Cleartext – May 27, 2026

Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 10 stories across 5 topic areas, including: Iranian intelligence service behind hack of LA transit system, researchers say; MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries; Dutch government blocks US company from acquisition, citing ‘risk to public interest’.

Stories Covered
🌍 Geopolitical
Iranian intelligence service behind hack of LA transit system, researchers say

The Record (Recorded Future) · May 27 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Attribution of the LA Metro breach to Iran's MOIS—masked behind a fake hacktivist persona—signals that state-sponsored actors are actively using hacktivist cover to attack critical infrastructure, raising threat model implications for transportation, utilities, and other critical sectors.

  • Gambit Security research attributes the LA Metro breach to 'Ababil of Minab,' a fake hacktivist front for Iran's Ministry of Intelligence (MOIS)
  • The breach took weeks for LA Metro to recover from, indicating significant operational disruption
  • Iran-US tensions following the Iran war are driving state-sponsored cyber operations masked as hacktivism
  • 📖 Read full article

MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

The Hacker News · May 26 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: MuddyWater's Q1 2026 espionage campaign spanning nine countries and targeting financial services, manufacturing, and public sector organizations demonstrates Iran's sustained, broad-scope cyber espionage activity that enterprise security teams in these verticals must actively defend against.

  • MuddyWater (Iranian state-linked APT) conducted a DLL side-loading espionage campaign targeting at least 9 organizations across 9 countries in Q1 2026
  • Targets included financial services, industrial/electronics manufacturing, education, and public sector entities
  • Research attributed to Symantec and Carbon Black Threat Hunter Team
  • 📖 Read full article

Dutch government blocks US company from acquisition, citing ‘risk to public interest’

TechCrunch Security · May 26 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The Dutch government blocking a US acquisition of the cloud provider hosting its national digital ID service reflects accelerating European sovereign cloud and technology independence trends that will directly affect multinational CISOs' vendor strategy and cross-border data governance decisions.

  • Dutch government blocked a US company from acquiring a cloud firm that hosts the Netherlands' national digital ID service
  • Decision cited 'risk to public interest,' reflecting growing European concern about US technology dependency
  • Move is part of a broader European pattern of reducing reliance on US cloud and technology providers
  • 📖 Read full article

🔓 Data Breach
Charter confirms data breach after ShinyHunters extortion threat

BleepingComputer · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: ShinyHunters' confirmed breach of Charter Communications—a major US telecom—highlights continued targeting of large carriers for extortion, with downstream risk to enterprise customers whose data transits or is held by Charter systems.

  • Charter Communications (major US telecom) confirmed a data breach following an extortion threat from the ShinyHunters group
  • ShinyHunters threatened to leak stolen data unless a ransom was paid
  • This follows a pattern of ShinyHunters targeting large enterprises and telecom providers for high-value data extortion
  • 📖 Read full article

The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

VentureBeat Security · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CrowdStrike's 2026 Financial Services Threat Landscape Report identifies vishing-based MFA reset as the dominant attack vector against financial institutions, with Mutant Spider exploiting Microsoft Teams IT impersonation—a critical signal for any CISO relying on MFA as a control boundary.

  • Mutant Spider identified as the most active threat to financial services from April 2025–March 2026, using voice phishing over Microsoft Teams
  • Attackers impersonate internal IT support to convince employees to reset MFA and register attacker-controlled devices
  • The attack exploits legitimate MFA reset procedures, meaning the security control functioned as designed while still being defeated
  • 📖 Read full article

GitHub Tells Self-Hosted Admins to Rotate Keys

BankInfoSecurity · May 27 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A supply-chain incident via a poisoned VS Code extension compromised 3,800 GitHub repositories and forced enterprise-wide key rotation—CISOs with self-hosted git infrastructure must treat this as an immediate action item and audit developer toolchain extension policies.

  • GitHub warned self-hosted git server admins to rotate public encryption keys following a May 18 incident
  • A poisoned VS Code extension used by a GitHub employee triggered the compromise of approximately 3,800 repositories
  • GitHub CISO Alexis Wales confirmed GitHub.com is rotating all keys as a precautionary measure
  • 📖 Read full article

⚖️ Governance & Policy
OMB Scraps Biden-Era Cyber Logging Rules

BankInfoSecurity · May 27 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Federal agencies and contractors must reassess logging compliance postures as the Trump OMB replaces post-SolarWinds prescriptive logging mandates with a flexible risk-based model, potentially affecting regulatory expectations for companies doing government work.

  • White House OMB memo replaces the Biden-era M-21-31 SolarWinds-era logging requirements with a narrower risk-based, threat-hunting-focused framework
  • New model emphasizes forensic readiness and risk prioritization over blanket comprehensive log retention
  • Change arrives as federal networks face faster AI-enabled intrusions, raising concerns among analysts about reduced detection capability
  • 📖 Read full article

FBI warns about PhaaS platform used to access Microsoft 365 environments

Cybersecurity Dive · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: FBI warning about a Phishing-as-a-Service platform bypassing MFA via device code phishing in Microsoft 365 environments is directly actionable for CISOs—particularly given enterprise-wide M365 adoption—requiring review of conditional access policies and device code flow restrictions.

  • FBI issued advisory about a PhaaS platform enabling device code phishing to bypass MFA in Microsoft 365 environments
  • Attack technique requires no stolen credentials—instead exploits the OAuth device code authorization flow
  • Technique is particularly effective against enterprises relying on MFA as a primary authentication control
  • 📖 Read full article
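The "review conditional access policies and device code flow restrictions" advice has a detection side as well: before blocking the flow, find out who in the tenant actually completes device-code sign-ins and to which apps. The script below is an added example, not code from the briefing or from any of its sources. It reads an Entra ID sign-in log export (one JSON object per line) and flags successful device-code authentications to apps outside an allowlist, then groups them by source IP, since one redemption host serving many accounts is the shape a phishing-as-a-service campaign leaves behind. The field names follow the Microsoft Graph sign-in schema as I understand it (`authenticationProtocol` taking the value `deviceCode`); treat them, the `EXPECTED_DEVICE_CODE_APPS` allowlist and the sample records as assumptions to map onto your own export.

```python
"""Flag OAuth device-code sign-ins in an Entra ID sign-in log export.

Added example (not from the briefing). Field names follow the Microsoft
Graph signIn schema (authenticationProtocol == "deviceCode"); confirm them
against your own export. All sample records below are constructed.
"""
import json

# Constructed sample export: one JSON sign-in event per line.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2026-05-27T08:01:12Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-05-27T08:03:40Z","userPrincipalName":"bob@example.test","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.11","status":{"errorCode":0}}
{"createdDateTime":"2026-05-27T08:04:02Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-05-27T08:04:15Z","userPrincipalName":"dave@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-05-27T08:05:00Z","userPrincipalName":"erin@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
"""

# Apps where a device-code sign-in is expected (CLI tooling on headless hosts).
# Hypothetical allowlist: populate it from your own environment.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signins(export_text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def device_code_signins(events, allowlist=EXPECTED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins to apps that are not allowlisted."""
    hits = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: not a completed flow
        if ev.get("appDisplayName") in allowlist:
            continue
        hits.append(ev)
    return hits


def shared_source_ips(hits, threshold=2):
    """Source IPs that completed device-code flows for `threshold` or more
    distinct users. Legitimate device-code use is one user per host; many
    accounts redeemed from one IP is the campaign-level signal."""
    per_ip = {}
    for ev in hits:
        per_ip.setdefault(ev["ipAddress"], set()).add(ev["userPrincipalName"])
    return {ip: sorted(users) for ip, users in per_ip.items() if len(users) >= threshold}


if __name__ == "__main__":
    events = parse_signins(SAMPLE_SIGNIN_LOG)
    hits = device_code_signins(events)
    for ev in hits:
        print(f"{ev['createdDateTime']} {ev['userPrincipalName']} -> "
              f"{ev['appDisplayName']} from {ev['ipAddress']}")
    for ip, users in shared_source_ips(hits).items():
        print(f"ALERT: {ip} completed device-code sign-ins for "
              f"{len(users)} users: {', '.join(users)}")
```

Run against a real export, the allowlist will tell you how many users genuinely need the flow; in most tenants that set is small enough that a Conditional Access policy blocking device code flow for everyone else (Entra's authentication flows condition) costs little, and the grouped-by-IP view is what to alert on in the meantime.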

🚀 Startup Ecosystem
Socket Raises $60M for Wider Software Supply-Chain Defense

BankInfoSecurity · May 27 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Socket's $1B valuation Series C signals strong market validation for supply-chain security tooling beyond package managers, directly relevant as AI coding tools expand enterprise exposure to malicious dependencies and developer extensions.

  • Socket raised $60M in a Thrive Capital-led Series C at a $1 billion valuation
  • Platform expands beyond npm/PyPI package managers to cover AI coding tools, browser extensions, and developer tooling
  • Funding arrives as AI-assisted development dramatically increases the attack surface for malicious dependency injection
  • 📖 Read full article

🚨 Critical Vulnerability
Millions of AI agents imperiled by critical vulnerability in open source package

Ars Technica Security · May 26 · Relevance: █████████░ 9/10

Why it matters to CISOs: A critical authentication-bypass flaw dubbed 'BadHost' in Starlette—downloaded 325 million times weekly—directly threatens enterprise AI agent infrastructure at massive scale, requiring immediate inventory and patching of any AI workloads using this package.

  • Vulnerability tracked as 'BadHost' found in Starlette, an open-source Python ASGI framework with 325 million weekly downloads
  • Flaw allows attackers to bypass authentication on AI infrastructure, potentially compromising millions of deployed AI agents
  • Disclosed May 26, 2026; enterprises running AI agent frameworks built on Starlette are broadly exposed
  • 📖 Read full article
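The hard part of the "immediate inventory" this story calls for is that Starlette usually arrives as a transitive dependency, so a team searching its own requirements files will not find it. The script below is an added example (not from the article or the Starlette project): it reads the `Requires-Dist` metadata of every installed distribution through the standard library's `importlib.metadata`, builds the reverse dependency graph, and prints each chain from a top-level package down to the target, so the owner of the package that pulled it in is visible. The constructed `SAMPLE_ENV` and the `agent-service` package name are illustrative; the `--live` flag switches to the interpreter's real environment.

```python
"""Find which installed packages pull in a dependency, directly or transitively.

Added example, not from the article. Reads Requires-Dist metadata via
importlib.metadata and walks the dependency graph from the roots (packages
nothing else depends on) down to the target. SAMPLE_ENV is constructed.
"""
import re
from importlib import metadata

# A Requires-Dist entry looks like 'starlette>=0.40.0; extra == "standard"'.
# Only the distribution name matters for the graph.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dep_name(requirement):
    """Extract the normalised distribution name from a requirement string."""
    m = _NAME_RE.match(requirement)
    return normalize(m.group(1)) if m else None


def build_graph(distributions):
    """distributions: iterable of (name, version, [requires-dist strings]).
    Returns ({name: version}, {name: set(direct dependency names)})."""
    versions, edges = {}, {}
    for name, version, requires in distributions:
        n = normalize(name)
        versions[n] = version
        edges[n] = {d for d in (dep_name(r) for r in requires or []) if d}
    return versions, edges


def dependency_paths(edges, target, max_depth=10):
    """Every chain root -> ... -> target. Roots are packages nothing else
    depends on, i.e. what a team actually chose to install."""
    target = normalize(target)
    depended_on = {d for deps in edges.values() for d in deps}
    roots = [n for n in edges if n not in depended_on]
    paths = []

    def walk(node, chain):
        if node == target:
            paths.append(chain)
            return
        if len(chain) > max_depth:
            return
        for dep in sorted(edges.get(node, ())):
            if dep not in chain:  # cycle guard
                walk(dep, chain + [dep])

    for root in sorted(roots):
        walk(root, [root])
    return paths


def installed_distributions():
    """Yield (name, version, requires) for the live interpreter environment."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.version, dist.requires or []


def report(distributions, target="starlette"):
    """None if the target is absent, else its version and the chains reaching it."""
    versions, edges = build_graph(distributions)
    t = normalize(target)
    if t not in versions:
        return None
    return {"version": versions[t],
            "paths": [" -> ".join(p) for p in dependency_paths(edges, t)]}


# Constructed sample environment: an AI-agent service that never lists
# starlette itself but receives it through fastapi.
SAMPLE_ENV = [
    ("agent-service", "1.0", ["fastapi>=0.110", "httpx"]),
    ("fastapi", "0.110.0", ["starlette>=0.36.3,<0.38.0", "pydantic>=1.7.4"]),
    ("starlette", "0.37.2", ["anyio>=3.4.0,<5"]),
    ("anyio", "4.3.0", ["idna>=2.8", "sniffio>=1.1"]),
    ("httpx", "0.27.0", ["anyio", "certifi", "httpcore"]),
    ("pydantic", "2.7.0", []), ("idna", "3.7", []), ("sniffio", "1.3.1", []),
    ("certifi", "2024.2.2", []), ("httpcore", "1.0.5", []),
]

if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--live"]
    target = args[0] if args else "starlette"
    result = report(installed_distributions() if live else SAMPLE_ENV, target)
    if result is None:
        print(f"{target}: not installed")
    else:
        print(f"{target} {result['version']} reached via:")
        for p in result["paths"]:
            print("  " + p)
```

Run with `--live` inside each service's virtual environment or container image (`python inventory.py --live starlette`); the printed version is what to compare against the fixed release once it is known, and the chain tells you whether the fix is a Starlette pin or a FastAPI upgrade.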

Further Reading
  • 🌍 Iranian intelligence service behind hack of LA transit system, researchers say · The Record (Recorded Future)
  • 🌍 MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries · The Hacker News
  • 🌍 Dutch government blocks US company from acquisition, citing ‘risk to public interest’ · TechCrunch Security
  • 🔓 Charter confirms data breach after ShinyHunters extortion threat · BleepingComputer
  • 🔓 The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token. · VentureBeat Security
  • 🔓 GitHub Tells Self-Hosted Admins to Rotate Keys · BankInfoSecurity
  • ⚖️ OMB Scraps Biden-Era Cyber Logging Rules · BankInfoSecurity
  • ⚖️ FBI warns about PhaaS platform used to access Microsoft 365 environments · Cybersecurity Dive
  • 🚀 Socket Raises $60M for Wider Software Supply-Chain Defense · BankInfoSecurity
  • 🚨 Millions of AI agents imperiled by critical vulnerability in open source package · Ars Technica Security

Full Transcript

Alex: Welcome to Cleartext. It's Wednesday, May 27th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. So here's what caught my attention first thing this morning. A critical authentication bypass in an open-source Python package called Starlette, which underpins a staggering amount of AI agent infrastructure. Three hundred and twenty-five million weekly downloads. The vulnerability, dubbed BadHost, lets attackers bypass authentication entirely on AI workloads built on this framework. If you're running AI agents in production, and at this point most of you are, you need to know if Starlette is in your dependency tree. Today. Not Friday.

Alex: We're going to get into that, plus Iran running dual-track cyber operations behind fake hacktivist fronts, the White House gutting post-SolarWinds logging mandates, ShinyHunters hitting Charter Communications, two separate MFA bypass techniques that should make every CISO rethink their authentication architecture, and a supply chain incident that has GitHub rotating keys enterprise-wide. A lot to cover. Let's get into it.

Jordan: Let's start with Iran because there are two stories today that paint a very coherent picture. First, researchers at Gambit Security have attributed the LA Metro breach to a group called Ababil of Minab. They presented themselves as hacktivists. They are not. Gambit ties them directly to Iran's Ministry of Intelligence, MOIS. The breach caused weeks of operational disruption to LA's transit system. Weeks. This is a critical infrastructure hit by a nation-state wearing a costume.

Alex: And that's the pattern that matters here. We've been tracking the hacktivist-as-cover trend for a while, but this is a clean attribution case. A state intelligence service deliberately created a fake persona to maintain plausible deniability while attacking American critical infrastructure. For CISOs in transportation, utilities, water, energy, you need to update your threat models. The adversary isn't just the sophisticated APT that moves quietly. It's also the group that looks like script kiddies on Telegram but has a government backing its operations.

Jordan: And then layer on the second Iran story. MuddyWater, which is well-established as Iranian state-linked, ran a DLL side-loading espionage campaign across nine countries and nine organizations in Q1 of this year. Financial services, manufacturing, education, public sector. Symantec and Carbon Black's Threat Hunter Team documented the whole thing. So you've got MOIS running destructive ops behind hacktivist cover on one hand, and MuddyWater running broad-scope espionage on the other. Two different operational tempos, two different objectives, same state sponsor.

Alex: This is Iran running a full-spectrum cyber program. The post-war tensions with the US are clearly fueling an acceleration. If you're in any of those targeted verticals, especially financial services or manufacturing, MuddyWater's tradecraft here, DLL side-loading, is well-understood but still effective because too many organizations don't have adequate controls around DLL loading paths and application whitelisting. This is detectable and defensible, but you have to be looking for it.

Jordan: Now let's pivot to something that directly affects authentication architecture, and it ties together two stories. The FBI issued an advisory about a Phishing-as-a-Service platform that's using device code phishing to bypass MFA in Microsoft 365 environments. No stolen credentials required. The attacker exploits the OAuth device code authorization flow, which is a legitimate feature of the protocol. And then separately, CrowdStrike's 2026 Financial Services Threat Landscape Report identifies Mutant Spider as the most active threat to financial services over the past twelve months, and their primary technique is calling employees, impersonating IT support, and convincing them to reset their own MFA and register attacker-controlled devices.

Alex: I want CISOs to sit with this for a moment. These are two completely different attack paths, both defeating MFA, and neither one involves stealing a password. In one case, the attacker exploits a protocol flow that most security teams haven't restricted. In the other, the attacker exploits your own help desk procedures. Your MFA reset process worked exactly as designed, and the attacker still won. This is the moment where MFA as a security boundary needs to be reclassified as MFA as one layer among several.

Jordan: Specifically, for the device code phishing, you need to look at your conditional access policies in Entra ID and evaluate whether you can restrict or block device code flow entirely for most users. Most organizations don't need it broadly enabled. For the vishing vector, this is a people and process problem. Your help desk identity verification procedures need to be hardened. Call-back verification, out-of-band confirmation, something beyond voice on a Teams call.

Alex: And if your board still thinks MFA is the answer, these two stories are your briefing material. MFA is necessary. It is not sufficient.

Jordan: Let's talk about the Charter breach. ShinyHunters confirmed they breached Charter Communications, a major US telecom, and they're running the standard extortion playbook, pay or we leak. ShinyHunters have been consistently targeting large enterprises and telecom providers for high-value data.

Alex: The downstream risk here is what concerns me most. Charter isn't just a consumer ISP. Enterprise traffic transits their infrastructure. Enterprise customer data may be held in their systems. If you're a Charter customer at the enterprise level, you should be engaging your account team right now to understand scope. What data was accessed? What's the exposure to your organization? Don't wait for the press release.

Jordan: And this is a good moment to remind everyone that your third-party risk program needs to include your telecom providers. They hold metadata, traffic data, sometimes authentication data. They are high-value targets for exactly this reason.

Alex: Now, the GitHub story. This one is operationally urgent for anyone running self-hosted git infrastructure. A poisoned VS Code extension, used by a GitHub employee, led to the compromise of approximately thirty-eight hundred repositories. GitHub's own CISO, Alexis Wales, confirmed they're rotating all keys on GitHub.com as a precaution, and they've told self-hosted admins to do the same.

Jordan: The supply chain angle here is critical. This wasn't a vulnerability in git. This was a malicious developer tool extension that gave an attacker access to the development environment. We keep talking about software supply chain security in terms of packages and dependencies. This is a reminder that the developer's IDE and its extensions are part of that supply chain too. If you don't have a policy governing what extensions your developers can install in VS Code, you have a gap.

Alex: Which actually segues nicely into the Socket funding round. Socket raised sixty million at a billion-dollar valuation, Series C led by Thrive Capital. They're expanding beyond npm and PyPI package scanning to cover AI coding tools, browser extensions, and developer tooling more broadly.

Jordan: The market is validating what we just talked about. The attack surface for dependency injection is expanding dramatically as AI-assisted coding tools become standard. Socket is positioning to cover that expanded surface. If you're evaluating supply chain security tooling, they're worth a look.

Alex: Now, the BadHost vulnerability. Jordan, you opened with this. Let's give it the actionable treatment it deserves.

Jordan: BadHost is a critical authentication bypass in Starlette, which is a Python ASGI framework. If you're not familiar with it by name, you might still be running it. It's a foundational dependency for FastAPI and a huge portion of the Python web and AI agent ecosystem. Three hundred and twenty-five million weekly downloads. The flaw allows attackers to bypass authentication entirely on infrastructure built with this package. If you're running AI agents, ML inference endpoints, or any Python-based API services, you need your teams to check dependency trees immediately and patch.

Alex: This is one of those vulnerabilities where the blast radius is defined not by one product but by the dependency graph. Your application team might not even know Starlette is in their stack because it came in as a transitive dependency. This is an all-hands inventory exercise.

Jordan: Moving to governance. The White House OMB issued a new memo that replaces the Biden-era M-21-31 logging requirements, the ones that came out of the SolarWinds response. The new framework is narrower, emphasizing risk-based prioritization, threat hunting, and forensic readiness rather than prescriptive comprehensive log retention.

Alex: I have mixed feelings about this. The original M-21-31 was expensive and burdensome for agencies to implement. That's true. And a risk-based approach is philosophically sound. But the timing is concerning. We're in an environment where AI-enabled intrusions are getting faster, dwell times are shrinking, and the analysts I talk to are worried that reducing logging comprehensiveness means reducing detection capability at exactly the wrong moment.

Jordan: And for CISOs in the private sector who do government work, the compliance implications are real. If your logging posture was built to satisfy M-21-31 as a contractual requirement, you need to understand what the new baseline looks like and whether your agency customers will expect the old standard or the new one. Don't assume anything. Get it in writing.

Alex: Last story. The Dutch government blocked a US company from acquiring a cloud provider that hosts the Netherlands' national digital ID service, citing risk to public interest. This is part of a broader European pattern of asserting technology sovereignty.

Jordan: This is the trend that keeps accelerating. European governments are drawing lines around critical digital infrastructure and saying, this cannot be controlled by US entities. For multinational CISOs, this directly affects your cloud strategy, your vendor selection, and your data residency architecture. If you're running European operations on US-controlled cloud infrastructure, you need to be planning for a world where that becomes increasingly constrained.

Alex: It's not just GDPR anymore. It's sovereign control over the infrastructure layer itself. Your procurement and legal teams need to be in the room for these decisions, not just your architects.

Jordan: So stepping back, Alex, the theme I see today is the erosion of assumptions. MFA is your security boundary? Not anymore. Hacktivists are unsophisticated? Not when they're state-sponsored. Your logging mandates are stable? They just changed. Your cloud vendor choices are yours to make? Not if a foreign government disagrees.

Alex: That's exactly right. And I'd add one more. Your dependency tree is known and controlled? The Starlette vulnerability and the GitHub extension compromise both say otherwise. The common thread is that the controls and assumptions we built our security programs on two or three years ago are being systematically challenged. Not theoretically. In production.

Jordan: What I'm watching this week is whether we see more attribution of hacktivist personas to state actors. The Gambit Security research on Ababil of Minab could be the start of a wave. There are a lot of groups operating under hacktivist cover right now that haven't been formally attributed yet.

Alex: And I'm watching the OMB logging change ripple through the contractor ecosystem. That's going to create confusion and potentially gaps in the short term. If you're a federal contractor CISO, get ahead of it now.

Jordan: That's our show for today. Show notes and links to every story we covered are at cleartext.fm.

Alex: Thanks for listening. We'll see you tomorrow.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-27.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
