Secure.com

540 posts

@Securedotcom

Digital Security Teammates that triage alerts, collect evidence, & close security gaps, so SOC teams move from alerts to resolution faster. Always on & ready.

Dubai, United Arab Emirates · Joined July 2025
80 Following · 68 Followers
Secure.com@Securedotcom·
If any of this looks familiar... The teams closing these gaps aren't buying more tools. They're building a layer that connects what they already have. See how → secure.com (8/8)
Secure.com@Securedotcom·
The average enterprise security team runs 45+ tools. Each one sees a slice of the environment. None of them talks to each other. More tools didn't close the gaps. They became the gaps. (7/8)
Secure.com@Securedotcom·
Every CISO we speak to has the same tools. Most of them have the same gaps. Here are 7 things keeping security leaders up at night.👇 (1/8)
Secure.com@Securedotcom·
@IntCyberDigest OpenAI's own write-up admits that hardening was in progress during deployment when the attack landed. The controls weren't missing; they weren't fully deployed yet.
International Cyber Digest@IntCyberDigest·
‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the attackers were close to being able to ship malicious code inside official OpenAI software, signed and trusted, if their incident response had not caught it in time. The campaign is the work of TeamPCP, the same crew running the Mini Shai-Hulud wave. Two employee devices in OpenAI's corporate environment were compromised through the malicious TanStack packages. The attackers used that foothold to reach a limited subset of internal source code repositories. OpenAI says only "limited credential material" was successfully exfiltrated, with no customer data, production systems, intellectual property or deployed software impacted. Here is the part that should grab your attention. OpenAI is rotating its code-signing certificates and forcing every macOS user to update their OpenAI apps. You do not rotate signing certs for "limited credential material." You rotate signing certs when the attacker was close enough to signing malicious binaries as OpenAI. The "we contained it in time" framing is doing serious heavy lifting here. For wider context, the same TeamPCP wave also hit Mistral AI, UiPath, Guardrails AI, OpenSearch and SAP npm packages. The TanStack compromise is tracked as CVE-2026-45321 at CVSS 9.6, and Mistral AI source code is already being advertised for sale by the group.
Secure.com@Securedotcom·
CVE-2026-44578 is a GET-only SSRF (cloud metadata and internal HTTP services on port 80), not an arbitrary credential exfiltration vulnerability. And it's one of 12 CVEs in the May 2026 Next.js release, including several auth bypasses. The fully-patched versions are 15.5.18 and 16.2.6. Upgrading to 15.5.16 / 16.2.5 closes this one but leaves the other 11 open.
Prasenjit@Star_Knight12·
Next.js just got its worst vulnerability ever, CVSS 8.6.
→ affects versions 13.4.13+, 14.x, 15.x, and 16.0.0–16.2.4
→ attackers can access your internal services, cloud credentials, API keys, and admin panels
→ no authentication needed
→ one crafted request is all it takes
→ roughly 79,000 instances are exploitable right now
→ vercel-hosted apps are safe, self-hosted are not
upgrade to 15.5.16 or 16.2.5 immediately.
Secure.com@Securedotcom·
@KuptoKosmos @ivancastl The principle that catches attackers here is the same one they exploit on the other side: humans take shortcuts when the tooling makes it possible. VPN-fatigue is just MFA-fatigue from the other direction.
Kruptos@KuptoKosmos·
🌐‼️ Even hackers get doxxed by their own stupidity! A Mexican OSINT researcher, @ivancastl, took a mid-April 2026 leak from DarkForums (a major cybercriminal forum) and turned it into a mapping tool...
➡️ 312,600 records in total
➡️ 79,900 unique IP addresses
➡️ An interactive Leaflet map that zooms straight in on countries, cities, ISPs and even botched VPNs!!
You type in a username and the map shows you where that guy was connecting from: his Totalplay or ALTAN REDES residential connection, or a misconfigured ProtonVPN. Clusters in France (1.3k IPs), Germany, the Netherlands… nothing is spared.
👉 Even hackers make mistakes. And the mistake is very often human! Sellers of malware, stealer logs or credit card dumps who thought they were untouchable on the dark web made the classic blunder: connecting without any anonymization worthy of the name. A forgotten VPN, a connection made just to post something quickly from their personal ISP, and their real IP + username end up on a public map 👌
Most of the IPs point to residential connections or sloppy setups.
For those who want to verify, he published the full SHA-256 hash of the JSON: `77E12E11465CDAC07F3F24B968FD1EA2B089BCA01208510DD380FF9C07E0B33D`
The tool is limited to ~3000 requests per day. The link is temporary, in his post from May 11.
👉 Moral: even on the dark web, perfect anonymity is dead. The most advanced technique is useless if the human screws up. One oversight, a bit of laziness, a residential connection, and your "hidden life" becomes a blinking red dot on a map! #CyberSécurité #OSINT
Secure.com@Securedotcom·
@lochan_twt Mythos helped, it didn't hack. Calif's three-person team did the actual work in five days. Still a big story.
spidey@lochan_twt·
Anthropic’s Mythos just hacked macOS helped researchers find a macOS kernel exploit Apple is reviewing it now. The AI found the vulnerability. Wrote the exploit. Delivered a 55-page report to Apple in Cupertino. We are so cooked
vx-underground@vxunderground·
Microsoft: PowerShell is simple and easy to use. Actual PowerShell command: Remove-MgIdentityAuthenticationEventFlowAsOnGraphAPretributeCollectionExternalUserSelfServiceSignUpAttributeIdentityUserFlowAttributeByRef No, this isn't a joke. This was noted by @NathanMcNulty
Secure.com@Securedotcom·
@IntCyberDigest Auth bypass already used to land VPN access in production isn't a 7.2 in practice. The question worth answering is whether your CAS interfaces are exposed.
International Cyber Digest@IntCyberDigest·
‼️🚨 Palo Alto Networks just dropped an advisory for CVE-2026-0265, an authentication bypass in PAN-OS. Palo Alto rated it HIGH with a CVSS of 7.2 and says exploitation has not been observed. The reporting researcher, Harsh Jaiswal of Hacktron AI, publicly pushed back on that rating. He says he already got VPN access to major corps by abusing the bug against GlobalProtect. He also flagged that the issue is not limited to PAN-OS, meaning the blast radius is wider than just firewalls. If that holds up, this is not a 7.2. Full technical details are landing on the Hacktron AI blog later next week. The flaw lives in the Cloud Authentication Service (CAS) when it is enabled and attached to a login interface. It hits PA-Series and VM-Series firewalls, plus Panorama virtual and M-Series appliances. Patches are partially available now, with additional fixed builds expected May 28. Admins running CAS on a Palo Alto login interface should verify exposure and patch on an emergency basis.
Secure.com@Securedotcom·
Full autonomy isn't a feature. It's a risk transfer. The override IS the feature.
Secure.com@Securedotcom·
Snyk and Invicti combined caught zero high or critical findings. Not one. The scanners aren't broken. They're just built for last decade's threat. Our Head of Engineering breaks down what's actually happening, and the free fix that makes developers 8x more likely to catch what scanners miss. Read the full piece → secure.com/blog/appsec/vi…
Secure.com@Securedotcom·
@logangraham @AnthropicAI The vuln-discovery side is moving faster than the remediation side can keep up. If Mythos doubles annual findings in weeks, the bottleneck shifts hard to triage, prioritization, and patching workflows. That's the gap to close next.
Logan Graham@logangraham·
A lot of people have been wondering about Mythos, Glasswing, and the vulns we / our partners are fixing. Today, I’m excited for us to start sharing more. (For context, I lead Glasswing @AnthropicAI.) Two independent evaluations this week—from XBOW and the UK AISI—confirm what we've been seeing internally: Claude Mythos Preview is a step change in autonomous cybersecurity capabilities. We need to start preparing fast for a world of models with this level of capabilities. The UK AI Security Institute tested the model we shipped at the launch of Project Glasswing and found Mythos Preview is the first model to solve both of their end-to-end cyber ranges, including one (Cooling Tower) which no model had ever cleared. But attackers (and defenders) have sophistication & cost constraints – Mythos is also the only model that clears every one of their tasks estimated over 8 hours under their deliberately low 2.5M-token cap. XBOW tested it on their offensive security benchmarks, finding "token-for-token, unprecedented precision." It's the only model to succeed at subtle V8 sandbox work. Other Glasswing partners shared similar stories. In a few weeks of testing, Mythos Preview has helped them find many thousands of (estimated) high + critical severity vulnerabilities, sometimes double what they'd normally find in a year. I don't share this to boost Mythos. In fact, this is not about Mythos. It’s about preparing for the coming world of models being better, faster, cheaper, and more creative than some of the best human experts at dual use capabilities. Clearly, we need them supporting defenders as widely as can be done safely – and especially the least resourced ones. Within a year, Mythos will probably look quite dumb (relative to other new models). And others may release openly available or unguardrailed models of Mythos-level capabilities. We started Project Glasswing because capabilities like Mythos Preview's won't stay rare, or stay in careful hands. 
We are bringing it to defenders as fast as we responsibly can, while working to figure out, for example, the right safeguards and patching & disclosure processes. Also, to be clear, compute has never been a limiter in our rollout. Expect a fuller update on our Glasswing work in the coming days. XBOW report: xbow.com/blog/mythos-of… UK AISI report: aisi.gov.uk/blog/how-fast-…
AI Security Institute@AISecurityInst

Our cyber range results illustrate this step-up. Since our first Mythos evaluation, we received access to a newer Mythos Preview checkpoint. On a 32-step corporate network attack we estimate takes a human expert ~20 hours, this checkpoint completes the full attack in 6/10 attempts.

Secure.com@Securedotcom·
@birdabo The exploit was a "please" and a "🥺". We're cooked.
sui ☄️@birdabo·
never deleting this app 💀 bro is gonna wake up with -$300k
Secure.com@Securedotcom·
If you run NGINX, here's what you need to do right now:
→ Upgrade to 1.31.0 or 1.30.1 immediately
→ Audit configs for rewrite + set directives with $args
→ Watch for repeated worker crashes in your logs
→ PoC is already public, opportunistic scanning has started
One bug. Since 2008. CVSS 9.2. A third of the internet is affected.
Full technical breakdown → secure.com/news/nginx-18-…