
Everything old is new again.
22-12-2025 | 31 Min.
NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network. A failed polygraph sparks a DHS probe and deepens turmoil at CISA. A look back at Trump’s cyber policy shifts. MacSync Stealer adopts a stealthy new delivery method. Researchers warn a popular open-source server monitoring tool is being abused. Cyber criminals are increasingly bypassing technical defenses by recruiting insiders. Scripted Sparrow sends millions of BEC emails each month. Federal prosecutors take down a global fake ID marketplace. Monday business brief. Our guest is Eric Woodruff, Chief Identity Architect at Semperis, discussing "NoAuth Abuse Alert: Full Account Takeover." Atomic precision meets Colorado weather.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today on our Industry Voices, we are joined by Eric Woodruff, Chief Identity Architect at Semperis, discussing "NoAuth Abuse Alert: Full Account Takeover." Tune into the full conversation here.
Selected Reading
Starlink in the crosshairs: How Russia could attack Elon Musk's conquering of space (AP News)
Project West Ford (Wikipedia)
Acting CISA director failed a polygraph. Career staff are now under investigation (POLITICO)
Dismantling Defenses: Trump 2.0 Cyber Year in Review (Krebs on Security)
MacSync macOS Malware Distributed via Signed Swift Application (SecurityWeek)
From ClickFix to code signed: the quiet shift of MacSync Stealer malware (Jamf)
Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan (Hackread)
Cyber Criminals Are Recruiting Insiders in Banks, Telecoms, and Tech (Check Point)
Scripted Sparrow Sends Millions of BEC Emails Each Month (Infosecurity Magazine)
FBI Seizes Fake ID Template Domains Operating from Bangladesh (Hackread)
Adaptive Security raises $81 million in a Series B round led by Bain Capital Ventures. (N2K Pro)
NIST tried to pull the pin on NTP servers after blackout caused atomic clock drift (The Register)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]
21-12-2025 | 8 Min.
Please enjoy this encore of Career Notes. Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path translating his childhood favorite Legos to civil engineering and pivoting to cybersecurity. Eric was always headed toward engineering and got both his bachelor's and master's degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bank robber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and collaboration is key as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.

The lies that let AI run amok. [Research Saturday]
20-12-2025 | 24 Min.
Darren Meyer, Security Research Advocate at Checkmarx, is sharing their work on "Bypassing AI Agent Defenses with Lies-in-the-Loop." Checkmarx Zero researchers introduce “lies-in-the-loop,” a new attack technique that bypasses human‑in‑the‑loop AI safety controls by deceiving users into approving dangerous actions that appear benign. Using examples with AI code assistants like Claude Code, the research shows how prompt injection and manipulated context can trick both the agent and the human reviewer into enabling remote code execution. The findings highlight a growing risk as AI agents become more common in developer workflows, underscoring the limits of human oversight as a standalone security control. The research can be found here: Bypassing AI Agent Defenses With Lies-In-The-Loop

Where encryption meets executive muscle.
19-12-2025 | 27 Min.
Trump signs the National Defense Authorization Act for 2026. Danish intelligence officials accuse Russia of orchestrating cyberattacks against critical infrastructure. LongNosedGoblin targets government institutions across Southeast Asia and Japan. A new Android botnet infects nearly two million devices. WatchGuard patches its Firebox firewalls. Amazon blocks more than 1,800 North Korean operatives from joining its workforce. CISA releases nine new Industrial Control Systems advisories. The U.S. Sentencing Commission seeks public input on deepfakes. Prosecutors indict 54 in a large-scale ATM jackpotting conspiracy. Our guest is Nitay Milner, CEO of Orion Security, discussing the issue with data leaking into AI tools, and how CISOs must prioritize DLP. Riot Games finds cheaters hiding in the BIOS.
CyberWire Guest
Nitay Milner, CEO of Orion Security, discusses the issue with data leaking into AI tools, and how CISOs must prioritize DLP.
Selected Reading
Trump signs defense bill allocating millions for Cyber Command, mandating Pentagon phone security (The Record)
Denmark blames Russia for destructive cyberattack on water utility (Bleeping Computer)
New China-linked hacker group spies on governments in Southeast Asia, Japan (The Record)
'Kimwolf' Android Botnet Ensnares 1.8 Million Devices (SecurityWeek)
New critical WatchGuard Firebox firewall flaw exploited in attacks (Bleeping Computer)
Amazon blocked 1,800 suspected DPRK job applicants (The Register)
CISA Releases Nine Industrial Control Systems Advisories (CISA.gov)
U.S. Sentencing Commission seeks input on criminal penalties for deepfakes (CyberScoop)
US Charges 54 in Massive ATM Jackpotting Conspiracy (Infosecurity Magazine)
Riot Games found a motherboard security flaw that helps PC cheaters (The Verge)

OneView gives attackers the full tour.
18-12-2025 | 26 Min.
Hewlett Packard Enterprise patches a maximum-severity vulnerability in its OneView infrastructure management software. Cisco warns a critical zero-day is under active exploitation. An emergency Chrome update fixes two high-severity vulnerabilities. French authorities make multiple arrests. US authorities dismantle an unlicensed crypto exchange accused of money laundering. SonicWall highlights an exploited zero-day. Researchers earn $320,000 for demonstrating critical remote code execution flaws in cloud infrastructure components. A U.S. Senator urges electronic health record vendors to give patients greater control over who can access their medical data. Our guest is Larry Zorio, CISO from Mark43, discussing first responders and insider cyber risks. A right-to-repair group puts cash on the table.
CyberWire Guest
Today we are joined by Larry Zorio, CISO from Mark43, to discuss first responders sounding the alarm on insider cyber risks. To see the full report, check it out here.
Selected Reading
HPE warns of maximum severity RCE flaw in OneView software (Bleeping Computer)
China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear (SecurityWeek)
Google Chrome patches two high severity vulnerabilities in emergency update (Beyond Machines)
France arrests 22-year-old over Interior Ministry hack (The Record)
France arrests Latvian for installing malware on Italian ferry (Bleeping Computer)
FBI dismantles alleged $70M crypto laundering operation (The Register)
SonicWall Patches Exploited SMA 1000 Zero-Day (SecurityWeek)
Zeroday Cloud hacking event awards $320,0000 for 11 zero days (Bleeping Computer)
Senator Presses EHR Vendors on Patient Privacy Controls (Govinfosecurity)
A nonprofit is paying hackers to unlock devices companies have abandoned (TechSpot)



CyberWire Daily