[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights,
[00:03] Announcer: Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Aaron Cole: Welcome to Prime Cyber Insights for March 24th, 2026. I'm Aaron Cole.
[00:17] Aaron Cole: Aaron, we're tracking a significant escalation in supply chain risk this morning.
[00:21] Aaron Cole: Today, Ars Technica detailed a campaign by a group known as Team PCP.
[00:26] Aaron Cole: They've successfully poisoned the Trivy vulnerability scanner along with over two dozen npm packages
[00:32] Aaron Cole: using a self-propagating worm dubbed Canister Worm.
[00:36] Aaron Cole: What makes this particularly aggressive is the automation.
[00:39] Aaron Cole: It targets CI/CD pipelines to steal npm tokens and then automatically releases any package those tokens can access with malicious code.
[00:48] Aaron Cole: It effectively turns the developer's own infrastructure against the entire ecosystem.
[00:53] Lauren Mitchell: It creates a viral loop that is incredibly difficult to prune, Lauren.
[00:58] Lauren Mitchell: The speed of the automation is what practitioners need to note.
[01:01] Lauren Mitchell: Researchers at Aikido observed the worm hitting 28 packages in under 60 seconds.
[01:07] Lauren Mitchell: Curiously, the group added a wiper component called kamikaze that only triggers if the infected machine is in the Iranian time zone or configured for that locale.
[01:17] Lauren Mitchell: While Team PCP has traditionally focused on financial gain, this shift toward targeted
[01:23] Lauren Mitchell: destruction suggests they may be seeking higher visibility or perhaps transitioning into a state-aligned
[01:29] Lauren Mitchell: role.
[01:30] Aaron Cole: It's a clear reminder that containment is only as good as the cleanup.
[01:33] Aaron Cole: Aqua Security attempted to rotate credentials after an initial breach in February,
[01:38] Aaron Cole: but because that rotation was incomplete, it left the door open for this latest wave.
[01:43] Aaron Cole: Shifting from the actors to the legal fallout, 26-year-old Russian national Alexei Volkov
[01:49] Aaron Cole: was sentenced today to 81 months in prison.
[01:52] Aaron Cole: Volkov operated as a high-level initial access broker, or IAB, facilitating dozens of ransomware
[01:58] Aaron Cole: attacks for prominent crews like Yanluowang.
[02:01] Aaron Cole: The United States Department of Justice reports that his work led to at least $9 million in actual losses.
[02:08] Lauren Mitchell: The legal net is definitely widening, Lauren.
[02:10] Lauren Mitchell: We're also seeing the first major consequences for the specialized infrastructure that surrounds these attacks.
[02:16] Lauren Mitchell: Prosecutors have now charged Angelo Martino, a negotiator for DigitalMint,
[02:22] Lauren Mitchell: for allegedly assisting the BlackCat gang in extorting higher payouts from victims.
[02:26] Lauren Mitchell: It signals a strategic pivot for the DOJ.
[02:29] Lauren Mitchell: They are moving beyond just the malware authors to target the entire ecosystem of brokers and negotiators
[02:36] Lauren Mitchell: who make the ransomware business model viable and profitable.
[02:39] Aaron Cole: Speaking of that business model, Google's Mandiant released its annual M-Trends report this week,
[02:45] Aaron Cole: and the data on initial access shows a major shift.
[02:48] Aaron Cole: Voice phishing, or vishing, is now the number two method for gaining access overall and is the top tactic for breaking into cloud environments.
[02:57] Aaron Cole: Attackers are simply calling corporate helpdesks to register their own devices for MFA or to request password resets.
[03:05] Aaron Cole: It's a low-tech approach, but the success rate in cloud-heavy organizations is forcing a fundamental rethink of helpdesk verification protocols.
[03:15] Lauren Mitchell: The report also highlights what Mandiant calls "living on the edge."
[03:19] Lauren Mitchell: Espionage groups, specifically a Chinese-linked cluster tracked as UNC6201,
[03:26] Lauren Mitchell: are aggressively compromising edge devices like firewalls and routers
[03:30] Lauren Mitchell: where endpoint security rarely reaches.
[03:33] Lauren Mitchell: They are deploying backdoors like BrickStorm and sitting undetected for an average of 393 days.
[03:40] Lauren Mitchell: When you combine that with the fact that some ransomware handoffs now happen in under 30 seconds,
[03:47] Lauren Mitchell: the defensive window is either non-existent or massive,
[03:51] Lauren Mitchell: with almost no middle ground for IT teams to find.
[03:55] Aaron Cole: The takeaway for practitioners is clear.
[03:57] Aaron Cole: Identity and edge infrastructure are the primary battlegrounds in 2026.
[04:03] Aaron Cole: Whether it's the automated supply chain poisoning of Team PCP or the human-centric vishing identified by Mandiant,
[04:10] Aaron Cole: the common thread is the exploitation of trusted paths.
[04:14] Aaron Cole: Organizations must prioritize a comprehensive audit of their CI/CD tokens and strictly validate all helpdesk identity requests.
[04:24] Aaron Cole: As a reminder, this podcast is for informational purposes and does not constitute professional security advice.
[04:31] Lauren Mitchell: That's the briefing for today. For more technical deep dives and full transcripts, visit pci.neuralnewscast.com.
[04:39] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed. View our AI transparency policy at neuralnewscast.com.
[04:47] Lauren Mitchell: I'm Aaron Cole.
[04:48] Aaron Cole: And I'm Lauren Mitchell. We'll see you in the briefing room tomorrow.
[04:52] Aaron Cole: Neural Newscast is AI-assisted, human-reviewed.
[04:56] Aaron Cole: View our AI transparency policy at neuralnewscast.com.
[04:59] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[05:03] Announcer: Intelligence for defenders, leaders, and decision makers.