
War hits where it hurts.
Conflict in the Middle East disrupts the circuit board supply chain. The Supreme Court considers arguments on geofence searches. A new report highlights Chinese digital transnational repression. The NCSC protects HDMI and DisplayPort links. Tennessee bans cryptocurrency ATMs. Researchers expose a financially motivated subgroup of North Korea’s Lazarus Group. Medtronic confirms a ShinyHunters data breach. Tim Starks from CyberScoop discusses telecom vulnerabilities. A helpful AI deletes everything.
Today is Tuesday, April 28th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Conflict in the Middle East disrupts the circuit board supply chain.
Conflict in the Middle East has disrupted supplies of key raw materials used to manufacture printed circuit boards, or PCBs, driving sharp price increases across the electronics sector. Shipping disruptions in the Gulf have further tightened availability. At the same time, demand for PCBs has surged due to expanding AI server production, pushing prices up as much as 40 percent between March and April, according to Goldman Sachs analysts. Additional shortages of copper foil, glass fiber, and epoxy resin have compounded pressures. Manufacturers are now renegotiating prices with customers as lead times stretch and material costs continue rising.
Meanwhile, a hacking group linked to Iran’s Ministry of Intelligence, known as Handala Hack Team, claimed it leaked personal data of 2,379 U.S. Marines in the Persian Gulf and threatened further exposure. The group said it holds detailed information on families, locations, and activities, and warned personnel they could be targeted by drones and missiles. It also signaled plans to release U.S. Navy data.
The Supreme Court considers arguments on geofence searches.
During oral arguments in Chatrie v. United States, the Supreme Court signaled it is likely to rule that police geofence searches of cell phone location data qualify as Fourth Amendment searches and therefore require warrants. The case centers on whether law enforcement can request data identifying all devices near a crime scene without probable cause. Several justices expressed concern about the breadth of such searches, suggesting warrants should be narrowly tailored. The discussion crossed ideological lines, with both conservative and liberal justices questioning the government’s position. Privacy advocates view the likely outcome as significant, since a ruling against warrant requirements could have enabled broader reverse searches, including keyword-based requests. Google supported the plaintiff, warning that past geofence warrants have exposed thousands of users’ location histories. While the Court appears unlikely to ban the practice entirely, it seems poised to impose constitutional limits on how location data can be collected.
A new report highlights Chinese digital transnational repression.
Citizen Lab and ICIJ identified two China-aligned threat actors targeting diaspora activists and journalists through digital transnational repression. GLITTER CARP used phishing, fake security alerts, impersonation, and tracking pixels against Uyghur, Tibetan, Taiwanese, and Hong Kong activists, as well as ICIJ members. Its goal appeared to be stealing email credentials for possible follow-on access. SEQUIN CARP focused on journalists, including ICIJ’s Scilla Alecci, using fabricated or co-opted personas and OAuth consent phishing, which can grant persistent Gmail access without stealing a password. Citizen Lab assesses with high confidence that both actors are affiliated with the Chinese government, and with medium confidence that private contractors may be involved. The report argues these campaigns show how outsourced cyber operations can scale repression, undermine trust among civil society groups, and expand targeting from diaspora communities to journalists investigating China’s overseas repression.
The NCSC protects HDMI and DisplayPort links.
The UK’s National Cyber Security Centre has launched SilentGlass, a plug-in device that protects HDMI and DisplayPort links between computers and monitors. Developed through NCSC-led research and licensed to Goldilock Labs, with manufacturing support from Sony UK Technology Centre, the device inspects traffic passing through display connections and blocks suspicious or unauthorized activity. NCSC says monitors can expose sensitive information and may create overlooked pathways into larger systems, especially where physical access, supply chain risk, or third-party maintenance are factors. SilentGlass is designed for simple, affordable deployment across government and business environments. Its commercialization marks a broader shift toward protecting hardware interfaces, not just software and networks, and brings national-security-grade research into wider commercial use.
Tennessee bans cryptocurrency ATMs.
Tennessee has passed a law banning cryptocurrency ATMs starting July 1, citing their growing role in fraud schemes targeting vulnerable residents. The state follows Indiana in restricting the kiosks, while similar legislation is advancing in Minnesota. Law enforcement officials say scammers commonly use crypto ATMs in government impersonation, tech support, romance, and “pig butchering” scams, urging victims to deposit cash that is quickly converted to Bitcoin and transferred to criminal wallets. According to the FBI, 13,460 complaints in 2025 involved $389 million in losses tied to crypto ATMs, with most victims over age 60. Regulators have also sued major operators, including Bitcoin Depot, CoinFlip, and Athena, alleging the machines frequently facilitate scam activity rather than legitimate transactions.
Researchers expose a financially motivated subgroup of North Korea’s Lazarus Group.
Arctic Wolf reports a targeted intrusion against a North American Web3 company attributed with high confidence to BlueNoroff, a financially motivated subgroup of North Korea’s Lazarus Group. The attackers impersonated a fintech legal expert and sent a spear-phishing Calendly invite with a typo-squatted Zoom link. The fake meeting interface covertly captured webcam footage and deployed clipboard injection malware, enabling rapid credential theft focused on cryptocurrency wallet extensions. The compromise progressed from initial click to full system access in under five minutes. Investigators identified more than 100 additional global targets across 20 countries, many in crypto and investment roles, with CEOs and founders heavily represented. Analysis also revealed infrastructure supporting typo-squatted domains and a pipeline combining stolen webcam footage with AI-generated images to create convincing deepfake meeting lures for future attacks.
Medtronic confirms a ShinyHunters data breach.
Medical technology company Medtronic confirmed a cyber intrusion after the ShinyHunters group claimed it stole more than 9 million records and corporate data. The company said there is no evidence the incident affected products, patient safety, manufacturing, or hospital customer networks, which remain separately managed. Medtronic has not confirmed data theft but is investigating whether personal information was accessed. ShinyHunters later removed Medtronic from its leak site after issuing a ransom deadline, suggesting a possible payment, though this remains unconfirmed.
A helpful AI deletes everything.
PocketOS founder Jer Crane says his company’s production database vanished in just nine seconds after an AI coding agent, Cursor running Anthropic’s Claude Opus 4.6, tried to “help.” Assigned a routine staging task, the agent instead deleted a shared cloud volume, along with every backup stored on it. When asked why, the AI reportedly confessed it “guessed instead of verifying,” skipped documentation, and ran a destructive command anyway, a refreshingly honest postmortem for software.
Crane places much of the blame on Railway’s infrastructure design, which allowed a single API call to erase both live data and backups without confirmation. The result wiped months of customer records, leaving staff reconstructing bookings from payment histories and emails. A three-month-old backup survived, but the rest required manual recovery. The episode offers a modern lesson: automation moves fast, especially when it is confidently wrong.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
