Cleartext

Cleartext – April 23, 2026



Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 9 stories across 6 topic areas, including: China’s cyber capabilities now equal to the US, warns Dutch intelligence; Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector; Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks.

Stories Covered
🌍 Geopolitical

China’s cyber capabilities now equal to the US, warns Dutch intelligence

The Record (Recorded Future) · Apr 22 · Relevance: █████████░ 9/10

Why it matters to CISOs: A Western intelligence agency formally assessing China as a peer-level cyber adversary reframes risk models for any enterprise with exposure to Chinese supply chains, IP, or operations in the Asia-Pacific region.

  • Dutch intelligence formally states China's cyber capabilities now match those of the United States
  • Operations are described as so sophisticated they regularly evade intelligence agencies and cybersecurity defenders
  • The threat is characterized as largely unmet by current defensive postures

Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector

The Record (Recorded Future) · Apr 22 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Wiper attacks on energy infrastructure signal continued escalation of destructive cyber operations against critical sectors—CISOs in energy, utilities, and adjacent industries should review resilience and recovery playbooks.

  • Previously unknown wiper malware was deployed against Venezuela's energy and utilities sector
  • The attack was designed to destroy systems rather than extort or steal data
  • Attribution remains unclear but the target profile suggests state-level or politically motivated actors

📡 Macro Trends

Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks

Help Net Security · Apr 23 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Hard data on ransomware severity ($508K average), remote access as the dominant entry vector (87% of ransomware claims), and rising claim frequency gives CISOs concrete evidence for board-level risk quantification and insurance renewal planning.

  • Overall cyber insurance claim frequency rose 7% YoY with average severity hitting an all-time high of $221,000
  • Ransomware claim severity reached $508,000, up 16% from prior year
  • Remote access services were the entry point for 87% of ransomware claims in 2025

🔓 Data Breach

France confirms data breach at government agency that manages citizens’ IDs

TechCrunch Security · Apr 22 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A breach of a national identity document agency represents a high-severity identity fraud risk for any enterprise with French employees or customers, and raises questions about government-held PII security across jurisdictions.

  • The French agency responsible for national IDs and passports confirmed a breach
  • Personal information of an unspecified number of citizens was stolen
  • The breach affects the agency that issues and manages identity documents for French citizens

Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

The Hacker News · Apr 22 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A self-propagating worm that steals npm tokens and spreads through compromised repositories represents a novel escalation in software supply chain attacks that could affect any enterprise running JavaScript/Node.js applications.

  • A self-propagating worm dubbed CanisterSprawl spreads via stolen npm developer tokens
  • Compromised packages automatically infect downstream repositories, creating worm-like propagation
  • Stolen data is exfiltrated using ICP canisters, a decentralized hosting mechanism harder to take down

⚖️ Governance & Policy

CISA director pick Sean Plankey withdraws his nomination

CyberScoop · Apr 22 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's continued leadership vacuum directly affects federal cybersecurity guidance, threat advisories, and public-private coordination that enterprise security teams depend on for incident response and threat intelligence.

  • Sean Plankey withdrew after waiting over a year for confirmation
  • CISA is now in further organizational upheaval without permanent leadership
  • The withdrawal leaves the agency's strategic direction uncertain during a period of escalating nation-state threats

House Republicans roll out national privacy bill

CyberScoop · Apr 22 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A federal privacy law would reshape data handling obligations, potentially preempting the patchwork of state laws that CISOs currently navigate, but lack of bipartisan support signals this may stall—worth tracking for compliance planning.

  • House Republicans introduced federal privacy legislation modeled on Virginia and Kentucky state laws
  • The bill lacks bipartisan support, raising doubts about passage
  • If enacted, it would create a single national standard replacing the current state-by-state compliance burden

🚀 Startup Ecosystem

Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix

BankInfoSecurity · Apr 23 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A Cisco acquisition of Astrix at $250-350M validates non-human identity as a critical enterprise security category and could reshape how organizations manage service accounts, API keys, and machine identities across hybrid environments.

  • Cisco reportedly in talks to acquire Astrix Security for $250M-$350M
  • Deal represents at least a 25% premium over Astrix's last $200M valuation
  • Acquisition would expand Cisco's identity security portfolio beyond authentication and ITDR into non-human identity management

🚨 Critical Vulnerability

CISA orders feds to patch BlueHammer flaw exploited as zero-day

BleepingComputer · Apr 23 · Relevance: ████████░░ 8/10

Why it matters to CISOs: An actively exploited zero-day in Microsoft Defender—a ubiquitous enterprise endpoint tool—with CISA issuing emergency patching orders means this requires immediate attention across virtually all Windows environments.

  • Microsoft Defender privilege escalation flaw dubbed 'BlueHammer' is being actively exploited as a zero-day
  • CISA has added it to KEV and ordered federal agencies to patch immediately
  • The flaw affects Microsoft Defender, which is deployed across the vast majority of enterprise Windows endpoints

Further Reading

  • 🌍 China’s cyber capabilities now equal to the US, warns Dutch intelligence · The Record (Recorded Future)
  • 🌍 Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector · The Record (Recorded Future)
  • 📡 Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks · Help Net Security
  • 🔓 France confirms data breach at government agency that manages citizens’ IDs · TechCrunch Security
  • 🔓 Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens · The Hacker News
  • ⚖️ CISA director pick Sean Plankey withdraws his nomination · CyberScoop
  • ⚖️ House Republicans roll out national privacy bill · CyberScoop
  • 🚀 Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix · BankInfoSecurity
  • 🚨 CISA orders feds to patch BlueHammer flaw exploited as zero-day · BleepingComputer
Full Transcript

Jordan: Dutch intelligence just told the world something that most Western security leaders weren't ready to hear out loud: China is now a peer-level cyber adversary to the United States. Not close. Not approaching. Peer. Let that sit for a moment before we get into everything else today.

Alex: Welcome to Cleartext. It's Thursday, April 23rd, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering the Dutch intelligence assessment on China's cyber capabilities, a wiper attack on Venezuela's energy sector, fresh data from the cyber insurance market that your CFO is going to want to see, France's national ID agency breach, a self-propagating supply chain worm in the npm ecosystem, the ongoing CISA leadership vacuum, a federal privacy bill that may or may not matter, a notable acquisition in the non-human identity space, and an actively exploited zero-day in Microsoft Defender. Tight show today. Let's get into it.

Jordan: The lead story is the Dutch AIVD assessment, and it matters for reasons beyond the headline. Western intelligence agencies don't use the word "peer" casually. For years, the framing around China was "sophisticated but below US capability." That framing is now officially retired, at least in The Hague. What the Dutch are actually saying is that Chinese cyber operations are so technically refined that they are routinely evading both intelligence agencies and commercial defenders. Routinely. That's not a warning about potential. That's a damage assessment.

Alex: And here's the board implication that CISOs need to sit with. If your current risk model treats China as a capable but detectable threat, you have a model problem. The defensive gap that the Dutch are describing—where operations are being missed at the intelligence community level—means that enterprise telemetry alone is not going to catch this. If you have IP that's competitively valuable, manufacturing in the Asia-Pacific region, or supply chain exposure to Chinese vendors, you need to be having a very different conversation about assumed compromise versus detection-first postures.

Jordan: The geopolitical context here also matters. This assessment isn't coming from Washington. It's coming from a close NATO ally with its own robust intelligence apparatus and, frankly, significant economic exposure to China. When the Dutch say this publicly, they're accepting diplomatic friction to make the point. That tells you how serious they believe the situation is. This isn't political positioning. This is a professional intelligence judgment.

Alex: Let's connect the second geopolitical story here because it's thematically related, even if the geography is different. A previously unknown wiper malware was deployed against Venezuela's energy and utilities sector. No ransom demand, no data exfiltration objective. The goal was destruction.

Jordan: Wiper campaigns are the clearest signal that an attacker's objective is not financial—it's coercive or punitive. Venezuela's energy sector has been a geopolitical flashpoint for years. Attribution here is unclear, but the target profile and the tool design both point toward state-level or state-sponsored actors. For CISOs in energy, utilities, and critical infrastructure, the takeaway is not "watch Venezuela." It's that destructive attacks on OT-adjacent environments are an active and escalating pattern globally. Your resilience and recovery posture needs to be tested, not assumed.

Alex: Now let's talk money, because the cyber insurance data out today from At-Bay is exactly what you need to walk into a board meeting or a budget conversation. Overall claim frequency up seven percent year over year. Average severity at an all-time high of two hundred twenty-one thousand dollars. But ransomware is where it gets serious: average claim severity of five hundred eight thousand dollars, up sixteen percent from last year.

Jordan: And the entry vector number is the one that should sting. Eighty-seven percent of ransomware claims in 2025 traced back to remote access services. VPNs, RDP, remote management tools. We have been saying this for years. The insurers now have a hundred thousand policy years of data that confirm it. If you're walking into an insurance renewal and you haven't made demonstrable improvements to remote access security—MFA enforcement, privileged access management, exposed service reduction—you are going to face it at the table.

Alex: Use this report. The five-hundred-eight-thousand-dollar average ransomware severity figure is a concrete number you can put in front of a CFO or a board risk committee to justify controls investment. That's the value of hard actuarial data in a domain that's spent too long arguing from hypotheticals.

Jordan: On the breach front, France confirmed that the government agency responsible for issuing national IDs and passports was compromised. Number of affected citizens: unspecified, which in government-breach language usually means large. The practical concern for enterprise security leaders is twofold. First, if you have French employees or customers, their government-issued identity documents may be compromised, which has real implications for identity verification and fraud risk. Second, this is a reminder that government-held PII repositories are high-value, high-consequence targets, and the controls protecting them are not always commensurate with that value.

Alex: Staying on breach, the CanisterSprawl story is the one your AppSec and DevOps teams need to see today. A self-propagating worm is moving through the npm ecosystem by stealing developer tokens and using those tokens to compromise downstream repositories automatically. It's not just malicious packages sitting in a registry waiting to be pulled. It's a worm that spreads from developer to developer through their own credentials.

Jordan: The exfiltration mechanism is also worth noting. Stolen data is being routed through ICP canisters—decentralized infrastructure that's significantly harder to take down than a conventional C2 server. Whoever built this thought carefully about persistence and resilience. If your engineering teams have npm packages they maintain or contribute to, token hygiene and secrets scanning in your CI/CD pipeline need to be verified, not assumed.

Alex: Two governance stories that belong together. CISA's nominated director, Sean Plankey, has withdrawn after waiting more than a year for Senate confirmation. And House Republicans have dropped a federal privacy bill with no bipartisan support. The CISA story is the more urgent of the two.

Jordan: CISA without permanent leadership during a period of escalating nation-state activity is a structural problem that affects every enterprise security team that depends on federal threat advisories, coordinated vulnerability disclosure, and public-private incident response coordination. The agency is operationally functioning, but strategic direction matters. Watch for impact on the quality and cadence of joint advisories over the coming months.

Alex: On the privacy bill—model it but don't bet on it. A federal standard preempting state law would simplify compliance architectures that are currently managing CCPA, Virginia's CDPA, and an expanding list of state frameworks simultaneously. But without bipartisan support, this stalls. Track it. Don't build a compliance program around it yet.

Jordan: Quick note on the Cisco and Astrix story. Cisco is reportedly in late-stage talks to acquire the non-human identity startup for somewhere between two-fifty and three-fifty million. That's a meaningful premium over Astrix's last valuation and a strong signal that non-human identity—service accounts, API keys, OAuth tokens, machine-to-machine credentials—is now a board-level security category, not a niche product feature. If you haven't audited your non-human identity surface recently, the market is telling you that your adversaries have.

Alex: And before we get to the outlook, the operational item you need to action today: BlueHammer. CISA has added a Microsoft Defender privilege escalation vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch immediately. This is being actively exploited as a zero-day. Microsoft Defender is deployed across the overwhelming majority of enterprise Windows environments. Patch it. Today. No further analysis required.

Jordan: Stepping back to the week's emerging theme: we are watching a maturation of the threat landscape that is outpacing defensive evolution. The Dutch assessment says China is operating at a level that evades professional defenders. The insurance data says remote access—a solved problem technically—is still responsible for nearly nine in ten ransomware entries. CanisterSprawl says supply chain attacks are gaining self-replication capability. These are not incremental changes. The gap between what sophisticated attackers can do and what most enterprise programs are resourced to stop is widening.

Alex: And the governance infrastructure that's supposed to help close that gap—CISA, federal coordination mechanisms, even something as basic as a consistent national privacy framework—is in a moment of significant uncertainty. For CISOs, the implication is that you cannot assume external scaffolding will fill the gaps. The board conversation has to shift from "are we compliant" to "are we resilient when the scaffolding isn't there."

Jordan: Which is, frankly, where it should have been all along.

Alex: That's Cleartext for Thursday, April 23rd. If this was useful, share it with a peer who needs the signal without the noise. We'll be back tomorrow. Stay sharp.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-23.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
