Risky Business

Risky Business Media

160 episodes

  • Risky Business

    Risky Business #836 -- You can't patch the bugpocalypse

    2026/05/06 | 1h 1 mins.
    On this week’s show, Patrick Gray and James Wilson are joined by special guest co-host Brad Arkin. They discuss the week’s cybersecurity news, including:

    The US Government says we just have to patch faster, but…

    Bugs in cPanel, MoveIt and all Linux distributions this week show that patching alone isn’t enough

    James gets mad about lame AI Agent adoption advice from the US and Australian Governments

    James Kettle and Niels Provos both showed us that any model can find 0day like Mythos

    And the cyber-assisted theft of cargo results in an astonishing loss of $725 million

    This week’s show is sponsored by SpecterOps. Their CTO, Jared Atkinson, chats to Pat about the big changes in the threat landscape, brought about by AI, that are causing a pivot away from detection and remediation, and toward prevention.

    This episode is also available on YouTube.



    Show notes



    Exclusive: US officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking, sources say | Reuters


    British cyber agency warns of looming ‘patch wave’ as AI speeds flaw discovery | The Record from Recorded Future News


    Federal agencies must patch cPanel bug by Sunday, CISA says | The Record from Recorded Future News


    cPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security


    The most severe Linux threat to surface in years catches the world flat-footed - Ars Technica


    New MOVEit vulnerabilities prompt urgent patch warning | Cybersecurity Dive


    US and allies urge ‘careful adoption’ of AI agents | Cybersecurity Dive


    careful_adoption_of_agentic_ai_services.pdf


    User just tricked Grok and Bankrbot to send tokens with Morse code - Cryptopolitan


    Finding Zero-Days with Any Model


    Sponsored: James Kettle built an AI hacker - YouTube


    Feature Interview: Nicholas Carlini, Anthropic - Risky Business Media


    Trellix investigating breach of source code repository | Cybersecurity Dive


    Popular DAEMON Tools software compromised | Securelist


    Komari Red: The Monitoring Tool with a Built-in Reverse Shell | Huntress


    Hackers earning millions from hijacked cargo, FBI says | The Record from Recorded Future News


    Congress punts FISA renewal to June | The Record from Recorded Future News


    Cops Use Apple Data And Car Bluetooth To Identify Crypto Robbery Suspect


    Stewart Baker, outspoken voice on cybersecurity and national security law, dies at 78 | IAPP
  • Risky Business

    Snake Oilers: Ent AI, Spacewalk and Mondoo

    2026/05/01 | 43 mins.
    In this edition of the Snake Oilers podcast three vendors stop by to pitch the audience on their products:


    Ent AI: Co-founder Brandon Dixon pitched Ent, an intent-aware, AI-powered endpoint security control.




    Spacewalk AI: Founders Chris Fuller and Tim Wenzlau pitch Spacewalk, an AI-powered incident response platform.




    Mondoo: Co-founder Dominik Richter pitches Mondoo, an AI-powered “service as software” in the vulnerability management space.



    This episode is also available on YouTube.



  • Risky Business

    Risky Business #835 -- Why the Fast16 malware is badass

    2026/04/29 | 1h 6 mins.
    On this week’s show, Patrick Gray and James Wilson are joined by special guest-host Dmitri Alperovitch. They discuss the week’s cybersecurity news, including:

    The US government is mad as hell about Chinese firms stealing American AI technology

    Dmitri has an opinion or two about the US selling Nvidia chips to China

    Speaking of Chinese AI, Kimi’s new 2.6 is very interesting

    The US sanctions a Cambodian senator for earning mega bucks through scam compounds

    And a ransomware family is promoting itself as being … quantum-safe?

    This week’s show is sponsored by Trail of Bits. CEO and co-founder Dan Guido chats to Pat about how private inference works and Trail of Bits’ audit of WhatsApp’s private AI setup.

    This episode is also available on YouTube.



    Show notes



    Exclusive: US State Dept orders global warning about alleged AI thefts by DeepSeek, other Chinese firms | Reuters


    moonshotai/Kimi-K2.6 · Hugging Face


    Discord Sleuths Gained Unauthorized Access to Anthropic’s Mythos | WIRED


    Newly Deciphered Sabotage Malware May Have Targeted Iran’s Nuclear Program—and Predates Stuxnet | WIRED


    Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector | The Record from Recorded Future News


    Mystery Around Venezuelan Cyberattack Deepens, with New Discovery of "Highly Destructive" Wiper


    Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack - Risky Business Media


    AI Tools Are Helping Mediocre North Korean Hackers Steal Millions | WIRED


    CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March | The Record from Recorded Future News


    US, UK authorities warn that Firestarter backdoor malware survives patching | Cybersecurity Dive


    Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities | CyberScoop


    UK regulator closes loophole that allowed rogue companies to track phone users' location | Reuters


    US sanctions Cambodian senator for millions earned through scam compounds | The Record from Recorded Future News


    Vercel says some of its customers' data was stolen prior to its recent hack | TechCrunch


    Supply Chain Security Incident Update


    Apple fixes bug that cops used to extract deleted chat messages from iPhones | TechCrunch


    Kyle Daigle on X: "Wanted to provide more clarity about this. Yesterday, we had a regression in merge queue behavior where, in some cases, squash or rebase commits were generated from the wrong base state, making earlier changes appear reverted in branch history. 2,804 pull requests out of over 4M" / X


    Securing the git push pipeline: Responding to a critical remote code execution vulnerability - The GitHub Blog


    One ransomware crew now drives half of all cyber claims: At-Bay | Insurance Business


    In a first, a ransomware family is confirmed to be quantum-safe - Ars Technica


    What we learned about TEE security from auditing WhatsApp's Private Inference
  • Risky Business

    Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugs

    2026/04/22 | 1h
    On this week’s show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week’s cybersecurity news, including:

    Vercel got owned, and there’s a few infostealer and compromised employee dots to connect

    Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse

    Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs?

    The NSA is using Mythos even though the government did that whole Anthropic blacklisting thing

    And DDoS attacks hit a couple of smaller-player socials

    This week’s episode is sponsored by Permiso. Ian Ahl chats to Pat about the subtle signals Permiso uses to detect ShinyHunters-style activity in cloud and on-prem environments.

    This episode is also available on YouTube.



    Show notes



    Vercel April 2026 Security incident


    Vercel breach linked to infostealer infection at Context.ai


    Vercel confirms breach as hackers claim to be selling stolen data


    Matt Johansen: “This is not a good look” | X


    NIST limits vulnerability analysis as CVE backlog swells | Cybersecurity Dive


    CISA Cyber on X


    Ransomware attack continues to disrupt healthcare in London nearly two years later | The Record from Recorded Future News


    Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks | CyberScoop


    In defeat for Trump, House extends electronic spying program for just 10 days | The Record from Recorded Future News


    Crypto infrastructure company blames $290 million theft on North Korean hackers | The Record from Recorded Future News


    US-sanctioned currency exchange says $15 million heist done by "unfriendly states" - Ars Technica


    Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch


    Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox | WIRED


    NSA using Anthropic's Mythos despite Defense Department blacklist


    Beyond the breach: inside a cargo theft actor’s post-compromise playbook | Proofpoint US


    Beware scam messages offering ships safe transit through Hormuz Strait, says security firm | The Straits Times


    New Jersey men given lengthy sentences for running North Korean laptop farms | The Record from Recorded Future News


    Turns Out We’re Not Alone - Volodymyr Styran


    US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive


    Bluesky blames app outage on ‘sophisticated’ DDoS attack | The Record from Recorded Future News


    Mastodon says its flagship server was hit by a DDoS attack | TechCrunch


    An IT expert explained under what conditions using a VPN can cause a smartphone to explode
  • Risky Business

    Risky Business #833 -- The Great Mythos Freakout of 2026

    2026/04/15 | 59 mins.
    On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

    Everyone has an opinion about Claude Mythos… even though almost nobody has used it yet

    CISA adds a 2009 Excel bug to the KEV list, u wot?

    Adobe also parties like it’s the 2000s, and fixes an Acrobat Reader bug

    Disgraced former Trenchant exec Peter Williams’ sob story fails to resonate with … anyone

    Remember those crosswalk buttons hacked to play audio mocking Trump and Zuck? They were “secured” by the password: 1234.

    This week’s episode is sponsored by mobile network operator, Cape. Ajit Gokhale talks with James about the ways to get being a telco right when you’re starting from scratch and solving the security problems of 2026.

    This episode is also available on YouTube.



    Show notes



    Lab Space


    The “AI Vulnerability Storm”: Building a “Mythosready” Security Program


    Polymarket on X: "JUST IN: Goldman Sachs is reportedly ramping up its cyber defenses in preparation for Claude Mythos."


    Ananay on X: "Marcus Hutchins probably has the best take on Mythos doing vulnerability research"


    solst/ICE of Astarte on X: "The vast majority of CISOs do not work at Google-sized companies, and will not have to worry about 0days"


    Charlie Miller on X: "we’ve gone through this before with early fuzzers, afl, etc"


    James Kettle on X: "'Can AI Do Novel Security Research? Meet the HTTP Terminator' will premiere at Blackhat"


    jeffrey lee funk on X: "We've been tricked, again. Many of the thousands of bugs and vulnerabilities Mythos found are in older software are impossible to exploit."


    Claude is getting worse, according to Claude • The Register


    Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain


    OpenAI's Mac apps need updates thanks to the Axios hack | CyberScoop


    Hack at Anodot leaves over a dozen breached companies facing extortion | TechCrunch


    Snowflake customers hit in data theft attacks after SaaS integrator breach


    Booking.com confirms hackers accessed customers’ data


    CPUID hijacked to serve malware as HWMonitor downloads • The Register


    Known Exploited Vulnerabilities Catalog | CISA


    Adobe fixes PDF zero-day security bug that hackers have exploited for months | TechCrunch


    The Sad Decline of Trenchant Exec Who Had Everything, Before Deciding to Steal and Sell Zero Days to Russian Buyer


    FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database


    US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure | Cybersecurity Dive


    Telegram Is Still Hosting a Sanctioned $21 Billion Crypto Scammer Black Market | WIRED


    The Dumbest Hack of the Year Exposed a Very Real Problem | WIRED

About Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.