Cleartext – June 03, 2026
Wednesday, June 3, 2026·10:44
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 6 topic areas, including: AI-built ransomware toolkit automates EDR evasion, AD discovery; China Uses Dual-Method Cyberattack on Czech Orgs; Anthropic scales Claude Mythos to critical infrastructure in 15+ countries.
Stories Covered
🌍 Geopolitical
AI-built ransomware toolkit automates EDR evasion, AD discovery
BleepingComputer · Jun 02 · Relevance: █████████░ 9/10
Why it matters to CISOs: An AI-generated ransomware toolkit that autonomously discovers Active Directory topology and evades EDR solutions represents a qualitative escalation in attacker capability that directly threatens enterprise security architectures built around endpoint detection as a last line of defense.
- Threat actor is deploying an AI-built toolkit that automates Active Directory discovery without manual reconnaissance
- The toolkit includes automated EDR evasion capabilities, reducing reliance on known bypass techniques
- Represents a documented production use of AI to compress the attack lifecycle, not just a proof-of-concept
China Uses Dual-Method Cyberattack on Czech Orgs
Dark Reading · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: China's double-layer spear-phishing campaign deploying Azureveil malware against Czech and Taiwan-linked organizations demonstrates active expansion of state-sponsored targeting into European enterprise targets, requiring CISOs in multinational firms with EU or Taiwan-facing operations to reassess their threat model.
- Chinese state-linked actors used a dual-method spear-phishing campaign to deploy Azureveil malware
- Targets include Czech organizations and those with Taiwan ties, expanding beyond traditional Asia-Pacific targeting
- Campaign focuses on data exfiltration from high-value targets using a layered, difficult-to-attribute attack chain
📡 Macro Trends
Anthropic scales Claude Mythos to critical infrastructure in 15+ countries
TechCrunch Security · Jun 02 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Anthropic's expansion of AI-assisted vulnerability discovery to 150 critical infrastructure organizations across 15 countries signals that AI-powered offensive security tooling is being institutionalized at national scale — CISOs in energy, water, healthcare, and communications need to understand both the defensive opportunity and the model-access risk surface this creates.
- Project Glasswing now includes 150 organizations across 15+ countries in power, water, healthcare, and communications sectors
- Organizations must meet security requirements before gaining access to the Claude Mythos Preview model
- Program scope covers infrastructure potentially affecting 100 million people, making it a systemic risk consideration
🔓 Data Breach
Password manager Dashlane says hackers stole some customers’ password vaults
TechCrunch Security · Jun 02 · Relevance: █████████░ 9/10
Why it matters to CISOs: Enterprise organizations relying on Dashlane for credential management face immediate credential exposure risk; the breach of MFA-protected password vaults raises urgent questions about third-party password manager risk in enterprise environments and vendor due diligence.
- Hackers brute-forced Dashlane's two-factor authentication system to access customer accounts
- Attackers were able to download complete password vaults containing stored credentials
- Incident affects enterprise customers who may have corporate credentials stored in the platform
Global Stock Exchange Hit by Monthslong Email Campaign
Dark Reading · Jun 03 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A sustained, months-long compromise of a senior finance executive's email inbox at a global stock exchange using living-off-the-land techniques is a direct signal to CISOs in financial services that email monitoring and privileged-account behavioral analytics gaps are being actively exploited at the highest levels.
- Threat actor maintained near-continuous access to a senior finance executive's email inbox for multiple months
- Attack relied on legitimate, native Windows tools — no custom malware required, evading signature-based detection
- Target was a globally influential financial institution, indicating high-value, likely nation-state or sophisticated criminal actor
⚖️ Governance & Policy
Trump administration releases scaled-back AI executive order
CyberScoop · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The White House AI executive order shapes the federal AI governance landscape that enterprise security programs must align to, particularly around confidentiality, cybersecurity, insider risk, and IP protection requirements for AI model access — CISOs advising on AI deployment policy need to understand the new regulatory baseline.
- Order includes cybersecurity, insider-risk, and IP protection requirements for federal AI model access
- Represents significant concessions to industry compared to earlier drafts, likely reducing near-term compliance burden
- Sets policy direction that will influence federal contractors and critical infrastructure operators downstream
🚀 Startup Ecosystem
Cyera eyes $12B valuation at 80x ARR multiple despite operating losses
TechCrunch Security · Jun 02 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Cyera's near-$300M raise at a $12B valuation underscores how enterprise demand for data security posture management (DSPM) is driving outsized investment — CISOs evaluating vendor stability and market consolidation should track whether this capital positions Cyera as an acquisition target or category definer.
- Cyera is nearing a $300 million funding round led by Evolution Equity Partners
- Valuation of $12B represents an 80x ARR multiple, reflecting extreme investor appetite for DSPM despite operating losses
- Signals continued market conviction in AI-era data security tooling as a board-level priority
🚨 Critical Vulnerability
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
The Hacker News · Jun 03 · Relevance: █████████░ 9/10
Why it matters to CISOs: This vulnerability affects nearly every major enterprise web server and reverse proxy in default configuration, enabling unauthenticated remote denial-of-service at scale — CISOs running internet-facing infrastructure on NGINX, Apache, IIS, or Envoy should treat this as an emergency patching priority.
- Remote DoS exploit affects NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora
- Vulnerability exists in each server's default HTTP/2 configuration, meaning most deployments are exposed out of the box
- Discovered via OpenAI Codex through chained vulnerability analysis, signaling AI-accelerated exploit discovery
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
The Hacker News · Jun 02 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Oracle WebLogic is deeply embedded in enterprise Java environments and financial services middleware — CISA's KEV listing confirms active exploitation of this unauthenticated remote takeover flaw, making immediate remediation a compliance obligation for federal contractors and a critical priority for all enterprise WebLogic deployments.
- CVE-2024-21182 allows unauthenticated network-level takeover of Oracle WebLogic Server (CVSS 7.5)
- CISA has added it to the Known Exploited Vulnerabilities catalog, triggering mandatory federal agency remediation deadlines
- Widely deployed in enterprise and financial sector environments, amplifying blast radius of active exploitation
Further Reading
- 🌍 AI-built ransomware toolkit automates EDR evasion, AD discovery — BleepingComputer
- 🌍 China Uses Dual-Method Cyberattack on Czech Orgs — Dark Reading
- 📡 Anthropic scales Claude Mythos to critical infrastructure in 15+ countries — TechCrunch Security
- 🔓 Password manager Dashlane says hackers stole some customers’ password vaults — TechCrunch Security
- 🔓 Global Stock Exchange Hit by Monthslong Email Campaign — Dark Reading
- ⚖️ Trump administration releases scaled-back AI executive order — CyberScoop
- 🚀 Cyera eyes $12B valuation at 80x ARR multiple despite operating losses — TechCrunch Security
- 🚨 New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — The Hacker News
- 🚨 Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation — The Hacker News
Full Transcript
Alex: Welcome to Cleartext. It's Wednesday, June 3rd, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Alex, I want to start today with something that should make every CISO in our audience pause. Dashlane, the password manager, confirmed that attackers brute-forced their two-factor authentication system and downloaded complete customer password vaults. Let that sit for a second. The thing your organization deployed specifically to reduce credential risk just became the single point of failure.
Alex: Yeah, and that's where we're going to spend real time today. We've also got an AI-built ransomware toolkit that's automating Active Directory discovery and EDR evasion in production — not a lab demo, not a proof of concept. We'll cover a new HTTP/2 vulnerability that hits basically every web server you're running in default config. China expanding its targeting into European enterprises. A months-long email compromise at a global stock exchange. The new White House AI executive order. Anthropic scaling its vulnerability discovery program to critical infrastructure across fifteen countries. And Cyera's eye-popping twelve billion dollar valuation. Let's get into it.
Jordan: So let's start with Dashlane because this is not just a breach story. This is a vendor trust story. Attackers found a way to brute-force Dashlane's two-factor authentication implementation. Not phish it, not social-engineer it — brute-force it. Which immediately raises the question of what rate limiting, what lockout policies, what anomaly detection was sitting in front of that 2FA system.
Alex: And this is the nightmare scenario we've been warning about with centralized credential stores. The pitch for enterprise password managers has always been: consolidate credentials, enforce complexity, reduce reuse. And that's valid. But the implicit assumption is that the vault itself is inviolable. When it's not, you haven't reduced risk. You've concentrated it. Every corporate credential stored in those vaults — SaaS applications, internal systems, privileged accounts — is now potentially exposed.
Jordan: The immediate action here is obvious. If your organization uses Dashlane, you're rotating credentials. All of them. Today. But the strategic question is harder. Do you move to a different password manager and hope their 2FA implementation is better? Do you accelerate your passwordless roadmap? This is a board-level conversation about single points of failure in your identity architecture.
Alex: And it's a vendor due diligence conversation. When was the last time your team actually tested your password manager's authentication controls? Not took the vendor's word for it — actually tested them. I'd bet most organizations haven't. This should change that calculus permanently.
Jordan: Staying on the theme of trust assumptions breaking down, let's talk about the AI-built ransomware toolkit that BleepingComputer reported on. A threat actor is deploying a toolkit that uses AI to automate Active Directory discovery and EDR evasion. This is not somebody prompting ChatGPT to write a script. This is a production attack toolkit where AI is compressing the entire reconnaissance and evasion phase of the attack lifecycle.
Alex: This matters because most enterprise security architectures are built on a fundamental assumption: that there's a window between initial access and lateral movement where your detection stack can catch the attacker. EDR is supposed to be that safety net. Active Directory monitoring is supposed to give you visibility into reconnaissance. This toolkit is specifically designed to shrink that window to near zero and blind your detection at the same time.
Jordan: Right. The AD discovery piece is particularly concerning. Traditional ransomware operators spend time mapping the domain — finding domain controllers, identifying high-value targets, understanding trust relationships. That reconnaissance generates noise. It's detectable. When you automate that with AI that understands AD topology natively, you eliminate the fumbling around that gives defenders their edge.
Alex: So what do you do? First, this reinforces that EDR alone is not a strategy. If your security architecture's last line of defense is endpoint detection, you are already behind this threat. You need network-level segmentation that limits lateral movement regardless of whether the attacker is detected. You need identity-based controls that don't rely on catching the reconnaissance. And honestly, you need to pressure-test your detection stack against AI-generated evasion, not just the known bypass techniques from last year.
Jordan: And this connects directly to the HTTP/2 Bomb vulnerability, which is a different kind of problem but equally urgent. Researchers — and notably, this was discovered using OpenAI Codex — found a remote denial-of-service vulnerability that affects NGINX, Apache, IIS, Envoy, and Cloudflare Pingora. In their default HTTP/2 configurations. Default configurations, Alex. That means if you stood up a web server and didn't specifically harden the HTTP/2 settings, you're exposed.
Alex: The blast radius here is enormous. These are the web servers and reverse proxies that sit in front of virtually every enterprise web application. And because it's unauthenticated — no credentials needed — any internet-facing deployment is a target. This is an emergency patching priority. No debate. If your team hasn't already started assessing exposure across your HTTP/2-enabled infrastructure, that starts this morning.
Jordan: I want to flag something else about this one. It was discovered by AI — Codex chaining vulnerability analysis to find something humans had missed across multiple server implementations. We're seeing AI accelerate both offense and defense simultaneously. The toolkit we just talked about uses AI to automate attacks. This vulnerability was found by AI doing defensive research. That duality is the defining feature of the threat landscape we're entering.
Alex: While we're on vulnerabilities, the Oracle WebLogic CVE that just hit CISA's Known Exploited Vulnerabilities catalog. CVE-2024-21182. Unauthenticated network-level takeover, CVSS 7.5. If you're running WebLogic — and if you're in financial services or large enterprise Java environments, you probably are — the KEV listing means active exploitation is confirmed. For federal contractors, you have mandatory remediation deadlines. For everyone else, treat it the same way.
Jordan: WebLogic is one of those platforms that's deeply embedded in middleware stacks. It's not always visible to the security team. So step one is actually confirming your inventory. You might have WebLogic instances your team doesn't even know about.
Alex: Let's shift to the geopolitical picture. Jordan, China's dual-method campaign targeting Czech organizations and Taiwan-linked entities.
Jordan: This is significant because of the targeting expansion. Chinese state-linked actors deploying Azureveil malware through a layered spear-phishing campaign — that's sophisticated but not surprising. What's notable is the deliberate targeting of Czech organizations. We're seeing China's cyber operations extend deeper into European enterprise targets, not just the traditional Asia-Pacific theater. If you're a multinational with EU operations, particularly any business that touches Taiwan — supply chain, trade, diplomatic, anything — you need to update your threat model. The assumption that Chinese state targeting is primarily an APAC problem is no longer valid.
Alex: And the dual-method, layered attack chain is designed specifically to frustrate attribution and complicate incident response. This is the kind of campaign that lives in your environment for months if you're not looking for it.
Jordan: Which brings us perfectly to the stock exchange compromise. A threat actor maintained near-continuous access to a senior finance executive's email inbox at a global stock exchange for months. Using living-off-the-land techniques. No custom malware. Just native Windows tools.
Alex: This is the story that should terrify financial services CISOs. Not because of the technique — living-off-the-land is well understood — but because of the duration. Months of access to a senior executive's email. That's deal flow, regulatory correspondence, board communications, M&A discussions. The data exfiltration potential is staggering.
Jordan: And the detection failure is the real lesson. Signature-based detection doesn't catch this. If your privileged account monitoring isn't doing behavioral analytics — looking at login patterns, email access volumes, geographic anomalies — you have a blind spot that sophisticated actors are actively exploiting. This isn't theoretical. This happened at a globally influential financial institution with presumably a mature security program.
Alex: Quick pivot to governance. The White House released its scaled-back AI executive order yesterday. Jordan, the headline is that it's more industry-friendly than earlier drafts.
Jordan: It includes cybersecurity requirements, insider-risk provisions, and IP protection mandates for federal AI model access. But the concessions to industry are significant. Near-term compliance burden is lighter than what was circulating in earlier drafts. For CISOs, the practical implication is downstream. If you're a federal contractor or in critical infrastructure, these requirements will flow into your procurement and deployment policies. Start mapping your AI governance program to this framework now, even if enforcement timelines are generous.
Alex: And speaking of AI in critical infrastructure, Anthropic is expanding Project Glasswing — their vulnerability discovery program using the Claude Mythos model — to 150 organizations across fifteen-plus countries in power, water, healthcare, and communications. Infrastructure potentially affecting a hundred million people. There are security requirements organizations must meet before they get access to the model, but the scale here is remarkable. AI-powered offensive security tooling is being institutionalized.
Jordan: The dual-use question is real. Every one of those organizations gets access to a model that's exceptional at finding vulnerabilities. The defensive value is obvious. But the model-access risk surface — who has access, how it's secured, what happens if credentials leak — that's a new attack vector CISOs in those sectors need to account for.
Alex: Last one before we look ahead. Cyera, the data security posture management company, is nearing a three hundred million dollar raise at a twelve billion dollar valuation. That's an eighty-times ARR multiple despite operating losses.
Jordan: That's the market telling you something. Investors believe data security posture management is a generational category. Whether Cyera specifically justifies that valuation is a different question, but CISOs should be tracking this space. DSPM is becoming board-level priority, and the consolidation dynamics over the next eighteen months will determine which vendors survive and which get absorbed.
Alex: Alright, looking ahead. Jordan, the thread running through today's episode is obvious. AI is simultaneously the attack tool, the vulnerability discovery engine, the governance challenge, and the investment thesis. The Dashlane breach shows that even foundational security controls can't be taken for granted. The AI ransomware toolkit shows attackers compressing kill chains faster than most enterprises can adapt their detection. And the HTTP/2 Bomb shows AI finding vulnerabilities at scale across critical infrastructure.
Jordan: The theme for the rest of this week and into next: assumption testing. Every defensive assumption in your architecture — that EDR will catch lateral movement, that your password manager is secure, that your executive email monitoring is sufficient, that your web servers are hardened — every one of those needs to be validated against current threat reality, not last year's. The attackers have new tools. If your defensive assumptions haven't been updated to match, you're operating on borrowed time.
Alex: That's the show for today. Show notes and links to every story we covered are at cleartext.fm. I'm Alex Chen.
Jordan: I'm Jordan Reeves. We'll see you tomorrow.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-03.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.