CyberWire Daily
Episode: "Message in the malware."
Date: November 25, 2025
Host: Maria Varmazes (in for Dave Bittner)
Guest: Tim Starks, Senior Reporter, CyberScoop
Episode Overview
This episode delivers headline cybersecurity news and an in-depth interview focused on shifts in U.S. national cybersecurity strategy under the Trump administration. Topics covered include major breaches, ongoing malware campaigns, risks in holiday shopping, and challenges in building a resilient federal cyber workforce.
Key News Stories & Insights
CISA Spyware Advisory
[02:10]
- CISA warned that multiple threat actors are increasingly using commercial spyware to target users of mobile messaging apps.
- Delivery Methods: Phishing, zero-click exploits, app impersonation.
- Targets: High-value individuals (government/military officials, civil society) in U.S., Middle East, Europe.
- Notable quote (CISA):
"While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals..."
Code Red Emergency Alert Breach
[03:00]
- Incident: Attack forced the nationwide shutdown of the Code Red alert system (OnSolve).
- Compromise: Usernames, phone numbers, email addresses, passwords leaked.
- Impact: Communities in Missouri and Colorado cannot send emergency notifications while the system is down, a direct public-safety risk.
- Action: Users urged to change passwords; alternative alert channels in progress.
"Shai-Hulud: The Second Coming" Malware in the npm Ecosystem
[04:15]
- Threat: Malicious npm packages spreading infostealers that harvest developer credentials, with the ability to self-propagate to other packages and, if the malware cannot authenticate to exfiltrate what it stole, wipe the developer's home directory.
- Evasion Tactic: Exfiltration to GitHub repositories with randomized names to avoid detection.
- Advice: Block direct access to the public npm registry (route installs through a vetted internal proxy), review and tighten npm/GitHub token permissions, and deploy endpoint protection that can catch malicious install-time behavior.
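The advice above comes down to two checks a team can automate: which installed packages declare install-time lifecycle scripts (the hook malicious packages use to run code during `npm install`), and whether the project's `.npmrc` actually routes installs away from the public registry and disables those scripts. The Node script below is an added example written for these notes, not code from the episode, CyberWire, or any of the vendors mentioned; the package manifests, the `.npmrc` contents and the internal registry URL `npm.internal.example` are constructed placeholders.

```javascript
// Added example (not from the episode): audit npm package manifests for
// install-time lifecycle scripts and check .npmrc for the two settings that
// blunt this class of supply-chain attack.

// Hooks npm runs automatically during install/prepare. Any of these is a
// place for a malicious package to execute code on the developer's machine.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "preprepare", "prepare", "postprepare"];

// Given an array of parsed package.json objects (e.g. node_modules/*/package.json),
// return one finding per declared lifecycle hook: {name, version, hook, command}.
function findLifecycleScripts(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = (m && m.scripts) || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
        findings.push({ name: m.name, version: m.version, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

// Parse .npmrc (key=value lines; '#' or ';' starts a comment) and report
// whether ignore-scripts is on and whether installs still hit the public registry.
// npm's default registry applies when no registry line is present.
function checkNpmrc(text) {
  const settings = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/[#;].*$/, "").trim(); // strip comments
    if (!line) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  const registry = settings.registry || "https://registry.npmjs.org/";
  return {
    ignoreScripts: settings["ignore-scripts"] === "true",
    usesPublicRegistry: /registry\.npmjs\.org/.test(registry),
    registry,
  };
}

// Constructed sample data standing in for real node_modules manifests.
const SAMPLE_MANIFESTS = [
  { name: "left-pad-ish", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "suspicious-helper", version: "2.3.1", scripts: { preinstall: "node setup.js", test: "echo ok" } },
  { name: "no-scripts", version: "0.1.0" },
];

// Constructed .npmrc contents: the default-ish weak one and a hardened one.
const SAMPLE_NPMRC_WEAK = "registry=https://registry.npmjs.org/\n";
const SAMPLE_NPMRC_HARDENED = [
  "; route installs through an internal proxy and never run install scripts",
  "registry=https://npm.internal.example/",   // placeholder internal registry
  "ignore-scripts=true",
].join("\n");

// Stand-alone run: print what an audit of the sample data would report.
console.log("lifecycle hooks:", JSON.stringify(findLifecycleScripts(SAMPLE_MANIFESTS)));
console.log("weak .npmrc:", JSON.stringify(checkNpmrc(SAMPLE_NPMRC_WEAK)));
console.log("hardened .npmrc:", JSON.stringify(checkNpmrc(SAMPLE_NPMRC_HARDENED)));
```

Run against a real tree by reading each `node_modules/*/package.json` into `findLifecycleScripts` and the project `.npmrc` into `checkNpmrc`. A non-empty findings list is not proof of compromise (many legitimate native modules use `install` hooks), but it is the review queue; `ignore-scripts=true` plus an internal registry means a newly poisoned upstream version cannot execute on install before anyone has looked at it.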
Citus AMC Data Breach
[05:10]
- Victim: Real estate finance tech vendor Citus AMC.
- Discovered: Nov 12, 2025.
- Data Impacted: Corporate/client data, possible customer info (accounting records, legal agreements).
- Notified: JPMorgan Chase, Citi, Morgan Stanley.
- FBI Involvement: Active investigation.
Dartmouth College Oracle EBS Breach
[05:55]
- Attack: Part of a wave of zero-day attacks on Oracle E-Business Suite; breached by the Cl0p ransomware gang.
- Affected: Names, Social Security Numbers of 1,497 Maine residents (among others).
- Other Victims Noted: Logitech, Harvard, Washington Post, Envoy Air, Mazda.
- Scope: Dozens more organizations potentially compromised.
In-Depth Interview: National Cyber Strategy under Trump
Guest: Tim Starks, CyberScoop | Host: Dave Bittner
[10:17 - 20:45]
Quick Takeaways
- The new administration is moving fast on a national cyber strategy, aiming for significant changes in deterrence, public-private partnership, federal modernization, and workforce development.
Drafting the Cyber Strategy
[10:38]
- Draft Complete: Circulated for interagency review, led by National Cyber Director Sean Cairncross.
- Potential Delay: Interagency process is a historic bottleneck.
Pillars of the New Cyber Strategy
[11:17]
- Imposing Costs on Adversaries
- Signal a hard line: "You're not allowed to do some of these things you've been doing to us in cyberspace."
- Quote (Tim Starks):
"We're going to impose costs on adversaries in a way that we haven't seen before..." [11:20]
- Public-Private Partnerships
- Focused on spelling out sector-specific expectations for critical infrastructure and reducing "overly hasty" and conflicting regulations.
- A shift away from the heavier regulatory burden the prior approach placed on the private sector.
- Enhancing Cyber Workforce (hinted)
- Noted challenges due to recent workforce reductions.
- Modernizing Federal Security (hinted)
- Accelerate technology procurement and piloting at national labs.
- Quote (Dave Bittner):
"Those modernizing programs are kind of like painting the Golden Gate Bridge..." [13:14]
Deterrence and Presidential Tone
[14:06]
- Broader context: Trump officials (Cairncross, Bulazel, CISA) deliver a consistent deterrence message; the exception is the President himself.
- President's stance:
"Yeah, you think we don't do that? Yeah, we do that too. We're better at it."
Indicates a more transactional, less moralistic approach to cyber-espionage.
Workforce Morale and Hiring Crisis
[16:01 - 18:25]
- Current State: Low morale in cyber agencies.
- Federal jobs: Once prized for stability; now threatened by shutdowns, layoffs, and diminished sense of public service.
- Quote (Tim Starks):
"If you're a federal government employee in general right now... they're really just kind of hanging on until they can find something different or until they hit retirement age." [16:04]
- Future Hiring: Likely to draw only "the highly desperate" and "true believers of the MAGA cause." Overlap with cyber skillsets is questionable.
Reception to Cairncross’ Approach
[19:30]
- Perception: Bipartisan respect for Cairncross’s diligence and careful approach, despite his lack of cyber-specific background.
- Limitations: Uncertainty if thoughtful planning can overcome current adverse circumstances.
Seasonal Cyber Threats & Shopping Risks
[22:20]
- Holiday spike: Ransomware and phishing increase during off-hours and holidays (Semperis report).
- 78% of companies cut SOC staffing during off hours.
- Holiday shopping scams:
- 1,700+ suspicious shopping domains registered before December (PreCrime Labs).
- Fake luxury stores, themed crypto tokens, “zombie” festival travel scams.
- Black Friday Apps:
- Average of 29 permissions requested per app; 8 considered “dangerous.”
- Many falsely claim not to access sensitive data.
- Quote (Maria Varmazes):
“Whether you are in the boardroom or in the checkout line, remember that the holidays may slow us down, but they speed cybercriminals up.” [23:10]
Notable Quotes & Moments
- Tim Starks on regulatory shift:
"We're going to spell out what we expect for each critical infrastructure, sector by sector of the private sector." [11:45]
- Dave Bittner on constant modernization struggle:
"When you start on one end and by the time you get to the other, it's time to go back... and start all over again, you know." [13:14]
- Tim Starks on Cairncross:
“He’s impressed a lot of people on both the left and the right with his approach… he seems like someone who is approaching these things carefully and thoughtfully.” [19:50]
- Maria Varmazes on holiday scams:
“Fake luxury stores, crypto seasonal tokens, travel deals to zombie festivals… someone is weaponizing it.” [22:50]
Key Timestamps
- [02:10] — CISA spyware advisory & Code Red breach
- [04:15] — npm "Shai-Hulud: The Second Coming" malware campaign
- [05:10] — Citus AMC breach
- [05:55] — Dartmouth Oracle EBS breach
- [10:17 - 20:45] — Tim Starks interview: Trump cyber strategy, federal workforce
- [22:20] — Holiday season cybercrime risks
Conclusion
This episode delivers urgent threat intelligence—spanning new attacks on infrastructure and software supply chains—while previewing significant shifts in U.S. cybersecurity policy under the Trump administration. The thoughtful interview with Tim Starks highlights strategic realignments on deterrence, public-private collaboration, and modernization, as well as the acute morale and hiring crises facing federal cyber agencies. The final segment warns listeners of increased digital risks during the holiday season, urging continued vigilance both at work and at play.
