Cleartext – May 05, 2026
Tuesday, May 5, 2026·8:34
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: Australia launches cyber review board modeled on version disbanded in US; Everest Group Begins Leaking Alleged Liberty Mutual Data; Trellix discloses data breach after source code repository hack.
Stories Covered
🌍 Geopolitical
Australia launches cyber review board modeled on version disbanded in US
The Record (Recorded Future) · May 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Australia's new no-fault Cyber Incident Review Board signals a global trend toward systemic post-incident analysis; CISOs with APAC operations should prepare for potential participation in reviews and align incident response processes accordingly.
- Australia launched a Cyber Incident Review Board for no-fault post-incident reviews
- Modeled on the US Cyber Safety Review Board (CSRB), which DHS disbanded in January 2025
- Focuses on systemic lessons from attacks on government and industry
🔓 Data Breach
Everest Group Begins Leaking Alleged Liberty Mutual Data
BankInfoSecurity · May 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A major insurer allegedly losing 108GB of data, including policyholder details, has direct implications for any enterprise that relies on cyber insurance; policy applications and coverage documents describe an insured's controls and limits, so CISOs should treat their insurer as a third party in their risk reviews and determine whether their own policy data may be affected.
- Ransomware gang Everest claims to have exfiltrated 108GB from Liberty Mutual
- Leaked data allegedly includes policyholder details
- Liberty Mutual reportedly failed to respond to ransom demands
Trellix discloses data breach after source code repository hack
BleepingComputer · May 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A security vendor's own source code being accessed raises serious supply chain trust questions; CISOs running Trellix products should assess whether the exposed code could help an attacker find vulnerabilities in deployed products, confirm deployments are current on patches, and watch closely for follow-on advisories from Trellix.
- Trellix confirmed unauthorized access to a portion of its source code repository
- Trellix is a major enterprise security vendor (XDR, endpoint, email security)
- Supply chain implications for organizations deploying Trellix products
⚖️ Governance & Policy
Five Eyes Sound Alarm on Autonomous AI Security Risks
BankInfoSecurity · May 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Five Eyes joint guidance on agentic AI risks sets the baseline for how regulators and auditors will evaluate enterprise AI governance; CISOs deploying autonomous agents need to align with zero trust enforcement and human oversight recommendations now.
- Five Eyes cyber agencies issued joint guidance on agentic AI risks
- Warns autonomous AI systems introduce identity, visibility, and control risks
- Recommends continuous monitoring, zero trust enforcement, and human oversight
Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass
The Hacker News · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Given MOVEit's history as a major breach vector (the 2023 Cl0p mass-exploitation campaign, which targeted MOVEit Transfer), any critical authentication bypass in a MOVEit product demands immediate CISO attention and accelerated patching of MFT infrastructure before exploitation begins.
- Critical authentication bypass vulnerability in MOVEit Automation (formerly Central)
- MOVEit is widely used enterprise MFT software with history of mass exploitation
- Patches now available; no confirmed active exploitation yet
🚀 Startup Ecosystem
Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix
BankInfoSecurity · May 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Cisco's potential $250M-$350M acquisition of Astrix validates non-human identity as a strategic security category; CISOs should evaluate how machine identity governance fits into their IAM roadmap, especially as this market consolidates.
- Cisco reportedly in talks to acquire Astrix Security for $250M-$350M
- Astrix focuses on non-human identity security (service accounts, API keys, OAuth tokens)
- Would represent at least 25% premium over Astrix's $200M last valuation
🚨 Critical Vulnerability
US government warns of severe CopyFail bug affecting major versions of Linux
TechCrunch Security · May 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: An actively exploited Linux kernel vulnerability affecting every mainstream distribution built since 2017 poses immediate risk to virtually all enterprise server and container infrastructure; because containers share the host kernel, updating container images does not address it, and CISOs must prioritize emergency kernel patching (and reboots) across Linux fleets.
- CISA confirms active exploitation of the 'CopyFail' bug in the wild
- Affects every mainstream Linux distribution built since 2017
- Allows attackers to gain root access to Linux systems
Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites
TechCrunch Security · May 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Mass exploitation of cPanel/WHM's authentication bypass affects web infrastructure broadly, including hosting that business units may have procured outside IT; CISOs should identify any cPanel-managed hosting used by the organization or its partners, confirm that the provider has applied the fix, and review those hosts for signs of compromise.
- Critical authentication bypass vulnerability in cPanel/WHM being mass-exploited
- Thousands of websites already compromised
- Attacks include brute force and ransomware deployment
Further Reading
- 🌍 Australia launches cyber review board modeled on version disbanded in US — The Record (Recorded Future)
- 🔓 Everest Group Begins Leaking Alleged Liberty Mutual Data — BankInfoSecurity
- 🔓 Trellix discloses data breach after source code repository hack — BleepingComputer
- ⚖️ Five Eyes Sound Alarm on Autonomous AI Security Risks — BankInfoSecurity
- ⚖️ Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass — The Hacker News
- 🚀 Why Cisco Is Eyeing Buy of Non-Human Identity Startup Astrix — BankInfoSecurity
- 🚨 US government warns of severe CopyFail bug affecting major versions of Linux — TechCrunch Security
- 🚨 Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites — TechCrunch Security
Full Transcript
Jordan: Your Linux servers. All of them. Every major distribution built since 2017. Being actively exploited, right now. That's where we're starting today.
Alex: Welcome to Cleartext. It's Tuesday, May 5th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Today we've got a full board. An actively exploited Linux kernel vulnerability that touches virtually every enterprise data center and container fleet on the planet. A ransomware gang leaking data from one of the largest insurers in the US. A security vendor's own source code gets breached. Five Eyes dropping joint guidance on agentic AI. A critical MOVEit patch that you do not want to sit on. Australia standing up a cyber review board modeled on the one the US just walked away from. And Cisco making a move in the non-human identity space. Let's get into it.
Jordan: So CopyFail. CISA confirmed active exploitation yesterday of a Linux kernel vulnerability that affects every mainstream distribution built since 2017. That's not hyperbole — that's the advisory. Successful exploitation gives an attacker root access. Full stop. If you are running Linux servers, containers, cloud workloads on standard distributions — and you are — this is your emergency patch event for the week. CISA has it on the Known Exploited Vulnerabilities catalog, which means federal agencies have a deadline. But honestly, so should you.
Alex: The operational calculus here is straightforward. You have a confirmed, active exploit chain targeting infrastructure that underpins most of enterprise computing. Your patching cadence does not matter this week. This supersedes it. Get your Linux fleet inventoried, get patches tested and deployed, and if you can't patch immediately, start thinking about compensating controls — network segmentation, privilege restrictions, enhanced monitoring on those hosts. Brief your team today.
Jordan: And while you're in that mode, cPanel. Separate issue, but same urgency window. Critical authentication bypass in cPanel and WHM, and we're already seeing mass exploitation. Thousands of sites compromised, attacks including ransomware deployment. If any part of your organization or your third-party web infrastructure runs cPanel-managed hosting, you need to know that today. This one has a narrower blast radius than CopyFail, but it's being actively weaponized at scale.
Alex: That brings us to a story that should make every CISO uncomfortable on multiple levels. Everest Group is now publicly leaking what they claim is 108 gigabytes of data from Liberty Mutual. Policyholder details. And they say the insurer failed to respond to their demands.
Jordan: The irony is almost too pointed. A cyber insurer, breached. Policyholder data — which could include details about the security posture and coverage limits of other enterprises — potentially in the hands of a ransomware gang. That's not a hypothetical threat chain. That's a live one.
Alex: There are two things I want CISOs to take from this. First: if you're a Liberty Mutual customer, you need to understand what data they hold about you, what your policy documents contain, and whether that information could inform targeting. Insurance applications are essentially detailed inventories of your weaknesses. Second, and more broadly — your cyber insurer is a third party. They hold sensitive information about you. How often are they in your third-party risk review cycle? For most organizations, the honest answer is not often enough.
Jordan: Liberty Mutual hasn't confirmed the breach scope yet, which is its own problem. When a ransomware gang is publishing your data and you're not communicating, you're losing the narrative entirely.
Alex: Now let's talk about a story that hits closer to home for a lot of us. Trellix disclosed a breach of a portion of its source code repository. Trellix, for context, is a major enterprise security vendor — XDR, endpoint, email security. If you're running Trellix in your environment, your question right now should be: what was in that code, and could a threat actor use it to identify vulnerabilities in the product before patches exist?
Jordan: This is the supply chain trust problem in its purest form. You deploy a security product specifically to defend your environment. That product's source code is now in unauthorized hands. The disclosure says "a portion" of the repository — which is the kind of qualifier that typically means we don't yet know what we don't know. Watch for any follow-on advisories from Trellix closely, and make sure your Trellix deployment is current on patches. If something new drops, you want zero lag time.
Alex: This is also a board conversation. Not necessarily this week, but the pattern — security vendors being breached — is something boards need to understand when they ask about your vendor stack. It's not just about the product. It's about trusting the vendor's own security posture.
Jordan: Switching gears. Five Eyes — the intelligence alliance covering the US, UK, Canada, Australia, and New Zealand — issued joint guidance yesterday on agentic AI. Autonomous AI systems. The kind that don't just answer questions but take actions across your environment.
Alex: And the timing is not coincidental. Enterprises are deploying these systems now, in many cases faster than governance can keep up. The Five Eyes guidance calls out three specific risk domains: identity — these agents need credentials and permissions, and managing that is genuinely hard. Visibility — autonomous agents create action chains that are difficult to audit after the fact. And control — the systems can outpace human decision-making by design.
Jordan: What they're recommending is essentially a zero trust framework applied to AI agents. Least privilege, continuous monitoring, and — this is the one that will create friction — meaningful human oversight checkpoints. The guidance stops short of mandating specifics, but here's what I'd tell CISOs: regulators and auditors will use this document. This is your baseline.
Alex: If you're in a regulated industry and you're deploying autonomous AI agents, you want to be able to demonstrate that you've read this guidance and that your deployment reflects it. Not because you have to today, but because you will have to, and "we weren't aware" is not a defensible position when it's a Five Eyes advisory.
Jordan: MOVEit. I know. I know. But yes, again. Progress Software patched a critical authentication bypass in MOVEit Automation. No confirmed active exploitation yet — emphasis on yet. We all know what happened in 2023. The Cl0p campaign that hit hundreds of organizations in a matter of weeks. MOVEit vulnerabilities do not stay unexploited for long.
Alex: Patch it now. Before the weekend. This is one of those cases where the history of the product tells you everything you need to know about threat actor interest. If you have MOVEit in your environment and you haven't patched by end of week, you're making a bet I wouldn't make.
Jordan: Now let's go to Australia, and this one matters strategically. Australia just launched a Cyber Incident Review Board — no-fault, post-incident reviews of significant attacks on government and industry, focused on systemic lessons. And yes, it's explicitly modeled on the US Cyber Safety Review Board that the current administration disbanded earlier this year.
Alex: The geopolitical read here is interesting. Other Five Eyes partners are essentially picking up governance frameworks the US has walked away from. For CISOs with APAC operations, this is practical: you may be asked to participate in one of these reviews. That means your incident documentation, your post-mortems, your timeline reconstruction all need to be ready for external scrutiny. The no-fault framing is important — this isn't litigation. But it does require transparency.
Jordan: And the bigger picture: as the US retreats from certain multilateral cyber governance structures, allies are filling the gap. That creates a patchwork of obligations for multinationals. If you operate across Five Eyes jurisdictions, you could be subject to review frameworks in multiple countries with different scope and processes. That's worth a conversation with your legal team now, not after an incident.
Alex: Quick note on the Cisco-Astrix story before we hit the outlook. Cisco is reportedly in talks to acquire Astrix Security — a non-human identity startup — for somewhere between 250 and 350 million dollars. Astrix focuses on service accounts, API keys, OAuth tokens. The messy, sprawling identity surface that most organizations have dramatically undercounted.
Jordan: The validation signal here is clear. Non-human identities now outnumber human identities in most enterprise environments by a significant factor. The market is consolidating. If you don't have a non-human identity governance program, you're behind the curve and the vendors are about to make it harder to ignore.
Alex: For the outlook this week, the through-line is pretty stark. CopyFail tells us active exploitation of foundational infrastructure is not slowing down. The Liberty Mutual breach tells us that the institutions we rely on to backstop cyber risk are themselves targets. Trellix tells us that security vendors are not exempt. And the Five Eyes AI guidance tells us that the governance frameworks for the next generation of enterprise risk are being written right now, whether we're at the table or not.
Jordan: What I'm watching: whether CopyFail spawns a secondary wave of intrusions we'll see documented over the next thirty to sixty days, and whether any of the Liberty Mutual policyholder data surfaces in ways that enable targeted attacks against named enterprises. Both of those have meaningful downstream consequences.
Alex: And on the governance side, I'll be watching how quickly APAC regulators begin operationalizing that AI guidance and whether the EU follows with something similar. The patchwork is growing.
Jordan: That's Cleartext for Tuesday, May 5th. Thanks for listening.
Alex: Show notes and links to everything we covered today are at cleartext.fm. We'll be back tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-05.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.