The CyberWire Daily Podcast 7.7.26
Ep 2587 | 7.7.26

Welcome home, hacker.

Transcript

CERT/CC warns of an unpatched Tenda router backdoor. Adobe highlights an actively exploited ColdFusion flaw. Canada pulls back the curtain on offensive cyber operations. Anthropic quietly removes hidden tracking from Claude Code. Chinese AI gains momentum as U.S. providers sweeten the deal. U.S. cloud firms challenge South Korea’s new security rules. Microsoft’s device telemetry helps unmask an alleged Scattered Spider hacker. And Spanish police arrest an alleged pro-Russia hacktivist. Orla Daly, CIO at Skillsoft, discusses if AI is already bypassing its own guardrails and why most organizations aren't ready. The stochastic parrot is back, and it’s tired of being misquoted.

Today is Tuesday July 7th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CERT/CC warns of an unpatched backdoor affecting multiple Tenda routers.

CERT/CC is warning of an unpatched authentication backdoor, tracked as CVE-2026-11405, affecting multiple Tenda router firmware versions, including the FH1201, W15E, AC10, AC5, and AC6. The flaw allows anyone with a hidden password to bypass normal authentication and gain full administrative access through the router’s web interface, regardless of the configured username or password. According to the advisory, the firmware checks an undocumented password stored in the device configuration after normal authentication fails, and any username will be accepted if the backdoor password matches. Successful exploitation enables complete device takeover, including changing network settings, disabling security features, and compromising connected systems. Tenda has not responded or released a patch. CERT/CC recommends disabling remote management and changing the default LAN IP address to reduce exposure until a firmware update becomes available.

Adobe urges immediate patching of a ColdFusion bug under active exploitation. 

Adobe is urging ColdFusion customers to apply the latest security updates immediately after researchers reported active exploitation of CVE-2026-48282, a maximum severity path traversal flaw that can lead to remote code execution. The vulnerability is one of six critical bugs addressed in Adobe’s June 30 APSB26-68 bulletin. With hundreds of internet-exposed ColdFusion instances still online, organizations are advised to patch without delay. Adobe recently announced it will move to a twice-monthly security advisory schedule, citing AI-driven vulnerability discovery and the need to accelerate patch releases.

Canada reveals state-authorized offensive cyber operations. 

Canada’s Communications Security Establishment (CSE) revealed it conducted three state-authorized offensive cyber operations last year targeting threats to national security. The agency said it disrupted overseas brokers supplying chemicals used to produce fentanyl, undermined an extremist group’s online recruitment and propaganda efforts, and dismantled a ransomware-as-a-service operation by rendering its infrastructure inoperable and deleting much of its data. CSE also carried out technical disruptions against 10 major ransomware groups targeting Canada and conducted one defensive cyber operation that disrupted a phishing campaign aimed at Canadian government institutions and other critical systems. While the agency withheld operational details and locations to protect its methods, the report offers a rare public look at how Canadian intelligence uses offensive cyber capabilities to counter cybercrime, extremism, and other foreign threats.

Anthropic removes hidden tracking code from its Claude Code developer tool.

Anthropic removed hidden tracking code from its Claude Code developer tool after security researcher “Thereallo” discovered it was quietly identifying users potentially connected to China by monitoring signals such as time zones and proxy use. Anthropic engineer Thariq Shihipar said the code was introduced as a March experiment to combat account abuse and AI model distillation, and was removed because stronger protections are now in place. Privacy advocates criticized the undisclosed tracking as a breach of user trust, arguing it should have been transparent. The incident comes amid growing tensions over Chinese AI companies allegedly distilling U.S. models. Following reports of the tracker, Alibaba banned employees from using Claude Code, citing security concerns. Anthropic maintains that large-scale distillation poses a significant threat to AI security and competitiveness.

Chinese AI models gain ground while U.S. providers offer incentives. 

Chinese AI models are rapidly gaining adoption among U.S. companies as they deliver competitive performance at significantly lower cost than leading American systems. Platforms such as OpenRouter report Chinese models now account for more than 30% of weekly token usage by U.S. developers, driven by offerings from companies including DeepSeek and Z.ai. Some businesses have migrated workloads from premium U.S. models, citing dramatic cost savings while maintaining acceptable performance for many applications. Industry observers say Chinese open-source and open-weight models are closing the capability gap with top U.S. systems while costing 60% to 90% less for certain workloads. The trend highlights growing pressure on U.S. AI companies, as organizations increasingly prioritize affordability and flexibility alongside cutting-edge performance when selecting AI models.

OpenAI, Anthropic, and major cloud providers are aggressively offering startups millions of dollars in AI compute and token credits to attract long-term customers. According to The Wall Street Journal, some startups have received competing offers exceeding $3 million, while companies like Google Cloud, Microsoft, and Amazon Web Services are also providing generous incentives. The competition comes as AI vendors face pressure to grow revenue ahead of potential IPOs and fend off lower-cost rivals. The incentives are designed to lock startups into their platforms before they establish lasting infrastructure and development workflows.

U.S. cloud providers urge Washington to challenge South Korea’s cloud security overhaul. 

Major U.S. cloud providers are urging Washington to challenge South Korea’s proposed overhaul of its public-sector cloud security certification program, arguing the changes could unfairly disadvantage foreign providers and violate the Korea-U.S. Free Trade Agreement. The companies are particularly concerned that revised rules could require physical network separation, forcing providers such as Amazon Web Services, Microsoft Azure, and Google Cloud to build dedicated infrastructure in South Korea at significant cost. South Korea says the overhaul is intended to strengthen national security and streamline approvals under the National Intelligence Service, not discriminate against foreign firms. The dispute adds to broader U.S.-South Korea tensions over digital regulation, with U.S. officials and lawmakers closely monitoring the proposed rules and their potential impact on trade and broader bilateral security cooperation.

VPNs don’t hide Global Device Identifiers. 

Court documents allege that 19-year-old Peter Stokes, an American-Estonian accused of involvement with the Scattered Spider cybercrime group, was linked to an alleged US$8 million ransomware demand through Microsoft’s Global Device Identifier (GDID). According to an FBI affidavit, Microsoft provided device telemetry that allowed investigators to correlate a unique Windows device identifier with ngrok access records, despite Stokes’ use of a virtual private network. The GDID was then matched with IP addresses linked to his Snapchat, Apple, and Facebook accounts across multiple countries, strengthening the attribution. Stokes faces six charges, including four related to the alleged ransomware scheme and two conspiracy counts tied to Scattered Spider. His prosecution is part of the FBI’s broader Operation Riptide targeting the prolific cybercriminal group.

Spanish police collar an alleged pro-Russia hacktivist. 

Spanish police have arrested a man accused of supporting several pro-Russia hacktivist groups linked to cyberattacks against critical national infrastructure. Authorities allege the suspect, arrested in March following an FBI tip, maintained close ties to CyberArmy of Russia Reborn (CARR), Z-Pentest, and NoName057(16), helping coordinate activities and provide logistical support. Investigators also claim he assisted a CARR member’s escape to Russia in 2025 and seized computer equipment and cryptocurrency assets believed to be connected to cybercrime. The arrest is part of the FBI’s Operation Red Circus, which targets Russian-aligned hacktivist networks. Western intelligence agencies have warned that while these groups often rely on distributed denial-of-service attacks, they have also been linked to more serious intrusions targeting critical infrastructure, including water and energy systems.

 

The stochastic parrot is back, and it’s tired of being misquoted. 

Five years after the influential Stochastic Parrots paper landed in the middle of an AI firestorm, its lead author, computational linguist Emily Bender, says many people still misunderstand its central point. The paper argued that large language models generate fluent text by predicting statistically likely word sequences, not by understanding language or meaning. In other words, they are remarkably good at sounding like they know what they’re talking about, which, as history reminds us, is not a uniquely machine problem. Bender says the “stochastic parrot” metaphor was never intended as an insult, only as a concise explanation of how these systems produce synthetic text. She also argues that the catchall term “artificial intelligence” lumps together fundamentally different technologies, making public debate and regulation harder. Looking back, Bender says she would expand the paper to address another major issue: the exploitative labor practices and widespread use of creators’ work that underpin many modern AI systems.

It’s a good reminder that humans remain remarkably willing to mistake confidence for comprehension, whether it comes from a chatbot or across the conference table.

Poly wants a token.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

 

N2K’s lead producer is Liz Stokes. We’re mixed by  Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.