Risky Bulletin Newsletter
May 25, 2026
Risky Bulletin: Mythos found thousands of critical bugs
Written by
News Editor
This newsletter is brought to you by Sondera. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.
Six weeks after it launched Project Glasswing and its Mythos cybersecurity model, Anthropic says researchers and partners have found more than 23,000 vulnerabilities across more than 1,000 open-source projects.
Analysis is still ongoing, but the company claims that more than a quarter (6,202) of the found bugs (23,019) received or are suspected of having a high or critical severity rating, confirming they are real issues and not just random vulnerability scanning chaff.
More than 1,500 of these critical bugs have been confirmed to be legitimate issues and almost 100 have already received patches. Anthropic expects the 1,500 confirmed figure to go as high as 3,900.
Anthropic says the public will learn more of Mythos' success as time passes, vulnerability disclosure deadlines expire, and details are published by vendors and project maintainers.

All of this vulnerability scanning is part of what Anthropic calls Project Glasswing, an initiative to allow a select number of companies and vetted security researchers access to its new and highly advanced Mythos cybersecurity model so they can scan open and closed-source software that underpins today's internet.
The project launched in early April and has already garnered positive reviews from whoever got to use it. The UK government, Mozilla, Palo Alto Networks, Cloudflare, and Oracle all gave it the thumbs up over the past month.
Governments, intelligence agencies, banks, and other private-sector organizations have all started courting Anthropic to gain access to the model so they can scan their own networks and software and patch them before adversaries start using AI to find and exploit the same bugs.
In the meantime, unleashing Mythos and other similar models on the open-source ecosystem has reminded everyone just how underfunded the entire sector really is. Project maintainers left and right are slowly getting flooded and getting angry.

While the orgs that got Mythos access are mature enough to validate their bugs before submissions, the bug bounty ecosystem is not and is wearing everyone's patience thin. Several bug bounty programs have either been shut down or banned AI-written reports altogether.
As for patches, developers would gladly ship them, but sorting through all the gen-AI-written bug reports is so time consuming that we may soon start to see delays in patching due to long triage times.
On top of this, you also have security firms developing their own AI models and just dumping zero-days online just for some clicks and headlines. (You know who you are!)
As a whole, the cybersecurity industry is truly changing due to AI. Processes that have been established through years of stepping on garden rakes are being phased out or bypassed altogether.
Capture the flag competitions and public bug bounty programs are seeing their last days, as others more attuned to the industry than me have also noted, but something else is also dying that I cannot put my finger on or properly express.
It could be the feeling that at least some well-maintained software was safe to use. Maybe it was a fake feeling that I used to have because I was stupid and naive.
There's now a feeling of uncertainty and not knowing how the pieces fall back together, or even if they fit anymore. Maybe I'm a negative person, but I don't see the open-source community being able to cope with all that's about to hit them, and I for sure don't trust the commercial vendors to… even care.
This is not a good change? If the bottleneck is patching then we're becoming less secure www.anthropic.com/research/gla...
— Jacob Aron (@jjaron.bsky.social) May 23, 2026 at 12:29 AM
This sounds impressive but I really need to know more. Surely Mythos isn't running on live bank customer data?
— Jacob Aron (@jjaron.bsky.social) May 23, 2026 at 12:30 AM
Anthropic's solution to the problem it has created is "idk guys, work harder I guess 🙃"
— Jacob Aron (@jjaron.bsky.social) May 23, 2026 at 12:34 AM
"AI is now driving both the production and consumption of open source software. AI-generated music ends in human ears, and AI-generated images mostly benefit humans, but AI-generated software is an ouroboros (a snake eating its own tail) which is just getting started." - @staltz.com
— Sarah Gooding (@sarahgooding.bsky.social) May 23, 2026 at 11:04 PM
Risky Business Podcasts
In this episode of Risky Business Features, Ollie Whitehouse, the CTO of the UK’s National Cyber Security Centre, joins Patrick Gray and James Wilson to talk about why “patch faster” will only get organisations so far in the face of the AI "bugpocalypse."
Breaches, hacks, and security incidents
Hackers breach and leak SDA data: Hackers have breached and leaked sensitive documents from the Social Design Agency, a Russian disinformation group. The documents were shared with selected journalists and contain details about current disinformation operations running in Armenia, France, Ukraine, Germany, Moldova, and Norway. Most of the campaigns aimed to stir hate towards migrants, blame Ukraine for current economic difficulties, and support far-right political groups. The group operated fake news sites, organized local protests, and ran sabotage activities under false flags. The leaked SDA files also exposed the names of local collaborators, such as a retired US General, a former Bundestag member, a Romanian oligarch, and many more. [FIP // OCCRP // Le Monde // Aktual24 // RFI]
Vietnam investigates government breach: The Vietnamese government is investigating breaches of two unnamed agencies. The compromised networks store the data of millions of citizens. Investigations began last Thursday after the breaches initially went undetected. [VietnamNet]
RetoSwap crypto-heist: Hackers have stolen $2.7 million worth of Monero from anonymous trading platform RetoSwap. The hack took place last week and tricked the platform into changing a multisig wallet for one controlled by the hackers. RetoSwap runs on the Tor network and is one of the very few anonymous Monero trading hubs. [RetoSwap // Quickex]
StablR crypto-heist: Hackers have stolen $2.8 million worth of tokens from the StablR platform over the weekend. [StablR // Yahoo Finance]
Hacker returns Verus funds: The Verus cryptocurrency platform has stopped an investigation into a recent hack after the attacker returned 75% of the stolen funds. The company has confirmed it received $8.5 million of the $11.6 million stolen last week. Verus claims it allowed the attacker to retain the rest in the form of a bug bounty payment. Nice legal semantics! [Verus // The Crypto Times]
China tracks visiting foreigners: An internet-exposed dashboard has revealed a secret Chinese program for tracking foreigners visiting the country. The dashboard tracks their movements, who they come into contact with, and regular acquaintances. Data is being pulled from security cameras, facial recognition systems, and ID scanners. The portal is branded with official government insignia but appears to have been built by contractors. The platform is one of many similar insecure dashboards exposed online by Chinese tech startups. [NetAskari // The Telegraph]

General tech and privacy
Companies pledge to LVFS: Three of the world's largest tech companies have pledged to support the Linux Vendor Firmware Service. The service aggregates drivers and firmware updates for the Linux ecosystem. Dell, HP, and Lenovo have committed to contributing $100,000 per year to help keep the portal running. [Phoronix // It's FOSS]
GitHub rolls out new npm security measures: GitHub has rolled out a new security feature for the npm ecosystem designed to counter the spread of the Shai-Hulud worm attacks. The new Staged Publishing feature will require developers to manually approve every new package release through a 2FA challenge. The company has also invalidated all previous npm granular access tokens that allowed Shai-Hulud worms to bypass two-factor authentication on npm. GitHub has urged developers to also adopt Trusted Publishing workflows, which use cryptographic proofs and much shorter-lived tokens for any automated workflows. [GitHub // GitHub]
A huge milestone for npm securing the largest development supply chain in the world. Setting the stage with Staged publishing, npm maintainers can now review and approve before an npm package is made public 🎉🥳💥 github.blog/changelog/20...
— saquibkhan.bsky.social (@saquibkhan.bsky.social) May 22, 2026 at 11:26 PM
AI is killing package repos: The npm package repository is seeing increased activity and is close to breaking the 100,000 barrier for new packages published in a month. Clues suggest that almost a third of these are created by or with the help of an AI agent. Despite the surge in new submissions, around 10,000 of all npm entries have more than 100 weekly downloads. [Socket Security]

Data centers devour 2% of all electricity: Data centers are now consuming 2% of all of the world's electricity. The US is by far the world’s largest data center location, with 43% of global consumption. US data centers are now using 6% of all of the US electric power. [International Data Center Authority]

Government, politics, and policy
Gabbard resigns: Tulsi Gabbard has resigned from the role of US Director of National Intelligence. Gabbard cited her husband's cancer diagnosis as the reason. Her resignation is effective June 30. [BBC]
Unsigned AI security EO leaks: The executive order that President Trump almost signed last week to impose new security rules on AI models has been leaked. The White House backed down on signing the EO after some major lobbying from the US AI brotech league. [Politico]
US goes MAX wild: Last month, the White House launched an official app to share recent news and decisions from the Trump administration. The White House has now ordered agencies to forcibly install the app on all employees' work phones. That's one way to find government leakers, I guess. [Government Executive]
Malaysia bans under-16s from social media: The Malaysian government has banned children under the age of 16 from social media. Online platforms will be required to implement the bans. They will also have to roll out measures to verify online advertisers and label manipulated content. Platforms will have a grace period to roll out the changes, but the government didn't say how long. [Reuters]
Sponsor section
In this Risky Business sponsor interview, James Wilson chats with Sondera CEO Josh Devon about why guardrails and instruction files aren’t enough to keep AI agents from going haywire. EDR, DLP and other traditional controls can't and won't prevent agents from going rogue. Josh explains Sondera’s “principle of least autonomy” for agents: let them do useful work, but put them in a deterministic policy harness so they can’t leak secrets, abuse tools or wander off-task.
Arrests, cybercrime, and threat intel
MirHosting and WorkTitans raided: Dutch authorities seized more than 800 servers owned by two bulletproof hosting providers on Friday. MIRHosting and WorkTitans allegedly hosted server infrastructure for Russian hackers and disinformation operations. The two companies were part of THE.Hosting group, a rebrand of the old Stark Industries provider that was sanctioned in both the US and EU. The owners of both companies were arrested in Amsterdam and the Hague. They were identified as Andrey N., a Russian pianist who owned MIRHosting, and business consultant Youssef Z., who owned WorkTitans. [FIOD // deVolkskrant // Correctiv]
MirHosting and WorkTitans B.V. have been disrupted by the Netherlands FIOD.
800 servers were seized and two individuals arrested.
It was common knowledge that these entities were fronts for the sanctioned Stark Industries Solutions.
Happy to see this happening 👍
Links below
— Gi7w0rm (@Gi7w0rm) May 22, 2026
Romance scammers arrested in Thailand: Thai police have arrested six Nigerian nationals for their involvement in a romance scam scheme. The suspects were detained on Friday in three luxury condominiums in Nonthaburi, near Bangkok. The three used AI tools to pose as successful Western men and target older Thai women. Police said the suspects entered the country on student visas but never enrolled or attended any universities. [Leadership.ng]
Two phishers arrested in the Netherlands: Two Dutch nationals were arrested last week for selling ready-made phishing templates. The phishing pages imitated the login screens of various European banks. Both suspects are from Bergschenhoek and aged 23. [Dutch Police]
US, Canadian police work with scam baiters: US and Canadian police worked with a group of scam baiters to prevent victims from falling for online scams. The project prevented scammers from stealing more than $30 million over the past ten months. The largest loss prevented was in the US, where authorities blocked a $4 million scam. [Edmonton Police]
Russian granny hosted SIM box: Scammers have tricked a Russian 80-year-old woman into hosting a SIM box for them as a way to pay back a fictitious debt. [TatPressa]
CINEMAGOAL takedown: Italian police have seized the infrastructure of a mobile piracy app named CINEMAGOAL. [Italy's GDF]
ROADtools abuse: Threat actors have adopted the ROADtools open-source Azure red-team framework for attacks on Azure cloud infrastructure. Don't be shocked now! [Palo Alto Networks // ROADtools]
Supply chain attack targets Laravel devs: Hackers have compromised an open-sourced project that provides localization support for the Laravel PHP framework. Attackers gained access to the Laravel Lang organization and inserted an infostealer in the project's libraries. More than 100 past package versions have been compromised and are still live. [Aikido Security // Socket Security // Snyk // Step Security]
Today, an attack also hit a major PHP project. If you think supply chain attacks are only a JS, you’re very wrong. Docker and CI are attacked constantly. All package managers are vulnerable in roughly the same way. socket.dev/blog/laravel...
— Andrey Sitnik (@en.sitnik.es) May 23, 2026 at 1:32 PM
Malware technical reports
New RondoDox attacks: The RondoDox IoT botnet is now targeting ASUS through an old 2018 bug tracked as CVE-2018-5999. [VulnCheck]
Botnet targets Ollama servers: A new botnet is targeting Ollama servers to deploy cryptominers and backdoors. [Akamai]
Sponsor section
In this edition of the Snake Oilers podcast, Sondera's Josh Devon talks about Sondera technology designed to intervene when AI models start doing the wrong thing by statefully tracking their trajectories. This isn't a permissions suite for AI agents, it's a way to stick agents in a harness and make sure they adhere to hard policy boundaries.
APTs, cyber-espionage, and info-ops
DPRK campaign linkage: Krypt3ia takes a top-down look at DPRK cyber operations, from espionage to its obsession with crypto-theft operations. [Krypt3ia]
Void Dokkaebi's InvisibleFerret update: The Void Dokkaebi APT, aka Famous Chollima, has migrated its InvisibleFerret infostealer from Python to Cython. [Trend Micro]
"The update gives the intrusion set an additional layer of evasion while preserving InvisibleFerret’s core capabilities, including backdoor access, browser credential theft, clipboard monitoring, keylogging, and cryptocurrency wallet targeting."
Lazarus' RemotePE: Last year, Fox-IT saw North Korean hackers deploy three new RATs in their recent hacking campaigns. The company now takes a deeper look at one of them, named RemotePE. [Fox-IT]

Cloud Atlas: Here's another report on the evolution of the Cloud Atlas APT and its very likely Ukrainian origin. [Kaspersky]
Red Lamassu: A suspected Chinese APT group has hacked telecom providers in the Middle East and Southeast Asia. The attacks were linked to a group known as Red Lamassu, or Calypso. The campaign used a new Linux malware family named Showboat. Confirmed victims include an Afghanistan ISP and an unknown entity in Azerbaijan. [Lumen // PwC]
APT28 higher-up gets a promotion: A higher-up from GRU Unit 26165, linked to the APT28 cyber-espionage group, was recently promoted pretty high up in the Presidential administration, and is now an aide to Sergei Shoigu in Russia's Security Council. [The Insider]
Patriot Bait campaign: Trend Micro has a funny report on how a single Russian-speaking individual ran a major five-year MAGA disinfo campaign that heavily relied on AI to publish pro-Trump propaganda. At one point, the individual started posting RAT-infected files on his Telegram channel, which he used to steal credentials and empty some crypto-wallets. [Trend Micro]
Iranian APT adopts SEO poisoning: An Iranian cyber-espionage group has adopted SEO poisoning as a malware delivery method. The Nimbus Manticore group has used fake Zoom websites and installers to deliver the MiniFast backdoor. The group has also adopted AI coding tools to help speed up its malware development cycles. The sudden diversification in tactics was spotted this year after the start of the US-Israel-Iran war. The group is also tracked as Screening Serpens, UNC1549, Smoke Sandstorm, and Iranian Dream Job. [Check Point // Palo Alto Networks]

Vulnerabilities, security research, and bug bounty
Security updates: LiteSpeed, Trend Micro, Ubiquiti.
Trend Micro zero-day: Trend Micro has patched a zero-day in its Apex One security solution. The vulnerability (CVE-2026-34926) is a path traversal bug that can allow attackers to modify files on Apex One servers. The modified files can then be rolled out to managed systems. Apex One servers have been targeted through zero-days for almost half a decade. [Trend Micro]
LiteSpeed zero-day: Hackers are exploiting a zero-day vulnerability in the LiteSpeed cPanel plugin to take over unpatched servers. Attacks were detected last week. The server maker released a security update two days after the initial reports. [LiteSpeed, CVE-2026-48172]
Drupal bug exploited in the wild: Hackers are exploiting a recently disclosed Drupal CMS vulnerability two days after the project warned about its severity. The bug was patched last Wednesday and active attacks began on Friday. The vulnerability is an SQL injection that impacts sites using PostgreSQL databases. It allows remote anonymous attackers to take over sites that failed to patch. Drupal admins warned that they expected proof-of-concept exploits to appear within hours or days after the patch was released. [CVE-2026-9082]
Ubiquiti fixes three 10s: American networking equipment vendor Ubiquiti released security updates on Friday to patch five vulnerabilities in its UniFi operating system. Three of the five vulnerabilities have a severity rating of 10/10 and can be exploited for device takeovers. More than 100,000 UniFi devices are currently reachable on the internet. [Ubiquiti]
Underminr technique: Threat actors are abusing flaws in CDN infrastructure to hide connections to malicious sites as legitimate traffic. The technique allows threat actors to list a legitimate site in the public SNI field of an encrypted HTTPS connection but use a malicious site as the actual destination inside the connection. Named Underminr, the technique is a variation of domain fronting. [ADAMnetworks]

FatGid vulnerability: After a wave of Linux LPEs being disclosed over the past weeks, we now have one in FreeBSD, this one with a special name of "FatGid." [Przemyslaw Frasunek]
GitHub bans Nightmare Eclipse: Microsoft has banned and deleted the GitHub account of Nightmare Eclipse, the researcher who disclosed several Windows zero-days (BlueHammer, GreenPlasma, RedSun, YellowKey, etc.) after Microsoft also deleted their MSRC account last year. The researcher has now moved to GitLab. [Nightmare Eclipse]
IBB cuts rewards: The Internet Bug Bounty program has cut rewards by up to 75%. The program was established in 2021 by several tech giants to sponsor bug reports and patches for popular open-source projects. The IBB has been paused since March as the program deals with an influx of AI-found bugs. [h/t Courtney C.]

Infosec industry
Threat/trend reports: Check Point, Cognyte, Digital.ai, F5, HP Wolf Security, IDCA, JFrog, and RSAC have recently published reports and summaries covering various threats and infosec industry trends.
New tool—Bumblebee: PerplexityAI has released Bumblebee, a read-only inventory collector for package, extension, and developer-tool metadata on macOS and Linux developer endpoints.
New tool—GhostType: Security researcher Roei Sherman has published GhostType, a scanner that extracts and verifies credentials from local AI conversations.
New tool—Workcell: Security researcher Omkhar Arasaratnam has open-sourced Workcell, a tool to run coding agents inside a bounded local runtime on macOS.
New tool—PhantomKiller: Red Team Fortress has released PhantomKiller, a BYOVD tool to abuse a Lenovo driver and terminate security tools.
New tool—Honeyslop: Security researcher Gadi Evron has open-sourced Honeyslop, a canary to detect and triage AI-hallucinated bug reports.
Risky Business podcasts
In this episode of Risky Business Features, Theori's Brian Pak and Andrew Wesie join James Wilson to discuss why the CopyFail exploit was publicly disclosed before Linux distributions had their patches ready.