mattjay.com
Friendly neighborhood cybersecurity guy | expect infosec news, appsec, cloud, dfir. | Long Island elder emo in ATX.
vulnu.com <- sign up for my weekly cybersecurity newsletter
comment in response to
post
Fantastic reporting by Stephen Fowler and Jenna McLaughlin. McLaughlin also broke the initial story that is leading to all of this follow up.
Read their writeup here - www.npr.org/2025/06/...
This represents potentially serious breach of federal systems + attempted coverup.
Will be watching Microsoft's response and whether this triggers broader scrutiny of DOGE's access to agency systems.
NLRB IG has launched formal inquiry.
House Oversight Dems lack subpoena power without Republican majority support, making Microsoft's voluntary cooperation crucial for investigation.
Data at risk includes sensitive labor organizing info and union complaints.
Over 50 House Democrats from Congressional Labor Caucus expressed concerns about worker data exposure risks.
Timing is notable - just one day after NPR's initial report, DOGE assigned two staffers to work "part-time for several months" at NLRB.
Appears reactive rather than planned deployment.
Original story - www.npr.org/2025/04/...
The alleged extraction code was hosted on Microsoft-owned GitHub.
Rep. Lynch specifically wants details about attempts to "conceal activities, obstruct oversight, and shield from accountability."
Key context: This follows whistleblower Daniel Berulis's disclosure about ~10GB of data exfiltrated from NLRB's NxGen system.
DOGE engineer Jordan Wick's repo "NxGenBdoorExtract" was made private before investigation.
If you were subscribed to my newsletter you would've already seen this along with over 30k other pros:
vulnu.com/subscribe
Here's a full write-up:
www.vulnu.com/p/unfi...
This fits a pattern: Major supply chain attacks hit Clorox (2023, $356M impact), Sysco (2024, data leak), JBS Foods (2021, $11M ransom).
Targeting distributors maximizes downstream impact.
Market impact: UNFI stock was down 9% after 8-K filing mentioned ongoing disruptions.
Critical infrastructure implications too - UNFI serves hospitals, schools, SNAP retailers.
(It's now down over 20% the last 5 days)
Whole Foods already seeing impacts: Reports of empty freezers, delayed deliveries across multiple states. While they have regional DCs, most center-store items flow through UNFI.
(Still nobody wants Keto bread...)
No confirmation of ransomware yet, but system shutdown suggests containment of potential lateral movement.
No evidence yet of PII/financial data theft. UNFI promising daily updates to major customers.
Whole Foods attempting alternate sourcing but options limited.
Systems affected: Order management, warehouse robotics, transportation scheduling all down.
Staff using paper bills of lading and manual picking - major efficiency hit for a modern supply chain.
UNFI is North America's largest grocery wholesaler ($31B in sales).
Whole Foods represents >10% of their business. Manual operations now in place at distribution centers.
Who remembers when DEFCON hotel got hacked and they had to break out the *cachunk* credit card carbon paper machines?
sorry to nerd snipe you!
oh 100% - but I'm working with at least 3 companies that don't even have normal cloud networks. 100% built on either PaaS stuff like Cloud Run, or all SaaS hosted offerings. And then they don't even have an office.
A lot of startups I work with don't even have a "network" to segment. Times, they are a-changing.
Easy win in terms of budget and effort translating to biggest win in terms of risk reduction.
All other parts of startup security programs that I build are *much* harder.
think about? I've lived it!
I stand by this being a losing battle. Read any Scattered Spider incident report. They register those domains and use them within an hour, and have high success rates.
Join over 30k pros who get cybersecurity news from me every week:
vulnu.com/subscribe
Source report: www.reuters.com/sustainabili...
A hidden radio isn’t proof of malice. But buying black-box gear at grid scale *is* a gamble.
Expect tougher procurement rules, mandatory SBOMs, and more lab tear-downs. If you run renewables: inventory, segment, verify. Every device, every time.
NATO is warning its members that Chinese control of critical infrastructure, including inverters, is “intensifying” and urging allies to cut strategic dependencies.
DOE says it’s pushing for a mandatory Software Bill of Materials (SBOM) so buyers can see *every* radio, chip & library in grid-connected devices.
That’s the same strategy CISA now uses for medical and industrial gear.
Utilities are moving too.
Florida Power & Light - the largest U.S. electric utility - has begun sourcing non-Chinese inverters for new builds, according to industry briefings.
A U.S. Senate bill would bar DHS from buying Chinese batteries after 2027 (H.R. 1166)
Governments are reacting:
Lithuania banned remote Chinese access to >100 kW renewables (Nov 2024)
Legal backdrop: Chinese law (2017 National Intelligence Law) obliges domestic firms to “support, assist & cooperate” with state intelligence work.
That’s why Western agencies treat *undocumented* comms hardware as a national-security risk.
Huawei led global shipments with 29% in 2022, followed by Sungrow & Ginlong Solis.
Europe now runs >200 GW of solar on Chinese inverters - roughly 200 nuclear reactors’ worth of generation.
This isn’t theoretical.
On 15 Nov 2024 Chinese vendor Deye remotely deactivated inverters in the US, UK and Pakistan during a contract dispute, leaving rooftop arrays dark.
Impact: Flipping enough inverters off-line at once can destabilize the grid.
Former NSA director Mike Rogers told Reuters it’s “value” Beijing would want in a crisis.
One analyst called it a “built-in way to physically destroy the grid.”
Security teams have confirmed multiple makes and models with these extra radios in the last nine months.
The labs aren’t saying how many units they’ve torn down. Only that the problem spans *several* suppliers.
Inverters already need remote access for firmware updates, so utilities put them behind firewalls.
A covert LTE module can hop right over that barrier, reach a cloud service in China, and issue commands the operator never sees.
It’s all MCP connections. Not automatically ingesting that data. People voluntarily sending it.
All depends on your threat model! For personal use I don’t judge people from really leaning into this ecosystem.
For business data? Shiiiiiiiit