Cleartext

Cleartext – May 19, 2026

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 3 topic areas, including: Verizon Breach Report: Vulnerability Exploitation Surges; Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering; The New Phishing Click: How OAuth Consent Bypasses MFA.

Stories Covered
📡 Macro Trends

Verizon Breach Report: Vulnerability Exploitation Surges

BankInfoSecurity · May 19 · Relevance: █████████░ 9/10

Why it matters to CISOs: The 2026 Verizon DBIR is essential board-level intelligence — the finding that half of all breaches now involve ransomware and that vulnerability exploitation continues to surge provides concrete data to justify patch management and resilience investments.

  • Vulnerability exploitation as an initial access vector continues to surge in the 2026 DBIR
  • Half of all successful breaches now involve some type of ransomware action
  • Patch rollout timelines are slowing even as exploitation increases

Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering

VentureBeat Security · May 18 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Four supply-chain incidents hitting OpenAI, Anthropic, and Meta in 50 days expose a critical blind spot in AI release pipelines — CISOs adopting AI tooling must extend third-party risk assessments to cover CI/CD, dependency, and packaging integrity beyond model safety evaluations.

  • Four supply-chain incidents hit OpenAI, Anthropic, and Meta in 50 days — three adversary-driven and one self-inflicted
  • The Mini Shai-Hulud worm published 84 malicious package versions across 42 @tanstack/* npm packages in six minutes
  • Malicious packages carried valid SLSA Build Level 3 provenance, bypassing supply chain attestation controls

The New Phishing Click: How OAuth Consent Bypasses MFA

The Hacker News · May 19 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The EvilTokens PhaaS platform compromised 340+ M365 orgs in five weeks by abusing OAuth device code flows to bypass MFA entirely — CISOs must evaluate conditional access policies and consider blocking device code authentication flows.

  • EvilTokens PhaaS platform compromised 340+ Microsoft 365 organizations across five countries in five weeks
  • The attack abuses the legitimate microsoft.com/devicelogin OAuth device code flow
  • Victims complete normal MFA challenges, unknowingly granting persistent access to attackers
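Device code sign-ins leave a distinct trace in Entra ID sign-in logs, which is what makes the "alert on it" advice above actionable. The script below is an added example, not code from Cleartext or from The Hacker News article. It assumes the sign-in record fields follow the Microsoft Graph `signIn` resource as I understand it (`authenticationProtocol`, `appDisplayName`, `conditionalAccessStatus`); the log records are constructed, the `ALLOWED_DEVICE_CODE_APPS` allow-list is hypothetical, and the `device_code_block_policy()` body follows the Graph Conditional Access `authenticationFlows` condition to the best of my knowledge, so check it against the current Graph reference before posting it.

```python
"""Flag device code flow sign-ins in Entra ID sign-in log records.

Added example (not from the Cleartext episode). Record layout mirrors the
Microsoft Graph `signIn` resource as I understand it; the records below are
constructed sample data, not real logs.
"""
import json
from collections import Counter

# Constructed NDJSON sign-in records: one JSON object per line.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-05-18T09:12:03Z", "userPrincipalName": "a.lee@example.test", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-05-18T09:15:44Z", "userPrincipalName": "b.khan@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2026-05-18T09:16:02Z", "userPrincipalName": "b.khan@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2026-05-18T10:01:19Z", "userPrincipalName": "c.ortiz@example.test", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "ipAddress": "192.0.2.44", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-05-18T10:30:00Z", "userPrincipalName": "d.wu@example.test", "authenticationProtocol": "ropc", "appDisplayName": "Legacy Mail Sync", "ipAddress": "203.0.113.12", "conditionalAccessStatus": "failure"}
"""

# Hypothetical allow-list: clients that legitimately use device code flow in
# this tenant. Any other app completing a device code sign-in gets a ticket.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signin_log(ndjson: str) -> list[dict]:
    """Parse NDJSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def find_device_code_signins(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return device code flow sign-ins from apps outside the allow-list.

    Each finding keeps what an analyst needs for triage: who, from where,
    into which app, and whether Conditional Access touched the request.
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("appDisplayName") in allowed_apps:
            continue
        findings.append({
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "time": rec.get("createdDateTime"),
            # "notApplied" means no CA policy was in scope for this request,
            # so the flow was neither blocked nor constrained.
            "ca_status": rec.get("conditionalAccessStatus"),
        })
    return findings


def users_by_finding_count(findings) -> dict:
    """Count flagged sign-ins per user so repeated token grants stand out."""
    return dict(Counter(f["user"] for f in findings))


def device_code_block_policy() -> dict:
    """Conditional Access policy body that blocks device code flow tenant-wide.

    Assumption: follows the Graph `conditionalAccessPolicy` schema with the
    `authenticationFlows.transferMethods` condition. Start in report-only
    state and review the sign-in log before switching to "enabled".
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    hits = find_device_code_signins(recs)
    for f in hits:
        print(f"{f['time']} {f['user']} via {f['app']} from {f['ip']} (CA: {f['ca_status']})")
    print(users_by_finding_count(hits))
```

On the constructed data the two "Microsoft Office" device code sign-ins for one user are reported and the allow-listed Azure CLI sign-in is not; the `notApplied` Conditional Access status on the reported rows is the signal that no policy was scoped to the flow, which is the gap a report-only block policy is meant to surface before enforcement.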

🔓 Data Breach

CISA Admin Leaked AWS GovCloud Keys on Github

Krebs on Security · May 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: A CISA contractor publicly exposing GovCloud credentials and internal deployment details is a worst-case supply chain and insider risk scenario — CISOs should use this to justify stricter secrets management and CI/CD pipeline audits across their own organizations.

  • A CISA contractor maintained a public GitHub repo exposing credentials to highly privileged AWS GovCloud accounts
  • The archive included files detailing how CISA builds, tests, and deploys software internally
  • Security experts called it one of the most egregious government data leaks in recent history
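The secrets-management audit this story argues for starts with a scan of what is already committed. The script below is an added example, not code from Cleartext, Krebs on Security or CISA. It walks a repository checkout and flags AWS access key IDs and secret access keys by pattern, and goes one step beyond the story by also matching GitHub classic personal access tokens (the `ghp_` format); a Shannon-entropy floor drops zero-filled placeholders so example configs are not reported. The sample files, paths and thresholds are constructed assumptions, and the AWS key values are the well-known AWS documentation examples.

```python
"""Scan a repository checkout for committed cloud credentials.

Added example (not from the Cleartext episode or the Krebs article). Detects
AWS access key IDs, AWS secret access keys and GitHub classic PATs by pattern,
then drops low-entropy matches so placeholder values are not reported.
Sample files and key values below are constructed; the AWS values are the
AWS documentation examples.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Pattern name -> compiled regex. Where a group is present it captures the
# secret itself; otherwise the whole match is the secret.
PATTERNS = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # 40-char secret near an "aws ... secret" label; the label keeps noise down
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,30}?secret.{0,30}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # GitHub classic personal access token: ghp_ followed by 36 alphanumerics
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
MIN_ENTROPY = 3.0          # bits per character; an assumption, tune per repo
SKIP_DIRS = {".git", "node_modules", ".venv"}
MAX_FILE_BYTES = 1_000_000


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<string>") -> list[dict]:
    """Return findings for one file's contents, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                if shannon_entropy(value) < MIN_ENTROPY:
                    continue  # e.g. "000...0" placeholders in example configs
                findings.append({
                    "path": path,
                    "line": line_no,
                    "kind": kind,
                    "preview": value[:4] + "...",  # never log the full secret
                })
    return findings


def scan_tree(root: str) -> list[dict]:
    """Walk a checkout, skipping VCS and dependency dirs and oversized files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > MAX_FILE_BYTES:
                continue
            with open(full, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return findings


if __name__ == "__main__":
    # Constructed mini-repo: one leaked env file, one harmless placeholder.
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "deploy"))
        with open(os.path.join(repo, "deploy", "cloud.env"), "w") as fh:
            fh.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                     "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n")
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("Set aws_secret_access_key = 0000000000000000000000000000000000000000\n")
        for f in scan_tree(repo):
            print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

Run it against a checkout root instead of the temporary directory to get a first inventory; the preview field is deliberately truncated so the scan report itself does not become a second copy of the leaked material. A pattern scan of the working tree only covers the current revision, so the follow-up for a real audit is the same scan over each commit in history and a rotation of every credential found, since a key that was ever public has to be treated as compromised.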

NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people

TechCrunch Security · May 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: A 1.8M-record healthcare breach involving biometric data (fingerprints) raises the stakes on irreversible data exposure — CISOs should reassess biometric data handling, storage, and incident response plans given that biometrics cannot be reset like passwords.

  • NYC Health + Hospitals confirmed hackers stole personal data, medical records, and biometric scans including fingerprints
  • At least 1.8 million people are affected, making it one of the largest breaches of 2026
  • The breach impacts a major public healthcare system serving New York City

Grafana refuses to pay ransom after codebase theft

The Record (Recorded Future) · May 18 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Grafana's breach via a stolen GitHub token and public refusal to pay ransom is a case study in token/secret management failures and incident response transparency — CISOs should audit PAT and service account hygiene across development environments.

  • Hackers gained access to Grafana Labs' codebase through a stolen GitHub access token
  • Grafana Labs publicly refused to pay the extortion demand
  • Grafana is a widely used open-source observability platform across enterprises

7-Eleven confirms data breach claimed by the ShinyHunters gang

BleepingComputer · May 19 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: ShinyHunters claiming another major retailer reinforces the persistent threat to large consumer-facing enterprises — CISOs in retail and adjacent sectors should ensure threat intelligence covers this prolific extortion group's evolving TTPs.

  • 7-Eleven confirmed a systems breach originally claimed by ShinyHunters last month
  • ShinyHunters is a well-known extortion group previously behind major breaches
  • The convenience store chain is a global enterprise with extensive customer data

🚨 Critical Vulnerability

Microsoft Exchange Zero-Day Under Attack, No Patch Available

Dark Reading · May 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: An actively exploited Exchange zero-day (CVE-2026-42897) with no patch available demands immediate mitigation action — CISOs with OWA-exposed environments should implement compensating controls and monitor for mailbox compromise.

  • CVE-2026-42897 is an XSS vulnerability in Exchange affecting Outlook Web Access (OWA) mailboxes
  • The vulnerability is under active exploitation with no patch currently available
  • Attackers can compromise OWA mailboxes through the flaw

Further Reading

  • 📡 Verizon Breach Report: Vulnerability Exploitation Surges — BankInfoSecurity
  • 📡 Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering — VentureBeat Security
  • 📡 The New Phishing Click: How OAuth Consent Bypasses MFA — The Hacker News
  • 🔓 CISA Admin Leaked AWS GovCloud Keys on Github — Krebs on Security
  • 🔓 NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people — TechCrunch Security
  • 🔓 Grafana refuses to pay ransom after codebase theft — The Record (Recorded Future)
  • 🔓 7-Eleven confirms data breach claimed by the ShinyHunters gang — BleepingComputer
  • 🚨 Microsoft Exchange Zero-Day Under Attack, No Patch Available — Dark Reading

Full Transcript

Jordan: A CISA contractor left highly privileged AWS GovCloud credentials sitting in a public GitHub repository. Not encrypted. Not rotated. Public. Security researchers are calling it one of the most egregious government data leaks in recent history. And it's Tuesday.

Alex: Welcome to Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we are not short on material. The 2026 Verizon DBIR dropped and the headline numbers deserve your attention. We've got an Exchange zero-day with no patch, a PhaaS platform that's making MFA irrelevant for hundreds of Microsoft 365 organizations, AI supply chain attacks hitting the biggest names in the industry, and two major breaches — one involving 1.8 million people's fingerprints. Let's get into it.

Jordan: Start with the DBIR because this is your board ammunition for the next budget cycle. Verizon's 2026 report confirms two things that should not surprise anyone in this audience but will absolutely land differently when you're citing an industry benchmark. Vulnerability exploitation as an initial access vector continues to surge. And half — half — of all successful breaches now involve some form of ransomware action. The other number that matters: patch rollout timelines are slowing. Not holding steady. Slowing. Exploitation is going up, patching speed is going down. That's not a trend, that's a collision.

Alex: And here's the strategic framing for your CFO conversation. This report gives you third-party validation to defend every dollar you're spending on patch management tooling, vulnerability prioritization, and ransomware resilience. The board doesn't want to hear your threat model. They want to hear what happened to everyone else. The DBIR is that story. Use it.

Jordan: Speaking of patches that don't exist yet — CVE-2026-42897. Active exploitation, no fix. This is an XSS vulnerability in Exchange hitting Outlook Web Access mailboxes. If you have OWA exposed to the internet, this is not a watch-and-wait situation.

Alex: The compensating controls conversation here is straightforward: restrict external access to OWA where you can, implement WAF rules targeting the XSS vector, and get your SOC hunting for mailbox manipulation indicators now. Don't wait for Microsoft's patch cadence to protect an exposed attack surface.

Jordan: What I'd add — and this is worth flagging for anyone still running on-premises Exchange — this vulnerability is a reminder that legacy mail infrastructure sitting on the perimeter is a persistent liability. The pressure to migrate isn't just about features.

Alex: Let's talk about OAuth phishing, because this is the MFA story that should make you revisit your conditional access architecture today. The EvilTokens PhaaS platform compromised more than 340 Microsoft 365 organizations across five countries in five weeks. Here's the mechanism: attackers send targets a message asking them to visit microsoft.com/devicelogin and enter a short code. The user does it. They complete their normal MFA challenge. They think they've authenticated into something legitimate. They haven't. They've handed attackers a persistent OAuth token tied to their account.

Jordan: The genius of this attack — and I use that word reluctantly — is that there is no phishing page. The victim goes to a real Microsoft domain, completes a real MFA prompt, and walks away feeling secure. The attack abuses the device code flow, which was designed for scenarios like smart TVs and printers that can't handle browser-based authentication. It was never intended to be an enterprise identity pathway, and it's being weaponized systematically.

Alex: The action item is direct: evaluate whether your organization actually needs device code authentication flows enabled. For most enterprise environments, the answer is no. Block it in conditional access. If you can't block it entirely, scope it tightly and alert on it. 340 organizations in five weeks is a significant deployment rate for a platform that's been live since February.

Jordan: Now let's spend some time on AI supply chain, because four incidents in 50 days across OpenAI, Anthropic, and Meta is a pattern, not a coincidence. The critical insight here is that none of these attacks targeted the model itself. They targeted the release pipeline — CI runners, dependency hooks, packaging gates.

Alex: This is the maturity gap in how most organizations are thinking about AI risk. Vendor questionnaires ask about model safety evaluations, responsible disclosure processes, red team assessments. Almost none of them ask about artifact integrity, dependency management, or CI/CD security for the AI tooling you're ingesting. That's the gap these attackers are walking through.

Jordan: The Mini Shai-Hulud worm is the specific case worth examining. On May 11th, it published 84 malicious package versions across 42 npm packages in the tanstack namespace — in six minutes. The packages carried valid SLSA Build Level 3 provenance. Build-level attestation did not save anyone here. The integrity signal was legitimate. The packages were not.

Alex: Which means your third-party risk program needs a new appendix. If you are onboarding AI tooling — and you are — your vendor security assessments need to include questions about CI/CD pipeline integrity, artifact signing beyond basic provenance, and incident response for supply chain compromise scenarios. This is not covered by most existing frameworks.

Jordan: Two breach stories that belong together because they share a root cause: secret sprawl and token hygiene.

Alex: Start with CISA, because the irony is uncomfortable. A CISA contractor maintained a public GitHub repository containing credentials to highly privileged AWS GovCloud accounts. The repo also included internal documentation on how CISA builds, tests, and deploys software. Experts are calling it one of the most egregious government data leaks in recent history. The agency responsible for protecting critical infrastructure had a contractor exposing its own deployment architecture to the public internet.

Jordan: The lesson here isn't to pile on CISA. The lesson is that this exact scenario is replicating itself silently in enterprise environments right now. Developer repos with hardcoded credentials, service account tokens committed alongside application code, CI/CD pipelines with embedded secrets that have never been audited. This is the baseline. Not the exception.

Alex: Your action coming out of this story: run a secrets scanning pass across your GitHub organizations this week. Tools exist for this. The question is whether you've prioritized it. CISA's incident should make that prioritization easier.

Jordan: Grafana reinforces it. Hackers gained access to Grafana Labs' entire codebase through a stolen GitHub access token. Grafana publicly refused to pay the ransom, which I respect as a posture, but the access vector is the story. One compromised personal access token. That's the blast radius.

Alex: And Grafana is widely deployed observability infrastructure. If you're running it in your environment, your security team should already be reviewing whether your Grafana instance has been updated and whether any downstream integrity concerns apply to your deployment.

Jordan: Quickly on 7-Eleven — ShinyHunters has confirmed another major brand. Retail CISOs know this group well. They are systematic, they are prolific, and their TTPs evolve. If you're in consumer-facing enterprise and you're not actively tracking ShinyHunters' current playbook in your threat intel program, fix that.

Alex: The breach story with the longest tail is NYC Health + Hospitals. 1.8 million people. Stolen medical records. And fingerprints. This is where healthcare breach severity calculus changes.

Jordan: You cannot issue someone new fingerprints. That's the distinction that matters. Every other credential compromise has a remediation path — reset the password, revoke the token, reissue the card. Biometric data is permanently compromised once it's stolen. The irreversibility changes the liability picture and it should change how you store it.

Alex: If your organization collects biometric data — and increasingly they do, whether for access control, fraud prevention, healthcare records — your incident response plan needs a biometric-specific track. What's your notification obligation? What's your remediation offer to affected individuals? What does recovery actually look like when the compromised data can't be replaced? Most IR playbooks haven't answered those questions yet.

Jordan: Outlook for the week. The theme I keep coming back to across everything we've covered today is that defenders are being systematically outpaced in the areas they assumed were mature. Patch management — slowing. MFA — bypassed. Supply chain attestation — circumvented. Secrets management — still failing at CISA. The adversary surface isn't expanding because attackers found new zero-days. It's expanding because the fundamentals aren't holding.

Alex: What I'd tell any CISO walking into a board meeting this week: the 2026 DBIR gives you the macro narrative. The Exchange zero-day gives you immediate urgency. The OAuth story gives you a reason to reopen your identity architecture conversation. And the CISA breach gives you the internal audit justification you may have been waiting for. This is a week where the news cycle actually hands you leverage. Use it deliberately.

Jordan: Watch the Exchange patch timeline closely. Microsoft has not committed to an out-of-band release as of this recording. If that changes, we'll flag it.

Alex: That's Cleartext for Tuesday, May 19th. Show notes and links to every story we covered today are at cleartext.fm. If this was useful, share it with a peer who needs it. We'll be back tomorrow.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-19.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
