The day is near when bad actors will use AI to hijack another AI system companies rely on — think chatbots or agents — forcing it to go rogue, according to John Watters, a longtime cybersecurity leader and former leading executive at Google's Mandiant.

• Watters says security companies are now carving out a new vertical of products to respond.
• I spoke with Watters last month as part of our monthly-ish series spotlighting predictions from formative voices in the cybersecurity world.

Why it matters: Watters echoes a warning from another industry titan, Kevin Mandia: The world is only months away from an untraceable cyberattack run entirely by an autonomous AI agent.

• But Watters' twist is even more unsettling: That attack won't be generic. It will be built uniquely for its victim, exploiting a zero-day vulnerability tailored to that company's systems.

The big picture: Security vendors must adapt faster than ever to prepare customers for that new reality. Watters warns that AI tools will make it easier for malicious hackers to personalize their attacks — and to do so at scale.

• That means they won't need to recycle old techniques or turn to flaws in widely used enterprise software to get the most impact. Instead, each strike will exploit a one-of-a-kind weakness in a company with little to no effort.

Reality check: Watters is now CEO of iCounter, a startup building products aimed squarely at that threat, so he's not exactly a neutral observer.

• But he's historically been ahead of the curve. Watters recognized the potential for bug bounty programs decades before they became mainstream, and he had a front-row seat to the evolution of the threat landscape after joining FireEye, which was later acquired by Mandiant.
• After stepping back from cybersecurity in 2022, Watters reentered the field this summer, joining iCounter to help develop its LLM-based tools that spot and block those novel attacks.

Zoom in: Watters predicts that iCounter won't be the only game in town come next spring.

• At next year's RSA Conference — the world's largest gathering of security experts — expect the term AI-DR, or AI detection and response, to dominate the trade show floor, he says.
• Think of AI-DR as a play on the current suite of endpoint detection and response (EDR) tools. But instead of monitoring network endpoints, AI-DR products focus on spotting when adversaries hijack an organization's AI tools — which he says have a huge target on their back because they can be overtaken and forced to hallucinate or go rogue.
• Recent breaches of Salesloft's AI agent underscore the point: Major security companies like Dynatrace, Qualys, CyberArk and Cato Networks are among the latest victims.

What they're saying: "The security gap is the difference between the innovation pace of the adversary and the innovation pace of the defender," Watters says.

• "Adversaries lead. We all think we're innovators — we're not."

Between the lines: Venture capital is betting big on this space, according to a Gartner report released in March. Since 2022, AI-driven detection and response startups have raised more than $730 million.

• Gartner projects that by 2028, 70% of AI implementations in threat detection and incident response will involve multiagent AI — up from 5% as of the report's publication.

Yes, but: Watters expects these tools to drive the conversation at RSAC, but the six months until next year's conference in San Francisco is several lifetimes away in terms of AI development.

Maintainers of several major open-source projects are being targeted in an ongoing phishing campaign designed to spread crypto-stealing malware.

Why it matters: At least one major maintainer said he fell for the fake email, affecting projects collectively downloaded billions of times each week.

Driving the news: Josh Junon, a maintainer of several popular npm packages, said yesterday he fell for an email purportedly from the npm support team.

• The email asked Junon to authorize a reset of his account's two-factor authentication setup by Sept. 10 or get locked out.
• "Sorry everyone, I should have paid more attention," Junon said in a BlueSky post. "Not like me; have had a stressful week. Will work to get this cleaned up."

The big picture: Open-source software underpins most of the tools that power online life. Junon maintains at least 80 npm packages alone.

• Other maintainers of npm projects have reported that they've also received the phishing email.

Between the lines: Supply-chain attacks can spiral quickly — as seen in the 2021 Log4j incident, when millions of systems were instantly vulnerable to hacking after the Apache Software Foundation disclosed a severe vulnerability.

• Even years later, it's still unclear how many organizations were impacted.

Threat level: Attackers are believed to have injected malware into Junon's packages to track crypto transactions and intercept funds.

• Many of Junon's packages receive hundreds of millions of downloads a week, according to BleepingComputer.

What to watch: Security experts are cautioning developers to audit their projects for malicious versions of popular open-source tools, like Chalk, and to rotate login credentials if they did accidentally download the tainted packages.

• Developers are also encouraged to use phishing-resistant MFA tools for developer accounts.

AI tools are helping Russia scale up its disinformation campaign against Ukraine, according new PeakMetrics data shared first with Axios.

Why it matters: Security experts have warned that we're only at the tip of the iceberg in terms of how AI is improving foreign adversaries' disinformation campaigns.

Zoom in: PeakMetrics, an AI-driven analytics company, studied a sample of 5,780 social media posts predominantly on X, Reddit and Instagram published in the last month that all pushed narratives looking to undermine trust in Ukraine's government.

• 28.2% of them showed strong signs of being bots tied to pro-Russian causes, per the company's assessment.
• The posts pushed several major narratives that are common in Russian disinformation campaigns, including the false claim that Ukrainian President Volodymyr Zelenskyy is "illegitimate" and that the Ukrainian government is corrupt and laundering money.

Yes, but: Even though PeakMetrics said there's evidence that the bot operators are using generative AI, the rest of the campaign is pretty similar to campaigns that don't use AI — from the messaging to the lack of engagement on the posts, Molly Dwyer, the company's head of insights, told Axios.

• "It's a lot of laundering the same things," Dwyer said. "What's surprising is that there's not much surprising there."

The intrigue: About 23% of the posts were written in French, a clear attempt to ensure that people in France, a NATO member, also noticed these posts.

• Part of this is because French President Emmanuel Macron has "positioned himself as the last bastion of defense for Ukraine in Europe," Dwyer said. "I don't think it's a coincidence."

Driving the news: The latest Russian-linked bot campaign started in the lead-up to President Donald Trump's meeting with Russian President Vladimir Putin in Alaska last month.

Reality check: The United States is also reportedly looking at ways to tap the potential of AI for its own overseas information operations, according to a U.S. Special Operations Command document reviewed by The Intercept last month.

A former WhatsApp security leader filed a lawsuit yesterday alleging that the Meta-owned messaging service neglected major security and privacy flaws that left users' data and accounts vulnerable.

Why it matters: The whistleblower complaint — the latest in a series against the tech giant — alleges that those security flaws resulted in more than 100,000 accounts being hacked every day.

• Many people turn to WhatsApp, which provides end-to-end encrypted messaging, for the added privacy benefits.

Zoom in: Attaullah Baig, former head of security at WhatsApp, claims in the lawsuit that about 1,500 engineers had unrestricted access to sensitive user data and that the company did not have adequate internal auditing and monitoring tools to see who accessed what data or to detect data breaches.

• The lawsuit, which was first reported by the New York Times, also alleges that he faced retaliation and was eventually fired for sharing his concerns with top executives, including Meta CEO Mark Zuckerberg.

Between the lines: Baig joined WhatsApp in January 2021, a year and a half after Meta had agreed to a privacy settlement with the Federal Trade Commission that called for routine internal audits and stronger privacy practices.

• Baig also shared his concerns with leaders at WhatsApp and across Meta in August 2022, following two cybersecurity incidents affecting WhatsApp users, according to the complaint.

The other side: "Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team," Meta spokesperson Andy Stone said in a statement yesterday.

• Carl Woog, VP of communications at WhatsApp, also said in a statement to Axios that, "Security is an adversarial space and we pride ourselves in building on our strong record of protecting people's privacy."
• Meta said that the claims in the New York Times story were not "fully validated" and that Baig was a software engineering manager who left his role due to poor performance.
• The company pointed out that Baig also filed a complaint with the U.S. Department of Labor, which dismissed his concerns after an investigation.

What's next: The U.S. District Court for the Northern District of California has scheduled an initial case management conference for Dec. 11.

Ransomware victims are paying more to recover from the attacks this year, according to a report released today by cyber insurance firm Resilience.

Why it matters: Ransomware attacks are already pushing companies, universities and hospitals out of business.

By the numbers: Ransomware accounted for 91% of all incurred losses among Resilience's customer base in the first half of 2025, according to the report.

• The cost of a ransomware-related insurance claim jumped 17% year over year, per the report. Resilience did not provide the exact dollar-amount numbers.

Yes, but: The total number of ransomware attacks that turned into claims with incurred losses shrunk: In the first half of 2024, 60% of ransomware claims led to losses, while in the same time this year, 42% of claims led to losses.

What to watch: Ransomware gangs are constantly adapting to keep their schemes profitable, Resilience warned.

• That includes using AI tools to improve each aspect of the kill chain, such as phishing emails and the negotiation process.

@ D.C.

🪖 The Trump administration has abandoned its plans to split up the dual-hat leadership structure at the NSA and Cyber Command. (The Record) And the president is expected to nominate Lt. Gen. William Hartman to lead the offices. (Politico)

💻 FEMA has started several internal security updates after a recent data breach. (Nextgov)

🇺🇸 Nicholas Andersen is now the executive assistant director of cybersecurity at the Cybersecurity and Infrastructure Security Agency. (CyberScoop)

@ Industry

💰 Netskope is looking to raise as much as $813 million at a valuation of up to $6.5 billion in its initial public offering. (Reuters)

✂️ Qantas Airlines cut executives' short-term bonuses by 15% after its security breach this summer. (FlightGlobal)

🇨🇳 Anthropic will stop selling intelligence services to organizations that are majority owned by Chinese entities. (Financial Times)

@ Hackers and hacks

🎨 Ransomware group LunaLock has been trying to extort artists by threatening to include their original work in LLM datasets. (404 Media)

👀 Ross Ulbricht, the creator of the Silk Road dark web marketplace, has been on a cross-country speaking tour ever since his pardon and release from prison in January. (New York Times)

📺 🎤 Who among us is still gagged over the VMAs this weekend? Did you even remember they were on? (It's alright, buddy, the performances are on YouTube.)