On this week’s show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week’s cybersecurity news, including: * Vercel got owned, and there’s a few infostealer and compromised employee dots to connect * Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse * Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs? * The NSA is using Mythos even though the government did that whole Anthropic blacklisting thing * And DDos attacks hit a couple of smaller-player socials This week's episode is sponsored by Permiso. Ian Ahl chats to Pat about the subtle signals Permiso uses to detect ShinyHunters-style activity in cloud and on-prem environments. Show notes: Vercel April 2026 Security incident https://vercel.com/kb/bulletin/vercel-april-2026-security-incident Vercel Breach linked to infostealer infection at Context.ai https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/ Vercel confirms breach as hackers claim to be selling stolen data https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/ Matt Johansen: “This is not a good look” | X https://x.com/mattjay/status/2046222804555608574?s=46&t=VLIuBKdOq3MvRk4IpV-_-A NIST limits vulnerability analysis as CVE backlog swells | Cybersecurity Dive https://www.cybersecuritydive.com/news/nist-vulnerability-analysis-criteria-nvd-cve/817683/ CISA Cyber on X https://x.com/CISACyber/status/2046284602218549277 Ransomware attack continues to disrupt healthcare in London nearly two years later | The Record from Recorded Future News https://therecord.media/ransomware-nhs-cyberattack-disruption Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks | CyberScoop https://cyberscoop.com/lawmakers-ponder-terrorism-designations-homicide-charges-over-hospital-ransomware-attacks/ In defeat for Trump, House extends electronic spying program for just 10 days | The Record from Recorded Future News https://therecord.media/fisa--trump-congress-extension-surveillance Crypto infrastructure company blames $290 million theft on North Korean hackers | The Record from Recorded Future News https://therecord.media/crypto-north-korea-theft-kelp US-sanctioned currency exchange says $15 million heist done by "unfriendly states" - Ars Technica https://arstechnica.com/security/2026/04/russia-friendly-exchange-says-western-special-service-behind-15-million-cyberattack/ Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch https://techcrunch.com/2026/04/17/hackers-are-abusing-unpatched-windows-security-flaws-to-hack-into-organizations/ Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox | WIRED https://www.wired.com/story/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox/ NSA using Anthropic's Mythos despite Defense Department blacklist https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon Beyond the breach: inside a cargo theft actor’s post-compromise playbook | Proofpoint US https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook Beware scam messages offering ships safe transit through Hormuz Strait, says security firm | The Straits Times https://www.straitstimes.com/world/middle-east/scam-messages-offering-ships-safe-transit-through-hormuz-security-firm-warns New Jersey men given lengthy sentences for running North Korean laptop farms | The Record from Recorded Future News https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms Turns Out We’re Not Alone - Volodymyr Styran https://arunninghacker.substack.com/p/turns-out-were-not-alone US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive https://www.cybersecuritydive.com/news/ddos-service-takedowns-arrests-operation-poweroff/817814/ Bluesky blames app outage on ‘sophisticated’ DDoS attack | The Record from Recorded Future News https://therecord.media/bluesky-blames-app-outage-on-ddos Mastodon says its flagship server was hit by a DDoS attack | TechCrunch https://techcrunch.com/2026/04/20/mastodon-says-its-flagship-server-was-hit-by-a-ddos-attack/ An IT expert explained under what conditions using a VPN can cause a smartphone to explode https://www.kuban.kp.ru/online/news/6926840/

Srsly Risky Biz: Open weight models make the Mythos debate moot
494 views

Risky Business (843): Fortibleed is kinda awesome, actually
751 views

Pitching security startups to VCs in the AI era
203 views

Between Two Nerds: The PRC vs AI
342 views

Srsly Risky Biz: Anthropic has artificial, but not emotional, intelligence
460 views

Risky Business Weekly (842): Anthropic needs an adult in the C suite
1.2K views