
The fixes keep coming.
Brace for an AI-driven patch surge. Google fixes a critical Android flaw. Trellix confirms a source code breach. Apache Software Foundation ships urgent fixes. Data tied to Liberty Mutual leaks. CloudZ evolves to steal OTPs. Ouroboros persistence raises the stakes. A vishing suspect faces U.S. charges. Our guest is Markus Rauschecker, Executive Director for the University of Maryland Center for Cyber, Health and Hazard Strategies (CHHS), on the importance of the non-technical aspects of good cybersecurity preparedness and response. Our Threat Vector segment focuses on incident response. If you think UK age verification is working, I mustache you a question.
Leaders say brace for a wave of AI-driven patches.
Security leaders warn UK organizations to prepare for a surge in software patches driven by advanced AI tools used by vendors to uncover vulnerabilities. National Cyber Security Centre CTO Ollie Whitehouse describes this as a “forced correction” of long-standing technical debt. Tools from Anthropic and OpenAI are currently restricted to vendors, enabling rapid bug discovery and remediation.
Organizations are urged to prioritize external attack surfaces, enable automated patching, and adopt risk-based frameworks like SSVC. However, patching alone is insufficient for unsupported legacy systems, which may require replacement.
In the US, the Cybersecurity and Infrastructure Security Agency may shorten patch deadlines, raising concerns about feasibility. Experts like Morey Haber note that most organizations lack the automation and visibility needed to respond at such speed.
Indeed, most organizations are using AI tools, but fewer than half have formal policies to manage the risks, raising exposure concerns.
New research from ISACA finds 90% of digital trust professionals report employee AI use. Yet only 38% have comprehensive policies, and 25% have none. This gap fuels “shadow AI,” where employees use tools without oversight, potentially exposing sensitive data. Many respondents say they lack visibility into these tools and remain uncertain about incident response timelines or shutdown procedures.
Unmanaged AI use increases the risk of data leaks, phishing, and trust erosion. Security teams face reduced visibility and slower response. Effective governance, strong data controls, and leadership awareness are now critical to safely scale AI adoption.
Google patches a critical Android flaw.
Google has released an Android update addressing a critical flaw that allows remote code execution without user interaction.
The vulnerability, CVE-2026-0073, affects Android’s System component, specifically the Android Debug Bridge daemon, or ADB, which manages device-to-computer communication. Successful exploitation could allow attackers to execute code as the shell user without additional privileges. Google reports no evidence of active exploitation and notes no patches this cycle for several platforms, including Wear OS and Pixel Watch.
Zero-interaction flaws raise the risk of silent compromise at scale. Even without active exploitation, organizations should prioritize rapid patching to reduce exposure.
Trellix reveals a breach of its source code repository.
Trellix has disclosed a breach in which attackers accessed part of its source code repository.
The company says it detected unauthorized access and is investigating with forensic experts and law enforcement. Trellix reports no evidence that its code distribution process was compromised or that the code has been exploited. Details on attribution remain unclear. Experts warn that access to security vendor code can reveal how defenses work and expose potential weaknesses.
Attacks on security vendors can create downstream risk across customers. Source code access may give adversaries insight into detection logic, increasing the potential for supply chain-style attacks.
Apache patches multiple critical vulnerabilities.
Apache Software Foundation has released updates addressing multiple critical vulnerabilities in HTTP Server and MINA, including remote code execution risks.
Apache HTTP Server 2.4.67 fixes 11 flaws, most affecting all prior versions. These include memory handling issues and protocol weaknesses that could enable denial of service or arbitrary code execution. Additional bugs expose data or allow response manipulation. Separate MINA updates resolve critical flaws tied to incomplete fixes for earlier vulnerabilities, also enabling potential code execution.
Widely deployed infrastructure software presents broad attack surfaces. Organizations should patch quickly and follow configuration guidance to reduce exploitation risk.
Hackers leak data allegedly stolen from Liberty Mutual.
The Everest ransomware group has begun leaking data it claims was stolen from Liberty Mutual, after alleging the firm did not respond to extortion demands.
The group says it exfiltrated 108 gigabytes of data, including policyholder details such as names and financial information. Liberty Mutual confirms it is investigating but reports no evidence its own systems were compromised, suggesting a potential third-party vendor incident. Attribution and full impact remain unclear.
An updated CloudZ RAT steals one-time passcodes.
A new version of the CloudZ remote access trojan is using a plugin called Pheno to steal one-time passcodes through Microsoft Phone Link.
Researchers at Cisco Talos report the malware monitors active Phone Link sessions and accesses its local database to capture SMS messages and authentication codes. This allows attackers to intercept sensitive data without compromising the mobile device itself. The campaign, active since at least January, begins with a fake software update and uses multiple evasion techniques to avoid detection.
This challenges traditional assumptions about mobile security. Attackers can extract authentication data through trusted desktop integrations, weakening SMS-based protections and exposing enterprise credentials.
Ouroboros exploits delegated Managed Service Accounts to extract credentials.
Researchers at Huntress have identified “Ouroboros,” a persistence technique that exploits delegated Managed Service Accounts, or dMSAs, in Windows Server 2025 to continuously extract credentials.
The method abuses two design elements. It plants a Shadow Credential for authentication and modifies GroupMSAMembership to let the dMSA authorize itself. This creates a loop where the account both authenticates and approves access to a linked account’s credentials. The chain survives password resets and even deletion of the original attacker account. Microsoft addressed related issues previously but does not classify this behavior as a vulnerability.
This matters because it enables durable, low-noise persistence using legitimate features. Defenders may struggle to detect or remediate without deleting affected dMSAs entirely.
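As an added defender-side example that is not from the Huntress research or this show, the following PowerShell audit looks for the two markers the segment describes: a dMSA that is itself authorized to retrieve its own managed password, and a dMSA carrying a Shadow Credential. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to a Windows Server 2025 forest. The page names only "GroupMSAMembership" and "Shadow Credential"; the attribute names used here (msDS-KeyCredentialLink, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState) and the use of Get-ADServiceAccount to enumerate dMSAs are assumptions drawn from the AD schema, not from the page.

```powershell
# Added audit example (not from Huntress or the podcast). Lists delegated MSAs that
# either allow themselves to retrieve their own managed password or carry a
# Shadow Credential, and reports the linked (preceded-by) account for each hit.
# Assumptions: ActiveDirectory RSAT module, read access to the domain, and a
# Windows Server 2025 forest where dMSAs exist. The attribute names below are
# AD schema attributes assumed here; the page itself names only
# "GroupMSAMembership" and "Shadow Credential".
Import-Module ActiveDirectory

function Get-SuspiciousDmsa {
    [CmdletBinding()]
    param(
        # Defaults to the whole domain; narrow it to an OU DN for large forests.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $props = @(
        'PrincipalsAllowedToRetrieveManagedPassword',  # friendly view of msDS-GroupMSAMembership
        'msDS-KeyCredentialLink',                       # Shadow Credentials live here
        'msDS-ManagedAccountPrecededByLink',            # the account the dMSA supersedes
        'msDS-DelegatedMSAState'                        # present only on delegated MSAs (assumed)
    )

    # Restrict to delegated MSAs by requiring the dMSA state attribute.
    Get-ADServiceAccount -SearchBase $SearchBase `
        -LDAPFilter '(msDS-DelegatedMSAState=*)' `
        -Properties $props |
    ForEach-Object {
        $acct = $_

        # Finding 1: the dMSA's own DN appears in its password-retrieval principals,
        # i.e. the account authorizes itself (the "loop" the segment describes).
        $selfAuthorized = @($acct.PrincipalsAllowedToRetrieveManagedPassword) -contains $acct.DistinguishedName

        # Finding 2: one or more key credentials (Shadow Credentials) are attached.
        $shadowCredCount = @($acct.'msDS-KeyCredentialLink').Count

        if ($selfAuthorized -or $shadowCredCount -gt 0) {
            [pscustomobject]@{
                Name            = $acct.Name
                SelfAuthorized  = $selfAuthorized
                ShadowCredCount = $shadowCredCount
                LinkedAccount   = $acct.'msDS-ManagedAccountPrecededByLink'
                DmsaState       = $acct.'msDS-DelegatedMSAState'
            }
        }
    }
}

# Usage: run from an admin workstation; every row deserves a manual review.
Get-SuspiciousDmsa | Format-Table -AutoSize
```

A legitimate dMSA normally lists the computers that run the service, not itself, in its retrieval principals, and has no key credentials unless you enrolled them deliberately, so any row this returns is worth a ticket. Because the segment notes the chain survives password resets and deletion of the original attacker account, remediation should focus on the dMSA object and its linked account rather than on the account that created them.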
A Romanian man faces vishing charges in the U.S.
A Romanian man has appeared in U.S. court after extradition to face charges tied to a voice phishing bank fraud scheme.
Federal prosecutors say Gavril Sandu was indicted in 2017 and extradited from Romania on April 30, 2026. The indictment alleges Sandu and co-conspirators hacked small businesses’ Voice over Internet Protocol, or VoIP, systems from 2009 to 2010. They allegedly used scripted calls to trick bank customers into providing debit card numbers and PINs. Prosecutors say Sandu created magnetic stripe cards and withdrew victim funds from ATMs.
Vishing remains a cross-border fraud threat that blends telecom abuse, stolen credentials, and money mule activity. The case also shows long-running international enforcement efforts.
If you think UK age verification is working, I mustache you a question.
New research suggests the UK’s tougher online age checks are proving less formidable than intended, with kids finding ways around them, occasionally with little more than a drawn-on mustache.
A survey by UK online safety group Internet Matters found 46 percent of children say age verification is easy to bypass, though only about a third admit actually doing so. Workarounds range from fake birthdays and borrowed IDs to using video game characters for selfie checks. Some parents are not exactly reinforcing the rules either; a notable share either help with the workarounds or ignore the rules. Meanwhile, nearly half of children report still encountering harmful content online.
Technical controls alone are not shaping behavior. Without stronger enforcement and parental alignment, safeguards risk becoming performative rather than protective.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
