Axios Future of Cybersecurity

September 02, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
- 🍂 Summer's officially over, you heard it here first. All hail pumpkin spice season.
- 📲 Have thoughts, feedback or scoops to share? [email protected] or @SamSabin.01 on Signal.
Today's newsletter is 1,649 words, a 6-minute read.
1 big thing: $27M gap for states' threat intel sharing
Nearly 19,000 state and local government offices could lose access to vital cyber threat intelligence and affordable security tools by the end of the month.
Why it matters: Adversarial hackers have increasingly targeted local governments, law enforcement, utilities and schools in recent years.
- But the Trump administration is pushing to cut funding for an organization that has been helping these entities detect and defend against cyberattacks for decades.
Driving the news: Federal funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) is set to expire on Sept. 30, and the Department of Homeland Security has no plans to request additional dollars.
- MS-ISAC, housed within the Center for Internet Security (CIS), has spent the last 20 years helping state, local and territorial governments share threat information and access tools to bolster their defenses.
- DHS has also not said whether it will renew its cooperative agreement with MS-ISAC. Declining to do so could jeopardize the program's access to federal threat intel.
Catch up quick: In March, DHS slashed $10 million from MS-ISAC's budget, representing about half of its funding at the time.
- Now the program is at risk of losing all $27 million in federal support, the group's leaders told Axios.
What they're saying: "This is the risk for me: that real-time, actionable information that we can share on a national platform with state and local law enforcement ceases to come," Orange County Sheriff Don Barnes, an MS-ISAC member, told Axios. "Then, we're in the dark."
The big picture: Investigating cyber threats is like solving a puzzle — and each tech vendor, company and agency has a different piece.
- Only when they share intelligence can potential victims see the full picture and take action to stop attackers.
- But threat sharing is complicated without groups like MS-ISAC. Organizations worry that detection tools could be leaked or that they could face lawsuits for flagging intrusion attempts.
Between the lines: The Trump administration has pushed to shift the burden of securing critical infrastructure to the states — prompting budget cuts at DHS and other agencies.
- But cutting MS-ISAC funding could undercut states' ability to build up their own defenses.
- "State and local organizations are literally on the front lines of defense for this nation," CIS CEO John Gilligan told Axios. "Our national security depends on the ability of our state and local folks to be able to operate critical infrastructure through these attacks."
Threat level: State and local government entities include schools, utilities and emergency services.
- Hackers have hit everything from 911 dispatch centers to jail management systems, said John Cohen, executive director of CIS' hybrid threats program and a former DHS official.
- "When those occur, if the departments aren't able to withstand those attacks or respond and be resilient to those attacks, it forced them to change their operational capabilities," Cohen said.
Zoom in: Among the emerging threats are drug cartels leveraging cyberattacks to support their operations, Gilligan said.
- "The current administration is making a significant push to expand our efforts to deal with violent gangs, drug trafficking and certain types of terrorist activities," Gilligan said.
- Yet, by cutting funding to threat information sharing, "they actually may be directly undermining the ability to achieve their objectives," he added.
The intrigue: If federal funding ends, MS-ISAC plans to move to a paid membership model.
- But DHS officials have also restricted how state and local governments can use existing federal cyber grants, barring them from using the funds to cover the cost of MS-ISAC membership.
- CIS is eyeing ways to make the new membership affordable in lieu of this support, including through discounted and free memberships.
What to watch: Congressional appropriators have already walked back some of the Trump administration's deeper cyber funding cuts.
- CIS will spend the coming weeks lobbying Senate and House appropriators in hopes of staving off MS-ISAC's budget shortfall.
2. Same old hacking tactics come for AI
Hackers are targeting a popular enterprise-grade AI chatbot in an ongoing supply chain attack, experts warned over the holiday weekend.
Why it matters: In a lot of ways, securing AI isn't that different from securing any other new enterprise tool or plug-in on a device.
Catch up quick: Cyber investigators have spent the last week digging through an apparent ongoing breach of Salesloft Drift, an AI agent that integrates with enterprise tools.
- At first, investigators believed the attacks — in which hackers steal authentication tokens that let them log into Salesloft's Drift AI agent — were limited to Salesforce customers who were using the agent.
- But Google threat researchers warned that they have uncovered new cases where intruders have targeted "a very small number" of Google Workspace accounts that integrate with Salesloft Drift.
Threat level: The attacks are probably even more widespread than investigators have found — with Google also finding evidence suggesting the threat actors have stolen authentication tokens for customers of Slack, Amazon and other major vendors.
- Google warned that all Salesloft Drift AI chat agent users should act as if their security tokens have been compromised and revoke them immediately.
- These tokens could give the attackers the ability to infiltrate customers' online environments. Salesloft Drift can be integrated into nearly 60 third-party software tools.
Driving the news: Over the weekend, cybersecurity vendor Zscaler became the latest known victim of the hacking spree, noting that its Salesforce tools have been compromised.
The big picture: The attacks are getting a lot of attention, in part because of their ties to a new AI tool, but the tactics aren't completely novel.
- Attackers have long exploited either security flaws or stolen login credentials to widely used enterprise tools as a means of hacking into dozens of companies at once.
- Many security leaders fear that autonomous AI agents will make these types of attacks easier for hackers to carry out in the near future.
Between the lines: Companies have been quickly deploying and integrating AI agents into their workflows amid C-suite and board pressure to stay ahead of the changing technological landscape.
- But those quick integrations have also made it harder for security teams to have a comprehensive view of all the new AI tools installed on their employees' systems.
What to watch: Salesloft is continuing to pause all integrations of Drift for Salesforce customers, according to an update Saturday.
- The company has also recommended all customers who use Drift as a plug-in proactively revoke all existing authentication keys.
Yes, but: If this incident plays out like similar supply chain attacks, expect to hear about even more corporate victims in the coming weeks.
3. Two dozen employees fired after FEMA breach
Homeland Security Secretary Kristi Noem said the department fired two dozen employees inside FEMA's IT department after an alleged data breach.
Why it matters: Rarely are entire IT departments fired because of security incidents nowadays — underscoring just how much pressure government IT workers are under during the second Trump administration.
Driving the news: Noem said in a statement Friday that FEMA's chief information officer, chief information security officer and 22 other IT employees had been "immediately terminated" after a threat actor was found accessing the agency's networks.
- Noem said that an internal investigation had uncovered "significant security vulnerabilities," including lack of multifactor authentication and reported failures to fix "known and critical vulnerabilities."
- The statement added that the intrusion was found before any Americans' sensitive data was stolen, and Noem said FEMA's IT leadership had downplayed the extent of the breach.
Yes, but: DHS did not provide any additional details about the vulnerabilities that the threat actor exploited, when the attack happened and who the attacker was.
- DHS did not respond to a request for comment earlier today.
The big picture: Noem's announcement came amid growing tensions between political DHS appointees and FEMA employees.
- Nearly 200 current and former FEMA employees sent a letter to Congress last week warning that the Trump administration's recent "dismantling cuts" at the agency have been "devastating."
- Many of those staffers were put on leave after the letter's publication, according to the Washington Post.
What to watch: The reportedly fired employees have not spoken publicly yet on their departures — and whether they plan to push back in any way.
4. Catch up quick
@ D.C.
🚨 A whistleblower warned that a former senior DOGE official who is now at the Social Security Administration copied the Social Security numbers, names and birthdays of more than 300 million Americans into a private part of the SSA's cloud. (NPR)
🧳 CISA's head of legislative affairs has left the position, just three months after joining the agency. (Nextgov)
🇰🇵 The Treasury Department sanctioned a Russian national and a Chinese company over their alleged ties to ongoing North Korean IT worker fraud operations. (The Record)
@ Industry
🤖 Anthropic named several high-profile national security, cybersecurity and policy experts to a new advisory council. (Axios)
💰 Data security startup Varonis Systems has agreed to acquire AI-based email security provider SlashNext for as much as $150 million. (Bloomberg)
📣 Some tech leaders are calling for AI makers to stop personifying their products to help stymie the number of chatbot-connected mental health tragedies. (Axios)
@ Hackers and hacks
🚗 Jaguar Land Rover said a cyberattack has "severely disrupted" its vehicle production and retail operations. (BBC)
🌎 The FBI and international law enforcement agencies said that China's Salt Typhoon telecom hacking spree has grown exponentially, now accounting for attacks on at least 200 American organizations and 80 countries. (Washington Post)
🔍 Federal and state authorities are actively investigating a ransomware attack interrupting multiple government services across Nevada. (Cybersecurity Dive)
5. 1 fun thing
🏕️ Spent the long weekend unplugged and hanging around some very large trees — 10/10, would recommend.
☀️ See y'all next week!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.





