Cleartext – June 02, 2026
Tuesday, June 2, 2026·9:39
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 5 topic areas, including: NSA selects new leads for key cybersecurity posts; Sophos uncovers AI-powered malware lab built for EDR evasion; Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board.
Stories Covered
🌍 Geopolitical
NSA selects new leads for key cybersecurity posts
The Record (Recorded Future) · Jun 01 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Leadership transitions at NSA's Cybersecurity Directorate and Cybersecurity Collaboration Center are directly relevant to CISOs who depend on public-private threat intelligence sharing — new leadership may shift priorities and partnership engagement models.
- David Imbordino, previously acting director, has been formally named NSA Cybersecurity Directorate chief
- Bruce Jones, a career NSA technical leader, named as new head of the Cybersecurity Collaboration Center
- The CCC is the NSA unit most directly engaged with private sector enterprises on threat intelligence sharing
📡 Macro Trends
Sophos uncovers AI-powered malware lab built for EDR evasion
Help Net Security · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The discovery of a threat actor using AI to systematically build and test EDR evasion frameworks signals that endpoint detection controls must be stress-tested against AI-assisted bypass techniques — reliance on EDR as a primary detection layer carries increasing residual risk.
- A threat actor built a dedicated malware-testing lab using AI coding tools specifically to develop and refine EDR evasion techniques
- The framework included Cobalt Strike profiles designed to disguise beacon traffic as legitimate web requests and a Telegram-based command infrastructure
- Sophos discovered the operation after anomalous endpoint alerts in a customer environment led investigators to the broader AI-assisted testing framework
Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board
VentureBeat Security · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: OS-level policy enforcement for AI agent execution addresses one of the most pressing enterprise AI governance gaps — CISOs evaluating agentic AI deployment strategies need to assess MXC as a potential foundational control layer for Windows-based AI workloads.
- Microsoft introduced Microsoft Execution Containers (MXC) at Build 2026 — a policy-driven OS-level sandbox controlling what AI agents can access
- OpenAI and Nvidia are already on board as launch partners, indicating rapid ecosystem adoption
- MXC is built directly into the Windows OS, enabling IT administrators to set and enforce hard boundaries on AI agent behavior
Anthropic’s browser agent got hijacked 31.5% of the time before safeguards engaged
VentureBeat Security · Jun 01 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A 31.5% prompt injection success rate against Anthropic's browser agent — the highest figure disclosed by any frontier lab — gives CISOs a concrete risk benchmark for agentic AI deployments and underscores the need for mandatory prompt injection testing before production rollout.
- Anthropic disclosed that red teamers successfully hijacked its browser agent via prompt injection 31.5% of the time before safeguards engaged
- Anthropic's 244-page safety disclosure covering four agentic surfaces was the most comprehensive among frontier labs — OpenAI, Google, and Meta provided significantly less comparable data
- Cross-vendor inconsistency in prompt injection disclosure makes comparative risk assessment for enterprise AI procurement extremely difficult
🔓 Data Breach
Password manager Dashlane says hackers stole some customers’ password vaults
TechCrunch Security · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Enterprise password manager breaches carry outsized third-party risk — any organization with Dashlane deployed in its stack must assess exposure and review vendor security controls immediately. The 2FA brute-force vector signals a systemic authentication weakness relevant to all enterprise credential tooling decisions.
- Hackers brute-forced Dashlane's two-factor authentication system to access customer accounts
- Encrypted password vaults were downloaded from fewer than 20 user accounts on personal subscription plans
- Incident was disclosed publicly on May 31, 2026
Red Hat npm packages compromised to steal developer credentials
BleepingComputer · Jun 01 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A supply-chain compromise of 30+ official Red Hat npm packages directly threatens enterprise CI/CD pipelines and developer build environments — organizations using Red Hat Cloud Services tooling must audit dependency integrity and check for credential exfiltration immediately.
- 30+ npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised via a hijacked Red Hat employee GitHub account
- Malware dubbed 'Miasma' (Mini Shai-Hulud variant) was injected to steal credentials from developer build environments
- Malicious commits were pushed on June 1, 2026 across two time windows, indicating a deliberate, coordinated supply-chain attack
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
Krebs on Security · Jun 01 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: This incident is a live case study in AI chatbot prompt injection enabling account takeover at scale — CISOs must evaluate whether their own enterprise AI support and helpdesk automation tools carry analogous social-engineering and account-reset vulnerabilities.
- Attackers circulated Telegram instructions showing how to trick Meta's AI support bot into resetting account passwords
- High-profile accounts, including the Obama White House Instagram account and that of the U.S. Space Force Chief Master Sergeant, were briefly defaced with pro-Iranian content
- Meta has since patched the exploit, but the attack vector spread virally before remediation
⚖️ Governance & Policy
Inspector general finds NIST mistakes have made vulnerability database ineffective
The Record (Recorded Future) · Jun 01 · Relevance: ████████░░ 8/10
Why it matters to CISOs: With NVD's unprocessed backlog doubling to 27,000+ vulnerabilities, CISOs can no longer rely on the NVD as a timely authoritative source — this demands a formal reassessment of vulnerability intelligence workflows and investment in alternative enrichment sources.
- NIST's NVD backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to more than 27,000 by end of 2025
- An inspector general report found the failures are 'undermining the NVD's utility and public trust'
- The degraded database effectiveness has downstream impacts on every organization using NVD as a foundational vulnerability management data source
🚨 Critical Vulnerability
Attackers are exploiting Palo Alto Networks defect that initially flew under the radar
CyberScoop · Jun 01 · Relevance: █████████░ 9/10
Why it matters to CISOs: Active exploitation of a Palo Alto Networks flaw affecting perimeter infrastructure demands immediate triage across all enterprise deployments — the fact it initially appeared low-severity before escalating is a critical lesson in patch prioritization and vendor advisory monitoring.
- CVE-2026-0257 in Palo Alto Networks products is now confirmed under active exploitation
- The vulnerability was initially underestimated in severity before active attacks were observed
- Shows how quickly a low-rated vulnerability can become an urgent enterprise threat
Further Reading
- 🌍 NSA selects new leads for key cybersecurity posts — The Record (Recorded Future)
- 📡 Sophos uncovers AI-powered malware lab built for EDR evasion — Help Net Security
- 📡 Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board — VentureBeat Security
- 📡 Anthropic’s browser agent got hijacked 31.5% of the time before safeguards engaged — VentureBeat Security
- 🔓 Password manager Dashlane says hackers stole some customers’ password vaults — TechCrunch Security
- 🔓 Red Hat npm packages compromised to steal developer credentials — BleepingComputer
- 🔓 Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts — Krebs on Security
- ⚖️ Inspector general finds NIST mistakes have made vulnerability database ineffective — The Record (Recorded Future)
- 🚨 Attackers are exploiting Palo Alto Networks defect that initially flew under the radar — CyberScoop
Full Transcript
Alex: Welcome to Cleartext. It's Tuesday, June 2nd, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. A password manager breach that hinges on a 2FA brute-force, which should make every CISO rethink their credential tooling assumptions. A supply-chain attack on Red Hat npm packages that's hitting developer pipelines right now. Microsoft's new OS-level sandbox for AI agents. And Anthropic publishing a number that should be uncomfortable for everyone building agentic AI. Plus, the NVD is officially broken — an inspector general said so — and a Palo Alto Networks flaw that everyone ignored until it was too late. Jordan, let's start with the story you flagged.
Jordan: Yeah, the Sophos finding. They discovered a threat actor who built what amounts to an AI-powered malware R&D lab. Not just using AI to write malicious code — that's old news at this point. This actor built a dedicated testing framework, using AI coding tools, specifically designed to develop and iterate EDR evasion techniques. They were running Cobalt Strike profiles tuned to disguise beacon traffic as legitimate web requests, with command and control running over Telegram. Sophos found it after an anomalous endpoint in a customer environment triggered alerts from a testing directory. So this actor was literally doing QA on their evasion techniques inside a compromised environment.
Alex: And this is the part that should land hard for CISOs. If you're treating EDR as your primary detection layer — and let's be honest, a lot of organizations do — this finding says your adversaries are now systematically stress-testing your controls with AI assistance before they deploy. The development cycle for evasion has compressed dramatically. You need to be running your own adversary simulation against your EDR stack at a cadence that matches this reality. If your last purple team exercise was six months ago, you're behind.
Jordan: And it's not just the sophistication. It's the accessibility. You don't need nation-state resources to build one of these labs anymore. AI coding tools have democratized the process. A motivated mid-tier threat actor can iterate on EDR bypasses the way a startup iterates on product features.
Alex: Which connects directly to two AI stories we need to cover. Microsoft announced MXC at Build 2026 — Microsoft Execution Containers. This is an OS-level sandbox that controls what AI agents can access and do on a Windows system. OpenAI and Nvidia are launch partners, so this has immediate ecosystem weight.
Jordan: The timing here is telling. For two years the industry has been racing to make AI agents more capable without building the guardrails to match. MXC is Microsoft saying: we're going to enforce policy at the OS layer, not just at the application layer. IT admins get hard boundaries on agent behavior — file access, network calls, system modifications. It's the control plane that's been missing.
Alex: For CISOs evaluating agentic AI deployment strategies, especially on Windows-based workloads, MXC should be on your architecture review immediately. It doesn't solve everything, but it's the first credible attempt at foundational policy enforcement for agents at the OS level. The question is how granular the policies are and how quickly the ecosystem builds around it.
Jordan: And then pair that with the Anthropic disclosure. Their red teamers hijacked Claude's browser agent via prompt injection 31.5 percent of the time before safeguards kicked in. That is the highest figure any frontier lab has publicly disclosed.
Alex: Now, here's the nuance. Anthropic published a 244-page safety report covering four agentic surfaces. OpenAI, Google, Meta — none of them gave comparable data. So Anthropic's number looks like a liability, but it's actually the most transparent data point we have. The real problem is that the other labs aren't telling you their numbers.
Jordan: Exactly. And for CISOs doing procurement on agentic AI tooling, you can't do comparative risk assessment when only one vendor is showing you the data. So what do you do? You mandate prompt injection testing in your own environment before anything goes to production. Period. Thirty-one percent is a useful benchmark, but your mileage will vary based on your deployment context.
Alex: And the Meta story from Krebs underscores why this matters in practice right now. Attackers circulated instructions on Telegram showing how to trick Meta's AI support bot into resetting Instagram account passwords. The Obama White House account and the U.S. Space Force Chief Master Sergeant's account were both briefly defaced with pro-Iranian content. Meta has patched it, but the exploit spread virally before they did.
Jordan: This is prompt injection in the wild, against a production AI system, enabling account takeover at scale. If you've deployed AI chatbots for helpdesk, support, or account management, you need to be asking right now: can someone talk my bot into resetting a password or escalating privileges? Because that's exactly what happened here.
Alex: Let's shift to the breaches. The Dashlane story first. Hackers brute-forced Dashlane's two-factor authentication system to access customer accounts and download encrypted password vaults. Fewer than 20 personal subscription accounts were affected, so the blast radius is limited. But the vector is what matters here.
Jordan: If a password manager's 2FA can be brute-forced, that's a systemic design flaw, not a configuration issue. For enterprise CISOs, the immediate action is: if you have Dashlane in your stack, assess your exposure now. But the broader question is whether your credential management vendor has rate-limiting and lockout controls on their MFA that would survive a sustained brute-force attempt. Ask them. Get it in writing.
Alex: And the Red Hat supply-chain attack. More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised after a Red Hat employee's GitHub account was hijacked. A new malware variant called Miasma was injected to steal credentials from developer build environments. Malicious commits were pushed on June 1st across two separate time windows, so this was deliberate and coordinated.
Jordan: This is a textbook supply-chain attack against trusted packages in a trusted namespace. If your developers are pulling from '@redhat-cloud-services,' you need to audit dependency integrity right now. Check your build logs for commits from June 1st. And this is another argument for reproducible builds, dependency pinning, and runtime integrity verification in your CI/CD pipeline. Trust is not a security control.
Alex: The point about trusted namespaces is critical. Developers see Red Hat and assume safety. That assumption is exactly what the attackers exploited.
Jordan: Moving to vulnerabilities. CVE-2026-0257 in Palo Alto Networks products is now confirmed under active exploitation. What makes this one worth flagging is the trajectory. It was initially rated low severity. It flew under the radar. And now it's being actively exploited against perimeter infrastructure.
Alex: This is the patch prioritization lesson we keep having to relearn. Low CVSS scores don't mean low risk. If it's on your perimeter, if it's on infrastructure that faces the internet, you treat it differently. Your vulnerability management program needs context-aware prioritization, not just severity scores. And if you're running Palo Alto products, triage this today.
Jordan: Which brings us to the NVD story, and this one has been building for a long time. An inspector general report found that NIST's National Vulnerability Database backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to over 27,000 by the end of 2025. The IG's words were that the failures are "undermining the NVD's utility and public trust."
Alex: This is not a surprise to anyone who's been watching, but having the IG put it on the record matters. The NVD has been the foundational data source for vulnerability management across the entire industry. If you're still relying on NVD as your primary or sole enrichment source, you are working with incomplete data. You need to be investing in alternative or supplementary vulnerability intelligence — commercial feeds, vendor advisories, CISA KEV. The NVD is no longer timely enough to be your single source of truth.
Jordan: And for CISOs going to the board, this is worth mentioning. The government's own authoritative vulnerability database is officially degraded. That changes the risk equation for any program that was built on NVD as a foundational control.
Alex: One more story before we look ahead. NSA has formalized leadership at two key cyber units. David Imbordino is now permanent chief of the Cybersecurity Directorate, and Bruce Jones takes over the Cybersecurity Collaboration Center, which is the unit that works most directly with private sector enterprises on threat intelligence sharing.
Jordan: The CCC appointment is the one CISOs should care about. If you're participating in any of NSA's private-sector threat intelligence programs, new leadership typically means new priorities and potentially new engagement models. It's worth reaching out to your contacts there proactively.
Alex: Alright, looking ahead. Jordan, what's the through-line today?
Jordan: The through-line is the collapse of assumptions. Your EDR is being systematically tested by AI-powered adversaries. Your trusted open-source packages aren't trustworthy. Your password manager's 2FA can be brute-forced. Your government vulnerability database is broken. Your AI chatbot can be talked into resetting passwords. Every one of these stories is about a control or a trust relationship that CISOs assumed was solid, and it's not. The theme for the rest of this year is going to be re-validating your foundational assumptions, not just adding new tools on top of them.
Alex: Agreed. And the Microsoft MXC announcement and the Anthropic disclosure point to the same thing from the builders' side. The industry is starting to acknowledge that you have to build the controls in, not bolt them on. Whether that's OS-level agent sandboxing or publishing your actual prompt injection failure rates, the move toward honesty and architectural rigor is the right one. CISOs should be rewarding that transparency in their procurement decisions.
Jordan: Watch for follow-on activity from the Red Hat supply-chain compromise this week. If they got credentials from developer build environments, the secondary effects haven't played out yet.
Alex: That's the show for Tuesday, June 2nd. Show notes and links to every story we covered are at cleartext.fm. I'm Alex Chen.
Jordan: I'm Jordan Reeves. See you tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-02.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.