Home / Episodes / May 28, 2026
Episode show notesMay 28's Top Cyber News NOW! - Ep 1141
At a glance
CrowdStrike and Google dismantled the Glassworm botnet by coordinating a simultaneous takedown of all four C2 channels, disrupting a year-long supply chain attack. Meanwhile, AI is drastically accelerating exploit development—from 125 days to 12 hours—while critical vulnerabilities in widely-used packages like Starllet expose millions of systems. The threat landscape is moving faster than defenders can patch.
Stories covered
How did CrowdStrike and Google dismantle the Glassworm botnet?
What happened: CrowdStrike, Google, and the Shadow Server Foundation coordinated a simultaneous takedown of all four command-and-control channels operated by Glassworm, a self-propagating botnet that stole credentials via poisoned npm, Python, and VS Code packages since early 2025. The malware used Solana blockchain, BitTorrent DHT, and Google Calendar as C2 infrastructure to evade takedowns.
Why it matters: This demonstrates a sophisticated supply chain attack affecting developers and the broader software ecosystem. The simultaneous C2 strike prevented automated failover and redundancy from protecting the threat actors, but—critically—does not clean already-compromised endpoints still attempting to beacon.
What to do: Hunt for Glassworm IOCs and indicators of compromise across your environment immediately. Assume infected systems are still trying to reach out for commands. Review npm, Python, and GitHub repository dependencies in your applications for the affected packages.
Why is AI slashing vulnerability exploit development from months to hours?
What happened: Research from Cogent Security found attackers are using AI to reduce exploit development time for disclosed vulnerabilities from approximately 125 days (early 2025) to just 12 hours (April 2026), outpacing vulnerability scanners from Tenable, Qualys, and Rapid7. Eighty-three percent of critical CVEs create a visibility gap, with over half never receiving scanner coverage before exploits circulate.
Why it matters: Patch windows are collapsing. Threat actors can reverse-engineer patches within hours and exploit unpatched systems before your organization can test, validate, and deploy fixes across large environments. The risk window now favors attackers significantly.
What to do: Shift from traditional vulnerability scanning to exposure management. Prioritize patching critical CVEs within 24–48 hours of release. Coordinate with your exposure management and scanner vendors to ensure they're integrating AI-driven detection and are not weeks behind threat actors.
What is China's AI-powered mass surveillance network doing?
What happened: The Financial Times reports China is upgrading its decade-old surveillance infrastructure with AI-powered cameras and software from vendors like Hikvision and Huawei that automatically identify people, analyze behavior, and flag potential unrest in real time using computer vision and LLMs.
Why it matters: This is infrastructure deployment at scale. While framed around public safety and crime deterrence, once deployed, oversight and safeguards erode over time—as evidenced by incidents like the Madison Square Garden facial recognition case (2022) used to deny entry to a lawyer suing the venue owner.
Monitor for now.
Why did Shiny Hunters breach Charter Communications through voice phishing?
What happened: The extortion group Shiny Hunters breached Charter Communications via a voice phishing attack targeting an employee's Microsoft Entra account on April 1st, 2026. They then exported millions of customer records from Salesforce, including names, contact details, plan information, and support tickets, before demanding ransom.
Why it matters: This represents a high-value supply chain attack on critical infrastructure. Shiny Hunters is escalating—moving from ransomware to data theft without encryption, enabling rapid extortion before defenders respond. Law firms, healthcare, and finance remain prime targets.
What to do: Conduct tabletop exercises specifically against Shiny Hunters as the threat actor, not generic ransomware. Implement MFA enforced on all administrative and M365 Entra accounts. Restrict Salesforce export permissions to least-privilege roles. Monitor for voice phishing indicators and educate staff on verification procedures for IT support requests.
How is the Silent Ransom Group impersonating IT support to breach law firms?
What happened: The FBI warned that Silent Ransom Group (also known as Luna Moth, Chatty Spider, UNCC3753) is impersonating IT support via phishing emails and phone calls to trick employees—especially at U.S. law firms—into granting remote access. The group uses legitimate tools like AnyDesk, TeamViewer, and LogMeIn, and may send attackers on-site for physical access.
Why it matters: Law firms hold client communications, financial records, and attorney-client privileged information. SRG focuses on rapid data theft without encryption, maximizing extortion pressure. Legitimate remote access tools evade endpoint detection, making this attack technique effective against organizations with weak identity verification processes.
What to do: Establish and enforce an approved IT support procedure. Train staff to hang up, verify the caller independently by calling the help desk directly, and confirm whether IT support was actually requested. Implement zero-trust endpoint controls (e.g., Threat Locker) that block unapproved remote access tools like AnyDesk if not explicitly required by your organization.
What vulnerability in Starllet exposes millions of AI agents to bypass attacks?
What happened: A critical authorization bypass vulnerability ("bad host") in the Python framework Starllet affects systems built on FastAPI, Litestar, LLM, and other Starllet-based tools. The flaw allows attackers to manipulate HTTP host headers, enabling SSRF, data theft, and potentially RCE. Starllet has 325 million weekly downloads, exposing healthcare, finance, email, cloud, and cybersecurity systems.
Why it matters: Dependency vulnerabilities at this scale create cascading exposure across the AI agentic ecosystem. Organizations rapidly deploying AI agents may not have visibility into their underlying frameworks. Patch validation and rollout across distributed AI infrastructure will be slow, leaving a prolonged exploitation window.
What to do: Immediately identify all internal applications using Starllet or Starllet-based frameworks. Upgrade to Starllet 1.0.1 or later. Scan exposed systems and log files for exploitation attempts. If you cannot patch immediately, implement WAF rules to detect and block manipulated Host headers.
Why was a Romanian national sentenced for breaching Oregon government systems?
What happened: Catalin Dragamir was sentenced to 56 months in prison for breaching the Oregon Office of Emergency Management and 10 other U.S. companies. He stole employee credentials and personal data (SSNs) and sold access on dark web forums, causing at least $250,000 in damages. He was arrested in Romania in 2024, extradited to the U.S. in 2025, and pleaded guilty in 2026.
Why it matters: State and local government systems are chronically under-resourced and heavily targeted. This case demonstrates that international extradition is possible and that cybercriminals face significant prison time—a deterrent, albeit imperfect, for lower-tier threat actors.
Monitor for now.
What is the UK cyber intelligence chief warning about AI as a weaponized force?
What happened: Anne Kee Butler, head of the UK's GCHQ, warned that AI is becoming an unstoppable, increasingly weaponized force operating just below the threshold of war. She cited Russia's daily hybrid attacks on critical infrastructure and called for faster AI development in the West to maintain competitive advantage against Russia and China.
Why it matters: This is a policy signal that oversight and guardrails on AI development are being deprioritized in favor of speed and capability parity. The narrative frames responsible AI governance as a competitive liability.
Monitor for now.
Key takeaways
- Supply chain and dependency risk are amplifying. Glassworm's 300+ poisoned repos and Starllet's 325M weekly downloads show how deeply malicious or vulnerable code can penetrate. Inventory your dependencies ruthlessly.
- AI is collapsing patch windows. Exploit development went from 125 days to 12 hours. Patching within 48 hours is now a baseline requirement, not best practice. Exposure management, not scanning alone, is the path forward.
- Identity compromise remains the crown jewel. Shiny Hunters and Silent Ransom Group both start with MFA-less credential theft via phishing and vishing. Enforce MFA on every administrative and cloud identity without exception.
- Law firms and state/local government are high-priority targets. Both hold sensitive data and operate with constrained security budgets. If you operate in these sectors, assume you are being actively targeted.
- AI-powered mass surveillance infrastructure is normalizing. Oversight erodes slowly. Understand the trajectory and the precedents (Madison Square Garden 2022) before infrastructure is too entrenched to challenge.
Topics covered
glassworm botnet, supply chain attack, vulnerability exploitation, starllet framework, ai-driven exploit development, charter communications, shiny hunters, silent ransom group, credential compromise, voice phishing, law firm security, state and local government breach, exposure management, zero trust, ai surveillance, china hikvision huawei, solana blockchain c2, critical cve patch windows
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.