The Regex That Almost Owned the Cloud: A Masterclass in Modern Cyber Risk

January 23, 2026
Reviews

Patrick Gray returned from a six-week stint in Latin America just in time to host one of the most consequential episodes of Risky Business in recent memory. Joined by regular contributor Adam Boileau and BBC cyber correspondent Joe Tidy, the trio navigated through a news cycle that felt less like a collection of headlines and more like a map of where the industry is heading in 2026.

The Near-Miss That Should Keep You Up at Night

The centerpiece of the discussion was the latest research from Wiz. In what Adam described as a "chef's kiss beautiful" cloud hack, researchers found a vulnerability in the AWS CodeBuild process for GitHub repositories.

The technical failing was deceptively simple: an unanchored regular expression (regex). AWS used a list of approved GitHub user IDs to decide who could trigger code builds, and it checked incoming IDs against that list with a regex. Because the pattern was not anchored to the start and end of the string, an attacker only needed a GitHub account whose numeric ID contained one of the approved IDs as a substring. GitHub hands out IDs sequentially, so the Wiz team bulk-registered accounts until they landed on one that collided in this way, and with it they eventually gained admin access to AWS source code repositories.
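The bug class is easiest to see side by side. The following is an added illustration, not Wiz's research code or anything from AWS: the allowlist, the actor IDs and the ID-hunting loop are all constructed here as a stand-in for the CodeBuild filter the post describes. It shows the unanchored alternation that accepts any ID containing an approved one, the half-fix of anchoring only the start (which still admits an approved ID with extra digits appended), the fully anchored pattern, and the exact-membership check a practitioner should reach for instead of a regex.

```python
"""Unanchored-regex allowlist bypass, illustrated.

Added example, not the page's or Wiz's code. Every ID below is constructed;
nothing here talks to GitHub or AWS.
"""
import re
from typing import Iterable, Optional


def compile_unanchored(approved: Iterable[str]) -> "re.Pattern[str]":
    """The flawed shape: an alternation of approved IDs with no anchors.
    re.search() then accepts any actor ID that merely CONTAINS an approved ID."""
    return re.compile("|".join(re.escape(i) for i in approved))


def compile_anchored(approved: Iterable[str]) -> "re.Pattern[str]":
    """The fix: anchor both ends around the whole alternation group.
    The group matters; '\\A123|456\\Z' would anchor only the outer branches."""
    return re.compile(r"\A(?:" + "|".join(re.escape(i) for i in approved) + r")\Z")


def allowed_unanchored(actor_id: str, approved: Iterable[str]) -> bool:
    """Vulnerable check: substring match anywhere in the actor ID."""
    return compile_unanchored(approved).search(actor_id) is not None


def allowed_start_only(actor_id: str, approved: Iterable[str]) -> bool:
    """Half-fix: re.match() anchors only the start, so the approved ID '1234567'
    still admits an attacker whose ID is '12345678'."""
    return compile_unanchored(approved).match(actor_id) is not None


def allowed_anchored(actor_id: str, approved: Iterable[str]) -> bool:
    """Correct regex check: the whole string must be one of the approved IDs."""
    return compile_anchored(approved).search(actor_id) is not None


def allowed_exact(actor_id: str, approved: Iterable[str]) -> bool:
    """Preferred: an identifier allowlist is a set-membership test, not a regex."""
    return actor_id in set(approved)


def find_colliding_id(approved_id: str, start: int, count: int) -> Optional[str]:
    """Attacker side, simulated: walk sequential account IDs (GitHub assigns them
    in order) looking for one that contains the approved ID as a substring
    without being equal to it. 'start' and 'count' are constructed parameters."""
    for candidate in range(start, start + count):
        s = str(candidate)
        if s != approved_id and approved_id in s:
            return s
    return None


if __name__ == "__main__":
    approved = ["1234567"]  # constructed stand-in for the trusted GitHub user ID
    attacker = find_colliding_id("1234567", 91234560, 20)
    print("colliding attacker ID:", attacker)                        # 91234567
    print("unanchored:", allowed_unanchored(attacker, approved))     # True  (bypass)
    print("start-only:", allowed_start_only("12345678", approved))   # True  (still bypassable)
    print("anchored:  ", allowed_anchored(attacker, approved))       # False
    print("exact:     ", allowed_exact(attacker, approved))          # False
```

The takeaway for review: whenever a regex gates authorization, confirm it is anchored at both ends (`\A...\Z` or `^...$` with no multiline flag), that the anchors wrap the entire alternation, and, better still, ask whether the value being checked is an identifier that should simply be compared for equality.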

The implication is staggering. Had a nation-state actor like North Korea or Russia found this first, they could have backdoored the AWS console globally. It is a sobering reminder that even the most sophisticated cloud providers can be humbled by a few missing characters in a line of code.

AI Malware: The Skepticism is Ebbing

For a long time, the "AI-powered malware" narrative felt like marketing fluff. This episode suggests we are finally crossing the Rubicon. The team analyzed Droidlink, a modular Linux-based malware framework built using the Zig programming language.

What makes Droidlink different is the evidence behind its creation. Checkpoint Labs discovered design documentation and sprint logs that appeared to be generated by AI agents. While the industry remains cautious about over-hyping automated hacking, the speed and competence of this development suggest that single actors are now wielding the power of entire dev teams by using agentic systems like the Tray AI platform.

Politics at the Top: The RSA Boycott

The conversation took a sharp turn into the messy intersection of cybersecurity and Washington politics. Jen Easterly, the former Director of CISA, has been appointed CEO of the RSA Conference. This move has apparently triggered a quiet directive within the current administration for federal employees to skip the event.

Patrick and Adam didn't mince words, describing the situation as "petulant and vindictive." RSA has historically been the primary bridge between the private sector and the federal government; burning that bridge because of a leadership change creates a vacuum that helps no one but the adversaries.

The Cruelest Attack: Understanding the Sociopath

The episode concluded with a deep dive into Joe Tidy’s new book, Control or Chaos, which chronicles the rise and fall of Julius Kivimäki (known as Zekiel). Kivimäki was the force behind the Vastamo hack, where he blackmailed individual psychotherapy patients by threatening to reveal their deepest secrets.

Tidy’s insights into the "centers of gravity" in hacking communities were particularly illuminating. He argues that these groups often push the most anarchic, amoral individuals to the top—not because they are the best coders, but because they are the ones who simply do not care about the human cost of their actions.

The Golden Nugget

"There are things cyber is good at, and actually having effects is not really top of the list. But it is good for the US to have everybody else being a little bit scared just in case they do have amazing cyber that can turn off the power."

Risky Business #821 serves as a high-signal reminder that while we worry about AI-generated code, the most dangerous vulnerabilities often remain human: a poorly written regex, a political grudge, or a teenager with a total lack of empathy.


Listen to Risky Business: https://podranker.com/podcast/risky-business