Cybersecurity News: Claude Mythos Preview’s capabilities, Anodot breached companies face extortion, wolfSSL flaw enables forged certificates

In today’s cybersecurity news…

Claude Mythos Preview’s cyber capabilities

The AI Security Institute reports that Claude Mythos Preview shows a significant jump in cyber capabilities, successfully completing advanced capture-the-flag tasks and autonomously executing multi-step attack simulations that previously required days of human work. The model solved a 32-step simulated enterprise attack in 30% of runs and outperformed prior systems, though tests were conducted in simplified environments without real-world defenses. The results highlight growing risks from AI-assisted attacks on weak systems and make stronger security practices and defenses increasingly urgent. (AI Security Institute)

Anodot hack leaves breached companies facing extortion

Attackers linked to ShinyHunters breached business monitoring software maker Anodot, stealing authentication tokens to gain access to customer cloud data and exposing more than a dozen companies to extortion threats. The attackers used the tokens to pull sensitive data from cloud storage platforms like Snowflake, prompting access shutdowns after unusual activity was detected. One affected customer, Rockstar Games, claims the breach had no material impact on its operations. (TechCrunch)

wolfSSL library flaw enables forged certificate use

A critical vulnerability in the wolfSSL library allows improper validation of cryptographic signatures, letting attackers forge certificates and impersonate trusted servers or connections. The flaw affects multiple signature algorithms and could weaken authentication across billions of devices, particularly in embedded and IoT systems. It has been patched in version 5.9.1, and organizations are urged to update quickly to prevent exploitation. (BleepingComputer)

APT41 delivers ‘zero-detection’ backdoor

Researchers at Breakglass Intelligence report that China-linked APT41 is deploying a “zero-detection” Linux backdoor to steal cloud credentials across Amazon Web Services, Google Cloud, Microsoft Azure, and Alibaba Cloud environments. The malware uses SMTP-based command-and-control and typosquatted domains to evade detection while extracting credentials from instance metadata services for lateral movement and privilege escalation. The tooling reflects years of development toward cloud-native attacks, and researchers warn that stolen credentials can grant attackers broad access, so stronger monitoring, logging, and access controls are needed to contain intrusions. (Dark Reading)

Huge thanks to our sponsor, Conveyor

Three tools to manage customer security reviews is two too many.
Most teams start with a trust center, bolt on a questionnaire tool, and end up with a knowledge base nobody trusts and a Slack channel full of sales pings anyway.
Conveyor replaces all of it. Trust center, questionnaire automation, self-serve for sales, AI-managed knowledge library, one platform.
Companies like Atlassian and Zapier already made the switch. See why at conveyor.com.

FBI and Indonesian police dismantle W3LL

The Federal Bureau of Investigation and Indonesian police dismantled the W3LL phishing network, arresting its alleged developer and seizing infrastructure tied to more than $20 million in fraud attempts. The W3LL toolkit functioned as a full-service phishing platform, letting attackers mimic login pages, steal credentials, bypass MFA using adversary-in-the-middle techniques, and resell access to more than 25,000 compromised accounts. Researchers including Group-IB say the operation supported hundreds of threat actors globally, with activity continuing via encrypted channels even after its marketplace shut down. (The Hacker News)

Mailbox rule abuse emerges as stealthy threat

Proofpoint researchers report a rise in attackers abusing Microsoft 365 mailbox rules as a stealthy post-compromise tactic, with about 10% of breached accounts in late 2025 seeing malicious rules created within seconds of access. These rules hide alerts, forward sensitive data, and manipulate email threads to enable fraud like business email compromise while remaining largely undetected. Because the rules can persist after password resets and be deployed at scale, researchers warn they create durable access and recommend tighter controls on forwarding, MFA, and account monitoring. (Infosecurity Magazine)
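As an added illustration of the detection side of this story (not code from Proofpoint or the original post), the script below runs simple inbox-rule checks over a few constructed, simplified Microsoft 365 audit-log-style records: external forwarding, rules that hide messages matching sensitive keywords, near-empty rule names, and rule creation within seconds of a login. The parameter names (ForwardTo, RedirectTo, DeleteMessage, etc.) are real New-InboxRule parameters; the record shape and sample values are assumptions for the example.

```python
from datetime import datetime

# Constructed sample records loosely modelled on M365 audit log entries (not real data).
EVENTS = [
    {"time": "2025-11-03T08:14:02Z", "user": "cfo@example.com", "op": "UserLoggedIn", "params": {}},
    {"time": "2025-11-03T08:14:09Z", "user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "archive@evil-example.net",
                "SubjectContainsWords": "invoice;payment", "DeleteMessage": "True"}},
    {"time": "2025-11-03T09:30:00Z", "user": "hr@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading",
                "FromAddressContainsWords": "news@example.com"}},
]

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain (subdomains not handled)
SUSPICIOUS_WORDS = {"password", "invoice", "payment", "security alert", "wire"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")   # real New-InboxRule params
HIDE_KEYS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")           # actions that bury mail

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def rule_findings(event, last_login, window_seconds=60):
    """Return a list of reasons this New-InboxRule event looks malicious (empty if none)."""
    p = event["params"]
    findings = []
    for key in FORWARD_KEYS:                      # forwarding/redirecting outside the tenant
        target = p.get(key, "")
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(f"external {key}={target}")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w}
    hidden = words & SUSPICIOUS_WORDS
    if hidden and any(k in p for k in HIDE_KEYS):  # deletes/moves mail about money or security
        findings.append("hides messages matching " + ",".join(sorted(hidden)))
    if not p.get("Name", "").strip(" ."):           # attackers often use "." or blank names
        findings.append("near-empty rule name")
    if last_login and (parse_time(event["time"]) - last_login).total_seconds() <= window_seconds:
        findings.append(f"created within {window_seconds}s of login")
    return findings

def detect(events):
    """Correlate logins with rule creation per user and return (user, findings) alerts."""
    last_login, alerts = {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["op"] == "UserLoggedIn":
            last_login[e["user"]] = parse_time(e["time"])
        elif e["op"] == "New-InboxRule":
            f = rule_findings(e, last_login.get(e["user"]))
            if f:
                alerts.append((e["user"], f))
    return alerts

if __name__ == "__main__":
    for user, reasons in detect(EVENTS):
        print(user, "->", "; ".join(reasons))
```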

Bain & Co vulnerability exposed

A hacker from CodeWall accessed an internal AI tool used by Bain & Company by exploiting credentials exposed in public code, gaining visibility into thousands of chatbot conversations tied to client analysis. The breach took minutes and could have enabled impersonation of employees via exposed tokens, though Bain says no sensitive client data or core systems were at risk and the issue was quickly fixed. This follows similar recent vulnerabilities at McKinsey & Company and Boston Consulting Group. (Financial Times)

OpenAI’s Mac apps need updates

OpenAI said its macOS apps require updates after a supply chain attack compromised the widely used Axios library, which was briefly infected by a North Korean group after the group hijacked a maintainer’s accounts. A GitHub workflow used for app signing downloaded the malicious package, prompting OpenAI to revoke and rotate certificates despite finding no evidence of data access or system compromise. The company fixed the misconfiguration, is working with Apple to prevent abuse, and warned that older macOS app versions will stop working once the certificate is fully revoked. (CyberScoop)