
China’s hackers aren’t invincible.
Former NSA chief says the U.S. can beat China in cyberspace. Canvas cuts a deal with hackers. The FCC proposes KYC rules for phone users. SAP patches critical flaws. A poisoned TanStack npm supply chain attack spreads malware. Humanitarian aid lures deliver spyware. Japan launches an AI-driven cyber review. Texas sues Netflix over data practices. And Harvard experts debate the future of agentic AI security. On our Threat Vector segment David Moulton welcomes Assaf Keren, CSO at Qualtrics and author of Lessons from the Frontlines. Our guest is Tim Starks from CyberScoop discussing changes to the CyberCorps Scholarship program. The Gentleman’s guide to awful OPSEC.
Today is Tuesday May 12th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The former NSA chief argues the U.S. can counter China’s cybercampaigns.
Former NSA and U.S. Cyber Command leader Timothy Haugh says China’s long-running cybercampaign against the United States is serious, but far from unbeatable. In a New York Times editorial, he points to intrusions tied to groups like Volt Typhoon and Salt Typhoon, which targeted utilities, telecommunications networks, and senior officials.
Haugh argues the United States already holds a major advantage through its private sector. American cybersecurity firms, cloud providers, and telecom companies operate at unmatched global scale and can often detect malicious activity faster than governments. He cites a recent Google disruption of a Chinese espionage campaign as proof that industry-led action can work quickly and effectively.
Haugh believes voluntary cooperation is no longer enough. He calls for clearer laws authorizing companies to disrupt foreign cyberoperations, more funding for critical infrastructure defense, and stronger public consequences for Chinese cyberactivity, including sanctions and coordinated disruption efforts. He also warns that U.S. Cyber Command remains underfunded relative to the scale of the threat.
Canvas pays the ransom.
Instructure, the company behind the widely used Canvas learning platform, says it reached an agreement with the Shiny Hunters extortion group after a cyberattack disrupted services at roughly 9,000 educational institutions across the United States, Canada, Australia, and the UK.
The attackers claimed to have stolen 3.5 terabytes of university and student data and threatened to publish it online unless a ransom was paid. Instructure says the agreement resulted in the return of the data, “digital confirmation” of its destruction, and assurances that affected institutions and students would not face further extortion.
The incident interrupted exams and coursework for many students. Security experts and law enforcement agencies generally discourage ransom payments because attackers may still retain or resell stolen data. Instructure said its priority was protecting customer information and minimizing harm to students and schools.
The FCC wants KYC rules to block robocalls.
The Federal Communications Commission is proposing new “Know Your Customer” rules aimed at reducing illegal robocalls, but critics warn the changes could create major privacy concerns and effectively end anonymous burner phones in the United States.
Under the proposed rules, prepaid phone customers could be required to provide government-issued identification, a physical address, a legal name, and an existing phone number before receiving service. The FCC is also considering behavioral “red flags,” including cryptocurrency payments, virtual office addresses, and suspicious websites or email accounts.
The FCC says telecom providers are best positioned to stop illegal calls before they reach consumers. But civil liberties advocates argue the plan could expand surveillance and make it harder for vulnerable people, including abuse survivors and refugees, to access anonymous communications. Proposed enforcement measures could fine telecom providers $2,500 per illegal call, creating strong incentives for aggressive customer monitoring.
SAP patches multiple critical vulnerabilities.
SAP has released 15 new security notes for its May 2026 Security Patch Day, including two critical vulnerabilities with CVSS scores of 9.6 affecting S/4HANA and SAP Commerce.
The S/4HANA flaw, tracked as CVE-2026-34260, is an SQL injection vulnerability that could allow authenticated attackers to access sensitive data. A second issue, CVE-2026-34263, affects SAP Commerce and could enable unauthenticated attackers to upload malicious configurations and execute arbitrary server-side code.
SAP also patched a high-severity OS command injection flaw in Forecasting & Replenishment, along with additional medium and low-severity bugs across multiple products.
SAP says there is no evidence these vulnerabilities are being actively exploited, but customers are urged to apply patches quickly.
Attackers published 84 malicious versions of official TanStack npm packages.
Attackers published 84 malicious versions of official TanStack npm packages in a six-minute supply chain attack that exposed developers to credential theft, self-propagating malware, and potential disk wiping.
Researchers say the attackers exploited a GitHub Actions cache-poisoning weakness to steal npm publishing tokens without compromising TanStack maintainers directly. The malicious packages, uploaded on May 11, were removed within roughly 30 minutes after detection by StepSecurity.
Analysis from Socket and StepSecurity found the malware searched more than 100 locations for cloud credentials, SSH keys, crypto wallets, and developer secrets. Researchers also identified a “dead-man’s switch” that could wipe an infected system if stolen GitHub tokens were revoked.
The incident highlights ongoing risks in software supply chains and the danger posed by routine package installation commands in developer environments.
Operation HumanitarianBait uses fake humanitarian aid documents to deliver spyware.
Researchers at Cyble Research and Intelligence Labs have identified a new espionage campaign called Operation HumanitarianBait that uses fake humanitarian aid documents to deliver Python-based spyware to Russian-speaking targets.
The attack begins with phishing emails carrying a malicious shortcut file hidden inside a RAR archive. The malware uses PowerShell and fileless execution techniques to evade automated detection, while displaying a decoy PDF related to humanitarian assistance. Researchers say the spyware is hosted through GitHub Releases and heavily obfuscated using PyArmor.
Once installed, the malware can steal browser credentials, Telegram session data, cryptocurrency wallets, and screenshots, while also logging keystrokes and enabling remote desktop access through RustDesk or AnyDesk.
The campaign demonstrates how attackers are increasingly blending trusted services, social engineering, and stealth-focused malware to maintain long-term access and evade security tools.
Japan orders a government-wide cybersecurity review following concerns over advanced AI models.
Japanese Prime Minister Sanae Takaichi has ordered a government-wide cybersecurity review following concerns that advanced artificial intelligence models, including Anthropic’s bug-hunting system Mythos, could dramatically increase the speed and scale of cyberattacks.
Takaichi directed cybersecurity minister Hisashi Matsumoto to assess whether government agencies and critical infrastructure operators can effectively detect and remediate vulnerabilities. The move reflects growing concern that AI systems capable of rapidly identifying software flaws may also help attackers automate exploitation efforts.
The announcement follows broader warnings from regulators and security experts worldwide that frontier AI models could reshape the cyber threat landscape. Some researchers, however, argue Mythos does not uncover vulnerabilities beyond human capability and may not significantly outperform existing open-source tools.
Governments are increasingly treating AI-enabled cyber risk as a national security issue requiring policy-level response and infrastructure readiness.
Texas sues Netflix over alleged data sharing.
Texas Attorney General Ken Paxton has sued Netflix, alleging the streaming company collected and shared sensitive user data with advertisers, data brokers, and ad tech firms without meaningful consent from subscribers.
The lawsuit claims Netflix tracked viewing habits, device information, locations, and behavioral data from both adults and children, despite past public statements from company leadership suggesting the platform did not engage in advertising-related data collection. Texas also alleges Netflix combined user demographics, IP-based location data, and viewing activity to build detailed advertising profiles.
The state is seeking financial penalties and a court order barring what it describes as unlawful data collection practices. Texas also wants Netflix to disable autoplay by default on children’s profiles.
The case highlights growing scrutiny of how streaming platforms collect, analyze, and monetize behavioral data, particularly involving children’s accounts and targeted advertising ecosystems.
A Harvard panel of experts ponders AI policy.
Cybersecurity researchers and policy experts say increasingly autonomous “agentic AI” systems could transform both cyber defense and cybercrime, raising urgent questions about regulation, liability, and national security.
During a discussion hosted by Harvard’s Berkman Klein Center, experts pointed to rising AI-assisted cyberattacks, including phishing campaigns and software exploitation efforts that can rapidly identify vulnerabilities. IBM data cited during the panel showed attacks targeting public-facing applications rose 44 percent year over year in 2026.
Panelists argued businesses and governments need clearer security standards and liability frameworks before AI-driven threats escalate further. Concerns included AI-enhanced phishing, autonomous cyber retaliation, and the difficulty of securing sprawling software ecosystems.
At the same time, researchers said agentic AI could strengthen defenses by detecting fraud patterns and suspicious behavior in real time.
The Gentleman’s guide to awful OPSEC.
In a development that might qualify as occupational irony, the ransomware-as-a-service group known as The Gentlemen has itself been hacked, with thousands of lines of internal chats and operational details spilled online.
The leaked data reportedly includes discussions about compromised Fortinet credentials, command-and-control tooling, “EDR Killer” software, and even recommended YouTube tutorials for sharpening ransomware skills. Researchers at DynaRisk say the chats provide a rare real-time look inside a modern extortion operation, complete with bitcoin wallet addresses, infrastructure management, and debates over fake CVE scripts.
The Gentlemen emerged in 2025 and quickly built a reputation for aggressive attacks targeting healthcare, manufacturing, and critical infrastructure organizations. Researchers say the group relied heavily on credential theft, living-off-the-land techniques, and careful reconnaissance before deploying encryption.
The leak exposes both the industrialization and the occasional fragility of modern ransomware operations. Even cybercriminals, it seems, struggle with operational security.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
