This week CISA, the agency whose entire job is telling everyone else how to do cybersecurity, left admin passwords and AWS keys on a public GitHub repo for six months. The repo was called "Private-CISA." A new Mac stealer called Reaper fakes an Apple security update, grabs your password, and raids everything from your Keychain to your crypto wallets. And the 2026 Verizon DBIR landed with a stat every awareness pro needs to hear: people are 40% more likely to fall for phishing by phone or text than email.
We've also got 7-Eleven breached by ShinyHunters, Portugal's postal service leaking real parcel tracking codes, Iran messing with fuel monitors at US petrol stations, and Discord encrypting your calls the same week they started asking for your government ID.
All of that is in this week's The Awareness Angle!
Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
Last week on The Awareness Practitioners
Ant talks about his desires...
Last week on The Awareness Practitioners, Ant went down a rabbit hole about desire paths.
You know those unofficial shortcuts people wear into grass verges because the official path goes the wrong way? Turns out they're one of the most useful frameworks a security awareness practitioner can borrow. What happens when you follow where people actually go, instead of where you built the path?
Listen on Spotify, Apple Podcasts, and YouTube.
This Week's Stories...
CISA Left Its Passwords on Public GitHub
The US Cybersecurity and Infrastructure Security Agency, the actual federal body whose entire job is telling everyone else how to do cybersecurity, has been leaving the keys to its own systems sitting in a public GitHub repo for up to six months. The repo was called "Private-CISA", which somehow makes it worse.
Inside it, researchers found a file literally named "importantAWStokens" containing admin credentials for three Amazon cloud servers used by the US government. Another file, helpfully labelled "AWS-Workspace-Firefox-Passwords.csv", listed dozens of internal usernames and passwords in plain text.
The cause appears to be staggeringly mundane. A contractor working for a firm called Nightwing seems to have been using GitHub as a way to shuffle files between their work and home machines. Think of it as the digital equivalent of leaving a USB stick on the bus, except the bus is the entire internet. GitGuardian, the security firm that found it, had tried to alert the account holder nine times before going public. Their researcher Guillaume Valadon called it the worst leak he had ever seen in his career.
The Awareness Angles:
Nobody is immune, not even the experts - CISA publishes guidance on exactly this kind of thing. And it still happened. The lesson isn't to mock them, it's that controls matter more than awareness alone, because awareness clearly didn't save anyone here.
If the sanctioned way is hard, people will invent shortcuts - The contractor wasn't malicious, they were just trying to move a file. If your organisation doesn't make safe file transfer easy and accessible, people will find their own way. Every time.
Public code repositories are constantly being scanned - The bad guys have the same scanning tools as the security researchers. Once a password or key touches a public repo, treat it as compromised and change it immediately. There is no "we deleted it quickly" defence anymore.
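To show what "constantly being scanned" looks like in practice, here is a small secrets scanner of the kind that flagged the leak. It is an added example written for this newsletter, not GitGuardian's or CISA's code. The file names echo the story, but every value in it is constructed: the AWS key pair is Amazon's published documentation placeholder and the passwords are made up. Run it as a pre-commit hook or over a checkout and anything it lists is a credential that has touched the repo and needs rotating, not just deleting.

```python
"""Toy secrets scanner: AWS key IDs, AWS secrets, password assignments, password CSVs.

Added example for this newsletter, not GitGuardian's or CISA's code. All sample
values below are constructed; the AWS pair is Amazon's documentation placeholder.
"""
import csv
import io
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 uppercase chars.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char secret is only flagged next to a telling variable name, which keeps
# ordinary base64 blobs from drowning the report.
AWS_SECRET_RE = re.compile(r"(?i)aws_?secret(?:_access)?_key\W{0,3}([A-Za-z0-9/+=]{40})")
# password=..., db_password: ... style assignments in scripts, configs and docs.
PASSWORD_ASSIGN_RE = re.compile(r"(?i)(?:pass(?:word)?|pwd)\s*[=:]\s*['\"]?([^\s,;'\"]{6,})")
# Obvious placeholders that would otherwise be noise.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits per character; used to drop dictionary-word values from the report."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_placeholder(value: str) -> bool:
    return value.lower() in PLACEHOLDERS or value.startswith(("<", "${", "{{"))


def scan_csv(name: str, text: str) -> list:
    """Flag every populated cell in a column whose header names a secret."""
    reader = csv.DictReader(io.StringIO(text))
    secret_cols = [c for c in (reader.fieldnames or []) if re.search(r"(?i)pass|pwd|secret|token", c)]
    findings = []
    for lineno, row in enumerate(reader, 2):  # the header occupies line 1
        for col in secret_cols:
            if row.get(col):
                findings.append((name, lineno, f"csv_column:{col}"))
    return findings


def scan_file(name: str, text: str) -> list:
    """Return (file, line, finding_type) tuples; the secret values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID_RE.search(line):
            findings.append((name, lineno, "aws_access_key_id"))
        if AWS_SECRET_RE.search(line):
            findings.append((name, lineno, "aws_secret_access_key"))
        for m in PASSWORD_ASSIGN_RE.finditer(line):
            value = m.group(1)
            if not looks_like_placeholder(value) and shannon_entropy(value) >= 2.0:
                findings.append((name, lineno, "password_assignment"))
    if name.lower().endswith(".csv"):
        findings.extend(scan_csv(name, text))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. built from `git ls-files` in a hook."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_file(name, text))
    return findings


# Constructed repo snapshot; nothing here is a live credential.
SAMPLE_REPO = {
    "importantAWStokens": (
        "# constructed sample, not real credentials\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://intranet.example.invalid,alice,Tr0ub4dor&3\n"
        "https://wiki.example.invalid,bob,correct-horse-battery\n"
    ),
    "README.md": "Copy .env.example and set password=changeme to your own value.\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        # Anything listed has touched the repo: rotate it, deleting the file is not enough.
        print(f"ROTATE  {path}:{lineno}  {kind}")
```

The scanner reports locations and finding types rather than the values themselves, so its output can go into a ticket without re-leaking the secret. The placeholder and entropy filters are there because a scanner that screams about every `password=changeme` in a README gets switched off within a week.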
Reaper: The macOS Stealer That Fakes an Apple Security Update
A new piece of malware targeting Mac users called Reaper is doing the rounds and it is a bold piece of work. It impersonates Apple, Microsoft and Google all in the same attack, shifting its disguise at every stage.
It starts with fake installer websites for apps like WeChat and Miro, hosted on a web address that looks like Microsoft but swaps a lowercase L for the letter i. So "mlcrosoft" instead of "microsoft". Easy to miss, especially on a phone. The user clicks what looks like a legitimate installer and a popup appears pretending to be an Apple security update, asking them to type in their Mac login password.
Once that password is handed over, Reaper goes shopping. It grabs data from password managers, web browsers, the Mac Keychain, iCloud, Telegram and specifically cryptocurrency wallets. It then injects itself into those wallet apps so future theft keeps happening automatically. It also hunts through your Desktop and Documents folders looking for anything that looks like a business or financial file, and sets up a backdoor disguised as "Google Software Update" that phones home every sixty seconds waiting for instructions.
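A backdoor that phones home every sixty seconds is noisy in a very specific way, and that regularity is what a defender can look for. Below is an added example of a beaconing check run over outbound connection logs; it is not code from the Reaper research or from any vendor. The log lines are constructed, and the format (ISO timestamp, source host, destination host:port) is an assumption that will differ from your proxy or firewall export.

```python
"""Beaconing detector: flags (source, destination) pairs whose connections are
evenly spaced, which is how a fixed-interval backdoor looks in a connection log.

Added example, not code from the Reaper write-up. Log lines below are constructed
and the format is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev


def parse_line(line: str):
    """'2026-05-20T09:00:00 src-host dst-host:port' -> (datetime, src, dst)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_hits: int = 5, max_jitter: float = 0.15) -> list:
    """Return pairs with at least min_hits connections whose gap spread
    (population stdev / median gap) is at most max_jitter."""
    by_pair = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst = parse_line(line)
            by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "period_s": round(period, 1),
                            "hits": len(times), "jitter": round(jitter, 3)})
    return sorted(beacons, key=lambda b: b["period_s"])


# Constructed sample: one implant checking in roughly every minute, one person
# browsing at irregular intervals, one pair with too few hits to judge.
SAMPLE_LOG = """
2026-05-20T09:00:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:00:05 mac-42.corp.example news.example.invalid:443
2026-05-20T09:00:07 mac-42.corp.example news.example.invalid:443
2026-05-20T09:00:40 mac-42.corp.example news.example.invalid:443
2026-05-20T09:01:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:02:01 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:03:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:03:10 mac-42.corp.example news.example.invalid:443
2026-05-20T09:03:12 mac-42.corp.example news.example.invalid:443
2026-05-20T09:04:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:04:30 mac-42.corp.example mail.example.invalid:993
2026-05-20T09:05:02 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:06:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:07:00 mac-42.corp.example updates.example.invalid:443
2026-05-20T09:08:00 mac-42.corp.example mail.example.invalid:993
2026-05-20T09:09:00 mac-42.corp.example news.example.invalid:443
"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{b['src']} -> {b['dst']}: every {b['period_s']}s, {b['hits']} hits, jitter {b['jitter']}")
```

Legitimate software updaters and monitoring agents beacon too, so the output is a triage list rather than a verdict: the point is that a process calling itself "Google Software Update" should be checking in to Google-owned infrastructure from a Google-signed binary, and a minute-by-minute heartbeat to anything else deserves a look.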
The Awareness Angles:
Mac users are not immune, and Reaper proves it - The old "I use a Mac so I don't get malware" line has been wrong for a while now. Mac users need the same level of awareness training that Windows users have always needed.
Look at the URL, every single time - mlcrosoft[.]co[.]com (we add the square brackets to break the link) looks normal at a glance, especially on a small screen. A lowercase L where an I should be is one of the oldest tricks going. Always go to the official source by typing it yourself or using a bookmark.
A popup asking for your password is the moment to stop - Real macOS security updates do not ask for your login through random dialogue boxes. If a popup asks for your password and you cannot immediately explain why, close it.
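Telling people to "look at the URL" is the right advice, but the same check can run in a mail gateway or URL filter before a person ever sees the link. The following is an added example of a lookalike-domain check, not code from the Reaper research or any vendor: it normalises each hostname label to a "skeleton" in which confusable characters (l and 1 for i, 0 for o, rn for m, a handful of Cyrillic letters) are replaced by the Latin letter they imitate, then compares against a short brand list. The brand list, the allowlist of genuine domains and the confusable map are assumptions chosen for the demo.

```python
"""Lookalike-domain check: skeleton each label and compare with protected brands.

Added example, not code from the Reaper research or any vendor. BRANDS, GENUINE
and CONFUSABLES are demo assumptions; a production filter would use the Unicode
confusables table and the public suffix list.
"""
import re
from urllib.parse import urlsplit

# Characters attackers swap because they render alike in many fonts.
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i", "!": "i",
    "0": "o", "3": "e", "5": "s", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}
BRANDS = ("microsoft", "apple", "google", "paypal")
GENUINE = {"microsoft.com", "apple.com", "google.com", "paypal.com"}


def skeleton(label: str) -> str:
    """Lowercase, collapse two-letter imitations, then map single confusables."""
    s = label.lower()
    for multi, single in (("rn", "m"), ("vv", "w")):
        s = s.replace(multi, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Naive last-two-labels rule; real code consults the public suffix list,
    # which is exactly why "brand.co.com" slips past simple allowlists.
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as genuine, lookalike (with the brand it imitates) or unknown."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in GENUINE or registrable_domain(host) in GENUINE:
        return {"verdict": "genuine", "host": host}
    # Check every label and hyphenated token, so brand names used as subdomains
    # of an unrelated registrable domain are caught as well.
    for label in re.split(r"[.-]", host):
        sk = skeleton(label)
        for brand in BRANDS:
            bsk = skeleton(brand)
            if sk == bsk or (len(sk) >= 5 and edit_distance(sk, bsk) == 1):
                return {"verdict": "lookalike", "host": host, "label": label, "brand": brand}
    return {"verdict": "unknown", "host": host}


if __name__ == "__main__":
    # Constructed samples; the first mirrors the swap described in the story.
    for u in ("https://mlcrosoft.co.com/download/WeChat.dmg",
              "https://www.microsoft.com/",
              "https://microsoft.co.com/",
              "https://goog1e-update.example/",
              "https://\u0430pple.com/",  # Cyrillic 'а' in place of Latin 'a'
              "https://riskycreative.com/"):
        print(u, check_url(u))
```

Two caveats a practitioner will hit straight away: internationalised hostnames arrive on the wire as punycode (`xn--...`), so decode them before skeletoning, and the "registrable domain" shortcut above is deliberately naive. The reason `mlcrosoft.co.com` works as a lure is partly that `co.com` sells subdomains, so a filter that only looks at the last two labels sees nothing wrong with it.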
The 2026 Verizon Data Breach Investigations Report Is Here
verizon.com/business/resources/reports/dbir/
The annual Verizon DBIR landed this week with its biggest ever dataset: 22,000 confirmed breaches analysed across 145 countries. If you work in security awareness, this is the report you will be quoting for the next twelve months.
The headline finding is that exploiting vulnerabilities in systems has overtaken stolen passwords as the number one way attackers break in, accounting for 31% of breaches. That is a 55% jump in a single year. And while attackers are getting faster, the defenders are going backwards. Only a quarter of known critical vulnerabilities were fully patched last year, down from 38% the year before, and the median time to fix one went from 32 days to 43 days. Organisations are drowning in patches and running out of hours in the day.
Ransomware is still in nearly half of all breaches but the economics are shifting. The average payment is down to under $140,000 and 69% of victims now refuse to pay, just like 7-Eleven did this week. Third-party breaches are the bigger worry though. Breaches involving a supplier, vendor or partner grew 60% year on year and now account for nearly half of all incidents. The ShinyHunters Salesforce campaign we have been covering for weeks is exactly this category in action.
On the human side, the big finding is not that people click phishing links. We already knew that. The big finding is that they click 40% more often when the attack arrives by text message or phone call instead of email. Someone actually calling you up, building rapport, pretending to be from IT or your bank and steering you toward a bad decision is now so common that Verizon has added it as its own category.
And then there is the AI section. Two thirds of employees are using AI tools on work devices with accounts their company does not control. Nearly half are regular AI users, up from 15% the year before. And some of them are uploading proprietary research and technical documents into those tools. The shadow IT problem has a new face, and it is wearing a chatbot.
The Awareness Angles:
Phishing training that only covers email is training for the wrong attack - Voice and text phishing is 40% more effective than email, and email is what the vast majority of training programmes focus on. People need to be just as suspicious of a phone call as they are of an inbox.
Your security is now your suppliers' security - Third-party breaches grew 60% in a year. Every vendor, integration and SaaS platform your organisation uses is part of your attack surface.
Shadow AI is shadow IT with extra data leakage - Two thirds of your users are pasting work data into AI tools you don't control. The answer isn't to ban AI, it's to give people a safe and approved way to use it.
69% of ransomware victims now refuse to pay - That is a genuine win for the defender community. The more public refusals there are, the easier it becomes for the next victim to say no. Worth celebrating and worth sharing.
Discussion points
All stories discussed on this week's episode:
7-Eleven confirms data breach claimed by ShinyHunters - Watch | Read
468K records leaked from Portugal's national postal service - Watch | Read
CISA left its keys on public GitHub - Watch | Read
Iran-linked attacks on US petrol stations - Watch | Read
Reaper, the macOS stealer faking Apple updates - Watch | Read
Discord enables end-to-end encryption for all calls - Watch | Read
The 2026 Verizon DBIR - Watch | Read
Security Social: Face unlock biometric hack - Watch | Read
Security Social: Keshipon privacy roller - Watch | Read
Security Social: Google IO and SynthID - Watch
Security Social: Luke's HMRC robocall scam - Watch
Security Socials
The teenage biometric hack
A dad on LinkedIn shared how his daughter deliberately registered her Face ID while pulling a weird face, so that if someone steals her phone or holds it up to her face while she's unconscious, it won't unlock. Does it actually work with the way facial geometry mapping works? Debatable. But kids are thinking about security in ways most adults aren't, and they're sharing these tricks with each other on the playground. Multi-face authentication might not be a thing yet, but the instinct behind it is spot on. Watch | Read
The Keshipon privacy roller
If you've ever tried to scribble out your name and address on a parcel before putting it in the recycling, this one's for you. The Keshipon is a Japanese roller that stamps a dense mesh of random characters over printed text, making it unreadable. It's analogue security at its finest and arguably more secure than just crossing something out with a pen, because overlapping random characters are harder to reconstruct than simple scribble lines. Available in the UK for about fifteen quid if you're interested. Watch | Read
Google IO and the AI watermark that's actually spreading
Since we recorded this episode, the SynthID story has moved on significantly. We discussed Google's invisible watermark system for AI-generated content and flagged the obvious problem: it only works if everyone agrees to play by the same rules. Well, it turns out OpenAI announced the same week that they're partnering with Google to embed SynthID watermarks into all images generated by ChatGPT. ElevenLabs and Kakao have signed on as well. Google has also rolled SynthID detection into Google Search and Chrome, so you'll be able to check whether an image is AI-generated right where you're actually looking at it rather than having to upload it somewhere else. It's still not a complete solution because open source models trained outside these partnerships will keep producing unlabelled content, but it's a much bigger step than it was when we hit record. Watch
Luke's HMRC robocall
Luke's phone screened a scam call this week claiming to be from HMRC threatening legal action over unreturned documentation. The giveaway? An American robotic voice pretending to be the UK tax office. The call asked the recipient to press one to speak to an officer, which is a common setup for routing you through to a live scam call centre. Luke found Reddit posts from two years ago describing the exact same script, which means it's still running because it's still working on enough people to be worth the effort. Watch