Jordan: An AI model just found 271 zero-day vulnerabilities in Firefox. In one pass. That same class of model is available to every nation-state, every ransomware crew, and every threat actor with a cloud account. If that doesn't reframe your patching strategy conversation with the board, I don't know what will.

Alex: Welcome to Cleartext. It's Wednesday, April 22nd, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering a lot of ground—and most of it points in the same direction. Nation-state tempo is up. AI is reshaping both the offense and the defense. And the software supply chain is having a genuinely bad week. We've got the UK's NCSC sounding alarms at a volume we haven't heard before, two significant supply chain compromises demanding your team's attention right now, a Vercel breach that every CISO with SaaS sprawl should read carefully, and some legislative movement on ransomware that could change the legal calculus overnight. Let's get into it.

Jordan: Start with the UK, because the numbers are striking. The NCSC disclosed this week that they're handling four nationally significant cyber incidents every week. Not incidents broadly—nationally significant ones. And the majority are now attributed to hostile foreign governments, not criminal actors. Their framing is explicit: converging geopolitical tensions plus accelerating technology equals a perfect storm. That's not bureaucratic hedging. That's a warning.

Alex: And the relevance for CISOs outside the UK isn't abstract. What the NCSC is seeing in terms of nation-state tempo and targeting patterns reflects a global shift. When a G7 intelligence agency says the majority of major incidents are state-sponsored, that should land differently in your board risk presentation than the generic "threat landscape is evolving" language we've been using for years. If your board still thinks of nation-states as someone else's problem, these numbers should end that conversation.

Jordan: Reinforcing that, the Pentagon this week told Congress that the new 1.5 trillion dollar budget request positions cyber as a core warfighting domain. The funding covers expanded offensive operations, AI-driven capabilities, and a significant Cyber Command overhaul. The specific framing from defense officials was that adversaries have shifted from espionage to pre-positioned disruptive attacks. That's a meaningful distinction. Espionage steals data. Pre-positioning means they're already inside systems they intend to disrupt at a time of their choosing.

Alex: Two implications for CISOs. First, if you operate in or adjacent to the defense industrial base, compliance requirements are going to tighten, and probably faster than the acquisition cycle can accommodate. Start that conversation with your legal and regulatory teams now. Second, more broadly—when the US is expanding offensive cyber operations and adversaries are responding in kind, the volume and sophistication of activity across the entire internet goes up. The contested environment doesn't stay contained to government networks.

Jordan: Now let's talk about AI and vulnerability discovery, because this is the story I'd be thinking about if I were sitting in a CISO chair today. Anthropic's Mythos model found 271 security vulnerabilities in Firefox 150. Mozilla's own CTO described the model as, quote, every bit as capable as the world's best security researchers. That's not marketing copy—that's the vendor whose product was analyzed saying the AI matched their best humans.

Alex: Here's the strategic problem. This capability isn't proprietary to Anthropic or to defenders. The same class of model, and in some cases the same models, are accessible to well-resourced threat actors. What this does to your patch window assumptions is severe. We've operated on a mental model where there's some lag between a vulnerability existing and an exploit appearing in the wild. That lag is shrinking toward zero for any organization that isn't patching aggressively. This is a conversation to have with your board framed around mean time to patch, not around whether AI is interesting.

Jordan: And the AI risk this week wasn't limited to vulnerability discovery. Researchers at Johns Hopkins demonstrated what they're calling Comment and Control—a prompt injection attack where a malicious instruction embedded in a GitHub pull request title caused Claude Code, Gemini CLI, and GitHub Copilot Agent to each post their own API keys as PR comments. No external infrastructure required. Three separate AI coding agents from three separate vendors, all vulnerable to the same technique.

Alex: This is a live attack surface. If your development teams are using AI agents in CI/CD pipelines—and most of them are at this point—you need to treat those integrations as privileged processes with the same scrutiny you'd apply to any other automated system with production access. The specific vector here involves the pull_request_target trigger, which exposes secrets to fork PRs. That's an immediate configuration audit item. But the broader takeaway is that AI agents are not just productivity tools. They're new attack surface, and most security teams are not yet governing them as such.

Jordan: Staying on supply chain, two significant incidents this week. The Vercel breach is instructive because it's a perfect illustration of how shadow AI creates exposure. One Vercel employee adopted a third-party AI tool. That tool's vendor got hit with an infostealer. The attacker walked through an OAuth grant that nobody had reviewed into Vercel's production environment. Mandiant is engaged, law enforcement notified. The good news is that no npm packages were compromised—that was verified jointly with GitHub, Microsoft, and Socket.

Alex: But the mechanism here is the story. OAuth grants from employee-adopted AI tools are the new shadow IT. Most security teams have reasonable visibility into sanctioned SaaS. They have almost no visibility into the OAuth grants their employees are generating by connecting AI tools to their work accounts. An audit of OAuth grants in your environment—specifically third-party AI tool integrations with access to production systems—is not optional at this point. This is where the breach surface is growing fastest.

Jordan: The second supply chain hit is more urgent in terms of immediate action. CISA issued guidance this week following a compromise of the axios JavaScript library, which has hundreds of millions of weekly downloads. Attribution points to a North Korea-linked actor. CISA's direction is straightforward: review your environments now for indicators of compromise. If axios is in your dependency tree—and the odds are high that it is—this goes to your security team today.

Alex: Now, a story with significant long-term implications, particularly for anyone in healthcare or with healthcare clients. The House Homeland Security Committee held a hearing this week that included serious discussion of terrorism designations for ransomware groups that target hospitals, and homicide charges for attacks that result in patient deaths. A former FBI official endorsed the terrorism classification. This isn't fringe positioning—it's gaining real traction.

Jordan: The legal consequences if this moves forward are substantial. Terrorism designations trigger sanctions frameworks. Ransom payments to designated groups become federal crimes. Insurance coverage under existing cyber policies could become void if paying is legally prohibited. Healthcare CISOs and their general counsel need to be tracking this actively and starting scenario planning now, not when legislation passes.

Alex: And one more governance story worth flagging quickly. A former ransomware negotiator at DigitalMint pleaded guilty this week to colluding with BlackCat to maximize ransoms totaling 75 million dollars across five victim companies. He was the person hired to negotiate on the victim's behalf. The takeaway for CISOs is direct: the IR vendor ecosystem is not uniformly trustworthy. When you're vetting incident response and negotiation partners, you need the same due diligence rigor you'd apply to any third party with privileged access—references, conflict-of-interest disclosures, segregation of duties between negotiation and payment facilitation.

Jordan: One brief item before we close. Airbus is acquiring Quarkslab, a French cybersecurity firm focused on protecting aerospace and defense systems from AI-driven reverse engineering. It's a 100-person shop, but the acquisition rationale matters. Airbus is specifically worried about AI being used to reverse engineer embedded and edge systems in aircraft. For CISOs in defense, manufacturing, and critical infrastructure—this signals where the threat is heading on the OT and embedded systems side.

Alex: So what's the through-line this week? Jordan, I keep coming back to the same thing. The AI acceleration on both sides of this conflict is compressing every timeline we've built our security programs around.

Jordan: That's exactly right. Four major incidents a week in the UK. An AI model matching elite human researchers on vulnerability discovery. Prompt injection taking down three AI coding agents simultaneously. These aren't isolated data points. The threat environment is operating at a tempo that was theoretical two years ago and is operational now. The question for CISOs is whether your risk model has updated to reflect that, or whether you're still presenting to the board using last cycle's assumptions.

Alex: The practical near-term actions from today: audit your OAuth grants with focus on AI tool integrations, check your axios dependency exposure against CISA's guidance, review your CI/CD pipeline permissions for AI agent access, and update your patch window assumptions in light of what autonomous vulnerability discovery means for exploit timelines. And if you're in healthcare, get your legal team reading the terrorism designation language now.

Jordan: All of today's source links are in the show notes.

Alex: Thanks for listening to Cleartext. We're back tomorrow.