The CyberWire Daily Podcast 7.2.26
Ep 2585 | 7.2.26

The people's AI?

Transcript

OpenAI considers an equity plan to share AI wealth with the public. Cisco confirms active exploitation of its unified CM platform. Researchers discover autonomous ransomware. The Vect ransomware operation partners with TeamPCP. The FortiBleed credential-harvesting campaign is linked to ransomware attacks. Veil#Drop stealthily deploys the PureLog Stealer. Scammers target small businesses with fake law enforcement emails. Apple’s Hide My Email feature…doesn’t. An alleged Scattered Spider member is extradited to the United States. Our guest is Ben Yelin, Dave's Caveat cohost, on the Supreme Court’s geofence warrants ruling. Microsoft’s quantum claims leave physicists in two states at once.

Today is Thursday, July 2nd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

OpenAI considers an equity plan to share AI wealth with the public. 

OpenAI is reportedly considering a proposal that would give the Trump administration a 5% stake in the company, according to the Financial Times. The idea is part of early discussions that could see other leading US artificial intelligence companies offer similar stakes to the government. OpenAI CEO Sam Altman has argued that the arrangement would let the public share in the financial gains from AI as the technology reshapes the economy. The talks come as the White House increases oversight of advanced AI models and weighs closer partnerships with the industry. Any agreement would likely require congressional approval. The proposal also comes as OpenAI and rival Anthropic prepare for potential public stock offerings and as the administration continues to prioritize US leadership in artificial intelligence.

Cisco confirms active exploitation of its unified CM platform. 

Cisco has confirmed that attackers are actively exploiting a recently patched vulnerability in its Unified Communications Manager, or Unified CM, the platform that manages Cisco IP telephony systems. The flaw, tracked as CVE-2026-20230, is a server-side request forgery vulnerability that can be exploited remotely without authentication by sending a crafted HTTP request. Cisco initially said it had seen proof-of-concept exploit code but no evidence of attacks. That changed after security researchers documented active exploitation and published technical details. Cisco now urges customers to upgrade to fixed software releases immediately or disable the vulnerable WebDialer service until patches can be applied. More than 200 internet-facing Unified CM systems remain exposed, according to Shadowserver, increasing the risk of compromise.

Researchers discover autonomous ransomware. 

Security researchers at Sysdig say they have documented what they believe is the first known ransomware attack carried out autonomously by an artificial intelligence agent. The operation, dubbed JADEPUFFER, exploited a critical vulnerability in an exposed Langflow server to gain initial access, harvest credentials, and move laterally to a production database. Researchers say the AI agent adapted to a failed attempt to create an administrator account, corrected its own mistake within 31 seconds, and continued the attack without human intervention. It then encrypted more than 1,300 Nacos configuration records, deleted key database tables, and left a ransom demand. Sysdig says the case highlights how AI agents could dramatically accelerate attacks by exploiting known vulnerabilities, reinforcing the need for prompt patching, credential protection, and continuous monitoring.

The Vect ransomware operation partners with TeamPCP. 

Researchers at Sophos’ Counter Threat Unit have detailed a partnership between the Vect ransomware-as-a-service operation and TeamPCP, a threat group known for large-scale credential theft and software supply chain attacks. Announced in March 2026, the alliance combines TeamPCP’s ability to compromise trusted software and steal credentials with Vect’s ransomware deployment infrastructure. TeamPCP has been linked to attacks targeting widely used developer tools, including Trivy, Checkmarx, LiteLLM, and the Telnyx Python SDK, allowing attackers to harvest credentials and spread malware through legitimate software updates. Researchers say the partnership creates a direct pipeline from supply chain compromise to ransomware deployment, lowering barriers for affiliates. They recommend organizations inventory open-source dependencies, verify software updates before deployment, and avoid assuming ransom payments will guarantee successful data recovery because of flaws in Vect’s encryption.

The FortiBleed credential-harvesting campaign is linked to ransomware attacks.

Researchers at SOCRadar say the FortiBleed credential-harvesting campaign is now directly linked to ransomware attacks involving the INC Ransom and Lynx groups. Since at least February, attackers have targeted hundreds of thousands of FortiGate firewalls, stealing an estimated 110 million credentials. Investigators observed attackers gaining administrative access to hundreds of organizations, compromising VPNs and domain controllers before deploying ransomware in at least 12 confirmed cases. SOCRadar says evidence from the attackers’ own infrastructure indicates the same operators behind FortiBleed are also involved in ransomware operations, demonstrating how stolen credentials are being rapidly monetized through extortion.

Veil#Drop stealthily deploys the PureLog Stealer. 

Researchers at Securonix have identified Veil#Drop, a sophisticated, multi-stage malware delivery framework designed to deploy the PureLog Stealer while leaving minimal forensic evidence. The campaign begins with a JavaScript file disguised as a document, which launches PowerShell to retrieve additional payloads from attacker-controlled Blogspot pages, leveraging Google’s trusted infrastructure to evade detection. The framework uses multiple layers of obfuscation, in-memory execution, reflective .NET loading, and trusted Microsoft utilities, known as Living-off-the-Land Binaries, or LOLBins, to avoid writing malware to disk and bypass security controls. Once deployed, PureLog Stealer harvests browser credentials, cookies, autofill data, cryptocurrency wallet information, and system details. Researchers say the campaign’s combination of fileless execution, cloud-hosted infrastructure, and trusted tools makes it particularly difficult for traditional security products to detect.

Scammers target small businesses with fake law enforcement emails. 

Bitdefender researchers have identified a phishing campaign targeting small businesses with fake law enforcement emails designed to deliver ransomware. The messages, which impersonate Interpol, claim to contain evidence of suspicious company activity and direct recipients to a password-protected archive hosted on Proton Drive. The supposed evidence is actually a ransomware payload disguised as a video file. Researchers say the malware is relatively simple and does not appear to be linked to a major ransomware-as-a-service operation, instead relying on convincing social engineering to trick victims into infecting themselves. Organizations across Europe, Asia, the Middle East, and the United States have been targeted. The campaign highlights that even unsophisticated ransomware can be highly effective when combined with fear, urgency, and trusted branding.

Apple’s Hide My Email feature…doesn’t. 

A security researcher says a flaw in Apple’s Hide My Email feature can reveal users’ real email addresses, undermining a privacy tool designed to keep them anonymous. Tyler Murphy, co-founder of EasyOptOuts, reported the issue to Apple more than a year ago and says it remains exploitable despite repeated assurances that a fix was in progress. Tests by 404 Media confirmed the vulnerability could expose the email address tied to an Apple account. Murphy warns the flaw could put users at risk because exposed email addresses can often be linked to personal information through public records. Apple has acknowledged the issue and said it plans to address it in a future security update but has not publicly explained the delay.

An alleged Scattered Spider member is extradited to the United States. 

An alleged member of the Scattered Spider cybercrime group has been extradited from Finland to the United States to face federal charges related to hacking, fraud, and computer intrusion. Prosecutors allege that 19-year-old Peter Stokes, a dual U.S. and Estonian citizen, was part of the group behind more than 100 network intrusions that generated over $100 million in ransom payments and caused millions more in damages. According to the criminal complaint, Stokes helped target a luxury jewelry retailer in 2025, stealing data and demanding roughly $8 million in cryptocurrency, although no ransom was paid. U.S. officials say the case demonstrates ongoing international cooperation to identify, arrest, and prosecute cybercriminals operating across national borders.


Microsoft’s quantum claims leave physicists in two states at once. 

Microsoft’s latest quantum computing announcement has sparked as much skepticism as excitement. The company claims its new Majorana-based quantum processor is a thousand times more reliable than its predecessor, despite the fact that the elusive Majorana particle remains theoretical and has never been conclusively observed. Microsoft argues its topological approach could produce more stable qubits, a longstanding challenge in quantum computing. Critics, however, say the company’s evidence falls well short. Several physicists have questioned the underlying research, pointing to a retracted 2018 paper, disputed testing methods, and a lack of publicly available data. Some have gone so far as to accuse Microsoft of overstating, or even misrepresenting, its progress. For now, the debate resembles Schrödinger’s breakthrough: either a revolutionary advance in quantum computing or an extraordinarily expensive exercise in wishful thinking, with independent verification still pending.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


Programming notes: 

Our team will be observing the Independence Day holiday and the 250th anniversary of the United States on Friday and Saturday.

In place of our regular programming on Friday, we are sharing the next installment of our 10th anniversary conversations. Maria Varmazis and I talk about “The vulnerabilities, zero‑days, and hardware flaws over the last decade.”

On Saturday in place of our usual Research Saturday, we are sharing an episode of a newer show on our network, AI Security Brief by our partners at TrendAI with hosts Dustin Childs and Johnny Hand. We hope you enjoy the programming and have a happy and safe holiday weekend. Happy birthday, USA! 

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.