The CyberWire Daily Podcast 5.28.26
Ep 2561 | 5.28.26

The military wants to move at cyber speed.

Transcript

Cyber Command’s new chief pushes modernization as lawmakers warn commercial location data is exposing U.S. troops. A third-party UK visa site leaks passports and selfies. Microsoft slams unpatched zero-day disclosures. Researchers uncover a new macOS malware campaign targeting crypto developers, while SEO poisoning and AI chatbots spread cryptojacking malware. Carnival confirms a massive breach tied to ShinyHunters. Plus, the alleged VenomRAT developer is extradited to France, and a Romanian hacker is sentenced for breaching Oregon state systems. Our guest is Courtney Guss, Crisis Management Director at Semperis, discussing crisis response planning. The surveillance on the bus goes round and round.

Today is Thursday, May 28th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The new Cyber Command chief looks to accelerate modernization efforts. 

The new head of U.S. Cyber Command has ordered two reviews aimed at modernizing the military’s cyber warfare operations and accelerating organizational reform.

Army Gen. Joshua Rudd, who assumed leadership of both Cyber Command and the National Security Agency in March, tasked MITRE with conducting an outside assessment of the command’s structure and acquisition processes. According to officials familiar with the effort, the review could examine how Cyber Command manages personnel and procurement under its existing congressional authorities. Rudd also launched an internal study led by senior officials with special operations backgrounds to identify rapid improvements. The findings are expected to feed into his ongoing 90-day leadership review and broader CYBERCOM 2.0 modernization efforts.

Cyber Command faces ongoing challenges retaining elite cyber talent and rapidly fielding new capabilities. Officials say the reviews reflect pressure to move faster and align cyber operations with a more aggressive national security posture.

Lawmakers warn commercial location data is exposing U.S. troops to battlefield surveillance.

U.S. military personnel deployed in active conflict zones have reportedly been targeted using commercially available location data collected through the digital advertising ecosystem.

According to a letter from U.S. Central Command shared by Senator Ron Wyden, officials received multiple threat reports involving adversaries exploiting commercial location data to surveil or target American forces in theater. Lawmakers said the data could reveal troop movements, gathering points, and behavioral patterns that could support missile, drone, or roadside bomb attacks. The concerns center on the widespread trade in smartphone location data collected by apps and sold through advertising networks and data brokers. Legislators criticized the Pentagon for not moving faster to restrict tracking features on military-issued devices.

Commercially available data, originally intended for advertising, is increasingly viewed as an operational security risk. The reports underscore how consumer surveillance infrastructure can become battlefield intelligence for hostile actors.

A third-party UK visa service exposed passport scans and selfies.  

A third-party website offering paid assistance with UK travel authorizations exposed passport scans, selfies, and location data on a publicly accessible Amazon Web Services server.

The site, UK Visa Portal, is not affiliated with the British government and is reportedly operated by UAE-registered Active Leadgen LLC. TechCrunch reported the exposed storage bucket contained at least 100,000 documents. Although the bucket did not publicly list files, researchers said anyone with the correct web address could access them. Some uploaded selfies also included embedded GPS metadata that could reveal users’ home addresses. TechCrunch said it verified the exposure by contacting affected individuals directly. The company reportedly did not respond directly to repeated security inquiries before the server was secured.

Exposed identity documents combined with geolocation data create a high-value target for identity theft, fraud, and surveillance. The incident also highlights ongoing risks tied to unofficial visa and travel-processing services collecting sensitive personal information.

Microsoft criticizes public disclosure of unpatched zero-day vulnerabilities. 

Microsoft is condemning the public release of several unpatched vulnerabilities, warning the disclosures exposed customers to unnecessary risk before fixes were available.

The company said six flaws affecting Microsoft Defender, Windows BitLocker, and the Windows Cloud Filter driver were disclosed without prior coordination. Microsoft argued the releases included proof-of-concept exploit code that could aid attackers while its teams rushed to develop mitigations and patches. The company reiterated support for coordinated vulnerability disclosure practices, where researchers privately report flaws before publication.

The dispute highlights growing tension between rapid vulnerability disclosure and defensive patch timelines, especially as artificial intelligence accelerates security research and exploit development.

A new threat actor targets crypto developers with macOS malware and poisoned code repositories. 

Researchers at Wiz have identified a new financially motivated threat actor, tracked as Jinx-0164, targeting cryptocurrency developers through fake recruiter schemes and custom macOS malware.

The campaign begins with LinkedIn outreach impersonating recruiters or business contacts, directing victims to fake meeting sites mimicking Microsoft Teams. Targets are tricked into installing a malware strain called Audiofix, a Python-based stealer and remote access tool disguised as an audio driver. According to Wiz, the malware steals credentials, cryptocurrency wallet data, cloud keys, and messaging sessions. The group then abuses stolen GitHub tokens to compromise development pipelines, injecting malware into internal repositories and spreading infections through software builds. Researchers also linked the actor to a trojanized npm package containing a secondary macOS backdoor.

The campaign blends social engineering, software supply chain compromise, and credential theft into a targeted operation against cryptocurrency firms. The activity also highlights growing threats to macOS environments and developer infrastructure.

SEO poisoning and AI chatbot manipulation spread GPU-focused cryptojacking malware. 

Microsoft researchers say threat actors are spreading GPU mining malware through poisoned search results and manipulated AI chatbot recommendations targeting users with high-performance computers.

The campaign uses fake download pages for popular utility software including CrystalDiskInfo and HWMonitor. Victims receive trojanized ZIP files containing legitimate software alongside malicious code that installs the ScreenConnect remote management tool and additional malware. According to Microsoft, the attackers use persistence mechanisms, process hollowing, and Microsoft-signed binaries to evade detection before deploying cryptocurrency miners optimized for graphics processing units.

The campaign combines SEO poisoning, AI-assisted deception, and stealthy malware techniques to maximize cryptojacking profits from powerful consumer and professional systems.

Carnival confirms nearly six million customers affected in a breach linked to ShinyHunters. 

Carnival Corporation has confirmed that a phishing-related cyberattack exposed personal information belonging to nearly six million customers following an April breach attributed by researchers to the ShinyHunters extortion group.

The cruise operator said the incident began with a social engineering attack targeting an employee on April 14. After a review of the compromised data, Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers were exposed. ShinyHunters previously claimed responsibility for stealing terabytes of company data and suggested negotiations over extortion demands had failed. Carnival has started notifying affected individuals and is offering two years of credit monitoring services through TransUnion.

The breach highlights the continuing effectiveness of phishing and social engineering attacks against major enterprises handling large volumes of sensitive consumer data. The incident also reflects the ongoing activity of financially motivated extortion groups targeting high-profile brands.

An alleged VenomRAT developer is extradited to France. 

A 39-year-old Albanian national accused of developing and selling the VenomRAT malware has been extradited from Greece to France following a multinational investigation.

Authorities say the suspect, known online as “Venom,” was arrested in Athens in November 2025 after investigators from Australia, Greece, France, and the FBI traced his digital activity across several years. Court documents allege he sold the remote access trojan at least 36 times between 2021 and 2025. Investigators reportedly linked cryptocurrency transactions, phone records, and embassy correspondence to confirm his identity.

The case highlights growing international coordination against malware developers operating across borders and commercial cybercrime marketplaces.

A Romanian hacker is sentenced for breaching an Oregon government network. 

A Romanian national has been sentenced to more than four and a half years in U.S. federal prison for hacking an Oregon state government network and selling access to other compromised systems.

Prosecutors said Catalin Dragomir breached the Oregon Department of Emergency Management in 2021 and sold stolen access alongside sensitive personal data taken from the network. Authorities said he also sold access to nearly a dozen other U.S. victims, causing at least $250,000 in losses. Dragomir was arrested in Romania in 2024 and extradited to the United States earlier this year.

Access-brokering remains a key part of the cybercrime ecosystem, enabling follow-on attacks against government and private-sector targets.

The surveillance on the bus goes round and round. 

BusPatrol, the company behind AI-powered stop-arm cameras on more than 40,000 U.S. school buses, is reportedly preparing to expand those systems into full-time automated license plate readers. In other words, the big yellow bus may soon be doing more than carrying kids and stopping traffic; it may also be cataloging where everyone else was driving that afternoon.

According to leaked documents reviewed by 404 Media, the upgraded system would photograph passing vehicles, log license plates and GPS locations, and make that data searchable by law enforcement, potentially through integrations with Axon. Critics warn the plan transforms a child-safety tool into a mobile surveillance network, raising concerns about warrantless tracking, ICE access, and mission creep. BusPatrol internally acknowledged the controversy but reportedly believes the child-protection angle will help sell the expansion.

Mobile ALPR systems dramatically widen surveillance coverage compared to fixed cameras. Privacy advocates say the technology risks normalizing mass tracking under the banner of public safety, a familiar pattern in the post-9/11 surveillance era.

The surveillance on the bus goes round and round.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.