
CyberWire Daily
Podcast by N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
All episodes
3365 episodes
International law enforcement takes down a darknet drug marketplace. The Washington Post is investigating a cyberattack targeting several journalists' email accounts. Anubis ransomware adds destructive capabilities. The GrayAlpha threat group uses fake browser update pages to deliver advanced malware. Researchers uncover a stealthy malware campaign that hides a malicious payload in a JPEG image. Tenable patches three high-severity vulnerabilities in Nessus Agent. Attackers can disable Secure Boot on many Windows devices by exploiting a firmware flaw. Lawmakers introduce a bipartisan bill to strengthen coordination between CISA and HHS. Harry Coker reflects on his tenure as National Cyber Director. Maria Varmazis checks in with Brandon Karpf on agentic AI. When online chatbots overshare, it’s no laughing Meta.
CyberWire Guest
Joining us today to discuss Agentic AI and how it relates to cybersecurity and space with T-Minus Space Daily host Maria Varmazis is Brandon Karpf [https://www.linkedin.com/in/brandon-karpf/], friend of the show, founder of T-Minus Space Daily [https://space.n2k.com/podcasts/t-minus], and cybersecurity expert.
Selected Reading
* Police seizes Archetyp Market drug marketplace, arrests admin [https://www.bleepingcomputer.com/news/security/police-seizes-archetyp-market-drug-marketplace-arrests-admin/] (Bleeping Computer)
* Washington Post investigating cyberattack on journalists' email accounts, source says [https://www.reuters.com/world/us/washington-post-investigating-cyberattack-journalists-wsj-reports-2025-06-15/] (Reuters)
* Anubis Ransomware Packs a Wiper to Permanently Delete Files [https://www.securityweek.com/anubis-ransomware-packs-a-wiper-to-permanently-delete-files/] (SecurityWeek)
* GrayAlpha Hacker Group Weaponizes Browser Updates to Deploy PowerNet Loader and NetSupport RAT [https://cybersecuritynews.com/grayalpha-hacker-group-weaponizes-browser-updates/] (Cyber Security News)
* Malicious Payload Uncovered in JPEG Image Using Steganography and Base64 Obfuscation [https://cybersecuritynews.com/malicious-payload-uncovered-in-jpeg-image-using-steganography/] (Cyber Security News)
* Tenable Fixes Three High-Severity Flaws in Vulnerability Scanner Nessus [https://www.infosecurity-magazine.com/news/tenable-fixes-flaws-nessus/] (Infosecurity Magazine)
* Microsoft-Signed Firmware Module Bypasses Secure Boot [https://www.govinfosecurity.com/microsoft-signed-firmware-module-bypasses-secure-boot-a-28703] (Gov Infosecurity)
* Bipartisan bill aims to create CISA-HHS liaison for hospital cyberattacks [https://therecord.media/bill-proposes-cisa-hhs-liaison-hospital-cyberattacks] (The Record)
* Coker: We can’t have economic prosperity or national security without cybersecurity [https://therecord.media/coker-interview-no-economic-security-without-cybersecurity] (The Record)
* The Meta AI app is a privacy disaster [https://techcrunch.com/2025/06/12/the-meta-ai-app-is-a-privacy-disaster/] (TechCrunch)
Audience Survey
Complete our annual audience survey [https://www.surveymonkey.com/r/JDV3B73] before August 31.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit [https://docsend.com/view/5ncb2vvpz2ntg95q]. Contact us at cyberwire@n2k.com [cyberwire@n2k.com] to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices [https://megaphone.fm/adchoices]
![episode Mark Nunnikhoven: Providing clarity about security. [Cloud strategy] artwork](https://cdn.podimo.com/images/2bbe3297-4897-41c3-9c01-c20eabc84dc7_400x400.png)
Please enjoy this encore of Career Notes. Distinguished Cloud Strategist at Lacework, Mark Nunnikhoven, has gone from taking technology to its limits for his own understanding to providing clarity about security for others. Mark fell in love with his Commodore 128 and once he realized he could bend the machine to his will, it set him on the path to technology. While he had some bumps in the road, dropping out of high school and not following the traditional path in college, Mark did complete his master's in information security. His professional life took him from Canadian public service to the private sector where Mark noted the culture shift was an eye-opening experience. Mark always looks to learn something new and share that with others, and that is evidenced as he includes teaching as a facet of his career. We thank Mark for sharing his story with us.

This week, Dave is joined by Ziv Karliner [https://www.linkedin.com/in/zivk/], Pillar Security [https://www.pillar.security/]’s Co-Founder and CTO, sharing details on their work on "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents." Vibe Coding - where developers use AI assistants like GitHub Copilot and Cursor to generate code almost instantly - has become central to how enterprises build software today. But while it’s turbo-charging development, it’s also introducing new and largely unseen cyber threats. The team at Pillar Security identified a novel attack vector, the "Rules File Backdoor" [https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents], which allows attackers to manipulate these platforms into generating malicious code. It represents a new class of supply chain attacks that weaponizes AI itself, where the malicious code suggestions blend seamlessly with legitimate ones, bypassing human review and security tools.
The research can be found here:
* New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents [https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents]

Cloudflare says yesterday’s widespread outage was not caused by a cyberattack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing Microsoft 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed “JSFireTruck.” Trend Micro and Mitel patch multiple high-severity vulnerabilities. CISA issues multiple advisories. My Hacking Humans cohost Joe Carrigan joins us to discuss linkless recruiting scams. Uncle Sam wants an AI chatbot.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing [https://thecyberwire.com/newsletters/daily-briefing], and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn [https://www.linkedin.com/company/10454826/admin/feed/posts/].
CyberWire Guest
Today, we are joined by Joe Carrigan [https://www.linkedin.com/in/joecarrigan/], one of Dave’s Hacking Humans [https://thecyberwire.com/podcasts/hacking-humans] co-hosts, to talk about linkless recruiting scams. You can learn more in this article from The Record: FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters [https://therecord.media/fin6-recruitment-scam-malware-campaign]. Tune in to Hacking Humans each Thursday on your favorite podcast app to hear the latest on the social engineering scams that are making the headlines from Joe, Dave and their co-host Maria Varmazis.
Selected Reading
* Cloudflare: Outage not caused by security incident, data is safe [https://www.bleepingcomputer.com/news/security/cloudflare-outage-not-caused-by-security-incident-data-is-safe/] (Bleeping Computer)
* Predator Mobile Spyware Remains Consistent with New Design Changes to Evade Detection [https://cybersecuritynews.com/predator-mobile-spyware-remains-consistent/] (Cyber Security News)
* Microsoft confirms auth issues affecting Microsoft 365 users [https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-auth-issues-affecting-microsoft-365-users/] (Bleeping Computer)
* TeamFiltration Abused in Entra ID Account Takeover Campaign [https://www.securityweek.com/teamfiltration-abused-in-entra-id-account-takeover-campaign/] (SecurityWeek)
* 270K websites injected with ‘JSF-ck’ obfuscated code [https://www.scworld.com/news/270k-websites-injected-with-jsf-ck-obfuscated-code] (SC Media)
* Palo Alto Networks Patches Series of Vulnerabilities [https://www.infosecurity-magazine.com/news/palo-alto-networks-patches-series/] (Infosecurity Magazine)
* SimpleHelp Vulnerability Exploited Against Utility Billing Software Users [https://www.securityweek.com/simplehelp-vulnerability-exploited-against-utility-billing-software-users/] (SecurityWeek)
* Trend Micro fixes critical vulnerabilities in multiple products [https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critical-flaws-on-apex-central-endpoint-encryption-policyserver/] (Bleeping Computer)
* Critical Vulnerability Exposes Many Mitel MiCollab Instances to Remote Hacking [https://www.securityweek.com/critical-vulnerability-exposes-many-mitel-micollab-instances-to-remote-hacking/] (SecurityWeek)
* CISA Releases Ten Industrial Control Systems Advisories [https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-industrial-control-systems-advisories] (CISA)
* Trump team leaks AI plans in public GitHub repository [https://www.theregister.com/2025/06/10/trump_admin_leak_government_ai_plans/] (The Register)

Interpol’s Operation Secure dismantles a major cybercrime network, and Singapore takes down scam centers. GitLab patches multiple vulnerabilities in its DevSecOps platform. Researchers unveil a covert method for exfiltrating data using smartwatches. EchoLeak allows for data exfiltration from Microsoft Copilot. Journalists are confirmed targets of Paragon’s Graphite spyware. France calls for comments on tracking pixels. Fog ransomware operators deploy an unusual mix of tools. Skeleton Spider targets recruiters by posing as job seekers on LinkedIn and Indeed. Erie Insurance suffers ongoing outages following a cyberattack. Our N2K Lead Analyst Ethan Cook shares insights on Trump’s antitrust policies. DNS neglect leads to AI subdomain exploits.
CyberWire Guest
Today, we share a selection from today’s Caveat [https://thecyberwire.com/podcasts/caveat] podcast where Dave Bittner and Ben Yelin are joined by N2K’s Lead Analyst, Ethan Cook, to take a Policy Deep Dive into “The art of the breakup: Trump’s antitrust surge.” You can listen to the full episode here [https://thecyberwire.com/podcasts/caveat/265/notes] and find new episodes of Caveat in your favorite podcast app each Thursday.
Selected Reading
* Interpol takes down 20,000 malicious IPs and domains [https://cnews.link/interpol-takes-down-20000-malicious-ips-and-domains-2/] (Cybernews)
* Singapore leads multinational operation to shutter scam centers tied to $225 million in thefts [https://therecord.media/asia-scam-center-takedowns-singapore-police] (The Record)
* GitLab patches high severity account takeover, missing auth issues [https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/] (Bleeping Computer)
* SmartAttack uses smartwatches to steal data from air-gapped systems [https://www.bleepingcomputer.com/news/security/smartattack-uses-smartwatches-to-steal-data-from-air-gapped-systems/] (Bleeping Computer)
* Critical vulnerability in Microsoft 365 Copilot AI called EchoLeak enabled data exfiltration [https://beyondmachines.net/event_details/critical-vulnerability-in-microsoft-365-copilot-ai-called-echoleak-enabled-data-exfiltration-9-w-s-e-v/gD2P6Ple2L] (Beyond Machines)
* Researchers confirm two journalists were hacked with Paragon spyware [https://techcrunch.com/2025/06/12/researchers-confirm-two-journalists-were-hacked-with-paragon-spyware/] (TechCrunch)
* Tracking pixels: CNIL launches public consultation on its draft recommendation [https://www.cnil.fr/fr/consultation-publique-projet-recommandation-pixels-de-suivi] (CNIL)
* Fog ransomware attack uses unusual mix of legitimate and open-source tools [https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-unusual-mix-of-legitimate-and-open-source-tools/] (Bleeping Computer)
* FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters [https://therecord.media/fin6-recruitment-scam-malware-campaign] (The Record)
* Erie Insurance confirms cyberattack behind business disruptions [https://www.bleepingcomputer.com/news/security/erie-insurance-confirms-cyberattack-behind-business-disruptions/] (Bleeping Computer)
* Why Was Nvidia Hosting Blogs About 'Brazilian Facesitting Fart Games'? [https://www.404media.co/spam-blogs-ai-slop-domains-wowlazy/] (404 Media)
* Secure your public DNS presence from subdomain takeovers and dangling DNS exploits [https://www.silentpush.com/blog/subdomain-takeovers-and-dangling-dns-exploits/] (Silent Push)