šŸŽ“ļø Vulnerable U | #170

Microsoft kicked the hornet's nest, Mythos be Mythosing, FBI warnings about in-person social engineering, and much more!

Read Time: 5 minutes


Howdy friends!

What a week! Opus 4.8 dropped. Microsoft pissed off the entire security community. Malware keeps malware-ing. Mythos is out there hacking the planet. And here we are. Clocking in for our shift at the vuln mines.

I’m giving that keynote in the Caymans next week, so let me know if you have any shady offshore finance stuff you need done.

Let's get to it.

ICYMI

šŸ–Šļø Something I wrote: Why I’m worried about AI agents downloading malicious packages

šŸŽ§ļø Something I heard: Whats that? I started a podcast with LowLevel? But of course we did. Now found in a podcast store near you.

🎤 Something I said: What the hell is going on at CISA?

🔖 Something I read: Cloudflare’s Mythos write-up is a very solid read with good lessons learned.

Vulnerable News

This got me riled up today on stream. I recorded a YouTube video about it; it will be out soon. But Microsoft got a bit nostalgic about the early 2000s and is now threatening legal action against security researchers again. The community has absolutely exploded with stories of their nightmare experiences trying to work through the “responsible” disclosure processes. The pattern is clear - they are slow, non-communicative, and consistently downplay security vulnerabilities, not rewarding researchers, not crediting researchers, and then fixing the vulns anyway.

Casey Ellis (founder of Bugcrowd) wrote recently about this on an unrelated public disclosure issue with Citrix, but he captures the whole thing we’re talking about this week beautifully. I consider this required reading: Coordinated, Until It Isn't

As he states, the “responsible” disclosure social contract is that the vendor is also responsible/responsive. If the vendor isn’t holding up their end of the bargain, full disclosure is the agreed-upon path. This is to keep the asymmetry of power and legal consequences a bit more balanced and to hold vendors accountable. The real goal at the end of the day is a more secure internet, not for the vendor to have the cheapest and least embarrassing vulnerability patching lifecycle possible. If you ostracize and threaten security research, we end up with a less secure internet as more talent will refuse to work with you.

As their own CEO said, the answer is clear: do security. Threatening researchers isn’t doing security. (read more)

Oligo ran the runtime telemetry on what's actually executing inside production AI stacks, not what's sitting in a requirements.txt. It's the most data-driven look at the AI runtime landscape I've seen this year, and one number in it reframes a lot of the vendor noise from the last 18 months.

No company in their dataset runs Anthropic without also running OpenAI. Not one. 36% have both installed. Zero go Anthropic-only.

Every "OpenAI killer" take assumed companies would switch. What the runtime shows is that nobody switches. They add Anthropic as a secondary, usually for specific tasks (long context, code, certain reasoning jobs), while OpenAI stays as the default. The full dataset has more numbers like this one. Grab the full report now.

*Sponsored

Signal users are getting hit with a new phishing scam where hackers pose as Signal support claiming their backups are about to vanish due to a "sync issue." The fake support messages ask users to hand over their recovery keys to "save" their chat history - which... is what you shouldn't do. Josh Rogin from the Washington Post flagged this after anti-CCP activists started getting targeted, though it looks like the campaign might be casting a wider net based on reports from Access Now's security folks.

Interesting that this is going after Signal's relatively new Secure Backups feature, which lets you store encrypted chat history on Signal's servers. Previous Signal phishing attempts usually tried to hijack accounts outright, but this approach is a bit more surgical - if they get your recovery key, they can decrypt all your old messages, photos, and documents. Signal will never message you first and definitely won't ask for your PIN or recovery keys. If you see a "Signal Support" chat pop up, it's not them. (read more)

Apple just open-sourced their quantum-resistant crypto implementation for corecrypto along with the formal verification tools they built to mathematically prove it's correct. This isn't your typical "trust us, we tested it" approach. They literally used mathematical proofs to verify their ML-KEM and ML-DSA implementations work exactly as the FIPS specs intended, covering over 2.5 billion devices.

Their formal verification process caught a nasty bug that traditional testing missed. There was a missing step in the ML-DSA code that would have silently broken digital signatures - meaning iMessage users could have thought their messages were authenticated when they actually weren't. Apple's releasing their Cryptol-to-Isabelle translator and verification methodology, which should be a goldmine for other developers working on post-quantum crypto. (read more)

The 2026 data breach investigations report shows that exploitation is now 31% of breaches, median time to full remediation rose to 43 days, and 184 million known exploited vulnerability instances sat open past day 28.

Discovery is cheaper and faster than ever, but picking what to fix is getting harder. Empirical Security builds local predictive models that tell your team which vulns actually matter in your environment. (read more)

*Sponsored

Anthropic with their initial Project Glasswing update. Of course, please read this through a "there is marketing mixed in" lens - but it's good data to stay on top of. Their Mythos model has been going through open-source code for six months and found over 23,000 vulnerabilities across more than 1,000 projects. Over 6,000 of these are high or critical severity bugs, with about 1,500 confirmed as legitimate issues. Only 100 have been patched so far, which gives you an idea of the scale we're dealing with.

While big players like Mozilla, Cloudflare, and various government agencies are lining up for access to scan their own stuff, the open-source maintainer community is getting absolutely swamped. Bug bounty programs are either shutting down or banning AI-generated reports entirely because sorting through the flood of automated submissions is becoming impossible. Some maintainers are literally asking Anthropic to slow down because they can't keep up with the flood of legitimate bug reports. (read more)

Conference organizers, you might want to check your Pretalx installations. Novee Security found a stored XSS (CVE-2026-41241) that let attackers plant malicious code in talk submissions that would execute the moment an organizer searched for their proposal. The clever bit was chaining together legitimate platform features - file uploads and search display - to bypass both the platform's security and browser protections.

Submit booby-trapped talk proposals to multiple conferences, stuff the titles with common search terms, then wait for organizers to search and get their accounts automatically compromised. With some automation, you could theoretically achieve a 100% talk acceptance rate across every Pretalx-powered conference. The vulnerability's been patched, but it's a funny one. (read more)

CrowdStrike just pulled off a takedown of the Glassworm botnet, working with Google and Shadowserver to simultaneously nuke four servers that were keeping this supply chain nightmare running. These Russian-linked attackers have been having a field day since early 2025, poisoning hundreds of open source packages including VSCode extensions, npm modules, and over 300 GitHub repos. Their whole game was infiltrating developer workflows to push malware downstream through the supply chain. (And no, this isn’t TeamPCP. Yet Another Supply Chain Nightmare™.)

They were using everything from the Solana blockchain to BitTorrent to Google Calendar to keep their C2 resilient. CrowdStrike's approach here is interesting - instead of waiting around for lengthy legal processes (good luck extraditing Russians), they went straight for the infrastructure. The idea is to make the attackers burn time and resources rebuilding rather than targeting new victims. (read more)

The FBI is warning about Silent Ransom Group, a crew tied to the old Conti ransomware gang that's been hassling U.S. law firms since 2023. These guys are getting creative with their social engineering - they're not just sticking to phishing emails and fake IT support calls anymore. They're actually showing up at offices pretending to be IT folks who need to "backup" or "image" devices for security reasons, then copying data onto USB drives or external storage. Feels like I’m reading a Kevin Mitnick story from the 90s.

They use legitimate remote management tools that IT departments already have, and exfiltrate data through trusted platforms like Google Drive and OneDrive. Law firms are prime targets to access sensitive legal, financial, and corporate information. The fact that they're willing to physically show up at offices was worth the callout here. I want to see the security cam footage of them coming in to do “backups.” (read more)

Turns out that March hack of LA Metro wasn't just some random hacktivist crew after all. Israeli researchers at Gambit Security traced "Ababil of Minab" back to Iran's Ministry of Intelligence (MOIS), despite the group's claims of being independent Palestine supporters. The attackers didn't just steal data - they went full scorched earth, wiping databases, virtual machines, and storage volumes using both automated scripts and manual keyboard work to maximize destruction and prevent recovery.

What's particularly concerning is the speed and scale these guys operated at. They hit multiple other targets including Israeli media orgs, a Turkish insurance firm, and various websites across different sectors. The researchers are warning that this kind of "straight to the recovery layer" attack strategy is becoming easier to execute as AI tools lower the technical barriers. It's the same playbook we saw with Handala's devastating Stryker attack - another MOIS-linked group masquerading as hacktivists. The takeaway? Iran's getting better at both the technical execution and the cover stories. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay