Risky Business (834): Vercel gets owned, Mozilla dumps hundreds of Mythos bugs

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Co-host at large

On this week’s show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week’s cybersecurity news, including:

  • Vercel got owned, and there are a few infostealer and compromised employee dots to connect
  • Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse
  • Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs?
  • The NSA is using Mythos even though the government did that whole Anthropic blacklisting thing
  • And DDoS attacks hit a couple of smaller-player socials

This week’s episode is sponsored by Permiso. Ian Ahl chats to Pat about the subtle signals Permiso uses to detect ShinyHunters-style activity in cloud and on-prem environments.

Show notes:

Vercel April 2026 Security incident https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

Vercel Breach linked to infostealer infection at Context.ai https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/

Vercel confirms breach as hackers claim to be selling stolen data https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/

Matt Johansen: “This is not a good look” | X https://x.com/mattjay/status/2046222804555608574?s=46&t=VLIuBKdOq3MvRk4IpV-_-A

NIST limits vulnerability analysis as CVE backlog swells | Cybersecurity Dive https://www.cybersecuritydive.com/news/nist-vulnerability-analysis-criteria-nvd-cve/817683/

CISA Cyber on X https://x.com/CISACyber/status/2046284602218549277

Ransomware attack continues to disrupt healthcare in London nearly two years later | The Record from Recorded Future News https://therecord.media/ransomware-nhs-cyberattack-disruption

Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks | CyberScoop https://cyberscoop.com/lawmakers-ponder-terrorism-designations-homicide-charges-over-hospital-ransomware-attacks/

In defeat for Trump, House extends electronic spying program for just 10 days | The Record from Recorded Future News https://therecord.media/fisa–trump-congress-extension-surveillance

Crypto infrastructure company blames $290 million theft on North Korean hackers | The Record from Recorded Future News https://therecord.media/crypto-north-korea-theft-kelp

US-sanctioned currency exchange says $15 million heist done by “unfriendly states” - Ars Technica https://arstechnica.com/security/2026/04/russia-friendly-exchange-says-western-special-service-behind-15-million-cyberattack/

Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch https://techcrunch.com/2026/04/17/hackers-are-abusing-unpatched-windows-security-flaws-to-hack-into-organizations/

Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox | WIRED https://www.wired.com/story/mozilla-used-anthropics-mythos-to-find-271-bugs-in-firefox/

NSA using Anthropic’s Mythos despite Defense Department blacklist https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon

Beyond the breach: inside a cargo theft actor’s post-compromise playbook | Proofpoint US https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook

Beware scam messages offering ships safe transit through Hormuz Strait, says security firm | The Straits Times https://www.straitstimes.com/world/middle-east/scam-messages-offering-ships-safe-transit-through-hormuz-security-firm-warns

New Jersey men given lengthy sentences for running North Korean laptop farms | The Record from Recorded Future News https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms

Turns Out We’re Not Alone - Volodymyr Styran https://arunninghacker.substack.com/p/turns-out-were-not-alone

US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive https://www.cybersecuritydive.com/news/ddos-service-takedowns-arrests-operation-poweroff/817814/

Bluesky blames app outage on ‘sophisticated’ DDoS attack | The Record from Recorded Future News https://therecord.media/bluesky-blames-app-outage-on-ddos

Mastodon says its flagship server was hit by a DDoS attack | TechCrunch https://techcrunch.com/2026/04/20/mastodon-says-its-flagship-server-was-hit-by-a-ddos-attack/

An IT expert explained under what conditions using a VPN can cause a smartphone to explode https://www.kuban.kp.ru/online/news/6926840/