Summary6 min read

CyberWire Daily: "Foreign Routers Get a Longer Lifeline"

Date: May 11, 2026
Host: Dave Bittner (N2K Networks)
Guest: Dan Lorenc, CEO & Co-founder of Chainguard
Episode Theme: Key cybersecurity news and a deep dive into recent software supply chain attacks

Episode Overview

This episode covers the latest global cybersecurity news, including an FCC decision impacting foreign network devices, multiple high-profile data breaches, evolving malware tactics, threats to critical infrastructure, and headline business moves in the cyber sector. The heart of the episode is an in-depth interview with Dan Lorenc of Chainguard, exploring the mechanics and implications of recent software supply chain attacks, why they continue to succeed, and what organizations should do next.

Key News Highlights

FCC Eases Restrictions on Foreign Routers

[00:12–01:41]

Summary: The FCC has extended the deadline for foreign-made router manufacturers to supply security updates to US customers by nearly two years, pushing it to at least January 1, 2029.
Applies only to software/firmware updates to maintain functionality or patch vulnerabilities—adding new features remains forbidden.
The same policy covers banned foreign-made drones.
Threat context: Unpatched routers remain a prime attack surface, with recent campaigns from Volt Typhoon and Salt Typhoon exploiting poor network management for espionage.

Shiny Hunters Target Canvas and Zara

[01:41–03:41]

Canvas: The learning platform suffered a major disruption pre-exam season; the attackers exploited “free for teacher” accounts, now disabled. Shiny Hunters claimed to affect nearly 9,000 schools.
Zara: Data from 197,000+ customers exposed in an incident tracing to third-party analytics provider Anadot. Although some sensitive fields were safe, authentication tokens were abused, broadening the risk to millions across several companies.

SailPoint GitHub Breach

[03:41–04:32]

Unauthorized access to a subset of Sailpoint’s GitHub repositories via a third-party vulnerability; prompt containment and no impact on customer production systems.

Trichmo Android Banking Malware Evolution

[04:32–05:43]

New variant disguises itself as TikTok/streaming apps, targets France, Italy, Austria.
Uses Open Network (tun) and other stealthy methods, now integrating SSH tunneling and decentralized C2 to resist takedowns.

Polish ICS and Infrastructure Attacks

[05:43–07:07]

Surge in attacks through 2024-25, notably on municipal water systems. Many exploited poor security rather than sophisticated malware.
Russian state-backed actors named in wide-ranging infrastructure campaigns.
AI-fueled attacks and under-resourced utilities named as growing risks.

Insider Threat & Zero-Day Thefts

[07:07–08:11]

Former L3 Harris exec ordered to pay $11.3M in restitution for selling zero-days to Russian broker Operation Zero.
Serves as a case study in the dangers of insider threats to offensive cyber tools.

"Crime Network" darknet marketplace taken down

[08:11–09:11]

German authorities disrupt a revived cybercrime marketplace. 22,000+ users, €3.6M in revenue seized.

Business Breakdown: Cybersecurity Funding and Acquisitions

[09:11–11:07]

AI security, identity protection, and offensive security are the hottest investment areas.
Major announcements include Expo’s $155M Series C, Bug Bounty Switzerland’s $15.3M raise, Palo Alto & Cisco making big acquisitions.
Focus is shifting to securing AI agents and non-human identities amid enterprise AI adoption.

FEATURE INTERVIEW: Dan Lorenc on Supply Chain Attacks

[15:54–25:03]

How the Recent Attack Unfolded

[15:54–18:54]

Attack began with “Hackerbot Claw” — an AI-assisted campaign against open source projects’ CI/CD pipelines.
Malicious code in pull requests exploited insecure test runners to steal credentials.
Stolen keys allowed attackers to corrupt binaries of major projects (e.g., the Trivy security scanner).
After initial fix attempts, attackers re-compromised repos and ultimately pivoted to include credential-stealing malware in infected binaries.
The fallout touched thousands of downstream projects, including Light LLM (AI Python library) and Axios (top 10 JavaScript library).

Notable Quote:

"Open source projects are particularly vulnerable ... anyone can send code and they set up CI/CD to run tests on the code sent by random strangers on the Internet."
— Dan Lorenc, [15:58]

Attackers are still in "cred theft" mode, but likely to escalate to ransom or further monetization.

Why Supply Chain Attacks Keep Succeeding

[18:54–20:10]

Massive attack surface: CI/CD systems are often complex, fragile, and not secure by default—especially in GitHub Actions.
Open source supply chains have long dependency links—just a few mistakes can impact thousands.

Notable Quote:

“CI/CD systems, all at the end of the day, look like giant Rube Goldberg machines held together with duct tape and baling wire.”
— Dan Lorenc, [19:16]

Is It Time for a Supply Chain Security "Reboot"?

[20:10–21:18]

Attacks on the supply chain are not new—referenced Ken Thompson's “Reflections on Trusting Trust.”
Recent focus is because other vectors have become better defended; supply chain is now the “easier target.”

Notable Quote:

“The only change now is attackers are finally focusing on it ... they go to the next easiest target, which is the software supply chains themselves.”
— Dan Lorenc, [20:47]

What Should Security Teams Actually Do?

[21:18–23:37]

No silver bullet:
- Treat build systems as production systems
- Actively manage and rotate credentials
- Invest in dependency hygiene and patch management
Vast majority of software comes from open source; vulnerabilities are inevitable—prevention and detection must be continual.

Notable Quote:

“Open source is 90 to 98% by lines of code in every application today … focusing on that 2% [your own code] isn’t going to cut it anymore.”
— Dan Lorenc, [22:44]

Accepting Reality and AI's Accelerating Role

[23:37–24:26]

No single mitigation is enough; instead, a multi-layered approach is critical.
AI has shifted the landscape by allowing attackers to scale their efforts massively without increasing time investment—but defenders don’t have equivalent scale.

Notable Quote:

“AI has kind of dropped the burden of time. That was really the only limiting factor for attackers ... now in that year, they can do the same thing for hundreds or thousands of systems. The bottlenecks for attackers are now gone, but defenders are still left with the same bottlenecks.”
— Dan Lorenc, [24:10]

Dan’s Final Take

[24:26–25:03]

Security is, and always will be, a “cat and mouse” game; defenders react only when real risk is visible.
The positive spin: “I'm glad everyone's taking it seriously now.”
Lorenc expresses both exasperation and cautious optimism that change is coming.

Other Notable Cyber Incidents

DigiCert Breach via Social Engineering

[27:04–28:38]

Attackers posed as customers in support chat, persuading staff to repeatedly open malware — succeeded on fifth attempt after security tools initially blocked the file.
Second compromised machine enabled access to certificate systems; attackers signed malware with DigiCert EV signatures.
DigiCert revoked 60 certificates after an external researcher discovered the issue.
Highlights: Social engineering and operational blind spots undermine even trusted infrastructures.

Notable Moment:

"Persistence apparently still works ... the malware was initially blocked multiple times by internal security tools before finally infecting a support workstation on the fifth attempt."
— Dave Bittner, [27:12]

Memorable Moments & Quotes

On CI/CD fragility:
“They look like giant Rube Goldberg machines held together with duct tape and baling wire.” – Dan Lorenc, [19:16]
On open source risk:
“Open source is way more secure [per line of code], but you have 50 times as much of it ... that's where more vulnerabilities are going to be." – Dan Lorenc, [22:58]
On AI’s role:
“AI has kind of dropped the burden of time ... attackers are now unbounded.” – Dan Lorenc, [24:10]

Timestamps to Key Segments

FCC Router Deadline Extension – [00:12–01:41]
Canvas & Zara Breaches – [01:41–03:41]
Trichmo Banking Malware – [04:32–05:43]
Polish Infrastructure Attacks – [05:43–07:07]
L3 Harris Zero-Day Case – [07:07–08:11]
Crime Network Take Down – [08:11–09:11]
Business Cyber Investment – [09:11–11:07]
Interview: Supply Chain Attacks – [15:54–25:03]
DigiCert Breach – [27:04–28:38]

Summary Takeaway

This episode underscores the increasing complexity and interconnectedness of enterprise security risks—from regulatory decisions and marketplace disruptions to the hard truths of supply chain vulnerability and the accelerating impact of AI in both attack and defense. The discussion with Dan Lorenc stands out as a comprehensive breakdown of why software supply chains remain so vulnerable, how threat actors exploit them at scale, and why urgent, systemic improvements are needed industry-wide.

Loading summary

Transcript19 lines

[00:02]
A
You're listening to the Cyberwire Network powered by N2K.
[00:13]
B
Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back from automatically dismantling cross channel attacks to building team resilience and more Doppel outpacing what's next in social engineering? Learn more@doppel.com that's D O P E L dot com. The FCC eases restrictions on foreign made routers Shiny Hunters hit Canvas and Zara Sailpoint discloses unauthorized access to its GitHub repositories Trichmo Android banking malware has mo tricks up its sleeve Polish officials warn of increased targeting of ICS and public infrastructure a federal judge orders $10 million in restitution for stolen zero days German authorities take down the crime network marketplace again We've got your Monday business breakdown. Our guest is Dan Lorenk, CEO and co founder of Chainguard, talking about a recent wave of supply chain attacks and malware gets signed, sealed and delivered. It's Monday, may 11, 2026. I'm dave buettner and this is your cyberwire intel briefing. Thanks for joining us here today. Happy Monday. It's always great to have you with us. The Federal Communications Commission has extended the deadline for foreign made router manufacturers to provide security updates to US Customers customers by nearly two years. The FCC banned the import and sale of consumer grade routers from certain foreign manufacturers in March of this year, citing national security concerns. Under the original order, vendors could continue shipping security patches until March 2027. A new public notice from the FCC's Office of Engineering and Technology now extends that deadline until at least January 1st of 2029. The exemption applies only to software and firmware updates that maintain device functionality or patch vulnerabilities. Vendors are still prohibited from adding new features. The same policy also applies to banned foreign made drone systems and drone components. Unpatched routers remain a common entry point for espionage and persistence operations. Recent campaigns linked to Volt Typhoon and Salt Typhoon demonstrated how poorly managed network infrastructure can provide attackers with long term low visibility access into enterprise environments. The Canvas learning platform is back online after a cyber attack disrupted access for students and faculty at universities worldwide during final exam season. Instructure, the company behind Canvas, said it took the platform offline after discovering an unauthorized actor had modified pages seen by some users. The company later restored service for most customers. Instructure said the attackers exploited an issue tied to free for teacher accounts, which have now been temporarily disabled, threat analysts at emsisoft said. The hacking group Shiny Hunters claimed responsibility and alleged nearly 9,000 schools were affected, according to available reports. The group also claimed access to billions of private messages and records. Though Instructure has not confirmed the scope of compromised data, the outage exposed how dependent schools have become on centralized digital learning systems for grades, coursework and communications. Security researchers said. The timing, just before final exams and project deadlines, likely increased pressure on affected institutions and students while amplifying disruption across campuses elsewhere. Another data breach linked to Shiny Hunters exposed information belonging to more than 197,000 customers of global fashion brand Zara, according to have I Been Pwned? The breach stemmed from an April 2026 incident tied to analytics provider Anadot, have I been Pwned said. The stolen data included email addresses, product stock keeping units, order IDs and support ticket details. Zara parent company Inditex said payment information, passwords and names were not affected. Researchers believe stolen Anodot authentication tokens were used to access downstream BigQuery and Snowflake environments tied to multiple companies. The campaign highlights the growing risk posed by third party service providers and exposed authentication tokens. According to reports, millions of customers across several companies may have been impacted by the broader pay or leak operation. Identity management firm Sailpoint disclosed a cybersecurity incident involving unauthorized access to a subset of its GitHub repositories in an SEC filing. Sailpoint said it detected the intrusion on April 20 and quickly contained the activity. The company said the repositories were compromised through a vulnerability in a third party application, which has since been addressed. Sailpoint said. An investigation conducted with an outside cybersecurity firm found no evidence that customer production or staging environments were accessed or disrupted. Customers whose information was stored in the affected repositories were directly notified, researchers at ThreatFabric say. A new variant of the Trichmo Android banking malware is using the Open Network, or tun, to conceal communications with attacker infrastructure, Threat fabric said. The malware, tracked as Trichmo C, has targeted banking and Cryptocurrency wallet users in France, Italy and Austria since at least January. The malware disguises itself as TikTok or streaming applications and steals credentials through phishing overlays, screen recording and SMS interception and key logging, researchers said. The latest version routes command and control traffic through tun, ADNL addresses and an embedded local proxy, making infrastructure more difficult to identify or disrupt. The variant also adds network reconnaissance and tunneling capabilities, including SSH tunneling socks 5 proxy support and remote port forwarding. The campaign reflects a broader shift toward decentralized infrastructure designed to resist takedowns and blend malicious traffic into legitimate encrypted network activity. Poland's internal security agency, the abw, says cyberattacks targeting industrial control systems and public infrastructure intensified sharply through 2024 and 2025, including multiple breaches of municipal water treatment facilities. In its annual report, ABW disclosed that attackers compromised operational systems at water plants in several Polish municipalities, including one August 2025 incident that nearly disrupted a city's water supply before authorities intervened. Officials also linked broader sabotage campaigns targeting military and civilian infrastructure to Russian state backed actors. Security researchers said many of the attacks exploited Internet exposed systems protected by weak passwords or outdated configurations rather than advanced malware. Researchers and vendors including Dragos and Anthropic also warned that artificial intelligence is lowering the barrier for identifying and targeting operational technology environments. The incidents reflect growing concern that cyber operations are shifting from espionage toward direct interference with physical systems tied to water, transportation and energy services. Analysts warn that smaller utilities remain especially vulnerable because of limited cybersecurity resources and increased reliance on Internet connected industrial systems. A US federal judge ordered former L3 Harris Technologies executive Peter Joseph Williams to pay $10 million in restitution for stealing zero day exploits from subsidiary L3 Trenchant and selling them to a Russian broker. The ruling follows Williams earlier plea agreement requiring an additional $1.3 million payment, bringing total restitution to $11.3 million. Prosecutors had sought $35 million, arguing the stolen tools caused major business losses. Williams pleaded guilty last year to stealing eight hacking tools between 2022 and 2025 and selling them to Russian exploit broker Operation Zero under agreements reportedly worth about $4 million. Prosecutors said the exploits could have enabled access to millions of devices worldwide. Williams was sentenced in February to more than seven years in prison and faces possible deportation to Australia after release. The case underscores growing concerns around insider threats within offensive cyber operations and the commercial market for zero day exploits used in intelligence and military activities. German authorities announced the takedown of the revived Crime Network Cybercrime Marketplace and the arrest of a suspected administrator in Spain, police said. The German language platform reappeared days after the original Crime Network was dismantled in December 2020. The new version had more than 22,000 users and over 100 sellers trading stolen data, drugs and forged documents. Investigators said the marketplace generated more than 3.6 million euros in revenue through Cryptocurrency transactions. Authorities seized roughly €194,000 in assets and collected extensive user and transaction records for further analysis. The operation highlights continued law enforcement pressure on major underground marketplaces despite rapid attempts by operators to rebuild infrastructure. Turning to our Monday business breakdown, cybersecurity investment activity continued to surge this past week, driven largely by demand for AI security, identity protection and offensive security platforms. Seattle based Expo raised an additional $35 million in Series C funding, bringing the total round to $155 million. Swiss ethical hacking firm Bug Bounty Switzerland secured $15.3 million to expand AI driven security testing, while AI focused startups including General Analysis and Herd Security also announced new funding rounds. The week also saw a wave of acquisitions centered on AI and identity security. Palo Alto Networks agreed to acquire AI security gateway firm Portkey, while Cisco announced plans to acquire Israeli identity security startup asterix Security for $400 million. The deals reflect growing industry focus on securing AI agents, operational technology and and non human identities as enterprises rapidly expand AI adoption vendors are also investing heavily in continuous security validation and AI assisted defensive tooling. Be sure to check out our weekly business briefing on our website thecyberwire.com that is part of Cyberwire Pro. Coming up after the break, my conversation with Dan Lorenk, Chainguard CEO and co founder. We're talking about a recent wave of supply chain attacks and malware gets signed, sealed and delivered. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsqu. No, it's not your imagination. Risk and regulation are ramping up and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're Preparing for a SoC2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and RYTR report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies from startups to big enterprises. Trusting Vanta get started@vanta.com cyber. Dan Lorenk is Chainguard CEO and co founder. We recently got together to discuss a recent wave of supply chain attacks.
[15:54]
C
So I'll give some context on what happened, where it started and where this is going to go. This started with an attack on a bunch of open source projects called Hackerbot Claw or Hacker Clawbot or something like that. But it was an AI assisted attack to exploit weaknesses in the way these open source projects had set up their CI cd. Open source projects are particularly vulnerable to stuff like this because anyone can send code and they set up CI CD to run tests on the code sent by random strangers on the Internet. In this case, somebody sent some malicious code that was designed to exploit that testing pipeline and steal a bunch of credentials from those projects. This is a common pattern, not just for open source projects, but for companies. Anyone running cicd, these systems are typically the least secured, but also highest privileged systems in any company they deploy into production. They're the thing that brings the code from where it is into production. So they have to have ways to get into production. And this attack stole a bunch of keys that are used to publish artifacts on Docker Hub, on Pypi, on npm, from a bunch of open source projects. It got caught. The projects all tried to rotate credentials and stuff like that and we thought we were done. Fast forward a couple weeks and the Trivi project from Aqua Security, which is a security scanner, it's free, it's used by tons of open source projects, it's used by tons of companies too, was hit a second time. They hadn't properly rotated all of the credentials or gotten the attackers fully out. And this time when it got hit, instead of just stealing keys again, they used the keys they stole the first time and put malware into those binaries. So the security scanner that everyone was running all of a sudden now had malware in it that was stealing the keys of every system that security scanner was running inside of. This was live for six, seven hours, something like that, before it got completely taken down. But hundreds, thousands of projects had their credentials stolen in that time period. Aqua took it down again, thought they got the attackers out one more time, and then two days later, the attackers just defaced the repos one more time just to show that they weren't fully out. More as a prank than another attack. But now we're in kind of the follow on phase of that first attack. Light LLM, a hugely popular Python library in the AI space, got hit from that attack. They were running a security scanner, trying to do best practices and didn't realize what had happened and their credentials got stolen. Malware got shipped again, stealing credentials from everyone using that project. A couple JavaScript projects, including one of the top 10 ones in the world, Axios, got hit yesterday. We're still in the early phases of this and the attackers are still in the steal more credentials phase rather than the do something that will eventually get us money phase. This is, it looks like a cyber crime group. They're out there. Eventually they're going to hit companies. There's probably going to be ransomware or something like that as some end state here. But we're still in the early days of this attack and it's going to keep happening.
[18:55]
B
Help me understand here, Dan, because I think it's fair to say that the defenders in the community don't lack imagination when it comes to being able to imagine the possibility of an attack like this. So what's the disconnect between that and multiple repositories and these projects getting popped like this?
[19:16]
C
The surface area for these systems is just massive CICD systems, all at the end of the day, kind of look like giant Rube Goldberg machines held together with duct tape and baling wire. That's just been standard in the industry forever. It's not something anyone really wants to invest in. And they're really hard to secure and really hard to get right. The primitives just aren't that good. GitHub Actions is probably the most widely used one in the world. It's free, it's bundled into GitHub, where over 100 million developers write code every year. The primitives and design decisions they made when they rolled out GitHub actions are basically the opposite of secure by default. Years and years and years ago. There's a lot of steps you have to take and a lot of care you have to apply to do these things securely. And people make mistakes. And then when you're looking at an open source supply chain where you have tens of thousands of dependencies from tens of thousands of people, all it takes is a few of those to screw up and now you're affected at the end of the supply chain.
[20:11]
B
So are we in a place where it's time for a reboot?
[20:15]
C
We've been in this place as an industry since software started. The only change now is attackers are finally focusing on it. And I think it's a testament to the security investments and security improvements we've made everywhere else in software. Supply chain attacks aren't new. The original paper on this was written by Ken Thompson called Reflections on trusting trust. Over 30 years ago he showed that if you backdoor to compiler and that compiler makes the rest of software even. No foundation of trust in any software built ever again after that, unless you have reviewed every single line of code going back to the very first line of code on the first compiler written 30 years ago. And I think it was so scary that everyone just kind of forgot about that problem and ignored it and blocked it out. But things like two factor Auth and things like HTTPs everywhere are only really new and have gotten to ubiquity in the last five years. Attackers didn't need to do these supply chain attacks because there were much easier ways in. We've gotten good enough everywhere else that they go to the next easiest target, which is the software supply chains themselves.
[21:18]
B
So what do you think we need to do here? What's a potential long term solution?
[21:23]
C
The one I think a lot of people are operating under is just hope the attackers stop. Which hope is never a strategy, especially when it comes to security. But there's no single answer. Right? The core thing everyone has to grapple with is you have to treat your build systems like production systems, because they are. You know, it's not something where you can just throw Jenkins or some other build system on a machine, toss it in the closet and forget about it anymore. People have to wake up and make those changes, start operating those systems securely. And that's just on the malware side, right? Open source supply chains have a ton of other problems too when it comes to vulnerabilities. These are just the ones that bad people are putting in on purpose when you've got tens of thousands of dependencies. The another large problem is just the accidental vulnerabilities. Things like log4j, things like heartbleed, where the more code you have and the more code you're using, the more bugs there are going to be. And some of those bugs have security incidents. People just haven't been paying attention to this space at all and they're surprised when they see the counts of known vulnerabilities, the number of malware attacks. We do need a bit of a reset as an industry to think about this part. Up until now, people have been very worried about the vulnerabilities and the security of their own code. But that's only 2%, right? Open source is 90 to 98% by lines of code in every application today. And focusing on that 2% isn't going to cut it anymore.
[22:46]
B
Yeah, and I mean those proportions are such that there's no turning back from that we're not going to see an era where people suddenly start home brewing everything from inside the house. I suppose.
[22:59]
C
Yeah. And that wouldn't be better either. Right? Like I don't want to. It always can come off as fear mongering about open source, but if you look per line of code, open source is way more secure than anything else. Don't go try to rewrite all this stuff yourself, you're going to have way more vulnerabilities. Linus Torvalds has a law for years that said many eyes make all bugs shallow. And that's one of the benefits to open source. But the proportions are just so crazy. Even if per line open source is way more secure, you have 50 times as much of it. That's where more of the vulnerabilities are going to be.
[23:27]
B
So is this a matter of accepting this reality and putting proper mitigations in effect to counter it?
[23:37]
C
Yeah, and there's no single mitigation. And that's kind of why this space is hard. It's securing your build systems, it's managing and updating and bumping and patching your dependencies. It's trying to keep malware out and then having systems in place to remediate when malware does sneak its way in. Because at the end of the day, security is a multiplayer game. Nothing is perfect. Everyone knows that a persistent, well funded enough attacker is going to be able to get into anything if they have long enough time. And the other big shift we're seeking out is AI. You know, we've made it nine minutes in without talking about AI, but I guess we have to. Yeah, AI has kind of dropped the burden of time. That was really the only limiting factor for attackers. If they would point at one system and spend a year and get in now in that year, they can do the same thing for hundreds or thousands of systems. The bottlenecks for attackers are now gone, but defenders are still left with the same bottlenecks.
[24:26]
B
Dan, I sense a certain exasperation in your voice and yet perhaps a little edge of optimism as well.
[24:37]
C
Yeah, this is how security always works, right? You can't go fund a bunch of work if there's not real risk there. If you don't feel the risk or if you can't explain it to anyone. And it's hard to do that until attackers start doing something. That's how the software industry has always operated. It's a game of cat and mouse. But yeah, it's. Some days I'm like, I've been yelling about this for six years and no one cared. All of a sudden, now we do. Let's do something. But it's just reality. But I'm glad everyone's taking it seriously now.
[25:03]
B
That's Dan Lorenk, CEO and co founder at chainguard. Most environments trust far more than they should, and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.
[26:28]
D
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both. World get the unreal college deal everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass ultimate with a custom color Xbox wireless controller. Learn more@windows.com studentoffer while supplies last ends June 30, terms at aka mscollegepc.
[27:04]
B
And finally, hackers breached Digicert in April by posing as a customer in a support chat and convincing an employee to repeatedly open a malicious file disguised as a screenshot. Persistence apparently still works. According to Digicert's incident report, the malware was initially blocked multiple times by internal security tools before finally infecting a support workstation on the fifth attempt. A second compromised machine with a malfunctioning crowdstrike sensor then gave attackers access to internal certificate order systems. Digicert said the intruders obtained initialization codes tied to EV code signing certificates, which they later used to sign malware, including Zhongsteeler. Researchers eventually discovered the abuse after noticing malware carrying legitimate Digicert signatures. The company revoked 60 certificates and canceled pending orders linked to the incident. The breach highlights how social engineering and operational blind spots can undermine even highly trusted security infrastructure. Digicert also acknowledged that without an outside researcher flagging the issue, the certificate theft operation might have continued unnoticed. And that's the cyber wire for links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
[29:39]
A
Your next chapter in healthcare starts at Carrington College's School of Nursing in Portland. Join us for our open house on Tuesday, January 13th from 4 to 7pm you'll tour our campus, see live demos, meet instructors and learn about our Associate Degree in Nursing program that prepares you to become a registered nurse. Take the first step toward your nursing career. Save your spot now at Carrington Edu Events. For information on program outcomes, visit carrington. Edu Sci Fi.