2026-06-11 AI创业新闻
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub has announced what it said are “breaking changes” coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the “npm install” command to trigger the execution of malicious code using npm lifecycle hooks. “Npm install” is used to download and install all the necessary dependencies for a Node.js project. Version 12 is scheduled for release next month.
Describing install-time lifecycle scripts as the “single largest code-execution surface in the npm ecosystem,” GitHub said the “npm install” command runs scripts from every transitive dependency, as a result of which a single compromised package anywhere in the dependency tree can run arbitrary code on a developer machine or CI runner. By blocking such behaviours, the idea is to require explicit user approval before code execution is initiated automatically during “npm install” as opposed to being trusted by default. “Making script execution opt-in closes that path while keeping it one command away for the packages you trust,” GitHub said. The changes are listed below - npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in the project.
npm install will no longer resolve Git dependencies, either direct or transitive, unless explicitly allowed via –allow-git. npm install will no longer resolve dependencies from remote URLs, such as https tarballs, unless explicitly allowed via –allow-remote. “This includes native node-gyp builds (i.e., a package with a binding.gyp and no explicit install script still gets blocked, because npm runs an implicit node-gyp rebuild for it),” the Microsoft-owned subsidiary said about changes to the default “allowScripts” behavior. “prepare scripts from git, file, and link dependencies are blocked the same way.” By defaulting “–allow-git” to “none,” the setting closes out a code execution path where a Git dependency’s .npmrc configuration file used could override the Git executable, even with –ignore-scripts , a flag that prevents packages specified in a package.json file from automatically running built-in lifecycle scripts during the installation process.
GitHub recommends that developers prepare for these changes by upgrading to npm 11.16.0 or newer, running the normal install, and reviewing the warnings displayed. “Use npm approve-scripts –allow-scripts-pending to see which packages have scripts, approve the ones you trust, and commit the updated package.json,” it added. “After that, only the scripts you approved keep running once you upgrade. Anything you leave unapproved will stop.” Earlier this year, npm also introduced “min-release-age,” a setting that tells npm to reject any package version published less than a specified number of days as a safeguard against newly published malicious packages.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
Cybersecurity researchers have warned of a “resurgence and expansion” of JDY , a covert network associated with China-nexus state-sponsored threat actors. “The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale,” Lumen’s Black Lotus Labs said in a report shared with The Hacker News. JDY was first flagged as a cluster within another botnet codenamed KV-botnet in mid-December 2023. Primarily used for broader scanning against internet targets, the stealthy network comprising compromised SOHO routers, firewalls, and IoT devices has been put to use by Chinese hacking groups like Volt Typhoon.
Following KV-botnet’s takedown by the U.S. government in early 2024, the botnet operators began making behavioral changes to the network, with the second KV cluster largely going offline. It’s suspected that the botnet is offered by the operators to various hacking outfits, while carrying out reconnaissance and targeting on their own. The latest findings from Black Lotus Labs show that the malware has expanded in scope to infect a broader range of devices and act as a conduit to feed “structured reconnaissance data” into a larger scanning ecosystem for follow-on target identification and exploitation.
Specifically, the JDY cluster is being used to conduct targeted scanning and service fingerprinting with an aim to flag vulnerable infrastructure following public disclosures. This points to an industrialized reconnaissance effort, the results of which are leveraged by Chinese nation-state groups. This has been complemented by a growth in the botnet’s size, which has surged from 650 bots at the start of January 2024 to more than 1,500 compromised devices. Most of the hacked nodes are located in the U.S.
and Brazil, followed by Europe and Asia. Black Lotus Labs told The Hacker News that the cluster in Brazil is reflective of the fact that “we’re seeing more and more botnets made up of Brazilian victims these days.” Where previously the cluster primarily featured Cisco RV320 and RV325 routers, the present makeup of the botnet is a lot more diverse, including devices from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. “The botnet’s large number of U.S.-based SOHO/IoT devices enables the botnet operators to evade defenses and traditional IP-based controls, such as geofencing, IP reputation-based detection, and static blocklists,” Black Lotus Labs said. “By distributing their scanning and reconnaissance activity across a wide range of IP addresses, the operators make it less likely that any single IP will be labeled as a scanner and blocked.
Additionally, using compromised SOHO and IoT devices helps this activity blend in with legitimate user traffic.” The architecture that powers the botnet is best described as layered: the operators use Tor nodes to manage infected infrastructure, including both the command-and-control (C2) and payload servers. The C2 servers direct the bots to perform targeted reconnaissance and system profiling, as opposed to indiscriminate scanning. Results of the scans are sent to central servers for ongoing intelligence gathering in an effort to further Chinese threat actors’ objectives. Attack chains weaponize newly disclosed vulnerabilities in edge devices (e.g., CVE-2026-35616) to deliver a shell script dropper that checks if the malware is already active, and if not, proceeds to download the primary payload based on the detected processor architecture (e.g., mips, mips64, mipsel, or mipsel64).
Once the malware is launched, it’s deleted from disk. The malware that facilitates scanning and target reconnaissance is designed to fingerprint the host, receive scanning tasks from a central C2 server, carry out high-volume TCP, SSL, UDP, and ICMP-assisted probing, capture responses (TLS certificates, metadata, etc.), and report the results back to the dispatch server. The goal is to conduct infrastructure reconnaissance rather than exploitation. A noteworthy functionality of the malware is its ability to adapt its scanning methodology based on its privileges on the local system.
If it can open a raw socket, an indication of root privileges, it initiates high-speed SYN scanning using custom-crafted TCP packets. If raw sockets are unavailable or if the task is a web scan, the scanning engine resorts to using standard TCP and TLS connections or employs protocols like UDP and ICMP. This activity most likely informs asset discovery, vulnerability-targeting pipelines, and downstream exploitation or attack-orchestration systems, the cybersecurity company said. “JDY demonstrates how IoT/SOHO botnets and covert networks of compromised devices are being used for rapid vulnerability exploitation,” the company said.
“JDY’s growth and continued operation illustrate how modern reconnaissance networks persist despite takedowns and adapt as a durable capability within a broader adversary ecosystem.” “JDY’s evolution from a supporting component of the KV-botnet to an independent, high-performance reconnaissance capability demonstrates that disruption of individual nodes or clusters does not eliminate the underlying capability. The capability persists, adapts, and continues to provide adversaries with timely targeting data, often within hours of vulnerability disclosure.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure. The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It’s tracked as CVE-2026-25089 (CVSS score: 9.1). “An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests,” Fortinet said .
The issue impacts the following products and versions - FortiSandbox 5.0.0 through 5.0.5 (Upgrade to 5.0.6 or above) FortiSandbox 4.4.0 through 4.4.8 (Upgrade to 4.4.9 or above) FortiSandbox Cloud 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above) FortiSandbox PaaS 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above) On Tuesday, Ivanti also published fixes for two critical security flaws impacting Ivanti Sentry (formerly MobileIron Sentry) - CVE-2026-10520 (CVSS score: 10.0) - An operating system command injection vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated user to achieve root-level remote code execution. CVE-2026-10523 (CVSS score: 9.9) - An authentication bypass vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. watchTowr Labs, which published additional details of CVE-2026-10520, said an attacker could exploit the vulnerability by issuing a specially crafted HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint, which is then interpreted as a MICS configuration command and executed by a backend component named “handleExecute().” The patch shipped by Ivanti incorporates additional controls that block access to the vulnerable endpoint, causing unauthenticated requests to be redirected to the login page. “Ivanti did not just remove attacker control over the vulnerable execution path,” security researcher Sonny Macdonald said .
“They also added a layer of protection in front of it to make reaching the endpoint significantly more difficult. In other words: they added authentication.” Rounding off the list of updates is SAP, which pushed out fixes for four critical vulnerabilities in NetWeaver AS ABAP and ABAP Platform, as well as SAP Commerce Cloud and SAP Data Hub - CVE-2026-44748 (CVSS score: 9.9) - XML signature wrapping vulnerability in SAML authentication in SAP NetWeaver AS ABAP and ABAP Platform CVE-2026-27671 (CVSS score: 9.8) - Memory corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform CVE-2026-22732 (CVSS score: 9.1) - Potential Spring security vulnerability within SAP Commerce Cloud and SAP Data Hub CVE-2026-40128 (CVSS score: 9.0) - Directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) “The application allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier,” SAP security company Onapsis said . “Due to an improper XML signature verification, the manipulated identity information is accepted, leading to unauthorized access to sensitive user data and potential disruption of normal system usage.” As for CVE-2026-27671, the defect allows an unauthenticated attacker to send a crafted RFC request that exploits how the SAP kernel validates the RFC protocol to achieve memory corruption. There is no evidence that any of the aforementioned flaws have been exploited in the wild.
However, it’s always a safe practice to update to the latest version for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. “The ‘POST /api/v2/files’ endpoint does not sanitize the ‘filename’ parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences (‘../’),” Tenable, which discovered the flaw, said in an alert released in late March 2026. The cybersecurity company said it attempted to contact the project maintainers three times in January and February 2026, before disclosing details of the issue on March 27.
Caitlin Condon, vice president of security research at VulnCheck, said in a LinkedIn post that the vulnerability enables remote code execution. “Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation,” Condon added. Exploitation efforts so far appear to weaponize the bug to write test files on victim systems. Data from Censys shows that there are about 7,000 Langflow instances publicly exposed on the internet, with a majority of them located in North America.
The attack effort follows a flurry of exploitation activity targeting other Langflow vulnerabilities this year, including CVE-2026-0770 , CVE-2026-33017 , CVE-2026-21445 , and CVE-2025-34291 , the last of which has been weaponized by the Iranian state-sponsored group known as MuddyWater. “The activity underscores a growing trend of attackers targeting the infrastructure and tooling that organizations use to build and deploy AI applications,” the company said in a statement shared with The Hacker News. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of active exploitation. The list of vulnerabilities is as follows - CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. CVE-2026-11645 (CVSS score: 8.8) - An out-of-bounds read and write vulnerability in Google Chrome V8 that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-7473 (CVSS score: 6.9) - An incomplete comparison with missing factors vulnerability in Arista Extensible Operating System (EOS) that could be exploited to process non-configured tunnel traffic. No Patch Planned for Exploited Arista EOS Flaw “On affected platforms running Arista EOS where a tunnel decapsulation configuration - such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface - is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP,” Arista said. “This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic.” The security defect mainly impacts 7020R, 7280R/R2, and 7500R/R2 series products. However, for successful exploitation to occur, the device must be configured as a tunnel endpoint with a decapsulation IP, such as a VXLAN VTEP, a GRE tunnel endpoint, or with an IP decap-group.
The network equipment company acknowledged that the vulnerability has been “reported as being exploited in the wild,” crediting Comcast’s Scott Christiansen, Lukas Peitz, Rich Compton, and Jonathan Davis for responsibly disclosing it. Despite this, Arista said no patches are being planned to address CVE-2026-7473, citing risks that doing so could break existing configurations on deployments. The company has outlined mitigations to address the issue. “There are two broad approaches to mitigate this issue - (1) applying ACLs on upstream devices or (2) applying ACLs on the devices where the unexpected decapsulation is happening,” Arista said.
“In both cases, the idea is to either selectively allow only legitimate tunnel traffic or to selectively block malicious tunnel traffic.” Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the necessary fixes or mitigations by June 23, 2026, to counter the threat posed by the three vulnerabilities. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Your Automated Pentest Looks Clean. See What It Missed in This Expert Webinar
Your pentest report looks clean. That might be the problem. Run automated pentesting long enough, and the new findings start to dry up. By the third or fourth run, fewer issues appear.
The report looks stable. Leadership reads “stable” as “secure.” It usually isn’t. The work slows down. The risk does not.
That gap is what a The Hacker News webinar with Picus Security sets out to close. Autumn Stambaugh and Can Yüceel, with host James Azar, show what your tool validates, where it stops, and how to close what it leaves open. Register for the webinar. Start with the core problem.
A flat report can mean the obvious holes were fixed. It can also mean the tool has reached the edge of what it can see. Automated pentesting is often treated as full security validation. It is not.
Picus frames validation as six surfaces and puts automated pentesting on one of them, the attack path: whether an attacker can move through an environment. That leaves the other five unproven, including detection rules, cloud configurations, identity controls, and AI guardrails. Tuning may sharpen the scan, but it cannot turn an attack-path test into detection or cloud validation. Here is the part most teams miss.
When the tool exploits a technique, it cannot tell you whether your SIEM rule fired or your EDR raised an alert. It may prove that credential dumping or lateral movement is possible. That still does not tell you whether the EDR blocked it, the SIEM logged it, or the SOC had enough signal to act. It proves a path exists.
It says nothing about whether you would have caught an attacker using it. That is the risk: mistaking a reachable path for a defended one. Save your seat for the session. BAS and Automated Pentesting Answer Different Questions Breach and attack simulation asks whether a control reacts to a known behavior: blocked, detected, logged, or missed.
Automated pentesting asks how far an attacker could get through an exploitable path. Swap one for the other, and the gap disappears from the report, not from the environment. The practical problem is prioritization. If a tool proves a path exists but your controls already block or detect it, that finding may not carry the urgency of one that works silently.
Without control validation, teams rank risk with half the evidence missing. That is what the session focuses on: turning a pile of findings into a ranked queue based on whether controls actually caught the behavior. If automated pentesting is treated as the whole validation program, this is the gap to check first. Register for the webinar.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
Microsoft on Tuesday released fixes for a record 206 security vulnerabilities impacting its software portfolio, including three flaws that have been publicly disclosed at the time of release. Of the 206 flaws, 39 are rated Critical, and 167 are rated Important in severity. This includes 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, seven denial-of-service, and three tampering vulnerabilities. The patches also include two non-Microsoft CVEs, a privilege escalation vulnerability impacting Windows Kernel ( CVE-2025-10263 ) and a UEFI Secure Boot security feature bypass ( CVE-2026-8863 ).
They are in addition to more than 350 security flaws that Google has addressed in Chromium, which is used in Microsoft’s Edge browser. Topping the list of fixes is CVE-2026-45657 (CVSS score: 9.8), a use-after-free flaw affecting Windows Kernel that could result in remote code execution. “An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system,” Microsoft said. “If successful, the malicious network packets could trigger a flaw in how the Windows kernel processes certain TCP/IP data, potentially allowing the attacker to run code with system-level privileges without needing to sign in or interact with a user.” Other important vulnerabilities of note are listed below - CVE-2026-47291 (CVSS score: 9.8) - An integer overflow or wraparound flaw in Windows HTTP.sys that allows an unauthorized attacker to execute code over a network.
CVE-2026-44815 (CVSS score: 9.8) - A stack-based buffer overflow vulnerability in Windows DHCP Client that allows an unauthorized attacker to execute code over a network. “This flaw needs no credentials or user action and can turn network traffic into a full system compromise,” Alex Vovk, CEO and co-founder of Action1, said about CVE-2026-44815. “An attacker could send specially crafted network traffic to a system configured for DHCP services.” “Successful exploitation could allow unauthorized code execution over the network with high impact to confidentiality, integrity, and availability. This vulnerability creates serious risk because DHCP is a core network function.
Successful exploitation could lead to server compromise, malware deployment, data theft, service disruption, and movement deeper into the network. Systems handling DHCP traffic should be treated as high-priority patch targets.” Microsoft has also released patches to address CVE-2026-45585 (CVSS score: 6.8), a Windows BitLocker security feature bypass vulnerability for which a proof-of-concept (PoC) exploit called YellowKey was released by security researcher Chaotic Eclipse (aka Nightmare-Eclipse) last month. CVE-2026-45585 is one of several secure feature bypasses that the Windows makers has addressed this month - CVE-2026-45655 (CVSS score: 5.3) CVE-2026-45658 (CVSS score: 7.8) CVE-2026-50507 (CVSS score: 6.8) “A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device,” Microsoft said in its advisories for the three issues. “An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.” According to security researcher Will Dormann, CVE-2026-50507 is assessed to be a fix for a BitLocker bypass dubbed bitskrieg that grants full access to encrypted data.
It’s worth noting that CVE-2026-50507, along with CVE-2026-49160 and CVE-2026-45586, are listed as publicly disclosed zero-days. CVE-2026-45586 (CVSS score: 7.8) - Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability CVE-2026-49160 (CVSS score: 7.5) - HTTP.sys denial-of-service vulnerability CVE-2026-49160 is related to HTTP2/Bomb , an attack technique that can be used to knock web servers offline in seconds. In tests conducted by Calif, an IIS server was found to exhaust 64 GB RAM in about 45 seconds. To mitigate the attack, Microsoft has introduced a new “MaxHeadersCount” registry setting to limit the number of headers in HTTP/2 and HTTP/3 requests.
“Limiting HTTP headers can help protect systems and servers from excessive memory use, high CPU consumption, and denial-of-service attacks,” Microsoft said . “Because HTTP/2 (HPACK) or HTTP/3 (QPACK) header compression is used and more complex protocol processing, enforcing a header limit such as MaxHeadersCount can help maintain performance and reliability.” On the other hand, CVE-2026-45586 is suspected to be a fix for a zero-day privilege escalation exploit that Chaotic Eclipse released under the name GreenPlasma . Lastly, the June 2026 update also plugs MiniPlasma , a separate vulnerability disclosed by Chaotic Eclipse as an incomplete fix for CVE-2020-17103, which was originally addressed by Microsoft in December 2020. “To comprehensively address the vulnerability identified by CVE-2020-17103 and recently publicly referred to as ‘MiniPlasma,’ Microsoft recommends installing the June 2026 updates for your Windows operating systems,” the tech giant said in an update to its advisory.
The increasing number of patches has been attributed to the use of artificial intelligence (AI)-assisted vulnerability discovery approaches, a trend that Microsoft said will continue in the foreseeable future. “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative (ZDI), described the massive set of Microsoft vulnerabilities as a testament to how AI is supercharging flaw discovery at an uncontrollable scale. “The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018,” Childs said.
“It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist.” The patches come as Chaotic Eclipse released a PoC exploit for yet another Microsoft Defender zero-day named RoguePlanet , characterizing it as a race condition that could be used to spawn a Windows command prompt with SYSTEM privileges. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards
On June 9, Anthropic released Claude Fable 5 , the most capable model it has ever made, generally available. It also did something unusual: it shipped one model as two products, split not by capability but by a layer of safety classifiers. Fable 5 goes to the public. Its twin, Claude Mythos 5, the same underlying model with the cyber safeguards lifted, stays locked to a vetted group of cyber defenders and critical infrastructure operators.
Anthropic calls Mythos 5 the strongest cybersecurity model in the world. The practical difference is this: Fable 5 routes flagged cyber, biology, chemistry, and distillation requests to the weaker Claude Opus 4.8, while Mythos 5 keeps the cyber capabilities available for vetted users. Both models cost $10 per million input tokens and $50 per million output tokens, less than half the price of the earlier Mythos Preview, and Fable 5 is available through the Claude API now. It is included on Pro, Max, Team, and seat-based Enterprise plans at no extra cost through June 22, then moves to usage credits.
- How Fable 5’s cyber classifiers work
- The split exists because Mythos-class models find and exploit software vulnerabilities well enough that, in Anthropic’s framing, handing that capability to the general public without controls would give attackers serious uplift. The mechanism is a set of
- classifiers
- separate AI systems that watch for misuse and jailbreak attempts. When a request trips one, Fable 5 does not refuse. The response is handed to Opus 4.8, and the user is told the handoff happened.
Of the flagged categories, distillation is the odd one out: it means extracting a model’s capabilities to train a competing model, which Anthropic blocks to stop near-frontier abilities leaking out without safeguards attached. The cybersecurity classifier is the broad one. Anthropic designed it to block not just exploit development but offensive cyber tasks in general: reconnaissance, discovery, lateral movement, the agentic steps that make up a real attack. In an internal evaluation run with Fable 5 set to block rather than fall back, and which did not attempt to evade the safeguards, the classifiers stopped the model from making any progress on those tasks.
One external partner found Fable 5 complied with zero harmful single-turn requests on cyberattack planning, exploit development, or defense evasion, holding up against 30 different public jailbreak techniques. The trade-off is false positives. Anthropic tuned the safeguards conservatively to ship fast, so they sometimes catch harmless requests. The company says fallback fires in under 5% of all sessions, so for more than 95%, Fable 5 behaves like the cyber-unrestricted Mythos 5.
That figure covers every fallback, genuine blocks included, so it caps the total disruption rather than measuring the false-positive rate on its own. Anthropic says it will narrow the safeguards and cut false positives after launch. On robustness, the numbers are specific. An external bug bounty ran over 1,000 hours and produced no universal jailbreak, a prompt, or a harness that strips the safeguards wholesale.
External red teams found none on long-form agentic tasks either, with one caveat Anthropic states plainly: the UK’s AI Security Institute made progress toward a universal jailbreak within a brief initial testing window. Anthropic concedes it is likely impossible to fully prevent universal jailbreaks, and its stated goal is to make any that remain slow and costly enough to catch before they are used at scale. Why is the capability a threat The case for treating this model carefully was laid out in April, when Anthropic released Claude Mythos Preview to a limited group through Project Glasswing . The technical write-up from Anthropic’s red team is the part worth reading.
During testing, Mythos Preview identified and exploited zero-day vulnerabilities in every major operating system and every major web browser when a user directed it to. The oldest bug it found was a 27-year-old flaw in OpenBSD, an operating system known mainly for its security. It autonomously wrote a remote code execution exploit against FreeBSD’s NFS server from a 17-year-old bug, triaged as CVE-2026-4747 . Anthropic describes the result as full root for an unauthenticated attacker from anywhere on the internet; NVD’s entry is more measured, noting the stack overflow itself does not require the client to authenticate, but frames kernel code execution as reachable by an attacker able to send packets to the NFS server while the kgssapi.ko module is loaded.
By Anthropic’s own account, it did not explicitly train these capabilities in; they emerged as a side effect of general improvements in code, reasoning, and autonomy, the same gains that make the model better at patching. The red team’s flat warning: mitigations whose security value comes from friction rather than hard barriers get much weaker against a model that grinds through tedious exploitation steps at scale. Hard technical barriers like KASLR and W^X still raise the cost; the warning is narrower, aimed at defenses that lean on attacker patience or manual effort, and the model can now supply itself. Mythos 5 carries those skills forward.
Anthropic says users will find it comparable to or somewhat stronger than Mythos Preview. The defender’s actual problem The defensive case is not hypothetical. In the first weeks of Project Glasswing, Anthropic and roughly 50 partners used Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities in systemically important software. Cloudflare alone found 2,000 bugs, 400 of them high- or critical-severity.
Mozilla found and fixed 271 in Firefox 150, more than ten times what it caught in Firefox 148 using the older Opus 4.6. Anthropic says the same pressure is visible beyond Glasswing, in vendors shipping unusually large security releases. That flood is the catch. Finding bugs is now cheap and fast.
Verifying, triaging, and patching them is not, and it still runs on human time. Anthropic reports that open-source maintainers, already buried under low-quality AI-generated bug reports, have asked it to slow its disclosures because they cannot write patches fast enough. In Glasswing, it says a high- or critical-severity bug found by the model takes about two weeks to patch on average. The bottleneck has moved from discovery to the fix, and the gap between a public disclosure and a deployed patch is where attackers live.
The red team’s N-day experiments sharpen the point: starting from nothing but a disclosed CVE and its patch, Mythos Preview built working Linux privilege-escalation exploits in under a day each, at a few thousand dollars or less in compute. For defenders, the read is the same as ever, just on a shorter clock: assume a high-severity CVE can become a working exploit within hours of disclosure, not weeks. That means prioritizing auto-update paths for internet-facing systems and treating dependency bumps that carry CVE fixes as time-sensitive work rather than backlog. MFA and comprehensive logging stay the baseline, so a single missed patch does not become the only thing standing between an attacker and the network.
Anthropic has opened a Cyber Verification Program that lets vetted security professionals use its models for legitimate offensive work without the cyber safeguards. A new 30-day data retention requirement Anthropic is also changing how it handles data for Mythos-class models. It will require 30-day retention for all traffic on Fable 5, Mythos 5, and future models at this capability level, across both first- and third-party surfaces. The company says it will not use the data for training or any non-safety purpose, will log all human access, and will delete it after 30 days except where a safety investigation or legal obligation requires holding it longer.
The stated reason is defensive: the data helps detect novel attacks and jailbreaks that operate across many requests. Teams with strict data-handling requirements will want to factor that retention window in before routing sensitive traffic through these models. Anthropic plans to widen Mythos 5 access through a trusted-access program, and says that once compute capacity catches up, it aims to fold Fable 5 back into subscription plans without the usage-credit premium that kicks in after June 22. The larger question the launch raises is the one Anthropic has been circling since April: similarly capable models from other labs are coming, and not all of them will ship with a wall of classifiers in front.
The defensive head start Glasswing was meant to buy only matters if the rest of the industry uses it. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. “On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” the company revealed in an advisory that requires customer access. “The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” The security update makes changes to an endpoint configuration to limit this access to authenticated users. The security flaw currently does not have a CVE identifier.
Details of the issue first emerged on Reddit. ServiceNow said it detected anomalous activity relating to the security issue, and that it observed evidence of successful queries of instance tables against a “subset of customers.” Impacted customers have been notified, it added. “The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” it noted. A Reddit comment from a user named “d3s7iny” claimed that its security team reported the vulnerability to ServiceNow, adding that the software company had been aware of the problem internally since April 7, 2026.
For about two months, ServiceNow is said to have classified it as a non-urgent issue, with plans to remediate it in a future update. When reached for comment, a ServiceNow spokesperson said “our main priority was to reach out directly to the subset of customers this [incident] affected, it was not broad.” The company has since publicly acknowledged in an advisory that “a subset of customer instances were queried successfully as part of this activity.” The malicious activity is said to have commenced on June 2, 2026. “On June 3-4, 2026, customers shared submissions to their bug bounty programs regarding a security issue that could, in certain circumstances, allow an unauthenticated user to gain unwanted access to information in ServiceNow instances,” it added. “These submissions were similar to a confidential submission sent to our bug bounty program on April 22, 2026.” (The story was updated after publication to include a response from ServiceNow and details of the security issue.) Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet . “The exploit is a race condition, so it’s a hit or miss,” the researcher, who published the exploit under a new GitHub account “MSNightmare” said . “I have managed to get a 100% success rate on some machines while it struggled to work on others.” Should the exploit succeed, the result is a shell with SYSTEM-level privileges, granting the attacker the ability to run arbitrary code or perform unauthorized actions. The researcher said the exploit has been tested on Windows 11 and 10 machines with the June 2026 Patch Tuesday updates installed, meaning the exploit works on the up-to-date versions of the desktop operating system.
That said, the exploit does not work on Windows Server instances in its current form since “standard users cannot mount an ISO image.” Chaotic Eclipse emphasized that Windows Server installations are also vulnerable to the flaw and that the exploit needs to be redesigned for it to work. “Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May [sic], a full PoC was developed,” the researcher said. “Microsoft’s efforts to protect Defender from path redirection attacks are useless, I have a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components.” Video Credit: ThreatLocker Security researcher Will Dormann, in a post shared on Mastodon, said “it’s reportedly not 100% reliable, but it worked on the first attempt for me.” RoguePlanet is the latest in a series of Microsoft Defender flaws uncovered by Chaotic Eclipse in recent months - BlueHammer (CVE-2026-33825) UnDefend (CVE-2026-45498) RedSun (CVE-2026-41091) These uncoordinated disclosures are part of what’s assessed to be a retaliatory effort following an alleged breakdown in communication between the researcher, who has not publicly identified themselves, and Microsoft. In cryptographically signed posts on their Blogger page, Chaotic Eclipse expressed dissatisfaction with the way Microsoft handled the disclosure process and called out the company for revoking access to their Microsoft Security Response Center (MSRC) account, where researchers can report vulnerabilities.
The researcher has also accused Redmond of humiliating them, dismissing their reports, failing to compensate them for the identified vulnerabilities, and defaming them. Late last month, Microsoft condemned the public vulnerability disclosures, stating they are “never justifiable” and put customers at “unnecessary risk.” It’s worth noting that all three aforementioned Defender vulnerabilities have since been exploited in the wild. The public feud has also resulted in the takedown of their GitHub and GitLab accounts. “Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour,” security researcher Kevin Beaumont said .
“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said in an X post. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.” “We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products.” Update When reached for comment, a Microsoft spokesperson shared the below statement with The Hacker News - Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible.
Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public. (The story was updated after publication to include a response from Microsoft.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS
Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers ( Protobuf ), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks. “In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution,” Cyera security researcher Assaf Morag said . The vulnerabilities have been codenamed Proto6 . Protobuf is a free and open-source, language-agnostic mechanism for serializing structured data.
It was originally developed and used internally by Google before it was made publicly available in 2008. The identified vulnerabilities affect Node.js applications that use protobuf.js, Google Cloud client libraries, messaging frameworks like Baileys , and CI/CD pipelines. Per Cyera, any Node.js service that deserializes Protobuf data or generates code from schemas with protobuf.js is likely impacted as well. A brief description of each of the flaws is below - CVE-2026-44289 (CVSS score: 7.5): DoS through unbounded protobuf recursion CVE-2026-44290 (CVSS score: 7.5): Process-wide DoS when loading schemas with unsafe option paths CVE-2026-44291 (CVSS score: 8.1): Code generation gadget after prototype pollution CVE-2026-44292 (CVSS score: 5.3): Prototype injection in generated message constructors CVE-2026-44294 (CVSS score: 5.3): DoS from crafted field names in generated code CVE-2026-44295 (CVSS score: 8.7): Code injection in pbjs static output from crafted schema names Cyera said all the vulnerabilities stem from the library’s handling of schema and metadata as trusted by default.
This validation oversight could influence application behavior and lead to code execution. “While exploitation of these vulnerabilities generally requires specific conditions, those conditions are increasingly common in data and AI ecosystems that routinely exchange data, schemas, and configuration files across services, repositories, cloud platforms, and third-party integrations,” Morag noted. In a potential attack scenario, a bad actor could introduce a malicious protobuf schema to poison CI/CD workflows, leaking build secrets in the process (CVE-2026-44295), or crash Node.js services such as WhatsApp bots built using Baileys, a WhatsApp Web API automation TypeScript library, by means of a specially crafted message (CVE-2026-44292). The most severe of the lot is CVE-2026-44291, which results in code execution when a Node.js application accepts attacker-controlled input.
“That input reaches a prototype pollution gadget,” security researcher Vladimir Tokarev explained . “Later, the same process uses protobuf.js to encode or decode a message. Because protobuf.js resolves type names through plain property lookups, a polluted Object.prototype can make an attacker-controlled string look like a valid protobuf primitive.” “Protobuf.js then inserts that string into a generated encoder or decoder function and compiles it with Function(). The attacker gets arbitrary JavaScript execution inside the Node.js process.” The following versions of the tool are vulnerable - protobuf.js: versions <= 7.5.5 and >= 8.0.0 <= 8.0.1 protobufjs-cli: versions <= 1.2.0 and >= 2.0.0 <= 2.0.1 Patches for the flaws are available in protobufjs 7.5.6 and 8.0.2, and protobufjs-cli 1.2.1 and 2.0.2.
Users are advised to apply the latest fixes to safeguard against potential threats. “Because protobuf.js is heavily used inside databases, vector stores, inference pipelines, orchestration systems, CI/CD tooling, and cloud SDKs, successful exploitation could impact sensitive enterprise and AI workloads at scale,” Cyera said. “Modern software increasingly treats schemas, metadata, and configuration files as trusted inputs that drive automation, orchestration, and code generation. When those trust assumptions break, data can become behavior.
That shift creates new attack surfaces that security teams must learn to identify and manage.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Meta to Use Off-Site Business Data for Feed and AI Personalization
Meta on Tuesday announced that it will use information shared by other businesses to personalize users’ feed and responses from its artificial intelligence (AI) chatbot, expanding its scope beyond targeted ads. “Businesses often share information about people’s activity on their sites with us to make ads more relevant,” Meta said in a statement. “We already use this data - like games you play or purchases you make on other websites - to make the ads you see more relevant. In the future, we’ll use this information to personalize other parts of your experience, including the content you see in your Feed and AI responses.” The social media giant emphasized that it’s not collecting any new data as part of the update, adding users are in the driver’s seat and that they get to decide how this information is used for personalization.
To that end, Meta is streaming its controls by expanding the “Activity from other businesses” setting (formerly “Activity information from ad partners”) to better manage how data from other businesses are used for this purpose. The setting “Your activity off Meta technologies” will be discontinued. “If you allow us to use this data to show you personalized content, the ads and other content you see will be more relevant,” the company said. “For example, if you’ve recently purchased a tent online, you might see more Reels about camping.” However, if users don’t allow it, the content shown will be based on other activity on its platforms, such as liking a reel or post.
It’s worth pointing out that businesses can also share customer lists with Meta
- e.g., those that have signed up to receive emails - who are then served relevant ads. Meta said the new option allows users to manage how the data is used to serve both ads and non-ad content. The change is expected to go into effect in the U.S. and a number of other countries, including the U.K., Brazil, Thailand, South Africa, Turkey, South Korea, Ecuador, Nigeria, and Kenya, starting next month.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.