Jordan: A worm that survives package deletion. Credentials stolen from your AI agents, your password managers, your Kubernetes clusters — all from 172 packages that looked completely legitimate. That's not a supply chain problem. That's a supply chain collapse. Today's show is dense. Let's get into it.

Alex: Welcome to Cleartext. I'm Alex Chen. It's Wednesday, May 13th, 2026. Alongside Jordan Reeves, we're covering a lot of ground today — a sprawling open-source supply chain attack that should be on every CISO's radar right now, ransomware hitting Foxconn and a pharma supplier in the same week, a China-linked APT expanding its target set into energy, and on the governance side, the UK is finally modernizing its cybercrime law in ways that matter for your bug bounty programs. Plus G7 AI SBOM guidance and two funding rounds worth knowing about. Let's move.

Jordan: The story I opened with — Mini Shai-Hulud — deserves your full attention for the next five minutes. Here's the threat model. Attackers compromised 172 packages across npm and PyPI. These weren't obviously malicious packages. They carried valid provenance signatures, meaning your dependency scanners likely gave them a pass. The worm inside harvests AWS keys, SSH keys, npm tokens, GitHub PATs, Kubernetes service accounts, password manager data — it's casting a very wide net. And the persistence mechanism is what makes this particularly ugly: it embeds itself in Claude Code and Kiro AI agent configurations. So you remove the package, you think you're clean, and you're not. The worm is still sitting in your AI tooling.

Alex: The immediate action item here is straightforward to say and painful to execute. You need to audit your developer environments — not just your production dependencies, but local dev machines, CI/CD pipelines, and specifically any AI coding agent configurations. Claude Code and Kiro are both widely adopted right now. If your engineers are using them, assume those config files need to be inspected. The credential harvest scope here is broad enough that this is also an incident response trigger. Rotate AWS keys, rotate GitHub PATs, audit Kubernetes service account activity. Do not wait for confirmation that you were hit. Treat this as presumptive exposure until you can prove otherwise.

Jordan: The provenance signature angle is the part that should keep security architects up at night. The industry has spent years pushing toward signed packages as the trust anchor for supply chain security. This campaign shows that attacker capability has caught up. Signed doesn't mean safe. It means the signature was valid at the time of publication. That's a meaningfully different thing.

Alex: Now, ransomware. Two significant hits disclosed this week. Foxconn confirmed that the Nitrogen ransomware gang disrupted operations at its North American factories — Wisconsin, Ohio, Texas, Virginia, Indiana, Mexico. The world's largest electronics manufacturer. If you have Foxconn in your hardware supply chain, and most enterprises with significant infrastructure do, you need to be on the phone with your procurement team today asking about lead times and alternative sourcing. This isn't hypothetical disruption. Factories are working to restore normal operations as we record.

Jordan: Nitrogen is not a new name. They've been active and they've been effective. What's notable here is the target scale. Foxconn's North American footprint is enormous. The downstream exposure for enterprises waiting on hardware — servers, devices, components — could persist for weeks depending on how deep the encryption went.

Alex: The second ransomware story is West Pharmaceutical Services. They filed an SEC 8-K on Monday disclosing a breach from May 4th — data stolen, systems encrypted. West Pharma is a critical supplier of drug delivery components. Prefilled syringes, containment systems, the infrastructure that pharmaceutical manufacturers depend on to get product out the door. The healthcare supply chain angle here is real. But I also want to pull on the disclosure piece. West filed within days of the breach. That's the regulatory environment now. If you haven't walked your board through your 8-K incident disclosure posture recently, this is your prompt. The SEC's cyber disclosure rules have teeth, and this is what compliant behavior looks like.

Jordan: Two ransomware disclosures in the same week across manufacturing and pharma. This is not coincidence. Operational technology and physical supply chains remain the highest-leverage targets for ransomware operators because the pressure to restore operations is immediate and enormous. The negotiating dynamic is completely different when the alternative is assembly lines staying dark.

Alex: Let's shift to the geopolitical story. FamousSparrow — tracked as UAT-9244, China-linked — ran a multi-wave intrusion against an Azerbaijani oil and gas firm from late December through February. What makes this significant isn't the technical execution. It's the target selection. FamousSparrow has historically operated in hospitality, telecom, and government. Energy is new territory for this group, and it tells you something about shifting collection priorities in Beijing.

Jordan: Azerbaijan sits at an interesting geopolitical intersection right now. It's a major transit corridor for Caspian energy into Europe, it's navigating relationships with Russia, the EU, and increasingly China. From a strategic intelligence standpoint, an oil and gas firm there is extraordinarily valuable — production data, pricing intelligence, infrastructure mapping, contract relationships. This is classic long-term strategic collection, not ransomware, not disruption. The goal is to know everything about how European energy flows.

Alex: For energy sector CISOs, the threat modeling update here is concrete. If FamousSparrow was previously not in your threat actor library because you weren't in hospitality or telecom, add them now. The sector expansion is documented. And the broader pattern — Chinese APT groups widening their targeting into critical infrastructure globally — is consistent with what we've seen from Volt Typhoon, Salt Typhoon, and others. This is a coordinated posture shift, not isolated activity.

Jordan: One more story I want to flag before we get to governance. A community bank in Pennsylvania disclosed that it exposed customer names, dates of birth, and Social Security numbers — because the data was shared with an AI application without adequate controls. This is the story that every CISO needs to show their legal and compliance teams. The attack surface isn't just external adversaries anymore. It's your own employees plugging sensitive data into AI tools that haven't been through your procurement and data classification process.

Alex: The governance failure here is simple to diagnose. Someone with access to customer PII used an AI application that wasn't approved, wasn't scoped, and had no data handling controls. Every CISO listening to this should have a documented AI acceptable use policy that covers what data categories can touch which tools. If you don't have that policy, or if you have it but haven't enforced it technically, this is your case study for the board conversation.

Jordan: On the governance front — the UK announced reforms to the Computer Misuse Act 1990 as part of the King's Speech package. First major overhaul in decades. The headline is legal safe harbors for security researchers. Right now, good-faith vulnerability research in the UK operates in a legally gray zone that has real chilling effects on the researcher community. If these reforms pass as proposed, that changes.

Alex: The practical implication for enterprise security teams is twofold. First, if you run a bug bounty program with scope touching UK-based researchers, the legal framework governing their participation is about to get clearer and more favorable. Second, this likely increases the volume and quality of research coming out of the UK community, which benefits everyone. Watch this one as it moves through Parliament.

Jordan: G7 released AI SBOM guidance — seven data clusters for documenting what's in your AI systems. CISA was in the room. This is early-stage framework development, but the direction is clear: AI systems will eventually need the same kind of supply chain transparency we've been building for software. For CISOs currently procuring AI tools, start asking vendors for this information now, before it becomes a compliance requirement. Get ahead of it.

Alex: Two funding rounds quickly. Exaforce closed a $125 million Series B at a $725 million valuation. Three years old, AI-native SOC focus, real-time detection and response. The valuation signals significant enterprise traction. If you're evaluating SOC modernization options, they're worth a look. Frame Security launched with $50 million — founded by a former Wiz leader, focused on AI-generated phishing simulations and deepfake training. The threat it's targeting is real. Personalized social engineering using voice cloning and AI-generated content is a growth vector for attackers right now. Whether you need a dedicated platform for it depends on your existing awareness program maturity, but the category is legitimate.

Alex: The theme this week, if you zoom out, is trust infrastructure under attack. Signed packages aren't trustworthy. AI tools are becoming data exfiltration vectors. A worm persists after you think you've removed the threat. Supply chains you depend on — hardware, pharma components — are being actively disrupted. The adversary playbook is increasingly about undermining the controls we rely on rather than bypassing them.

Jordan: And the organizational response has to match that. Audit assumptions, not just configurations. The question isn't just "are our packages signed?" It's "does a valid signature actually tell us what we think it tells us?" That kind of first-principles pressure-testing of your security model is what separates programs that stay ahead from programs that learn the hard way.

Alex: That's Cleartext for Wednesday, May 13th. Show notes and links to every story we covered today are at cleartext.fm. If this episode was useful, share it with a peer. We'll be back tomorrow.