The CyberWire Daily Podcast 7.9.26
Ep 2589 | 7.9.26

Who you gonna call?

Transcript

GhostApproval puts AI coding assistants under the microscope. Microsoft fixes the RoguePlanet zero-day. More than 70 cybersecurity firms back a new AI Charter. An Ohio county may have paid a $1 million ransom. AssuranceAmerica discloses a breach affecting nearly seven million people. Australia bricks thousands of broadband routers. Israeli fintech Nayax reports a cyber incident. KDDI confirms a massive telecom data breach. A global anti-fraud operation leads to thousands of arrests. Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies explains the EU Cloud and AI Development Act. Slopfix fights fire with fire.

Today is Thursday July 9th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

GhostApproval exploits symlinks with AI coding assistants. 

Wiz Research has disclosed a flaw, dubbed GhostApproval, affecting six AI coding assistants: Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The issue exploits symbolic links, or symlinks, to disguise writes to sensitive files as harmless project edits. In Wiz’s proof of concept, an AI agent following routine setup instructions overwrote a developer’s SSH keys after the approval prompt displayed only an innocent-looking filename, potentially enabling passwordless remote access and, in the worst case, remote code execution. Amazon, Google, and Cursor have released fixes, with Cursor assigning CVE-2026-50549. Augment and Windsurf acknowledged the reports but had not issued fixes at publication, while Anthropic disputed the issue as a vulnerability. Wiz recommends resolving symlinks before approval prompts and warning users about writes outside the project.

Microsoft patches RoguePlanet. 

Microsoft has patched CVE-2026-50656, a Microsoft Defender zero-day dubbed RoguePlanet, a race condition that allows a local attacker to gain SYSTEM privileges on fully patched Windows 10 and 11 systems, even with real-time protection disabled. The flaw exploits a timing gap in Defender’s file scanning process, allowing an attacker to swap a scanned file with a malicious payload that executes with elevated privileges. A public proof of concept has been released, though Microsoft says it has not seen the vulnerability exploited in the wild. The flaw affects the Microsoft Malware Protection Engine up to version 1.1.26050.11 and is fixed in version 1.1.26060.3008, which updates automatically. Administrators should verify engine versions, restrict local administrative privileges, and monitor for suspicious file activity to reduce potential impact

Over 70 cybersecurity organizations sign a new AI Charter. 

More than 70 cybersecurity organizations have signed CREST’s AI Charter, committing to nine principles for the responsible use of artificial intelligence in cybersecurity. The framework emphasizes accountability, transparency, documentation, human oversight, data sovereignty, security, secure AI development, supply chain risk management, and business continuity. Signatories pledge to disclose when AI is used, maintain audit trails, protect client data, and ensure qualified personnel retain final oversight of AI-driven decisions. The charter also calls for securing AI tools throughout their lifecycle, managing third-party AI risks, and planning for AI-related disruptions. CREST said the principles were developed with industry input and reflect the growing role of AI, with nearly 70% of cybersecurity providers now using AI daily. The organization hopes the charter will establish common industry standards and reduce the need for formal regulation while improving trust and interoperability.

A small Ohio county may have paid a million dollar ransom. 

Ransom-ISAC reports that a U.S. government entity, believed to be Union County, Ohio, paid the Kairos cyber extortion group $1 million after attackers stole roughly 2TB of data in a May 2025 breach. Negotiation records show the attackers reduced their demand from $3 million before payment was made in Bitcoin. The incident involved data theft and extortion, not file encryption. Ransom-ISAC cautioned there is no reliable way to verify the attackers actually deleted the stolen data, despite providing proof-of-deletion artifacts.

AssuranceAmerica suffers a data breach affecting nearly seven million individuals. 

AssuranceAmerica has disclosed a data breach affecting nearly seven million individuals after attackers gained unauthorized access to its network in March 2026. The insurer said the intrusion began on March 16 by targeting an employee, allowing attackers to access parts of its IT environment and copy customer data. Exposed information may include names, contact details, insurance policy and claims information, driver and vehicle records, and driver’s license numbers. After detecting the breach on March 17, the company disabled compromised accounts, terminated unauthorized sessions, isolated affected systems, notified law enforcement, and strengthened security with password resets, enhanced monitoring, and employee training. AssuranceAmerica completed its review of impacted files in June and is notifying affected individuals, advising them to monitor financial accounts and report suspicious activity.

Thousands of Australian routers are intentionally bricked. 

Thousands of SamKnows routers used in the Australian Competition & Consumer Commission’s Measuring Broadband Australia (MBA) program were remotely disabled after the initiative ended on June 30, 2026, prompting criticism over unnecessary electronic waste. The routers, distributed to volunteers beginning in 2020 to measure broadband performance, remain functional hardware but were intentionally bricked as part of the program’s shutdown. Volunteers were instructed to recycle the devices, although some users have successfully reflashed them with the open source OpenWRT operating system to restore full router functionality. Critics argue SamKnows or its parent company, Cisco, could have released a final firmware update instead of disabling the devices. Neither SamKnows, Cisco, nor the ACCC provided a clear explanation for the decision, despite concerns about avoidable e-waste.

An Israeli Fintech company reports a data breach. 

Israeli Fintech company Nayax has disclosed a cybersecurity incident after detecting suspicious activity in a cloud account belonging to one of its subsidiaries. The company said the affected account was immediately secured and emphasized that its production environment, payment processing systems, and business operations were not impacted. The incident follows online extortion claims threatening to publish allegedly stolen data on July 21, though Nayax cautioned that cybercriminals often exaggerate such claims to pressure victims. The company is working with cybersecurity experts and law enforcement in Israel and the United States while investigating the scope of any exposed data. Nayax said it does not currently believe material information was compromised but will provide updates if significant findings emerge. The disclosure was also reported to the U.S. Securities and Exchange Commission.

Japanese telecom giant KDDI confirms a cyberattack. 

Japanese telecom giant KDDI confirmed that a June cyberattack exposed the data of 12.2 million people after attackers exploited a zero-day vulnerability in software supporting the email infrastructure of five internet service providers. Stolen data included email addresses and 7.6 million passwords, though KDDI’s own mobile and fixed-line email services were unaffected. The company says it removed the attackers, is coordinating password resets with affected providers, and is working on a patch and broader security improvements.

A global anti-fraud initiative arrests thousands of suspects. 

Operation First Light 2026, a global anti-fraud initiative coordinated by Interpol, led to the arrest of 5,811 suspects, the identification of more than 15,600 suspects and 142,000 victims, and the seizure of $293 million in illicit assets. Conducted between January and April across 97 countries and territories, the operation targeted social engineering scams, including romance fraud, business email compromise, and related money laundering. Authorities froze more than 31,000 bank accounts and numerous cryptocurrency wallets, while dismantling criminal networks in multiple countries. One notable raid in Eswatini uncovered an elaborate impersonation scheme involving a fake Brazilian police station. Interpol said the operation also helped solve nearly 24,000 fraud cases and highlighted the value of international collaboration against cyber-enabled financial crime.

 

Slopfix fights fire with fire. 

In what may be the most delightfully circular startup idea of the year, a company called Slopfix has built a business around cleaning up AI-generated code, using AI coding agents to do the cleaning. For a starting fee of $10,000 a week, its three engineers promise to shrink bloated codebases, while preserving functionality. The catch? They get paid based on how much code they delete. Before touching a project, Slopfix documents every screen and endpoint as a regression checklist, then delivers a leaner codebase, guardrails to prevent future bloat, and a two-week warranty. The timing is no accident. GitClear reports duplicated code has surged 81% since 2023 while refactoring has nearly disappeared, as AI-generated “vibe coding” increasingly produces sprawling, repetitive software. Slopfix’s premise is simple: use AI to clean up AI’s mess. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

 

N2K’s lead producer is Liz Stokes. We’re mixed by  Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.