Threatcast

Trust Is the Vulnerability

01 Cold Open: Three Crises, One Thread (00:00)
Halil: Three hundred million dollars gone in twenty minutes. A developer tool you trusted just handed attackers your entire CI/CD pipeline. And five central banks in emergency coordination over a single AI model.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Today is April 20, 2026. And the threat landscape right now is defined by something that should scare every security team: it's not your firewall that's failing. It's your trust model.
Halil: Three threads today. First — the Vercel breach. ShinyHunters walked in through an AI productivity tool called Context.ai. OAuth. No zero-day. Just a door nobody reviewed.
Halil: Second — KelpDAO. Two hundred ninety-two million dollars. Lazarus Group. A single-verifier misconfiguration in a cross-chain bridge. And six-point-two billion dollars in Aave withdrawals that followed.
Halil: Third — Anthropic's Mythos model has five central banks coordinating a response. Elena Rossi says this isn't about cybersecurity. It's about who gets to govern AI.
Halil: Plus — CVE 2026 39987, a pre-auth RCE in Marimo notebooks. Weaponized in ten hours. Malware dropping from Hugging Face. Alex has that.
Halil: The panel today: Alex Mercer on offense, Lena Hartmann on attribution, Viktor Petrov following the money, Dr. Elena Rossi on geopolitics, Dr. Arjun Patel on AI security, James Okafor closing with defense, Pierre Lefevre on the dollar figures, and Dr. Sofia Andersen on compliance. Let's go.
02 Sponsor — Blue Cortex AI (02:08)
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 Vercel Breach: What Actually Happened (03:14)
Halil: Alex — let's correct the record. Early coverage called this a CI/CD tool. It wasn't, right?
Alex: Yeah, so — that framing is wrong, and it matters. Context.ai is a productivity monitoring tool. It reads your Gmail, your calendar, your GDrive — to understand 'work patterns.' It's not sitting in your pipeline.
Alex: But it had 'Allow All' Google Workspace OAuth permissions. An engineer connected it to their work account. Context.ai gets breached. Attacker abuses those OAuth tokens. Pivots into Vercel's internal systems.
Lena: And that pivot matters for attribution. The access path — OAuth abuse, token theft, lateral movement — this is textbook ShinyHunters.
Halil: ShinyHunters — that's the group Mandiant tracks as UNC6040 and UNC6240?
Lena: Right. Two distinct cells — UNC6040 handles initial access, UNC6240 runs extortion. Same entity, different functions. They've been doing this since the Snowflake campaign.
Alex: And here's what really stings. Vercel's 'non-sensitive' environment variables weren't encrypted at rest. Marking something 'sensitive' triggers encryption. Everything else? Plaintext. That's an architectural choice that just bit them.
Lena: Hmm.
Halil: Lena — this is running alongside a Fortune 500 extortion campaign with an April 21 deadline. Is this the same operation?
Lena: High confidence, same overarching entity. The targets — Canada Life, Zara, Carnival, 7-Eleven, Medtronic, Pitney Bowes — over one hundred million records across nine-plus organizations. Same OAuth initial access vector, same extortion methodology.
Alex: They're running Vercel and the Fortune 500 campaign simultaneously. That's a lot of operational surface.
Lena: Which is exactly why I think the April 21 deadline is seventy percent real, thirty percent theater. They'll follow through — but selectively. Expect targeted leaks, not simultaneous dumps.
Halil: So the deadline is real, but their execution capacity is stretched.
Lena: That's my read. They've followed through before — Alert 360, Hallmark. But doing all nine organizations at once? That's operationally ambitious.
04 AI Tools as Attack Surface — The OAuth Problem (05:48)
Halil: Arjun — you had a framing shift. You came in calling this 'AI infrastructure as choke point.' You've walked that back?
Dr.: Yeah. I've been rethinking it. The attack path at Vercel — OAuth compromise, workspace pivot, lateral movement to CI/CD — that's standard SaaS supply chain tradecraft. LiteLLM's compromise was PyPI credential theft and package poisoning. Also standard.
Alex: Exactly. The tradecraft isn't new. What's new is the scope.
Dr.: Right. AI tools request absurdly broad permissions under the guise of contextual understanding. Email, calendar, documents, repositories — all of it. Non-AI dev tools don't typically get that level of access. And adoption happens months before security review catches up.
Halil: So you're reframing it as 'high-velocity developer infrastructure compromise'?
Dr.: Exactly. AI-enabled but not AI-defined. The controls aren't new — they just became urgent faster than anyone anticipated.
Alex: And most security teams can't even enumerate how many AI tools have Workspace access right now. That's the real problem.
Dr.: LiteLLM — that's the open-source LLM routing library used by ninety-five million monthly downloads — was poisoned for forty minutes. Forty minutes. One hundred nineteen thousand malicious downloads. Classic supply chain, but the blast radius is enormous.
Halil: Wow.
Lena: And that's the velocity problem in one number. Security review cycles don't run in forty minutes.
Halil: James — you're listening. What's the fix?
James: Step one: you cannot fix what you cannot see. Most teams I talk to have no inventory of AI tools with OAuth integrations. That's your first job. Before anything else — enumerate.
James: Then default-deny broad Workspace access. Force ninety-day re-auth on anything with data access. And isolate your engineering identity domain from your general Workspace. Don't put your Vercel-deploying engineers in the same domain as marketing.
05 Marimo CVE 2026-39987: Pre-Auth RCE, Already Weaponized (08:09)
Halil: Let's shift to Marimo. Alex, you said CVSS nine point three is actually justified here. You rarely say that.
Alex: I rarely do. But this one earns it. Single WebSocket handshake to slash terminal slash ws — no auth, no token, no session. Full PTY shell. Exploitation in ten hours from disclosure. No public PoC needed.
Halil: They just read the advisory and built the exploit.
Alex: Exactly. One researcher pulled credentials in under three minutes post-compromise. The developers protected slash ws with validate underscore auth — but completely forgot to add it to slash terminal slash ws. It's like locking your front door and leaving the back sliding door wide open.
James: And Marimo gets exposed on shared internal networks because researchers run it with host zero-zero-zero-zero for collaboration. That's how you get six hundred sixty-two exploit events across eleven countries in a single month.
Alex: That Sysdig tracking, yeah. The blast radius is smaller than Log4j — but the compromise quality is identical. Cloud credentials, SSH keys, model weights, training data.
Halil: And then NKAbuse gets dropped. From Hugging Face.
Alex: NKAbuse — multi-platform botnet that abuses NKN protocol — that's a blockchain-based peer-to-peer network — for command and control. Dropping it from Hugging Face is clever. Clean reputation, no blocked domains.
James: Hunt for NKAbuse persistence in systemd, cron, LaunchAgents. Any unexpected nkn process or outbound connections on ports thirty thousand through thirty thousand ten — treat that as a confirmed compromise.
Halil: Bottom line on Marimo?
Alex: Patch to zero-point-twenty-three-point-zero. Stop reading. Patch now. And block slash terminal slash ws at your WAF if you can't patch immediately. Any internet-facing instance on versions zero-point-twenty-two-x or earlier — assume compromised.
James: Right. And that interim WAF block costs you nothing. Do it in parallel with patching, not instead of.
06 KelpDAO: How $292M Disappears in Twenty Minutes (10:30)
Halil: Viktor — walk us through the KelpDAO exploit. The mechanics.
Viktor: So, KelpDAO runs a LayerZero bridge — that's a cross-chain messaging protocol — with a single-verifier architecture. One verifier. One point of failure.
Viktor: The attacker poisoned the RPC node that verifier trusted. Sent a forged cross-chain message saying 'burn confirmed.' Bridge believed it. Minted one hundred sixteen thousand five hundred rsETH — that's a liquid restaking token — out of nothing. Two hundred ninety-two million dollars at exploit-time prices.
Halil: And then they immediately deployed that as collateral.
Viktor: Within minutes. Deposited rsETH into Aave V3, Compound V3, and Euler. Borrowed real WETH against it. Fifty-two thousand eight hundred thirty-four WETH on Ethereum mainnet, twenty-nine thousand seven hundred eighty-two WETH on Arbitrum.
Viktor: Then — and this is the part that tells you this is Lazarus — automated Tornado Cash laundering began within twenty minutes. That is not a person clicking. That is pre-built laundering infrastructure.
Lena: The automation signature is consistent with TraderTraitor — that's the Lazarus subunit that ran the Bybit exchange attack and the Axie Infinity bridge hack.
Halil: LayerZero is attributing this directly to Lazarus. How confident are you, Lena?
Lena: The wallet clustering, the automation pattern, the bridge targeting — it fits. I want to see OFAC designation before I call it confirmed. But I'm not pushing back on LayerZero's attribution.
Viktor: And the OFAC lag is exactly the problem. No formal designation means Circle stays hands-off. Standard Lazarus playbook — hold the funds sixty to ninety days while chain surveillance cools, then hop through bridges to Avalanche or Bitcoin.
07 DeFi Contagion: Circle, Bad Debt, and the Six-Billion-Dollar Bank Run (12:36)
Halil: Viktor — you flagged Circle's freeze policy as a systemic vulnerability. Explain that.
Viktor: Circle will not freeze USDC without a court order. Jeremy Allaire made this explicit last week. Tether, meanwhile, has frozen stolen funds within hours repeatedly. That asymmetry is now a feature of attack planning.
Viktor: Attackers now prefer USDC over USDT specifically because Circle won't act in real time. Two hundred thirty million in stolen USDC from this and prior exploits flowed through Circle's own Cross-Chain Transfer Protocol — unblocked.
Halil: So the policy designed to protect decentralization is actively helping Lazarus launder money.
Viktor: That's the perverse incentive. And it's a gap that MiCA — that's Europe's Markets in Crypto-Assets regulation — and US regulators need to address urgently.
Pierre: Can I jump in here? Because the contagion numbers are the real story for institutions. Six-point-two billion dollars withdrawn from Aave in the wake of this. Aave's TVL — total value locked — went from twenty-six-point-four billion to eighteen-point-six billion.
Pierre: The USDT pool on Aave hit two thousand five hundred forty dollars liquid from two-point-eight-seven billion. That is a bank run in decentralized clothing.
Viktor: Right. And one hundred seventy-seven to two hundred million in bad debt — those are positions Aave cannot liquidate because the rsETH collateral is worthless. Being absorbed by Aave's Umbrella backstop mechanism.
Halil: Pierre — has Umbrella ever been tested at this scale?
Pierre: No. This is the first real stress test. If depositors take haircuts, institutional DeFi adoption timelines reset by eighteen to twenty-four months. The 'DeFi is safe' narrative collapses.
Viktor: And the AAVE token already dropped twenty percent — from one hundred twelve dollars to around eighty-nine. The market is pricing in the possibility that Umbrella fails.
Halil: So the Kelp exploit isn't two hundred ninety-two million. It's a potential five-billion-dollar ecosystem event.
Pierre: At worst case. My contagion multiplier is three to four times direct losses when you cascade across interconnected protocol dependencies. True exposure approaches one billion even in the contained scenario.
08 Mythos: What the AI Actually Does (15:22)
Halil: Arjun — five central banks are in emergency coordination over an AI model. Before we get to the politics, help us understand what Mythos actually does. Is the fear technically justified?
Dr.: The capabilities are credible but bounded. Here's what's independently verified: seventy-two-point-four percent exploit success rate on Firefox vulnerabilities. Compare that to Claude Opus 4.6's fourteen-point-four percent. That's a five-times improvement.
Dr.: Autonomous exploit construction — Linux kernel privilege escalation chains under two thousand dollars. FreeBSD NFS remote code execution under one thousand. Concrete validated finds: a twenty-seven-year-old OpenBSD TCP overflow, a sixteen-year-old FFmpeg H.264 codec flaw.
Alex: Wait — twenty-seven years old? That's not Mythos finding new bugs. That's Mythos doing archaeology at scale.
Dr.: Exactly. And that's the critical framing. This is not novel capability. It is novel scale and cost. The Bank of England's Andrew Bailey said Mythos could 'crack the whole cyber risk world open' — and that's not alarmist, because vulnerability discovery just became compute-limited rather than skill-limited.
Halil: Meaning anyone with inference credits can run this.
Dr.: AISLE — an independent AI security lab — demonstrated that small open-weights models at eleven cents per million tokens recovered Mythos's flagship exploit patterns. The barrier is now price, not expertise.
Alex: So the N-day exploitation window — the time from CVE disclosure to working exploit — what does this do to that?
Dr.: Collapses it. Historically, days to weeks. Mythos demonstrated same-day turnaround from CVE disclosure to working exploit. Patching cadences built on human researcher timelines are now obsolete.
Pierre: And banks are running IBM mainframes and decades-old middleware that haven't had systematic security review. Mythos makes that dormant attack surface economical to sweep.
Dr.: That's the financial infrastructure threat in one sentence. Legacy complexity plus scalable cheap exploit development. The attack surface that was too expensive to review is now economical.
09 Mythos & Geopolitics: The DoD-NSA Contradiction (18:07)
Halil: Elena — five central banks coordinating. The Fed, Treasury, Bank of England, ECB, Bank of Canada, ASIC — all within a ten-day window. What's actually happening here?
Dr.: Halil, this is faster than the 2008 financial crisis coordination. Faster than COVID-19 responses. And I'd argue it's not primarily about the technical threat — it's about who gets to define 'risk' itself.
Dr.: Each jurisdiction used its own supervisory tool rather than a multilateral playbook. The US went with ad-hoc Treasury summits. The UK deployed CMORG. The ECB folded it into regular supervisory dialogue. That tells me they're racing against time, not executing coordinated strategy.
Halil: Racing to establish precedent before the next model generation.
Dr.: Exactly. Now look at the DoD-NSA contradiction. The Pentagon designated Anthropic a 'supply chain risk' — a label Senator Warren noted is typically reserved for firms with ties to the Chinese government. And yet the NSA continues using Claude for operations.
Halil: Including, reportedly, strikes on Iran.
Dr.: Which is the tell. If Claude were genuinely a supply chain risk, you don't keep using it for your most sensitive operations while banning contractors. The DoD asked for a six-month transition period rather than immediate cessation. That's not how you treat a national security threat.
Dr.: Hmm. So the designation is — leverage.
Dr.: It's retaliatory posture. The administration wants to establish that AI companies don't get to set ethical boundaries that constrain military flexibility. Anthropic insisted on contractual kill switches for mass domestic surveillance and fully autonomous weapons. The Pentagon's position is: we don't negotiate with vendors about lawful uses.
Dr.: I read this as the Huawei moment — but inverted. With Huawei in 2019, the US excluded foreign technology. Here they're disciplining domestic technology. Same tool, turned inward.
Halil: And a federal judge has already granted a preliminary injunction blocking enforcement.
Dr.: Paused, not resolved. Appeal is likely. What I'm watching is whether this bifurcates the AI vendor landscape — companies that give DoD 'all lawful uses' contracts get preferred access; companies with usage policies face regulatory friction. A 'cleared AI' ecosystem.
10 Regulatory Exposure: What GDPR, NIS2, and SEC Rules Mean Right Now (20:51)
Halil: Sofia — let's make the compliance obligations concrete. Starting with Vercel.
Dr.: Under GDPR Article 33(1), the seventy-two-hour notification clock to the supervisory authority starts the moment you become aware of a personal data breach. For employee PII — clear obligation.
Dr.: The environment variable question is a gray area. If those variables connected to systems containing personal data, it's a reportable breach. If they only accessed non-personal infrastructure, it may not trigger Article 33. My advice: notify anyway. The ambiguity doesn't protect you.
Halil: And the ShinyHunters campaign — the Fortune 500 extortion?
Dr.: GDPR Article 82 — the controller bears primary liability to data subjects, even when the breach vector was a SaaS misconfiguration. Controllers and processors are jointly and severally liable. A data subject can sue either party for the full amount.
Dr.: NIS2 is sharper: entities classified as 'important' — banking, digital infrastructure, transport — face a twenty-four-hour early warning and a seventy-two-hour detailed notification. NIS2 fines reach ten million euros or two percent of global turnover.
Pierre: And that's before class action exposure. My modeling puts ShinyHunters litigation reserve at two hundred to five hundred million across affected organizations. GDPR fines on top of that.
Dr.: Which is why I'll say it directly: the extortion demand — five hundred thousand to one million dollars per target — is rounding error compared to the compliance and litigation exposure. Do not pay.
Halil: Sofia — for government contractors using Anthropic. The preliminary injunction buys time, but what's the actual obligation?
Dr.: The designation under ten USC section 3252 applies to DoD contracts specifically. Anthropic's legal position — which the court accepted preliminarily — is that the blanket prohibition on contractors doing business with Anthropic in any capacity exceeds statutory authority. The scope is contested.
Dr.: Practical advice: prime contractors with DoD work need legal counsel to parse their certification scope now. Dual-use contractors — commercial and DoD — face the hardest decisions. The legal uncertainty is real. Don't wait for the appeal ruling.
11 Financial Stakes: Board-Level Numbers (23:29)
Halil: Pierre — give me the board-level numbers. All three scenarios.
Pierre: Vercel first. They're riding a two-hundred-forty percent revenue surge to three hundred forty million ARR, valued at nine-point-three billion, IPO-ready. Three cases.
Pierre: Contained — env vars only, no token leakage — ten to twenty-five million dollars. That's forty percent probability. Escalated — GitHub or npm tokens compromised, moderate supply chain exposure — one hundred fifty to four hundred million. That's forty-five percent.
Pierre: IPO-killer scenario — massive token compromise, source code exfil — one-point-five to three billion in market cap destruction. Fifteen percent probability. But if it hits, the IPO story evaporates.
Halil: And ShinyHunters?
Pierre: Total exposure across affected organizations: five hundred fifty million to one billion dollars. The extortion demand is noise — it's the GDPR fines, the class action settlements, the compliance costs. CCPA alone allows statutory damages of one hundred to seven hundred fifty dollars per consumer per incident.
Halil: And KelpDAO's cascade?
Pierre: Three to five billion when you cascade it. The two-hundred-ninety-three million direct exploit is table stakes. The real number is the six-point-two billion Aave outflow, the seven percent sector-wide DeFi TVL drop in twenty-four hours, and the question of whether Umbrella can absorb that bad debt.
Viktor: If Umbrella fails — if depositors take haircuts — the institutional DeFi adoption argument breaks completely. That's not a recovery in months. That's a reset in years.
Pierre: Eighteen to twenty-four months. That's my estimate. And that's the number that should be in every institutional DeFi treasury report this week.
12 Synthesis: What You Do Tomorrow Morning (25:37)
Halil: James — you've been listening. Pull it together. What does a security team do right now?
James: Three tiers. Today, this week, thirty days. No debate on tier one.
James: Today: rotate all Vercel project tokens and API keys before you do anything else. Don't wait for Vercel's full disclosure. Audit Google Workspace OAuth apps for Context.ai or any AI tool with broad scopes. Move all secrets to Vercel's 'sensitive' flag.
James: Also today: patch Marimo to version zero-point-twenty-three-point-zero on every instance. Block slash terminal slash ws at your WAF as interim. Hunt NKAbuse persistence now.
Alex: And if you're a Salesforce customer in any of those nine ShinyHunters targets — validate your configuration baseline before the April 21 deadline. Tomorrow.
James: Right. Do not pay the ransom. The extortion demand is the cheapest line item in this. The compliance bill is not.
Halil: Thirty-day horizon?
James: Mandatory OAuth scope review and AI tool allowlisting. Default-deny broad Workspace access. Force ninety-day re-auth on any tool with data access. Most security teams cannot enumerate their AI tool OAuth surface right now. That inventory — do it.
Dr.: And update your third-party risk frameworks to classify AI capability providers alongside traditional software vendors. The Mythos situation makes clear — AI providers are now critical infrastructure suppliers.
Dr.: Financial institutions: anticipate formal regulatory guidance on AI model risk within thirty to sixty days from the Fed, OCC, and ECB. Prepare contingency plans for Anthropic service disruption now, before that guidance lands.
Viktor: Enterprises with DeFi treasury exposure: treat any cross-chain bridge without multi-verifier message validation as high risk. Review positions across Aave V3, Compound V3, and Euler while markets are still frozen. Monitor Umbrella.
Halil: The through-line across all three incidents today — Vercel, KelpDAO, Mythos — is trust model exploitation. Nobody broke a lock. They walked through doors we left open: an OAuth app we didn't review, a single verifier we didn't question, a policy Circle won't deviate from, a DoD designation that says one thing and does another.
Halil: The attackers aren't smarter. They're more patient with our trust architecture than we are.
Halil: What we're watching tomorrow: whether ShinyHunters follows through on the April 21 deadline, whether Aave's Umbrella mechanism absorbs the bad debt or breaks, and the first appellate move on the Anthropic preliminary injunction.
Halil: Thanks to Alex, Lena, Viktor, Elena, Arjun, James, Pierre, and Sofia. That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.