This week’s Department of Know is hosted by Sarah Lane, with guests Jack Kufahl, CISO, Michigan Medicine, and Adam Palmer, CISO, First Hawaiian Bank.
Missed the live show? Check it out on YouTube.
The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com
Claude source code leaked
Solayer Labs intern Chaofan Shou posted on X that Anthropic seemed to have published a JavaScript source map file for Claude Code on its public npm registry. This source file was quickly archived and spread across GitHub. Anthropic acknowledged the leak, saying it was the result of human error, not malicious activity. The file revealed how Claude Code limits “context entropy” with a three-layer memory architecture and provides details on a background daemon mode called KAIROS. It also gives details on Anthropic’s internal model roadmap and current development milestones, and provides a prompt for an “undercover mode” to stealthily use Claude Code for public open-source contributions. (Venture Beat, Chaofan Shou)
macOS Terminal gets ClickFix attacks
Apple added a new macOS Tahoe 26.4 security feature that warns users and delays execution when pasting potentially dangerous commands into Terminal, targeting “ClickFix” social engineering attacks that trick users into running malicious code. The system alerts users that execution was blocked and explains the risks, though they can still proceed. The feature isn’t fully documented and may not trigger consistently, so users are still advised not to run unfamiliar commands, as attackers continue to exploit user-initiated actions to bypass traditional protections. (BleepingComputer)
DeepLoad to use AI for persistent evasion
Researchers at ReliaQuest uncovered a credential-stealing campaign called “DeepLoad” that uses AI-generated obfuscation and social engineering to gain persistent access, often triggered by fake browser prompts. The malware logs keystrokes, hides malicious code under massive volumes of AI-generated junk code, runs under trusted Windows processes, and can reinfect systems days later via USB spread and hidden persistence mechanisms. (CyberScoop)
Huge thanks to our sponsor, Vanta

Iran revives Pay2Key
As former CISA director Chris Krebs recently characterized it, Iran seems to be “throwing everything against the wall” when it comes to cyber operations. In the most recent example, researchers at KELA’s Cyber Intelligence Center found evidence that the country revived its state-backed ransomware operation Pay2Key. This revival saw the group recruiting from Russian illicit forums, a move KELA characterized as “outsourcing geopolitical retribution to the global cybercrime talent pool.” Part of the strategy for Pay2Key appears to be to launch so-called pseudoransomware attacks, where the goal is to leave systems encrypted to cause chaos, or install other forms of wiper malware. Pay2Key also serves as an initial access broker for other threat actors. (Dark Reading)
HTTP client introduces malicious dependency
Axios, a widely used HTTP client library on npm, was hijacked by threat actors to introduce a remote-access trojan into two releases. Google’s Threat Intelligence Group chief analyst John Hultquist attributed the attack to the North Korean APT UNC1069. Axios is downloaded roughly 100 million times a week. The attackers were able to hijack the npm account of Axios’s maintainer, change the account email, and lock them out. Rather than change the Axios code directly, they added a malicious dependency, manually pushing through npm’s CLI rather than the project’s GitHub Actions pipeline to avoid detection. Researchers at StepSecurity noted this attack showed significant planning and sophistication, with separate payloads ready for Windows, macOS, and Linux. (The Register, Socket)
TeamPCP’s supply chain campaign claims new victims
A new report from Wiz tracking the activities of threat group TeamPCP reveals a methodical and fast-moving operation against the open source supply chain, building on the group’s previously reported attack on the LLM proxy library LiteLLM. Wiz observed TeamPCP validating stolen secrets from supply chain attacks within hours of exfiltration, then launching AWS discovery operations against confirmed credentials in under a day. Researchers note the group is “explicitly collaborating” with extortion outfit Lapsus$ and other ransomware organizations, operating as an initial access broker.
That connection proved out this week as three new victims emerged: Cisco confirmed attackers used credentials stolen via a malicious GitHub Actions plugin in the Trivy supply chain attack to access its internal development environment and exfiltrate source code from more than 300 repositories, while AI hiring platform Mercor disclosed a breach tied to the compromised LiteLLM project, with Lapsus$ separately claiming to have accessed Mercor data including Slack and internal platform content. And the group was pegged to a recent attack on the European Commission. (Wiz, Infosecurity Magazine, BleepingComputer, TechCrunch)





