Podcasts about supply chain attacks

  • 126 PODCASTS
  • 225 EPISODES
  • 51m AVG DURATION
  • 5 WEEKLY NEW EPISODES
  • LATEST: Jun 17, 2026

POPULARITY (chart by year, 2019 to 2026)


Latest podcast episodes about supply chain attacks

Security Now (MP3)
SN 1083: Patch Tuesday à la AI - Arch Linux Repo Under Siege

Jun 17, 2026 | 156:20


This episode unpacks the jaw-dropping surge in vulnerabilities unearthed by AI, revealing how Microsoft shattered its own patch records while adversaries and defenders race to outpace each other. The conversation gets real about whether AI is fixing our broken software or just making attacks easier for everyone.

  • Rootkits found in more than 400 ArchLinux User Repository packages.
  • The US government requests Anthropic to remove Mythos and Fable.
  • CISA responds to AI-driven attacks with new patching requirements.
  • NPM to switch to more secure install defaults. Will it help?
  • Our listeners react to last week's PHP commentary.
  • June shows that AI has arrived for vulnerability discover

Show Notes: https://www.grc.com/sn/SN-1083-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com.

All TWiT.tv Shows (MP3)
Security Now 1083: Patch Tuesday à la AI

Jun 17, 2026 | 156:20 | Transcription Available

Security Now (Video HD)
SN 1083: Patch Tuesday à la AI - Arch Linux Repo Under Siege

Jun 17, 2026 | 156:20

Security Now (Video HI)
SN 1083: Patch Tuesday à la AI - Arch Linux Repo Under Siege

Jun 17, 2026 | 156:20

Radio Leo (Audio)
Security Now 1083: Patch Tuesday à la AI

Jun 17, 2026 | 156:20 | Transcription Available

Security Now (Video LO)
SN 1083: Patch Tuesday à la AI - Arch Linux Repo Under Siege

Jun 17, 2026 | 156:20

All TWiT.tv Shows (Video LO)
Security Now 1083: Patch Tuesday à la AI

Jun 17, 2026 | 156:20 | Transcription Available

Radio Leo (Video HD)
Security Now 1083: Patch Tuesday à la AI

Jun 17, 2026 | 156:20 | Transcription Available

CISSP Cyber Training Podcast - CISSP Training Program
CCT 357: Is Your Encrypted Data Already Stolen? Quantum Risk & Supply Chain Attacks for CISSP

Jun 15, 2026 | 32:09 | Transcription Available


Someone is stealing encrypted data right now and they are not trying to read it today. They are saving it for later, betting that quantum computing will eventually break the encryption that protects it. I dig into the “Harvest Now, Decrypt Later” strategy, why it matters most for long-term confidentiality, and how security leaders can talk about it as a present-day risk instead of science fiction.

From there, I get practical with post-quantum planning: what the NIST post-quantum cryptography standards signal, why quantum key distribution is still niche for most organisations, and the big architectural idea to remember for the CISSP and for real enterprise security programs: crypto agility. We walk through concrete steps like building a cryptographic inventory, mapping where RSA and elliptic curve crypto live, identifying data with 10 to 20 year secrecy needs, and pushing vendors for a clear PQC roadmap.

Then we pivot into CISSP Domain 1 supply chain risk management (SCRM and CSCRM). I explain why supply chains are a prime target, how modern supply chain attacks can ride in through poisoned open source packages, and what SolarWinds showed the world about scale and impact. We close with the nuts and bolts that actually reduce third-party risk: lifecycle supplier management, meaningful assessments (on-site when it matters), document and policy review, audits, and minimum security requirements baked into contracts and SLAs.

Risky Business News
Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks

Jun 8, 2026 | 6:38


RubyGems adds dependency-cooldowns to counter supply chain attacks, AT&T and IBM are accused of hiding foreign hacks, Cisco warns of a new SD-WAN zero-day, and Google layoffs hit security teams.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 356: Supply Chain Attacks Are Exploding in 2026 — Here's What the NCSC Wants You to Do

Jun 8, 2026 | 41:38 | Transcription Available


Your software is only as trustworthy as the dependencies you quietly inherit and attackers know it. Today I break down the NCSC warning on software supply chain security and why open source package ecosystems have become a high-value target for real-world compromises that spread fast through CI/CD pipelines.

I walk through the attack patterns that keep showing up in incidents: maintainer account compromise, expired domain takeover, typosquatting, and credential chaining. We connect each technique to the CISSP mindset so you can spot it in scenario questions and, more importantly, recognise it in your own environment. Along the way, I explain why Node.js, Python, and Rust projects are especially exposed, how automation can turn “latest version” convenience into an enterprise incident, and why developer environments often become an overlooked attack surface.

Then we get practical with controls you can actually implement: pausing automatic dependency updates when compromise is suspected, adding human approval for critical packages, rotating credentials immediately, enforcing MFA on developer and registry accounts, and using private or trusted registries to mirror and vet dependencies. I also zoom out to show how to build supply chain security into the secure SDLC with software composition analysis (SCA), code signing, checksum verification, audit logging, continuous monitoring, and an SBOM so you can respond fast when a package turns toxic.

Microsoft Threat Intelligence Podcast
Supply Chain Attacks: Open Source or Open Door?

Jun 3, 2026 | 38:46


In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Allie Luhrs and Mario Samolis from Microsoft Security to explore the growing threat of open source software supply chain attacks. They discuss how malicious NPM packages, compromised developer ecosystems, AI-generated attacks, and software dependency risks are reshaping modern incident response, while sharing insights from their recent presentation at BlueHat IL 2025.

In this episode you'll learn:

  • How attackers are targeting open source software ecosystems at scale
  • Why AI is accelerating both cyberattacks and threat detection
  • What was uncovered during their BlueHat presentation on modern software supply chain attacks

Some questions we ask:

  • What patterns did you uncover in NPM attack campaigns?
  • Should developers rely on dependencies or build everything themselves?
  • Why should organizations pay closer attention to open source security risks?

Resources:

  • View Allie Luhrs on LinkedIn
  • View Mario Samolis on LinkedIn
  • View Sherrod DeGrippo on LinkedIn

Related Microsoft Podcasts:

  • Afternoon Cyber Tea with Ann Johnson
  • The BlueHat Podcast
  • Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

The WP Minute+
Inside the Surge of WordPress Supply Chain Attacks

Jun 1, 2026 | 36:15


On this episode of The WP Minute+ podcast, Anchor Hosting owner Austin Ginder joins Eric to discuss the recent surge in supply chain attacks affecting WordPress plugins. Austin shares his experiences managing security for thousands of WordPress sites and how AI has transformed his approach to identifying vulnerabilities. It all led him to launch WP Beacon, a tool designed to uncover compromised plugins and enhance security measures. This episode is packed with actionable advice for keeping your WordPress websites safe and secure.

Takeaways:

  • Supply chain attacks are increasingly common in WordPress plugins.
  • AI is revolutionizing the way developers approach security.
  • Regular code audits are essential for maintaining site security.
  • WP Beacon aims to identify and report compromised plugins.
  • The cleanup process for hacked sites can be complex and challenging.
  • Security measures must evolve to keep pace with AI advancements.
  • Collaboration with security teams is crucial for effective responses.
  • Identifying patterns in compromised plugins can help prevent future attacks.
  • Site owners should prioritize vulnerability scanning and malware detection.
  • The future of WordPress security relies on proactive measures and AI integration.

Important Links:

  • WP Beacon
  • The Great Security Reset of 2026
  • Connect with Austin: LinkedIn | Twitter/X | Website
  • The WP Minute+ Podcast: thewpminute.com/subscribe

Datacenter Technical Deep Dives
Yelling at LLM Costs

May 28, 2026 | 56:34


AI subscriptions are becoming as essential as internet bills - and just as expensive. The vBrownBag gang takes a hard look at the real cost of LLMs and what happens when the free ride ends. Chris, Shala, and Damian dig into the Anthropic pricing plot twist, why AI data centers consume 10x the power of traditional racks, the DeepSeek distillation controversy, and what happens when the first hit's free phase ends. You'll learn practical strategies for reducing token burn, why local models are becoming a viable cost escape hatch, how to pick the right model for the right job, and why blindly using Opus for everything is lighting money on fire. This is the unfiltered conversation every AI practitioner needs to have - before the subsidies disappear and the real bills arrive.

Timestamps:

  • 0:00 Cold Open: Get These Darn Kids Off My Lawn
  • 1:27 Chris's Big News: Leaving IBM for Six Feet Up
  • 8:09 How Many AI Subscriptions Do You Have?
  • 16:41 Stack Overflow Is Dead, Long Live Claude
  • 17:12 Don't Just Blindly Copy and Paste (AI Edition)
  • 31:00 Anthropic Gross Margin 2025: Negative 53%
  • 35:30 When Token Costs Exceed a Junior Dev's Salary
  • 42:02 Find the Model That Fits the Job
  • 46:11 AI Multitasking Is a Lie (Just Like Humans)
  • 49:05 We Are Uniquely Bad at Making Money Off This Show
  • 53:19 Supply Chain Attacks and GitHub Actions
  • 54:45 Did We Solve Anything? Yes. No. Maybe.
  • 55:58 Grateful for Friends & Wrapping Up

Cybercrime Magazine Podcast
What Cybersecurity Sounds Like. Supply Chain Attacks. Sean Juroviesky, SoundCloud.

May 20, 2026 | 11:57


Sean Juroviesky is a senior security engineer at SoundCloud. In this episode, he joins host Paul John Spaulding to discuss his background and work at SoundCloud, as well as the pervasiveness of supply chain attacks, third party tools, autonomous agents, and more. • For more on cybersecurity, visit us at https://cybersecurityventures.com

Paul's Security Weekly
Cisco, Canvas, Microsoft, Exchange 0-Days, NPM Backdoors, GPT-5.5 and more... - SWN #581

May 15, 2026 | 33:59


Cisco Catalyst, Canvas, Exchange 0-Days, BitLocker Bypass, Mini Shai Hulud, Node IPC, Patch Tuesday, GPT-5.5, Supply Chain Attacks, and More on the Security Weekly News Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-581

Paul's Security Weekly TV
Cisco, Canvas, Microsoft, Exchange 0-Days, NPM Backdoors, GPT-5.5 and more... - SWN #581

May 15, 2026 | 33:59


Cisco Catalyst, Canvas, Exchange 0-Days, BitLocker Bypass, Mini Shai Hulud, Node IPC, Patch Tuesday, GPT-5.5, Supply Chain Attacks, and More on the Security Weekly News Show Notes: https://securityweekly.com/swn-581

Hack Naked News (Audio)
Cisco, Canvas, Microsoft, Exchange 0-Days, NPM Backdoors, GPT-5.5 and more... - SWN #581

May 15, 2026 | 33:59

Hack Naked News (Video)
Cisco, Canvas, Microsoft, Exchange 0-Days, NPM Backdoors, GPT-5.5 and more... - SWN #581

May 15, 2026 | 33:59

The DevSecOps Talks Podcast
#97 - Shift Left, Get Hacked: Supply Chain Attacks Hit Devs

Apr 15, 2026 | 35:36


March 2026 made supply chain attacks feel a lot less theoretical, but what made these incidents different? The hosts discuss compromised publishing credentials, automatic execution hooks like post-install scripts and Python `.pth` files, and how both humans and security tools caught the malicious releases. They also talk through concrete ways to make developer environments harder to abuse.

We are always happy to answer any questions, hear suggestions for new episodes, or hear from you, our listeners.

This Week in Tech (Audio)
TWiT 1079: Fans. Only Fans. - Is Mythos Preview Too Powerful for Public Release?

Apr 13, 2026 | 157:48


Anthropic has built an AI model so sharp it's being withheld from the public, sparking debate over who gets access to world-changing tech and who's left behind. Hear how this "too dangerous" AI could tip the balance for the world's most powerful players. This episode unpacks the fresh moral minefields created when cutting-edge tech collides with politics, security, and human lives.

  • Anthropic says its most powerful AI cyber model is too dangerous to release publicly — so it built Project Glasswing
  • Sam Altman Fire Bombing Response
  • OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters
  • Samsung flags eightfold jump in quarterly profit as AI chip demand pumps prices
  • SpaceX Posted Nearly $5 Billion Loss Last Year from AI Spending
  • Trump administration plans to cut cybersecurity agency's budget by $700 million
  • CPUID hijacked to serve malware as HWMonitor downloads
  • GTA 6 Developer Rockstar Reportedly Hacked, Data Being Ransomed
  • FBI used iPhone notification data to retrieve deleted Signal messages - 9to5Mac
  • ICE acknowledges it is using powerful spyware
  • Helium Is Hard to Replace
  • John Deere to Pay $99 Million in Monumental Right-to-Repair Settlement
  • France's government is ditching Windows for Linux, calling US tech dependence a strategic risk
  • The disturbing white paper Red Hat is trying to erase from the internet
  • DOJ Top Antitrust Litigators Exit After Ticketmaster Settlement
  • My Quest to Solve Bitcoin's Great Mystery
  • Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8%
  • 'Abhorrent': the inside story of the Polymarket gamblers betting millions on war

Host: Leo Laporte

Guests: Doc Rock, Jason Hiner, and Mike Elgan

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

This Week in Tech (Video HI)
TWiT 1079: Fans. Only Fans. - Is Mythos Preview Too Powerful for Public Release?

Apr 13, 2026

All TWiT.tv Shows (MP3)
This Week in Tech 1079: Fans. Only Fans.

Apr 13, 2026 | 157:48 | Transcription Available

Adversary Universe Podcast
Hunting Supply Chain Attacks with Jared Myers, Director, CrowdStrike OverWatch

Apr 9, 2026 26:18


Supply chain attacks targeting AI have recently been making headlines — and keeping the CrowdStrike OverWatch team busy. Jared Myers, director of CrowdStrike OverWatch, joins Adam in this episode to discuss his team's approach to detecting and responding to these attacks.

When a supply chain attack uses a zero-day vulnerability to breach a target, it's often the CVE that grabs attention. But the zero-day isn't what CrowdStrike OverWatch is after, Jared says. It's the follow-on tradecraft once the adversary is inside. He takes listeners behind the scenes of the team's response to recent supply chain attacks, including the MOVEit attack of 2023 and the Axios supply chain incident of March 2026, to share the technical details of how the team learns and acts on information as attacks are unfolding.

Identity is an essential component in supply chain attacks, Jared explains. Once an adversary is in, they're looking for a user account to help them move laterally. He shares advice with listeners and key takeaways from the team's identity threat hunting.

CrowdStrike OverWatch is a 24/7/365 operation, with experts working around the clock across time zones with visibility into trillions of events per day. By the time an attack makes headlines, CrowdStrike OverWatch may have known about it for months. “We don't ever stop looking; we don't ever stop hunting,” says Jared.

Notes:
• Blog: STARDUST CHOLLIMA Likely Compromises Axios npm Package [https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/]
• Blog: From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise [https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/]

Security Now (MP3)
SN 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell

Apr 8, 2026 172:15 Transcription Available


The FCC has banned all new consumer routers made outside the US, leaving networks stuck with aging, insecure hardware while blocking innovation. Find out why this sweeping move is raising eyebrows and lawsuits—and why it makes zero sense for cybersecurity.

• Apple's 26.4 age queries catch many by surprise.
• LinkedIn's 2.7 MB of privacy-invading JavaScript.
• Microsoft starts forcing Win11 24H2 to 25H2.
• Cisco loses source code to the Trivy supply-chain mess.
• Proton introduces privacy-first voice and video "Meet."
• GitHub to fix lagging security of its Actions feature.
• Cloudflare reaffirms the privacy of its 1.1.1.1 DNS.
• Cloudflare uses AI to re-code better secure WordPress.
• The FCC drops a ban on all new consumer-grade routers.

Show Notes - https://www.grc.com/sn/SN-1073-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:
• meter.com/securitynow
• zscaler.com/security
• material.security
• bitwarden.com/twit
• hoxhunt.com/securitynow

TD Ameritrade Network
Vigilant CEO on AI Supply‑Chain Attacks Exposing Substantial Cybersecurity Risks

Apr 2, 2026 8:54


Chris Nyhuis, CEO of private cybersecurity firm Vigilant, breaks down how a recent AI supply‑chain attack exposed vulnerabilities in open‑source software, allowing nation‑state actors to infiltrate millions of applications. He explains why cybersecurity leaders like Palo Alto Networks (PANW) and CrowdStrike (CRWD) are critical as AI expands the global threat surface.

Security Conversations
From Epstein to Notepad++: Redactions, Zero-Days and Supply Chain Attacks

Feb 8, 2026 137:38


(Presented by Thinkst Canary: Most Companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em giving you the one alert, when it matters. With zero admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents.)

Three Buddy Problem - Episode 84: We process the cybersecurity fallout from the latest Epstein document dump, focusing on why redactions fail in the AI era and how quickly modern tools can unravel them. The conversation moves from sloppy redaction practices and exploit mythology to harder questions about ethics, accountability, and silence within the infosec community.

Plus, inside the Notepad++ supply-chain compromise attributed to a known Chinese APT, Microsoft's security executive changes, Anthropic's AI-driven vulnerability discovery, China-linked network implants, and Lockdown Mode thwarting FBI investigators.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

PodRocket - A web development podcast from LogRocket
Anthropic buys Bun, GitHub friction, and AI economics

Jan 1, 2026 40:07


In this panel episode, the crew discusses AI platform consolidation, open-source sustainability, and the future of web development. We break down Anthropic's acquisition of Bun, what it means for the JavaScript ecosystem, and whether open-source projects can remain independent as AI companies invest heavily in infrastructure. We also discuss Zig leaving GitHub, growing concerns around AI-first developer tools, npm security vulnerabilities, and supply-chain risk in modern software. The episode wraps with hot takes on AI infrastructure costs, developer productivity, and practical advice for engineers navigating today's rapidly changing tech landscape.

Resources
• Anthropic acquires Bun as Claude Code hits $1B milestone: https://www.anthropic.com/news/anthropic-acquires-bun-as-claude-code-reaches-usd1b-milestone
• Zig quits GitHub, says Microsoft's AI obsession ruined the service: https://ziglang.org/news/migrating-from-github-to-codeberg/
• Shai-Hulud: 1K+ npm packages & 27K repos infected: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
• IBM CEO says AI data center spending “won't pay off” at current costs: https://www.businessinsider.com/ibm-ceo-big-tech-ai-capex-data-center-spending-2025-12

We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com, or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Check out our newsletter (https://blog.logrocket.com/the-replay-newsletter/)!

Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers!

What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr)

Chapters
• 01:00 – Meet the Panel: Paige, Jack, and Paul
• 02:00 – Anthropic Acquires Bun: First Reactions
• 05:30 – What the Bun Acquisition Means for JavaScript Runtimes
• 09:00 – Open Source Funding, Independence, and New Exit Models
• 14:30 – Zig Leaves GitHub: AI-First Platforms and OSS Friction
• 20:30 – GitHub, Copilot, and Developer Experience Tradeoffs
• 24:30 – npm Security, Supply Chain Attacks, and Trust at Scale
• 31:00 – Are We Too Dependent on Big Tech Platforms?
• 36:30 – AI Infrastructure Costs and the Sustainability Question
• 43:00 – Small Models, Local AI, and the Future of Inference
• 50:30 – Hot Takes: Subscriptions, Burnout, and Developer Frustration
• 58:30 – Security Alerts, Tooling Wins, and Final Thoughts

Special Guest: Jack Herrington.

Destination Linux
446: Ubuntu From The BIOS & The Quest for an Open Source Mac

Dec 16, 2025 70:08


This week on Destination Linux, we are joined by a special guest host: Craig Rowland, the CEO of Sandfly Security! We're diving deep into the reality of modern security—specifically when third-party code knocks over your castle. From malicious VSCode extensions to the "React2Shell" vulnerability, we discuss why "Open Source" doesn't automatically mean "Safe" and how to protect your supply chain.

Then, is it possible to have the macOS experience without the Apple ecosystem? Ryan explores ravynOS, a daring new project with "macOS vibes and a BSD soul." It's attempting to bring the Aqua interface—and eventually Mac app compatibility—to the open-source world.

Plus, Jill brings us massive news from Canonical and AMI. You might soon be installing Ubuntu directly from your motherboard's BIOS without ever needing a USB drive. We break down how this partnership changes the game for hardware. Finally, we read an incredible listener story.

Show Notes:
• 00:00:00 Intro
• 00:02:39 Extended Intro: Open Source or Bust
• 00:03:08 Community Feedback: A Pentester's Origin Story
• 00:10:03 Guest Host: Sandfly Security & Agentless Protection
• 00:15:53 Security Deep Dive: Supply Chain Attacks, Malicious VSCode Extensions & React2Shell
• 00:44:31 ravynOS: The Open Source Mac Killer?
• 00:56:05 News: Canonical + AMI: Installing Ubuntu from the BIOS
• 01:08:07 Outro
• 01:09:33 Post-Show Shenanigans

Support the Show: Sponsored by Sandfly Security: destinationlinux.net/sandfly - Get 50% off the Home Edition with code DESTINATION50

Special Guest: Craig Rowland.

Trust Issues
EP 21 - When attackers log in: Pausing for perspective in the age of instant answers

Dec 16, 2025 43:50


In this episode of Security Matters, host David Puner welcomes back David Higgins, senior director in CyberArk's Field Technology Office, for a timely conversation about the evolving cyber threat landscape. Higgins explains why today's attackers aren't breaking in—they're logging in—using stolen credentials, AI-powered social engineering, and deepfakes to bypass traditional defenses and exploit trust.

The discussion explores how the rise of AI is eroding critical thinking, making it easier for even seasoned professionals to fall for convincing scams. Higgins and Puner break down the dangers of instant answers, the importance of “never trust, always verify,” and why zero standing privilege is essential for defending against insider threats. They also tackle the risks of shadow AI, the growing challenge of misinformation, and how organizations can build a culture of vigilance without creating a climate of mistrust.

Whether you're a security leader, IT professional, or just curious about the future of digital trust, this episode delivers actionable insights on identity security, cyber hygiene, and the basics that matter more than ever in 2026 and beyond.

Software Engineering Daily
Blocking Software Supply Chain Attacks with Feross Aboukhadijeh

Dec 9, 2025 47:48


Modern software relies heavily on open source dependencies, often pulling in thousands of packages maintained by developers all over the world. This accelerates innovation but also creates serious supply chain risks as attackers increasingly compromise popular libraries to spread malware at scale. Feross Aboukhadijeh is the founder and CEO of Socket which is a security

Absolute AppSec
Episode 305 - Career Impact of GenAI, SEO/GEO, More Supply Chain Attacks

Absolute AppSec

Nov 25, 2025


The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly turns to a compelling debate: How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. The hosts then dive into a fascinating discussion on the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), where marketers exploit AI search results through tricks like keyword-stuffed files to game rankings. They tie this to historical examples of exploitation, harkening back to Google hacking days. Finally, they cover the recent Shai Hulud 2 supply chain attack, which infected hundreds of NPM packages and utilized even more sophisticated obfuscation and delayed execution tactics than its predecessor.

Open Source Security Podcast
NPM supply chain attacks with Charlie Eriksen

Open Source Security Podcast

Nov 9, 2025 34:31


Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. We also cover how the rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-npm-charlie/

Blue Security
iPhone MIE, Microsoft - Israel MOD, npm supply chain attacks

Blue Security

Oct 7, 2025 26:53


Summary
In this episode, hosts Andy Jaw and Adam Brewer discuss the newly announced iPhone 17 and its enhanced security features, particularly the memory integrity enforcement that aims to protect user data from spyware. They also delve into Microsoft's response to allegations regarding the use of Azure by the Israeli Defense Force for surveillance purposes, emphasizing the company's commitment to privacy. The conversation concludes with a discussion on recent supply chain attacks affecting NPM packages and the proactive measures being taken to enhance security in the software development ecosystem.

YouTube Video Link: https://youtu.be/YLTiud1ibhU

Documentation:
https://www.theverge.com/news/775234/iphone-17-air-a19-memory-integrity-enforcement-mte-security
https://security.apple.com/blog/memory-integrity-enforcement/
https://blogs.microsoft.com/on-the-issues/2025/09/25/update-on-ongoing-microsoft-review/
https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/

Contact Us:
Website: https://bluesecuritypod.com
Bluesky: https://bsky.app/profile/bluesecuritypod.com
LinkedIn: https://www.linkedin.com/company/bluesecpod
YouTube: https://www.youtube.com/c/BlueSecurityPodcast

Andy Jaw
Bluesky: https://bsky.app/profile/ajawzero.com
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com

Adam Brewer
Twitter: https://twitter.com/ajbrewer
LinkedIn: https://www.linkedin.com/in/adamjbrewer/
Email: adam@bluesecuritypod.com

Machine Learning Street Talk
AI Agents Can Code 10,000 Lines of Hacking Tools In Seconds - Dr. Ilia Shumailov (ex-GDM)

Machine Learning Street Talk

Oct 4, 2025 61:07


Dr. Ilia Shumailov - Former DeepMind AI Security Researcher, now building security tools for AI agents

Ever wondered what happens when AI agents start talking to each other—or worse, when they start breaking things? Ilia Shumailov spent years at DeepMind thinking about exactly these problems, and he's here to explain why securing AI is way harder than you think.

**SPONSOR MESSAGES**
Check out notebooklm for your research project, it's really powerful: https://notebooklm.google.com/
Take the Prolific human data survey - https://www.prolific.com/humandatasurvey?utm_source=mlst and be the first to see the results and benchmark their practices against the wider community!
cyber•Fund https://cyber.fund/?utm_source=mlst is a founder-led investment firm accelerating the cybernetic economy
Oct SF conference - https://dagihouse.com/?utm_source=mlst - Joscha Bach keynoting(!) + OAI, Anthropic, NVDA,++
Hiring a SF VC Principal: https://talent.cyber.fund/companies/cyber-fund-2/jobs/57674170-ai-investment-principal#content?utm_source=mlst
Submit investment deck: https://cyber.fund/contact?utm_source=mlst

We're racing toward a world where AI agents will handle our emails, manage our finances, and interact with sensitive data 24/7. But there is a problem. These agents are nothing like human employees. They never sleep, they can touch every endpoint in your system simultaneously, and they can generate sophisticated hacking tools in seconds. Traditional security measures designed for humans simply won't work.

Dr. Ilia Shumailov
https://x.com/iliaishacked
https://iliaishacked.github.io/
https://sequrity.ai/

TRANSCRIPT:
https://app.rescript.info/public/share/dVGsk8dz9_V0J7xMlwguByBq1HXRD6i4uC5z5r7EVGM

TOC:
00:00:00 - Introduction & Trusted Third Parties via ML
00:03:45 - Background & Career Journey
00:06:42 - Safety vs Security Distinction
00:09:45 - Prompt Injection & Model Capability
00:13:00 - Agents as Worst-Case Adversaries
00:15:45 - Personal AI & CAML System Defense
00:19:30 - Agents vs Humans: Threat Modeling
00:22:30 - Calculator Analogy & Agent Behavior
00:25:00 - IMO Math Solutions & Agent Thinking
00:28:15 - Diffusion of Responsibility & Insider Threats
00:31:00 - Open Source Security Concerns
00:34:45 - Supply Chain Attacks & Trust Issues
00:39:45 - Architectural Backdoors
00:44:00 - Academic Incentives & Defense Work
00:48:30 - Semantic Censorship & Halting Problem
00:52:00 - Model Collapse: Theory & Criticism
00:59:30 - Career Advice & Ross Anderson Tribute

REFS:
Lessons from Defending Gemini Against Indirect Prompt Injections. https://arxiv.org/abs/2505.14534
Defeating Prompt Injections by Design. Debenedetti, E., Shumailov, I., Fan, T., Hayes, J., Carlini, N., Fabian, D., Kern, C., Shi, C., Terzis, A., & Tramèr, F. https://arxiv.org/pdf/2503.18813
Agentic Misalignment: How LLMs could be insider threats. https://www.anthropic.com/research/agentic-misalignment
STOP ANTHROPOMORPHIZING INTERMEDIATE TOKENS AS REASONING/THINKING TRACES! Subbarao Kambhampati et al. https://arxiv.org/pdf/2504.09762
Meiklejohn, S., Blauzvern, H., Maruseac, M., Schrock, S., Simon, L., & Shumailov, I. (2025). Machine learning models have a supply chain problem. https://arxiv.org/abs/2505.22778
Gao, Y., Shumailov, I., & Fawaz, K. (2025). Supply-chain attacks in machine learning frameworks. https://openreview.net/pdf?id=EH5PZW6aCr
Apache Log4j Vulnerability Guidance. https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance
Bober-Irizar, M., Shumailov, I., Zhao, Y., Mullins, R., & Papernot, N. (2022). Architectural backdoors in neural networks. https://arxiv.org/pdf/2206.07840
Position: Fundamental Limitations of LLM Censorship Necessitate New Approaches. David Glukhov, Ilia Shumailov, ... https://proceedings.mlr.press/v235/glukhov24a.html
AlphaEvolve MLST interview [Matej Balog, Alexander Novikov]. https://www.youtube.com/watch?v=vC9nAosXrJw

Out of the Woods: The Threat Hunting Podcast
S3 Ep45: Think, McFly, Think

Out of the Woods: The Threat Hunting Podcast

Oct 3, 2025 42:00


Threat Hunting Management Workshop: The Business Value of Threat Hunting
October 29, 2025 | 12:00 - 12:30 PM ET
Sign Up: https://www.intel471.com/resources/webinars/threat-hunting-management-workshop-the-business-value-of-threat-hunting

Top Headlines:
LastPass | Large-Scale Attack Targeting Macs via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware: https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages
Cisco Talos Blog | How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking: https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/?&web_view=true
Trend Micro | AI-Powered App Exposes User Data, Creates Risk of Supply Chain Attacks: https://www.trendmicro.com/en_us/research/25/i/ai-powered-app-exposes-user-data.html?&web_view=true
SentinelOne | Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware: https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware/

Stay in Touch!
Twitter: https://twitter.com/Intel471Inc
LinkedIn: https://www.linkedin.com/company/intel-471/
YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkg
Discord: https://discord.gg/DR4mcW4zBr
Facebook: https://www.facebook.com/Intel471Inc/

IT Visionaries
3 Biggest Cybersecurity Threats & What IT Leaders Need To Know

IT Visionaries

Sep 25, 2025 36:04


Cybersecurity isn't just about firewalls and passwords anymore. It's an all-out battle where hackers run businesses with customer support desks, insider threats can be disguised as your newest hire, and artificial intelligence is both the weapon and the shield. In this special episode of IT Visionaries, host Chris Brandt switches roles and sits in the hot seat while Lacey Peace, host of Experts of Experience, interviews him about the three biggest cyber threats IT leaders must prepare for in 2025. From the rise of ransomware-as-a-service to North Korean nationals infiltrating U.S. companies, and AI reshaping the entire security landscape, Chris reveals what's really happening behind the scenes of today's most dangerous attacks. With stories from his career building high-security facilities — including an EMP-shielded data center buried under a mountain — Chris shares the lessons that every business leader needs to hear about resilience, recovery, and why it's no longer a matter of “if” but “when.” Don't miss this candid and eye-opening conversation. Watch the full episode now and learn how to protect your organization before it's too late.

Key Moments:
00:00 Lacey Peace Interviews Chris Brandt
04:45 Cyber Extortion and Ransomware
08:17 Supply Chain Attacks
18:20 Creating an Isolated Recovery Environment
20:08 Threat Number Two: IT Worker Attacks
22:14 The Rise of Phishing Attacks
27:26 The Evolution of Social Engineering
30:19 The Role of AI in Cybersecurity
33:01 Challenges in Reporting Cyber Incidents
33:46 The Complexity of Cyber Incident Recovery
34:45 The Role of Governments in Cybersecurity

This episode of IT Visionaries is brought to you by Meter - the company building better networks. Businesses today are frustrated with outdated providers, rigid pricing, and fragmented tools. Meter changes that with a single integrated solution that covers everything wired, wireless, and even cellular networking. They design the hardware, write the firmware, build the software, and manage it all so your team doesn't have to. That means you get fast, secure, and scalable connectivity without the complexity of juggling multiple providers. Thanks to Meter for sponsoring. Go to meter.com/itv to book a demo.

Mission.org is a media studio producing content alongside world-class clients. Learn more at mission.org

PodRocket - A web development podcast from LogRocket
Google's antitrust win, AI mandates, npm attacks and robots.txt

PodRocket - A web development podcast from LogRocket

Sep 25, 2025 41:10


Is the web breaking under the weight of AI crawlers, platform consolidation, and nonstop security breaches? We dive into the state of browsers, developer burnout, and whether tech regulation can actually keep up.

In this panel discussion:
We debate if robots.txt and AI licensing standards like RSL can realistically control how AI scrapes the web.
The fallout from DIA's acquisition by Atlassian and what it means for indie browser innovation (like the Helium browser, Zen) in a Chromium-dominated world.
Why Google's antitrust victory might embolden other tech giants, and what that means for competition.
How supply chain attacks like the NPM malware and Shai Hulud worm are exploiting GitHub workflows and package vulnerabilities.
The pushback against AI mandates at work, including Coinbase's controversial policy requiring developers to use Copilot.

Resources
Inside the battle for the future of the web: https://www.businessinsider.com/google-microsoft-openai-fight-standards-limit-ai-access-websites-2025-9
The web has a new system for making AI companies pay up: https://www.theverge.com/news/775072/rsl-standard-licensing-ai-publishing-reddit-yahoo-medium
The Browser Company, maker of Arc and Dia, is being acquired: https://www.theverge.com/web/770947/browser-company-arc-dia-acquired-atlassian
Google stock jumps 8% after search giant avoids worst-case penalties in antitrust case: https://www.cnbc.com/2025/09/02/google-antitrust-search-ruling.html
Massive data breach sees 16 million PayPal accounts leaked online - here's what we know, and how to stay safe: https://www.techradar.com/pro/massive-data-breach-sees-16-million-paypal-accounts-leaked-online-heres-what-we-know-and-how-to-stay-safe
PayPal's Glitch Puts €10 Billion on Ice Across European Banks: https://fintechnews.ch/payments/paypal-glitch-freezes-european-banks-10-billion-transactions/77974/
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
Coinbase CEO explains why he fired engineers who didn't try AI immediately: https://techcrunch.com/2025/08/22/coinbase-ceo-explains-why-he-fired-engineers-who-didnt-try-ai-immediately/

We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! Let us know by sending an email to our producer, Em, at emily.kochanek@logrocket.com (mailto:emily.kochanek@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod).

Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we'll send you free PodRocket stickers!

What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr)

PodRocket - A web development podcast from LogRocket
Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

PodRocket - A web development podcast from LogRocket

Sep 23, 2025 40:09


Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog. We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and what you can do to protect yourself from future attacks.

Links
Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters
00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources

Special Guest: Feross Aboukhadijeh.