Vulnerable U | #172
Mythos and Fable updates, AI agents falling for phishing emails, Iran hacked California water providers, ServiceNow breach, and more!
Read Time: 8 minutes

Brought to you by:
Howdy friends!
Anyone else in full summer brain? Just me because I spent the weekend scuba diving? Let me say this about Descent Cyber - the organizers put on a masterclass in throwing an event that balanced great cybersecurity content, heavy hitters from our industry, and camaraderie through diving together. It was an extremely well-thought-out and well-planned event, and I’ve already committed Vulnerable U to sponsor again next year. Do recommend for the divers or dive-curious.
[Photos: Opening Keynote | In a shipwreck 60ft below]
ICYMI
🖊️ Something I wrote: MSRC couldn’t possibly do anything worse this week… oh. Oh ok.
🎧️ Something I heard: Blink 182 dropping updates on MySpace - as someone who was a Blink super fan and MySpace power user, it’s a big week for me. They’re teasing a 25-year anniversary tour.
🎤 Something I said: Meta Built the Dumbest Hack in Instagram History
🔖 Something I read: I’ve been quoting this blog every day since I read it. Cloudflare’s Project Glasswing: what Mythos showed us
Vulnerable News

For all of you who hang out in my live streams, you know I was hitting that MYTHOSSSS (spoken like Star Trek KHANNNN) sound button a ton this week. That’s because it has escaped the lab! Well sort of. Anthropic has now broadly released Fable 5, its public-facing “Mythos-class” model, and the reaction I'm seeing is a mix of excitement, confusion, and frustration. The marketing narrative is still very much that Mythos was so powerful it needed to be carefully contained before being released to the public.
Meanwhile, the actual experience many people are having is running headfirst into guardrails. In some cases, users report that simply mentioning cybersecurity-related topics is enough to trigger restrictions, model downgrades, or redirects to safer behavior. If Mythos escaped the lab, it appears to have done so while wearing several layers of bubble wrap.

What's becoming clearer is that Anthropic is taking an unusually aggressive approach to controlling how Fable 5 is used. Beyond the cybersecurity restrictions, the company has confirmed that it will actively limit the model's usefulness for certain frontier AI development tasks. These interventions aren't always visible to users. Anthropic says it may modify outputs or reduce effectiveness for requests related to building competing frontier models, training infrastructure, or AI acceleration research. At the same time, the company expanded data retention policies around Fable usage, citing safety and compliance requirements. That's generating almost as much discussion as the model itself.
My takeaway remains about the same as it was when Mythos launched. I believe the underlying capabilities are real because I've talked directly with people involved in Project Glasswing who have seen the model find vulnerabilities and security issues that other tools missed. And exploit/PoC development is definitely boosted. (read more here, here, here, here and here)

Intruder analyzed 3,000 organizations' attack surfaces. Top finding: more teams should be asking "does this actually need to be on the internet?"
There’s no better time to ask it. AI can now find zero-days autonomously and time-to-exploit has shrunk to a single day. Anything on the internet that doesn't need to be is a target the moment a new CVE drops.
In the report:
What are the most common attack surface exposures?
How long are organizations taking to fix them?
How does your industry compare?
*Sponsored

Anthropic with some sobering research on how their latest Claude model can automatically weaponize patches. Their most capable model, Mythos Preview, turned 18 recent Firefox security patches into 8 working exploits, with the first one ready in under an hour. On the Windows side, it cranked out 8 full privilege escalation exploits from kernel patches, basically going from low-privilege user to full SYSTEM control for about $2,000 in API credits per exploit.
This flips the traditional patch gap timeline on its head. Where it used to take expert reverse engineers weeks or months to develop N-day exploits, we're now looking at hours. WannaCry hit 59 days after the patch was available. Mythos Preview would have had working exploits ready before most organizations even started their patch rollouts. The implications for anything that patches slowly - IoT devices, industrial systems, medical equipment - are pretty grim. (read more)

We've officially lost the plot on supply-chain attack names. We now have Mini Shai-Hulud, Hades, Miasma, and whatever comes next. Underneath the increasingly ridiculous naming convention, though, there's a real evolution happening. Socket's threat research team caught the campaign evolving again, this time with 23 new malicious PyPI packages targeting bioinformatics and MCP developers. These attackers keep switching up their delivery methods - some packages now hide malicious code in compiled native extensions that execute at import time, while others use typosquats like "rsquests" and "tlask" to catch typos. The standout is langchain-core-mcp, which installs a loader that searches your entire sys.path for _index.js payloads, meaning the malicious code doesn't even need to be in the same package.
These aren't just random packages either - they're targeting real scientific computing tools like embiggen, gpsea, and pyphetools that researchers actually use. Once executed, the JavaScript stealer grabs everything from GitHub tokens to cloud credentials, SSH keys, and Docker configs.

The funniest part of this entire report was that the malware includes fake system instructions and policy-triggering text embedded in comments that don't affect execution at all but appear designed specifically to confuse AI-powered security tools and analyst copilots. The runtime ignores it, but an AI scanner might not. (read more)
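As an added example (not Socket's tooling, and not the campaign's own code), here is the defender-side version of the two behaviours described above: a walk over sys.path entries for stray _index.js files, the payload name the loader hunts for, plus a check of installed distribution names against the typosquats named in the report. The demo tree it scans is a constructed fixture, and the suspect list is only the names on this page, not the full set of published IoCs.

```python
import os
import re
import sys
import tempfile
from importlib import metadata

# Package names the Socket write-up calls out (list built from the text; add
# the rest of the published IoCs yourself). Stored in PEP 503 normalized form.
SUSPECT_DISTS = {"rsquests", "tlask", "langchain-core-mcp"}
PAYLOAD_NAME = "_index.js"

def normalize(name):
    """PEP 503 name normalization so 'Langchain_Core.MCP' still matches."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_payload_files(search_paths, max_depth=6):
    """Return every _index.js under the given dirs, scanning from the defender's
    side the same way the loader scans sys.path; depth-limited to keep it cheap."""
    hits = []
    for root_dir in search_paths:
        if not os.path.isdir(root_dir):
            continue
        base_depth = root_dir.rstrip(os.sep).count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root_dir):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []  # stop descending past the limit
            if PAYLOAD_NAME in filenames:
                hits.append(os.path.join(dirpath, PAYLOAD_NAME))
    return sorted(hits)

def find_suspect_dists(installed_names):
    """Installed distribution names that normalize to a known-bad name."""
    return sorted(n for n in installed_names if normalize(n) in SUSPECT_DISTS)

def current_installed_names():
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]

def make_demo_tree():
    """Constructed fixture: a fake site-packages with one planted payload."""
    root = tempfile.mkdtemp(prefix="demo_site_packages_")
    os.makedirs(os.path.join(root, "langchain_core_mcp", "vendor"))
    open(os.path.join(root, "langchain_core_mcp", "vendor", PAYLOAD_NAME), "w").close()
    return root

if __name__ == "__main__":
    print("demo scan:", find_payload_files([make_demo_tree()]))
    print("live scan:", find_payload_files(sys.path) or "no _index.js on sys.path")
    print("suspect dists:", find_suspect_dists(current_installed_names()) or "none")
```

A legitimate Python distribution has little reason to ship a file named `_index.js`, but review any hit by hand before deleting it.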

Handala just hit California Water Service pretty hard, dumping 5GB of customer data and internal credentials as their latest hack. The Iranian group managed to breach both the billing system (grabbing customer PII across multiple districts) and an internal RTKBase GPS correction network that field crews use for precision mapping. They got administrative credentials for the GPS network and essentially mapped out the entire infrastructure across seven service districts.
This isn't just a data grab - Handala's known for escalating to destructive attacks after their initial claims, and they've got custom wipers in their toolkit. Same group that hit Stryker medical and wiped everything they could.
The RTKBase system probably served as their entry point, which makes sense since these GPS correction systems often run on basic hardware with weak authentication. Water utilities everywhere should be checking if their survey equipment is internet-exposed right about now, especially since this fits the pattern of Iranian groups specifically targeting US water infrastructure that we've been warned about. (read more)
Stale entitlements create an open door. Opal analyzed real provisioning data across thousands of systems and found 80% exposed through access that was never revoked. When AI agents start requesting infrastructure access at scale, that surface compounds fast. Opal's 2026 report has the data on what AI-ready teams did differently.
*Sponsored
ShinyHunters just pulled off a pretty impressive campaign targeting Oracle PeopleSoft systems with a zero-day exploit (CVE-2026-35273). Between late May and early June, they hit over 100 organizations - mostly universities and colleges - using a critical RCE (9.8 CVSS). They were exploiting this before Oracle even knew about it, making it a proper zero-day until the patch dropped on June 10th.
These guys set up staging servers with MeshCentral agents disguised as Microsoft Azure services, complete with SSL certs for "azurenetfiles[.]net" to make it look legit. But here's where it gets sloppy - they left their staging directories wide open, exposing command histories, custom lateral movement scripts, and their bash history showing exactly how they mapped internal networks and exfiltrated data. Mandiant caught wind and started warning potential targets, but some organizations still got breached and had their data posted on the ShinyHunters leak site. (read more)

After days of speculation driven by customer reports on Reddit, ServiceNow disclosed that attackers exploited a vulnerability that could allow an unauthenticated user, under certain circumstances, to gain greater access to customer instances than intended.
Turns out they had an API endpoint sitting there configured with 'requires_authentication=false'. The vulnerable endpoint '/api/now/related_list_edit/create' let unauthenticated users query customer instance data, which could include all sorts of juicy enterprise info like support tickets, employee records, and internal docs. They quietly patched it on June 5th, but not before attackers (or maybe bug bounty researchers) had some fun with it.
ServiceNow received a confidential bug bounty submission about this exact issue back in April, but didn't bother fixing it until June when they spotted "anomalous activity." Now they're saying it was probably just researchers poking around rather than actual bad guys, but that's a pretty generous interpretation considering the two-month delay between disclosure and fix. If you're running ServiceNow, definitely check your logs for requests to that endpoint and maybe rotate any credentials that might've been exposed in support tickets. (read more here, here and here)
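One way to do that log check, as an added example rather than anything ServiceNow ships: it walks web-server or proxy log lines, pulls out every request to the endpoint above, and flags those with no authenticated user recorded. The log lines are constructed in a combined-log layout, and the user-field convention (a '-' meaning no authenticated identity) is an assumption about your proxy; cookie-based sessions often log '-' for everyone, so treat the flag as a triage hint, not proof.

```python
import re

# Endpoint named in the ServiceNow disclosure; matched as a path prefix so
# query strings and trailing segments are caught too.
WATCHED_PATH = "/api/now/related_list_edit/create"

# Constructed sample lines (not real ServiceNow logs) in a combined-log-style
# layout: client IP, ident, authenticated user or '-', timestamp, request, status, size.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:10:01:12 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.3 - jdoe [05/Jun/2026:10:02:40 +0000] "GET /api/now/table/incident HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2026:10:03:01 +0000] "POST /api/now/related_list_edit/create?sysparm_limit=1000 HTTP/1.1" 200 98304 "-" "python-requests/2.31"
198.51.100.9 - asmith [05/Jun/2026:10:04:15 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_hits(log_text):
    """Every request to WATCHED_PATH; '-' in the user field is flagged because an
    anonymous caller is exactly what requires_authentication=false permitted."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].split("?", 1)[0].startswith(WATCHED_PATH):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"]), "size": size,
                     "unauthenticated": m["user"] == "-"})
    return hits

def bytes_by_anonymous_source(hits):
    """Response bytes per source IP for successful anonymous hits; large totals
    point at bulk data pulls and are the first thing to triage."""
    totals = {}
    for h in hits:
        if h["unauthenticated"] and h["status"] == 200:
            totals[h["ip"]] = totals.get(h["ip"], 0) + h["size"]
    return totals

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print("UNAUTH" if h["unauthenticated"] else "auth  ", h["ts"], h["ip"], h["user"], h["method"], h["path"], h["status"], h["size"])
    print("anonymous bytes by source:", bytes_by_anonymous_source(hits))
```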

If anyone thought AI agents were going to be immune to phishing attacks, this research should put that idea to rest. The Varonis team connected an OpenClaw agent to Gmail, gave it access to Google Workspace, and told it to monitor and process incoming emails.
The most brutal example was when a fake "Dan" emailed asking for staging credentials during a supposed production emergency. Pinchy (their agent) not only fell for it but helpfully forwarded AWS keys, database passwords, and SSH access to an external Gmail account. Even their "strict" security configuration failed because the agent prioritized being helpful over verifying who was actually asking. The researchers point out this flips the phishing game - low-effort technical attacks become less effective, but context-heavy spear phishing becomes way more dangerous since every inbox now has an autonomous system trained to retrieve information and act immediately. (read more)

Another day, another Microsoft Defender zero-day from the prolific researcher "Nightmare Eclipse." This latest one, dubbed "RoguePlanet," is a race condition bug that can grant SYSTEM privileges on fully patched Windows 10 and 11 systems. It dropped just hours after Microsoft's June Patch Tuesday fixed two other flaws from the same researcher. ThreatLocker confirmed it works on the latest builds, though success rates vary depending on the machine.
The backstory here is getting messy. Nightmare Eclipse originally developed this as a remote code execution exploit targeting Defender's handling of SMB shares, but Microsoft quietly hardened the system in May, forcing a rewrite down to just local privilege escalation. This is all part of an ongoing feud between the researcher and Microsoft over bug bounty practices and disclosure policies. Microsoft's been nuking their repositories on GitHub and GitLab, and has even threatened law enforcement action, so now they're hosting exploits on their own platform.
I’m also hearing some chatter that Nightmare Eclipse is an ex-Microsoft insider, so the legal battle might be way more than the public knows. (read more here, here and here)
Apple announced important info about expanding their Private Cloud Compute beyond their own data centers. They're now partnering with Google Cloud and NVIDIA to run the more demanding Apple Intelligence workloads while supposedly maintaining their hardcore privacy commitments. The collaboration includes leveraging Google's Gemini tech to build the next-gen Apple Foundation Models, which is a fascinating shift from Apple's usual "we do everything ourselves" approach.
What's particularly noteworthy is how they're trying to have their cake and eat it too - running AI workloads on third-party infrastructure while claiming the same security guarantees as their own silicon. They're using NVIDIA's Confidential Computing, Intel TDX, and Google's Titan chips as the foundation, but they're adamant that Apple retains complete control over the PCC software stack. The real test will be whether their transparency promises hold up - they say they'll publish binaries for public inspection and maintain their security research program. Color me curious to see how this plays out in practice. (read more)
Miscellaneous mattjay



How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay


