The Defensive Line Podcast

The Defensive Line Podcast

The Defensive Line Weekly Podcast 016

16 min · 6. maj 2026

episode The Defensive Line Weekly Podcast 016 cover

Description

The Defensive Line Weekly is a podcast version of our weekly Substack intelligence summary — the security stories that matter most for blue teamers and security leaders, with clear implications and practical defensive actions. AI voices are used, but the content is human curated and written with the support of AI. Topic 1: Helpdesk Impersonation Continues to Succeed * CrowdStrike — Cordial Spider adversary profile [https://www.crowdstrike.com/en-us/adversaries/cordial-spider/] * CrowdStrike — Snarky Spider adversary profile [https://www.crowdstrike.com/en-us/adversaries/snarky-spider/] * Google / Mandiant GTIG — Expansion of ShinyHunters SaaS data theft [https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft] * Unit 42 / RH-ISAC — Extortion in the enterprise: defending against BlackFile attacks [https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/] * CyberScoop — CrowdStrike names Cordial Spider and Snarky Spider [https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/] Topic 2: cPanel & WHM and CopyFail cPanel / WHM CVE-2026-41940 * watchTowr Labs — cPanel WHM authentication bypass [https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/] * cPanel vendor advisory — 28 April 2026 [https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026] * Censys — The cPanel situation [https://censys.com/blog/the-cpanel-situation-is/] * Help Net Security — cPanel zero-day exploited [https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/] * Rapid7 — CVE-2026-41940 ETR [https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/] CopyFail CVE-2026-31431 * Wiz Research — CopyFail Linux privilege escalation [https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability] * Ubuntu security advisory [https://ubuntu.com/security/CVE-2026-31431] * AlmaLinux blog [https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/] * Red Hat CVE advisory [https://access.redhat.com/security/cve/cve-2026-31431] * Microsoft Security Blog — CopyFail cloud and Kubernetes impact [https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/] * CERT-EU SA 2026-005 [https://cert.europa.eu/publications/security-advisories/2026-005/] Topic 3: Three Supply Chain Attacks in One Week * SentinelOne — Week 18 supply chain roundup [https://blog.sentinelone.com/the-good-the-bad-and-the-ugly-in-cybersecurity-week-18/] * Aikido Security — PyTorch Lightning PyPI compromise [https://www.aikido.dev/blog/pytorch-lightning-pypi-compromise-mini-shai-hulud] * Socket — PyTorch Lightning compromised [https://socket.dev/blog/lightning-pypi-package-compromised] * The Hacker News — Poisoned Ruby gems and Go modules [https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html] * The Hacker News — PyTorch Lightning supply chain [https://thehackernews.com/2026/04/pylib-poisoned-supply-chain.html] * The Register — SAP npm supply chain [https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm/] Honourable Mentions * TRM Labs — North Korea 2026 crypto theft [https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks] * Arctic Wolf — BlueNoroff ClickFix and AI-generated Zoom lures [https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/] * NCSC — AI-driven patch wave warning [https://www.ncsc.gov.uk/] * Fortinet PSIRT FG-IR-26-100 [https://fortiguard.fortinet.com/psirt/FG-IR-26-100] * Fortinet PSIRT FG-IR-26-112 [https://fortiguard.fortinet.com/psirt/FG-IR-26-112] * The Register — Gemini CLI critical RCE [https://www.theregister.com/2026/04/30/gemini_cli_critical_rce/] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

Comments

0

Be the first to comment

Sign up now and become a member of the The Defensive Line Podcast community!

All episodes

24 episodes

The Defensive Line Weekly Podcast 023

The Defensive Line Weekly podcast is the audio version of the weekly Defensive Line Substack intelligence summary. Written by humans but read by AI. It turns the week’s key cyber stories into a practical conversation between Carter and Lizzie. FortiBleed and edge credential exposure * CISA — CISA urges hardening Fortinet devices after reports of credential exposure [https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure] * NCSC — Advice following global targeting of Fortinet firewalls and VPN gateways [https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways] * The Hacker News — CISA warns Fortinet customers as compromised credentials leak [https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html] Klue, OAuth tokens and SaaS integration risk * Huntress — Klue breach investigation [https://www.huntress.com/blog/klue-breach-investigation] * Klue — Update on recent Klue security incident [https://klue.com/blog/an-update-on-recent-klue-security-incident] * The Hacker News — Salesforce disables Klue app [https://thehackernews.com/2026/06/salesforce-disables-klue-app.html] * BleepingComputer — Klue OAuth breach linked to Icarus Salesforce data theft attacks [https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/] Mastra, AutoJack and trusted tooling * Microsoft Threat Intelligence — Postinstall payload inside Mastra npm supply chain compromise [https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/] * Microsoft Defender Security Research — AutoJack: single-page RCE on host running AI agent [https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/] * BleepingComputer — Microsoft links Mastra AI supply-chain attack to North Korean hackers [https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/] * The Hacker News — 144 Mastra npm packages compromised [https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html] * The Hacker News — AutoJack attack lets one web page execute code [https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html] * BleepingComputer — Microsoft fixes AutoGen Studio flaw [https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/] Honourable mentions * ESET Research — Killing me gently: inside Gentlemen’s EDR killer framework [https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/] * The Hacker News — F5 patches two critical NGINX Open Source flaws [https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html] * The Hacker News — Hackers exploit Gravity SMTP WordPress plugin [https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html] * Dark Reading — Novo Nordisk breach exposes dev pipeline risk [https://www.darkreading.com/cyber-risk/novo-nordisk-breach-exposes-dev-pipeline-risk] * The Hacker News — Operation Endgame disrupts SocGholish [https://thehackernews.com/2026/06/operation-endgame-disrupts-socgholish.html] * The Hacker News — AryStinger malware infects legacy D-Link routers [https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

Yesterday12 min

The Defensive Line Weekly Podcast 022

The Defensive Line Weekly podcast is the audio version of the weekly Defensive Line Substack intelligence summary — the same curated briefing for blue teamers and security leaders, in a format you can listen to on the move. This week: PeopleSoft zero-day hits universities; AUR packages hijacked; AI agents turn ordinary inputs into code paths. ShinyHunters / Oracle PeopleSoft Oracle Security Alert [https://www.oracle.com/security-alerts/alert-cve-2026-35273.html] Google Cloud / Mandiant [https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/] Rapid7 [https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-20273/] Dark Reading [https://www.darkreading.com/vulnerabilities-threats/shinyhunters-oracle-zero-day-higher-ed] The Record [https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters] Software supply chain — Arch AUR and npm The Hacker News — Arch AUR [https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html] The Hacker News — GitHub / npm [https://thehackernews.com/2026/06/github-to-disable-npm-install-scripts.html] AI agents as attack surface Check Point Research — LangGraph [https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/] Field Effect — Langflow [https://fieldeffect.com/blog/langflow-flaw-active-exploitation-no-patch] The Hacker News — Agentjacking [https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html] The Hacker News — OpenClaw [https://thehackernews.com/2026/06/new-attacks-trick-openclaw-ai-agent.html] Honourable mentions The Hacker News — The Gentlemen ransomware [https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html] PRODAFT — Inside the Phantom Mantis Operation [https://catalyst.prodaft.com/public/report/inside-the-phantom-mantis-operation/overview] The Hacker News — Velvet Ant [https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html] Sekoia — APT28 [https://blog.sekoia.io/apt28-an-evolution-of-tradecraft/] Splunk Advisory [https://advisory.splunk.com/advisories/SVD-2026-0603] Ivanti Security Advisory [https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US] The Record — Great Marlow School [https://therecord.media/british-school-sends-students-home-cyberattack] The Register — Plymouth City Council [https://www.theregister.com/security/2026/06/12/plymouth-council-exposes-hundreds-in-latest-local-government-email-gaffe/5254707] The Register — Novo Nordisk [https://www.theregister.com/security/2026/06/12/novo-nordisk-says-hackers-stole-clinical-trial-data/5254812] The Hacker News — Google smishing lawsuit [https://thehackernews.com/2026/06/google-sues-chinese-smishing-network.html] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

17. juni 202612 min

The Defensive Line Weekly Podcast 021

The Defensive Line Weekly podcast is the audio version of our weekly Defensive Line Substack intelligence summary — the same curated briefing for blue teamers and security leaders, in a format you can listen to on the move. This week: A self-spreading supply chain worm hits npm, PyPI and GitHub; AI turns up as both an attacker’s tool and an attack surface; and a five-month email espionage campaign against a stock-exchange executive. Supply chain worm (Miasma / Shai-Hulud) * Microsoft [https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/] * Socket [https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave] * The Hacker News [https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html] * Dark Reading — IronWorm [https://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain] (further reading) AI on both sides — Meta AI support bot & EDR evasion * KrebsOnSecurity [https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/] * Check Point [https://blog.checkpoint.com/ai-security/the-meta-ai-account-recovery-incident-wasnt-just-a-chatbot-problem/] * Sophos [https://www.sophos.com/en-us/blog/pointing-a-cursor-at-evading-detection] * Dark Reading [https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing] Five-month email espionage * Symantec Threat Hunter Team [https://www.security.com/threat-intelligence/stock-exchange-espionage] * Dark Reading [https://www.darkreading.com/cyberattacks-data-breaches/global-stock-exchange-hit-monthslong-email-campaign] Honourable mentions * Google Gemini voice assistant — Dark Reading [https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users] * Claude Code GitHub Action — Microsoft [https://www.microsoft.com/en-us/security/blog/2026/06/05/securing-ci-cd-in-agentic-world-claude-code-github-action-case/] * FFmpeg — 21 vulnerabilities — The Hacker News [https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html] * Palo Alto Networks PAN-OS — Unit 42 [https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/] * Palo Alto Networks advisory [https://security.paloaltonetworks.com/CVE-2026-0257] * SolarWinds Serv-U — The Hacker News [https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

11. juni 202612 min

The Defensive Line Weekly Podcast 020

Gogs unpatched remote code execution * Rapid7 [https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/] * BleepingComputer [https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution/] * SecurityWeek [https://www.securityweek.com/gogs-zero-day-exposes-servers-to-remote-code-execution/] ShinyHunters: Charter and Carnival * BleepingComputer — Charter [https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/] * BleepingComputer — Carnival [https://www.bleepingcomputer.com/news/security/carnival-cruise-confirms-data-breach-affecting-nearly-6-million-people/] * The Record [https://therecord.media/cruise-giant-carnival-confirms-data-breach] * Carnival Corporation notice [https://www.carnivalcorp.com/wp-content/uploads/2026/05/Website-Notice-Substitute-Notice-05.27.26.pdf] FBI warning: Silent Ransom Group * FBI IC3 Advisory [https://www.ic3.gov/CSA/2026/260526.pdf] * The Record [https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data] * SecurityWeek [https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/] * CyberScoop [https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/] Honourable mentions * Palo Alto GlobalProtect: Rapid7 [https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/], Palo Alto Networks advisory [https://security.paloaltonetworks.com/CVE-2026-0257], CISA KEV [https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-0257] * ChatGPT share links: Push Security [https://pushsecurity.com/blog/llmshare-malvertising-campaign], BleepingComputer [https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/] * GREYVIBE: WithSecure Labs [https://labs.withsecure.com/publications/greyvibe], The Hacker News [https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html] * npm supply chain: Microsoft Security Blog [https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

3. juni 202610 min

The Defensive Line Weekly Podcast 019

Story 1: Developer Supply Chains Under Sustained Assault * OX Security — TeamPCP / GitHub breach [https://www.ox.security/blog/teampcp-strikes-again-how-a-trojan-vs-code-extension-brought-down-github/] * StepSecurity — Nx Console VS Code extension [https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised] * GitHub Security Blog — Investigating unauthorised access [https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/] * SafeDep — Megalodon mass GitHub repo backdooring [https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows] * StepSecurity — Megalodon CI/CD secrets exfiltration [https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories] * Aikido Security — Laravel-Lang supply chain attack [https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer] * Snyk — Laravel-Lang supply chain advisory [https://snyk.io/blog/laravel-lang-supply-chain-advisory/] * The Hacker News — Packagist supply chain attack [https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html] * Socket — TrapDoor cross-ecosystem campaign [https://socket.dev/blog/trapdoor-crypto-stealer-supply-chain-attack] Story 2: Kali365 — FBI Warns of oh-auth Token Theft Platform * FBI IC3 Public Service Announcement [https://www.ic3.gov/PSA/2026/PSA260521] * Arctic Wolf — Kali365 token and session theft [https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/] * The Record — FBI warns of Kali365 [https://therecord.media/fbi-warns-of-kali365-phishing-attacks] * Microsoft — Protect against consent phishing [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/protect-against-consent-phishing] * Microsoft — Configure user consent [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent] * Microsoft — Block device-code flow with Conditional Access [https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows] Story 3: A Zombie Account Hands Over the Water Supply * The Register — Zombie user account let hackers control the city’s water [https://www.theregister.com/security/2026/05/21/zombie-user-account-let-hackers-control-the-citys-water/5243724] Honourable Mentions * Check Point Research — Nimbus Manticore operations during the Iranian conflict [https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/] * Microsoft Security Blog — Fox Tempest malware-signing service [https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/] * Malwarebytes — NYC Health + Hospitals breach [https://www.malwarebytes.com/blog/news/2026/05/biometrics-diagnoses-and-bank-details-exposed-in-major-healthcare-breach] * Aikido Security — Google API key 23-minute deletion window [https://www.aikido.dev/blog/vs-code-extension-github-breach] * MSRC — Microsoft Defender CVE-2026-41091 [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091] * Dark Reading — Microsoft Exchange OWA zero-day [https://www.darkreading.com/application-security/microsoft-exchange-zero-day-under-attack-no-patch-available] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

27. maj 202615 min