The Department of Know: Google's CodeMender, CISA's big leak, Torvalds open-source warning
Get the full intelligence
Search transcripts, export clips, track mentions, and explore all topics from “The Department of Know: Google's CodeMender, CISA's big leak, Torvalds open-source warning” inside PodZeus.
CISA's recent public exposure of compromised AWS credentials in a GitHub repository named 'Private CISA' has ignited a firestorm of concern, revealing a stark disconnect between the agency's mission to secure national infrastructure and its own fundamental security hygiene. The leak, caused by disabling default secret-scanning protections and storing credentials in plaintext, exposes not just technical negligence but a deeper systemic crisis: a gutted agency struggling to defend itself amid funding cuts and staff reductions. This isn't just a breach; it's a collapse of trust in the very body meant to safeguard the nation's digital backbone.

Compounding this, CISA has now issued dire warnings that critical infrastructure operators must prepare to function for weeks or months without IT systems or third-party vendors, a scenario that would be catastrophic in healthcare, where patients rely on cloud-based EHRs and electronic approvals for life-saving treatments.

Meanwhile, open source is under siege: Linus Torvalds has publicly lamented the flood of duplicate, low-quality vulnerability reports from AI-powered tools, which is rendering the Linux kernel mailing list nearly unusable. In response, projects like TanStack are considering moving to invitation-only pull requests, a radical shift that threatens the open collaboration that drives innovation. The message is clear: the era of unguarded openness is over.
CISA’s public credential leak was caused by disabling GitHub’s secret-scanning feature and storing keys in plaintext—highlighting a systemic failure in basic security hygiene.
CISA is now advising critical infrastructure operators to prepare for months-long isolation from IT systems and third-party vendors due to persistent threats from Chinese state-linked groups.
In healthcare, losing access to cloud-based EHRs and electronic approval systems could be a death sentence for cancer patients, as treatment must restart if interrupted.
AI-powered bug hunting tools are flooding open source mailing lists with duplicate, low-value reports, making it harder for maintainers like Linus Torvalds to triage real vulnerabilities.
Projects like TanStack are considering invitation-only pull requests to prevent supply chain attacks, signaling a major shift away from open collaboration in response to rising threats.
Opening: Priorities, Sponsors, and the State of Cybersecurity
Host Rich Stroffolino welcomes guests Kate Mullen and Nick Espinosa, setting the tone with a mix of personal anecdotes and a reminder of the show's mission: to deliver actionable insights. The episode kicks off with a sponsor plug for ThreatLocker and a call to join the live chat on YouTube, emphasizing community engagement.
Google's CodeMender: Hype, Hype, and Who's on the Other End?
The team evaluates Google's new AI tool, CodeMender, which automates software vulnerability fixes. While the technology is promising, the hosts express skepticism over its lack of marketing and the absence of transparency about which governments and enterprises are in discussions—raising red flags about potential misuse.
UK Cybercrime Law Reform: A Legal Trap for Researchers
Experts condemn the UK’s proposed overhaul of the 1990 Computer Misuse Act, which would restrict researchers to scanning one IP at a time and stopping immediately upon finding a vulnerability—rendering modern, automated security testing legally impossible.
Anthropic’s Claude Sandbox Flaw: A Breach in the Black Box
“If you're an LLM maker at this point, you're not just making AI, you're a security vendor. I'm sorry.”
Shai Hulud’s 600-Package Supply Chain Attack: The New Normal
A massive supply chain attack compromised over 600 NPM packages, stealing developer credentials, propagating via stolen tokens, and creating thousands of GitHub repos to store exfiltrated data—exposing the fragility of open-source ecosystems.
“We're not going to be able to count on normal connectivity. We're not going to count on vendors, cloud services, remote support, those kinds of things. They are literally saying that they are shifting from like an incident response mode to a survival mode.”
“This is a little organization responsible for improving our cyber hygiene. They are supposed to be our advisors. Right. And they're ignoring the basics of like secret management.”
Host: Rich Stroffolino
Guests: Nick Espinosa, Kate Mullen
Mentioned: CISA (organization), Anthropic (organization), Shai Hulud (organization), Linus Torvalds (person), Brian Krebs (person), TanStack (organization), ThreatLocker (organization)
