The Defensive Line Podcast

The Defensive Line Weekly Podcast 021

The Defensive Line Weekly podcast is the audio version of our weekly Defensive Line Substack intelligence summary — the same curated briefing for blue teamers and security leaders, in a format you can listen to on the move. This week: A self-spreading supply chain worm hits npm, PyPI and GitHub; AI turns up as both an attacker’s tool and an attack surface; and a five-month email espionage campaign against a stock-exchange executive. Supply chain worm (Miasma / Shai-Hulud) * Microsoft [https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/] * Socket [https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave] * The Hacker News [https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html] * Dark Reading — IronWorm [https://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain] (further reading) AI on both sides — Meta AI support bot & EDR evasion * KrebsOnSecurity [https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/] * Check Point [https://blog.checkpoint.com/ai-security/the-meta-ai-account-recovery-incident-wasnt-just-a-chatbot-problem/] * Sophos [https://www.sophos.com/en-us/blog/pointing-a-cursor-at-evading-detection] * Dark Reading [https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing] Five-month email espionage * Symantec Threat Hunter Team [https://www.security.com/threat-intelligence/stock-exchange-espionage] * Dark Reading [https://www.darkreading.com/cyberattacks-data-breaches/global-stock-exchange-hit-monthslong-email-campaign] Honourable mentions * Google Gemini voice assistant — Dark Reading [https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users] * Claude Code GitHub Action — Microsoft [https://www.microsoft.com/en-us/security/blog/2026/06/05/securing-ci-cd-in-agentic-world-claude-code-github-action-case/] * FFmpeg — 21 vulnerabilities — The Hacker News [https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html] * Palo Alto Networks PAN-OS — Unit 42 [https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/] * Palo Alto Networks advisory [https://security.paloaltonetworks.com/CVE-2026-0257] * SolarWinds Serv-U — The Hacker News [https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

The Defensive Line Weekly Podcast 020

Gogs unpatched remote code execution * Rapid7 [https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/] * BleepingComputer [https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution/] * SecurityWeek [https://www.securityweek.com/gogs-zero-day-exposes-servers-to-remote-code-execution/] ShinyHunters: Charter and Carnival * BleepingComputer — Charter [https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/] * BleepingComputer — Carnival [https://www.bleepingcomputer.com/news/security/carnival-cruise-confirms-data-breach-affecting-nearly-6-million-people/] * The Record [https://therecord.media/cruise-giant-carnival-confirms-data-breach] * Carnival Corporation notice [https://www.carnivalcorp.com/wp-content/uploads/2026/05/Website-Notice-Substitute-Notice-05.27.26.pdf] FBI warning: Silent Ransom Group * FBI IC3 Advisory [https://www.ic3.gov/CSA/2026/260526.pdf] * The Record [https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data] * SecurityWeek [https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/] * CyberScoop [https://cyberscoop.com/fbi-warning-silent-ransom-group-law-firms/] Honourable mentions * Palo Alto GlobalProtect: Rapid7 [https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/], Palo Alto Networks advisory [https://security.paloaltonetworks.com/CVE-2026-0257], CISA KEV [https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-0257] * ChatGPT share links: Push Security [https://pushsecurity.com/blog/llmshare-malvertising-campaign], BleepingComputer [https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/] * GREYVIBE: WithSecure Labs [https://labs.withsecure.com/publications/greyvibe], The Hacker News [https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html] * npm supply chain: Microsoft Security Blog [https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

The Defensive Line Weekly Podcast 019

Story 1: Developer Supply Chains Under Sustained Assault * OX Security — TeamPCP / GitHub breach [https://www.ox.security/blog/teampcp-strikes-again-how-a-trojan-vs-code-extension-brought-down-github/] * StepSecurity — Nx Console VS Code extension [https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised] * GitHub Security Blog — Investigating unauthorised access [https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/] * SafeDep — Megalodon mass GitHub repo backdooring [https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows] * StepSecurity — Megalodon CI/CD secrets exfiltration [https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories] * Aikido Security — Laravel-Lang supply chain attack [https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer] * Snyk — Laravel-Lang supply chain advisory [https://snyk.io/blog/laravel-lang-supply-chain-advisory/] * The Hacker News — Packagist supply chain attack [https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html] * Socket — TrapDoor cross-ecosystem campaign [https://socket.dev/blog/trapdoor-crypto-stealer-supply-chain-attack] Story 2: Kali365 — FBI Warns of oh-auth Token Theft Platform * FBI IC3 Public Service Announcement [https://www.ic3.gov/PSA/2026/PSA260521] * Arctic Wolf — Kali365 token and session theft [https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/] * The Record — FBI warns of Kali365 [https://therecord.media/fbi-warns-of-kali365-phishing-attacks] * Microsoft — Protect against consent phishing [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/protect-against-consent-phishing] * Microsoft — Configure user consent [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent] * Microsoft — Block device-code flow with Conditional Access [https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows] Story 3: A Zombie Account Hands Over the Water Supply * The Register — Zombie user account let hackers control the city’s water [https://www.theregister.com/security/2026/05/21/zombie-user-account-let-hackers-control-the-citys-water/5243724] Honourable Mentions * Check Point Research — Nimbus Manticore operations during the Iranian conflict [https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/] * Microsoft Security Blog — Fox Tempest malware-signing service [https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/] * Malwarebytes — NYC Health + Hospitals breach [https://www.malwarebytes.com/blog/news/2026/05/biometrics-diagnoses-and-bank-details-exposed-in-major-healthcare-breach] * Aikido Security — Google API key 23-minute deletion window [https://www.aikido.dev/blog/vs-code-extension-github-breach] * MSRC — Microsoft Defender CVE-2026-41091 [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091] * Dark Reading — Microsoft Exchange OWA zero-day [https://www.darkreading.com/application-security/microsoft-exchange-zero-day-under-attack-no-patch-available] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

The Defensive Line Weekly Podcast 018

The Defensive Line Weekly is a weekly intelligence briefing for blue teamers and security leaders — the stories that matter most, with clear implications and practical defensive actions. This podcast is the audio version of the weekly Defensive Line Substack newsletter, bringing the same curated analysis to your ears. Voices are AI generated, but the analysis and script is human curated. Topic 1: South Staffordshire Water — 22 Months Undetected * ICO enforcement notice [https://ico.org.uk/action-weve-taken/enforcement/2026/05/south-staffordshire-plc-and-south-staffordshire-water-plc/] * The Record [https://therecord.media/uk-water-company-had-hackers-lurking-for-years] * BleepingComputer [https://www.bleepingcomputer.com/news/security/uk-fines-water-supplier-13m-for-exposing-data-of-664k-customers/] * Help Net Security [https://www.helpnetsecurity.com/2026/05/11/ico-south-staffordshire-cyberattack-fine/] * Computer Weekly [https://www.computerweekly.com/news/366642957/ICO-fines-Cl0p-victim-South-Staffs-Water-over-data-breach] Topic 2: BlackFile — Vishing and Real-Time AitM * Google Threat Intelligence Group (GTIG) [https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/] * Push Security [https://pushsecurity.com/blog/inside-criminal-phishing-panel] Topic 3: Mini Shai-Hulud — npm Supply Chain Worm * TanStack postmortem [https://tanstack.com/blog/npm-supply-chain-compromise-postmortem] * OpenAI disclosure [https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/] * StepSecurity (TanStack) [https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem] * Socket (TanStack) [https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack] * StepSecurity (node-ipc) [https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack] * The Record [https://therecord.media/openai-asks-macos-users-to-update-after-tanstack-npm-supply-chain-attack] * The Hacker News (TanStack) [https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html] * The Hacker News (node-ipc) [https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html] Honourable Mentions * Cisco Security Advisory CVE-2026-20182 [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW] * Rapid7 (Cisco SD-WAN) [https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/] * Cisco Talos (SD-WAN exploitation) [https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/] * Microsoft Security — Kazuar/Secret Blizzard [https://www.microsoft.com/en-us/security/blog/] Subscribe to The Defensive Line on Substack [https://thedefensiveline.substack.com] for the full weekly written edition. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

The Defensive Line Weekly Podcast 017

The Defensive Line Weekly is a weekly intelligence briefing for blue teamers and security leaders — the stories that matter most, with clear implications and practical defensive actions. This podcast is the audio version of the weekly Defensive Line Substack newsletter, bringing the same curated analysis to your ears. Voices are AI generated, but the analysis and script is human curated. ShinyHunters / Canvas Breach * Bitdefender Technical Advisory [https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms] * Instructure Incident Update [https://www.instructure.com/incident_update] * Krebs on Security [https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/] * Push Security analysis [https://pushsecurity.com/blog/analyzing-the-instructure-breach] * Halcyon [https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure] * PCMag [https://www.pcmag.com/news/canvas-restored-after-hack-breach-traced-to-free-for-teacher-accounts] PAN-OS CVE-2026-0300 * Palo Alto Networks Security Advisory [https://security.paloaltonetworks.com/CVE-2026-0300] * Unit 42 Threat Brief [https://unit42.paloaltonetworks.com/captive-portal-zero-day/] * Rapid7 [https://www.rapid7.com/blog/post/etr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300/] * BleepingComputer [https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/] * Canadian Centre for Cyber Security [https://www.cyber.gc.ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-425] Vibe-Coded Apps Leaking Corporate Data * Wired — RedAccess Research [https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/] * Axios [https://www.axios.com/2026/05/07/loveable-replit-vibe-coding-privacy] * PCMag [https://www.pcmag.com/news/vibe-coding-is-causing-thousands-of-data-security-vulnerabilities-says] Honourable Mentions cPanel Escalation * The Hacker News [https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html] * SecurityWeek [https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/] * watchTowr Labs [https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/] Dirty Frag Linux LPE Zero-Day * BleepingComputer [https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/] Supply Chain Infostealer Cluster * Netskope Threat Labs — OpenClaw/Hologram [https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer] * BleepingComputer — JDownloader [https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/] * BleepingComputer — Fake OpenAI/Hugging Face [https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/] Ivanti EPMM Zero-Day * Ivanti Advisory [https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs] This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]