Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.
Risky Business #839 -- TeamPCP stole GitHub's internal repos
May 27, 2026
1:00:23
10.42 MB ( 47.55 MB less)
Downloads: 0
On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:
- TeamPCP breached GitHub’s internal repos. Now what?
- Some absolute plonker glued Coruna to a hijacked npm package
- CISA is worried about about open source and wants third party submissions for KEV
- AI infrastructure is “systemically” insecure
- Much, much more
This week’s episode is sponsored by allowlisting vendor Airlock Digital. Airlock’s founders David Cottingham and Daniel Schell join Patrick Gray to talk about Microsoft briefly flagging DigitCert’s root certificate as malware. Fun!
This episode is also available on YouTube
Show notes
- GitHub confirms being hacked by TeamPCP, says customer data unaffected | therecord.media
- Grafana Labs links GitHub environment breach to TanStack npm supply chain attack | Cybersecurity Dive
- Coruna Respawned: Compromised art-template npm Package Leads... | Socket
- CISA chief frets about open-source vulnerabilities, delayed security improvements | cyberscoop.com
- Anthropic: Mythos finds more than 10,000 software flaws in first month | cyberscoop.com
- Pardon MIE? | ironPeak Blog
- CISA asks cybersecurity community to alert it to vulnerability exploitation | Cybersecurity Dive
- Lawmakers Demand Answers as CISA Tries to Contain Data Leak | krebsonsecurity.com
- Google publishes exploit code threatening millions of Chromium users | arstechnica.com
- Millions of AI agents imperiled by critical vulnerability in open source package | arstechnica.com
- Discord migrates all users to end-to-end encryption by default | The Record
- Texas AG sues Meta over claims that WhatsApp doesn't provide end-to-end encryption | arstechnica.com
- Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada | krebsonsecurity.com
- Iran-linked hackers target key US, allied sectors with sophisticated spear-phishing messages | Cybersecurity Dive
- FBI warns about fast-growing phishing kit targeting Microsoft 365 users | cyberscoop.com
- Analyzing the rise in device code phishing attacks in 2026 | Push Security
- Trump Mobile confirms it exposed customers’ personal data, including phone numbers and home addresses | TechCrunch Security
- Kash Patel’s clothing brand website shut down after reports it was hacked | TechCrunch Security
- Tulsi Gabbard resigns as US director of national intelligence | Social Signals
- When Certificate Trust Fails: The DigiCert Code-Signing Incident and Microsoft Defender False Positive |