There are too many stories to cover! - Threat Wire

This week's cybersecurity news roundup covers a range of significant incidents and trends, including ongoing fallout from Team PCP's attacks, critical vulnerabilities in web browsers, the rise of AI in vulnerability discovery, and important updates to DNS security guidance. The threat actor group Team PCP continues to be a major concern, with Cisco now confirmed to be a victim of their supply chain attacks. Team PCP previously infiltrated platforms like GitHub Actions, Docker Hub, NPM, OpenVSX, and PyPI using compromised credentials. In the Cisco incident, attackers gained access to credentials and data from build and development environments, including AWS keys. These keys were then used for unauthorized activities across several Cisco AWS accounts. The broader issue of software supply chain attacks is highlighted by a significant compromise of Axios, a popular package on the NPM registry. Two versions of Axios, with tens of millions of weekly downloads, were found to contain a malicious package, plain-crypto-js version 4.2.1. This malicious code was capable of arbitrary command execution and data exfiltration. Attackers reportedly compromised the account of Axios's lead maintainer, changed his email to one they controlled, and actively suppressed warnings about the compromised package. Google researchers suggest these attacks, attributed to North Korea and Team PCP, are indicative of a growing trend, potentially leading to widespread compromised secrets, further supply chain attacks, SaaS compromises, ransomware, and cryptocurrency theft. The speaker advises changing all secrets associated with public NPM packages or any public-facing assets as a proactive measure. Critical vulnerabilities have also been discovered in both Chrome and Firefox. Chrome and Chromium were affected by CVE-2026-5281, a zero-day, use-after-free vulnerability in DAWN, the open-source implementation of WebGPU. This could allow hackers to compromise the renderer process through arbitrary code execution via a crafted HTML page. Firefox experienced CVE-2026-4688, a sandbox escape vulnerability stemming from a use-after-free bug in the Disability Access API component, impacting Firefox and related browsers. The speaker notes an observed increase in use-after-free vulnerabilities and seeks community input on languages susceptible to these attacks and best practices for code review to prevent them. The segment introduces a new section called "B-Sides News," inspired by the community-driven cybersecurity conferences. B-Sides events are described as more informal and community-focused alternatives to larger, more business-oriented conferences like Black Hat. Examples of popular B-Sides conferences include B-Sides SF, B-Sides Charm City, and B-Sides Pyongyang, with the suggestion that readers check for local events. In cloud security, AWS has launched the AWS Security Agent and AWS DevOps Agent, designed for autonomous AI-powered penetration testing and incident resolution. This launch follows a previous report on Threatwire about AWS attributing recent outages to AI-generated code. Railway, a hosting platform, disclosed a significant misconfiguration in its CDN that led to incorrect caching of data. This affected approximately 0.05% of their hosted domains, potentially exposing authenticated data to unauthenticated users through HTTP GET requests. AI has also been instrumental in finding vulnerabilities in Emacs and Vim. The Vim vulnerability involved a tab panel exploit to escape the sandbox and has been patched. The Emacs vulnerability, related to a well-formed file and a .git folder, was not accepted by the Emacs team, who deemed it an issue with Git itself. Both vulnerabilities were reportedly discovered using AI with a single prompt. LinkedIn is facing accusations of illegally collecting user information by scanning browser plugins and selling this data to third parties. A human error at Anthropic led to the accidental release of all of Anthropic Cloud Code's source code into the Cloud Code NPM package. This exposed code was then used to identify a vulnerability in the deny rules used by Cloud Code for cURL and wget. NIST has updated its guidance for DNS security for the first time in over a decade. The new deployment guide offers recommendations for protecting DNS services, their role in zero-trust architecture, and guidance on hosting DNS information. The speaker also gives a shout-out to the YouTube channel Chuppel for an expose on the 5 Minutes Craft YouTube network and its alleged ties to Russian cybercrime. Finally, the speaker addresses feedback regarding the coverage of the ban on commercial routers in the US, acknowledging that more in-depth reporting was needed and attributing the oversight to the show being a "one-woman show" with the help of an editor. The speaker concludes by thanking viewers and encouraging engagement, noting the show is nearing one million subscribers.