
Cleartext – May 01, 2026

Friday, May 1, 2026·8:31


show notes

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 6 topic areas, including "DHS Shutdown Ends as CISA Faces Long Recovery", "Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model." and "US ransomware negotiators get 4 years in prison over BlackCat attacks".

Stories Covered

🌍 Geopolitical

DHS Shutdown Ends as CISA Faces Long Recovery

BankInfoSecurity · May 01 · Relevance: █████████░ 9/10

Why it matters to CISOs: CISA's 75-day shutdown and ongoing workforce losses directly degrade the federal cyber defense ecosystem that enterprises rely on for threat intelligence, vulnerability coordination, and incident response support.

  • Bipartisan bill ends record 75-day DHS shutdown
  • CISA forced into reactive posture during shutdown, disrupting preventive cyber operations
  • Workforce losses and proposed cuts threaten long-term resilience

📡 Macro Trends

Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.

VentureBeat Security · Apr 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Six research teams have demonstrated that AI coding agents hold and expose production credentials without human session anchoring; that is a fundamental IAM blind spot CISOs must address as developer teams adopt these tools.

  • BeyondTrust proved a crafted GitHub branch name could steal Codex's OAuth token in cleartext
  • Claude Code silently ignored deny rules when commands exceeded 50 subcommands
  • Every exploit in a nine-month run targeted credentials held by AI agents, not the models themselves

🔓 Data Breach

US ransomware negotiators get 4 years in prison over BlackCat attacks

BleepingComputer · May 01 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Former incident responders at reputable firms used insider knowledge to conduct ransomware attacks; that highlights the insider threat from trusted security partners and the need for rigorous vetting of third-party IR vendors.

  • Two former employees of Sygnia and DigitalMint sentenced to 4 years each
  • Attacked five companies in 2023 using BlackCat/ALPHV ransomware
  • Extorted nearly $1.3 million from one victim

Two new extortion crews are speedrunning the Scattered Spider playbook

CyberScoop · Apr 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: New Com-affiliated groups replicating Scattered Spider's voice phishing and fake SSO tactics against SaaS environments represent an immediate threat to enterprises relying on identity-based perimeter defenses and helpdesk-based authentication resets.

  • CrowdStrike tracks two new groups: Cordial Spider and Snarky Spider
  • Using voice phishing and fake SSO pages to breach SaaS environments
  • Focused on rapid data theft for extortion, following Scattered Spider playbook

⚖️ Governance & Policy

State CISOs Are Losing Confidence as AI Threats Surge

BankInfoSecurity · May 01 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The NASCIO-Deloitte survey showing only 22% of state CISOs feel their data is protected signals a broader erosion of public-sector cyber posture that affects enterprise partners, supply chains, and regulated industries dependent on government data exchanges.

  • Only 22% of state CISOs say their data is protected from cyberthreats
  • AI-enabled attacks, third-party vendor risk, and shrinking budgets are key drivers
  • 2026 NASCIO-Deloitte study documents worst budget picture in years

Congress kicks the can down the road on surveillance law (again)

CyberScoop · Apr 30 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Another 45-day Section 702 extension prolongs uncertainty around surveillance authorities that affect enterprise data handling obligations, particularly for cloud providers and companies managing cross-border data flows.

  • Second extension of Section 702 FISA authority in 10 days
  • 45-day stopgap measure rather than comprehensive reauthorization
  • Ongoing legislative uncertainty affects enterprise compliance planning

🚀 Startup Ecosystem

Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix

BankInfoSecurity · May 01 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A Cisco acquisition of Astrix would consolidate non-human identity management into a major platform vendor, potentially reshaping how enterprises manage service accounts, API keys, and machine identities across hybrid environments.

  • Cisco reportedly in talks to acquire Astrix Security for $250M-$350M
  • Represents 25%+ premium over Astrix's last $200M valuation
  • Would expand Cisco's identity security beyond authentication, ITDR, and ISPM

🚨 Critical Vulnerability

cPanel’s authentication bypass bug is being exploited in the wild, CISA warns

CyberScoop · Apr 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: cPanel manages millions of web hosting accounts; an auth bypass exploited as a zero-day since February means any enterprise with web properties on shared hosting or cPanel-managed infrastructure needs immediate remediation.

  • CVE-2026-41940 is a critical authentication bypass in cPanel/WHM
  • Actively exploited since at least February 2026, months before patch
  • CISA added the flaw to the Known Exploited Vulnerabilities list

Full Transcript

Jordan: The people your company hired to stop a ransomware attack were running one. Let that sit for a second.

Alex: It's Friday, May 1st, 2026. Welcome to Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering the end of CISA's 75-day shutdown and what the recovery actually looks like, a pattern in AI coding agent exploits that should change how you think about IAM, two new threat groups copying Scattered Spider's playbook almost verbatim, the ransomware-as-insider-threat story Jordan just teased, a critical cPanel auth bypass that's been in the wild since February, and a Cisco acquisition that signals where the non-human identity market is heading. There's a lot on the table, so let's get into it.

Jordan: Start with CISA, because this sets the backdrop for everything else today. The 75-day DHS shutdown is over. Bipartisan bill passed the House, funding restored. And the instinct is to say fine, problem solved. It isn't. CISA spent two and a half months in reactive posture. No proactive threat hunting, degraded coordination with sector risk management agencies, and a workforce that was already depleted before the shutdown started. The people who left during those 75 days are not coming back because a continuing resolution passed.

Alex: And CISOs need to recalibrate what they expect from the federal ecosystem right now. CISA's threat intelligence sharing, its vulnerability coordination, its support during major incidents — those functions are diminished. Not gone, but diminished. If your security program had CISA in the dependency column as a backstop, you need to reweight that assumption. The public-private partnership model still exists, but the partner on the public side just went through a serious operational disruption.

Jordan: The proposed cuts still on the table make this worse. Even with funding restored, CISA is operating with institutional memory gaps and a smaller headcount. That affects KEV list updates, it affects JCDC coordination, it affects how fast sector-wide advisories move. Plan accordingly.

Alex: Speaking of the KEV list, CISA did manage to push out a critical add this week. cPanel's authentication bypass, CVE-2026-41940, is now confirmed actively exploited. What makes this particularly bad is the timeline: active exploitation has been ongoing since at least February. That's roughly two months of zero-day window before a patch existed. If your organization has any web properties sitting on shared hosting infrastructure or cPanel-managed environments, this needs to go to the top of your remediation queue today, not next sprint.

Jordan: The attack surface here is easy to underestimate. cPanel manages millions of hosting accounts globally. It's not just small businesses — enterprises often have marketing sites, regional properties, dev environments running on infrastructure they don't fully inventory. Auth bypass at the hosting control panel layer means an attacker can pivot into anything managed under that account.

Alex: Now let's talk about the story that connects directly to where your developers are spending their time. The VentureBeat piece from yesterday pulled together six months of research findings on AI coding agents — Claude Code, GitHub Copilot, OpenAI Codex — and the pattern is unambiguous. Every exploit went after credentials held by the agent, not the model itself.

Jordan: The BeyondTrust finding is the one that should keep IAM architects up at night. A crafted GitHub branch name — that's the attack vector — was sufficient to steal Codex's OAuth token in cleartext. OpenAI rated it Critical P1. And separately, Adversa found that Claude Code would silently ignore its own deny rules once a command chain exceeded 50 subcommands. The agent's own policy enforcement broke down under load.

Alex: Here's the business framing for this. Your developers are adopting these tools whether you've formally approved them or not. These agents operate with persistent credentials — OAuth tokens, API keys, sometimes service account access — and they're running autonomously in contexts that your IAM team almost certainly hasn't modeled. There's no human session anchoring. Traditional MFA assumptions don't apply. You have machine identities accumulating privileges in your development pipeline and nobody's auditing them.

Jordan: The fix isn't to ban the tools. That battle's already lost. The fix is to apply the same rigor to AI agent identities that you apply to service accounts. Least privilege, rotation schedules, behavioral monitoring. Treat the agent's credential surface the way you'd treat a privileged service account, because that's functionally what it is.

Alex: Which is a nice segue into why Cisco is reportedly in talks to acquire Astrix Security for somewhere between two-fifty and three-fifty million. Astrix is a non-human identity management play — service accounts, API keys, OAuth grants, machine-to-machine access. The market is getting crowded with point solutions and Cisco is trying to consolidate it into their identity stack. For CISOs, the strategic read here is that the major platform vendors have recognized non-human identity as a distinct, unsolved problem. If Cisco closes this deal, expect that to accelerate similar moves from Microsoft, Palo Alto, and CrowdStrike.

Jordan: Now let's get to the insider threat story, because this is a genuinely alarming data point. Two former incident responders — one from Sygnia, one from DigitalMint, both reputable firms — were sentenced this week to four years each for conducting BlackCat ransomware attacks against five companies in 2023. They extorted nearly 1.3 million dollars from one victim alone.

Alex: These were people who understood IR playbooks from the inside. They knew how defenders respond, what forensic artifacts get prioritized, how to time attacks to maximize leverage. The board question this raises is uncomfortable but necessary: how rigorously are you vetting the third parties who have privileged access to your environment during your worst moments? Most IR retainer agreements involve deep forensic access, and most vendor vetting processes don't go deep enough on the individuals who will actually show up when the incident happens.

Jordan: This isn't a reason to stop retaining IR firms. It is a reason to ask harder questions. Background checks on named responders, not just company-level due diligence. Logging and monitoring of IR firm activity in your environment during engagements. Treating your IR vendor's access the way you'd treat any privileged third party. The trust model has to be zero-trust even in a crisis.

Alex: Sticking with the threat actor landscape, CrowdStrike published research this week on two new Com-affiliated groups — Cordial Spider and Snarky Spider — and they are essentially running the Scattered Spider playbook with minor variations. Voice phishing, fake SSO pages, targeting SaaS environments, rapid data exfiltration for extortion. The speed-to-exfil is what's notable. These groups are optimized for getting data out fast, not for dwell time.

Jordan: The Scattered Spider playbook worked spectacularly well against organizations with strong perimeter defenses but weak helpdesk authentication controls. The lesson from that wave should have been: your helpdesk is an attack surface. If a caller can social engineer a password reset or an MFA bypass, your identity perimeter is made of paper. These new groups are betting that lesson hasn't been learned broadly enough. Based on the research, they're right.

Alex: Before we get to the outlook, a quick note on state CISOs. The 2026 NASCIO-Deloitte survey dropped this week and the headline number is stark: only 22% of state CISOs say their data is protected from cyberthreats. That's not a rounding error, that's a collapse in confidence. Shrinking budgets, AI-enabled attacks, and third-party vendor risk are the drivers.

Jordan: The enterprise relevance here is supply chain and regulatory. If your organization exchanges data with state agencies — healthcare, financial services, critical infrastructure, any regulated sector — the security posture on the other end of that exchange just got a lot harder to trust. And Section 702 getting another 45-day extension rather than comprehensive reauthorization means compliance teams planning cross-border data flows are still operating in uncertainty. That's the third consecutive short-term punt on this.

Alex: Alright, the week's emerging theme. Jordan, what's the thread you're pulling on?

Jordan: Institutional erosion across every layer of the defense stack simultaneously. CISA degraded. State CISOs at their lowest confidence in years. Congress unable to make durable decisions on surveillance law. AI tooling creating IAM blind spots faster than policy can catch up. And threat actors — both nation-state and criminal — who are absolutely tracking all of this. The attack surface isn't just technical. It's structural.

Alex: And the board conversation that comes out of this week is about dependencies. Which of your security assumptions rest on external institutions — federal agencies, trusted vendors, established playbooks — that are currently under strain? Because this week gave us evidence that several of those dependencies are shakier than the org chart suggests. That's the risk assessment conversation to have before summer planning cycles close.

Jordan: Validate your assumptions. Especially the ones you haven't questioned in a while.

Alex: That's Cleartext for Friday, May 1st. If this episode was useful, share it with a peer. We'll be back Monday. Have a good weekend.

Jordan: Stay clear.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-01.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.