A
You're listening to the Cyberwire Network, powered by N2K.
B
Most security conferences talk about Zero Trust. Zero Trust World puts you inside it. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your Zero Trust strategy from theory to execution. CISA's acting director assures Congress the agency has stabilized. Google and Cisco patch critical vulnerabilities. Fortinet firewalls are being hit by automated attacks. A global spam campaign leverages unsecured Zendesk support systems. LastPass warns of attempted account takeovers. Greek authorities make arrests in a sophisticated fake cell tower scam. Executives at Davos express concerns over AI. Pwn2Own Automotive proves profitable. Our guest is Kaushik Deveretti, AI data scientist at Fable Security, with insights on a fake ChatGPT installer. And new password, same as the old password. It's Thursday, January 22, 2026. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us. The US Cybersecurity and Infrastructure Security Agency is working to refocus on its core mission after a turbulent year marked by staffing losses, funding disruptions and internal restructuring. 
Acting Director Madhu Gottumukkala told the House Homeland Security Committee that the agency has stabilized and does not expect further organizational changes in fiscal year 2026. CISA now employs more than 2,400 staff, roughly a thousand fewer than at the start of the Trump administration. Gottumukkala said the reductions were part of a broader White House effort to shrink the federal workforce and right-size the agency. CISA now has the workforce it needs, he argued, and plans targeted initiatives in 2026 to address the most critical cyber risk gaps. Republicans praised a narrower operational focus, while Democrats warned proposed budget cuts could weaken civilian cyber defenses as foreign threats persist. Funding debates for the Department of Homeland Security, including CISA, are expected to intensify ahead of a looming shutdown deadline. Google has released an urgent update for Chrome and other Chromium-based browsers to fix a high-severity flaw in the V8 JavaScript engine. The vulnerability is a race condition that allows memory corruption and could enable attackers to escape the browser sandbox and run code on a user's system by luring them to a malicious site. The update, released January 20, applies to Windows, macOS and Linux. Users should update Chrome and Chromium-based browsers immediately, according to Google. Elsewhere, Cisco has issued emergency patches for a critical vulnerability affecting its enterprise communications platforms, warning of active exploitation attempts. The flaw is an unauthenticated code injection issue in web-based management interfaces that can allow attackers to execute commands and potentially gain full system control. Impacted products include Unified Communications Manager, Unity Connection and Webex Calling Dedicated Instance. Cisco says there are no workarounds and urges immediate patching. 
Researchers warn that Fortinet FortiGate firewalls are being hit by automated attacks that create rogue accounts and rapidly export firewall configurations. According to Arctic Wolf, the campaign began January 15th and appears to exploit an unknown weakness in FortiGate's single sign-on feature, closely resembling attacks seen in December of last year. Arctic Wolf says it remains unclear whether current attacks are fully addressed by existing patches, and customer reports suggest a possible patch bypass. Fortinet is expected to release additional FortiOS updates to resolve the issue. Until then, defenders are advised to disable FortiCloud SSO. CISA has already flagged the earlier vulnerability as actively exploited, while Shadowserver reports nearly 11,000 exposed devices online. A global spam campaign has flooded inboxes with hundreds of confusing emails generated through unsecured Zendesk support systems. The wave began Jan. 18 and abuses Zendesk's default settings, which allow unverified users to submit support tickets, which then trigger automated confirmation emails to whatever address is entered. Attackers iterated through large email lists, effectively turning legitimate customer support platforms into mass spam engines. The emails feature bizarre or alarming subject lines, including fake legal notices and promotional offers, often written with decorative Unicode text. While the messages do not contain malicious links, they bypass spam filters because they originate from trusted companies, making them particularly disruptive. Affected organizations include Discord, Dropbox, Riot Games and government agencies. Zendesk says it's rolled out new safeguards to detect and limit this relay spam and advises customers to restrict ticket submissions to verified users. LastPass is warning users about an active phishing campaign designed to steal master passwords and take over accounts, according to the company's Threat Intelligence, Mitigation and Escalation team. 
The campaign began Jan. 19 and is circulating widely. The phishing emails impersonate LastPass and claim users must urgently back up their password vaults within 24 hours ahead of supposed maintenance. Links in the messages lead to a fake LastPass login page that captures credentials if entered. Because LastPass stores passwords for other services, a compromised master password could expose many additional accounts. LastPass says it will never ask for a master password or demand immediate action and is working with partners to take down the malicious domains. The company urges users to remain cautious, noting that false urgency is a common phishing tactic. Greek authorities have arrested two foreign nationals accused of running a sophisticated fake cell tower scam in the Athens area. According to Hellenic police, officers discovered a mobile computing system hidden in a car trunk that acted as a rogue cellular base station, often called an SMS blaster. The setup, linked to a concealed roof antenna, impersonated legitimate telecom infrastructure and intercepted nearby mobile connections. Police say the suspects exploited known weaknesses in mobile network protocols, forcing phones to downgrade from 4G to less secure 2G connections. This allowed them to collect device identifiers and phone numbers, which were then used in smishing campaigns posing as banks or courier services. Authorities have tied the operation to several confirmed fraud cases in and around Athens, with investigations ongoing. Executives from EY and KPMG warned at the World Economic Forum in Davos that AI security is emerging as a major enterprise risk. EY's Raj Sharma told Business Insider that organizations are not adequately addressing the security and lifecycle management of AI agents, which can access sensitive data but lack clear identity and controls. He argued that industrial-grade security frameworks for AI agents are still immature. 
KPMG US CEO Tim Walsh echoed those concerns, saying AI-related cyber risk is now a top issue for CEOs and is slowing some AI deployments as firms reassess data protection. Walsh also flagged quantum computing as a future security threat, warning that it could break current encryption and force widespread re-engineering of security systems. Day two of Pwn2Own Automotive 2026 proved that hacking cars and chargers can be very profitable. Security researchers walked away with over $439,000 in prize money after popping 29 fresh zero-day bugs at the event in Tokyo, held during the Automotive World show. After two days, total winnings hit over $955,000 across 66 zero-days. Fuzzware.io led the pack with $213,000 thanks to successful hacks against multiple EV chargers. Other teams rooted infotainment systems, car operating systems like Automotive Grade Linux, and more charging hardware. Even Tesla tech made an appearance earlier in the contest. The fun continues on day three with more chargers and systems lined up for attack. Vendors now have 90 days to patch before details go public, so the clock is ticking. Coming up after the break, my conversation with Kaushik Deveretti from Fable Security. We're discussing insights on a fake ChatGPT installer. And new password, same as the old password. Stick around. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. 
And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M E T E R dot com slash cyberwire. What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V A N T A dot com slash cyber. Kaushik Deveretti is AI data scientist at Fable Security. We recently got together to discuss insights on a fake ChatGPT installer.
A
So right before the Thanksgiving holidays, I think, we work at a startup, but even around Thanksgiving things are slowing down a little bit. I found myself with a little bit of free time to do some research, explore online, and I was very interested in the concept of the AI browser, which many of you have probably heard of. And I wanted to try it out, give it a spin, and actually test them on their susceptibility to prompt injection. So these are browsers like ChatGPT Atlas, Perplexity Comet, Atlassian's Dia. When I searched for the first one, ChatGPT Atlas, very recently released, I curiously noticed on Google, when you searched that term, the first result was actually a sponsored result. And it looked, you know, the title and description looked identical to the second result, which was an official Google search result from ChatGPT itself. And so I immediately picked up that it was a fake site, given that it was served from a Google Sites domain, and decided to go down that rabbit hole instead to see what kind of attack this would present me with. When I clicked on that site, it was very interesting because the website looked exactly identical to the normal ChatGPT Atlas site. I pulled them both side by side to compare. And so the malicious group had stolen exactly the HTML, the styling, everything from the links themselves. And there was really no way to tell that this was a malicious website other than the domain itself not being ChatGPT's. And so I decided to take it one step further and look through the entire chain. And so when I clicked the download button to get the AI browser downloaded, rather than it downloading some software to my laptop, it presented me with a new screen. This is where it differs from the official ChatGPT website, asking me to run a command on my laptop. Now, most of the audience may recognize this is what's commonly known as a ClickFix attack. But the really interesting piece here is typically ClickFix attacks. 
The name, it's called ClickFix because it's typically prompting you to fix something on your computer. It may say, hey, Dave, your software is out of date. To continue accessing this website, please run this command. Or hey, please prove to us that you're a human. We think you're a bot. Run this command. This was very different because it was actually telling me, hey, we're going to give you this AI browser. You have this intent to download it. Here's exactly how to download it, by running a command kind of on your computer. And I thought this was very interesting because while ClickFix attacks are well known, the deception strategy and the entry point was very different from a traditional ClickFix attack.
B
Now, are you on a Mac or a PC here?
A
I'm on a Mac.
B
Okay.
A
Yeah. And the website actually said, gave me a download for Mac button.
B
Huh. So what happens next?
A
Totally. So if you run that command, which, if that website is still live, please do not run that command on your computer. But I actually pulled the script into a sandbox environment to see what it would actually do. And at first glance, the command looks almost benign. It's running a... it's pulling a script from the Internet and executing it. And it is encoded in base64, so there's no way to see what the URL is that it's curling and pulling the script from. If you decode the base64, you'll notice it's a very peculiar URL. It's a free file hosting site, and this is where the threat actor group was hosting some infostealer malware.
B
So had you installed this, it would have downloaded the infostealer malware. Do you happen to know what flavor of infostealer it was trying to put on your system?
A
Totally. So the curious step before it was it would actually ask you for your system password. So it's clear that the infostealer malware wouldn't be able to execute without sudo permissions. And so if you didn't type in your password properly, it would keep prompting you over and over saying, hey, we can't install until you type your password. I ended up getting the infostealer malware and uploading it to VirusTotal to see what matches I could find. And at the time there were no specific matches that it was able to determine. But I think the really interesting piece was I was running an EDR on my laptop, on the sandbox, and the EDR did not pick up that it was a malicious file.
B
As a Mac user, and I'm a Mac user myself, it's fair to say, don't you think, that for someone to ask you to invoke the terminal and enter a command, that rarely happens.
A
Correct. Correct.
B
So that was a red flag for you.
A
Yes, yes. I think you should never run an arbitrary shell command on your computer, especially, you know, on a corporate device which has very sensitive information, unless you're absolutely sure you know what it's doing.
B
So there's multiple things at play here. I mean, what are the take-home lessons for you in terms of advising folks to best protect themselves here?
A
Totally. I think, like, traditionally when we think about ClickFix attacks and the way these attacks come in, typically the attack vector is it lands in your email inbox. You know, there's a phishing email which will lead you to this URL, and that website will try and instruct users, hey, run this command. I think now we're starting to see, hey, there are other ways that people can land upon this ClickFix attack, and we need to spread awareness that these other attack vectors exist. And I think at a very basic level we should be educating people that they should not be running arbitrary commands on their computer.
B
What if I'm in charge of administrating the computers, and let's stay on the Mac here for a while. If I had denied someone access to the terminal or the ability to run as root, would that have helped?
A
Yeah, I think there's a certain class of users, right, that you can lock down the device a bit more, especially if they're not developers. Removing root access to the terminal is a very positive step. Now, there's always going to be users who need that type of access, like software developers who are developing locally, and for them a technical control may not be enough, and that's why we need the awareness piece for them.
B
That's Kaushik Deveretti of Fable Security. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Security works best in layers, and when those layers actually work together, that's when things get interesting. NordLayer is a network security platform designed for modern teams. It secures connections, controls access and helps stop threats, all without hardware or long deployment cycles. Now NordLayer has partnered with CrowdStrike to bring Falcon endpoint protection into the mix, giving small and mid-sized businesses a multi-layered security approach that's practical to deploy and easy to manage. NordLayer handles secure access and zero trust networking; CrowdStrike Falcon adds endpoint visibility and protection. Together they cover more ground than either could alone, without requiring a large IT staff. For business leaders, that means clearer control and easier compliance. For IT teams, it means granular access policies, faster onboarding and protection that scales. If you're looking for enterprise-grade security without enterprise-grade complexity, take a look at NordLayer. Get up to 22% off yearly plans plus an additional 10% with code CYBERWIRE10. There's even a 14-day money-back guarantee. Check out nordlayer.com/cyberwire daily to learn more. And finally, after another year of security training, stern warnings and posters begging users to think before you type, passwords have once again refused to evolve. 
An analysis of 6 billion leaked credentials by Specops Software, using data from its parent firm Outpost24, shows that 2025's most common passwords were the same familiar classics: 123456, password and admin, apparently still doing brisk business. The report suggests this is not nostalgia but habit. Numeric strings dominate personal accounts, while admin and password linger on enterprise gear from networking devices to industrial systems. That creates a predictable path for attackers who can reuse stolen credentials to access VPNs, Active Directory or cloud services. Even more complex passwords often just decorate old favorites with a few extra characters. The lesson is dry but clear. Attackers innovate, users reuse, and security teams clean up the mess. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insight, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. 
Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across Active Directory, cloud apps, and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on TheCyberWire.com.
Host: Dave Bittner (N2K Networks)
Guest Interview: Kaushik Deveretti, AI Data Scientist, Fable Security
This episode covers the stabilization of the US Cybersecurity and Infrastructure Security Agency (CISA) after a turbulent year, major software vulnerabilities and threat campaigns in the wild, new phishing and social engineering trends, notable arrests for cyber-enabled crimes, and heightened concerns about AI and quantum risk at the World Economic Forum in Davos. The featured interview dives into a new flavor of “click-fix” malware attacks using fake AI browser installers.
Kaushik Deveretti, AI Data Scientist at Fable Security, describes exploring a new “AI browser” tool (ChatGPT Atlas) and running into a cleverly disguised malware campaign via Google Ads.
For links to all referenced stories, visit TheCyberWire.com.