A
You're listening to the CyberWire Network, powered by N2K.
C
A CISA contractor leaks GovCloud credentials on GitHub. Interpol cracks down on phishing infrastructure across the Middle East and North Africa. Microsoft patches a critical Authenticator flaw while Poland moves officials off Signal. A stealthier SHub macOS info stealer emerges. Universal Robots fixes a critical vulnerability. A dark web marketplace dumps millions of stolen payment cards. Echo Protocol loses $76 million in a synthetic Bitcoin breach. Our guest is Chris Cochran, Vice President of AI Security at SANS, discussing their AI maturity model. And Nathan Detroit rolls malware snake eyes.
It's Tuesday, May 19, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
A public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency exposed highly privileged AWS GovCloud credentials and internal agency systems until it was taken offline this weekend. Researchers at GitGuardian and Ceralis say the repository contained plaintext passwords, cloud keys, tokens, logs and internal deployment files tied to CISA and the Department of Homeland Security. According to available reports, exposed credentials authenticated to at least three AWS GovCloud accounts with elevated privileges. Researchers also found credentials for CISA's internal software development and code package systems.
The repository reportedly included evidence that GitHub's secret scanning protections had been disabled. Exposed administrative credentials and software build systems could provide attackers a pathway for persistence or lateral movement inside sensitive government environments. Researchers describe the leak as an example of poor credential management and weak operational security practices.
Interpol says its latest cybercrime crackdown, dubbed Operation Rams, led to more than 200 arrests and the seizure of 53 servers tied to phishing, malware and online fraud operations across the Middle East and North Africa. Authorities across 13 countries also identified 382 additional suspects and linked the seized infrastructure to at least 3,800 confirmed victims. Interpol says the operation disrupted phishing-as-a-service platforms, malware distribution systems and investment fraud schemes. Private sector partners including Kaspersky, Group-IB and Team Cymru assisted with threat intelligence and infrastructure tracking. The operation highlights growing international coordination between law enforcement and cybersecurity firms to disrupt cybercriminal infrastructure before it can be reused or expanded.
Microsoft has released emergency updates for its Authenticator app on Android and iOS to fix a critical vulnerability that could allow attackers to steal authentication tokens and access corporate resources. The flaw, with a CVSS score of 9.6, could be exploited by tricking users into approving a malicious authentication request disguised as legitimate, according to Microsoft. The app could then generate and transmit access tokens to an attacker-controlled server. Multiple versions were affected. The issue highlights ongoing risks around push-based authentication and user approval fatigue, even in multi-factor authentication workflows.
Poland is directing government officials to stop using Signal for sensitive communications after a series of phishing and account takeover campaigns targeting politicians, military personnel and public servants, officials say. The activity is linked to advanced persistent threat groups associated with Russian state interests. According to Poland's National Computer Security Incident Response Teams, attackers posed as Signal support staff and tricked users into sharing verification codes or linking attacker-controlled devices through malicious QR codes and phishing links. Authorities emphasized that Signal's encryption was not broken. Instead, attackers exploited users through social engineering techniques. Poland will shift officials to government-controlled platforms. The move reflects broader concerns across Europe that user-targeted phishing remains one of the biggest weaknesses in secure messaging environments.
Researchers at SentinelOne have identified a new variant of the SHub macOS info stealer, dubbed Reaper, that uses AppleScript and fake security update prompts to compromise Apple devices and install persistent backdoor access. Unlike earlier SHub campaigns that relied on Terminal-based social engineering, the new variant abuses the AppleScript URL scheme to launch malicious scripts through macOS Script Editor. Researchers say the malware steals browser data, cryptocurrency wallets, password manager information, Telegram sessions, and sensitive files from infected systems. Reaper also hijacks cryptocurrency wallet applications by replacing legitimate application files with malicious versions and establishes persistence through fake Google software update launch agents. The campaign highlights how macOS-focused threat actors are adapting to Apple's recent security mitigations by shifting toward new execution methods and broader post-compromise access capabilities.
Universal Robots has patched a critical vulnerability in its PolyScope 5 operating system that could allow attackers to remotely execute commands on industrial collaborative robots, or cobots. The flaw has a CVSS score of 9.8 and affects the Dashboard server interface and stems from improper handling of user input, according to CISA and the vendor. An unauthenticated attacker with network access could compromise affected robot controllers. Researchers warn that flat industrial networks and remote management connections could increase exposure and potentially allow attackers to move between connected systems. The issue underscores continuing risks around operational technology security and network segmentation in industrial environments.
The dark web carding marketplace Blacks Stash has released roughly 4.6 million stolen credit card records for free, claiming the move was punishment for sellers who allegedly resold stolen cards through competing criminal platforms, according to SOCRadar. The leaked records include full payment card details, billing addresses, phone numbers, email addresses and IP data. Researchers estimate roughly 4.3 million of the cards may be previously unseen and potentially active. The majority of affected victims appear to be based in the United States, with additional exposure across Canada, the United Kingdom and parts of Asia. Security researchers warn the release could fuel a spike in card-not-present fraud, identity theft, phishing campaigns and credential stuffing attacks in the coming weeks as threat actors redistribute the data.
Echo Protocol is investigating a major security breach after an attacker minted roughly 1,000 unauthorized EBTC tokens, creating about $76.7 million in synthetic Bitcoin on the Monad blockchain. Blockchain security firms PeckShield and Lookonchain say the attacker moved portions of the funds through decentralized finance platforms, bridged assets to Ethereum and laundered some proceeds through Tornado Cash.
Researchers suspect the incident stemmed from an administrative private key compromise rather than a flaw in the protocol's smart contracts. Echo Protocol has suspended cross-chain transactions while the investigation continues. The breach highlights ongoing operational security risks in decentralized finance, particularly around privileged account management and bridge infrastructure.
Coming up after the break, my conversation with Chris Cochran from SANS. We're discussing their new AI maturity model. And Nathan Detroit rolls malware snake eyes. Stick around.
C
Chris Cochran is Field CISO and Vice President of AI Security at SANS. I recently caught up with him for the latest on their new SANS AI security maturity model. Chris, welcome back.
E
Hey, it's always good to be back with you, Dave.
C
Well, you have an exciting announcement to share with our audience here today. The latest coming out of SANS from your colleagues. What's going on here, Chris?
E
Yeah, so it's been a long time coming. I've been spending my days basically talking to other leaders in the space around the world, trying to understand their pain points when it comes to AI adoption, AI security and AI strategy. And honestly, I just kept hearing a lot of the same things of what people are concerned about and being able to, number one, practice what I preach, but then also being able to sort of get the in order, being able to see what other people are doing out there in the space. I decided to pull together an AI Security maturity model and I wanted to create this basically to help folks orient themselves around artificial intelligence, be able to see where they're at from a maturity standpoint, figure out where they need to go and then what they need to do to cross that gap to get to where they need to be.
C
Well, let's walk through that together. I mean, you decide that this is something you're going to take on. What happens next?
E
Yeah, basically it started with the AI blueprint that SANS came out with, which is a really overarching piece around how do you orient yourself around artificial intelligence? They bucket it into protect, utilize and govern. So protect is how do we secure our AI against attacks. Utilize is how do we use AI for security and govern is how do we manage AI risk and enable innovation in a way that is fast and efficient? And so this is the accompanying document. This is a guide to help folks orient themselves around where they are today and where they need to be.
C
And who's the target audience here? Who are you hoping to help out?
E
I would say the target audience here would be mainly the security leaders. And this could be the CISO, this could be VPs for different organizations within the security function. But I would say it's for anybody that's really trying to understand the world that we live in today when it comes to AI. I have this belief that we are maybe months, maybe a year at most away from autonomous attacks right there. I could see a world in which we have tens of thousands, if not hundreds of thousands of malicious autonomous agents looking for targets of opportunity. And I feel like that we as cybersecurity practitioners and leaders really need to start to get our houses in order so that we can start to defend ourselves against this oncoming storm.
C
Can you give us some examples of some of the things people can expect to find here?
E
Yeah. You'll be able to see the five different stages of maturity. Right. I do these things called Jeffersonian dinners where I have conversations with folks around their AI adoption, AI maturity. And I would have to say that the most of organizations out there are probably around 1, 2, maybe a level 3. You'll be able to see different questions inside to really assess where you're at from a maturity standpoint and maybe even ask some questions around things that you haven't even thought of yet. Right. When we think about things like third party risk analysis, right, are folks going back to older analysis that we've done with vendors that we've already onboarded that have now included artificial intelligence? What are we doing from an AI identity standpoint? Right. We had workforce identity, which we started to do pretty decent. Then we had non-human identity, which we haven't done as well. But now we have agentic identity that we have to account for. And we all know exactly how tough that is. And so this is going to help folks sort of orient themselves around the problem.
C
With something that's changing as quickly as AI is, is there anybody out there who you would consider to have a really high level of maturity?
E
There are some organizations out there that I would say they're as mature as they could be. Right. There's a lot of high tech organizations out there that are really pushing the envelope, creating their own infrastructure, creating their own standards and protocols. But I would say that for the most part, I feel like we're all really starting to just figure a lot of this stuff out together. We're all having a lot of the same pain points. And I feel like the more that we can all get on the same page but find a way to communicate with one another, the better we're going to be for the days to come.
C
Yeah, I know that you are out there talking face to face with these folks who are experiencing these pain points. Can you share some of the stories that you're hearing out there?
E
Yeah. For example, I just was speaking to a customer the other day and they were hiring somebody on their team. It was something very simple like an AI security engineer and they put out a job req. Within a week they had 2,000 folks. And which sounds great, but after about two months of this process, they couldn't find one person with the requisite skills that they needed to fulfill this role. So, I mean, what that tells me is a couple of things. Number one, there's not a lot of talent right now out there in the world that has the AI skills that we might be looking for because it's such a new arena. But then it also tells me that it might be best case for folks to really look inside their organizations and start to train their people in order to fill the gaps that they have from a skills perspective. And so this document will help from that perspective to, number one, figure out, hey, what are all the components and pieces that we might be missing? But then also, what can we use in here to sort of help us guide exactly the skills that we need, the personnel that we need, the technology and the processes.
C
Do you sense that folks are feeling a little overwhelmed when it comes to this? I mean, it feels like the security leaders are being pulled in a lot of different directions.
E
I'm glad you asked that because that's one of the big problems that I'm seeing right now. Security leaders out there are getting pulled in a million different directions. They are being expected to have a solid strategy and an answer for the board and their C-suite counterparts as to, hey, what are we doing with AI? What are we doing with AI security? They're having to encourage their teams to use artificial intelligence to make their jobs faster, better, more efficient. But believe it or not, there's a lot of technical and even process inertia. I think human beings don't really like change and that even accounts for cybersecurity practitioners. I mean, I wish it wasn't the case, but I speak to people and I would say about 50% of the technologists that I speak to are self-professed AI skeptics. And this is what I tell them. I say, you can no longer afford to be a skeptic of artificial intelligence. At worst, you could be cautiously optimistic because our enemies, our adversaries, they're using artificial intelligence and trying to fight fire with fire is the only way that we're going to be able to keep pace.
C
Are you optimistic that we're on a good pathway here? That over the next few years we could see good things come from all of this?
E
I'm always optimistic, but I'm also a realist. I know that the future can be bright. I feel like we're all going to band together and do this, be able to defend ourselves against all the stuff that may come at us. But I do know it's going to take a lot of work and it's going to take a lot of intention on our part in order to get there. So that's part of the communication that I've been sort of pushing is, hey, we all need to band together. We need to really start to hone in on what's the most important. How do we prioritize our initiatives, how do we prioritize our hiring, our resources? Because it's going to take a lot of really concerted effort in order to get there. But I'm optimistic.
C
It's a really good point. I think that despite this push towards technology and these rapid changes, we still need a community.
E
100%. It's the most important thing that we have. When you think about what is the role of the human being, first of all, a human should always be in the loop with artificial intelligence. Second of all, they say high tides raise all boats. But even more importantly, in this arena that we're dealing with in artificial intelligence, potential autonomous attacks, being able to communicate all of these learnings, the findings, hey, we made this discovery or we made this mistake. And being able to share that brain trust of information with one another is how we're going to really become hard targets for the cybercriminals out there.
C
Chris Cochran is Field CISO and Vice President of AI Security at SANS. Chris, thanks so much for taking the time for us.
E
Thanks, Dave. Always a pleasure.
C
That's Chris Cochran, Field CISO and Vice President of AI Security at SANS.
C
And finally, the Chanhassen Dinner Theatres in Minnesota has canceled two more performances of Guys and Dolls after a one-two punch of norovirus and a cyber attack sidelined both cast members and online systems. And I said to myself, sit down, sit down, you're rocking the boat. The theater says performances scheduled for May 19 and the May 20 matinee will not go on while staff work with the Minnesota Department of Health to disinfect facilities and give performers time to recover. At the same time, officials are responding to a cyber attack that disrupted the theater's computer network and online operations. According to theater leadership, efforts are underway to securely restore affected systems. It is an unusually modern backstage problem. One part public health response, one part incident response plan. For now, the show quite literally cannot go on.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: May 19, 2026
Host: Dave Bittner, N2K Networks
This episode focuses on several major cybersecurity developments making headlines, including a significant data exposure incident involving a CISA contractor on GitHub, global law enforcement operations targeting cybercrime, critical vulnerability disclosures, a new macOS malware variant, payment card data leaks, and a high-profile DeFi breach. The show also features a guest segment with Chris Cochran, Field CISO and VP of AI Security at SANS, who discusses the release of the SANS AI Security Maturity Model. The episode closes with a quirky cyber-incident involving a Minnesota theater company.
The maturity model builds on SANS’ AI Blueprint, structured in three pillars:
Quote: “This is the accompanying document. This is a guide to help folks orient themselves around where they are today and where they need to be.” (Chris Cochran, 14:07)
This episode delivers a rapid-fire update on high-profile cybersecurity news across government, technology, crime, and industry, interwoven with a timely expert discussion about preparing organizations for the coming age of AI-driven cyberthreats. The call for strong internal controls, upskilling in security and AI, and a cyber community’s collective effort against evolving threats is particularly urgent. Listeners walk away with a sense of both immediate risk and hope—not just about technology, but about the irreplaceable value of humans working together.