Cybersecurity Today

Banks Panic As Anthropic Mythos Exposes Software Vulnerabilties

Mythos Sparks Urgent Bank Meetings, AI Shrinks Exploit Windows, CEO Phishing Beats MFA + Crypto Fraud Bust Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst Host David Shipley covers urgent meetings among U.S., Canadian, and U.K. financial leaders after Anthropic's Mythos announcement, with regulators and major banks assessing potential systemic risk; Mythos is described as capable of finding and chaining zero-days and is limited to a preview program (Project Glasswing) with select critical infrastructure and tech firms. The episode highlights how fast vulnerabilities are now exploited, citing a critical Marimo flaw patched in 0.2.3.0 that attackers probed within 9 hours and research showing AI can generate exploits from CVEs in 10–15 minutes. It then details "Venom," an invitation-only phishing-as-a-service targeting executives via QR codes to hijack sessions and register new devices, and Microsoft's warning about Storm-2755 redirecting Canadian paychecks by stealing M365 session cookies and altering direct-deposit details. Finally, Operation Atlantic is summarized: authorities identified 20,000 crypto-fraud victims, froze $12M, and linked $45M in stolen crypto tied to approval phishing. 00:00 Headlines and Sponsor 00:57 Mythos Shakes Finance 04:58 AI Exploit Window Collapses 08:11 Venom Targets Executives 11:54 Payroll Redirect Scam 14:35 Crypto Fraud Takedown 16:47 Wrap Up and Thanks 18:04 Sponsor Outro

Jeff Williams CTO Cofounder of Contrast Security and OWASP co-founder on Mythos and AI Security

AI-Powered AppSec, OWASP Origins, and Anthropic's "Mythos" Model: Jeff Williams on What Changes Next Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst Jim hosts Jeff Williams (Contrast Security co-founder/CTO and former OWASP global chair) for a wide-ranging discussion that begins with Anthropic's new "Mythos" model, described as powerful for finding zero-day vulnerabilities, and expands into how AppSec must evolve. Williams explains Contrast's runtime instrumentation approach, recounts OWASP's early days, the creation of WebGoat and the OWASP Top 10, and notes that many common vulnerabilities persist despite years of maturity models. They debate open source versus commercial security scrutiny, the likely high cost and scalability limits of advanced AI vulnerability discovery, and why finding more bugs matters only if remediation improves too. Williams argues for AI-powered "software factories" with feedback loops, assurance evidence, and runtime monitoring, and flags the EU Product Liability Directive treating software as a product with no-fault liability for security defects, including those from embedded open source. 00:00 AppSec Stuck in Ruts 00:42 Show Intro and Sponsor 01:40 What Contrast Security Does 02:35 OWASP Origins and WebGoat 04:33 Why the Top 10 Persists 06:28 Mythos Model Overview 08:05 Open Source Scrutiny Myth 11:31 Cost and Adoption Barriers 15:04 Finding vs Fixing Bugs 15:55 AI Code Quality Reality 17:46 AI Powered Software Factory 23:11 Building with AI in Practice 25:18 AppSec Metrics and New Approaches 26:42 Staying Optimistic as a CISO 28:00 EU Product Liability Shift 32:13 Bug Bounties in an AI World 34:06 Wrap Up and Outro

Fortinet EMS Zero-Day, Anthropic's AI Finds Thousands of Bugs, Iranian Hackers Target US ICS

Fortinet EMS Zero-Day Exploited, Anthropic's AI Finds Thousands of Bugs, and Iranian Hackers Target US ICS Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst Host David Shipley reports Fortinet issued emergency hotfixes for a new actively exploited FortiClient EMS unauthenticated RCE zero-day (CVE-2026-35616) affecting 7.4.0.5/7.4.0.6, with over 2,000 exposed instances online and a full fix coming in 7.4.0.7. Anthropic says its Claude "Mythos" model (Project Glasswing) has found thousands of high-severity zero days and demonstrated advanced exploit chaining and sandbox escape, but will not be released publicly; it is being used with major partners and funded with up to $100M in credits plus $4M for open-source security. A postmortem details a North Korea–linked social-engineering supply-chain breach of Axios on NPM, part of a broader campaign spreading 1,700+ malicious packages across multiple ecosystems. US agencies warn Iranian-linked hackers are targeting Rockwell/Allen-Bradley PLCs in critical infrastructure. The White House proposes a $707M cut to CISA, reducing staffing while preserving $1.4B for core cybersecurity. 00:00 Headlines and Sponsor 00:55 Fortinet EMS Zero Day 03:21 AI Finds Zero Days 05:56 Axios Supply Chain Breach 08:02 North Korea Package Campaign 10:13 Iran Targets Industrial Control 12:22 CISA Budget Cuts Debate 14:05 Wrap Up and Thanks 14:59 Sponsor Message Meter

North Korea's $285M Crypto Heist, China Breaches FBI System, Delve Faces New Allegations

Host David Shiple covers major cybersecurity news: investigators attribute a record $285 million April 1 hack of crypto platform Drift Protocol to North Korea, describing a three-week setup involving a fake "Carbon Vote Token," wash trading to inflate value, social engineering to pre-approve backdoored transactions, Drift's removal of a timelock, and rapid collateralized withdrawals that crashed Drift's token and are now tracked by TRM Labs; the report notes North Korea's 2025 crypto theft total of $2.5B and lifetime total surpassing $7B after this incident, alongside mention of a North Korea-linked supply-chain compromise of the widely used Axios package. Stryker Medical says it has fully recovered from a March 11 Iran-linked wiper attack that used a compromised admin account and Microsoft Intune, prompting Microsoft guidance on multi-admin approval for wipes. The FBI labels a suspected China-linked breach of a U.S. surveillance system a "major incident," likening it to the 2024 Salt Typhoon campaign, while Sen. Mark Warner cites staffing cuts and leadership turmoil at CISA. TechCrunch reports embattled compliance startup Delve faces new claims it repackaged an open-source tool (Sim Studio) as its own "Pathways," as Delve denies broader fraud allegations, says it was targeted by a malicious actor, and Y Combinator cuts ties. Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst 00:00 Headlines And Sponsor 00:54 North Korea Crypto Heist 01:16 How The Drift Hack Worked 03:20 Bigger DPRK Crypto Trend 04:24 Stryker Wiper Recovery 06:39 China Breach Major Incident 08:38 Policy And Staffing Fallout 09:37 Delve Startup In Crisis 10:29 Stolen Software Allegations 13:12 Delve Fights Back YC Cuts Ties 14:35 Wrap Up And Thanks 15:12 Sponsor Message Meter 00:00 Headlines And Sponsor 00:54 North Korea Crypto Heist 01:16 How The Drift Hack Worked 03:20 Bigger DPRK Crypto Trend 04:24 Stryker Wiper Recovery 06:39 China Breach Major Incident 08:38 Policy And Staffing Fallout 09:37 Delve Startup In Crisis 10:29 Stolen Software Allegations 13:12 Delve Fights Back YC Cuts Ties 14:35 Wrap Up And Thanks 15:12 Sponsor Message Meter

Electric Vehicles and EV Security - Steve Visconti CEO of Xiid Corporation with David Shipley

EV Charging Infrastructure Security: How Hackers Could Disrupt Chargers, Networks, and the Grid Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst In this holiday weekend edition of Cybersecurity Today, Jim Love introduces David Shipley's interview with Steve Visconti, CEO of Xiid Corporation, about cybersecurity risks in electric vehicle (EV) charging infrastructure. Visconti explains Xiid's software-based security layer for IP networks, aimed at critical infrastructure across enterprise, public sector, and DOD environments, and its growing focus on OT/IoT such as EV charging systems. The discussion highlights how EV chargers connect vehicles, homes, back-office billing/control systems, cloud services, and potentially vehicle-to-grid power flows, creating large-scale attack surfaces that could enable disruption, DDoS activity, or broader grid instability. Visconti argues for "unreachability" architectures that close ports and remove static exposure while allowing only registered users and machine-to-machine access. The interview also touches on concerns about vulnerabilities leading to fires, supply-chain risks, and policy debates such as government-accessible vehicle kill switches. 00:00 Holiday Weekend Intro 01:46 Meet Steve Visconti 04:16 EV Charging Symposium 06:40 Vehicle to Grid Risks 09:16 Fires and Attack Vectors 12:14 Making Chargers Unreachable 14:37 Car as the Threat 19:05 Awareness and DDoS Reality 23:09 Government Kill Switch Debate 24:49 Wrap Up and Sponsor Thanks