NPM Supply Chain Attack Response

This chapter explores a notable supply chain attack on the NPM ecosystem, detailing the swift response from the open source community that limited the impact of the malicious packages. It also discusses recent U.S. Treasury sanctions on cyber scam individuals, along with rising phishing attacks and evolving malware threats.

Transcript

chevron_right

Play full episode

chevron_right

Transcript

Episode notes

The open source community heads off a major npm supply chain attack. The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia. Scammers abuse iCloud Calendar invites to send callback phishing emails. Researchers discover a new malware variant exploiting exposed Docker APIs. Phishing attacks abuse the Axios user agent and Microsoft’s Direct Send feature. Plex warns users of a data breach. Researchers flag a surge in scans targeting Cisco ASA devices. CISA delays finalizing its incident reporting rule. The GAO says federal cyber workforce figures are incomplete and unreliable. Our guest is Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education going back to school. AI earns its own Darwin awards.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security discussing cybersecurity education going back to school.

Selected Reading

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack (Bleeping Computer)

Open Source Community Thwarts Massive npm Supply Chain Attack (Infosecurity Magazine)

US sanctions companies behind cyber scam centers in Cambodia, Myanmar (The Record)

New Apple Warning, This iCloud Calendar Invite Is Actually An Attack (Forbes)

New Docker Malware Strain Spotted Blocking Rivals on Exposed APIs (HackRead)

Axios User Agent Helps Automate Phishing on “Unprecedented Scale” (Infosecurity Magazine)

Plex Urges Password Resets Following Data Breach (SecurityWeek)

Surge in networks scans targeting Cisco ASA devices raise concerns (Bleeping Computer)

CISA pushes final cyber incident reporting rule to May 2026 (CyberScoop)

US government lacks clarity into its infosec workforce (The Register)

AI Darwin Awards launch to celebrate spectacularly bad deployments (The Register)

Share your feedback.

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

Learn more about your ad choices. Visit megaphone.fm/adchoices

The AI-powered Podcast Player

Save insights by tapping your headphones, chat with episodes, discover the best highlights - and more!

Get the app

Home Top podcasts Popular guests Top books