Cybersecurity Daily: News & Threats · 25 Jun 2026 · 4 min

Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate

Three critical infrastructure zero-days — Lantronix, Ubiquiti, and Cisco — moved from disclosed to actively exploited within 48 hours, while a stealthy npm supply chain attack deployed a Windows RAT against Chrome credentials. Today's briefing also covers OpenAI's GPT-5.5-Cyber defender tool, a federal post-quantum cryptography deadline, and two major Texas data breaches affecting millions.

What's covered

Three RCEs Hit Infrastructure

Three separate critical infrastructure vulnerabilities moved from disclosed to actively exploited within forty-eight hours, affecting Lantronix, Ubiquiti, and Cisco.

Ubiquiti UniFi RCE Chain

Ubiquiti's UniFi OS situation is arguably more immediately scalable. Three maximum-severity flaws, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, can be chained together in a single HTTP request to deliver full root access.

npm PostCSS RAT Campaign

The npm ecosystem has another supply chain problem. Three packages, postcss-minify-selector-parser, postcss-minify-selector, and aes-decode-runner-pro, were designed to impersonate the widely-used PostCSS toolchain.

OpenAI GPT-5.5-Cyber Launch

OpenAI released GPT-5.5-Cyber to trusted defenders, paired with a Patch the Planet initiative involving curl, NATS, and ten other major open-source projects. Early results are real: eight Linux kernel memory leaks found, along with a twenty-three-year-old OpenBSD flaw.

Federal Post-Quantum Deadline

Executive Order 14409, signed June 22, makes post-quantum cryptography binding for federal high-value assets by December 31, 2030. Agencies must appoint migration leads within 30 days.

Texas Breach Watch

Two breach disclosures out of Texas are worth tracking together. Texas Parks and Wildlife lost data on three million hunting and fishing license holders through a vendor compromise.

Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.