Leadership Gap”

4. Broadening the Talent Pool & Lessons from Other Industries

5. Advice for Students Returning to School

6. Advice for Employers

Notable Quotes

Memorable Moments

Timestamps for Key Segments

Conclusion