Risky Business

On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

Anthropic’s new Mythos model hunts bugs and chains exploits together so well that… you cant have it…

…Unless you’re one of their Project Glasswing partners

The world isn’t short on bugs, though. F5, Fortinet, Progress ShareFile, and TrueConf are all getting rekt by humans

GPU Rowhammering goes in the GPU, past the IOMMU and back into the host-side Nvidia driver

North Korea is spending serious time and money on its crypto hacking

Just when the US needs CISA most, they slash its budget some more!

This week’s episode is sponsored by identity verification firm, Persona. Tying digital actions to actual human identities isn’t just for banking know-your-customer any more. Persona’s Benjamin Chait says know-your-staff checks belong in high-value flows inside your organisation, too.

This episode is also available on Youtube.



Show notes



Claude Mythos Preview \ red.anthropic.com


Anthropic Claims Its New A.I. Model, Mythos, Is a Cybersecurity ‘Reckoning’ - The New York Times


Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything | WIRED


FFmpeg on X: "Thank you to @AnthropicAI for sending FFmpeg patches" / X


Critical flaw in F5 BIG-IP faces wide exploitation risk | Cybersecurity Dive


React2Shell vulnerability helps hackers steal credentials, AI platform keys and other sensitive data | Cybersecurity Dive


Critical flaw in FortiClient EMS under exploitation | Cybersecurity Dive


Researchers warn of critical flaws in Progress ShareFile | Cybersecurity Dive


CISA gives agencies two weeks to patch video conferencing bug exploited by Chinese hackers | The Record from Recorded Future News


New Rowhammer attacks give complete control of machines running Nvidia GPUs - Ars Technica


North Korea's hijack of one of the web's most used open source projects was likely weeks in the making | TechCrunch


Drift crypto platform confirms $280 million stolen in hack as researchers point finger at North Korea | The Record from Recorded Future News


Drift on X: "Drift Protocol — Incident Background Update " / X


Trump’s FY2027 budget again targets CISA | Cybersecurity Dive


CISA’s vulnerability scans, field support on chopping block in Trump budget | Cybersecurity Dive


Iranian hackers break into U.S. industrial systems, agencies warn


FBI labels suspected China hack of law enforcement data 'a major cyber incident'


Russia Hacked Routers to Steal Microsoft Office Tokens – Krebs on Security


Massachusetts hospital turning ambulances away after cyberattack | The Record from Recorded Future News


Exclusive | 'Ghost Murmur,' a never-used secret tool, deployed to find lost airman in Iran in daring mission


A Secure Chat App’s Encryption Is So Bad It Is ‘Meaningless’

In this special documentary episode, Patrick Gray and Amberleigh Jack take a look back at hacking throughout the 1990s, from the feel-good vibes of the early hacking communities to the antics of young hackers who wound up on the run from the FBI.

Part one features recollections from:

Jeff Moss (The Dark Tangent), DefCon and Black Hat founder

Chris Wysopal (Weld Pond), L0pht member, co-founder, @Stake

Kevin Poulsen (Dark Dante), 1990s hacker turned journalist

Elias Levy (Aleph One), author of Smashing the Stack for Fun and Profit, Phrack, 1996

How the World Got Owned is produced in partnership with SentinelOne.



Show notes



Elias Levy (Aleph1), Former Principle Engineer, Google


Kevin Poulsen, Journalist


Jeff Moss, DefCon founder


Chris Wysopal, @Stake founder, L0pht member


Hackers testifying at the United States Senate, May 19, 1998


Hackers May ‘Net’ Good PR for Studio


DefCon Archives | DefCon 1


A Not So Terribly Brief History of the Electronic Frontier Foundation


Innocent Hackers Want Their Computers Back


Breakdowns in Computer Security


Unsolved Mysteries, Season 3, Episode 4


The Last Hacker: He Called Himself Dark Dante. His Compulsion Led Him to Secret Files and, Eventually, The Bar of Justice


Justia appeal summary, Kevin Poulsen, 1994


Smashing the Stack for Fun and Profit, Phrack Magazine, November 1996


From subversives to CEOs: How radical hackers built today’s cybersecurity industry

On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

Those pesky North Koreans shim a backdoor into a 100M-downloads-a-week npm package

TeamPCP appear to have ransacked Cisco’s source and cloud environments

AI is getting legitimately good at being told to “just go find some 0day in this”

Kaspersky says Coruna and Triangulation do share code lineage

Iranian hackers dump Kash Patel’s gmail spool

Oh, and of course there’s a Citrix Netscaler memory leak being exploited in the wild

This week’s episode is sponsored by Dropzone AI, who make automated AI SOC analysts. Head honcho Ed Wu explains how they’ve built pre-canned ‘hunt packs’ to lead the AI off into your environment to find weird, interesting and security relevant things.

This episode is also available on Youtube.



Show notes



Google links axios supply chain attack to North Korean group | The Record from Recorded Future News


Cisco source code stolen in Trivy-linked dev environment breach


chiefofautism on X: "someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo"


h0mbre on X: "Claude is somehow better at kernel exploitation than creating meal plans."


Vulnerability Research Is Cooked — Quarrelsome


MAD Bugs: vim vs emacs vs Claude - Calif


MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)


A Risky Biz Experiment: Hunting for iOS 0day with AI - Risky Business Media


Security leaders say the next two years are going to be 'insane' | CyberScoop


Coruna framework: an exploit kit and ties to Operation Triangulation | Securelist


Apple says no one using Lockdown Mode has been hacked with spyware | TechCrunch


Reverse engineering Apple’s silent security fixes - Calif


Jury finds Meta's platforms are harmful to children in 1st wave of social media addiction lawsuits | PBS News


Meta and YouTube found liable in social media addiction trial


Iranian hackers publish emails allegedly stolen from Kash Patel


Iran Us War: 'Legitimate targets': Iran issues warning to US tech firms including Google, Amazon, Microsoft, Nvidia - The Times of India


Drop Site on X: "IRGC: From now on, for every assassination, an American company will be destroyed"


OSINTtechnical on X: "Starlink shutdowns are forcing Russian troops even deeper into Ubiquiti’s ecosystem. "


Citrix NetScaler products confirmed to be under exploitation | Cybersecurity Dive


CISA tells federal agencies to patch Citrix NetScaler bug by Thursday | The Record from Recorded Future News


Using a VPN May Subject You to NSA Spying | WIRED


Post reporters called the White House. Their phones showed ‘Epstein Island.’ - The Washington Post

In this sponsored Soap Box edition of the show, Patrick Gray and James Wilson talk about red teaming AI systems with Russel Van Tuyl, Vice President of Services at elite penetration testing firm SpecterOps.

SpecterOps is the company behind attack path enumeration tool Bloodhound and Bloodhound Enterprise, but they’re also a pentest and red teaming shop with world class expertise in popping shells on all sorts of interesting systems in all sorts of interesting places.

This episode is also available on Youtube.



Show notes

On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They talk through:

TeamPCP’s supply chain attack on Github, and they threw in an anti-Iran wiper, because why not?!

Anthropic hooks up its models to just… use your whole computer

After Stryker’s Very Bad Day, CISA says maybe add some more controls around your Intune?

Another iOS exploit kit shows up in the cyber bargain-bin

The FTC decides to ban… all new home routers?! U wot m8?!

Supermicro founder was personally sanction-busting Nvidia GPUs into China?!

This week’s episode is sponsored by enterprise browser maker, Island. Chief Customer Officer Bradon Rogers joins Pat to explain how its customers are using Island to control the use of personal AI services in regulated industries.

This episode is also available on Youtube.



Show notes



‘CanisterWorm’ Springs Wiper Attack Targeting Iran


TeamPCP deploys CanisterWorm on NPM following Trivy compromise


Andrej Karpathy on X: "Software horror: litellm PyPI supply chain" attack


Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags


Felix Rieseberg on X: "Today, we’re releasing a feature that allows Claude to control your computer"


A Top Google Search Result for Claude Plugins Was Planted by Hackers


Lockheed Martin targeted in alleged breach by pro-Iran hacktivist


CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices


FBI seems to seize website tied to Iranian cyberattack on Stryker


Stryker confirms cyberattack is contained and restoration underway


Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild


Someone has publicly leaked an exploit kit that can hack millions of iPhones


Russia-linked hackers use advanced iPhone exploit to target Ukrainians


Apple rolls out first 'background security' update for iPhones, iPads, and Macs to fix Safari bug


Post by @wartranslated.bsky.social — Bluesky


Signal’s Creator Is Helping Encrypt Meta AI


Hacker says they compromised millions of confidential police tips held by US company


Millions of 'anonymous' crime tips exposed in massive Crime Stoppers hack


Feds Disrupt IoT Botnets Behind Huge DDoS Attacks


FCC bans import of consumer-grade routers amid national security concerns


White House pours cold water on cyber ‘letters of marque’ speculation


Google launches threat disruption unit, stops short of calling it ‘offensive'


Supermicro’s cofounder was just arrested for allegedly smuggling $2.5 billion in GPUs to China


Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US


Man pleads guilty to $8 million AI-generated music scheme


Two Israelis AI generated "intelligence" and sold it to Iran