Announcer

You're listening to the Cyberwire Network powered by N2K

Home Depot Advertiser

Spring starts at the Home Depot and we are bringing the heat to your backyard this season. Fire up the flavor with our wide variety of grills for under $300 like the next grill 4 burner gas grill that's perfect for hosting your spring cookout. Then set the scene and turn your outdoor space into the go to spot the patio sets for every budget. Bring it this season with grills that deliver flavor and patios that set the VI vibe from the Home Depot. Start your spring with low prices guaranteed at the Home Depot. Exclusion supplies to home depot.com price match for details.

Dave Bittner

The UK's cybersecurity chief urges a full court press against threats We've got highlights from RSAC the US State Department has launched a Bureau of Emerging Threats. The Team PCP Cyber Criminal Group targets an open source library TP link patches multiple router vulnerabilities. A critical vulnerability hits Windchill and Flex PLM platforms. A phishing campaign impersonates Palo Alto networks recruiters. Malicious chrome extensions are harvesting users conversations with AI tools. Intern Kevin Files his latest report from the RSAC show floor and your private Zoom call may already have a podcast deal. Foreign. March 25, 2026 I'm Dave Bittner and this is your Cyberwire Intel Briefing. Hello everyone. Thanks for joining us here today. We are coming to you from the RSA 2026 Conferen in San Francisco. We're spending the week talking with security leaders, researchers and practitioners about what's shaping the threat landscape right now, from AI risks to supply chain security and the latest moves from nation state actors. Stay with us for insights, interviews and the stories. Security teams are watching closely as rsac continues. The UK's cybersecurity chief is urging governments, industry and allies to mount a coordinated, full court press against increasingly complex cyber threats. In a keynote at the RSA conference, National Cybersecurity Center CEO Richard Horn warned cyber risks now carry greater consequences, driven by cooperation between state and criminal actors. He said no single measure will suffice and pointed to actions spanning organizational resilience, shared infrastructure, protection and disruption of adversary networks. Horn argues sustained collective pressure across law enforcement, regulation, offensive cyber activity and secure by design software is required to counter attacks growing in scale and sophistication, including those amplified by AI. To that point, UK police arrested more than 500 suspects in a national fraud crackdown under Operation Hen House, freezing and seizing millions in suspected criminal proceeds. The National Crime Agency and City of London Police said the fifth annual operation led to 557 arrests, 172 voluntary interviews, 249 cease and desist notices and freezes on £9 million alongside £18.1 million in asset seizures. Authorities also blocked millions of scam calls and identified overseas fraud call centers. Officials say Coordinated national enforcement disrupts large fraud ecosystems affecting individuals and businesses across both digital and offline channels. Day two of the RSA conference featured a wave of announcements focused on securing AI systems identities and software supply chains as vendors rolled out new defensive capabilities. Security Week reported launches spanning AI visibility tools from Cyber Haven, Identity Security posture management features from RSA and Savant and generative AI agents from Securonix designed to reduce analyst workload. Other updates included Qualys protections for machine learning pipelines, recorded future malware intelligence automation, and Sonatype enhancements to software repository malware defenses. Several announcements also emphasized compliance automation, cloud data security and storage level cyber resilience. The volume and direction of launches signal an industry shift toward protecting AI workflows and consolidating identity and data risk visibility across enterprise environments. The U.S. state Department has launched a Bureau of Emerging Threats to counter adversaries weaponization of technologies such as AI, cyberspace and space systems, officials told ABC News. The bureau will address risks from Iran, China, Russia, North Korea and foreign terrorist organizations. It includes offices focused on cybersecurity, critical infrastructure, disruptive technology, space security and threat assessment, officials said. The effort supports long term national security planning and coordination across foreign policy tools. The department formally notified Congress the same day the White House released a national Artificial Intelligence policy Framework. Officials say adversaries are increasingly exploiting emerging technologies, requiring coordinated diplomatic and security responses. Beyond traditional cyber defense, A malicious update to the Light LLM open Source library is the latest supply chain attack attributed to the Team PCP Cybercriminal Group. Researchers at Future Search first identified the issue after executing the payload locally. Sonatype later confirmed that multiple versions on PYPI contained a credential stealer and malware dropper. Because Light LLM brokers connections between applications and multiple large language model providers, it can expose API keys, environment variables, and other secrets. Investigators link the incident to earlier compromises affecting Trivi checkmarks, extensions, and several NPM packages. Attackers are targeting tools embedded deep in AI development pipelines, where access to credentials can enable broader downstream compromise across enterprise environments. TP Link has patched multiple vulnerabilities in its Archer NX router series, including a critical flaw that could let attackers bypass authentic and upload malicious firmware. The issue affects multiple versions of the routers and stems from a missing authentication check in certain HTTP server endpoints. TP Link said attackers could perform privileged actions without logging in. The company also fixed a hardcoded cryptographic key flaw and two command injection vulnerabilities that allowed administrators to execute arbitrary commands. Router level compromise can enable persistent access and configuration control at the network edge, increasing exposure for home and small office environments if patches are not applied promptly, PTC is warning customers about a critical vulnerability in its windchill and FlexPLM platforms that could enable remote code execution, with German authorities taking the unusual step of directly alerting affected organizations. The flaw involves deserialization of trusted data and affects most supported versions and critical patch sets of both products. PTC said no patches are yet available and urged administrators to block access to a specific servlet path or disconnect exposed systems if mitigation is not possible. The company also released indicators of compromise and reported credible evidence of an imminent third party exploitation attempted. These product lifecycle management systems are widely used in industrial and engineering environments, increasing potential downstream risk if exploitation occurs before patches are released. A phishing campaign impersonating Palo Alto Network's recruiters is targeting senior professionals with fake hiring outreach designed to extract payment under the guise of resume processing requirements. According to Palo Alto attackers use scraped LinkedIn data and realistic corporate branding to build credibility before claiming candidates failed Automated Applicant Tracking System checks. Victims are then referred to a supposed third party specialist who offers to fix the issues for fees ranging from $400 to $800. The campaign relies on urgency and procedural realism to pressure targets into paying quickly. The operation shows how threat actors are adapting business process impersonation tactics to exploit executive job seekers directly for financial gain. Security researchers are warning that malicious Chrome extensions are harvesting users conversations with AI tools in a tactic known as prompt poaching. Expel said it observed several dozen incidents in the past month involving extensions that monitor open tabs, detect AI clients and capture questions and responses through API interception or page scraping before sending the data to external servers. Attackers either impersonate legitimate AI helper extensions or introduce malicious features after building a large user base. As seen with Urban VPN proxy stolen prompts may expose intellectual property, customer information or other sensitive data that can support phishing, identity theft or resale on underground forums. Coming up after the break, intern Kevin files his latest report from the RSAC show floor and your private Zoom call may already have a podcast deal. Stick around. No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to over 10,000 companies from startups to large enterprises. Trust Vanta to help prove their security. Get started@vanta.com cyber.

Announcer

Get in the game with the college branded Venmo Debit Card Wreck your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card@venmo.com collegecard the Venmo MasterCard is issued by the Vanccorp Bank N.A. select schools available. Venmo stash terms and exclusions apply at Venmo me stash terms max $100 cash per month.

Dave Bittner

Kevin McGee is global director of Cybersecurity Startups at Microsoft for Startups but this week at the RSAC conference, Kevin is my intern.

Kevin McGee (Intern)

What's your name please?

Dale Hoch

Dale Hoch. I'm the CISO at regscale.

Kevin McGee (Intern)

Welcome to the show. Great to see you again. Now we've go back a little while, so tell me, what are you working on nowadays?

Dale Hoch

So at regscale we're doing the transition to AI security. So we're really operationalizing our security operations center and spending a lot of time with the hardening and the hows and whys around AI, which is why I love the RSA theme this year and coming here and being able to talk to all the innovators and speak to all the other players in the space, it kind of build the roadmap for the future as we get around. You know how it's one thing to keep lines of business open, but it's another thing to open up new lines of business. And if you're not leaning hard into AI, you're way behind. So that's what, that's what we've been working on at Ringscale.

Kevin McGee (Intern)

Now I got to tell you, I used to think compliance was pretty boring, but it's probably one of the hottest things in the market. It's Picks and shovels in a gold mine.

Dale Hoch

It really is. And when you start to get. When you start to wrap automations up with AI and continuous controls monitoring I think right now we're looking at the death of compliance really. And you're looking at it moving to key security indicators are what my buddy Roland Cloutier calls dynamic operational controls assurance to where you're proving everything in your operational tech stack and your cyber resilience automatically all the time. And that, that point in time checklist is going away.

Kevin McGee (Intern)

You talk about compliance as code. Tell me a little bit about that.

Dale Hoch

Yeah, so when you start to take, you know, DevSecOps has been around for a while but when you start to take where you build compliance and security into your pipeline and then you start to automate it and you. So you get away from. Okay, my access controls are right, check. My, my configuration management is done, check. You're automatically gathering all your evidence and you're doing it at the start of your code so you don't have to do that panic state whenever you get into the production level. So building in compliance into your pipelines is the key to the future. If you're not looking at doing it now, you're going to be forced to do it in two years.

Kevin McGee (Intern)

Awesome. Well, thanks for your time, have a great show.

Dale Hoch

Fantastic. I appreciate being here. Great to catch up with you again, Kevin.

Kevin McGee (Intern)

All right, tell me who you are and what you do.

David Delappell

Hey, thanks so much for having me Kevin. I'm David Delappell, co founder and CEO of Dune Security.

Kevin McGee (Intern)

And what does Dune Security do?

David Delappell

So at Dune we prevent social engineering and insider threat across every channel. We have built the best replacement for things like security awareness training as well as we just released our red teaming, our agentic red teaming product on the

Kevin McGee (Intern)

user layer and I just got a chance to try that out and I got to make myself a deep fake of my boss, Dave Bittner.

David Delappell

Yeah, exactly. And so it's a really crazy time right where attackers can get into companies really through any modality using deepfake where possible. We've created what we think is the industry leading adversarial AI within one hour. We're creating a new adversary emulation pathway which is a specific Persona, method and target.

Kevin McGee (Intern)

So you're taking this beyond awareness training, you're taking this almost to a red teaming in the physical world of deepfakes and phishing and vishing and all those other things as well?

David Delappell

That's right, yeah. Our focus has always been on the user is really the attack surface right and so you need to pull in unlimited input source data to truly quantify user risk accurately in the enterprise. And in the enterprise, I mean, they're getting hammered by these deepfake phone calls or encrypted channel attacks. Right. And so you kind of have to meet the market where it is and really emulate the attackers.

Kevin McGee (Intern)

All right, walk me through one example that always blows everyone away when they see it. When they. When they see your product in action.

David Delappell

Yeah. I mean, one data point I can give is, you know, we're working with a lot of large GSI's and BPOs with large call center populations around the world. And what we found is, on average, roughly 1% of employees are complicit, meaning they'll accept a bribe from our AI. And so that's pretty insane. And of course, those people did get terminated in some of our customers. And now we've created deterrence, which is great. And now it's way less than 1% the problem.

Kevin McGee (Intern)

And I did some physical pen testing back in the 90s. If you've just got one person, you could only do one attack vector and only the imagination of one individual. But you can now do the set scale.

David Delappell

Yeah, it's, It's. Right, exactly. We're able to send, you know, a thousand phone calls, deep fake phone calls at once. Right. And people can have conversations with this. And, you know, we're partnered with a company called Reality Defender. And what Reality Defender does better than we think anyone is deep fake detection. They've been building this for over five years now. And they have really, really deep, you know, technical mode over their competitors. But what we do is we'll, we'll, we'll flood the zone with realistic outreach like phone calls, and we'll find, okay, roughly 90% will pick up the phone, right, in a call center. Maybe 40, 50% are actually having a conversation with the thing and not knowing it's AI. And then we're able to get a non zero amount of users to be complicit or socially engineered. Now, if you put Reality Defender on it, though, we can block everything. Right, because it detects it.

Kevin McGee (Intern)

That's fantastic. Well, thanks, and have a great rsa.

David Delappell

Thanks so much, Kevin. It's great to talk to you today.

Kevin McGee (Intern)

So it's Kevin the intern coming live from the streets of San Francisco. And because I'm an intern, I don't have much of a budget. But luckily the ARM cybervan is passing out free burritos, so I'm here scrounging burritos. Tell me who you are and what do you do.

Jason Williams

So, Jason Williams and I'm with ARM Cyber and I'm the Global Director of Solution Architecture Worldwide.

Kevin McGee (Intern)

Awesome. And what does ARM Cyber do specifically? Great.

Jason Williams

So ARM Cyber is a data resilience, preemptive ransomware mitigation solution, providing organizations with peace of mind to not only stop threats that come against their organization, but to be able to recover data in a moment's notice.

Kevin McGee (Intern)

That's awesome. I've heard you described as sort of the cloaking device for data. Is that true? Ekt.

Jason Williams

Yep, pretty much. So we are able to understand where data assists the critical information within an organization and then be able to be that endpoint of the future for them.

Kevin McGee (Intern)

All right, now tell me the story behind the burrito truck. Is this getting a lot of press here?

Jason Williams

Oh, it's definitely getting a lot of press. Everybody loves burritos. We're in the hot spot here at RSA conference, giving out, you know, burritos that are chicken and veggie, and people are coming by and enjoying it. So free to everybody.

Kevin McGee (Intern)

Fantastic. What's the most popular one? Chicken. Chicken, hands down. Well, thank you for your time today.

Jason Williams

Thank you. Have a great one.

Dave Bittner

That's intern Kevin, also known as Kevin McGee, global director of Cybersecurity Startups at Microsoft for Startup. Foreign.

Announcer

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C. According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

David Delappell

Zootopia 2 has come home to Disney.

Jason Williams

Let's go get ready for a new case.

David Delappell

We're the greatest partners of all time. New friends Gary the Snake and your

Dave Bittner

last name, the Snake Dream Team Pick new habitats.

Announcer

Zootopia has a secret reptile population.

David Delappell

You can watch the record breaking phenomenon at home. Zootopia 2, now available on Disney. Rated PG. And right now you can get Disney and hulu for just $4.99 a month for three months with a special limited time offer.

Jason Williams

Ends March 24.

David Delappell

After three months, Plan Auto renews at 1299amonth. Terms apply.

Dave Bittner

And finally, a site called Webinar TV is drawing attention after quietly recording publicly linked zoom meetings and republishing them as AI generated podcasts, sometimes without participants realizing their conversations were captured at all. According to reporting from 404 Media and a cyber Alberta analysis webinar TV scans for meeting links, joins sessions using browser extensions or related tools, then records and republishes content with summaries, chapters, and even AI hosts discussing the calls. Some users only discovered this after receiving promotional emails congratulating them on their surprise podcast debut. Zoom said the activity happens outside its platform environment and relies on publicly shared meeting links rather than a software vulnerability. Organizations often treat webinars as semi private working spaces, yet publicly shared links can quietly turn them into searchable, replayable content libraries for someone else's business model. The safest assumption may be that if a meeting link can be shared widely, it can also be replayed widely and possibly narrated by Phil and Amy. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Ramazas, our executive producer is Jennifer Ibin, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.