itsnetsec retweeted
May 19
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
itsnetsec retweeted
A lot of people have been wondering about Mythos, Glasswing, and the vulns we / our partners are fixing. Today, I’m excited for us to start sharing more. (For context, I lead Glasswing @AnthropicAI.)

Two independent evaluations this week—from XBOW and the UK AISI—confirm what we've been seeing internally: Claude Mythos Preview is a step change in autonomous cybersecurity capabilities. We need to start preparing fast for a world of models with this level of capabilities.

The UK AI Security Institute tested the model we shipped at the launch of Project Glasswing and found Mythos Preview is the first model to solve both of their end-to-end cyber ranges, including one (Cooling Tower) which no model had ever cleared. But attackers (and defenders) have sophistication & cost constraints – Mythos is also the only model that clears every one of their tasks estimated over 8 hours under their deliberately low 2.5M-token cap.

XBOW tested it on their offensive security benchmarks, finding "token-for-token, unprecedented precision." It's the only model to succeed at subtle V8 sandbox work.

Other Glasswing partners shared similar stories. In a few weeks of testing, Mythos Preview has helped them find many thousands of (estimated) high critical severity vulnerabilities, sometimes double what they'd normally find in a year.

I don't share this to boost Mythos. In fact, this is not about Mythos. It’s about preparing for the coming world of models being better, faster, cheaper, and more creative than some of the best human experts at dual use capabilities. Clearly, we need them supporting defenders as widely as can be done safely – and especially the least resourced ones.

Within a year, Mythos will probably look quite dumb (relative to other new models). And others may release openly available or unguardrailed models of Mythos-level capabilities. We started Project Glasswing because capabilities like Mythos Preview's won't stay rare, or stay in careful hands. We are bringing it to defenders as fast as we responsibly can, while working to figure out, for example, the right safeguards and patching & disclosure processes. Also, to be clear, compute has never been a limiter in our rollout.

Expect a fuller update on our Glasswing work in the coming days.

XBOW report: xbow.com/blog/mythos-offensi…
UK AISI report: aisi.gov.uk/blog/how-fast-is…
Replying to @AISecurityInst
Our cyber range results illustrate this step-up. Since our first Mythos evaluation, we received access to a newer Mythos Preview checkpoint. On a 32-step corporate network attack we estimate takes a human expert ~20 hours, this checkpoint completes the full attack in 6/10 attempts.
itsnetsec retweeted
We’ve released Next.js versions 16.2.6 and 15.5.18 with important security fixes. These fixes address multiple vulnerabilities across high, moderate, and low severity, including one upstream React issue. We strongly recommend upgrading as soon as possible. ⬇️
itsnetsec retweeted
Managing API keys is one of the top security concerns we hear from customers. Today we’re introducing keyless auth for Claude Platform: authenticate via browser with the CLI, or let workloads use their existing cloud identity (AWS, GCP, Azure, or any OIDC token provider).
itsnetsec retweeted
Howdy folks! Taking a break from my twitter break to let yall know that we released a new @GreyNoiseIO product yesterday. It's called Project Swarm. We've been quietly not-so-quietly working on it for a few years. You can buy it now. It costs $1.

There are lots of vulnerabilities on edge-facing apps. To catch in-the-wild exploitation of them, we @ GreyNoise run sensors on the internet. New AI models means more vulnerabilities being identified and exploited, and FASTER. Long term, software and hardware will probably get better, but in the meantime we're gonna have to deal with A LOT of vulnerabilities.

At GreyNoise, the sensors we run are basically honeypots- we bait attackers to scan and exploit them which enables us to learn where the attackers are, which vulnerabilities they are exploiting, what it drops, and what it looks like on the wire. From ~2020-now it took us years to build up our fleet.

Now anyone can use our new product to deploy their own sensors on their own networks, or an entire fleet of any size, in a day. You can rip back the data and do whatever you want with it. You can resell it, put it into your product, or just stare at it- whatever you want! On our side, we aggregate the data and pour it into a community dataset that everyone shares. As more people join, the data gets bigger and better.

Couple neat features:
- Sensor deployment is a single bash command on any modern linux distro that supports iptables and wireguard.
- Sensors and vulnerable software (profiles) are abstracted into different logical concepts, which means the "what" and "where" are different things, and the sensor is not constrained by the compute required to run the vulnerable software. Also, no matter how hacked the profile (honeypot) gets, it can't touch your host sensor or the rest of your network.
- Sensors can run fake honeypots, real software, or even real hardware (bridged with a raspberry pi) like old crappy routers and modems (or expensive firewalls and VPN gateways 👀)
- You can create dynamic blocklists that block IPs sourced from your own sensors in real time, so if a remote IP address *looks at your network* the wrong way, you block them instantly.
- All the PCAP data is available to you in a gorgeous and intuitive interface at near real time and fully enriched against all of our (thousands of) rules. We're working on the host metadata (malware, syscalls, host behaviors) as well, but this will come later.
- If we don't tag a CVE that's interesting to you, you can write a Suricata rule to tag it yourself once and your data gets tagged with it in real time forever.
- You can instantly download PCAPs of any exploits that hit your sensors.
- If you don't want your data shared with the community dataset, you can talk to our team and we'll work out rights to make it private.

Check it out! There's a lot of moving pieces to make this work and we expect bugs, but it's available right now. Join the fight! greynoise.io/project-swarm
itsnetsec retweeted
Google DeepMind dropped a paper that should scare every agent builder. It's the first systematic framework for a threat that barely existed two years ago: adversarial content engineered to hijack AI agents browsing the web. They call them AI Agent Traps. The paper maps six distinct attack surfaces.

1) Content Injection Traps (perception)
Invisible CSS, hidden HTML, steganographic payloads inside images. The agent parses it, humans never see it. One study showed simple HTML injections hijack web agents in up to 86% of scenarios.

2) Semantic Manipulation Traps (reasoning)
No overt commands. Just biased phrasing, framing, and contextual priming that skew the agent's synthesis. LLMs inherit human cognitive biases, and attackers can weaponize every one of them.

3) Cognitive State Traps (memory and learning)
Poison the RAG corpus. Corrupt long-term memory. One study achieved over 80% attack success with less than 0.1% poisoned data.

4) Behavioural Control Traps (action)
Jailbreaks embedded in external resources. Data exfiltration prompts hidden in emails. Sub-agent spawning that tricks an orchestrator into instantiating attacker-controlled agents inside the trusted control flow.

5) Systemic Traps (multi-agent dynamics)
This is where it gets scary. A single fake news headline could trigger a synchronized sell-off. A compositional fragment trap splits a payload across sources, so each fragment looks benign until agents aggregate them.

6) Human-in-the-Loop Traps
The agent becomes the vector. The target is you. Invisible prompt injections have already caused summarization tools to faithfully repeat ransomware commands as "fix" instructions.

The core insight is uncomfortable. By altering the environment instead of the model, attackers weaponize the agent's own capabilities against it. Training-time defenses cannot solve an inference-time problem.

The paper closes by calling for automated red-teaming that can probe these vulnerabilities at scale. That same shift is already happening on the offense side. Strix is an open-source project doing exactly this for web apps. AI agents that act like real hackers, running your code dynamically, finding vulnerabilities, and validating them with actual proof-of-concepts. 24k stars on GitHub. Apache 2.0 licensed.

The agents writing your code need to be tested by agents trying to break it. I've shared the link to the paper and Strix GitHub repo in the replies
itsnetsec retweeted
> Not really real ShinyHunters
> Claims to have compromised Vercel
> Real ShinyHunters say "wtf that's not me"
> Impersonator ShinyHunters says stole source code, customer data, databases etc
> Vercel makes security bulletin
> Announces compromise
> Real ShinyHunters "wtf that's not us tho fr"

1. WHO EXTORTS SOMEONE ON A SUNDAY
2. 200iq move to blame ShinyHunters for compromise
3. 400iq move if ShinyHunters made fork of ShinyHunters claiming to be impersonator ShinyHunters to convince everyone the fake ShinyHunters are impersonating ShinyHunters, but it was actually ShinyHunters being the fake ShinyHunters all along
4. Lots of cybercrime drama right now, but ITS SUNDAY. Dawg, WAIT UNTIL LIKE TUESDAY OR SOMETHING. Smdh
Apr 19
We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/verce…
itsnetsec retweeted
Technical report released: The AI-Assisted Breach of Mexico’s Government Infrastructure gambit.security/blog-post/a-…

itsnetsec retweeted
I'd like to apologize to my colleagues for not sharing the IoCs.
Yeah, so pretty much this cpuid.com malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.

This appears to only impact HWMonitor 64bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this, this is just when people began noticing and discussing it online.

From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. However, I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I can see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, between this it does a bunch of other stuff too.

1. They (an unknown Threat Actor) compromised cpuid.com to deliver malware from HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used from a previous malware campaign targeting FileZilla in the beginning of March, 2026 initially reported by Malwarebytes.
2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.
3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).
4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via PowerShell (LOLBIN nonsense).
5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.
6. Almost everything it does is performed in-memory.

I would have to go through this and manually bonk all of this stuff with a stick and determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.

2 points for IElevation COM Interface credential dumping
1 point for inline PowerShell CLI DLL compilation
1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
2 points for website compromise and supply chain attack
1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign

Overall I give this malware a B-. This is pretty good malware.
itsnetsec retweeted
eSentire TRU reports finding EtherRAT, a Node.js-based backdoor, in a retail environment in March. It collects host data & steals cryptocurrency wallets & cloud credentials while using Ethereum smart contracts to fetch & rotate C2 addresses via EtherHiding esentire.com/blog/etherrat-s…
itsnetsec retweeted
New blog on a previously undocumented RAT that we're tracking as #STXRAT - HVNC, credential theft, loader, X25519 ECDH key exchange between the C2 and victim w/ Ed25519 signature for verification to prevent C2 spoofing, AMSI Ghosting, Salted SHA-1 export hashing 🔥 esentire.com/blog/stx-rat-a-…
itsnetsec retweeted
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!
itsnetsec retweeted
Google meet recording.
I would be interested in seeing data that supports the idea that DPRK workers are stopped dead in their tracks upon being required to insult Kim.
itsnetsec retweeted
🚨#Tycoon2FA update @esthreat observed ProxyLine (RU proxy service) relaying phishing logins targeting M365 & Gmail accounts. They also query ipinfo/geojs/ipapi to redirect vendor traffic (Microsoft, Google, etc) to legit sites to hide their phishing pages. tinyurl.com/tycoon2FA
itsnetsec retweeted
The Wire has a nice quote re supply chain and Infosec
itsnetsec retweeted
npm security on the case, both malicious axios versions have been unpublished!
itsnetsec retweeted
Now let's talk attribution. @DefSecSentinel quickly pointed to DPRK 🇰🇵. Remarkable similarities to WAVESHAPER / UNC1069
Analysis of the macho malware used in the Axios supply chain compromise gist.github.com/joe-desimone…
itsnetsec retweeted
New blog is out! Deep dive into a suspected North Korean APT deploying #DEVPOPPER RAT (Node.js) and #OmniStealer (Python). Excellent resource for those interested in deobfuscation methods on highly obfuscated JavaScript and DPRK APT TTPs! esentire.com/blog/north-kore…