Risky Business #817 – Less carnage than your usual Thanksgiving
Podcast Summary and Show Notes
Date: December 3, 2025
Host: Patrick Gray
Guest Analyst: Adam Boileau
Sponsor Interview Guest: Damien Lukey (Nebuloc)
Episode Overview
This week's Risky Business covers a wide array of infosec stories, including a freak cosmic ray incident causing global airline chaos, new insights into the Shai-Hulud worm supply chain attack, the unglamorous reality of malicious browser and VSCode extensions, the latest on some "advanced persistent teenagers," updates from Microsoft and Fortinet, a crackdown on European crypto mixers, serial data breaches in South Korea, and a deep-dive interview on improving Mac security telemetry with Sigma. As usual, the conversation is brisk, candid, and informative: a must-listen for security professionals (minus the sponsor fluff and the waffling).
Key Discussion Points and Insights
1. Airbus A320 Cosmic Ray Bit-Flip Incident
[01:41–06:49]
- Incident: A controller in the Airbus A320 experienced a bit flip (allegedly from cosmic rays), causing an uncommanded pitch-down event mid-flight—resulting in emergency firmware rollback orders and global airline disruption.
- Software Engineering Lessons: The older firmware handled bit flips more robustly—possibly due to trade-offs for new features in the updated version.
- Quote — Patrick Gray:
"You wonder why the updated version … couldn't deal with a flipped bit whereas the previous one could. Maybe they took out some check summing or something … needed the processing headroom for these new features." [03:52]
- Both hosts note the value of rigorous patch management in aviation, and compare it favorably to the IT industry's less cautious approach ("no OTA updates for your Airbus").
2. Congress Grills AI Providers Over China-Linked Attacks
[06:51–08:51]
- Context: Congress wants Anthropic (AI company) to explain how Chinese APTs used their tech for cyber campaigns.
- Analysis: Hosts downplay the focus on it being a "US AI" problem—attackers would use whatever platform is available.
- Quote — Patrick Gray:
"I don’t think the 'oh wow, it used US technology' angle is particularly interesting here." [07:29]
3. Shai-Hulud Worm Supply Chain Attack Postmortem
[08:51–13:44]
- Victim’s Perspective: PostHog, as a “patient zero,” shares detailed analysis showing attackers exploited ambiguous GitHub integration workflows to sneak in malicious commits.
- NPM/GitHub Response: Movement toward gating publish operations via CI/CD pipelines and enforcing U2F (phishing-resistant) authentication.
- Key Insight: Short-lived tokens and automation help, but attackers may still succeed within those windows. The ultimate goal is to push security up the chain—making manual review stronger and long-lived tokens rarer.
- Quote — Adam Boileau [on new mitigations]:
"Anything that means you are less likely to leave tokens lying around … absolutely improves the resilience of the ecosystem." [13:23]
4. Malicious VSCode & Browser Extensions—Ongoing Supply Chain Mess
[13:44–19:57]
- Research: John Tuckner (SecureAnnex) and Koi group detail large campaigns sneaking fake or hijacked VSCode and Chrome extensions into trusted stores, often indistinguishable from genuine ones.
- Notable Campaign: “Shadypanda” infected over 4 million Chrome/Edge users over 7 years.
- Business Response: SecureAnnex monitors extension integrity for paying customers; Airlock Digital offers allow-listing.
- Quote — Adam Boileau:
"Even people who will sell their extensions after they’ve got bored of them … update them with malware. That’s something that people have done with great success in the past." [15:31]
"Browser extensions don’t make me feel good." [19:57]
5. Brian Krebs Doxes Teenage Scattered Spider/Lapsus$ Member
[20:17–23:06]
- Story: Krebs identifies a 15-year-old in Jordan as a major player via an unredacted password slip-up in a Telegram screenshot. The teen says he's quitting hacking; Krebs isn’t convinced.
- Youth in Cybercrime: Recent research suggests many “advanced persistent teenagers” outgrow cybercrime by their 20s (if they avoid jail).
- Quote — Patrick Gray:
"By the time they’re in their 20s, they all go off and get real jobs … see if you can avoid prison in the meantime, guys." [22:29]
6. Wiretaps, Airplane Wi-Fi Hacks, and Real Consequences
[23:47–25:30]
- Case: Michael Klapsus, Australian airport Wi-Fi “pineapple” attacker, received over seven years in prison after stealing private images via phishing hotspots.
- Unusual Severity: A heavy sentence in Australia for non-violent computer crime; a sign of court outrage over the nastiness of the offense.
7. The Reuters “Hack”: When Guessing URLs Isn’t Hacking
[25:30–28:25]
- Incident: Reuters published a UK government report before embargo by simply manipulating predictable URLs, sparking official allegations of “hacking.”
- Perspective: Patrick recounts a similar case from 2002; stresses that pre-publishing a public URL is not a security control.
- Quote:
"If you publish information, you can’t get mad that people read it." [26:27]
8. Myanmar Scam Compound Blown Up—But Only for Show
[28:25–29:29]
- Follow-up: New satellite imagery confirms only a small section of the infamous KK Park scam compound was destroyed—a half-hearted, “performative” gesture by authorities.
9. Microsoft Upgrades Content Security Policy on Login Pages
[29:29–33:23]
- Change: Microsoft finally restricts non-Microsoft script on login forms, mitigating XSS risk.
- Surprise: Both hosts are astonished that such a control wasn't already standard, highlighting the challenge of scaling security retrofits at Microsoft's size.
10. More Fortinet Flaws—This Time in “End of Life” Products
[33:23–37:00]
- Finding: Rapid7 finds that vulnerabilities disclosed in newer FortiWeb WAF versions also affect unsupported legacy devices, which will not receive patches.
- Industry Humor: Fortinet’s constant presence in both sponsorship and vulnerability news leads to in-show jokes about “Forti-balls” and what it must feel like to work there.
- Quote — Adam Boileau:
"If you’re running unsupported Fortinet anything on the internet, you’ve probably already been owned 47 times." [34:47]
11. European Police Take Down Swiss Crypto Mixer
[37:00–38:40]
- Seizure: $29M in bitcoin and 12TB of data seized; it is unclear whether the logs will allow laundered funds to be traced.
- Historical Note: Once upon a time, would-be Bitcoin OPSEC warriors on Silk Road failed to realize blockchain’s forensic transparency.
12. North Korea’s Lazarus Group Hits South Korean Crypto Exchange
[38:40–40:27]
- Heist: $30M stolen from Upbit, either via technical wallet key shenanigans or (most likely) social engineering and insider access.
- Perspective — Adam Boileau:
"If you will give your money to a cryptocurrency exchange, you kind of expect it to end up in North Korea’s nuclear weapons program anyway." [40:27]
13. Another Epic South Korean Data Breach
[40:27–42:25]
- Breach: An e-commerce giant leaks customer information affecting two-thirds of the Korean population—order histories, personal details, possibly more.
- Trend: South Korea’s per-capita data breach scale is unparalleled, with hosts dubbing them "World champions" in getting owned.
14. NSA Contractor Caught Catfishing with Government Computer
[42:25–44:30]
- Incident: Booz Allen Hamilton NSA contractor is caught using his government work computer to catfish girls on Reddit for nudes.
- Detection: NSA’s endpoint monitoring allegedly caught it, and the FBI was tipped off.
- Quote — Patrick Gray:
"This guy deserves everything he gets, not only for being a catfishing creep, but also for being a massive dumbass." [43:27]
Interview: Vibe Hunting on macOS — Filling Telemetry Gaps with Core Sigma
[46:57–60:23]
Guest: Damien Lukey (Nebuloc)
- Problem: Mac endpoint security is a “second class citizen”—EDR tools offer little transparency, Sigma rules for Mac lag far behind Windows.
- Solution: Nebuloc has produced "Core Sigma," an open framework that dramatically increases Sigma rule coverage and normalization for macOS events, allowing advanced threat hunting and detection.
- Key Features:
  - 50+ production-ready Sigma rules for macOS
  - Rules for unsigned kernel extension loads, SIGKILL events against security tooling, and visibility into native malware quarantining (XProtect)
  - Fully open-source, intended for both their product and the broader community
- Quotes — Damien Lukey:
"We saw that there was this gap in signal mapping from what was happening on macOS to how to interpret it as a Sigma rule. So we created a framework to help with that." [48:06]
- On unsigned kernel extensions:
"By the time an unsigned kernel extension is popping up on a box, things have gone really sideways." [51:19]
- On remote access tools and Mac malware:
"On the customer side, where macOS visibility has been really helpful, is in macOS specific malware and remote access tools." [57:28]
- On broad adoption:
"99.99% of all enterprise security environments … have some sort of Mac presence. We want to give security teams the ability to normalize that data, to have the same level of visibility." [48:57]
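To make the "normalize macOS telemetry, then apply Sigma rules" idea concrete, here is an added example (not Nebuloc's Core Sigma code) of a minimal Sigma-style matcher run over constructed, already-normalized macOS events for two of the detections mentioned above. The event field names (event_type, signal, target_image, kext_signed) and the rule contents are assumptions made for illustration, not Core Sigma's real schema.

```python
from typing import Any

# Two constructed rules in Sigma's selection/condition shape. Field names
# (event_type, signal, target_image, kext_signed) are assumptions, not Core Sigma's schema.
RULES = [
    {"title": "SIGKILL sent to security tooling",
     "detection": {
         "sig": {"event_type": "signal", "signal": 9},
         "target": {"target_image|endswith": ["/edr-agent", "/osqueryd", "/XProtect"]},
         "condition": "sig and target"}},
    {"title": "Unsigned kernel extension loaded",
     "detection": {
         "load": {"event_type": "kext_load"},
         "signed": {"kext_signed": True},
         "condition": "load and not signed"}},
]
# Constructed sample telemetry, already normalized into flat dicts.
EVENTS = [
    {"id": 1, "event_type": "signal", "signal": 9, "target_image": "/Library/edr-agent", "pid": 4101},
    {"id": 2, "event_type": "signal", "signal": 15, "target_image": "/Library/edr-agent", "pid": 4102},
    {"id": 3, "event_type": "signal", "signal": 9, "target_image": "/usr/bin/top", "pid": 4103},
    {"id": 4, "event_type": "kext_load", "kext_signed": False, "kext_path": "/tmp/evil.kext"},
    {"id": 5, "event_type": "kext_load", "kext_signed": True, "kext_path": "/System/Library/Extensions/apfs.kext"},
]

def field_matches(event: dict, key: str, want: Any) -> bool:
    """One Sigma field test: a list value means any-of; '|endswith' and '|contains' are modifiers."""
    name, _, mod = key.partition("|")
    have, wants = event.get(name), want if isinstance(want, list) else [want]
    if mod in ("endswith", "contains"):
        if not isinstance(have, str):
            return False
        return any(have.endswith(w) if mod == "endswith" else w in have for w in wants)
    return have in wants

def selection_matches(event: dict, selection: dict) -> bool:
    """Fields inside one selection block are ANDed, as in Sigma."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate a condition of the form 'a and b and not c' (a subset of Sigma's grammar)."""
    det = rule["detection"]
    return all(selection_matches(event, det[t.removeprefix("not ")]) != t.startswith("not ")
               for t in det["condition"].split(" and "))

def hunt(events: list, rules: list) -> list:
    """Return (rule title, event id) for every event that fires a rule."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(e, r)]

if __name__ == "__main__":
    for title, eid in hunt(EVENTS, RULES):
        print(f"{title}: event {eid}")
```

Only the SIGKILL against the EDR agent (event 1) and the unsigned kext load (event 4) fire; the SIGTERM, the kill of an ordinary process and the signed Apple kext are correctly ignored.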
Memorable Moments & Quotes
- "Anything that means you are less likely to leave tokens lying around … absolutely improves the resilience of the ecosystem." — Adam Boileau [13:23]
- "If you publish information, you can't get mad that people read it." — Patrick Gray [26:27]
- "If you will give your money to a cryptocurrency exchange, you kind of expect it to end up in North Korea's nuclear weapons program anyway." — Adam Boileau [40:27]
- "Browser extensions don't make me feel good." — Adam Boileau [19:57]
- "This guy deserves everything he gets, not only for being a catfishing creep, but also for being a massive dumbass." — Patrick Gray [43:27]
Suggested Listening by Topic
- Software Failures & Supply Chain: [01:41–13:44]
- Malicious Extensions (VS Code/Browsers): [13:44–19:57]
- Teenage Hackers & OPSEC: [20:17–23:42]
- Fortinet/Microsoft Patching: [29:29–37:00]
- Crypto Crime & South Korea Data Breaches: [37:00–42:25]
- Sponsor Interview—AI Vibe Hunting & Mac Sigma: [46:57–60:23]
Overall Tone
Candid, witty, and skeptical, with Patrick and Adam offering both technical depth and security-industry side-eye. They mix insightful critique, dark humor, and practical takeaways, making even the worst of security news palatable.
For references and further reading, check out the show notes at Risky Business.
