YusufOnSecurity.com

275 - The Mercor Breach-When Your Security Scanner Becomes the Attack Vector

Enjoying the content? Let us know your feedback! [https://www.buzzsprout.com/1673686/fan_mail/new] Today's episode is one of those stories that, when you start pulling the thread, the whole thing just keeps unravelling. We are going to talk about the Mercor breach. Now, if that name doesn't ring a bell, Mercor is a ten-billion-dollar AI recruiting startup. They match human experts with companies like OpenAI, Meta, and Anthropic to help train AI models. Big clients. Big data. Big target. Towards the end of March of this year, a threat group called TeamPCP  and no, that is not a household cleaning detergent type of product - managed to steal roughly four terabytes of data from Mercor. And the way they did it? They didn't attack Mercor directly. They didn't even attack the software Mercor relied on directly. They attacked the security tool that was supposed to protect that software. Let me say that again. They compromised the vulnerability scanner.  We have all that coming up next in this week's episode. - https://securitylabs.datadoghq.com [https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/]: LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP supply chain campaign - https://www.securityweek.com [https://www.securityweek.com/mercor-hit-by-litellm-supply-chain-attack/]: SecurityWeek — Mercor Hit by LiteLLM Supply Chain Attack: Be sure to subscribe!  You can also stream from https://yusufonsecurity.com [https://yusufonsecurity.com] In there, you will find a list of all previous episodes in there too.

274 - Ransomware Hit a Water Plant - Why Your Tap Water Is a Cybersecurity Problem

Enjoying the content? Let us know your feedback! [https://www.buzzsprout.com/1673686/fan_mail/new] Today's episode is one of those stories that really does hit home. Not a bank breach. Not some government leak. I want to talk about the water coming out of your tap. On March 14th, 2026, hackers dropped ransomware on a water treatment plant in Minot, North Dakota. Staff walked in that morning, saw a ransom note sitting on a server screen, and had to unplug the whole thing. For the next sixteen hours, plant operators were physically walking through the facility, reading gauges by hand — old school, the way it was done decades ago — while the FBI got the call. The city says the water stayed safe. Nobody got sick. But this incident ripped the cover off a problem the cybersecurity community has been warning about for years: water infrastructure is dangerously exposed. And most people have no idea. Today I want to unpack what happened in Minot, why water utilities are such soft targets, what SCADA systems actually are and why they are so difficult to defend, and what defenders and regulators are doing — and should be doing — about all of this. - https://therecord.media [https://therecord.media/north-dakota-ransomware-water-plant]: North Dakota Ransomware Water Plant - https://www.cisa.gov [https://www.cisa.gov/news-events/alerts/2026/04/01/adapting-zero-trust-principles-operational-technology]: CISA — Adapting Zero Trust Principles to Operational Technology Be sure to subscribe!  You can also stream from https://yusufonsecurity.com [https://yusufonsecurity.com] In there, you will find a list of all previous episodes in there too.

273 - Project Glasswing (Mythos) - Anthropic Watershed Moment for Cybersecurity - Part 2

Enjoying the content? Let us know your feedback! [https://www.buzzsprout.com/1673686/fan_mail/new] This is Part 2 of our deep dive into Anthropic's Claude Mythos Preview and Project Glasswing. In Part 1, we covered what Mythos is, how it fits into the Claude model family, and why Anthropic is pushing the boundaries of extended thinking and complex reasoning. Today, we are picking up right where we left off and turning our attention to Project Glasswing — what it is, what it means for security professionals, and why this convergence of advanced AI reasoning and autonomous capability should be on every defender's radar. If you have not listened to Part 1 yet, I would recommend going back and starting there, but if you are already caught up, let us get right into it. https://www.forrester.com [https://www.forrester.com/blogs/project-glasswing-the-10-consequences-nobodys-writing-about-yet/]: Project Glasswing The 10 Consequences Nobody Writing About Yet - https://www.anthropic.com [https://www.anthropic.com/project/glasswing]: Project Glasswing - https://blogs.cisco.com [https://blogs.cisco.com/news/rising-to-the-era-of-ai-powered-cyber-defense]: Rising To the Era of AI Powered Cyber Defense - https://www.wired.com [https://www.wired.com/story/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox/]: Mozilla Used Anthropics Mythos To Find 271 Bugs In Firefox Be sure to subscribe!  You can also stream from https://yusufonsecurity.com [https://yusufonsecurity.com] In there, you will find a list of all previous episodes in there too.

272 - Project Glasswing (Mythos) - Anthropic Watershed Moment for Cybersecurity - Part 1

Enjoying the content? Let us know your feedback! [https://www.buzzsprout.com/1673686/fan_mail/new] About three weeks ago, on the 7th of April, Anthropic — the company behind the Claude family of AI models — announced something called Claude Mythos Preview. They paired the announcement with a coordinated industry effort they're calling Project Glasswing. And the headlines that followed have been, frankly, alarming. Fortune ran a piece headlined that Mythos can hack nearly anything, and we aren't ready. Coindesk reported that banks like JP Morgan, and crypto exchanges like Coinbase and Binance, are already approaching Anthropic to test it. And Anthropic's own researchers described this as a watershed moment — meaning, a before-and-after divide in how we think about software security. So let's break this down. What is Mythos? What can it actually do? And — most importantly — what should you and I, as defenders, be doing about it starting today? - https://www.anthropic.com [https://www.anthropic.com/project/glasswing]: Project Glasswing - https://blogs.cisco.com [https://blogs.cisco.com/news/rising-to-the-era-of-ai-powered-cyber-defense]: Rising To the Era of AI Powered Cyber Defense - https://www.wired.com [https://www.wired.com/story/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox/]: Mozilla Used Anthropics Mythos To Find 271 Bugs In Firefox Be sure to subscribe!  You can also stream from https://yusufonsecurity.com [https://yusufonsecurity.com] In there, you will find a list of all previous episodes in there too.

271 - $21 Billion Lost to Cybercrime — FBI's 2025 Report and Microsoft's Massive April Patch Tuesday

Enjoying the content? Let us know your feedback! [https://www.buzzsprout.com/1673686/fan_mail/new] We have got two big stories to get through today. First, the FBI just released its 2025 Internet Crime Report — and the numbers are not just record-breaking, they are genuinely alarming. We are talking about over twenty billion dollars in reported losses in a single year. And for the first time ever, the report includes a dedicated section on how criminals are using artificial intelligence to supercharge their scams. Then, we are going to pivot to Microsoft's April 2026 Patch Tuesday — one of the largest patch cycles we have seen in a long time. A hundred and sixty-seven vulnerabilities fixed, including an actively exploited zero-day in SharePoint Server. If your organisation runs SharePoint, and most do, you are going to want to hear this. Be sure to subscribe!  You can also stream from https://yusufonsecurity.com [https://yusufonsecurity.com] In there, you will find a list of all previous episodes in there too.