Videos

On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

• TeamPCP breached GitHub’s internal repos. Now what?
• Some absolute plonker glued Coruna to a hijacked npm package
• CISA is worried about about open source and wants third party submissions for KEV
• AI infrastructure is “systemically” insecure
• Much, much more

This week’s episode is sponsored by allowlisting vendor Airlock Digital. Airlock’s founders David Cottingham and Daniel Schell join Patrick Gray to talk about Microsoft briefly flagging DigitCert’s root certificate as malware. Fun! …

Tom Uren and James Wilson talk about moves from several European governments to ditch Signal and set up their own encrypted messaging systems for internal government use. These efforts are motivated by concerns about phishing and sovereignty, but the solutions being adopted are imperfect and will come with their own set of problems. Signal fills a space that can’t be filled with sovereign capability.

They also talk about Fast16 malware. We are only now learning about the second arm of a mid-2000s campaign to delay Iran’s nuclear weapons program that included the infamous Stuxnet worm.

Risky Business #838 – GitHub investigates possible breach

On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news.

They cover:

• GitHub announced a possible breach
• CISA leaks important creds, keys in public repo
• Awful vulnerability in Bitlocker renders it useless without a PIN
• So. Many. Patches.
• Polish Government urges officials to ditch Signal for mSzyfr
• Much, much more

This week’s show is brought to you by Thinkst Canary. Thinkst’s founder, Haroon Meer, is this week’s sponsor guest. He joined James Wilson to talk about how doing “the basics” in security isn’t trivially easy….

In this edition of Between Two Nerds Tom Uren and The Grugq look at Department 4 of Bauman Moscow State Technical University where students learn how to hack for the state. Its curriculum is extremely explicit about how the hacking and propaganda operations are relevant to state operations. They discuss whether this is an advantage for Russia’s cyber program and look at what Western intelligence agencies do instead.

In this edition of Risky Business Features Ollie Whitehouse, the CTO of the UK’s National Cyber Security Centre, joins Patrick Gray and James Wilson to talk about why “patch faster” will only get organisations so far in the face of the AI “bugpocalypse”.

As Ollie explains, organisations will need to reduce internet-facing attack surface and make better architecture decisions as 0day discovery speeds up.

In this sponsored soap box edition of the Risky Business podcast Patrick Gray chats with Toni de la Fuente, the founder of Prowler.

Prowler started off as a bunch of scripts in a trenchcoat, then became an open source cloud security tool, and it’s now a venture-funded cloud security business. In this interview Toni talks us through how AI is changing the game for him as an open source project owner, and as a vendor. In short, reports of the death of IT and security tooling at the hands of frontier models have been greatly exaggerated.

Tom Uren and James Wilson talk about the argy bargy within the Trump administration about AI regulation. They cover who is fighting, what is at stake and what the real areas of concern are.

They also cover low earth orbit satellite constellations. Russia’s building one, the EU has plans and China is building two. They are the new must-have accessory for any country with global ambitions.

On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news.

They cover:

• Mini Shai-Hulud and the TanStack compromise using Github Actions
• Instructure pays Canvas elearning platform data extortionists
• More Linux privilege escalation 0days!
• CISA helping critical infrastructure operators rearchitect their networks so they work offline

This week’s episode is sponsored by email security platform Sublime Security. Bobby Filar chats with Patrick about how agentic AI is being evaluated by buyers in a marketplace that’s experiencing “AI fatigue”.

In this edition of Between Two Nerds Tom Uren and The Grugq discuss why it makes even more sense for criminal organisations to adopt AI as compared to regular businesses.

Show Notes:

• Microsoft’s 2026 Work Trend Index Annual Report, https://www.microsoft.com/en-us/worklab/work-trend-index/agents-human-agency-and-the-opportunity-for-every-organization
• Cybersecurity Looks Like Proof of Work Now, https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-of-work-now.html…

In this episode James Wilson chats with Niels Provos about his research into using older AI models to successfully hunt for 0day vulnerabilities. Niels has had a long and prolific career in cybersecurity, having worked as a Distinguished Engineer at Google and then heading up security at Stripe.

His interest in AI bug hunting was piqued recently when one of the Mythos 0day vulnerabilities that received lots of attention happened to be in code he wrote for the OpenBSD project 27 years ago.

It got him thinking: Are these frontier models really that magical? Or could we replicate their findings with some clever orchestration instead of relying on the model’s smarts to find bugs with a single prompt?…