Russia wants to revoke small ISP licenses. A cyber attack has disrupted access to US newspaper archives. Node.js pauses its bug bounty program after its funding lapses, and Apple backports patches for Dark Sword. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Patrick Gray, filling in for Claire Ed, who is not feeling well. Claire, we hope you feel better soon. Today is April 3rd and this podcast episode is brought to you by Knock Knock. That's Knoc Knoc.
Russia is preparing to shut down small ISPs that fail to meet the country's censorship requirements. Small ISPs have been a weak spot in Russia's attempt to control the Internet. Some have failed to block websites or deploy SORM traffic interception equipment. Proposed new laws would allow the Russian Ministry of Digital Development, Communications and Mass Media to revoke ISP licences without a court order.
European officials and staff have been told to stop discussing sensitive information on Signal. The warning came after the European Commission learned of a Signal group which contained many high-ranking officials. Intelligence agencies in both the EU and the US have warned that Russia is attempting to hack Signal and WhatsApp accounts for espionage.
The US State Department has ordered embassies and consulates to push back against foreign influence operations. Iranian, Chinese and Russian info ops are currently leveraging the war in the Middle East to discredit US policies. The State Department shut down its counter-disinformation units last year.
A cyber attack on a US newspaper archiving firm is still disrupting access to its digital records. The incident against newspaper archive occurred in late February. The company had hoped to restore services by the end of March. The Utah company archives more than 16,000 publications from 3,500 US cities.
American toymaker Hasbro says it will take weeks to recover from a recent hack.
In an SEC filing, the company says it shut down affected systems and deployed temporary infrastructure to continue fulfilling orders. No group has taken credit yet.
AI training startup Mercor has disclosed a security breach. The company says the breach was a result of the supply chain attack on the LiteLLM Python library. Mercor said it contained the breach as soon as it was discovered. The company connects other AI firms with experts in various fields to train specialised models. It's valued at more than $10 billion.
A recent breach of the European Commission's Amazon cloud environment has been linked to the Trivy supply chain attack. The hacking group TeamPCP compromised the Trivy security scanner last week to steal credentials and access tokens. The credentials appear to have been sold to other hacking groups who used them to steal data and extort victims. CERT-EU says the Shiny Hunters group subsequently stole 90 gigabytes of data from the EU's AWS account and leaked it on the Dark Web.
Hackers have disrupted police and fire departments in at least four towns in Massachusetts. The attack targeted the Patriot Regional Emergency Communications Centre, which handles communications for first responders. The hack impacted non-emergency and business phone services. The towns of Ashby, Dunstable, Pepperell and Townsend have reported disruptions.
Hackers have stolen $280 million worth of crypto from the Drift DeFi platform. The company said the attack had been prepared weeks in advance. Drift said the attackers obtained multisig transaction approvals from its Security Council in advance, allowing them to move funds.
WhatsApp has notified users who were infected with spyware after installing a fake iOS version of the app. Most of the 200 victims are located in Italy. WhatsApp has sent a cease and desist letter to the spyware's maker, Italian surveillance vendor SIO SpA. The company's website says it only works with intelligence and law enforcement agencies.
Cambodian officials have extradited another member of the Prince Group to China. Chinese state media described Li Zhong as a core member of the organisation. He also served as chairman of Huione Group, a subsidiary of the Prince Group. Both organisations have been sanctioned by the United States. The Prince Group was sanctioned for running cyber scam compounds, while Huione laundered the proceeds.
North Korean hackers have breached more than 400 GitHub repositories to plant malicious tasks.json files. VS Code users who load or clone the repos would be infected by malware. The campaign abuses a VS Code feature that auto-executes instructions placed in the JSON file.
A rootkit has been spotted inside more than 50 Android apps in the Play Store. The no voice malware is designed to steal WhatsApp sessions and can survive factory resets. It only works on smartphones running Android 7 or earlier, which last received security updates in 2021, according to McAfee. The infected apps have been downloaded more than 2.3 million times.
The Node.js project has paused its bug bounty program after a lapse in its external funding. The program had been running since 2016. It was sponsored by the Internet Bug Bounty, a program funded by several tech giants, including Microsoft, Meta and Adobe. Node.js is used by about 6% of Internet sites.
Apple has backported security updates to iOS 18. The updates patch exploits used in the Dark Sword hacking framework, which appeared online last month. Dark Sword has been used in the wild and mass exploitation is expected.
Google has patched a Chrome zero-day that was being used in the wild. The flaw was a memory corruption bug in Chrome's web graphics component, Dawn. It is the fourth Chrome zero-day to be patched this year.
The FreeBSD project has patched a remote code execution attack in a kernel component. The vulnerability resides in Generic Security Services, an API that is used to set up encrypted communications.
Oversized packets sent to the GSS service can allow attackers to run malicious commands.
The Mongoose Web Server project has patched three major vulnerabilities this week, an authentication bypass and two remote code execution issues. The Mongoose server is typically used on embedded devices due to its lightweight and built-in TLS support.
Progress has patched authentication bypass and remote code execution vulnerabilities in its ShareFile servers. The bugs can be combined to upload web shells to unpatched servers. There are more than 30,000 ShareFile instances available online, but only version 5 is vulnerable to attacks.
And that's all for this podcast edition. Today's show was brought to you by Knock Knock, Knoc Knoc, a fabulous product that helps you really reduce your attack surface both externally and internally by allowing you to allow list network connections. It's really great stuff. You can find them at Knoc Knoc IO. And that's all from me for now. We do hope you enjoyed this bulletin. Until next time, I've been Patrick Gray. Goodbye.
Podcast: Risky Bulletin by Risky Business Media
Date: April 3, 2026
Host: Patrick Gray (filling in for Claire Ed)
Summary Prepared by: Catalin Cimpanu
This episode delivers the latest roundup of global cybersecurity news, with a focus on regulatory crackdowns, high-impact breaches, attacks on public infrastructure, and major security updates. The headliner: Russia’s move to eliminate small ISPs that fail government censorship and surveillance demands.
[00:25] Russia is preparing to shut down small Internet service providers (ISPs) that fail to enforce online censorship and surveillance mandates.
“Russia is preparing to shut down small ISPs that fail to meet the country’s censorship requirements.” — Patrick Gray [00:25]
“The credentials appear to have been sold to other hacking groups who used them to steal data and extort victims.” — Patrick Gray [04:25]
“Node.js is used by about 6% of Internet sites.” — Patrick Gray [08:41]
On Russia’s ISP clampdown:
“Proposed new laws would allow the Russian Ministry… to revoke ISP licenses without a court order.” — Patrick Gray [00:50]
On the scale of breached EU data:
“Shiny Hunters group subsequently stole 90 gigabytes of data from the EU’s AWS account and leaked it on the Dark Web.” — Patrick Gray [04:34]
On Node.js ecosystem impact:
“Node.js is used by about 6% of Internet sites.” — Patrick Gray [08:41]
Patrick Gray maintains a brisk, informative tone, weaving through a high-volume update of security news without editorializing, focusing on facts and verified developments. The episode reinforces growing supply chain risks, the persistent threat of state-led cyber operations, and the vulnerabilities affecting both public infrastructure and high-profile tech projects.
For more in-depth updates, visit Risky Business Media or listen to the next Risky Bulletin.