Cleartext – May 04, 2026
Monday, May 4, 2026·8:29
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 6 topic areas, including: Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M; Why data centers now belong on the critical infrastructure list; Risky Bulletin: DigiCert hacked with a malicious screensaver file.
Stories Covered
🌍 Geopolitical
Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M
The Hacker News · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: This unprecedented US-China-UAE coordinated law enforcement operation signals growing international willingness to collaborate on cybercrime—relevant for CISOs tracking the BEC/fraud threat landscape, and a demonstration that enforcement actions can meaningfully disrupt organized operations.
- 276 suspects arrested and 9 crypto scam centers shut down in coordinated US-China-UAE operation
- $701M seized in connection with cryptocurrency investment fraud schemes
- Operation led by Dubai Police with FBI and Chinese authorities
📡 Macro Trends
Why data centers now belong on the critical infrastructure list
CyberScoop · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The push to designate data centers as critical infrastructure has direct implications for CISOs managing cloud-dependent operations—potential new regulatory requirements and heightened threat modeling expectations around physical and cyber resilience.
- Growing argument for classifying data centers as critical infrastructure alongside energy and telecom
- AI adoption is deepening enterprise and national security dependence on cloud facilities
- Data centers are becoming increasingly attractive targets for adversaries
🔓 Data Breach
Risky Bulletin: DigiCert hacked with a malicious screensaver file
Risky Business News · May 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: A breach of DigiCert—a foundational certificate authority for enterprise PKI and TLS—has immediate trust and supply chain implications; CISOs should assess certificate inventory exposure and monitor for any downstream impact on certificate validity.
- DigiCert was compromised via a malicious screensaver file
- DigiCert is a major certificate authority trusted by enterprises globally
- Also reported: Trellix disclosed a separate security breach; two ransomware negotiators were sentenced to four years each
⚖️ Governance & Policy
Progress warns of critical MOVEit Automation auth bypass flaw
BleepingComputer · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Given MOVEit's history as a mass-exploitation vector in 2023, any critical auth bypass in the MOVEit product family warrants immediate attention—CISOs should verify patching and assess whether automation instances are internet-exposed.
- Critical authentication bypass vulnerability in MOVEit Automation (enterprise MFT platform)
- Progress Software issued customer warning to patch immediately
- MOVEit products were the target of the massive Cl0p ransomware campaign in 2023
🚀 Startup Ecosystem
Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix
BankInfoSecurity · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A Cisco acquisition of Astrix at $250-350M validates non-human identity as a critical security category and signals platform consolidation CISOs should factor into identity program roadmaps and vendor strategy.
- Cisco reportedly in talks to acquire non-human identity startup Astrix Security for $250M-$350M
- Represents at least 25% premium over Astrix's last $200M valuation
- Would expand Cisco's identity security footprint beyond authentication, ITDR, and ISPM
Palo Alto Networks Targets AI Agent Gateway With Portkey Buy
BankInfoSecurity · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Palo Alto's acquisition of Portkey for AI agent gateway capabilities signals that securing autonomous AI agents is becoming a mainstream platform play—CISOs deploying agentic AI need to plan for runtime security and identity controls over agent communications.
- Palo Alto Networks acquiring Portkey for centralized AI agent communication gateway
- Gateway enforces runtime security, identity controls, and governance for autonomous agents
- Addresses fragmented enterprise visibility over AI agents with broad system access
🚨 Critical Vulnerability
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems
BleepingComputer · May 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Active exploitation of a Linux privilege escalation vulnerability with a public PoC demands immediate patching across Linux server fleets—this is a root-level compromise vector with a rapid weaponization timeline.
- CISA confirmed active exploitation of 'Copy Fail' Linux vulnerability in the wild
- Exploitation began one day after PoC was publicly released by Theori researchers
- Vulnerability allows attackers to gain root-level access to Linux systems
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
The Hacker News · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Active exploitation of cPanel targeting government, military, and MSPs across multiple countries represents a supply-chain risk vector—CISOs with hosting or MSP dependencies should verify exposure and patch status immediately.
- Unknown threat actor exploiting critical cPanel vulnerability targeting government and military entities in Southeast Asia
- MSPs and hosting providers in Philippines, Laos, Canada, South Africa, and U.S. also targeted
- Activity detected May 2, 2026, by Ctrl-Alt-Intel
Further Reading
- 🌍 Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M — The Hacker News
- 📡 Why data centers now belong on the critical infrastructure list — CyberScoop
- 🔓 Risky Bulletin: DigiCert hacked with a malicious screensaver file — Risky Business News
- ⚖️ Progress warns of critical MOVEit Automation auth bypass flaw — BleepingComputer
- 🚀 Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix — BankInfoSecurity
- 🚀 Palo Alto Networks Targets AI Agent Gateway With Portkey Buy — BankInfoSecurity
- 🚨 CISA says ‘Copy Fail’ flaw now exploited to root Linux systems — BleepingComputer
- 🚨 Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks — The Hacker News
Full Transcript
Jordan: A certificate authority just got compromised via a screensaver. Let that sink in for a moment. DigiCert — one of the foundational trust anchors for enterprise PKI globally — breached by what amounts to a 1990s attack vector. We'll get into what that means for every certificate your organization relies on.
Alex: Welcome to Cleartext. It's Monday, May 4th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Today we've got a dense one. DigiCert's breach and the trust chain implications that follow. MOVEit is back — yes, again — with a critical auth bypass. CISA is warning about active exploitation of a Linux privilege escalation flaw that went from proof-of-concept to weaponized in under 24 hours. We'll also talk about a landmark US-China-UAE law enforcement operation that seized $701 million in crypto fraud proceeds, why data centers may be heading toward critical infrastructure designation, and what Cisco and Palo Alto's latest acquisitions tell you about where the identity and AI security markets are heading. Let's get into it.
Jordan: Let's start with DigiCert, because this one has real teeth. The initial reporting indicates they were compromised through a malicious screensaver file — which, setting aside the almost darkly comic delivery mechanism, this is a serious supply chain trust event. DigiCert issues TLS certificates that sit underneath an enormous percentage of enterprise infrastructure. Authentication, encryption, code signing — all of it traces back to certificate authorities like DigiCert.
Alex: The immediate question for any CISO right now is: what's your certificate inventory look like, and do you have visibility into it? Most organizations don't. Certificate sprawl is a real problem — certificates issued years ago across dozens of teams, many of them untracked. If DigiCert's systems were compromised, the concern is whether any certificate issuance or private key material was touched. We don't have full details yet on scope, but the prudent move is to pull your DigiCert certificate inventory today and flag anything that may have been issued or renewed in a window proximate to this breach.
Jordan: The other story in that same briefing — Trellix also disclosed a separate breach. Two security vendors in the same news cycle. And two ransomware negotiators each sentenced to four years. That last item is actually significant. It signals that the DOJ is increasingly willing to go after intermediaries in the ransomware ecosystem, not just the actors themselves.
Alex: Which connects nicely to our next story. A coordinated operation involving the FBI, Chinese law enforcement, and Dubai Police just arrested 276 people, shut down nine cryptocurrency scam centers, and seized $701 million in fraud proceeds. This was primarily targeting pig butchering and crypto investment fraud schemes aimed at American victims.
Jordan: What makes this geopolitically notable is the US-China cooperation angle. These two countries don't coordinate on much right now. The fact that they found common ground on transnational financial crime — facilitated through the UAE as a neutral convening party — is meaningful. It doesn't signal a thaw in the broader relationship, but it does suggest there are narrow lanes where operational cooperation is possible when both sides see mutual benefit.
Alex: From a CISO perspective, BEC and fraud remain the top financial threat for most organizations. What this operation demonstrates is that enforcement can actually move the needle when it's coordinated at scale. It won't eliminate the threat, but it does raise the cost of operating these networks. The other takeaway is the UAE's emerging role as a serious cybercrime enforcement partner. Dubai is increasingly where these operations are being run out of, and the local authorities are apparently willing to act.
Jordan: Now, MOVEit. Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation. Patch immediately. That's the action item, and everything else is context.
Alex: The context matters though. In 2023, Cl0p's mass exploitation of MOVEit Transfer affected hundreds of organizations — healthcare systems, government agencies, financial institutions. It was one of the most consequential vulnerability exploitation campaigns in recent memory. The MOVEit brand carries that baggage. If you have MOVEit Automation instances in your environment — and many organizations do, because it's widely deployed for managed file transfer — your first question is whether they're internet-exposed. The second question is whether they're patched. Don't wait for your regular patch cycle on this one.
Jordan: Shifting to active exploitation. CISA confirmed that the 'Copy Fail' Linux vulnerability is being exploited in the wild — one day after researchers at Theori published a proof-of-concept. One day. That's the weaponization timeline you're working with in 2026.
Alex: This vulnerability allows privilege escalation to root on Linux systems. The exposure surface is significant — Linux underlies most cloud workloads, container infrastructure, and a large portion of on-premise server environments. The PoC was public, it was functional, and threat actors moved immediately. Your Linux patching cadence needs to reflect that reality. If you're still on a 30-day patch cycle for servers, this is a good week to have that conversation with your infrastructure team.
Jordan: And while we're on active exploitation — a previously unknown threat actor is targeting government and military entities in Southeast Asia, as well as MSPs and hosting providers across the Philippines, Laos, Canada, South Africa, and the US, using a critical cPanel vulnerability. Detected just two days ago by Ctrl-Alt-Intel. The MSP targeting is the piece that should get CISO attention, because that's a supply chain vector. If your managed service provider runs cPanel and hasn't patched, your environment could be downstream of that compromise.
Alex: Verify patch status with your MSPs. Get written confirmation. This is exactly the scenario where third-party risk management either pays off or doesn't.
Jordan: On the market side — Cisco is reportedly in talks to acquire Astrix Security for somewhere between $250 and $350 million. Astrix is a non-human identity player — API keys, service accounts, OAuth integrations, machine-to-machine credentials.
Alex: This validates something a lot of security leaders have been saying internally for a while: non-human identities are now the larger attack surface. The ratio of machine identities to human identities in a typical enterprise is already lopsided and it's getting worse. Cisco adding this capability to their identity portfolio is a signal that the major platforms are taking it seriously. If you haven't done a non-human identity audit recently — service accounts, API tokens, third-party OAuth grants — that's worth putting on the roadmap.
Jordan: And Palo Alto is acquiring Portkey to build out AI agent gateway capabilities. Runtime security, identity controls, and governance for autonomous AI agents. It's a narrower story but it's pointing at something real.
Alex: Every organization that's deploying agentic AI — and that number is growing fast — is dealing with the same problem. These agents have broad system access, they're communicating with external services, and the visibility into what they're actually doing is fragmented at best. The gateway concept is the right architectural response. Palo Alto is betting they can own that layer. For CISOs, the message is: if you're deploying AI agents without a security governance layer over their communications and identities, you have a blind spot that adversaries will eventually find.
Jordan: And that brings us to the data center critical infrastructure story, which is less of a news item and more of a policy trajectory worth tracking. The argument being made is that as AI deepens enterprise and national security dependence on cloud facilities, those physical facilities deserve the same regulatory designation as energy grids and telecommunications networks.
Alex: It's a reasonable argument. The problem is that critical infrastructure designation comes with regulatory obligations, and the cloud providers are going to push back hard on anything that creates new compliance surface for them. But for CISOs, the more immediate implication is threat modeling. If you're running AI workloads in cloud data centers and those facilities become higher-priority targets for nation-state actors, your resilience planning needs to account for that. Redundancy, failover, and supply chain concentration risk all come into focus.
Jordan: This week's through-line is actually pretty clear. The perimeter is gone, the trust model is broken, and everything is moving faster — breach to exploitation, patch to weaponization, AI deployment to attack surface. The DigiCert story is a reminder that trust anchors themselves can be compromised. Copy Fail going from PoC to active exploitation in 24 hours is a reminder that your response window has effectively shrunk to hours, not days.
Alex: And the acquisition activity from Cisco and Palo Alto tells you where the industry thinks the gaps are: non-human identity and AI agent governance. Both of those should be on your H2 planning radar if they aren't already. The organizations that build governance frameworks around machine credentials and AI agent behavior now will be ahead of both the threat curve and the regulatory curve.
Jordan: Busy Monday. Lots to action on.
Alex: That's Cleartext for May 4th, 2026. If this was useful, share it with a peer who needs it. We're back tomorrow. Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-04.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.