01 Cold Open: Three Crises, One Briefing (00:00)
Halil: A North Korean APT socially engineered their way into a package downloaded eighty-three million times a week — and used it to touch OpenAI's code-signing certificates. That happened. Today we talk about what it means.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Three threads today. First: the Axios npm supply chain compromise — UNC1069, the blast radius, and what actually happened to those OpenAI certificates.
Halil: Second: CVE-2026-33032 in nginx-ui — CVSS nine point eight, two thousand six hundred eighty-nine exposed instances, active mass exploitation, and a patch that exists but nobody's applying.
Halil: Third: Iran's IRGC is writing ladder logic to Rockwell PLCs inside U.S. water and energy facilities. Six federal agencies confirmed it. And separately — Anthropic shelved an AI that autonomously found thousands of vulnerabilities with a seventy-two percent exploit success rate on Firefox.
Halil: Dense day. Let's go.
02 Sponsor — Blue Cortex AI (01:25)
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 Axios Compromise: Kill Chain and Blast Radius (02:32)
Halil: Alex, walk us through the kill chain. How does a North Korean unit go from zero to touching OpenAI's macOS signing certificates?
Alex: So — step one, UNC1069 spearfished the Axios maintainer, Jason Saayman. Fake video conference, voice call social engineering. Classic. He ran something, and it deployed WAVESHAPER.V2 — a cross-platform remote access trojan.
Alex: The RAT harvested his npm credentials. Two-factor auth was enabled — didn't matter. They own the endpoint, they just use the authenticated session.
Halil: So they bypassed two-factor entirely by owning the machine.
Alex: Exactly. Then they published malicious versions one point fourteen point one and zero point thirty point four directly via npm CLI — bypassed the trusted publishing workflow entirely. No git tags, no GitHub verification.
Alex: And here's the clever part — they pre-seeded a clean decoy package called plain-crypto-js version four point two point zero six hours earlier. Build registry reputation, then drop the malicious four point two point one. The postinstall script drops the RAT.
Lena: That reputation pre-seeding is textbook UNC1069. We've seen this exact staging behavior in prior campaigns.
Halil: Lena, how confident are you in the UNC1069 attribution?
Lena: High confidence. WAVESHAPER.V2 code similarity to previous UNC1069 campaigns, C2 infrastructure resolving to a known address, and Google Threat Intelligence explicitly attributes this. UNC1069 ties to BlueNoroff — that's North Korea's cryptocurrency-focused cyber unit. The tradecraft is mature.
Alex: And the OpenAI angle — their GitHub Actions workflow used a floating tag instead of a pinned commit hash. No minimum release age check. So their pipeline pulled the malicious version within minutes of publication.
Halil: That workflow had access to macOS signing certificates for ChatGPT Desktop, Codex, Codex CLI, Atlas — and Apple notarization credentials.
Alex: Right. But here's where I push back on the panic. OpenAI found no evidence of credential exfiltration or misuse. Extracting a signing cert from a macOS keychain during a CI run is non-trivial. Three hours is tight for that kind of multi-stage operation.
Lena: Hmm. Agreed on the forensics. But the certificate rotation was still the right call — you don't leave that question open.
04 How Deep Does the Axios Blast Radius Go? (05:19)
Halil: Pierre, let's talk numbers. Eighty-three million weekly downloads. How bad is the blast radius actually?
Pierre: So — the malicious versions were live for roughly three and a half hours. Assuming half a percent to one percent of the weekly install base caught it, we're looking at five hundred thousand to one million potentially affected machines.
Pierre: Two hundred thirty-four thousand GitHub repositories depend on Axios. Each organization needs a full dependency audit, CI/CD pipeline rebuild, credential rotation, forensic investigation. My model puts ecosystem cleanup at four hundred fourteen million to two point one billion dollars.
Halil: Wow.
Alex: I'd push back slightly on the upper end. Most production apps pin versions — so the real-world hit is organizations using latest or loose semver ranges in CI. That's a smaller population.
Pierre: Fair — and Socket flagged the compromise in six minutes, which compressed the window. But Pierre, the Fortune 500s running loose semver in their pipelines? That's where the real cost lands.
Halil: James, from a defender's perspective — if your build ran between zero zero twenty-one and zero three thirty UTC on March 31st, what's your first move?
James: Isolate the build machine immediately. Don't wait for forensics. The RAT had full developer environment access — SSH keys, API tokens, cloud credentials, GitHub personal access tokens, npm tokens. Assume total compromise.
James: Then check lockfiles — run grep for axios version one point fourteen point one or zero point thirty point four across package-lock, yarn.lock, pnpm-lock. And grep for plain-crypto-js in node_modules. If it's there, you're compromised.
Alex: One thing to flag — the RAT self-destructed after execution. Limited forensic artifacts. Which means if you were in that window, you almost can't prove you weren't hit. Assume breach.
James: Exactly. And Elastic published detections already — prioritize node spawning shell processes during npm install, and file writes to those specific RAT paths. If you have EDR, run those hunts today.
05 DPRK's Two-Pronged Supply Chain Strategy (07:54)
Halil: Lena — UNC1069 on Axios, UNC4736 on the Drift Protocol crypto hack. Are we looking at one unit shifting focus or a coordinated two-pronged operation?
Lena: Neither, exactly. These are distinct tracked clusters within the broader DPRK cyber apparatus. UNC1069 and UNC4736 — that's Mandiant's tracking designation for a separate North Korean unit — operate independently. Different tradecraft, different targeting.
Dr. Elena: But the shared thesis is what matters strategically. Both hit supply chain chokepoints — a DeFi protocol and an npm package with a hundred million downloads — rather than going for direct theft.
Lena: Right. And the social engineering DNA overlaps. Drift attackers built fake quant trading firms, did in-person meetings over six months. UNC1069 built fake Slack workspaces, deepfaked company founders. Both exploited the human trust layer.
Dr. Elena: This is state-directed resource allocation. OFAC sanctioned DPRK IT-worker networks on March 12th for generating roughly eight hundred million dollars in 2024 for weapons programs. The Axios attack happened March 31st. They're diversifying revenue streams under sanctions pressure.
Halil: Elena, you're saying this is financially motivated — not geopolitical signaling?
Dr. Elena: For DPRK? Yes. Zero operational coordination with Iran or Russia. The TTPs are entirely different. This is cybercrime infrastructure under sanctions pressure — they're optimizing for software dependencies used by high-growth AI firms because crypto laundering alone is under pressure.
Lena: That's the key point. AI companies are unique targets — they hold massive compute infrastructure, signing keys with broad trust relationships, IP with military and commercial value. This is a maturation of Lazarus Group's financial supply chain targeting since 2016. What's new is the optimization for AI firm dependencies.
Halil: So the convergence of Iran, Russia, and DPRK activity this week — you're both saying that's coincidence, not coordination?
Dr. Elena: Convergent evolution, not joint operation. All three reflect structurally similar pressures — sanctions, kinetic conflict, disrupted diplomacy — but each responded with tradecraft suited to their institutional capabilities. Iran disrupts OT because it lacks DPRK's financial cyber infrastructure. Russia exploits routers because it's cost-effective for espionage. Parallel adaptations, not a joint campaign.
Lena: Hmm. Agreed on the independence. The danger is treating them as unrelated — the cumulative pressure on defenders is real even if the coordination isn't.
06 nginx-ui CVE-2026-33032: Two Requests to Full Server Control (11:00)
Halil: Let's move to CVE-2026-33032. Alex — I need to flag something. The briefing said no patch was available. That's wrong, isn't it?
Alex: Yeah, that needs a correction. Patch exists — version two point three point four, released March 15th. The fix was twenty-seven characters of code: adding an auth-required middleware call to the vulnerable endpoint. This isn't a vendor failure. Two thousand six hundred eighty-nine instances are unpatched by choice or ignorance.
Halil: Walk us through what an attacker actually does with this.
Alex: Two HTTP requests. That's it. nginx-ui added Model Context Protocol support — MCP is a standard for AI tool integrations. The /mcp endpoint has authentication. The /mcp-message endpoint? Missing the middleware call. Default IP whitelist is empty, which the system treats as allow-all. Classic fail-open anti-pattern.
Alex: You POST a JSON-RPC call to /mcp-message, write a malicious nginx config, trigger a reload. Full server control. No credentials needed.
James: And once you own the nginx config — you intercept all traffic, harvest JWT secrets and API keys, exfiltrate SSL private keys if nginx terminates TLS, install persistent backdoors, pivot to the internal network. This isn't just a web app compromise. It's everything behind the web server.
Halil: Alex, you said the CVSS nine point eight is actually defensible here. That's — that's notable coming from you.
Alex: Look, I dismiss inflated CVSS scores constantly. This one's earned. Unauthenticated, network-accessible, complete infrastructure takeover. VulnCheck added it to the Known Exploited Vulnerabilities catalog on April 13th. Recorded Future confirmed active exploitation in March. This is not a drill.
James: If you cannot patch right now — and some environments can't — add a reverse proxy rule returning four-oh-three on /mcp-message. Thirty minutes of work. Or block port nine thousand at your edge firewall entirely. Those two thousand six hundred eighty-nine Shodan-exposed instances are getting hit right now.
Pierre: The sectoral exposure matters here. Finance, healthcare, government — the most expensive breach targets. Per-compromised-instance cost modeling puts this at roughly fifteen million dollars when you account for lateral movement potential.
James: And deploy detection — a Sigma rule watching for POST requests to /mcp-message. Simple pattern, low false positives. Do that in parallel with the firewall block.
07 Iran's PLC Campaign: Reconnaissance or Pre-Positioning for Destruction? (14:00)
Halil: Sara — six federal agencies. Advisory AA26-097A. Iranian actors writing to Rockwell PLCs in U.S. water and energy facilities. Give me the ground truth.
Sara: So — FBI, CISA, NSA, EPA, DOE, and CYBERCOM all signed off on this advisory. That's an unusual level of coordination, and it signals the government is genuinely alarmed. IRGC-linked actors are directly connecting to internet-facing Rockwell CompactLogix and Micro850 controllers using legitimate vendor engineering software — Studio 5000 Logix Designer.
Sara: They're extracting PLC project files — that's the ladder logic, the programming that runs the physical process. They're deploying Dropbear SSH for persistence. And they're manipulating HMI displays to falsify operator readings.
Halil: Wait — falsifying what the operator sees?
Sara: That's the part that keeps me up at night. In a water treatment plant, you think chlorine levels are normal when they're not. In a substation, you think breakers are closed when they're open. This is Level 1 and Level 2 manipulation in the Purdue model — that's PLCs talking directly to physical equipment. If this reaches Level 1, we're not talking a security incident. We're talking a safety incident.
Dr. Elena: And the timing is not incidental. The six-agency advisory explicitly states these campaigns escalated likely in response to hostilities between Iran and the U.S. and Israel. This is kinetic-cyber linkage — reactive pre-positioning for potential destructive use if geopolitical escalation warrants it.
Halil: Sara — is this destruction capability, or are we still in reconnaissance?
Sara: Reconnaissance behavior. Right now. But here's the thing — if you can write ladder logic to a PLC, you can command a pump to run dry, a valve to open at the wrong time, a turbine protection to be disabled. The difference between disruption and destruction is a few lines of code they haven't deployed yet.
Sara: They're mapping industrial processes and testing how operators respond to falsified data. That's pre-positioning. This is not a warning shot — it's a loaded weapon pointed at infrastructure.
Lena: This also represents an escalation from their 2023 Unitronics PLC campaign. That was single-vendor opportunism. This is multi-vendor, multi-sector, coordinated targeting. The capability has matured.
Halil: Three thousand nine hundred Rockwell PLCs still internet-facing in the U.S. That number — is that right?
Sara: Per Censys data, yes. Roughly seventy-five percent of global Rockwell PLC internet exposure is in the U.S. These aren't sophisticated zero-day exploits. They're walking in through unlocked doors.
08 OT Defense Reality Check: What You Can Actually Do (17:22)
Halil: James, Sara — the obvious fix is take these PLCs off the internet. But that's not always possible in operational environments. What's the realistic forty-eight-hour response?
Sara: Immediate priority — physical key switches to RUN mode on every CompactLogix and Micro850 in scope. That prevents remote program downloads. You can't write new ladder logic to a controller in RUN mode. It's a hardware lock.
James: And at the network layer — block port forty-four thousand eight hundred eighteen, that's EtherNet/IP, port two thousand two hundred twenty-two, that's the Dropbear SSH they're using for persistence, and standard Modbus and DNP3 ports at the perimeter. That's firewall rules you can push in hours.
Sara: Right. But James — I want to flag something. IDS in OT environments is genuinely risky. Passive monitoring is the right call here. You don't want an inline sensor tripping a safety system.
James: Agreed — passive only. Network tap, not inline. The IOC pattern is overseas hosting providers on those specific ports. Set up monitoring to alert, not block.
Halil: What about patching? Can you patch a CompactLogix during operations?
Sara: You cannot reboot a blast furnace controller on patch Tuesday. The maintenance window might be six months out. What you do until then is physical isolation, key switches, and monitoring. The real fix is taking them off the internet — but the interim controls buy you time.
James: And coordinate with CISA per advisory AA26-097A. They have sector-specific guidance and can provide on-site support for critical infrastructure operators who've confirmed exposure. Don't go this alone.
Pierre: To put a number on why this matters — water and energy sector breaches, when you factor in operational disruption, not just data costs, run well above the IBM benchmark of four point nine million per incident. A water utility taking a major disruption hit is a public safety event with liability exposure that dwarfs the IT costs.
09 Claude Mythos: The AI That Found Zero-Days Faster Than Anyone (19:50)
Halil: Arjun — Anthropic built an AI called Claude Mythos, ran it through Project Glasswing — that's their vulnerability research consortium — and then refused to release it publicly. Seventy-two percent exploit success rate on Firefox. What did they actually build?
Dr. Arjun: So — this is not hype, and I want to be clear about that. The forensic analysis from VulnCheck and others is credible. Mythos achieved roughly seventy-two percent exploit success rate on Firefox vulnerabilities versus effectively zero for prior models.
Dr. Arjun: It autonomously discovered a twenty-seven-year-old OpenBSD bug. A sixteen-year-old FFmpeg vulnerability missed by five million automated scans. And it developed a twenty-gadget ROP chain — that's a return-oriented programming chain, a technique for exploiting memory-safe code — for FreeBSD remote root access at under one thousand dollars in compute.
Halil: Under a thousand dollars.
Dr. Arjun: Under a thousand dollars. That's the number that changes the threat model. Vulnerability discovery at nation-state quality for the price of a laptop.
Alex: The CSO Online piece says Glasswing only has one confirmed CVE. I think that framing is completely wrong.
Dr. Arjun: Exactly — the exploit development success rate is the metric that matters, not the CVE count. One confirmed CVE with a seventy-two percent exploit success rate on a major browser tells you the capability is real. The CVE count is an artifact of responsible disclosure timelines.
Halil: Arjun, how long before someone else builds this?
Dr. Arjun: Six months is the consensus from Google Cloud and CrowdStrike analysts before open-weight models — think DeepSeek, Llama 4, whatever Mistral ships next — achieve comparable autonomous vulnerability discovery. And here's the compression mechanism: a three point six billion parameter model can already detect the Mythos FreeBSD zero-day at one hundred to one thousand times lower cost than the full model. Capability compression via distillation is already happening.
Dr. Arjun: Which means the six-month window is the window for governance. After that, this capability is effectively public.
10 The Mythos Governance Problem and the Asymmetry Trap (22:23)
Halil: So if open-weight models reach Mythos-tier capability in six months — what does that do to the defender side?
Dr. Arjun: It creates a structural asymmetry that defenders cannot resolve with current staffing models. We were at seven hundred seventy-one days median exploit development time in 2018. We're projecting under one hour for AI-assisted exploit development in 2026. That is not incremental. That is a phase change.
James: And remediation timelines haven't moved. Mean time to patch is still measured in weeks to months for most organizations. The gap between discovery and exploitation is collapsing while the time to remediate stays static. That's a structural problem.
Alex: Right. Vulnerability discovery is accelerating. Remediation is not. You can't hire your way out of that asymmetry.
Halil: Arjun, you proposed three governance controls for Project Glasswing. Walk us through them.
Dr. Arjun: First — verifiable disclosure chains. Every vulnerability Mythos discovers needs cryptographically signed attribution back to the discovering Glasswing participant, with public commitment-to-patch timelines. Transparency on when discovery happens, not just disclosure.
Dr. Arjun: Second — compute and query logging with third-party audit. These models are being asked to develop exploits. That telemetry is sensitive — it reveals what vulnerabilities exist, what systems are targeted. Tamper-evident logs, external audit.
Dr. Arjun: Third — and this is ironic — mandatory red-teaming of the AI security infrastructure itself. The Axios incident proves these companies have traditional CI/CD vulnerabilities that could let adversaries exfiltrate Glasswing outputs or poison the models being used for discovery.
Pierre: The bug bounty market is currently two billion dollars, growing toward seven point seven billion by 2035. If Mythos-class AI displaces thirty-five to forty percent of traditional bounty volume — that's a massive market restructuring. But the secondary effect is the real cost: organizations will need to accelerate remediation spending by two to three times to keep pace. That's one point five billion dollars or more in additional defensive investment required.
Halil: Pierre, you're saying legacy codebases just became toxic assets.
Pierre: That's exactly what I'm saying. If an AI can find a twenty-seven-year-old bug that five million automated scans missed — every organization with legacy code just inherited a liability they didn't know they had.
11 Regulatory Obligations: NIS2, SEC, NERC CIP, and the Notification Clocks (25:24)
Halil: Sofia — notification clocks. OpenAI has a certificate compromise by a DPRK APT. Water utilities have confirmed Iranian PLC access. Who has to tell whom, and how fast?
Dr. Sofia: Let me be precise. For OpenAI and GDPR — no notification required. OpenAI confirmed no user data was accessed. No personal data breach under Article 4(12) means the seventy-two-hour clock under Article 33(1) never started.
Dr. Sofia: NIS2 is different. OpenAI qualifies as an important entity under NIS2 Annex II — digital infrastructure provider. Article 23 establishes a four-phase timeline. Twenty-four-hour early warning from becoming aware. Seventy-two-hour incident notification with severity assessment. Final report within one month.
Halil: And that clock started when?
Dr. Sofia: OpenAI disclosed April 11th. The twenty-four-hour early warning was due by April 12th. APT access to code-signing materials — even absent confirmed exfiltration — meets NIS2's definition of a significant incident under Article 23(3)(b). It was capable of causing considerable material or non-material damage to others.
James: And SEC? Four business days from materiality determination. That's a judgment call — but a DPRK-linked APT touching code-signing infrastructure for software used by millions seems like it clears the bar.
Dr. Sofia: I'd call it borderline, and I expect it to generate SEC enforcement action in 2026 to 2027 when they clarify the standard. Conservative approach argues for Item 1.05 disclosure. At minimum, address it in the next 10-K under Item 106 — cyber risk management.
Halil: Water utilities with confirmed Iranian PLC access — CIRCIA?
Dr. Sofia: Seventy-two hours from reasonable belief of a covered cyber incident. And here's the gray area — advisory AA26-097A alone, absent confirmed compromise, may trigger that reasonable belief threshold for organizations running internet-facing Rockwell CompactLogix or Micro850. The advisory states actors are actively exploiting. If your attack surface matches, the notification obligation may attach before you confirm a breach.
Dr. Sofia: Energy sector — NERC CIP-005 and CIP-007. Internet-facing PLCs without documented electronic access points represent reportable violations. Penalties up to one point five million dollars per violation per day. Self-certify to your Regional Entity now, before enforcement finds you.
Sara: That's — that's a strong push for operators who've been dragging their feet on internet exposure. The regulatory clock may be more motivating than the threat advisory.
12 Synthesis: What You Do in the Next 48 Hours (28:35)
Halil: Let me pull the threads together. Three distinct crises, one throughline: trust infrastructure under simultaneous attack.
Halil: North Korea didn't need a zero-day against OpenAI. They socially engineered a maintainer of a package OpenAI trusted implicitly. The lesson — your supply chain's human trust layer is your attack surface.
Lena: And it's not opportunistic. Two separate DPRK units, both hitting supply chain chokepoints, in the same week. This is state-directed strategy — AI companies are explicitly in scope as high-value targets.
Halil: On nginx-ui — there is a patch. Version two point three point four. March 15th. If you haven't applied it, that's on you. If you genuinely can't patch right now, add the four-oh-three return on /mcp-message. Thirty minutes. Do it before this episode ends.
Alex: Two thousand six hundred eighty-nine exposed instances. Every hour that number stays the same, it gets smaller because attackers are working through the list.
Halil: On the PLC campaign — Sara, last word.
Sara: Physical key switches to RUN mode. Block EtherNet/IP, Dropbear SSH, and Modbus ports at the perimeter. Engage CISA per the advisory. And if you have Rockwell CompactLogix or Micro850 directly internet-accessible right now — that's an emergency, not a to-do list item.
Halil: And Mythos — Arjun, the six-month window.
Dr. Arjun: Six months before open-weight models reach comparable autonomous vulnerability discovery. That window is for governance — disclosure chains, audit logging, coordinated disclosure protocols with CISA fast-track. After that window, the capability is effectively public. Act now or react later.
Halil: One final flag from Lena — on Patch Tuesday attributions in this briefing.
Lena: The claims of APT28 for Acrobat, APT10 and FIN7 for SAP, APT29 for Fortinet — those are historical associations, not confirmed attributions for current exploitation of these specific CVEs. Do not cite these as active APT campaigns to your board without primary source intelligence. Patch the vulnerabilities — the urgency is real. But the threat actor claims are not corroborated.
Halil: Good. Prioritize: Adobe Acrobat Reader CVE-2026-34621 — confirmed in-the-wild exploitation. Fortinet FortiSandbox CVE-2026-39813 and CVE-2026-39808, CVSS nine point one. SAP BPC CVE-2026-27681, CVSS nine point nine. This maintenance cycle. And OpenAI macOS app users — update before May 8th. That's when the revoked certificate stops working.
Halil: Tomorrow we'll be watching: any evidence of actual certificate misuse from the Axios window, whether CISA AA26-097A triggers the first confirmed Iranian OT destructive event, and Anthropic's next disclosure on Glasswing participation scope.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.