This week on Dragon News Bytes, Eli W. and Will B. break down a fast-moving week in cybersecurity: AI-driven supply chain attacks, Iranian targeting of critical infrastructure, North Korean IT worker scams, new edge-device zero-days, and the takedown of an APT28 router botnet.

Topics

The NPM Poisoning Epidemic and the AI Accelerant

Axios backdoor: The team discusses ongoing NPM package exploitation, with the Axios package as the headline case. Axios sees over 100 million weekly downloads, and at least two backdoored versions have recently been live on the registry. Unit 42 published an updated threat brief confirming the attack hit over 10 sectors across five geographic regions.

The AI factor: Will Baxter attributes this spike in supply chain attacks to the operationalization of AI, which makes reviewing codebases for vulnerable packages incredibly easy for attackers.

LLMs as exploit developers: Eli Woodward recalls an NSA prediction that LLMs would become capable exploit code developers and malware analysis engines. The rapid pace of AI evolution is forcing defensive teams to adapt quickly without the benefit of increased headcount.

Critical Infrastructure Under Siege by Iranian Actors

Joint advisory on PLC exploitation: A joint advisory from the FBI, CISA, NSA, EPA, DOE, and Cyber Command formally attributes ongoing PLC exploitation to the Cyber Avengers (CyberAv3ngers). The group is the IRGC Cyber Electronic Command, also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNK5691.

Targeted sectors: The actors are escalating attacks against Rockwell Automation / Allen-Bradley PLCs in wastewater, energy, and government facilities.

Massive exposure: The advisory highlights traffic on ports 44818 (EtherNet/IP), 2222 (EtherNet/IP implicit I/O), 102 (ISO-TSAP, used by Siemens S7), and 502 (Modbus/TCP). Team Cymru's platform identified an alarming 49,000 internet-exposed devices with port 44818 open.
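The 49,000-device figure above comes from counting hosts that answer on TCP 44818, and the way scanners (and attackers) identify what is behind that port is the unauthenticated EtherNet/IP ListIdentity request (command 0x63), which any CIP device answers with its vendor ID, product name, revision and serial number. The following is an added example, not code from the podcast, Team Cymru or the joint advisory: it builds the 24-byte encapsulation request, decodes the identity item in the reply, and can be pointed at a host you own to confirm whether your own PLC is answering to the world. The sample response, the hypothetical product name, and the 192.0.2.10 address are constructed for the example; the vendor ID 1 = Rockwell Automation/Allen-Bradley and device type 0x0E = PLC mappings are the standard CIP assignments.

```python
"""Probe a host for an internet-exposed EtherNet/IP (CIP) device on TCP 44818.

ListIdentity (command 0x63) is the unauthenticated ENIP request scanners use to
fingerprint exposed PLCs. Added example, not code from the podcast, Team Cymru,
or the advisory; build_sample_response() is a constructed reply, not a capture.
"""
import socket
import struct
import sys

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
HEADER_FMT = "<HHIIQI"                    # command, length, session, status, context, options
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes

# Standard CIP assignments; only the two values the example needs are listed.
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {0x0E: "Programmable Logic Controller"}


def build_list_identity_request() -> bytes:
    """Encapsulation header only: ListIdentity carries no command data."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Decode the identity item a device returns in answer to ListIdentity."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ENIP header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = data[HEADER_LEN:HEADER_LEN + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue
        # Identity item: protocol version, a 16-byte big-endian sockaddr_in,
        # then the CIP Identity object attributes in little-endian order.
        (proto_version,) = struct.unpack_from("<H", item, 0)
        _family, sin_port = struct.unpack_from(">hH", item, 2)
        ip = socket.inet_ntoa(item[6:10])
        (vendor, dev_type, product_code, rev_major, rev_minor,
         dev_status, serial) = struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", errors="replace")
        state = item[33 + name_len]
        return {
            "protocol_version": proto_version,
            "ip": ip,
            "port": sin_port,
            "vendor_id": vendor,
            "vendor": VENDORS.get(vendor, f"vendor {vendor}"),
            "device_type": dev_type,
            "device_type_name": DEVICE_TYPES.get(dev_type, f"type 0x{dev_type:02x}"),
            "product_code": product_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": serial,
            "product_name": name,
            "state": state,
        }
    raise ValueError("no ListIdentity item in response")


def build_sample_response() -> bytes:
    """Constructed reply from a hypothetical Rockwell PLC (not a real device)."""
    name = b"Example PLC (constructed)"
    item = (struct.pack("<H", 1)                      # encapsulation protocol version
            + struct.pack(">hH", 2, ENIP_PORT)        # AF_INET, port (big-endian)
            + socket.inet_aton("192.0.2.10")          # documentation-range address
            + b"\x00" * 8                             # sin_zero
            + struct.pack("<HHHBBHI", 1, 0x0E, 0x0042, 20, 11, 0x0030, 0xDEADBEEF)
            + bytes([len(name)]) + name
            + bytes([0x03]))                          # device state
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


def probe(host: str, port: int = ENIP_PORT, timeout: float = 3.0) -> dict:
    """Send ListIdentity over TCP and decode the answer (only against hosts you own)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_list_identity_request())
        return parse_list_identity_response(sock.recv(4096))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        info = probe(sys.argv[1])
    else:
        info = parse_list_identity_response(build_sample_response())
    for key, value in info.items():
        print(f"{key:18}{value}")
```

Run it with no arguments to decode the constructed sample, or with a hostname to probe a device on your own network. If a controller you manage answers this request from an address outside your plant network, it is one of the 49,000: ListIdentity is the first packet an attacker sends, and the fix is to take the device off the internet (or behind a VPN with proper identity controls), not to rely on the PLC's own access controls.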
Edge Devices, Zero-Days, and CISA Guidance

FortiClient EMS zero-day: CISA published information on a FortiClient EMS zero-day, with approximately 2,000 instances currently exposed on the internet.

Edge device safety: CISA also released new edge device safety guidance. The hosts emphasize that patching edge devices and having good identity management are the bare minimum expectation for organizations.

Unmasking the DPRK IT Worker Ecosystem

The "Lucky Guys" site: Independent researcher ZachXBT uncovered luckyguys.site, a platform used by DPRK IT workers to send money back to the regime. These workers are easily making $1 million per month.

Team Cymru platform analysis: Eli Woodward used the Team Cymru platform to analyze the infrastructure, finding heavy Astrill VPN usage and traffic from Russian ASNs (ASI and TransTelecom).

Operational security failures: The workers used the password "123456" for their platform, exposing Slack chat identities and conversations via an investigative site.

APT28 Botnet Takedown

Router hijacking: The US DOJ, FBI, and NCSC helped take down a network of TP-Link and MikroTik routers compromised by APT28 (also tracked as Unit 26165 or Storm-2754).

Botnet scale: The botnet leveraged known vulnerabilities in these small office/home office (SOHO) devices and peaked at 18,000 unique IPs in December 2025.

Events

RISE Ireland: April 14-25 in Dublin, Ireland
RISEx Sydney: May 6 in Sydney, Australia. Register: https://shorturl.at/OyfTj
RISEx Frankfurt: May 28 in Frankfurt, Germany. Register: https://shorturl.at/twbj6
RISEx Chicago: June 3 in Chicago, IL. Register: https://shorturl.at/kd4SC
RISEx New York: June 16 in New York City, US. Register: https://shorturl.at/atb2m
Underground Economy: September 7-9 in Strasbourg, France. Register: https://shorturl.at/mw1yE
FirstCon26 (Denver): Eli W. will be presenting two sessions. Register: https://www.first.org/conference/2026/registration-options

Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.