Cybersecurity News: CISA Palantir Director, EU tech sovereignty, SolarWinds Serv-U flaw

In today’s cybersecurity news…

Palantir executive considered for CISA leadership

Following up on a story we covered last week regarding DHS Secretary Markwayne Mullin’s comment about a possible director for CISA, two anonymous sources quoted by The Record suggest that Shyam Sankar, chief technology officer at Palantir Technologies, has emerged as a lead contender for the long-vacant director role at CISA. A White House official has disputed this announcement, saying there were no personnel announcements to make at this time. CISA has not had a Senate-confirmed chief since the departure of Jen Easterly in January 2025.

(The Record)

EU unveils tech sovereignty package to cut reliance on U.S., Chinese suppliers

As posted in The Record, “the European Commission proposed a sweeping set of laws and strategies this week aimed at reducing the European Union’s reliance on foreign technology, amid concerns that its long-standing tech dependencies are becoming a security vulnerability.” Describing it as “a major shift in how Europe approaches technological sovereignty,” the Commission’s tech lead Henna Virkkunen described two draft laws, a Chips Act 2.0 and a Cloud and AI Development Act. Currently, the EU relies on foreign countries for more than 80% of its key digital products, services, infrastructure and intellectual property.

(The Record)

Hackers now exploit SolarWinds Serv-U flaw to crash servers

CISA warned on Friday that hackers are “now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.” Serv-U is Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities for the secure exchange of files via HTTP/HTTPS, FTP, FTPS, and SFTP. SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday. The flaw, tracked as CVE-2026-28318, can be exploited by remote attackers without privileges in low-complexity attacks that don’t require user interaction.

(BleepingComputer)

Critical Everest Forms Pro flaw exploited to take over WordPress sites

This vulnerability in the Everest Forms Pro plugin, tracked as CVE-2026-3300, allows attackers to take complete control of a WordPress website without authentication. The issue affects versions 1.9.12 and earlier. Everest Forms Pro is a WordPress add-on used to create contact, registration, payment, and other custom application forms. Telemetry data from Wordfence shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.

(BleepingComputer)

Miasma worm attacks 73 Microsoft GitHub repositories

The ongoing self-replicating supply chain attack campaign hit Microsoft repositories “across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs,” according to OpenSourceMalware. The development has forced GitHub to disable access to those repositories. As opposed to being a standalone attack, this particular campaign involves the “re-compromise of the ‘durabletask’ PyPI package, which was infected by TeamPCP last month to deliver an information stealer on Linux systems.”

(The Hacker News)

Reports claim Anthropic engineers are helping the NSA use Mythos

The Financial Times is reporting that Anthropic has “placed six forward-deployed engineers inside the National Security Agency” to help the agency use Mythos for offensive operations. It is believed that its function is to assist in “infiltrating networks in countries like China or Iran,” although it is currently unclear if the Anthropic engineers are involved in live operations, or just customization and setup. This comes during a period of tension between Anthropic and the U.S. government, including a presidential order to the Pentagon to drop Claude from its systems by August.

(Security Affairs)

New ChatGPT lockdown mode limits data exfiltration tools

This new mode, being rolled out by OpenAI, is intended for personal accounts to reduce the risk of data exfiltration arising from prompt injection attacks. It has been specifically designed for “people and organizations that handle sensitive data and require stricter protection guarantees,” and is available to logged-in users across Free, Go, Plus, and Pro, and self-serve ChatGPT Business plans. Lockdown Mode works by “reducing the risk of data exfiltration from prompt injection attacks by limiting outbound network requests.”

Thwarted hackers now making house calls

Google’s Mandiant incident response team has released a warning about hackers appearing in person at businesses, masquerading as IT technicians. A data-theft and extortion gang named UNC3753 has “targeted dozens” of banks, law firms, and other professional services companies in the U.S. from January through May, using fake help desk calls and other social-engineering techniques to gain access to corporate IT environments. When the remote-deception methods don’t work, they will show up at victims’ physical offices, posing as IT technicians, and attempt to steal sensitive files using thumb drives. The FBI even posted a warning last month about this new tactic. The actors “claim to be IT support staff needing to image a device or create local backups for security reasons. If that line works, they plug a thumb drive into the victim’s computer and steal data the old-fashioned way.”

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.