CyberSecurity Updates

Mythos in the hands of attackers threatens a storm beyond the power of security teams to weather. Claude Security is designed to counter this. Anthropic’s Mythos AI model will not be the only frontier model able to compress the time-to-exploit to a meaningless number of minutes. Other foundation model developers will produce their own models with comparable capabilities – and these models will find their way into the hands of criminals and nation state adversaries.…

Read More

A critical-severity vulnerability in the open source AI gateway LiteLLM was exploited days after public disclosure to access database tables containing sensitive information, Sysdig reports. The security defect is described as an SQL injection during the proxy API key verification process and is identified as CVE-2026-42208, with a CVSS score of 9.3. In an April 20 advisory, LiteLLM’s maintainers explained that a database query used during key verification did not pass the caller-supplied value as…

Read More

CFOs and boards need to understand risk in financial terms. Insurance data can do this. Obtaining adequate cybersecurity budget from the board requires translating technical risk into business financial risk – an ability that is not always available to security technicians. Resilience, a firm that provides insurance, risk decision support and consultancy, can assist. Through its insurance service, Resilience can directly relate financial loss to specific cybersecurity events and their likely occurrence, allowing CISOs to…

Read More

Incomplete patch for a Windows SmartScreen and Windows Shell security prompts bypass created a new bug enabling zero-click attacks, Akamai reports. The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file. Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks. Now, Akamai…

Read More

A newly uncovered APT is relying on legitimate services for command-and-control (C&C) communication and data exfiltration, ESET warns. Tracked as GopherWhisper (PDF) and active since at least November 2023, the hacking group is operating out of China, as timestamp inspection of chat messages and emails has revealed. The APT came to the spotlight in January 2025, during the investigation into a Go-based backdoor found on the systems of a governmental entity in Mongolia, which led…

Read More