This week’s Department of Know is hosted by Rich Stroffolino, with guests Bruce Schneier, chief of security architecture, Inrupt, and Chris Ray, field CTO, GigaOm.
Missed the live show? Check it out on YouTube.
The Department of Know is live every Friday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com.
In this week’s cybersecurity news…
Microsoft slams GitHub zero-day disclosures
Microsoft is criticizing a researcher known as Chaotic Eclipse who published proof-of-concept code for multiple Windows flaws, bypassing Microsoft’s disclosure process. The company said three of the bugs, BlueHammer, RedSun, and UnDefend, which affect Defender and BitLocker, are being actively exploited, and warned that releasing details before patches are available puts customers at greater risk. The dispute escalated after the researcher’s GitHub and GitLab accounts hosting the code were removed. Chaotic Eclipse criticized Microsoft for deleting their Microsoft account used to report bugs and ignoring attempts to report the issues. They intended to release another POC on July 14, 2026.
‘Megalodon’ infects GitHub repositories
Researchers at SafeDep say a supply chain attack dubbed Megalodon infected more than 5,500 GitHub repositories after attackers pushed 5,718 malicious automated commits in a six-hour window on May 18th. The commits inserted GitHub Actions workflows that stole CI secrets including cloud credentials, SSH keys, API tokens, and database strings, while planting dormant backdoors that could be triggered later through GitHub’s API. The campaign surfaced after compromised versions of Tiledesk were published from a poisoned GitHub repository. (SecurityWeek)
Netherlands blocks sale of authentication tech to US
In November, the US firm Kyndryl announced it would acquire the Dutch company Solvinity, which operates the DigiD app platform that citizens use to authenticate identities with public authorities. In a letter to the national parliament, the Dutch government said the national authority that screens investments had advised the government to block the acquisition as it posed “a possible risk to the public interest.” This announcement comes a week before the European Commission releases a tech sovereignty policy proposal to reduce EU reliance on foreign technology, particularly in the cloud and AI. (Politico)
No-Code comes to malware
ESET researchers published details on an Android remote access trojan called BTMOB, which ships with commercial-style packaging and includes an APK builder that lets buyers generate new payloads and reconfigure phishing lures without writing any code. Ultimately, BTMOB is capable of full device takeover by abusing Android’s accessibility services. This malware-as-a-service operation is sold through Telegram channels, as well as X and Instagram accounts, offering a $5,000 lifetime license plus additional monthly support fees.
Huge thanks to our sponsor, Guardsquare

Glassworm botnet gets shattered
CrowdStrike says it worked with Google and the Shadowserver Foundation to take down Glassworm, a self-propagating credential-stealing botnet targeting developers through poisoned software packages since early 2025. The coordinated action disrupted all four of Glassworm’s command-and-control channels at once. Researchers say the malware spread through compromised VS Code extensions, npm and Python packages, and more than 300 GitHub repos, using invisible Unicode injection plus Solana, Google Calendar, and BitTorrent DHT infrastructure to resist takedowns. (The Register)
Claude Mythos AI finds 10,000 high-severity flaws in widely used software
Anthropic disclosed that “Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities” since it went live last month. Across 1,000 open source projects, Mythos flagged 6,200 high- or critical-severity vulnerabilities; researchers reviewed 1,752 of these and confirmed 62%. Commercially, Cloudflare found over 2,000 bugs in critical-path systems, 400 of them rated high or critical, with a better positive rate than human testers.
IBM and Red Hat Commit to “Project Lightwell”
IBM and Red Hat have invested $5 billion and assigned more than 20,000 engineers to Project Lightwell, a new initiative focused on securing open source software used across enterprise supply chains. The effort centers on an AI-powered “enterprise clearinghouse” that will identify, prioritize and validate vulnerabilities in widely used open source projects, then work with maintainers to develop and distribute secure patches through commercial subscriptions. Major financial institutions including Bank of America, JPMorganChase and Visa are backing the effort. (SecurityWeek, WSJ)