
When encryption meets enforcement.
Microsoft granted the FBI access to laptops encrypted with BitLocker. The EU opens an investigation into Grok’s creation of sexually explicit images. Glimmers of access pierce Iran’s internet blackout. Koi Security warns npm fixes fall short against PackageGate exploits. Some Windows 11 devices fail to boot after installing the January Patch Tuesday updates. CISA warns of active exploitation of multiple vulnerabilities across widely used enterprise and developer software. ESET researchers have attributed the cyberattack on Poland’s energy sector to Russia’s Sandworm. This week's business breakdown. Brandon Karpf joins us to talk space and cyber. CISA sits out RSAC.
Today is Monday, January 26th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Microsoft granted the FBI access to laptops encrypted with BitLocker.
A recent court case in Guam highlights a little-known privacy tradeoff in Windows security. During a federal investigation into alleged COVID-19 relief fraud, the Federal Bureau of Investigation accessed encrypted laptops protected by BitLocker without breaking the encryption. Instead, investigators obtained the recovery keys directly from Microsoft after securing a warrant.
The reason this was possible is that many Windows users choose to back up their BitLocker recovery keys to their Microsoft accounts for convenience. When those keys are stored in the cloud, Microsoft can legally provide them to authorities. Microsoft says it fulfills about 20 such requests a year.
The case underscores a familiar tradeoff between convenience and control. Users who want maximum privacy can store recovery keys offline, rather than in the cloud, ensuring only they can unlock their data.
The EU opens an investigation into Grok’s creation of sexually explicit images.
The European Commission has opened a new investigation into X over concerns that its generative AI model, Grok, enabled the creation of sexually explicit images, including sexualized images of children. The probe is being conducted under the Digital Services Act, which requires platforms to assess and mitigate systemic risks such as illegal content and serious harm to users.
The Commission says Grok may have exposed EU citizens to significant harm and will assess whether X met its legal obligations. X says it has zero tolerance for child sexual exploitation and has taken steps to restrict image generation, including limiting it to paying users. The investigation could lead to fines of up to six percent of X’s global turnover and expands existing DSA proceedings already underway.
Glimmers of access pierce Iran’s internet blackout.
After more than 17 days of a near-total internet blackout, some Iranians are gaining brief, sporadic online access amid a violent crackdown on nationwide protests. These short windows have allowed people to reassure families and share videos and testimony with journalists and rights groups, offering new insight into the scale of repression. Human rights organizations now believe deaths may far exceed earlier estimates of about 5,200.
The shutdown, imposed as protests escalated into calls to overthrow the Islamic Republic, has severely limited reporting by outlets such as The New York Times. Experts at NetBlocks and the digital rights group Miaan say the fleeting access likely reflects government experiments with tightly controlled, tiered internet access. The blackout remains the longest and most extensive Iran has imposed.
Koi Security warns npm fixes fall short against PackageGate exploits.
Security researchers have identified weaknesses in defenses introduced after the Shai-Hulud supply-chain attacks that allow attackers to bypass protections in JavaScript package managers using Git-based dependencies. The issues, dubbed PackageGate, were discovered by researchers at Koi Security and affect tools including pnpm, vlt, Bun, and npm.
The findings stem from mitigations added after Shai-Hulud compromised hundreds of packages and exposed hundreds of thousands of developer secrets. While measures such as disabling lifecycle scripts with --ignore-scripts were recommended, Koi found that npm installs from Git repositories can be abused via malicious configuration files to achieve full code execution even when scripts are disabled. The researchers say this technique has already been used in proof-of-concept attacks.
Other package managers patched similar flaws, including Bun, pnpm, and vlt. npm rejected the report, saying the behavior works as expected. Parent company GitHub said it is scanning for malware and urged stronger supply-chain security practices, according to reporting by BleepingComputer.
Some Windows 11 devices fail to boot after installing the January Patch Tuesday updates.
Microsoft is investigating reports that some Windows 11 devices fail to boot after installing the January 2026 Patch Tuesday updates. The issue affects Windows 11 24H2 and 25H2 systems that installed cumulative update KB5074109, triggering an “UNMOUNTABLE_BOOT_VOLUME” stop error during startup. Affected physical devices cannot boot into Windows and require manual recovery, while virtual machines appear unaffected. Microsoft has asked users to submit reports via Feedback Hub and says it is still determining whether the problem is update-related, according to reporting first noted by AskWoody.
CISA warns of active exploitation of multiple vulnerabilities across widely used enterprise and developer software.
CISA has warned that attackers are actively exploiting multiple vulnerabilities across widely used enterprise and developer software, adding them to its Known Exploited Vulnerabilities catalog. The flaws affect products from Versa, Zimbra, the Vite JavaScript framework, and the Prettier code formatter. Exploitation includes authentication bypasses, improper access controls, and supply-chain attacks involving malicious npm packages. CISA also flagged a separate, critical heap overflow vulnerability in VMware vCenter Server that enables remote code execution and has no workaround beyond patching. Federal civilian agencies are required to apply fixes or mitigations by mid-February 2026 under Binding Operational Directive 22-01. CISA has not disclosed details about the attacks or their connection to ransomware.
ESET researchers have attributed the cyberattack on Poland’s energy sector to Russia’s Sandworm.
Researchers at ESET have attributed a major late-2025 cyberattack on Poland’s energy sector to the Russia-aligned advanced persistent threat group Sandworm. The incident, described as Poland’s largest cyberattack in years, involved data-wiping malware that ESET has dubbed DynoWiper, detected as Win32/KillFiles.NMO. Based on malware analysis and overlapping tactics, techniques, and procedures, ESET says it made the attribution with medium confidence, though it found no evidence the attack caused a successful disruption.
The timing is notable, coming during the 10th anniversary of Sandworm’s 2015 attack on Ukraine’s power grid, the first malware-induced blackout. ESET says Sandworm continues to regularly target critical infrastructure, particularly in Ukraine, using destructive wiper attacks.
Biz brief.
The global cybersecurity sector saw a wave of funding and consolidation, with multiple startups raising capital and a surge of mergers and acquisitions across five countries. Belgium-based developer security firm Aikido led funding with a $60 million Series B, while post-quantum security startup Project Eleven raised $20 million. Additional funding rounds supported firms focused on human risk management, cyber intelligence, software security, and digital forensics across Europe, the U.S., and India.
M&A activity was equally strong, with 10 announced deals. Notable transactions include Infoblox acquiring exposure management firm Axur, Delinea buying StrongDM, and Thinkst Canary acquiring DeceptIQ. The deals reflect continued investment in identity security, managed services, AI governance, and proactive threat detection as the market matures.
CISA sits out RSAC.
The Cybersecurity and Infrastructure Security Agency has decided it will not attend the RSA Conference this March, a move that leaves much of the cybersecurity world blinking in confusion. This is, after all, the industry’s largest annual gathering, a weeklong exercise in talking about threats, resilience, and coordination. Exactly the sort of thing a national cyber defense agency might be expected to show up for.
CISA says the decision reflects a renewed focus on core statutory duties and alignment with President Donald Trump’s security priorities, along with careful use of taxpayer dollars. Fair enough, except RSAC has long been where CISA delivered its message, rallied vendors, and talked directly to defenders.
The absence lands days after former CISA director Jen Easterly became RSAC’s CEO, her latest stop after a politically turbulent exit from government and a rescinded role at the United States Military Academy at West Point.
Once, CISA officials headlined RSA. Now they are skipping it. For an agency tasked with national cyber coordination, opting out of the one place everyone coordinates feels less strategic and more baffling.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
