Home Depot’s new DeWalt deal comes with a free power tool – how to redeem the offer

Get a jump on lawn care projects with this DeWalt string trimmer and leaf blower bundle – plus choose an extra tool or extra battery for free.

Latest news – ​Read More

Russia’s ‘Fancy Bear’ APT Continues Its Global Onslaught

Victims don’t need to match the cybercrime group’s technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.

darkreading – ​Read More

Hackers Exploit Adobe PDF Flaw for Months to Steal Data, No Fix Yet

A critical Adobe Acrobat zero-day has been exploited for months via malicious PDFs to steal data and potentially take over systems, with no patch yet available.

Security Archives – TechRepublic – ​Read More

I tested CuerdOS and its unique app lineup is even better than its blazing speed

CuerdOS is a niche Debian-based distro with an alternative approach to preinstalled software – and it’s truly a breath of fresh air.

Latest news – ​Read More

Mythos autonomously exploited vulnerabilities that survived 27 years of human review. Security teams need a new detection playbook

A 27-year-old bug sat inside OpenBSD’s TCP stack while auditors reviewed the code, fuzzers ran against it, and the operating system earned its reputation as one of the most security-hardened platforms on earth. Two packets could crash any server running it. Finding that bug cost a single Anthropic discovery campaign approximately $20,000. The specific model run that surfaced the flaw cost under $50.

Anthropic’s Claude Mythos Preview found it. Autonomously. No human guided the discovery after the initial prompt.

The capability jump is not incremental

On Firefox 147 exploit writing, Mythos succeeded 181 times versus 2 for Claude Opus 4.6. A 90x improvement in a single generation. SWE-bench Pro: 77.8% versus 53.4%. CyberGym vulnerability reproduction: 83.1% versus 66.6%. Mythos saturated Anthropic’s Cybench CTF at 100%, forcing the red team to shift to real-world zero-day discovery as the only meaningful evaluation left. Then it surfaced thousands of zero-day vulnerabilities across every major operating system and every major browser, many one to two decades old. Anthropic engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke up to a complete, working exploit by morning, according to Anthropic’s red team assessment.

Anthropic assembled Project Glasswing, a 12-partner defensive coalition including CrowdStrike, Cisco, Palo Alto Networks, Microsoft, AWS, Apple, and the Linux Foundation, backed by $100 million in usage credits and $4 million in open-source grants. Over 40 additional organizations that build or maintain critical software infrastructure also received access. The partners have been running Mythos against their own infrastructure for weeks. Anthropic committed to a public findings report “within 90 days,” landing in early July 2026.

Security directors got the announcement. They didn’t get the playbook.

“I’ve been in this industry for 27 years,” Cisco SVP and Chief Security and Trust Officer Anthony Grieco told VentureBeat in an exclusive interview at RSAC 2026. “I have never been more optimistic for what we can do to change security because of the velocity. It’s also a little bit terrifying because we’re moving so quickly. It’s also terrifying because our adversaries have this capability as well, and so frankly, we must move this quickly.”

Security directors saw this story told fifteen different ways this week, including VentureBeat’s exclusive interview with Anthropic’s Newton Cheng. As one widely shared X post summarizing the Mythos findings noted, the model cracked cryptography libraries, broke into a production virtual machine monitor, and gave engineers with zero security training working exploits by morning. What that coverage left unanswered: Where does the detection ceiling sit in the methods they already run, and what should they change before July?

Seven vulnerability classes that show where every detection method hits its ceiling

  1. OpenBSD TCP SACK, 27 years old. Two crafted packets crash any server. SAST, fuzzers, and auditors missed a logic flaw requiring semantic reasoning about how TCP options interact under adversarial conditions. Campaign cost ~$20,000. Anthropic notes the $50 per-run figure reflects hindsight.

  2. FFmpeg H.264 codec, 16 years old. Fuzzers exercised the vulnerable code path 5 million times without triggering the flaw, according to Anthropic. Mythos caught it by reasoning about code semantics. Campaign cost ~$10,000.

  3. FreeBSD NFS remote code execution, CVE-2026-4747, 17 years old. Unauthenticated root from the internet, per Anthropic’s assessment and independent reproduction. Mythos built a 20-gadget ROP chain split across multiple packets. Fully autonomous.

  4. Linux kernel local privilege escalation. Mythos chained two to four low-severity vulnerabilities into full local privilege escalation via race conditions and KASLR bypasses. CSA’s Rich Mogull noted Mythos failed at remote kernel exploitation but succeeded locally. No automated tool chains vulnerabilities today.

  5. Browser zero-days across every major browser. Thousands identified. Some required human-model collaboration. In one case, Mythos chained four vulnerabilities into a JIT heap spray, escaping both the renderer and the OS sandboxes. Firefox 147: 181 working exploits versus two for Opus 4.6.

  6. Cryptography library vulnerabilities (TLS, AES-GCM, SSH). Implementation flaws enabling certificate forgery or decryption of encrypted communications, per Anthropic’s red team blog and Help Net Security. A critical Botan library certificate bypass was disclosed the same day as the Glasswing announcement. Bugs in the code that implements the math. Not attacks on the math itself.

  7. Virtual machine monitor guest-to-host escape. Guest-to-host memory corruption in a production VMM, the technology keeping cloud workloads from seeing each other’s data. Cloud security architectures assume workload isolation holds. This finding breaks that assumption.

Nicholas Carlini, in Anthropic’s launch briefing: “I’ve found more bugs in the last couple of weeks than I found in the rest of my life combined.”

VentureBeat’s prescriptive matrix

| Vulnerability Class | Why Current Methods Miss It | What Mythos Does | Security Director Action |
| --- | --- | --- | --- |
| OS kernel logic (OpenBSD 27yr, Linux 2-4 chain) | SAST lacks semantic reasoning. Fuzzers miss logic flaws. Pen testers time-boxed. Bounties scope-exclude kernel. | Chains 2-4 low-severity findings into local priv-esc. ~$20K campaign. | Add AI-assisted kernel review to pen test RFPs. Expand bounty scope. Request Glasswing findings from OS vendors before July. Re-score clustered findings by chainability. |
| Media codec (FFmpeg 16yr H.264) | SAST unflagged. Fuzzers hit path 5M times, never triggered. | Reasons about semantics beyond brute-force. ~$10K campaign. | Inventory FFmpeg, libwebp, ImageMagick, libpng. Stop treating fuzz coverage as security proxy. Track Glasswing codec CVEs from July. |
| Network stack RCE (FreeBSD 17yr, CVE-2026-4747) | DAST limited at protocol depth. Pen tests skip NFS. | Full autonomous chain to unauthenticated root. 20-gadget ROP chain. | Patch CVE-2026-4747 now. Inventory NFS/SMB/RPC services. Add protocol fuzzing to 2026 cycle. |
| Multi-vuln chaining (2-4 sequenced, local) | No tool chains. Pen testers hours-limited. CVSS scores in isolation. | Autonomous local chaining via race conditions + KASLR bypass. | Require AI-assisted chaining in pen test methodology. Build chainability scoring. Budget AI red teams for 2026. |
| Browser zero-days (thousands, 181 Firefox exploits) | Bounties + continuous fuzzing missed thousands. Some required human-model collaboration. | 90x over Opus 4.6. Chained 4 vulns into JIT heap spray escaping renderer + OS sandbox. | Shorten patch SLA to 72hr critical. Pre-stage pipeline for July cycle. Pressure vendors for Glasswing timelines. |
| Crypto libraries (TLS, AES-GCM, SSH, Botan bypass) | SAST limited on crypto logic. Pen testers rarely audit crypto depth. Formal verification not standard. | Found cert forgery + decryption flaws in battle-tested libraries. | Audit all crypto library versions now. Track Glasswing crypto CVEs from July. Accelerate PQC migration. |
| VMM / hypervisor (guest-to-host memory corruption) | Cloud security assumes isolation. Few pen tests target hypervisor. Bounties rarely scope VMM. | Guest-to-host escape in production VMM. | Inventory hypervisor/VMM versions. Request Glasswing findings from cloud providers. Reassess multi-tenant isolation assumptions. |

Attackers are faster. Defenders are patching once a year.

The CrowdStrike 2026 Global Threat Report documents a 29-minute average eCrime breakout time, 65% faster than 2024, with an 89% year-over-year surge in AI-augmented attacks. CrowdStrike CTO Elia Zaitsev put the operational reality plainly in an exclusive interview with VentureBeat. “Adversaries leveraging agentic AI can perform those attacks at such a great speed that a traditional human process of look at alert, triage, investigate for 15 to 20 minutes, take an action an hour, a day, a week later, it’s insufficient,” Zaitsev said. A $20,000 Mythos discovery campaign that runs in hours replaces months of nation-state research effort.

CrowdStrike CEO George Kurtz reinforced that timeline pressure on LinkedIn the same day as the Glasswing announcement. “AI is creating the largest security demand driver since enterprises moved to the cloud,” Kurtz wrote. The regulatory clock compounds the operational one. The EU AI Act’s next enforcement phase takes effect August 2, 2026, imposing automated audit trails, cybersecurity requirements for every high-risk AI system, incident reporting obligations, and penalties up to 3% of global revenue. Security directors face a two-wave sequence: July’s Glasswing disclosure cycle, then August’s compliance deadline.

Mike Riemer, Field CISO at Ivanti and a 25-year US Air Force veteran who works closely with federal cybersecurity agencies, told VentureBeat what he is hearing from the government. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer said. “They’re able to reverse engineer a patch within 72 hours. So if I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.” Riemer was blunt about where that leaves the industry. “They are so far in front of us as defenders,” he said.

Grieco confirmed the other side of that collision at RSAC 2026. “If you talk to an operational team and many of our customers, they’re only patching once a year,” Grieco told VentureBeat. “And frankly, even in the best of circumstances, that is not fast enough.”

CSA’s Mogull makes the structural case that defenders hold the long-term advantage: fix a vulnerability once and every deployment benefits. But the transition period, when attackers reverse-engineer patches in 72 hours and defenders patch once a year, favors offense.

Mythos is not the only model finding these bugs. Researchers at AISLE, an AI cybersecurity startup, tested Anthropic’s showcase vulnerabilities on small, open-weights models and found that eight out of eight detected the FreeBSD exploit. AISLE says one model had only 3.6 billion parameters and costs 11 cents per million tokens, and that a 5.1-billion-parameter open model recovered the core analysis chain of the 27-year-old OpenBSD bug. AISLE’s conclusion: “The moat in AI cybersecurity is the system, not the model.” That makes the detection ceiling a structural problem, not a Mythos-specific one. Cheap models find the same bugs. The July timeline gets shorter, not longer.

Over 99% of the vulnerabilities Mythos has identified have not yet been patched, per Anthropic’s red team blog. The public Glasswing report lands in early July 2026. It will trigger a high-volume patch cycle across operating systems, browsers, cryptography libraries, and major infrastructure software. Security directors who have not expanded their patch pipeline, re-scoped their bug bounty programs, and built chainability scoring by then will absorb that wave cold. July is not a disclosure event. It is a patch tsunami.

What to tell the board

Every security director tells the board “we have scanned everything.” Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, told VentureBeat that the statement does not survive Mythos without a qualifier.

“What security leaders actually mean is: we have exhaustively scanned for what our tools know how to see,” Baer said in an exclusive interview with VentureBeat. “That’s a very different claim.”

Baer proposed reframing residual risk for boards around three tiers: known-knowns (vulnerability classes your stack reliably detects), known-unknowns (classes you know exist but your tools only partially cover, like stateful logic flaws and auth boundary confusion), and unknown-unknowns (vulnerabilities that emerge from composition, how safe components interact in unsafe ways). “This is where Mythos is landing,” Baer said.

The board-level statement Baer recommends: “We have high confidence in detecting discrete, known vulnerability classes. Our residual risk is concentrated in cross-function, multi-step, and compositional flaws that evade single-point scanners. We are actively investing in capabilities that raise that detection ceiling.”

On chainability, Baer was equally direct. “Chainability has to become a first-class scoring dimension,” she said. “CVSS was built to score atomic vulnerabilities. Mythos is exposing that risk is increasingly graph-shaped, not point-in-time.” Baer outlined three shifts security programs need to make: from severity scoring to exploitability pathways, from vulnerability lists to vulnerability graphs that model relationships across identity, data flow, and permissions, and from remediation SLAs to path disruption, where fixing any node that breaks the chain gets priority over fixing the highest individual CVSS.

“Mythos isn’t just finding missed bugs,” Baer said. “It’s invalidating the assumption that vulnerabilities are independent. Security programs that don’t adapt, from coverage thinking to interaction thinking, will keep reporting green dashboards while sitting on red attack paths.”
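
The path-disruption scoring Baer describes, as an added example (not code from VentureBeat, Anthropic or any scanner vendor): findings are modelled as edges between attacker positions, and each finding is ranked by how many entry-to-target chains it breaks rather than by its own CVSS score. The state names, finding IDs and scores are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: each finding moves an attacker from one
# position (state) to another. IDs, states and scores are hypothetical.
FINDINGS = [
    # (finding_id, from_state, to_state, cvss)
    ("F1", "internet", "web_user", 5.3),
    ("F2", "web_user", "app_shell", 6.1),
    ("F3", "app_shell", "kernel_leak", 3.3),  # low-severity info leak
    ("F4", "kernel_leak", "root", 4.7),       # low-severity race condition
    ("F5", "internet", "vpn_user", 4.3),
    ("F6", "vpn_user", "app_shell", 5.0),
    ("F7", "internet", "dmz_dos", 9.1),       # high score, but a dead end
]


def attack_paths(findings, source, target):
    """Return every simple chain of finding IDs leading from source to target."""
    out = defaultdict(list)
    for fid, src, dst, _ in findings:
        out[src].append((fid, dst))

    paths = []

    def walk(state, visited, chain):
        if state == target:
            paths.append(list(chain))
            return
        for fid, nxt in out.get(state, []):
            if nxt in visited:  # never revisit a state: simple paths only
                continue
            chain.append(fid)
            walk(nxt, visited | {nxt}, chain)
            chain.pop()

    walk(source, {source}, [])
    return paths


def cvss_ranking(findings):
    """Classic ordering: highest individual score first."""
    return [f[0] for f in sorted(findings, key=lambda f: -f[3])]


def disruption_ranking(findings, source, target):
    """Order findings by number of attack paths a fix would break (CVSS as tie-break)."""
    paths = attack_paths(findings, source, target)
    rows = [(fid, sum(1 for p in paths if fid in p), cvss)
            for fid, _, _, cvss in findings]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))


def chokepoints(findings, source, target):
    """Findings that sit on every path: fixing any one removes all chains."""
    paths = attack_paths(findings, source, target)
    if not paths:
        return set()
    return set.intersection(*(set(p) for p in paths))


def remaining_paths(findings, fixed, source, target):
    """Count the attack paths left after the findings in `fixed` are remediated."""
    left = [f for f in findings if f[0] not in fixed]
    return len(attack_paths(left, source, target))


if __name__ == "__main__":
    print("CVSS order:      ", cvss_ranking(FINDINGS))
    print("Disruption order:", disruption_ranking(FINDINGS, "internet", "root"))
    print("Chokepoints:     ", chokepoints(FINDINGS, "internet", "root"))
```

On this sample the CVSS ordering puts the dead-end 9.1 finding first, while the disruption ordering puts the 4.7 and 3.3 findings first because each sits on both chains to root.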

VentureBeat will update this story with additional operational details from Glasswing’s founding partners as interviews are completed.

Security | VentureBeat – ​Read More

The threat hunter’s gambit

Welcome to this week’s edition of the Threat Source newsletter. 

“Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.” ― Richard Feynman  

“I had discovered that learning something, no matter how complex, wasn’t hard when I had a reason to want to know it.” ― Homer Hickam, Rocket Boys  

*looks around at – gestures – everything*  

*opens a new tab in the browser, takes in the newest news on AI, a new tab on supply chains, a new tab on vulnerability, and a new tab on active exploitation and zero-days*   

*closes tabs and throws laptop into the nearest bin, à la Ron Swanson*  

*opens other laptop, avoids the internet*  

*puts on headphones for deep work binaural audio*  

*cracks knuckles*  

I’m often asked about why I bring up board games and video games when interviewing prospective analysts or threat hunters, so I’m going to give the 8,000 foot view on my thoughts. With everything that is going on, now more than ever we need the most curious people on the planet on our side.

What’s the very first and most important step to securing any environment? Knowing the environment, inside and out. When you play any game, you must understand the rules: the standard opening moves of chess, or Go, or perhaps the common resource-gathering patterns in strategy games. Once you understand what “normal” play looks like, you can immediately spot when an opponent makes a move that is inefficient or unusual — an anomalous trigger that, if spotted, can lead to victory.

When experienced players recognize patterns (a specific chess gambit, a defensive build in a strategy game, etc.), they don’t just react to the current move — they predict several moves into the future from both players, especially if they know their opponents’ tendencies. As players gain experience and play against other skilled players, they begin involving feints or decoys (false flags, if you will). A player might sacrifice a minor piece to distract you from their true objective. Learning to look past that “noise” to find the real motivation is the key to taking your experience and skill to the next level.   

Threat actors rarely follow a predictable script. They constantly evolve tactics, techniques, and procedures (TTPs). Developing the mental flexibility to handle those unexpected, non-standard behaviors is essential in identifying the unknowns.  

The transition from board games to threat hunting is rooted in the development of critical thinking and situational awareness. While board games provide a controlled environment to practice these skills, the core competency — that ability to identify the why behind a deviation — is exactly what will make you a successful threat hunter.  

“I prefer to speak in metaphor: That way, no logic can trap me, and no rule can bind me, and no fact can limit me or decide for me what’s possible.” ― Claire Oshetsky, Chouette 

The one big thing 

Cisco Talos has observed threat actors weaponizing legitimate SaaS notification pipelines, such as those in GitHub and Jira, to deliver phishing and spam emails. By leveraging these platforms’ official infrastructure, attackers bypass traditional email authentication protocols like SPF, DKIM, and DMARC. This “Platform-as-a-Proxy” (PaaP) technique exploits the implicit trust organizations place in system-generated notifications to facilitate credential harvesting. These campaigns effectively mask malicious intent behind the reputation of trusted enterprise tools.

Why do I care? 

Traditional email security gateways are often blind to these attacks because the emails are technically authenticated and originate from verified, trusted domains. This technique exploits “automation fatigue,” where users are conditioned to reflexively trust system-generated alerts from business-critical platforms. Consequently, attackers can bypass standard perimeter defenses, making it harder to distinguish between legitimate business communications and sophisticated phishing attempts. 

So now what? 

Transition to a Zero-Trust approach by implementing instance-level verification and cross-referencing notifications against internal SaaS directories. Security teams should ingest SaaS API logs into their SIEM to detect anomalous precursor activities, such as suspicious project creation or mass invitations. Additionally, introduce friction for high-risk interactions by requiring out-of-band verification and apply semantic intent analysis to identify notifications that deviate from a platform’s established functional baseline. 
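
One way to express the "mass invitations after project creation" precursor check over ingested SaaS audit events, as an added example (not Talos code and not any platform's real log schema): the JSON field names, the action names `project.create` and `member.invite`, the thresholds and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample audit events (hypothetical schema, one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2026-04-08T09:00:00Z","actor":"alice","action":"project.create","target":"Q2 Roadmap"}
{"ts":"2026-04-08T09:05:00Z","actor":"alice","action":"member.invite","target":"carol@example.com"}
{"ts":"2026-04-08T09:20:00Z","actor":"alice","action":"member.invite","target":"dave@example.com"}
{"ts":"2026-04-08T08:00:00Z","actor":"bob","action":"member.invite","target":"p1@partner.test"}
{"ts":"2026-04-08T09:00:00Z","actor":"bob","action":"member.invite","target":"p2@partner.test"}
{"ts":"2026-04-08T10:00:00Z","actor":"bob","action":"member.invite","target":"p3@partner.test"}
{"ts":"2026-04-08T11:00:00Z","actor":"bob","action":"member.invite","target":"p4@partner.test"}
{"ts":"2026-04-08T12:00:00Z","actor":"bob","action":"member.invite","target":"p5@partner.test"}
{"ts":"2026-04-08T10:00:00Z","actor":"mallory-x","action":"project.create","target":"Invoice overdue"}
{"ts":"2026-04-08T10:01:00Z","actor":"mallory-x","action":"member.invite","target":"u1@victim-a.test"}
{"ts":"2026-04-08T10:01:30Z","actor":"mallory-x","action":"member.invite","target":"u2@victim-a.test"}
{"ts":"2026-04-08T10:02:00Z","actor":"mallory-x","action":"member.invite","target":"u3@victim-b.test"}
{"ts":"2026-04-08T10:02:30Z","actor":"mallory-x","action":"member.invite","target":"u4@victim-b.test"}
{"ts":"2026-04-08T10:03:00Z","actor":"mallory-x","action":"member.invite","target":"u5@victim-c.test"}
{"ts":"2026-04-08T10:03:30Z","actor":"mallory-x","action":"member.invite","target":"u6@victim-c.test"}
"""


def find_invite_bursts(log_text, internal_domain="example.com",
                       window=timedelta(minutes=10), threshold=5,
                       fresh=timedelta(minutes=30)):
    """Flag actors who invite >= threshold external addresses inside one window.

    Each alert also records whether the same actor created a project shortly
    before the burst, the precursor pattern the newsletter calls out.
    """
    invites = defaultdict(list)  # actor -> timestamps of external invites
    created = defaultdict(list)  # actor -> timestamps of project creation
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], TS_FMT)
        if ev["action"] == "project.create":
            created[ev["actor"]].append(ts)
        elif ev["action"] == "member.invite":
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain != internal_domain:
                invites[ev["actor"]].append(ts)

    alerts = []
    for actor, times in sorted(invites.items()):
        times.sort()
        start, best, best_first = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best:
                best, best_first = end - start + 1, times[start]
        if best >= threshold:
            new_project = any(timedelta(0) <= best_first - c <= fresh
                              for c in created[actor])
            alerts.append({"actor": actor, "count": best,
                           "first": best_first.strftime(TS_FMT),
                           "new_project": new_project})
    return alerts


if __name__ == "__main__":
    for alert in find_invite_bursts(SAMPLE_LOG):
        print(alert)
```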

Top security headlines of the week 

Tech giants launch AI-powered “Project Glasswing” 
Major technology companies have joined forces in an effort to use advanced artificial intelligence to identify and address security flaws in the world’s most critical software systems. (CyberScoop)

Russian government hackers broke into thousands of home routers to steal passwords 
Fancy Bear, or APT 28, is known for its high-profile hacks and spying operations, including the breach of the U.S. Democratic National Committee in 2016 and the destructive hack that hit satellite provider Viasat in 2022. (TechCrunch)

Storm-1175 deploys Medusa ransomware at “high velocity” 
Storm-1175 has rapidly exploited more than a dozen n-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor’s Privileged Remote Access. (Dark Reading)

North Korean hackers pose as trading firm to steal $285M from Drift 
A group of individuals approached Drift staff at a “major crypto conference,” presenting as a professional quantitative trading firm. They went so far as to deposit $1M of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. (HackRead)

Telehealth giant Hims & Hers says its customer support system was hacked 
A spokesperson for Hims & Hers said the company was hit by a social engineering attack, and the stolen data “primarily included customer names and email addresses.” (TechCrunch)

Can’t get enough Talos? 

New Lua-based malware observed in targeted attacks against Taiwanese organizations 
Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” 

Vulnerabilities old and new and something React2 
2025 was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of the year. 

From the field to the report and back again 
The same Year in Review report that Talos IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles. Here’s how you can start. 

Talos Takes: 2025’s ransomware trends and zombie vulnerabilities 
In this episode, Amy and Pierre Cadieux unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy “living off the land” tactics, we break down what these shifts mean for your defense strategy. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

Cisco Talos Blog – ​Read More

I use ChatGPT’s new Tubi app to find free movies and TV shows to watch – here’s how

The free Tubi TV video streamer now integrates with ChatGPT so you can ask the AI to search the site’s lineup of more than 300,000 movies and TV episodes.

Latest news – ​Read More

Apple’s iOS 26.4.1 update enables Stolen Device Protection by default now – grab it today

The latest iOS update also repairs a glitch with iCloud syncing and comes with the usual bug fixes.

Latest news – ​Read More

The best dedicated web hosting of 2026: Expert tested and reviewed

Discover my picks for the top dedicated web hosting providers, with detailed insights on performance, security, and reliability.

Latest news – ​Read More

My top 5 Linux desktops of 2026 (so far) – and I’ve tried them all

I’ve spent decades testing nearly every Linux desktop. Which one should you try today? I’ve narrowed your options down to five.

Latest news – ​Read More