For the first time, ransomware has been confirmed running entirely without human operators — JADEPUFFER exploited Langflow CVE-2025-3248, chained Nacos bypasses, and moved laterally with no one at the controls. Today's briefing also covers Scattered Spider's arrest via Windows telemetry, Oracle EBS active exploitation, SimpleHelp's Djinn Stealer campaign, and critical Roundcube patches.
Audio is available on Spreaker — see link below.
For the first time, a ransomware attack has been confirmed running entirely without human operators. No one was watching the terminal.
Langflow is an open-source Python framework for building AI agent workflows. Internet-exposed instances store API keys and cloud credentials as operational data.
Shifting to the broader vulnerability picture, SimpleHelp remote management software is now under active exploitation. CVE-2026-48558 is an authentication bypass that's being used to deploy a new malware family called Djinn Stealer.
Oracle E-Business Suite is also under pressure. The Payments module has a critical flaw, CVE-2026-46817, and active exploitation attempts have been logged since July first.
On the law enforcement side, a nineteen-year-old suspected Scattered Spider operator was arrested by the FBI and Finnish authorities. The attribution came through Windows eleven device identifier telemetry.
Two more items worth flagging quickly. Roundcube Webmail patched six vulnerability classes in releases one-point-seven-point-two and one-point-six-point-seventeen, including stored and zero-click XSS, SSRF bypasses, and session injection.
The watchpoints going forward are narrow and specific. First, patch velocity on Langflow.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.