The Defensive Line Podcast

Podcast by The Defensive Line

English

Technology and science

About The Defensive Line Podcast

The Defensive Line Weekly delivers actionable cybersecurity intelligence every week, translating the latest threats, vulnerabilities, and breaches into practical defensive advice for blue teamers. Subscribe for prioritised security recommendations that work for organisations of all sizes—curated and analysed by experienced security practitioners. thedefensiveline.substack.com

All episodes

19 episodes

The Defensive Line Weekly Podcast 018

The Defensive Line Weekly is a weekly intelligence briefing for blue teamers and security leaders — the stories that matter most, with clear implications and practical defensive actions. This podcast is the audio version of the weekly Defensive Line Substack newsletter, bringing the same curated analysis to your ears. Voices are AI generated, but the analysis and script are human curated.

Topic 1: South Staffordshire Water — 22 Months Undetected
* ICO enforcement notice [https://ico.org.uk/action-weve-taken/enforcement/2026/05/south-staffordshire-plc-and-south-staffordshire-water-plc/]
* The Record [https://therecord.media/uk-water-company-had-hackers-lurking-for-years]
* BleepingComputer [https://www.bleepingcomputer.com/news/security/uk-fines-water-supplier-13m-for-exposing-data-of-664k-customers/]
* Help Net Security [https://www.helpnetsecurity.com/2026/05/11/ico-south-staffordshire-cyberattack-fine/]
* Computer Weekly [https://www.computerweekly.com/news/366642957/ICO-fines-Cl0p-victim-South-Staffs-Water-over-data-breach]

Topic 2: BlackFile — Vishing and Real-Time AitM
* Google Threat Intelligence Group (GTIG) [https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/]
* Push Security [https://pushsecurity.com/blog/inside-criminal-phishing-panel]

Topic 3: Mini Shai-Hulud — npm Supply Chain Worm
* TanStack postmortem [https://tanstack.com/blog/npm-supply-chain-compromise-postmortem]
* OpenAI disclosure [https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack/]
* StepSecurity (TanStack) [https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem]
* Socket (TanStack) [https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack]
* StepSecurity (node-ipc) [https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack]
* The Record [https://therecord.media/openai-asks-macos-users-to-update-after-tanstack-npm-supply-chain-attack]
* The Hacker News (TanStack) [https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html]
* The Hacker News (node-ipc) [https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html]

Honourable Mentions
* Cisco Security Advisory CVE-2026-20182 [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW]
* Rapid7 (Cisco SD-WAN) [https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/]
* Cisco Talos (SD-WAN exploitation) [https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/]
* Microsoft Security — Kazuar/Secret Blizzard [https://www.microsoft.com/en-us/security/blog/]

Subscribe to The Defensive Line on Substack [https://thedefensiveline.substack.com] for the full weekly written edition.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com [https://thedefensiveline.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

20 May 2026 - 13 min
The Defensive Line Weekly Podcast 017

The Defensive Line Weekly is a weekly intelligence briefing for blue teamers and security leaders — the stories that matter most, with clear implications and practical defensive actions. This podcast is the audio version of the weekly Defensive Line Substack newsletter, bringing the same curated analysis to your ears. Voices are AI generated, but the analysis and script are human curated.

ShinyHunters / Canvas Breach
* Bitdefender Technical Advisory [https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms]
* Instructure Incident Update [https://www.instructure.com/incident_update]
* Krebs on Security [https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/]
* Push Security analysis [https://pushsecurity.com/blog/analyzing-the-instructure-breach]
* Halcyon [https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure]
* PCMag [https://www.pcmag.com/news/canvas-restored-after-hack-breach-traced-to-free-for-teacher-accounts]

PAN-OS CVE-2026-0300
* Palo Alto Networks Security Advisory [https://security.paloaltonetworks.com/CVE-2026-0300]
* Unit 42 Threat Brief [https://unit42.paloaltonetworks.com/captive-portal-zero-day/]
* Rapid7 [https://www.rapid7.com/blog/post/etr-critical-buffer-overflow-in-palo-alto-networks-pan-os-user-id-authentication-portal-cve-2026-0300/]
* BleepingComputer [https://www.bleepingcomputer.com/news/security/pan-os-firewall-rce-zero-day-exploited-in-attacks-since-april-9/]
* Canadian Centre for Cyber Security [https://www.cyber.gc.ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-425]

Vibe-Coded Apps Leaking Corporate Data
* Wired — RedAccess Research [https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/]
* Axios [https://www.axios.com/2026/05/07/loveable-replit-vibe-coding-privacy]
* PCMag [https://www.pcmag.com/news/vibe-coding-is-causing-thousands-of-data-security-vulnerabilities-says]

Honourable Mentions

cPanel Escalation
* The Hacker News [https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html]
* SecurityWeek [https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/]
* watchTowr Labs [https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/]

Dirty Frag Linux LPE Zero-Day
* BleepingComputer [https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/]

Supply Chain Infostealer Cluster
* Netskope Threat Labs — OpenClaw/Hologram [https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer]
* BleepingComputer — JDownloader [https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/]
* BleepingComputer — Fake OpenAI/Hugging Face [https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/]

Ivanti EPMM Zero-Day
* Ivanti Advisory [https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs]

13 May 2026 - 13 min
The Defensive Line Weekly Podcast 016

The Defensive Line Weekly is a podcast version of our weekly Substack intelligence summary — the security stories that matter most for blue teamers and security leaders, with clear implications and practical defensive actions. AI voices are used, but the content is human curated and written with the support of AI.

Topic 1: Helpdesk Impersonation Continues to Succeed
* CrowdStrike — Cordial Spider adversary profile [https://www.crowdstrike.com/en-us/adversaries/cordial-spider/]
* CrowdStrike — Snarky Spider adversary profile [https://www.crowdstrike.com/en-us/adversaries/snarky-spider/]
* Google / Mandiant GTIG — Expansion of ShinyHunters SaaS data theft [https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft]
* Unit 42 / RH-ISAC — Extortion in the enterprise: defending against BlackFile attacks [https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/]
* CyberScoop — CrowdStrike names Cordial Spider and Snarky Spider [https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/]

Topic 2: cPanel & WHM and CopyFail

cPanel / WHM CVE-2026-41940
* watchTowr Labs — cPanel WHM authentication bypass [https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/]
* cPanel vendor advisory — 28 April 2026 [https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026]
* Censys — The cPanel situation [https://censys.com/blog/the-cpanel-situation-is/]
* Help Net Security — cPanel zero-day exploited [https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/]
* Rapid7 — CVE-2026-41940 ETR [https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/]

CopyFail CVE-2026-31431
* Wiz Research — CopyFail Linux privilege escalation [https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability]
* Ubuntu security advisory [https://ubuntu.com/security/CVE-2026-31431]
* AlmaLinux blog [https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/]
* Red Hat CVE advisory [https://access.redhat.com/security/cve/cve-2026-31431]
* Microsoft Security Blog — CopyFail cloud and Kubernetes impact [https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/]
* CERT-EU SA 2026-005 [https://cert.europa.eu/publications/security-advisories/2026-005/]

Topic 3: Three Supply Chain Attacks in One Week
* SentinelOne — Week 18 supply chain roundup [https://blog.sentinelone.com/the-good-the-bad-and-the-ugly-in-cybersecurity-week-18/]
* Aikido Security — PyTorch Lightning PyPI compromise [https://www.aikido.dev/blog/pytorch-lightning-pypi-compromise-mini-shai-hulud]
* Socket — PyTorch Lightning compromised [https://socket.dev/blog/lightning-pypi-package-compromised]
* The Hacker News — Poisoned Ruby gems and Go modules [https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html]
* The Hacker News — PyTorch Lightning supply chain [https://thehackernews.com/2026/04/pylib-poisoned-supply-chain.html]
* The Register — SAP npm supply chain [https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm/]

Honourable Mentions
* TRM Labs — North Korea 2026 crypto theft [https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks]
* Arctic Wolf — BlueNoroff ClickFix and AI-generated Zoom lures [https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/]
* NCSC — AI-driven patch wave warning [https://www.ncsc.gov.uk/]
* Fortinet PSIRT FG-IR-26-100 [https://fortiguard.fortinet.com/psirt/FG-IR-26-100]
* Fortinet PSIRT FG-IR-26-112 [https://fortiguard.fortinet.com/psirt/FG-IR-26-112]
* The Register — Gemini CLI critical RCE [https://www.theregister.com/2026/04/30/gemini_cli_critical_rce/]

6 May 2026 - 16 min
The Defensive Line Weekly Podcast 015

Story 1: Vercel Breached via AI Tool OAuth Token Sprawl
* Vercel Security Bulletin [https://vercel.com/kb/bulletin/vercel-april-2026-security-incident]
* Hudson Rock / InfoStealers [https://www.infostealers.com/blog/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai]
* The Register [https://www.theregister.com/2026/04/20/vercel_context_ai_security_incident/]
* Push Security [https://pushsecurity.com/blog/unpacking-the-vercel-breach/]
* Varonis [https://www.varonis.com/blog/vercel-breach-2026]

Story 2: BlackFile Extortion Targets Retail and Hospitality
* RH-ISAC / Unit 42 Joint Report [https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/]
* BleepingComputer [https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/]

Story 3: The Gentlemen Ransomware Scales Fast
* Check Point Research [https://blog.checkpoint.com/research/the-gentlemen-a-new-ransomware-threat-climbing-the-charts-fast/]
* BleepingComputer [https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/]
* The Hacker News [https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html]

Honourable Mentions

Bitwarden CLI / TeamPCP Supply Chain
* Socket [https://socket.dev/blog/bitwarden-cli-compromised]
* BleepingComputer [https://www.bleepingcomputer.com/news/security/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/]
* The Hacker News [https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html]

China-Nexus Covert Networks Advisory
* NCSC Advisory [https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices]
* NCSC CEO Keynote — CyberUK 2026 [https://www.ncsc.gov.uk/speech/ncsc-ceo-keynote-speech-cyberuk-2026]

Kyber Post-Quantum Ransomware
* Rapid7 [https://www.rapid7.com]

NCSC Passkeys Endorsement
* NCSC [https://www.ncsc.gov.uk]

Vulnerability Roundup
* CVE-2026-33825 (Microsoft Windows Defender) — actively exploited
* CVE-2026-33626 (LMDeploy) — exploited within 12 hours of advisory
* Cisco Catalyst SD-WAN Manager — actively exploited

📰 Full written edition: https://thedefensiveline.substack.com/p/the-defensive-line-weekly-18-1926

📬 Subscribe to The Defensive Line on Substack for weekly actionable security intelligence, written for and by blue teamers.

29 Apr 2026 - 13 min
The Defensive Line Weekly Podcast 014

The Defensive Line Weekly is a curated weekly intelligence briefing for blue teamers and security leaders — produced as both a written Substack newsletter and this podcast. Each week we cut through the noise to the stories that actually matter for defenders, with clear implications and practical defensive actions.

Topic 1: QEMU Virtual Machines Weaponised to Blind EDR
* Sophos X-Ops — QEMU abused to evade detection and enable ransomware delivery [https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery]
* BleepingComputer — Payouts King ransomware uses QEMU VMs to bypass endpoint security [https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/]

Topic 2: Helpdesk Impersonation to Data Exfiltration
* Microsoft Threat Intelligence — Cross-tenant helpdesk impersonation data exfiltration human-operated intrusion playbook [https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/]

Topic 3: Windows and Defender Zero-Days
* Huntress — via Twitter/X [https://x.com/HuntressLabs/status/2044882050314817880]
* BleepingComputer — Recently leaked Windows zero-days now exploited in attacks [https://www.bleepingcomputer.com/news/microsoft/recently-leaked-windows-zero-days-now-exploited-in-attacks/]
* BleepingComputer — New Microsoft Defender RedSun zero-day PoC grants SYSTEM privileges [https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/]
* The Hacker News — Three Microsoft Defender zero-days [https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html]

Honourable Mentions
* Darktrace — Inside ZionSiphon: OT malware targeting Israeli water systems [https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems]
* Ox Security — MCP supply chain advisory: RCE vulnerabilities across the AI ecosystem [https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/]
* Aonan Guan — Comment-and-control: prompt injection credential theft via Claude, Gemini, Copilot [https://oddguan.com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/]
* BleepingComputer — ATHR vishing platform uses AI voice agents for automated attacks [https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/]
* Dark Reading — Tycoon 2FA hackers adopt device code phishing [https://www.darkreading.com/threat-intelligence/tycoon-2fa-hackers-device-code-phishing]

22 Apr 2026 - 15 min