Published Apr 22, 2026 · Updated May 18, 2026 · 1 source

Risky Business #834: Vercel Breach, Mozilla's Mythos Bug Hunt, and NIST's CVE Backlog Crisis

This week's Risky Business podcast covers a Vercel security incident tied to an infostealer infection, Mozilla's use of Anthropic's Mythos to fix 271 Firefox bugs, and NIST's decision to limit vulnerability analysis amid a swelling CVE backlog.

This week's episode of Risky Business, hosted by Patrick Gray and James Wilson with special guest The Grugq, dives into a packed week of cybersecurity news. The show leads with the Vercel security incident, which has been linked to an infostealer infection at Context.ai. Hackers are claiming to be selling stolen data, and security researcher Matt Johansen described the situation as 'not a good look' for the company. The breach highlights the ongoing risk of credential theft via infostealers, even for well-resourced tech firms.

In a significant development for software security, Mozilla used Anthropic's Mythos AI tool to find and fix 271 bugs in Firefox. The Grugq and the hosts discuss whether this represents a 'bug-pocalypse' — a flood of vulnerabilities discovered by AI that could overwhelm traditional patching and disclosure processes. The conversation also touches on the NSA's use of Mythos, despite the Department of Defense's blacklisting of Anthropic, raising questions about the government's inconsistent stance on AI security tools.

The show also covers NIST's decision to limit its vulnerability analysis efforts as the CVE backlog swells. This move has sparked debate about the sustainability of the current vulnerability management ecosystem, especially as AI-generated bug reports continue to increase. The hosts explore the implications for organizations that rely on NIST's enriched data for prioritization.

Other stories discussed include ongoing DDoS attacks against Bluesky and Mastodon, a $290 million crypto theft blamed on North Korean hackers, and the abuse of unpatched Windows security flaws to breach organizations. The episode also features a sponsored segment from Permiso, where Ian Ahl discusses detecting ShinyHunters-style activity in cloud environments.

The show notes provide links to detailed coverage of each story, including the Vercel breach, NIST's backlog, and the Windows flaw exploitation. For listeners seeking a weekly roundup, this episode offers a comprehensive overview of the most pressing cybersecurity events of the week, from AI-driven bug hunting to the persistent threat of ransomware and state-sponsored theft.

Synthesized by Vypr AI