Maria Varmazis
You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T Minus is back, now as a weekly podcast, the T Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet-enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth.
So join me for T Minus Space Cyber Briefing. New episodes every Sunday.
Dave Bittner
Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Anthropic brings Mythos to the NSA. A Palantir executive emerges as a possible CISA pick. A Linux flaw is under active attack. Minecraft malware goes commercial. An NPM package gets caught in the Miasma worm campaign. Researchers document the first AI-driven container escape, a browser supply chain compromise and a university breach with unexpected victims. Our guest is Ashu Savanni, co-founder at TryHackMe, discussing building high-performing SOC and IR teams. And the web becomes machine majority. It's Friday, June 5th, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today and happy Friday. It is great as always to have you with us. Anthropic is reportedly helping the US National Security Agency deploy its advanced AI model Mythos for cybersecurity purposes, including potential offensive cyber operations. According to the Financial Times, people familiar with the arrangement say Anthropic has embedded several engineers within the NSA to customize the technology and support its deployment, although it remains unclear whether they are involved in active operations. The partnership comes amid an ongoing legal dispute between Anthropic and the Pentagon over restrictions the company sought to place on government use of its AI, including limits on mass surveillance and autonomous weapons.
Despite the conflict, Mythos has attracted significant attention for its ability to identify and exploit software vulnerabilities, capabilities that could aid both cyber defense and offensive operations. Anthropic recently expanded access to Mythos to 150 organizations across 15 countries, reflecting growing demand for advanced, cyber-focused AI tools. The development highlights the increasing role of AI in national security as governments race to integrate powerful models into cyber operations. It also coincides with broader U.S. efforts to evaluate AI cybersecurity risks and strengthen defenses, including a new federal framework for reviewing advanced AI systems before public release. Reporting from The Record says the Trump administration is considering Shyam Sankar, chief technology officer of Palantir Technologies, to lead the Cybersecurity and Infrastructure Security Agency, according to sources familiar with the search. A White House official later disputed the report, stating the information was not accurate at this time. CISA has lacked a Senate-confirmed director since Jen Easterly's departure in January 2025, and previous nominee Sean Plankey withdrew after facing confirmation delays. Homeland Security Secretary Markwayne Mullin recently told lawmakers that a nominee is expected soon. Sankar's potential candidacy comes as the administration increases its focus on AI and cybersecurity. Palantir has deep ties to the administration and is a major provider of AI and defense technologies. CISA is expected to play a central role in implementing the administration's new AI Executive Order, including forthcoming cybersecurity directives for federal agencies. Sankar has publicly argued that AI should streamline government operations rather than create additional bureaucracy. CISA is warning that attackers are actively exploiting a Linux kernel flaw that allows container escape and full host compromise.
The vulnerability affects cgroups v1 and enables attackers to execute malicious scripts with root privileges by manipulating the release_agent file. Organizations should prioritize kernel updates that patch the issue and consider migrating to cgroups version 2, which removes the vulnerable feature entirely. Additional protections include enforcing AppArmor, SELinux or Seccomp policies and avoiding the use of privileged containers or unnecessary administrative permissions. Researchers at McAfee Labs have uncovered Weed Hack, a large malware-as-a-service campaign targeting Minecraft players through fake mods, clients and third-party tools. Active since January of this year, the operation has distributed more than 3,800 malicious files through over 240 URLs, using SEO poisoning and YouTube videos to lure victims. The malware includes credential theft capabilities targeting browsers, cryptocurrency wallets, Discord, Steam, Telegram, and Minecraft accounts. Premium subscribers paying as little as $5 per month gain remote access features such as webcam controls, key logging, screen sharing, file management and remote command execution. Researchers found the campaign has generated more than 116,000 visits and uses advanced techniques including Ethereum-based command and control infrastructure. McAfee also linked the operation to a Telegram community with more than 850 members, noting that many users appear to be teenagers using the malware for cyberbullying, harassment and surveillance of other young victims. Researchers at DTEX examined Anthropic's Claude Cowork Chrome plugin and dispatch features to assess how AI agents could enable insider threat activity through simulated workflows. They demonstrated how AI agents could summarize Salesforce data into Outlook drafts and archive and transfer files, highlighting potential pathways for data exfiltration.
The research found that mobile-based AI agents can interact with enterprise applications, files and cloud services using existing permissions, often with limited visibility into prompts and actions. Researchers identified consistent behavioral patterns including browser plugin communications, command line activity and API interactions that can aid detection. Key concerns include unauthorized data access, external communications and reduced visibility on unmanaged devices. DTEX recommends organizations improve monitoring of AI agent activity, analyze prompts and intent, attribute actions to AI versus human users, restrict unnecessary privileges and browser extensions, and implement behavior-based detection to manage emerging AI-driven insider risks. Researchers at Endor Labs identified four malicious versions of the popular NPM package AISDK Ollama, published within seconds as part of the ongoing Miasma supply chain malware campaign. The attacker left the package's legitimate functionality intact, but abused NPM's native build process through a malicious binding.gyp file, allowing code execution during installation without using traditional post-install scripts. The malware employed layered obfuscation and downloaded additional payloads designed to steal credentials from cloud platforms to developer tools and software registries. Researchers say the activity aligns with a self-replicating worm capable of spreading through compromised maintainer accounts, highlighting the growing sophistication of software supply chain attacks targeting open source ecosystems. Researchers at Sysdig observed what they describe as the first fully agent-driven attack to perform container escape and Kubernetes credential theft without human intervention.
Exploiting a vulnerable Marimo notebook, the AI-powered attacker systematically probed its environment, identified a mounted Docker socket, escaped the container, accessed host files including password hashes and SSH keys, and then used a Kubernetes service account token to dump secrets from the cluster. The operation displayed clear signs of autonomous decision making, including testing its own payload delivery methods, adapting tactics based on results and selecting multiple escalation paths. Sysdig warns that exposed Docker sockets and overly permissive Kubernetes service accounts can enable rapid host and cluster compromise. The company recommends patching Marimo, removing Docker socket mounts, restricting container privileges, tightening Kubernetes RBAC permissions, and rotating exposed credentials. During routine certification testing, Sophos X-Ops discovered an undeclared executable, Me Exe, being delivered alongside the Hola browser. The file was not part of the application's certified component list and exhibited several suspicious characteristics, including obfuscated code, lack of code signing, no timestamp, and memory write capabilities. Researchers suspected a supply chain issue because the file appeared inconsistently across test runs, suggesting delivery path variation rather than a fixed installer component. After Sophos reported the issue through AppEsteem's certification program, Hola investigated and confirmed that Me Exe was not intended to be distributed. According to the company, an internal review and independent forensic investigation by Sygnia determined the incident resulted from a supply chain compromise that affected approximately 0.1% of users. Hola says it has rebuilt its distribution pipeline, strengthened code signing controls, and implemented additional monitoring and access restrictions to prevent similar incidents.
An investigation by Ars Technica into Columbia University's 2024 data breach revealed that some victims had no connection to the school, yet their Social Security numbers were exposed alongside those of students and employees. After months of inquiries, Columbia acknowledged that before 2012 it collected prospective student data, including Social Security numbers, from testing services, scholarship programs and recruitment databases. Although the university stopped using Social Security numbers as student identifiers and attempted to purge old records, it inadvertently missed a legacy database that remained exposed in the breach. The discovery has raised concerns about decades-long data retention practices and the challenges of tracking the origins of historical personal information. Columbia says it has since deleted the affected database and is responding to questions from unaffiliated victims. The incident highlights the long-term risks of retaining sensitive data and may expand legal scrutiny surrounding the breach, which exposed 1.8 million Social Security numbers. Coming up after the break, my conversation with Ashu Savanni, co-founder at TryHackMe. We're discussing building high-performing SOC and IR teams. And the web becomes machine majority. Stay with us. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration, each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by more than 16,000 fast-moving companies like Ramp, Cursor and Harvey to help ensure they're always audit ready. And now Vanta is helping companies watch for the risks that show up between audits across vendors, AI tools and their entire environment.
The Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Dave Bittner
Ashu Savanni is co-founder at TryHackMe, and in today's sponsored Industry Voices segment, we discuss building high-performing SOC and IR teams.
Ashu Savanni
I think the ultimate goal of a security team is to protect an organization, right? So they want to identify attackers quickly, they want to detect them as quickly as possible, and they want to respond to attackers that have gotten in before they do any damage. So when I think about what a world class SOC team looks like, it is how can a, how can an organization meet all these, all these goals within the constraints they have, right? Whether this is a constraint on tooling, whether this is a constraint on headcount, or just a constraint on the way the organization works.
Dave Bittner
Do you find that there's sometimes a disconnect between how organizations measure SOC performance and what actually matters during an incident?
Ashu Savanni
Yep, yep, exactly that. I think what tends to happen is, as with a lot of similar teams, a lot of SOC teams can be very metrics driven with the way they're working. So whether this metric is how long did you take to respond to an alert, how long did you take to find an attacker, how many detections have you deployed. The challenge with these metrics is they don't tell the full picture of what does it really take for a security team to respond to an attacker. Because ultimately you want to make sure that your team is prepped to behave under pressure, your team is prepped to deal with an incident. And a lot of this ultimately comes from preparation. Right? So while a lot of SOC teams use metrics to measure the performance, a lot of what world-class SOC teams are doing is they're preparing for when they're going into an incident. They're preparing for, do they have the right processes in place? Do their teams have the right skill sets? Do they understand how to respond across various different scenarios? So those are all the, all the things good SOC teams do, whereas the failure points is just looking at a metric and trying to understand whether that metric is an accurate representation of SOC performance.
Dave Bittner
I know you advocate that maturity is deeper than just completion rates and things like training hours. What do you suppose real maturity looks like in practice?
Ashu Savanni
Yep. So when we think about maturity, we think maturity should drive three to four key behaviors in a SOC. One is a lot of SOC teams should be adversary forward, so they should be constantly thinking about what is an attacker doing, what does an attacker look like, how does that feed into their processes? We think a lot of great SOC teams that are highly mature should be continuously improving. So whether this is tuning their detection rules, whether this is improving playbooks, just becoming better over time is so important. So we also think that some of the best SOC teams are proactive, right? So instead of waiting for an attacker, they're doing everything they can before the attacker gets into their organization. Whether this is proactively writing detection rules, whether this is patching security issues. And four, which I think is underrated and the most important one, is team culture. So the best SOC teams actually have such a great culture of learning, being a blameless environment, such that when teams do come under pressure, these teams work together really well. And when we think about how these behaviors actually manifest, again, a lot of it comes down to preparation. Like you said, Dave, there are a lot of surface-level things that teams can do, right? As they can look at processes, they can look at training metrics and completions, they can look at SOC metrics like MTTR and dwell time. But ultimately these teams that are mature are changing their behavior, right? They're, they're, they're taking all these four drivers that we spoke about and then they're embedding them into their day-to-day processes.
Dave Bittner
Well, let's touch on AI. I think it's fair to say that every security vendor is talking about AI these days. From your point of view, how do you separate the hype from the real advantages that AI can bring?
Ashu Savanni
Yeah, that's a great question. I think the world has definitely changed, right? And is going to continue to change with how advanced AI is becoming. But the reality is, like everything else, AI is ultimately tooling and technology, right? And tooling and technology can only be deployed when, one, your foundations are right and two is when your team have the right skill sets there. So when I think about what can AI do and where is that hype, what is that hype really saying? You can see a lot of vendors promising reduction in incidents, promising reduction in core metrics. And while some of those things are true, organizations really need to make sure they have their foundations in place to deploy AI, right? So examples of these things are they need to make sure they have the right logs. They need to make sure that those logs are ingested in the right way, that their data is not messy. When it comes to deploying AI, we need to make sure people who are actually deploying AI know how the understanding technology works. So when I think about what separates the hype from what is it that AI can truly bring? AI can do a lot of things right. It can enrich context, it can summarize things for you. But all of these can truly only work when you have some of those foundations in place like we spoke about. And the second thing is, because AI is so new, it's important that your teams have the right skill sets, not just on understanding the fundamentals, right, which are how do technology work, how do attackers work? But a lot of security teams need to have a good understanding on how do you deploy AI safely across the organization. That's a pretty big part of it, right? AI is still in a phase where it may not entirely be accurate. You need to have his guardrails defined. So the people deploying and running these AI systems need to be knowing what to do there.
Dave Bittner
Can we touch on consistency and discipline? I think people, it's understandable that people will celebrate the big wins, the big saves, big incident response items. But I know you make the point that these small habits, these disciplines really turn into major advantages over time.
Ashu Savanni
Yeah, yeah, exactly that. You know, when you look at, when you look at generally how organizations have been breached across the last couple of years, it typically comes down to four things that are, that relate to well-known security hygiene, right? And this tends to be make sure you have multifactor authentication, make sure your networks are segmented properly, making sure you're patching different, different technologies. So when you look at these, right, a lot of how you can protect yourself comes down to good security hygiene, which does come down from like one good discipline. But when you look at security teams, especially SOC and incident response teams, these teams are operating under pressure, right? Like when incidents do hit, when attackers get in, it can be very hard for you to know whether you're making the right decision. A lot of this comes down to process, and how do we make sure that our processes actually work and stand up under pressure. That comes down to consistencies, consistency, and discipline of testing these processes. Running incident response drills, running tabletop exercises to determine what an attacker happens. So the more you are consistent with some of these processes and some of these actions, the better you are going to be to respond to an attacker. And some of these things are not very hard to do. Right. Like running a tabletop exercise, which is a simulated scenario you can do to 10, 15 minutes on a lunch break or at the end of the day. Incident response drills are slightly harder, but it's definitely possible to run those at a very low cost. So doing these things that are easy to do, that takes short amount of time, and doing them frequently can help you prepare for what an attacker is doing.
Dave Bittner
I want to touch on the human side of the equation here. I mean, obviously cybersecurity talks a lot about technology, but burnout is really, well, it's practically normalized in the industry these days. I'm curious, what are your insights when it comes to that?
Ashu Savanni
Yeah, that's a great question. And we see this happen a lot. Right. Because security still tends to be a very specialized role where there are not a lot of people with the right skill sets on it. Right. And sometimes the way these security teams run don't necessarily prioritize the people in these, in these teams. So I think, again, this is not across the board, but just because of the nature of the role and how specialized the skill set is, it's more prevalent for these teams to face burnout. Right. Because if you think about it, when incidents do happen, people have to work 18, 20 hours for a couple of weeks and even a couple of months, and then they have to go back to their normal security work, which is so very high pressure. And what we've seen at TryHackMe is some of the best teams that are highly mature, that actually do the best job under pressure. So they treat their teams really well. Right. So they give their teams amazing growth opportunities. They make sure their teams are well staffed, they make sure they're really taking care of them. And the more you create this environment for your team where they're learning and growing, but they're also taking care of themselves, the better security outcomes you're going to see. What we also see is because teams do tend to get burned out, they tend to be a lot of turnover in teams where individuals tend to jump from company to company. Right. Because these environments aren't great. So it's also in a company's best interest to make sure that they're reducing burnout and they're retaining teams because that has a lot of benefit with understanding the company, making sure they have the right knowledge to respond, and ultimately producing the best security outcomes for these companies.
Dave Bittner
What's your advice to folks who are in those leadership positions? To try to minimize that turnover and create a culture where people want to stick around.
Ashu Savanni
Yeah, I'd say like the, probably the first thing is making sure, like running any other team, making sure your team have the right opportunities to grow and learn. I think we're starting to see that SOC teams are going to change in structure. So typically where you'd have tiered SOC teams, where a tier one team is doing the same kind of repetitive work, SOC teams are now going to be more flat where each individual is going to be able to do the end-to-end job of a security analyst. So less of the repetitive triage work, but more of the end-to-end investigation work. And that's an example of how these teams are getting more opportunity. Right. They're getting to do interesting work, they're feeling motivated, so they're more likely to perform under pressure. So one is giving them opportunity. And even thinking about can you change the structure of your SOC team to make sure teams are getting these opportunities is quite important. But a lot of it also comes down to how does the team truly perform under pressure and under an incident. Right. So making sure that you have the right processes in place, making sure that where you can, that environment isn't as stressful, the team is working together well. And most importantly, making sure that there's a blameless culture when it comes to working in security. There are some environments where when an attacker does come in and does produce damage, so whether this is deleting infrastructure, stealing sensitive data, security tends to take the blame for that. And that doesn't really create a healthy environment for people to do their best work. So a lot of that also comes down to not just the culture of the security team, but the culture of the company itself.
Dave Bittner
That's Ashu Savanni from TryHackMe.
Dave Bittner
And finally, the robots are no longer knocking at the door. According to Cloudflare CEO Matthew Prince, they've already moved in and taken over the guest room. Cloudflare reports that automated traffic now accounts for just under 58% of HTTP requests, marking the first time bots have surpassed human Web traffic. Even Prince seemed surprised, admitting the milestone arrived much sooner than his prediction of 2027. These aren't the traditional web crawlers and spam bots of old. Increasingly, the traffic comes from AI agents acting on behalf of users, comparing prices, researching products, booking services, and gathering information for AI systems. While humans still dominate overall screen time through streaming, social media and endless scrolling, AI agents are generating far more web requests. Cloudflare's data suggests the Internet is quietly shifting from a place humans browse directly to one increasingly navigated by software assistants, whether we realize it or not. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Maria Varmazis
And Maria Varmazis here from T Minus Space Cyber Briefing. This week's episode, we are finishing up our two-parter on GPS and what cybersecurity professionals need to know. We're focusing on GPS jamming and spoofing this week. That's Sunday's episode of T Minus Space Cyber Briefing. Don't miss it.
Dave Bittner
Be sure to check out this weekend's Research Saturday and my conversation with Ismael Valenzuela, Arctic Wolf's VP of Labs, Threat Research and Intelligence. The research we're discussing is titled "BlueNoroff uses ClickFix, fileless PowerShell and AI-generated fake Zoom meetings to target the Web3 sector." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
This episode focuses on several major cybersecurity news items, with a particular emphasis on the NSA's adoption of Anthropic's AI model Mythos, ongoing challenges in AI and cybersecurity leadership, and notable trends in attacks and defense strategies. The latter half of the episode features an in-depth interview with Ashu Savanni, co-founder at TryHackMe, discussing best practices for building high-performing SOC (Security Operations Center) and Incident Response (IR) teams, as well as the evolving role of AI and SOC culture.
Host: Dave Bittner | Guest: Ashu Savanni, Co-Founder at TryHackMe