
Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 10 stories across 4 topic areas, including: China's Webworm Uses Discord, Microsoft Graphs to Hack EU Governments; Belarus-linked hackers use fake training certificates to target Ukrainian officials; European authorities take down prolific cybercrime VPN service.
Dark Reading · May 22 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Chinese APT Webworm is abusing trusted enterprise platforms—Discord and Microsoft Graph API—as C2 channels to compromise EU government networks, signaling that detection strategies relying on domain reputation are increasingly insufficient.
The Record (Recorded Future) · May 21 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: GhostWriter's ongoing spear-phishing campaigns against Ukrainian government officials are a case study in credential-harvesting via trusted brand impersonation—tactics directly applicable to enterprise defense and security awareness programs.
CyberScoop · May 21 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Europol's dismantling of First VPN—a service appearing in nearly every major recent cybercrime investigation and used by over two dozen ransomware gangs—is a meaningful disruption to ransomware infrastructure that enterprise security teams should track for follow-on threat actor behavior changes.
Ars Technica Security · May 22 · Relevance: █████████░ 9/10
Why it matters to CISOs: TeamPCP's software supply chain poisoning campaign—spanning GitHub and npm at scale—represents a systemic threat to enterprise CI/CD pipelines and open-source dependencies that security leaders must assess for exposure across their development toolchains.
Infosecurity Magazine · May 21 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A threat actor compromised a developer's identity and published a trojanized VS Code extension through legitimate marketplace channels, demonstrating that IDE plugin ecosystems are now a credible enterprise attack surface requiring governance.
Help Net Security · May 22 · Relevance: ████████░░ 8/10
Why it matters to CISOs: An FBI-warned Phishing-as-a-Service platform called Kali365 is capturing Microsoft 365 OAuth tokens at scale, bypassing MFA without credential theft—directly threatening the M365 environments that form the productivity backbone of most enterprise organizations.
The Record (Recorded Future) · May 21 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A large-scale breach of a healthcare billing services provider affecting multiple German hospitals reinforces the systemic third-party vendor risk in healthcare supply chains—a concern directly relevant to CISOs managing vendor risk in regulated industries.
CyberScoop · May 21 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Bipartisan congressional pushback on CISA budget cuts signals institutional recognition that federal cyber defense capacity has been dangerously reduced, with direct implications for public-private threat intelligence sharing and incident response support that enterprises rely on.
CyberScoop · May 21 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The delay of a White House AI security executive order—which would have tasked NSA, Treasury, and other agencies with 90-day model security evaluations—creates regulatory uncertainty for enterprises building AI governance frameworks tied to anticipated federal guidance.
The Hacker News · May 22 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A maximum-severity unauthenticated REST API vulnerability in Cisco Secure Workload—an enterprise microsegmentation platform deployed in data center environments—requires immediate patching assessment given the sensitivity of workload telemetry and policy data it handles.
Alex: Welcome to Cleartext. It's Friday, May 22nd, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. Supply chain poisoning at a scale we haven't seen before, Chinese APTs hiding in your Microsoft stack, an FBI warning about a new phishing platform eating M365 tokens for breakfast, a perfect ten Cisco vulnerability, and some important developments on the policy front with CISA funding and the delayed AI executive order. Let's start where Jordan wants to start.
Jordan: Yeah, let's start with the supply chain story because this one should be setting off alarms. A threat group called TeamPCP ran what researchers are calling the Megalodon campaign. In a six-hour window, they pushed 5,718 malicious commits across 5,561 GitHub repositories. Throwaway accounts, forged author identities, injected GitHub Actions workflows with base64-encoded payloads designed to exfiltrate CI/CD secrets. This isn't a theoretical risk anymore. This is industrial-scale poisoning of the open source ecosystem.
Alex: And this isn't happening in isolation. The related story is the Nx Console VS Code extension compromise. A threat actor posed as a legitimate Nx maintainer, published a trojanized extension through the official Visual Studio Marketplace. Grafana Labs confirmed their GitHub environment was breached through the connected TanStack npm supply chain attack. To their credit, Grafana refused extortion demands and hardened their posture, but the attack chain here is what matters. You go from a compromised developer identity to a malicious IDE plugin to enterprise source code repositories. That's three hops from a single identity compromise to crown jewels.
Jordan: What I want CISOs to internalize is that your IDE plugin ecosystem is now an attack surface that requires governance. How many of your developers are installing VS Code extensions without any review process? How many of those extensions have publish permissions that nobody's auditing? This isn't a developer productivity conversation anymore. It's an enterprise security conversation.
Alex: And on the CI/CD side, if you're not monitoring for anomalous commits, if you're not validating the provenance of your GitHub Actions workflows, if you're not treating your build pipeline with the same rigor as your production environment, you are exposed to exactly this kind of campaign. The scale of Megalodon should be a forcing function for reassessing your software supply chain controls this quarter.
Jordan: Shifting to the geopolitical landscape. China's Webworm APT is running campaigns against European government networks, and the tradecraft is notable. They're using Discord and Microsoft Graph API as command-and-control channels, plus SoftEther VPN for SOCKS proxy tunneling between victims and infrastructure.
Alex: This is the maturation of a trend we've been tracking for two years. Nation-state actors are living inside your trusted enterprise platforms. When your C2 traffic is flowing through Microsoft Graph API, your domain reputation-based detection is useless. Your firewall sees legitimate Microsoft traffic. Your proxy sees legitimate Discord traffic. The signal is buried in the noise of normal business operations.
Jordan: Exactly. And this isn't just a government problem. If you're a defense contractor, a critical infrastructure operator, a multinational with EU operations, you are in the target set. The detection challenge here requires behavioral analytics at the application layer. You need to understand what normal Graph API usage looks like for your environment and alert on deviations. Static signatures won't catch this.
Alex: The Belarus-linked GhostWriter campaign targeting Ukrainian officials with fake training certificates is worth a brief mention here because it reinforces a complementary point. These are credential-harvesting campaigns using trusted brand impersonation through a popular online learning platform. The tactical lesson for enterprise defenders is that your security awareness training needs to account for the fact that attackers are now impersonating the very platforms your employees use for professional development. The trust exploitation is getting more creative.
Jordan: Now, there's a piece of good news on the offensive infrastructure front. Europol took down First VPN, arrested its administrator, seized servers and domains. This is significant because Europol said this service appeared in nearly every major recent cybercrime investigation. Used by approximately two dozen ransomware gangs. And here's the detail I want people to notice: Europol stated they notified the service's users that they've been identified.
Alex: That's the real story. The takedown disrupts infrastructure, but the identification of users creates a chilling effect and likely leads to follow-on arrests. For enterprise security teams, the practical implication is to watch for infrastructure migration patterns over the next 30 to 60 days. When you knock out a service this central to the ransomware ecosystem, threat actors scatter and reconstitute. Your threat intel feeds should be tuned for new VPN services, new proxy networks, new infrastructure patterns emerging from this disruption.
Jordan: Let's talk about the FBI warning on Kali365. This is a Phishing-as-a-Service platform first observed in April, distributed via Telegram, and it captures Microsoft 365 OAuth tokens. It bypasses MFA without stealing passwords. Let me say that again. It bypasses MFA without credential theft by capturing the OAuth token itself.
Alex: This is the threat model that keeps M365-dependent enterprises up at night. And that's most enterprises. Kali365 provides AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture, all packaged for less-technical attackers. The democratization of this capability is what makes it dangerous. You don't need to be sophisticated to run a sophisticated attack anymore.
Jordan: The defensive response here has to go beyond MFA. You need conditional access policies that evaluate device compliance, network location, and risk signals before granting token access. You need token binding where possible. You need to monitor for anomalous token usage patterns, sessions originating from unexpected geolocations, tokens being used across multiple IP addresses. If your M365 security posture is still anchored primarily on MFA as the control, this platform is specifically designed to defeat you.
Alex: The German hospital breach through Unimed, their billing services provider, is a story we've seen variants of a hundred times, but it keeps happening because the underlying problem isn't solved. A single third-party billing provider gets breached, and patient and financial data from multiple hospitals is compromised simultaneously. If you're in healthcare or any regulated industry with concentrated vendor dependencies, your third-party risk management program needs to account for this aggregation risk. It's not just about whether your vendor is secure. It's about what happens when the vendor that serves you and your twenty peers gets compromised all at once.
Jordan: Let's hit the Cisco vulnerability quickly because this one demands action. CVE-2026-20223, CVSS 10.0, maximum severity. Unauthenticated remote access to sensitive data via insufficient REST API validation in Cisco Secure Workload. This is your microsegmentation platform. This is deployed in data center environments handling workload telemetry and policy data. If you're running Cisco Secure Workload, this is an emergency patching cycle. No confirmed active exploitation yet, but a CVSS ten with unauthenticated remote access does not stay unexploited for long.
Alex: Agreed. Don't wait for the weekend. Get your teams on this today.
Jordan: On the policy front, two stories that are connected by a common thread. First, bipartisan pushback on CISA budget cuts. Reps. Don Bacon, Republican from Nebraska, and James Walkinshaw, Democrat from Virginia, both saying the cuts have gone too far. They're citing growing threats from China at a moment when CISA's capacity has been diminished. State officials are simultaneously urging Congress to renew cyber grant programs because local governments simply lack resources to counter advanced threats.
Alex: I've been saying this for months. The public-private threat intelligence sharing that CISA enables is infrastructure that enterprises depend on, whether they realize it or not. When CISA's capacity is reduced, the information sharing degrades, the incident response support degrades, and the coordinated vulnerability disclosure process slows down. This isn't abstract. This affects your ability to get timely, actionable intelligence on the exact kind of threats we've discussed today.
Jordan: And the second policy story, the White House postponed the AI security executive order with no new timeline. The draft would have required NSA, Treasury, and other agencies to evaluate new AI models for cybersecurity and national security concerns within 90 days.
Alex: For CISOs who've been building AI governance frameworks in anticipation of federal guidance, this delay creates real uncertainty. My advice: don't wait. Build your framework based on NIST AI Risk Management guidance and the EU AI Act requirements if you have European operations. You can always adjust when federal guidance eventually lands, but you can't afford to have ungoverned AI deployments while you wait for Washington to make up its mind.
Jordan: Looking at the week in aggregate, Alex, there's a theme that's impossible to ignore. The trust boundary is dissolving. Attackers are inside your IDE extensions, inside your Microsoft Graph API traffic, inside your CI/CD pipelines, inside your OAuth token flows. Every layer of implicit trust in the enterprise stack is being weaponized.
Alex: That's exactly right. And the response can't be to add another point product for each attack vector. The response has to be architectural. Zero trust isn't a marketing term. It's the recognition that you need to verify continuously at every layer, from developer toolchains to production workloads to identity tokens. If this week's stories don't validate that strategic direction for your board, I don't know what will.
Jordan: And on a practical level, this weekend, check your Cisco Secure Workload patching status, review your VS Code extension governance, make sure your M365 conditional access policies account for token theft scenarios, and have a conversation Monday morning about what your CI/CD pipeline monitoring actually looks like. That's a full plate, but it's where the threats are.
Alex: That's our show for today. Show notes and links to every story we covered are at cleartext.fm. Have a safe weekend. We'll see you Monday.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-22.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
By Cleartext