Daily cybersecurity briefing for CISOs and security leaders.

🎧 Listen to this episode

Today's episode covers 17 stories across 4 topic areas, including: FBI takes down massive China-based cybercrime network that caused $1.9B in losses; U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals; Russian national charged in connection with Void Blizzard espionage campaign.

CyberScoop · Jun 12 · Relevance: █████████░ 9/10

Why it matters to CISOs: The Outsider Enterprise takedown reveals how Chinese cybercrime operations now weaponize enterprise AI tools (Gemini) at industrial scale against U.S. targets — a model that will be replicated; CISOs should brief boards on AI-enabled fraud as a systemic, not marginal, risk.

📖 Read full article

The Hacker News · Jun 13 · Relevance: █████████░ 9/10

Why it matters to CISOs: An emergency government order forcing Anthropic to disable its most advanced AI models for all foreign nationals — issued with less than an hour's notice — signals that AI model access controls are now a live national-security instrument; CISOs deploying frontier AI must model regulatory interruption as an operational risk.

📖 Read full article

CyberScoop · Jun 11 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The Void Blizzard indictment confirms Kremlin-directed espionage compromised at least 11 U.S. companies, reinforcing that Russian state actors continue broad corporate IP theft campaigns beyond Ukraine-focused operations.

📖 Read full article

The Hacker News · Jun 12 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Velvet Ant's PAM/OpenSSH backdoor — surviving multiple incident-response cycles over nearly a decade — is a masterclass in persistence that should force CISOs to add integrity monitoring of authentication subsystems to their threat model, not just endpoint and network layers.

📖 Read full article

Help Net Security · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The AudiA6 takedown removes a key financial rail used by multiple ransomware groups, temporarily disrupting their monetization pipeline — CISOs should monitor for retaliatory or displacement attacks as groups scramble to rebuild laundering capacity.

📖 Read full article

The Hacker News · Jun 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: NSO Group violating a federal court injunction to launch new WhatsApp spearphishing campaigns confirms that commercial spyware vendors remain an active threat even under legal restraint — executives and board members using consumer messaging apps remain credible targets.

📖 Read full article

BleepingComputer · Jun 12 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A breach of France's sovereign encrypted messaging platform — built specifically to protect government communications — underscores that bespoke, government-controlled secure comms tools carry their own unique attack surface and cannot be assumed safe by default.

📖 Read full article

The Hacker News · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Attackers compromising 73 Microsoft open-source GitHub repositories to inject infostealers targeting AI developers represents a direct supply chain threat to any enterprise consuming Azure or Microsoft AI tooling via those repos — a trust model that demands immediate third-party code provenance review.

📖 Read full article

BleepingComputer · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A breach of clinical trials data at the world's largest insulin producer raises immediate concerns about proprietary pharmaceutical research theft and patient privacy obligations under HIPAA and GDPR — a dual regulatory exposure that life sciences CISOs must model explicitly.

📖 Read full article

CyberScoop · Jun 10 · Relevance: █████████░ 9/10

Why it matters to CISOs: BOD 26-04 collapses the federal patching window to as little as three days for highest-risk vulnerabilities, establishing a precedent that will reshape enterprise patch-management benchmarks and likely influence regulatory expectations across sectors.

📖 Read full article

CyberScoop · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Anthropic's decision to ship two versions of the same frontier model — one with cyber-offense safeguards stripped for vetted security teams — establishes a new industry template for dual-use AI access control that CISOs must understand for both procurement and risk assessment purposes.

📖 Read full article

The Record (Recorded Future) · Jun 12 · Relevance: ████████░░ 8/10

Why it matters to CISOs: South Korea's record $409M fine for Coupang's breach of 30 million customers — surpassing its own record set against SK Telecom this year — signals that Asia-Pacific regulators are now competing with GDPR in enforcement severity; multinationals must calibrate their risk exposure accordingly.

📖 Read full article

TechCrunch Security · Jun 08 · Relevance: ██████░░░░ 6/10

Why it matters to CISOs: Massachusetts joining the growing roster of state-level comprehensive privacy laws — with a specific ban on precise location data sales — adds another compliance jurisdiction for enterprises with U.S. operations, accelerating pressure for a federal standard.

📖 Read full article

The Hacker News · Jun 11 · Relevance: ██████████ 10/10

Why it matters to CISOs: An unpatched, actively exploited RCE zero-day in Oracle PeopleSoft has compromised 100+ organizations — predominantly universities — with ShinyHunters demanding ransoms; any enterprise running PeopleSoft must treat this as an emergency patch and incident-response priority.

📖 Read full article

The Hacker News · Jun 10 · Relevance: █████████░ 9/10

Why it matters to CISOs: The largest Patch Tuesday on record — driven in part by AI-accelerated vulnerability discovery — signals that enterprise patch management workflows built for a monthly cadence are now structurally inadequate; CISOs must re-evaluate SLAs and automation capacity immediately.

📖 Read full article

Help Net Security · Jun 12 · Relevance: █████████░ 9/10

Why it matters to CISOs: Public PoC release for an auth-bypass in Check Point Remote Access VPN — already exploited by a Qilin ransomware affiliate since early May — dramatically widens the attacker pool; any organization with unpatched Check Point VPN deployments faces imminent mass exploitation.

📖 Read full article

The Hacker News · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Mass compromise of 400+ AUR packages delivering a Rust-based credential stealer and eBPF rootkit demonstrates that developer-facing package repositories remain a high-leverage, low-detection supply chain attack vector — enterprises using Arch Linux in developer environments should treat this as an active incident.

📖 Read full article

Jordan: If I had to pick one word for this week, it's "acceleration." Everything got faster — AI-generated phishing at industrial scale, a record-breaking Patch Tuesday driven by AI vulnerability discovery, a government order to kill frontier AI access with less than an hour's notice, and a new federal patching directive that gives you three days to fix the worst bugs. The clock is compressing on every axis, and if your security program was built for a monthly cadence, this was the week that model broke.

Alex: Welcome to Cleartext, the Saturday Week in Review. I'm Alex Chen, alongside Jordan Reeves. If you couldn't keep up this week, here's what mattered and what it means. We've got four big themes to work through. First, the AI acceleration loop — how artificial intelligence is simultaneously supercharging attackers, defenders, vulnerability discovery, and government intervention, all at once. Second, the geopolitical enforcement wave — a remarkable cluster of takedowns, indictments, and disruptions from the FBI, Europol, and DOJ. Third, a vulnerability landscape that is actively on fire, with zero-days being exploited in PeopleSoft, Check Point VPN, and supply chains. And fourth, the governance and regulatory ratchet — from CISA's new patching directive to record fines in South Korea to new state privacy laws. Let's get into it.

Jordan: So let's start with AI, because it was genuinely the throughline of the entire week. The Outsider Enterprise takedown was the headline — FBI and Google jointly dismantling a China-based phishing-as-a-service network that caused $1.9 billion in losses. But the detail that matters is how they did it. They used Google's Gemini to generate phishing content at industrial scale. Two and a half million smishing texts in a two-week window. Over 9,000 fake websites. A million fraudulent URLs. This is not artisanal social engineering. This is a factory.

Alex: And that's the part I want CISOs to really internalize. We've been talking about AI-enabled phishing as a future risk for two years. This week, the FBI quantified it at $1.9 billion in actual losses. That's the number you bring to your board. AI-powered fraud is not a theoretical risk. It is a systemic, proven, billion-dollar attack model. And it's going to be replicated, because the playbook is now public.

Jordan: And the AI story didn't stop at the attacker side. Anthropic had a wild week. They released Claude Fable 5 for the public and Mythos 5 — the same model with cyber-offense guardrails stripped — for vetted security organizations. Legitimate security researchers had been complaining that Fable 5's safety classifiers were too restrictive for offensive work, which is a real operational problem. So Anthropic created this dual-track access model. And then on Friday evening, the U.S. government dropped an emergency order forcing Anthropic to disable both models for all foreign nationals with less than an hour's notice.

Alex: This is unprecedented. A commercial AI company receiving a government order at 5:21 p.m. on a Friday to immediately cut off access to its most advanced models. No advance warning to users. Anthropic said it would "abruptly disable" them. If you are a CISO who has deployed frontier AI models in production workflows, this week just handed you a new risk category: regulatory interruption of AI model availability. You need to model that. You need contingency plans for the scenario where a model you depend on goes dark with zero notice.

Jordan: And the dual-model approach itself is worth watching. Anthropic essentially said, "Here's the safe version, and here's the version without the safety rails for people we trust." That's a template other AI companies will follow. It also means CISOs need to understand the procurement implications — which version are you getting, what access controls govern the more capable version, and what happens when your red team needs Mythos-level capability but your compliance team needs Fable-level guardrails.

Alex: The third AI angle this week was on the vulnerability discovery side. Microsoft's Patch Tuesday hit 206 CVEs — an all-time record. Thirty-nine critical, fifty-six remote code execution flaws. Security analysts directly attributed the volume surge to AI-assisted vulnerability research accelerating discovery on both sides. AI is finding bugs faster, which means both Microsoft and attackers are operating on compressed timelines. CISA explicitly cited AI-enabled exploitation speed as the primary driver behind their new Binding Operational Directive 26-04, which collapses patching windows to three days for the highest-risk vulnerabilities. The entire tempo of the game just shifted.

Jordan: Let's pivot to the geopolitical enforcement wave, because this was a remarkably active week for law enforcement. You had the Outsider Enterprise takedown, which we just covered. You had Europol, FBI, and partner agencies seizing AudiA6 — a dark web crypto laundering service that processed over €336 million for ransomware groups between 2022 and 2025. The same operators ran the Dark2Web cybercrime forum, so this was a vertically integrated criminal enterprise that provided both the marketplace and the financial plumbing.

Alex: The AudiA6 takedown is operationally significant because it disrupts monetization infrastructure. Every time you remove a trusted laundering rail, ransomware groups have to scramble to rebuild those relationships. There's a window of disruption. But I'd also flag the displacement risk — when you squeeze the monetization pipeline, some groups get more aggressive, not less. CISOs should be watching for upticks in extortion pressure over the next few weeks.

Jordan: We also got the Void Blizzard indictment — Denis Obrezko charged with orchestrating Kremlin-linked cyber espionage that compromised at least eleven U.S. companies. This is the first public individual attribution for Void Blizzard, and it's a reminder that Russian state cyber operations targeting corporate IP haven't slowed down just because the geopolitical spotlight is on Ukraine. These are broad corporate espionage campaigns, and they're ongoing.

Alex: And rounding out the geopolitical picture, Meta filed a federal contempt order against NSO Group for launching new WhatsApp spearphishing campaigns in violation of a permanent court injunction. NSO Group is literally under a court ban and they're still going. If you have executives or board members using consumer messaging apps, they remain credible targets for commercial spyware. That risk hasn't diminished.

Jordan: The Velvet Ant story deserves a beat too. Sygnia disclosed that a China-nexus group backdoored PAM and OpenSSH components — the Linux login subsystem itself — and persisted on a network with no internet connectivity for close to a decade. They survived multiple incident response cycles because cleanup focused on applications and files, not authentication infrastructure. Nearly ten years. On an air-gapped network.

Alex: That story should be genuinely unsettling for anyone who assumes their remediation efforts were thorough. If your IR playbook doesn't include integrity verification of authentication subsystems — PAM modules, SSH binaries, the things that decide who's allowed to log in — you have a blind spot that a nation-state adversary has already exploited for a decade.

Jordan: Now let's talk about the vulnerability landscape, which was exceptionally hot this week. The biggest fire is CVE-2026-35273 — an unauthenticated remote code execution zero-day in Oracle PeopleSoft. ShinyHunters, tracked by Mandiant as UNC6240, exploited this starting May 27th. Oracle didn't publish its advisory until June 10th. In that two-week gap, ShinyHunters hit over 100 organizations, about two-thirds of them universities, stole gigabytes of data, and are actively extorting victims.

Alex: If you run PeopleSoft, this is an emergency. Assume data exfiltration occurred before the patch was available. This is not a patch-and-move-on situation. This is a patch, investigate, and prepare-for-extortion situation. Higher education was the primary target, but PeopleSoft runs in a lot of enterprises for HR and finance. Check your exposure today if you haven't already.

Jordan: The Check Point VPN flaw, CVE-2026-50751, is the other critical one. Authentication bypass in Remote Access VPN, CVSS 9.3. Check Point patched June 8th, but WatchTowr published the full technical analysis and a detection artifact generator on June 12th. That means the barrier to exploitation just dropped to near zero. A Qilin ransomware affiliate was already confirmed in at least one breach. CISA gave federal agencies three days to patch. If you have Check Point VPN in your environment, you're in a race.

Alex: And the supply chain attacks continued. Microsoft's Miasma incident — 73 of their open-source GitHub repositories for Azure and AI tools were compromised to inject credential-stealing malware targeting developers. Some repos are still offline. Then separately, over 400 Arch Linux AUR packages were hijacked to deploy a Rust-based infostealer and eBPF rootkit targeting developer credentials. Two different supply chain attacks in the same week, both targeting developer environments, both going after credentials and access tokens. The developer workstation is the new high-value target.

Jordan: And on breaches — France's Tchap messenger, which was built specifically as a sovereign secure communications platform for government employees, was breached. Seventy-three thousand accounts compromised. The irony is thick. You build a bespoke encrypted platform to avoid the risks of commercial messaging apps, and then that platform itself becomes the attack surface. Sovereign tech is not inherently more secure. It's differently vulnerable.

Alex: Novo Nordisk also disclosed a breach of clinical trials data. The world's largest insulin producer, dealing with unauthorized access to patient information from clinical trials. That's a dual-risk scenario — patient privacy obligations under both HIPAA and GDPR, plus potential theft of proprietary pharmaceutical R&D. Life sciences CISOs need to model that explicitly.

Jordan: Let's wrap with the governance and regulatory segment. CISA's BOD 26-04 is the one that reshapes the operational landscape. Risk-tiered remediation timelines replacing the old blanket fourteen-day window. If a vulnerability hits all four criteria — active exploitation, internet-facing, critical asset, high CVSS — you have three days. CISA was explicit: AI-enabled exploitation speed means defenders cannot take weeks to patch.

Alex: This is a federal directive, but the ripple effects will reach every sector. Insurance carriers, auditors, and regulators will calibrate their expectations against this benchmark. If CISA says three days for the worst vulnerabilities, your board is going to ask why your SLA is fourteen. And honestly, they should.

Jordan: South Korea fined Coupang $409 million for a breach affecting 30 million customers. That's the largest data breach penalty in Korean history, and it dwarfs the $88.8 million they hit SK Telecom with earlier this year. APAC regulators are now competing with GDPR on enforcement severity. And Massachusetts passed a comprehensive privacy law banning the sale of precise location data, adding another jurisdiction to the U.S. patchwork.

Alex: So stepping back — what defined this week? Jordan, you said it at the top. Acceleration. AI is compressing timelines everywhere simultaneously. Attackers are generating phishing at machine scale. Vulnerability researchers — both good and bad — are finding bugs faster than organizations can patch them. Governments are issuing emergency orders with less than an hour's notice. Regulators are collapsing patching windows from weeks to days. And the response capacity of most security programs was designed for a slower world.

Jordan: The uncomfortable truth is that a lot of enterprise security is still operating on monthly patch cycles, quarterly risk reviews, annual threat model updates. And every single story this week — from the PeopleSoft zero-day to the Anthropic shutdown to the 206-CVE Patch Tuesday — is telling you that cadence is no longer sufficient. The adversary operates continuously. The regulators are moving toward continuous. Your program has to get there too.

Alex: For next week, keep your eye on three things. One, the fallout from the Anthropic model suspension — what does the government do next, and does this set a precedent for other AI providers? Two, mass exploitation of the Check Point VPN flaw now that the PoC is public. And three, watch for displacement attacks from ransomware groups whose laundering infrastructure just got seized. When you squeeze one part of the pipeline, pressure shows up somewhere else.

Jordan: That's the week. The daily show is back Monday. Show notes and links to every story we covered are at cleartext.fm.

Alex: Thanks for listening to Cleartext. Have a good weekend, and patch your Check Point boxes before Monday.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-13.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.