The CyberWire Daily Podcast 4.21.26
Ep 2535 | 4.21.26

Trust lags behind technology.

Transcript

Anthropic’s Mythos proves irresistible despite claimed supply chain risks. Iran claims U.S. backdoors hit its networks. New Coast Guard rules target maritime OT security. A fresh NGate Android malware variant emerges. Thousands of ActiveMQ servers face active exploitation risk. CISA adds eight flaws to its KEV list. Progress patches MOVEit and LoadMaster bugs. Attackers impersonate IT staff over Microsoft Teams. A ransomware negotiator admits working with BlackCat. Our guest, Elad Koren, Vice President, Product Management, Cortex Cloud at Palo Alto Networks, discusses building AI natively into platforms. Google Gemini asks, “May we see your photos please?”

Today is Tuesday, April 21st, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Anthropic’s Mythos proves irresistible despite claimed supply chain risks.

Axios reports the U.S. National Security Agency is using Anthropic’s Mythos Preview model even as the Department of Defense labels Anthropic a supply-chain risk, highlighting a growing tension between AI capability and security governance. Mythos is especially strong at finding software vulnerabilities, which makes it valuable for cyber defense but also potentially useful for offensive activity if misused. This dual-use nature reflects a broader policy challenge: agencies may depend on advanced AI tools despite concerns about vendor trust, oversight, and strategic reliance. Anthropic’s related Project Glasswing initiative aims to apply Mythos defensively with industry partners to secure critical infrastructure. The episode underscores how operational urgency is pushing governments to adopt frontier AI faster than procurement rules and risk frameworks can adapt. 

Elsewhere, security researcher Alexander Hanff reports that installing Anthropic’s Claude Desktop on macOS automatically deployed an undocumented Native Messaging “bridge” across multiple Chromium-based browsers without user notice or consent. The manifest allows approved browser extensions to launch a local helper binary outside the browser sandbox with user-level privileges, potentially enabling access to authenticated sessions, page content, and automation features if activated. Hanff says the files were installed even for browsers not present on the system and were repeatedly reinstalled after deletion. Anthropic’s documentation describes similar capabilities for its browser integration but does not document this specific bridge behavior. The author argues the design expands attack surface and weakens browser isolation, raising concerns about transparency, consent, and supply-chain trust in desktop AI integrations.

Iranian media claims U.S. intelligence used hidden backdoors or botnets. 

Iranian media claims U.S. intelligence used hidden backdoors or botnets to disable networking equipment from vendors including Cisco, Juniper, Fortinet, and MikroTik during recent wartime disruptions, even while Iran was largely disconnected from the global internet. The allegations suggest firmware-level sabotage triggered remotely, though the outages are difficult to verify due to Iran’s ongoing nationwide connectivity restrictions. Some reports instead propose compromised devices formed part of a pre-positioned botnet. Chinese state media has amplified the claims, citing them as evidence of longstanding assertions that the United States embeds surveillance capabilities in networking infrastructure. Meanwhile, monitoring group NetBlocks reports Iran’s internet blockade has lasted more than 50 days with selective access granted to favored users, underscoring the limited visibility into events on the ground. 

New Coast Guard rules flag OT security for ships and ports. 

A new U.S. Coast Guard rule requiring cybersecurity controls for operational technology in ports and large U.S.-flagged vessels is expected to significantly expand the maritime cybersecurity market amid rising geopolitical risk. Operators must appoint cybersecurity officers, conduct risk assessments, develop vessel and facility cybersecurity plans by July 2027, and comply with incident reporting and training requirements already in effect. Industry experts say the rule will help security teams justify funding, though guidance on implementation details remains limited. The Coast Guard estimates compliance will cost about $134.5 million annually, a large share of a maritime cybersecurity services market valued at $186 million globally in 2024. While larger firms may build internal capabilities, smaller operators may rely on outsourcing. Enforcement capacity remains uncertain as the Coast Guard prepares to integrate cyber checks into existing inspections.

Researchers identify a new NGate Android malware variant. 

ESET researchers identified a new NGate Android malware variant that trojanizes the legitimate HandyPay app to relay payment card NFC data and steal PINs for fraudulent ATM withdrawals and transactions. The campaign, active since November 2025, targets users in Brazil through fake lottery and counterfeit Google Play websites distributing the modified app. Researchers say the injected malicious code shows signs of possible generative AI involvement, though this remains unconfirmed. Unlike earlier NGate attacks using tools such as NFCGate, attackers modified HandyPay directly to reduce cost and suspicion. The malware forwards card data to attacker devices and exfiltrates PINs to a command-and-control server, reflecting a broader rise in NFC-enabled financial fraud.

Apache ActiveMQ servers are vulnerable to a high-severity code injection flaw. 

More than 6,400 internet-exposed Apache ActiveMQ servers are vulnerable to active exploitation of CVE-2026-34197, a high-severity code injection flaw, according to Shadowserver. The issue, caused by improper input validation, allows authenticated attackers to execute arbitrary code and was reportedly identified with assistance from the Claude AI tool after remaining undiscovered for 13 years. Apache patched the flaw in March 2026, but many systems remain unpatched. CISA has ordered federal agencies to remediate the risk by April 30, warning it poses significant enterprise security threats.

CISA adds eight vulnerabilities to its Known Exploited Vulnerabilities catalog. 

CISA has added eight vulnerabilities to its Known Exploited Vulnerabilities catalog, including three affecting Cisco Catalyst SD-WAN Manager: CVE-2026-20128 and CVE-2026-20122, which Cisco confirmed as exploited, and CVE-2026-20133, which CISA lists despite no vendor confirmation. The update also includes flaws in PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE appliances, and Synacor Zimbra Collaboration Suite, some linked to ransomware and espionage activity. Federal agencies must remediate all eight by April 20, 2026.

Progress Software patches multiple MOVEit WAF and LoadMaster vulnerabilities. 

Progress Software released patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could allow authenticated attackers to execute arbitrary commands through improperly sanitized API inputs and file uploads. The flaws, including CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048, affect administrative functions in Progress ADC products. Another issue, CVE-2026-21876, enables specially crafted requests to bypass firewall protections. Progress says there are no reports of active exploitation but urges customers to update affected systems promptly.

Threat actors abuse Microsoft Teams chats to impersonate IT or helpdesk staff. 

Microsoft warns threat actors are abusing external Microsoft Teams chats to impersonate IT or helpdesk staff and trick employees into granting remote access to enterprise systems. In observed campaigns, attackers initiate support sessions using tools like Quick Assist, then perform reconnaissance with Command Prompt and PowerShell, establish persistence through DLL side-loading, and move laterally using Windows Remote Management (WinRM). They deploy additional remote tools and use utilities such as Rclone to selectively exfiltrate sensitive data to cloud storage. Because the activity relies heavily on legitimate software and native administrative protocols, detection is difficult. Microsoft advises organizations to treat external Teams messages as untrusted and restrict remote assistance and WinRM usage to reduce risk.

A Florida man pleads guilty to conspiring with BlackCat ransomware operators. 

A Florida man and former ransomware negotiator, Angelo Martino, pleaded guilty to conspiring with BlackCat ransomware operators to target U.S. companies in 2023. Prosecutors say Martino abused his role at a cyber incident response firm to share victims’ confidential negotiation strategies and insurance limits with attackers, helping increase ransom payments. He also joined accomplices Ryan Goldberg and Kevin Martin in deploying BlackCat ransomware against multiple victims, including an attack that yielded about $1.2 million in Bitcoin. Authorities have seized more than $10 million in assets linked to the scheme. Martino faces up to 20 years in prison, with sentencing scheduled for July. Officials say the case highlights insider risk within the ransomware response ecosystem.

Google Gemini asks, “May we see your photos please?”

Google’s latest Google Photos update invites users to let Gemini browse their memories in the name of convenience, and possibly creativity. By opting into its new “Personal Intelligence” feature, users allow the AI to scan photos of friends, family, and life events so it can generate more personalized images without needing detailed prompts. In theory, this saves time. In practice, it means your camera roll, that quiet archive of vacations, receipts, pets, and accidental screenshots, becomes part of Gemini’s working knowledge.

Google says the system does not directly train models on private photo libraries, though limited prompt and response data may still be used to improve performance. The feature is optional, adjustable, and launching first in the United States. Still, it quietly reframes the tradeoff: fewer instructions for the AI, more access to your life. As always with convenience upgrades, the fine print arrives slightly after the excitement.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.