A
You're listening to the CyberWire Network, powered by N2K.
B
Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Microsoft sounds the alarm on a critical Exchange zero-day. OpenAI and Mistral AI deal with fallout from a widening supply chain attack campaign. Researchers uncover a thriving underground market for unlocking stolen iPhones. A stealthy macOS infostealer spreads through ClickFix scams. Healthcare braces for major HIPAA security changes, and hackers cash in big at Pwn2Own Berlin. Maria Varmazis joins us with the latest from the T-Minus Space Cyber podcast, and researchers roll their eyes at ransomware reassurances. It's Friday, May 15, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. Happy Friday. It is great, as always, to have you with us. Microsoft is warning organizations about a high-severity zero-day vulnerability in on-premises Exchange Server deployments that could let attackers execute arbitrary code through a specially crafted email sent to an Outlook user. The flaw stems from a cross-site scripting vulnerability in Microsoft Exchange Server. Microsoft says the issue affects all supported versions of Exchange Server 2016, 2019 and Subscription Edition, but not Exchange Online. The company has not released a patch yet. In the meantime, Microsoft recommends enabling the Exchange Emergency Mitigation Service, which automatically applies protections by default. Manual mitigations are also available for disconnected or air-gapped environments. On-premises Exchange servers remain high-value targets for attackers.
Organizations may need to balance risk reduction against potential disruptions to features like inline images and calendar printing while waiting for patches. OpenAI says a recent software supply chain attack tied to the compromised TanStack ecosystem led to the theft of limited credential material from internal source code repositories. The attack began May 11, when the TeamPCP hacking group published malicious packages across the TanStack development stack and other npm and PyPI namespaces. The campaign infected developer systems with the Shai-Hulud worm. OpenAI says two employee devices were compromised, giving attackers access to several internal repositories. The company says no customer data or intellectual property was exposed, but compromised repositories did contain code signing certificates for macOS, Windows, iOS and Android applications. The incident highlights the downstream risks of open source package attacks. OpenAI revoked affected certificates, rotated credentials and restricted deployment workflows. macOS users must update OpenAI applications by June 12, as older versions may stop functioning properly. Researchers at Darktrace say a suspected Chinese state-linked hacking group, tracked as Mustang Panda and Twill Typhoon, has expanded its FDMTP malware with new modular capabilities. The updated framework allows attackers to load plugins, update tooling and maintain persistence through legitimate-looking Windows processes. Researchers observed the activity targeting Asia-Pacific government organizations and finance sector systems using spoofed domains impersonating Yahoo and Apple infrastructure. The campaign reflects a broader shift toward flexible, long-term cyber espionage operations built for stealth and adaptability. The TeamPCP hacking group claims it stole nearly 450 internal repositories from Mistral AI and is threatening to leak the data unless a buyer pays $25,000, according to posts on a hacker forum.
The data allegedly includes repositories tied to training, benchmarking, inference and future artificial intelligence projects. Mistral AI confirmed that attackers compromised a code base management system during the wider TanStack supply chain attack, which spread through contaminated npm and PyPI packages using stolen CI/CD credentials. The company says some software development kit packages were briefly affected after a developer device was compromised. The incident highlights the cascading risk of software supply chain attacks, especially when developer environments and trusted package ecosystems are targeted. Mistral says its hosted services, managed user data and research environments were not compromised. And as we mentioned earlier, OpenAI has also disclosed downstream impact from the same campaign. Federal regulators are expected to decide this year whether to finalize major updates to the HIPAA rule, marking the most significant overhaul since the regulation was introduced more than two decades ago. The proposed changes would make many currently addressable safeguards mandatory, including encryption and multi-factor authentication. The draft rule also calls for stricter documentation, enhanced security risk analysis, tighter oversight of business associates and potentially new requirements around microsegmentation and incident response. Healthcare industry groups argue the measures could impose heavy financial and operational burdens on already stretched providers. Still, current and former Health and Human Services officials say growing cyber threats against hospitals and healthcare systems make stronger standards difficult to ignore. Security and legal experts say organizations should begin preparing now, even if the final rule is delayed or narrowed. Many view the proposal as a roadmap for what regulators increasingly consider baseline security expectations for healthcare environments.
California-based lender American Lending Center says a ransomware attack discovered in July of last year may have exposed personal information tied to more than 123,000 people. The company says attackers compromised its internal network and accessed files containing names, dates of birth and Social Security numbers. A forensic investigation concluded in April 2026, and the company says it has found no evidence of misuse of the data so far. The incident adds to ongoing concerns about ransomware targeting financial institutions and the risks tied to sensitive customer records. Researchers at Sophos say a recent macOS incident involved a variant of the Atomic macOS, or AMOS, infostealer, delivered through a ClickFix-style social engineering attack. The victim was tricked into running a malicious terminal command that downloaded additional payloads, captured the user's macOS password, harvested browser credentials and keychain data, and established persistence through launch daemons. Sophos says AMOS accounted for nearly 40% of its macOS protection updates in 2025 and remains one of the most active macOS infostealers observed in customer environments. The malware also targets cryptocurrency wallet data and uses anti-analysis checks to evade detection in virtualized environments. Researchers say the campaign reflects a broader trend of attackers relying on social engineering instead of exploits to bypass security protections on macOS systems. Researchers investigating a stolen iPhone discovered a large Telegram-based underground economy dedicated to unlocking and reselling stolen smartphones, especially high-end iPhones, according to Infoblox. The ecosystem combines phishing kits, social engineering tools and unlocking software that helps criminals extract device information and trick owners into surrendering passcodes and Apple credentials, the report found. Attackers commonly use smishing messages tied to fake Apple Find My pages.
Once victims enter credentials or passcodes, attackers can disable Activation Lock and regain full control of the device. Researchers identified more than 10,000 phishing domains linked to these campaigns and observed a 350% increase in related DNS traffic in 2025. Some tools even attempt to evade detection automatically by contesting Google Safe Browsing blocks. Researchers say the operation is driven less by data theft and more by the resale value of unlocked devices, creating a scalable criminal marketplace with low barriers to entry and real-world impacts tied directly to smartphone theft. Security researchers earned $525,000 on the opening day of Pwn2Own Berlin 2026 after successfully demonstrating 24 previously unknown vulnerabilities across Microsoft, Linux, AI and enterprise platforms. The largest payout went to researcher Orange Tsai, who received $175,000 for chaining four logic bugs to escape Microsoft Edge's sandbox protections. Windows 11 was also compromised three times through separate privilege escalation exploits. Additional successful attacks targeted OpenAI Codex, LiteLLM, Nvidia software, LM Studio and Red Hat Linux. The competition, hosted during OffensiveCon in Berlin, focuses heavily on enterprise technologies and AI systems. The event highlights growing researcher attention on AI infrastructure and developer tooling alongside traditional operating system and browser targets. Under contest rules, affected vendors now have 90 days to develop and release patches for disclosed vulnerabilities. Coming up after the break, Maria Varmazis joins us with the latest from the T-Minus Space Cyber podcast, and researchers roll their eyes at ransomware reassurances. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. No, it's not your imagination. Risk and regulation are ramping up. Customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and RYTR report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com/cyber. It is always my pleasure to welcome back to the show my N2K colleague and host of the T-Minus Space podcast, Maria Varmazis. Maria, welcome back.
A
Thanks Dave. Good to be here.
B
So I mentioned the T-Minus podcast, which has been on a bit of a hiatus lately. Can we start there? You and your T-Minus colleagues took a little bit of a break?
A
Yeah, we did. I mean, we've been running this show on a weekly basis for a little while, since a couple months ago, but we were a daily show for the last three years, so going from daily to weekly was a big change. And we had sort of a bunch of interviews that we were running, but no really new content other than that. And we kept telling people every week, hang on, we're working on it in the background. We promise the wheels are turning. There's a lot of behind-the-scenes work going on about what the new, reimagined T-Minus is going to be, but we need a few weeks to figure this out. And thankfully we have finally arrived at that new moment for T-Minus, which is... I'm very excited we finally got there.
B
Yeah, we all are. And, well, let's walk through that process a little bit. I mean, what did you all do to decide what this next iteration of T-Minus was gonna be?
A
Yeah, it's a good question because it was a confluence of a number of different factors. Some of it was based on feedback that we'd been getting from some of the shows that we would go to and we would talk to listeners. And I had noticed a really interesting trend when I talked to infosec professionals that would meet me at space shows, and a lot of them would say, hey, I'm listening to T-Minus. I'm really interested in the space sector as an infosec professional, but I have no idea how to get into it. I have no idea what kind of skills are needed. And there's just a lot of information on the cybersecurity front in the space domain that is just totally unknown to me or hard to figure out. And at the same time, I was having conversations with cybersecurity professionals in the space industry, or folks in the space industry who are interested in cybersecurity, about sort of the same thing, where there's this gap there, and the gap really needs to be bridged in terms of understanding what kind of cybersecurity space systems need. But it really isn't talked about a whole lot, or at least not as much as I think is needed. And given my interest in both fields, it sort of felt like, all right, maybe this is something we need to look into a little more strongly. This is something that I've always found really fascinating. Every time it came up on T-Minus Space Daily, I'd go, you know, space and cybersecurity are my two favorite things together. And so I think after three years of me putting that in the show now and then, it felt like the right time for us to go, you know what, maybe we just look at this all the time, because there's enough there for us to take some really deep dives and see what we can uncover.
B
So for our audience here on the CyberWire, perhaps time for them to take a fresh look at T-Minus.
A
I would hope so. I would highly encourage CyberWire listeners to listen in to T-Minus Space Cyber Briefing. That is the show's new name, by the way, because it is no longer going to be here's all the things happening in the space industry that you may or may not want to know about. It is specifically a look at all things space as they relate to cybersecurity. So sometimes we're going to do coverage of something that might have been in the news recently that is about space cyber, and other times we're going to do a deep dive, sort of magazine style, into a topic in space cyber that people need to know more about. But it's a little more evergreen. It's not something that, you know, news just broke about it last week. But things like people are building out systems for the Internet in space beyond just broadband Internet, for example. What is that going to look like, what are the plans for stuff like that, and how on earth are we going to secure it? Some big questions there. And this is not something that's going to be built overnight. Space moves a little slowly. So we take a look at things like that. And we want to make sure that cybersecurity professionals understand what's being built in the space domain and how it's going to affect them and their future career. Because truly the entire space domain is a world where we're dependent on it, systems-wise, whether we realize it or not. And there's a huge, huge, multi-billion dollar movement from nations and organizations all over the world to get more infrastructure in space. And somebody's got to secure it. So let's learn what we got to do.
B
Well, it's certainly been my experience that there is a ton of crossover between people who are interested and passionate about cyber and feel the same way about space.
A
Indeed. And I know you and I are those kinds of people as well. We find both domains really interesting. I mean, us. So this is like, we don't really need much amping up to be done, because it kind of just naturally happens. We're all just really jazzed about this kind of thing. And honestly, that reflects a lot of the conversations I've had with listeners and people that I've met at cons, and even when we were at the ThreatLocker event, Zero Trust World, I had a bunch of those conversations as well with people. It just kind of is organically happening. And I think we're seeing more and more people also noticing that space systems are making their way into the infrastructure that their organizations are using, beyond sort of just corner cases. It's really starting to work its way in. And so to me, it's both a matter of it's cool, it's interesting, this is sort of future tech, future-looking, but it's not as far off as we think, and in some cases it really is the career knowledge set of today. So we're hoping to help bridge that gap of knowledge, and we specifically want our infosec folks to take a listen in, because this is really for you.
B
All right, well, you'll be able to find that on our website, of course, which is thecyberwire.com, but what's the best thing to search for in your favorite podcast app, Maria?
A
Yes, it's T-Minus Space Cyber Briefing. That's the new name of the show. I believe we'll be dropping the show not just in the T-Minus feed, the podcast feed, but also in the CyberWire feed, because we're gonna be launching our show every Sunday. So we are a Sunday show. So you can listen to us here in the CyberWire Daily's Sunday feed.
B
All right, we'll look forward to that. Maria Varmazis is my colleague here at N2K CyberWire. She is also the co-host of the Hacking Humans podcast, along with Joe Carrigan, and now relaunching T-Minus. Maria, thanks so much for taking the time for us.
A
Thank you very much, Dave.
B
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. And finally, after reaching what it called an agreement with the ShinyHunters extortion group, Instructure assured schools that stolen Canvas data tied to roughly 275 million students, teachers and staff had been destroyed. The hackers even provided shred logs, which in cybersecurity circles land somewhere between "trust us" and "the check is in the mail." Threat intelligence experts interviewed by The Register say they do not believe the data is truly gone. Researchers noted ShinyHunters has a history of recycling and reselling previously deleted information. The incident reportedly escalated after attackers injected ransom messages into hundreds of school login portals during final exams, increasing pressure on schools and administrators. Security analysts say the breach highlights the brutal economics of ransomware in education, where operational chaos, reputational damage and the risk of exposing children's data can push organizations toward paying demands they publicly insist they would never pay. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Thomas Elkins from BlueVoyant. We're discussing their research unpacking Augmented Marauder's multi-pronged Caspianero campaigns. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
CyberWire Daily — "One email could be all it takes."
Date: May 15, 2026
Host: Dave Bittner (N2K Networks)
Special Guest: Maria Varmazis (Host, T-Minus Space Cyber Briefing)
This episode delivers a comprehensive roundup of the latest major cybersecurity news, with a particular focus on emerging exploits, supply chain attacks, evolving threats to healthcare and finance, software and device vulnerabilities, and the cybercriminal economy. There's also a spotlight interview with Maria Varmazis on the relaunch and evolution of the T-Minus Space Cyber Briefing, highlighting the intersection of space and cybersecurity.
"...on-premises Exchange servers remain high value targets for attackers. Organizations may need to balance risk reduction against potential disruptions to features..." — Dave Bittner [02:18]
"The incident highlights the cascading risk of software supply chain attacks, especially when developer environments and trusted package ecosystems are targeted." — Dave Bittner [06:01]
"...attackers relying on social engineering instead of exploits to bypass security protections on macOS systems." — Dave Bittner [09:46]
"...a scalable criminal marketplace with low barriers to entry and real world impacts tied directly to smartphone theft." — Dave Bittner [11:07]
"...in cybersecurity circles [that] lands somewhere between 'Trust us' and 'the check is in the mail.'" — Dave Bittner [21:41]
"There's just a lot of information on the cybersecurity front in the space domain that is just totally unknown to me or hard to figure out... the gap really needs to be bridged in terms of understanding what kind of cybersecurity space systems need..." — Maria Varmazis [15:52]
"Truly the entire space domain is a world where we're dependent on it, systems-wise, whether we realize it or not. And there's a huge, huge, multi-billion dollar movement... somebody's got to secure it. So let's learn what we got to do." — Maria Varmazis [18:44]
"...it's not as far off as we think, and in some cases it really is the career knowledge set of today." — Maria Varmazis [19:47]
On attacker innovation:
"On-premises Exchange servers remain high value targets for attackers. Organizations may need to balance risk reduction against potential disruptions to features..." — Dave Bittner [02:18]
On the risks of supply chain attacks:
"The incident highlights the cascading risk of software supply chain attacks, especially when developer environments and trusted package ecosystems are targeted." — Dave Bittner [06:01]
On space/cybersecurity convergence:
"Truly the entire space domain is a world where we're dependent on it, systems-wise, whether we realize it or not... somebody's got to secure it." — Maria Varmazis [18:44]
On ransomware "shred logs":
"...in cybersecurity circles [that] lands somewhere between 'Trust us' and 'the check is in the mail.'" — Dave Bittner [21:41]
Summary by CyberWire Daily Podcast Summarizer (May 15, 2026 edition)