Department of Know: Axios malware, TeamPCP campaign, New Storm infostealer

In this episode of Cybersecurity Headlines, host Sarah Lane leads a deep dive into several high-impact security stories from the past week, featuring insights from CISOs Adam Palmer of First Hawaiian Bank and Jack Kufal of Michigan Medicine. The discussion centers on the leak of Anthropic’s Claude source code via a public NPM registry, which both guests agree highlights growing risks in AI governance and insider threats. Apple’s new macOS Terminal warning system for malicious commands is seen as a minor but useful step in user awareness, while the emergence of AI-powered malware like DeepLoad signals a shift toward more efficient, polymorphic attacks. The revival of Iran’s pay2key ransomware operation and its collaboration with criminal groups underscores the accelerating convergence of nation-state tactics and cybercrime, increasing baseline threat levels for all enterprises. The hijacking of the Axios NPM library by UNC 1069 and the Team PCP supply chain campaign reveal systemic vulnerabilities in open source dependencies, with attackers exploiting stolen credentials within hours. Both CISOs emphasize that resilience now hinges on rapid response, continuous monitoring, and rethinking third-party risk management. The episode concludes with a call for CISOs to evolve from purely defensive roles to strategic digital risk leaders who focus on observability, governance, and speed in response. Key takeaways include: 1) AI adoption demands parallel governance maturity to protect intellectual property and infrastructure; 2) Supply chain attacks are no longer slow-moving—they can lead to cloud exploitation within a day; 3) Third-party risk must be assessed dynamically, not just during contracting; 4) Security maturity is defined by response speed, not just prevention; 5) Open source risk stems not from open source itself, but from unverified trust and market concentration; 6) CISOs must shift from 'blocking and tackling' to leading digital risk conversations around AI and data flows; 7) Resilience is now measured in hours, not weeks; 8) The line between nation-state and criminal cyber operations is blurring, making all organizations potential collateral damage.