
Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 8 stories across 5 topic areas, including: Australia launches cyber review board modeled on version disbanded in US; Everest Group Begins Leaking Alleged Liberty Mutual Data; Trellix discloses data breach after source code repository hack.
The Record (Recorded Future) · May 05 · Relevance: 7/10
Why it matters to CISOs: Australia's new no-fault Cyber Incident Review Board signals a global trend toward systemic post-incident analysis; CISOs with APAC operations should prepare for potential participation in reviews and align incident response processes accordingly.
BankInfoSecurity · May 05 · Relevance: 8/10
Why it matters to CISOs: A major insurer suffering a 108GB data leak including policyholder details has direct implications for any enterprise relying on cyber insurance; CISOs should assess third-party risk exposure and review whether their own policy data may be affected.
BleepingComputer · May 04 · Relevance: 8/10
Why it matters to CISOs: A security vendor's own source code being breached raises serious supply chain trust questions; CISOs running Trellix products should assess whether compromised code could introduce vulnerabilities into their environments.
BankInfoSecurity · May 05 · Relevance: 8/10
Why it matters to CISOs: Five Eyes joint guidance on agentic AI risks sets the baseline for how regulators and auditors will evaluate enterprise AI governance; CISOs deploying autonomous agents need to align with zero trust enforcement and human oversight recommendations now.
The Hacker News · May 04 · Relevance: 7/10
Why it matters to CISOs: Given MOVEit's history as a major breach vector (2023 Cl0p campaign), any critical auth bypass in MOVEit products demands immediate CISO attention and accelerated patching of MFT infrastructure before exploitation begins.
BankInfoSecurity · May 05 · Relevance: 7/10
Why it matters to CISOs: Cisco's potential $250M-$350M acquisition of Astrix validates non-human identity as a strategic security category; CISOs should evaluate how machine identity governance fits into their IAM roadmap, especially as this market consolidates.
TechCrunch Security · May 04 · Relevance: 9/10
Why it matters to CISOs: An actively exploited Linux kernel vulnerability affecting every mainstream distribution since 2017 poses immediate risk to virtually all enterprise server and container infrastructure; CISOs must prioritize emergency patching of Linux fleets.
TechCrunch Security · May 04 · Relevance: 7/10
Why it matters to CISOs: Mass exploitation of cPanel's authentication bypass affects web infrastructure broadly; CISOs should verify whether any business units or partners use cPanel-managed hosting and ensure immediate patching or mitigation.
Jordan: Your Linux servers. All of them. Every major distribution built since 2017. Being actively exploited, right now. That's where we're starting today.
Alex: Welcome to Cleartext. It's Tuesday, May 5th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Today we've got a full board. An actively exploited Linux kernel vulnerability that touches virtually every enterprise data center and container fleet on the planet. A ransomware gang leaking data from one of the largest insurers in the US. A security vendor's own source code gets breached. Five Eyes dropping joint guidance on agentic AI. A critical MOVEit patch that you do not want to sit on. Australia standing up a cyber review board modeled on the one the US just walked away from. And Cisco making a move in the non-human identity space. Let's get into it.
Jordan: So CopyFail. CISA confirmed active exploitation yesterday of a Linux kernel vulnerability that affects every mainstream distribution built since 2017. That's not hyperbole — that's the advisory. Successful exploitation gives an attacker root access. Full stop. If you are running Linux servers, containers, cloud workloads on standard distributions — and you are — this is your emergency patch event for the week. CISA has it on the Known Exploited Vulnerabilities catalog, which means federal agencies have a deadline. But honestly, so should you.
Alex: The operational calculus here is straightforward. You have a confirmed, active exploit chain targeting infrastructure that underpins most of enterprise computing. Your patching cadence does not matter this week. This supersedes it. Get your Linux fleet inventoried, get patches tested and deployed, and if you can't patch immediately, start thinking about compensating controls — network segmentation, privilege restrictions, enhanced monitoring on those hosts. Brief your team today.
Jordan: And while you're in that mode, cPanel. Separate issue, but same urgency window. Critical authentication bypass in cPanel and WHM, and we're already seeing mass exploitation. Thousands of sites compromised, attacks including ransomware deployment. If any part of your organization or your third-party web infrastructure runs cPanel-managed hosting, you need to know that today. This one has a narrower blast radius than CopyFail, but it's being actively weaponized at scale.
Alex: That brings us to a story that should make every CISO uncomfortable on multiple levels. Everest Group is now publicly leaking what they claim is 108 gigabytes of data from Liberty Mutual. Policyholder details. And they say the insurer failed to respond to their demands.
Jordan: The irony is almost too pointed. A cyber insurer, breached. Policyholder data — which could include details about the security posture and coverage limits of other enterprises — potentially in the hands of a ransomware gang. That's not a hypothetical threat chain. That's a live one.
Alex: There are two things I want CISOs to take from this. First: if you're a Liberty Mutual customer, you need to understand what data they hold about you, what your policy documents contain, and whether that information could inform targeting. Insurance applications are essentially detailed inventories of your weaknesses. Second, and more broadly — your cyber insurer is a third party. They hold sensitive information about you. How often are they in your third-party risk review cycle? For most organizations, the honest answer is not often enough.
Jordan: Liberty Mutual hasn't confirmed the breach scope yet, which is its own problem. When a ransomware gang is publishing your data and you're not communicating, you're losing the narrative entirely.
Alex: Now let's talk about a story that hits closer to home for a lot of us. Trellix disclosed a breach of a portion of its source code repository. Trellix, for context, is a major enterprise security vendor — XDR, endpoint, email security. If you're running Trellix in your environment, your question right now should be: what was in that code, and could a threat actor use it to identify vulnerabilities in the product before patches exist?
Jordan: This is the supply chain trust problem in its purest form. You deploy a security product specifically to defend your environment. That product's source code is now in unauthorized hands. The disclosure says "a portion" of the repository — which is the kind of qualifier that typically means we don't yet know what we don't know. Watch for any follow-on advisories from Trellix closely, and make sure your Trellix deployment is current on patches. If something new drops, you want zero lag time.
Alex: This is also a board conversation. Not necessarily this week, but the pattern — security vendors being breached — is something boards need to understand when they ask about your vendor stack. It's not just about the product. It's about trusting the vendor's own security posture.
Jordan: Switching gears. Five Eyes — the intelligence alliance covering the US, UK, Canada, Australia, and New Zealand — issued joint guidance yesterday on agentic AI. Autonomous AI systems. The kind that don't just answer questions but take actions across your environment.
Alex: And the timing is not coincidental. Enterprises are deploying these systems now, in many cases faster than governance can keep up. The Five Eyes guidance calls out three specific risk domains: identity — these agents need credentials and permissions, and managing that is genuinely hard. Visibility — autonomous agents create action chains that are difficult to audit after the fact. And control — the systems can outpace human decision-making by design.
Jordan: What they're recommending is essentially a zero trust framework applied to AI agents. Least privilege, continuous monitoring, and — this is the one that will create friction — meaningful human oversight checkpoints. The guidance stops short of mandating specifics, but here's what I'd tell CISOs: regulators and auditors will use this document. This is your baseline.
Alex: If you're in a regulated industry and you're deploying autonomous AI agents, you want to be able to demonstrate that you've read this guidance and that your deployment reflects it. Not because you have to today, but because you will have to, and "we weren't aware" is not a defensible position when it's a Five Eyes advisory.
Jordan: MOVEit. I know. I know. But yes, again. Progress Software patched a critical authentication bypass in MOVEit Automation. No confirmed active exploitation yet — emphasis on yet. We all know what happened in 2023. The Cl0p campaign that hit hundreds of organizations in a matter of weeks. MOVEit vulnerabilities do not stay unexploited for long.
Alex: Patch it now. Before the weekend. This is one of those cases where the history of the product tells you everything you need to know about threat actor interest. If you have MOVEit in your environment and you haven't patched by end of week, you're making a bet I wouldn't make.
Jordan: Now let's go to Australia, and this one matters strategically. Australia just launched a Cyber Incident Review Board — no-fault, post-incident reviews of significant attacks on government and industry, focused on systemic lessons. And yes, it's explicitly modeled on the US Cyber Safety Review Board that the current administration disbanded earlier this year.
Alex: The geopolitical read here is interesting. Other Five Eyes partners are essentially picking up governance frameworks the US has walked away from. For CISOs with APAC operations, this is practical: you may be asked to participate in one of these reviews. That means your incident documentation, your post-mortems, your timeline reconstruction all need to be ready for external scrutiny. The no-fault framing is important β this isn't litigation. But it does require transparency.
Jordan: And the bigger picture: as the US retreats from certain multilateral cyber governance structures, allies are filling the gap. That creates a patchwork of obligations for multinationals. If you operate across Five Eyes jurisdictions, you could be subject to review frameworks in multiple countries with different scope and processes. That's worth a conversation with your legal team now, not after an incident.
Alex: Quick note on the Cisco-Astrix story before we hit the outlook. Cisco is reportedly in talks to acquire Astrix Security — a non-human identity startup — for somewhere between 250 and 350 million dollars. Astrix focuses on service accounts, API keys, OAuth tokens. The messy, sprawling identity surface that most organizations have dramatically undercounted.
Jordan: The validation signal here is clear. Non-human identities now outnumber human identities in most enterprise environments by a significant factor. The market is consolidating. If you don't have a non-human identity governance program, you're behind the curve and the vendors are about to make it harder to ignore.
Alex: For the outlook this week, the through-line is pretty stark. CopyFail tells us active exploitation of foundational infrastructure is not slowing down. The Liberty Mutual breach tells us that the institutions we rely on to backstop cyber risk are themselves targets. Trellix tells us that security vendors are not exempt. And the Five Eyes AI guidance tells us that the governance frameworks for the next generation of enterprise risk are being written right now, whether we're at the table or not.
Jordan: What I'm watching: whether CopyFail spawns a secondary wave of intrusions we'll see documented over the next thirty to sixty days, and whether any of the Liberty Mutual policyholder data surfaces in ways that enable targeted attacks against named enterprises. Both of those have meaningful downstream consequences.
Alex: And on the governance side, I'll be watching how quickly APAC regulators begin operationalizing that AI guidance and whether the EU follows with something similar. The patchwork is growing.
Jordan: That's Cleartext for Tuesday, May 5th. Thanks for listening.
Alex: Show notes and links to everything we covered today are at cleartext.fm. We'll be back tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-05.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
By Cleartext