Fortinet EMS Zero-Day Exploited, Anthropic’s AI Finds Thousands of Bugs, and Iranian Hackers Target US ICS
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
Host David Shipley reports Fortinet issued emergency hotfixes for a new actively exploited FortiClient EMS unauthenticat
AI model finds thousands of zero-days. Fortinet is back with another critical flaw. Social engineering behind massive Axios supply chain breach. North Korea continues to go wild. Iranian hackers are inside America's water and energy infrastructure. And the agency responsible for protecting US critical infrastructure is facing a $707 million budget cut. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started. Fortinet is dealing with, you guessed it, another critical security flaw. And this one's already being used in
attacks. As Yogi Berra famously once said, it's déjà vu all over again. This is the second critical FortiClient EMS flaw in as many weeks. Last week, it was CVE-2026-21643, also actively exploited, also found by the same security firm, Diffused. The company has pushed out an emergency patch over the weekend for this new vulnerability in FortiClient EMS, which stands for Enterprise Management Server. It's the tool organizations use to manage endpoint security software across their networks. Think of it as the control panel keeping all of the company's devices protected. This new flaw is tracked as CVE-2026-35616. And here's what makes it serious. An attacker doesn't need a username or password to exploit it. They can send a
specially crafted request to a server and run whatever code they want. In plain terms, if your EMS server is exposed to the internet, an attacker can walk right in and take it over. Cybersecurity firm Diffused found the vulnerability and says they spotted it being actively exploited as a zero-day before they even had a chance to report it to Fortinet. They did report it responsibly, but the attacks were already underway. Internet watchdog ShadowServer has counted more than 2,000 FortiClient EMS instances sitting exposed online right now, most of them in the United States and Germany. This affects versions 7.4.5 and 7.4.6. Fortinet has released hotfixes for both with a full fix coming in 7.4.7. Version 7.2 is not affected. Fortinet is urging customers running version 7.4.5
or 7.4.6 to apply the hotfix immediately or upgrade to 7.4.7 when it becomes available. And if you're running it on the internet open right now, I'd get putting that hotfix on. And zero-day headaches are about to get a lot worse for a lot more companies. Anthropic says one of its AI models has found thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. And the company says the good news is it's not releasing this model to the public. The model is called Claude Mythos, and it's the centerpiece of a new Anthropic cybersecurity initiative called Project Glasswing. The initiative brings together a small group of major organizations, including Amazon Web Services, Apple, Cisco, Google, Microsoft, and JP Morgan Chase to use Mythos to find and fix vulnerabilities in critical software. Anthropic says
it's not releasing the model more broadly because of concerns about how its capabilities could be misused. Among the vulnerabilities Mythos preview has already found are a 27-year-old bug in OpenBSD, a 16-year-old flaw in a widely used media processing library called FFmpeg, and a memory vulnerability in a type of software designed to run virtual machines. In one test, the model independently built a web browser exploit that chained four separate vulnerabilities together to break out of two layers of security protections. In another, it completed a simulated corporate network attack that Anthropic says would have taken a skilled human expert more than 10 hours. The company also disclosed a notable incident during controlled evaluation. When a researcher gave the model access to a secure sandbox computer, it found a way to escape that environment, gained internet access, and sent an email to the researcher. It then posted details
of the exploit to several publicly accessible but hard-to-find websites without being asked to do so. Anthropic described Project Glasswing as an urgent effort to use these capabilities defensively before hostile actors develop similar ones. The company is committing up to $100 million in usage credits for Mythos preview plus $4 million in direct funding to open-source security organizations. Perhaps someone at Project Glasswing should give Fortinet a call. But who needs zero-days when you can just pwn popular open-source software? I mean, that's what North Korea is doing gangbusters business lately. BleepingComputer has published a detailed postmortem on the Axios supply chain attack we reported on. That attack resulted in the theft of source code from Cisco. Now we know more about how it all went down.
The attackers gained access to a maintainer account and published two malicious versions of Axios to NPM. That's the registry where developers download these kinds of tools. The tainted versions were available for about 3 hours before being pulled, but any system that installed them during that window should be considered compromised. The malicious versions secretly installed a remote access Trojan, malware that gives attackers full control over an infected machine. According to the postmortem, the attack started weeks earlier with a carefully constructed social engineering campaign. The attackers impersonated a legitimate company, built a fake Slack workspace complete with staged conversations, fake employee profiles, and cloned branding. They then scheduled a Microsoft Teams call with the lead maintainer. During the call, a fake error message appeared telling him his software was out of date. And the fix he was prompted to
install was actually malware. Google's Threat Intelligence Group has linked the attack to a North Korean group called UNC1069, active since at least 2018, and previously connected to attacks on cryptocurrency firms. Cybersecurity firm Socket reports this was not an isolated incident. Multiple maintainers of widely used Node.js packages reported being targeted with the exact same playbook: fake workspaces, fake video calls, fake error messages. In some cases, when targets refused to install the fake app, attackers tried to get them to run commands directly in their terminal. The Axios maintainers say they have wiped their affected systems and reset all credentials. And the North Korean supply chain hacking fest just keeps getting bigger. The Hacker News is reporting that the same threat actor behind the Axios attack has been spreading malicious
packages across five separate software ecosystems: NPM, PyPI, Go, Rust, and PHP. Security firm Socket says it had identified more than 1,700 malicious packages linked to this campaign since January of 2025. The campaign is tracked as Contagious Interview. The packages are designed to look like legitimate developer tools, logging utilities, license checkers, debug tools, while quietly functioning as malware loaders. Once a developer installs one and uses it, the malware reaches out to an attacker-controlled server and pulls down a second-stage payload. That payload is designed to steal data from web browsers, password managers, and cryptocurrency wallets. On Windows, Socket found a version with significantly deeper capabilities, including keystroke logging, file upload, remote access through AnyDesk, and the ability to download additional
attack modules. One detail worth noting, the malicious code doesn't trigger during installation. It's hidden inside normal-looking functions, so standard automated scans are less likely to catch it. Security Alliance reports it blocked 164 domains linked to the same group between February and mid-April. Sites impersonating Microsoft Teams and Zoom. The group runs multi-week social engineering campaigns across LinkedIn, Telegram, and Slack before delivering a fake meeting link. Once the device is compromised, the implant goes quiet, sometimes for days, while the target reschedules the failed call and goes back to work unaware anything is wrong. Microsoft told The Hacker News the group continues to evolve in its tools and infrastructure, but the underlying behavior and intent remains consistent. And now, from supply chain hacking to
critical infrastructure. BleepingComputer is reporting that Iranian-linked hackers are targeting industrial control systems inside US critical infrastructure networks, and a coalition of US federal agencies is sounding the alarm. The warning comes in a joint advisory from the FBI, CISA, the NSA, the Environmental Protection Agency, the Department of Energy, and US Cyber Command. The agencies say the attacks have been ongoing since March and have caused financial losses and operational disruptions across multiple sectors, including government facilities, water and wastewater systems, and energy. The specific targets are programmable logic controllers, or PLCs, made by Rockwell Automation, also known as Allen-Bradley. PLCs are the computers that run physical equipment in industrial settings. Think pumps, valves, motors. When attackers get into these systems, they can manipulate what operators see on the
screens and interfere with how the equipment actually behaves. The FBI says the attackers have been extracting project files from the devices and manipulating data displayed on operator control screens, known as HMI and SCADA displays. The advisory attributes the activity to an Iranian-linked APT actor and says the escalation is likely connected to recent hostilities between Iran and the United States and Israel. The agencies are advising organizations to disconnect PLCs from the public internet or put them behind a firewall, enable multi-factor authentication on operational technology networks where possible, keep firmware up-to-date, and monitor for unusual traffic, particularly from overseas hosting providers. This is not the first such warning. In November 2023, US agencies warned that an Iranian group called Cyber Avengers had compromised at least 75 similar industrial devices, half of them in
water and wastewater networks. And all of this news and dire warnings come as Silicon Angle is reporting that the White House has proposed cutting $707 million from CISA, the Cybersecurity and Infrastructure Security Agency. CISA is the federal agency responsible for protecting critical infrastructure from cyber attacks. Think power grids, water systems, financial networks, and government networks. The proposed cuts would reduce the agency's headcount from roughly 3,700 employees to about 2,600. The cuts are focused on programs tied to election security, countering misinformation, and external coordination with state and local governments. The Department of Homeland Security argues those programs fall outside the federal government's core responsibilities and that election security is a state-level function. The budget does preserve $1.4 billion for core cybersecurity activities,
including protecting federal civilian systems and defending against nation-state threats. Critics quoted in Silicon Angle's reporting pushed back on the scope of the reductions. John Bambenek, president of Bambenek Consulting, told Silicon Angle that the changes would leave state, local government, and private industry to handle these threats on their own at a time of heightened nation-state activity. Matthew Hartman, chief strategy officer at cyber investment firm Merlin Group, called CISA "the connective tissue for federal civilian cyber defense" and said weakening it weakens the broader security ecosystem. The proposal still requires congressional approval. That's Cybersecurity Today for Thursday, April 8th, 2026. I'll be spending the next 2 days at one of Canada's best cybersecurity conferences, the Atlantic Security Conference in Halifax, or as locals call it, AtlSecCon.
With 1,700-plus attendees and a host of excellent talks, if it's not on your conference circuit radar, you're missing out. And if you're there and you see me, please say hi. Thanks for listening, and thank you to everyone who's left a rating, review, subscribed, liked, or shared the show. We'd like to reach even more people this year, and we continue to need your help. I'll be back on Monday with the latest headlines, and hopefully it won't include a new Fortinet critical vulnerability. Stay safe out there. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless, and cellular to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable, and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments,
and run support. It's a single integrated solution that scales from branch offices, warehouses, and large campuses to data centers. Book a demo at meter.com/cst. That's m e t e r.com/cst.
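The joint advisory covered in the PLC segment above recommends keeping PLCs off the public internet and monitoring for unusual traffic reaching them. The script below is an added example of what that monitoring check can look like in practice; it is not code from the podcast, the advisory, or any of the vendors named. It reads constructed firewall log lines (the `src=... dst=... proto=... dport=...` format, the OT subnet, the engineering-workstation allowlist, and all addresses are assumptions) and flags three conditions: a PLC port reached from outside the internal address space, a PLC port reached from an internal host that is not an approved engineering workstation, and a PLC initiating a connection to an external address. The EtherNet/IP port numbers (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the standard ones used by Rockwell/Allen-Bradley controllers.

```python
"""Flag suspicious traffic to and from PLCs in firewall logs.

Added defensive example. The log format, subnets and sample lines below are
constructed for illustration; adapt the patterns and ranges to your own
firewall export and OT network plan.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Standard EtherNet/IP ports used by Rockwell/Allen-Bradley PLCs.
PLC_PORTS = {44818, 2222}

# Assumed network plan: PLCs live in OT_SUBNET, and only engineering
# workstations in ENGINEERING_ALLOWLIST are expected to talk to them.
OT_SUBNET = ipaddress.ip_network("10.50.0.0/16")
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]

# Explicit definition of "internal" so the result does not depend on how a
# given Python version classifies reserved or documentation ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed key=value log format; real firewalls differ, adjust the regex.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def _in_any(ip: ipaddress.IPv4Address, nets) -> bool:
    return any(ip in net for net in nets)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for expected traffic."""
    m = LOG_RE.search(line)
    if not m:
        return None  # unparseable line: ignore here, count it in production
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    action = m["action"]

    # Inbound to a PLC service port inside the OT subnet.
    if dport in PLC_PORTS and dst in OT_SUBNET:
        if not _in_any(src, INTERNAL_NETWORKS):
            return Finding(str(src), str(dst), dport, action,
                           "PLC port reached from external address")
        if not _in_any(src, ENGINEERING_ALLOWLIST):
            return Finding(str(src), str(dst), dport, action,
                           "PLC port reached from non-allowlisted internal host")

    # A PLC should never initiate connections to the outside world.
    if src in OT_SUBNET and not _in_any(dst, INTERNAL_NETWORKS):
        return Finding(str(src), str(dst), dport, action,
                       "PLC initiating connection to external address")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log: one expected engineering session, then three
# conditions the advisory's monitoring guidance is meant to catch, then a
# denied SSH attempt on a non-PLC port that this check does not flag.
SAMPLE_LOG = [
    "src=10.20.5.14 dst=10.50.1.7 proto=tcp dport=44818 action=allow",
    "src=203.0.113.45 dst=10.50.1.7 proto=tcp dport=44818 action=allow",
    "src=10.80.3.2 dst=10.50.1.9 proto=udp dport=2222 action=allow",
    "src=10.50.1.7 dst=198.51.100.20 proto=tcp dport=443 action=allow",
    "src=10.20.5.14 dst=10.50.1.7 proto=tcp dport=22 action=deny",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.reason}: {finding.src} -> {finding.dst}:{finding.dport} "
              f"({finding.action})")
```

The first flagged condition is the one the advisory is most concerned with (a controller reachable from the internet at all), but the other two are worth keeping: a PLC port reached from an unexpected internal host is what lateral movement toward the OT network looks like, and a PLC reaching out to an external address has no legitimate explanation on most plant networks. In production, feed the check from your firewall's actual export format and treat unparseable lines as a separate count rather than silently dropping them.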