
Your private call isn’t so private.
The UK’s cyber security chief urges a “full court press” against threats. RSAC highlights. The U.S. State Department has launched a Bureau of Emerging Threats. The TeamPCP cybercriminal group targets an open source library. TP-Link patches multiple router vulnerabilities. A critical vulnerability hits Windchill and FlexPLM platforms. A phishing campaign impersonates Palo Alto Networks recruiters. Malicious Chrome extensions are harvesting users’ conversations with AI tools.
Today is Wednesday, March 25th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Hello, everyone. I’m Dave Bittner, coming to you from the RSA Conference 2026 here in San Francisco.
We’re spending the week talking with security leaders, researchers, and practitioners about what’s shaping the threat landscape right now, from artificial intelligence risks to supply chain security and the latest moves from nation-state actors. Stay with us for insights, interviews, and the stories security teams are watching closely as RSAC continues.
The UK’s cyber security chief urges a “full court press” against threats.
The UK’s cyber security chief is urging governments, industry, and allies to mount a coordinated “full court press” against increasingly complex cyber threats.
In a keynote at the RSA Conference, National Cyber Security Centre CEO Richard Horne warned cyber risks now carry greater consequences, driven by cooperation between state and criminal actors. He said no single measure will suffice, and pointed to actions spanning organizational resilience, shared infrastructure protection, and disruption of adversary networks.
Horne argues sustained, collective pressure across law enforcement, regulation, offensive cyber activity, and secure-by-design software is required to counter attacks growing in scale and sophistication, including those amplified by artificial intelligence.
To that point, UK police arrested more than 500 suspects in a nationwide fraud crackdown under Operation Henhouse, freezing and seizing millions in suspected criminal proceeds.
The National Crime Agency and City of London Police said the fifth annual operation led to 557 arrests, 172 voluntary interviews, 249 cease-and-desist notices, and freezes on £9 million, alongside £18.1 million in asset seizures. Authorities also blocked millions of scam calls and identified overseas fraud call centers.
Officials say coordinated national enforcement disrupts large fraud ecosystems affecting individuals and businesses across both digital and offline channels.
RSAC highlights.
Day two of the RSA Conference featured a wave of announcements focused on securing artificial intelligence systems, identities, and software supply chains as vendors rolled out new defensive capabilities.
SecurityWeek reported launches spanning AI visibility tools from Cyberhaven, identity security posture management features from RSA and Saviynt, and generative-AI agents from Securonix designed to reduce analyst workload. Other updates included Qualys protections for machine learning pipelines, Recorded Future malware intelligence automation, and Sonatype enhancements to software repository malware defenses. Several announcements also emphasized compliance automation, cloud data security, and storage-level cyber resilience.
The volume and direction of launches signal an industry shift toward protecting AI workflows and consolidating identity and data risk visibility across enterprise environments.
The U.S. State Department has launched a Bureau of Emerging Threats.
The U.S. State Department has launched a Bureau of Emerging Threats to counter adversaries’ weaponization of technologies such as artificial intelligence, cyberspace, and space systems.
Officials told ABC News the bureau will address risks from Iran, China, Russia, North Korea, and foreign terrorist organizations. It includes offices focused on cybersecurity, critical infrastructure, disruptive technology, space security, and threat assessment. Officials said the effort supports long-term national security planning and coordination across foreign policy tools. The department formally notified Congress the same day the White House released a national artificial intelligence policy framework.
Officials say adversaries are increasingly exploiting emerging technologies, requiring coordinated diplomatic and security responses beyond traditional cyber defense.
The TeamPCP cybercriminal group targets an open source library.
A malicious update to the LiteLLM open source library is the latest supply chain attack attributed to the TeamPCP cybercriminal group.
Researchers at FutureSearch first identified the issue after executing the payload locally. Sonatype later confirmed versions 1.82.7 and 1.82.8 on PyPI contained a credential stealer and malware dropper. Because LiteLLM brokers connections between applications and multiple large language model providers, it can expose API keys, environment variables, and other secrets. Investigators linked the incident to earlier compromises affecting Trivy, Checkmarx extensions, and several npm packages.
Attackers are targeting tools embedded deep in AI development pipelines, where access to credentials can enable broader downstream compromise across enterprise environments.
TP-Link patches multiple router vulnerabilities.
TP-Link has patched multiple vulnerabilities in its Archer NX router series, including a critical flaw that could let attackers bypass authentication and upload malicious firmware.
Tracked as CVE-2025-15517, the issue affects Archer NX200, NX210, NX500, and NX600 routers and stems from a missing authentication check in certain HTTP server endpoints. TP-Link said attackers could perform privileged actions without logging in. The company also fixed a hardcoded cryptographic key flaw and two command injection vulnerabilities that allowed administrators to execute arbitrary commands.
Router-level compromise can enable persistent access and configuration control at the network edge, increasing exposure for home and small office environments if patches are not applied promptly.
A critical vulnerability hits Windchill and FlexPLM platforms.
PTC is warning customers about a critical vulnerability in its Windchill and FlexPLM platforms that could enable remote code execution, with German authorities taking the unusual step of directly alerting affected organizations.
Tracked as CVE-2026-4681, the flaw involves deserialization of trusted data and affects most supported versions and critical patch sets of both products. PTC said no patches are yet available and urged administrators to block access to a specific servlet path or disconnect exposed systems if mitigation is not possible. The company also released indicators of compromise and reported credible evidence of an imminent third-party exploitation attempt.
These product lifecycle management systems are widely used in industrial and engineering environments, increasing potential downstream risk if exploitation occurs before patches are released.
A phishing campaign impersonates Palo Alto Networks recruiters.
A phishing campaign impersonating Palo Alto Networks recruiters is targeting senior professionals with fake hiring outreach designed to extract payment under the guise of résumé processing requirements.
According to Palo Alto, attackers use scraped LinkedIn data and realistic corporate branding to build credibility before claiming candidates failed automated Applicant Tracking System checks. Victims are then referred to a supposed third-party specialist who offers to “fix” the issue for fees ranging from $400 to $800. The campaign relies on urgency and procedural realism to pressure targets into paying quickly.
The operation shows how threat actors are adapting business-process impersonation tactics to exploit executive job seekers directly for financial gain.
Malicious Chrome extensions are harvesting users’ conversations with AI tools.
Security researchers are warning that malicious Chrome extensions are harvesting users’ conversations with artificial intelligence tools in a tactic known as prompt poaching.
Expel said it observed several dozen incidents in the past month involving extensions that monitor open tabs, detect AI clients, and capture questions and responses through application programming interface interception or page scraping before sending the data to external servers. Attackers either impersonate legitimate AI helper extensions or introduce malicious features after building a large user base, as seen with Urban VPN Proxy.
Stolen prompts may expose intellectual property, customer information, or other sensitive data that can support phishing, identity theft, or resale on underground forums.
Intern Kevin hits the floor at RSAC 2026.
Your “private” Zoom call may already have a podcast deal.
A site called WebinarTV is drawing attention after quietly recording publicly linked Zoom meetings and republishing them as AI-generated podcasts, sometimes without participants realizing their conversations were captured at all.
According to multiple reports and a CyberAlberta analysis, WebinarTV scans for meeting links, joins sessions using browser extensions or related tools, then records and republishes content with summaries, chapters, and even AI hosts discussing the calls. Some users only discovered this after receiving promotional emails congratulating them on their surprise podcast debut. Zoom said the activity happens outside its platform environment and relies on publicly shared meeting links rather than a software vulnerability.
This matters because organizations often treat webinars as semi-private working spaces, yet publicly shared links can quietly turn them into searchable, replayable content libraries for someone else’s business model. The safest assumption may be that if a meeting link can be shared widely, it can also be replayed widely, and possibly narrated by Phil and Amy.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
