The CyberWire Daily Podcast 5.22.26
Ep 2558 | 5.22.26

Too many cooks in the algorithm.

Transcript

Trump hits pause on an AI executive order. Lawmakers sound alarms over CISA cuts. A sophisticated scareware campaign traps users in fake tech support scams. Ubiquiti patches critical UniFi flaws. The U.S. pours billions into quantum computing. Researchers uncover delayed Google API key revocation. Canadian authorities arrest the alleged Kimwolf botnet operator. Two Americans plead guilty in a global tech support fraud scheme. Our guest is Ankit Kumar Honey, Senior Engineering Manager for Dependabot at GitHub, discussing closing the agentic gap between alert and patch at a global scale. AI-generated reports still come up short.

Today is Friday, May 22nd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The President delays signing his AI executive order. 

President Trump delayed a planned executive order on AI and cybersecurity just hours before it was set to be signed, after pushback from top adviser David Sacks and several tech leaders, according to Axios. Sources said Trump objected to the order because he viewed it as unnecessary regulation that could slow U.S. AI companies as they compete with China. Meta CEO Mark Zuckerberg, xAI CEO Elon Musk, and Sacks reportedly spoke with Trump before the decision.

The delay highlights growing divisions inside both the White House and the tech industry over how aggressively AI should be regulated. Some officials and industry sources also questioned why the Treasury Department would play a leading role in identifying AI security vulnerabilities, a task typically handled by agencies like CISA and NIST. While many companies support voluntary AI testing and safeguards, disagreements remain over oversight, model-sharing rules, and government involvement.

For now, advocates of lighter AI regulation appear to have gained the upper hand, though additional White House AI security initiatives may still emerge.

Lawmakers raise concerns over CISA cuts. 

Bipartisan lawmakers are raising concerns over staffing cuts and operational strain at the Cybersecurity and Infrastructure Security Agency, warning the agency may be less prepared to defend federal and critical infrastructure networks. Reps. Don Bacon and James Walkinshaw said the Trump administration has weakened CISA through funding and workforce reductions, despite growing cyber threats and increased use of artificial intelligence to uncover zero-day vulnerabilities.

Democratic lawmakers Bennie Thompson and Delia Ramirez also requested a briefing from acting CISA Director Nick Anderson after reports that a contractor exposed privileged AWS GovCloud credentials in a public GitHub repository. They argued the incident may reflect declining security oversight following the loss of nearly 1,000 employees over the past 15 months.

CISA said it is still investigating the exposure and currently has no indication mission data was compromised. Meanwhile, lawmakers continue pressing the agency about whether it has sufficient staffing and resources to fulfill its cybersecurity mission.

Speaking of CISA, the agency has added two actively exploited flaws to its Known Exploited Vulnerabilities catalog: a critical Langflow origin validation flaw, CVE-2025-34291, and a Trend Micro Apex One directory traversal flaw, CVE-2026-34926. Researchers said the Langflow bug can enable full system compromise and expose sensitive API keys, while reports linked its exploitation to Iran-aligned threat group MuddyWater. Trend Micro confirmed active exploitation of the Apex One flaw in on-premise deployments. CISA ordered federal agencies to patch both vulnerabilities by June 4, 2026.

A new scareware kit pressures victims into calling fraudulent tech support lines. 

Barracuda Networks researchers detailed a sophisticated scareware kit called CypherLoc that uses browser-based tricks and psychological pressure to push victims into calling fraudulent tech support lines. Since early 2026, researchers observed roughly 2.8 million attacks using the framework.

CypherLoc begins with phishing emails that lead victims to malicious websites. The kit hides encrypted payloads that only activate under specific conditions, helping it evade scanners and sandboxes. Once triggered, it locks the browser in full-screen mode, displays fake security alerts, plays warning audio, and even shows the victim’s public IP address to increase panic. Attempts to inspect the page can intentionally slow or destabilize the browser.

Barracuda said the campaign reflects a shift from traditional malware toward browser-based social engineering attacks that rely on fear and deception rather than malicious file downloads.

Ubiquiti patches multiple vulnerabilities affecting UniFi OS devices. 

Ubiquiti released security updates for five vulnerabilities affecting UniFi OS devices, including three maximum severity flaws that remote, unauthenticated attackers could exploit. The issues include improper access control, path traversal, and command injection vulnerabilities tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. Ubiquiti also patched another critical command injection flaw and a high-severity information disclosure bug. The company said the vulnerabilities were reported through its HackerOne bug bounty program and can be exploited with low-complexity attacks. Threat intelligence firm Censys tracks nearly 100,000 internet-exposed UniFi OS endpoints worldwide.

The U.S. invests over $2 billion in quantum computing incentives. 

The United States Department of Commerce announced plans to provide more than $2 billion in CHIPS and Science Act incentives to nine quantum technology companies aimed at strengthening U.S. leadership in quantum computing. The funding includes support for quantum foundries led by IBM and GlobalFoundries, along with investments in seven quantum computing firms working across superconducting, photonic, trapped-ion, silicon-spin, and neutral-atom technologies.

Officials said the investments are intended to accelerate development of utility-scale, fault-tolerant quantum computers and address engineering challenges such as error correction, photonic loss, cryogenic systems, and qubit scalability. The administration framed the initiative as both an economic and national security priority, citing potential applications in defense, energy, finance, advanced materials, and biopharmaceutical research.

Researchers find Google API keys can continue authenticating requests after deletion. 

Researchers from Aikido found that deleted Google API keys can continue authenticating requests for up to 23 minutes after deletion because revocation propagates gradually across Google’s infrastructure. In testing across 10 trials, deleted keys remained intermittently functional for between 8 and 23 minutes, potentially allowing attackers to continue accessing enabled services, including Gemini, after a credential leak.

The researchers said the delayed revocation stems from Google’s eventually consistent infrastructure model and warned that users receive no indication a deleted key may still be active. They also observed regional inconsistencies in how quickly revocation took effect. Google reportedly closed the disclosure as “won’t fix,” describing the delay as expected system behavior.

Researchers advised organizations to treat API key deletion as a roughly 30-minute process and closely monitor usage during that window for signs of abuse.

Canadian authorities arrest the alleged operator of the Kimwolf botnet. 

Canadian authorities arrested 23-year-old Ottawa resident Jacob Butler, also known as “Dort,” on allegations he operated the Kimwolf Internet-of-Things botnet linked to massive distributed denial-of-service attacks. U.S. prosecutors allege the botnet infected millions of devices, including webcams and digital photo frames, and generated attacks reaching nearly 30 terabits per second. Authorities said Kimwolf issued more than 25,000 attack commands and caused significant financial damage, including attacks affecting Department of Defense address ranges.

Investigators tied Butler to the operation through IP addresses, transaction records, and online messaging accounts. He also allegedly participated in harassment, doxing, and swatting campaigns targeting security researchers. Canadian and U.S. authorities coordinated the investigation alongside broader efforts to seize infrastructure tied to several DDoS-for-hire services. Butler now faces criminal charges in both Canada and the United States.

Two Americans pleaded guilty to helping an India-based tech support fraud scheme. 

Two Americans pleaded guilty to charges tied to a long-running India-based tech support fraud scheme that targeted elderly and vulnerable victims across the United States. Prosecutors said Adam Young and Harrison Gevirtz provided phone numbers, call routing, and tracking services that helped scammers connect victims to fraudulent call centers in India between 2016 and 2022.

Victims were tricked through fake malware warnings and pressured into paying for bogus technical support services. In some cases, scammers gained remote access to devices and stole financial information. Investigators said the pair continued supporting the operation even after learning customers were involved in fraud, and allegedly advised scammers on ways to avoid detection by rotating phone numbers.

The case comes amid broader government efforts to combat robocalls and digital scams, which lawmakers say continue to cost Americans billions of dollars annually.

AI-generated reports still come up short.

Cisco Talos researchers spent months teaching large language models how to write cybersecurity reports without wandering off into confidently incorrect fiction, a task easier said than done when your co-author occasionally invents facts with perfect grammar. The team found that AI-generated reports often suffered from inconsistent conclusions, formatting drift, and the digital equivalent of losing the plot halfway through a meeting.

To rein things in, Talos developed tightly controlled prompt-engineering techniques, including task-specific prompts, strict source constraints, rigid templates, and structured formatting rules. In testing, the approach cut report drafting time roughly in half while improving consistency and reducing typos, a rare moment when everyone involved in incident response briefly experienced joy.

The researchers cautioned that human oversight remains essential. Models still hallucinated recommendations, mixed content between projects, and occasionally missed obvious errors while confidently flagging imaginary ones. In other words, the AI intern still needs supervision.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.