Anthropic releases Mythos-derived model with cyber guardrails

Don't miss my CSO piece on the release of the two new Mythos-class models that have cyber safeguards that some experts think are broader than what Anthropic suggests.

Also, don't miss my latest CSO feature on how AI red teaming, which requires skills beyond what red teams are used to, has come of age.

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

Each day, Metacurity is read by thousands of cyber leaders, including some of the industry's top CISOs, security architects, practitioners, vendors, analysts, and journalists.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Anthropic released a next-generation “Mythos-class” model to the general public with guardrails that remove dangerous capabilities related to areas such as cybersecurity and biological research.

Called Claude Fable 5, the large language model will mostly let users query Mythos, which the company previously deemed was too dangerous for general release. However, if users ask Fable about sensitive issues such as a bioweapon or exploiting a software bug, it will kick them back to the older Opus 4.8 version of the Claude chatbot.

Fable 5 will cost more than Opus 4.8, but it will also do a better job of remembering things. That will make it better at completing large, complex tasks with fewer instructions, said Dianne Penn, Anthropic’s head of product management, research and labs.

“We wanted to be able to provide this level of intelligence for general users in a safe manner,” she said.

Hackers are likely to try to trick Mythos into answering these questions, despite Anthropic’s controls—a process known as jailbreaking—but the company says it has done extensive testing to make that harder to pull off.

For a small group of cyberdefenders and infrastructure providers, Anthropic also launched Claude Mythos 5. It’s the same underlying model as Fable 5, but with the safeguards lifted in some areas.2 Mythos 5 will initially be deployed through Project Glasswing, in collaboration with the US government, as an upgrade to Claude Mythos Preview.

Anthropic says Claude Mythos 5 has the strongest cybersecurity capabilities of any model in the world. Soon, we intend to expand access to Mythos 5 through a broader trusted access program. (Robert McMillan / Wall Street Journal and Anthropic)

Related: CSO, CyberScoop, Wired, NextGov/FCW, Politico, Wired,  Simon Willison's Weblog, BBC, VentureBeat, VentureBeat, Anthropic, About Amazon, Fortune, Protos, Bitcoin News, CNBC, Politico, PYMNTS, Tom's Hardware, CNET, Engadget, The Register, The New Stack, PCWorld, Ars Technica, Benzinga, Decrypt, XDA Developers, New York Post, Android Authority, 9to5Google, Constellation Research, Tech Times, HealthcareInfoSecurity.com, The Mac Observer, Unite.AI, The Deep View, Bitcoin News, 9to5Mac, Implicator.ai, The Tech Portal, Newser, Mashable, Neowin, Amazon Web Services, Sherwood News, The Independent, SecurityWeek, crypto.news, Hacker News, r/theprimeagen, r/GithubCopilotr, r/ClaudePlaysPokemon, r/slatestarcodex, r/technology, Slashdot, The Decoder, TechCrunch, ZDNet,  The Economic Times, iPhone in Canada, The Asia Business Daily, ITPro, Inc, Reuters, Barron's Online, The Next Web, Fast Company, Yahoo Finance, iClarified, Techstrong.ai, r/singularity

US administration officials, including National Cyber Director Sean Cairncross, have told the Center for AI Standards and Innovation to halt publication of its model assessments while an executive order President Trump signed last week is implemented, people familiar with the matter said.

Administration officials, including National Cyber Director Sean Cairncross, have told the Center for AI Standards and Innovation to halt publication of its model assessments while an executive order President Trump signed last week is implemented, people familiar with the matter said. The order represented a win for Cairncross and Treasury Secretary Scott Bessent, who have pushed for security considerations to play a bigger role in model evaluation.

The concern was prompted by the recent release of Anthropic’s Mythos and other powerful models capable of carrying out cyberattacks or potentially aiding the creation of biological weapons. The administration is working with Anthropic and OpenAI to control who has access to their best products to make sure the companies are protecting national security.

The move to halt the center’s public work is being viewed as a sign to some officials that Cairncross and his allies want more say over model evaluation, the people said. Some administration officials are upset at Cairncross for exerting more influence over the process; they thought the executive order directed a new group to do work that the center—known as CAISI—was already doing, the people said.

On the other side are companies including OpenAI, which have had discussions with administration officials about the importance of the center, known as CAISI, and preserving its power, the people said. White House AI advisers, including venture capitalist David Sacks, have warned that an overzealous model-testing process—regardless of who oversees it—could slow deployment and hinder innovation. (Amrith Ramkumar / Wall Street Journal)

Microsoft released Patch Tuesday software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle.

Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available.

The software giant said in a blog post last month that both its engineers and the security community are increasingly using artificial intelligence tools to find bugs, meaning this month’s heavy Patch Tuesday may start to become the norm, said Satnam Narang, senior staff research engineer at Tenable.

“Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang said. “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.”

June’s zero-day bugs include CVE-2026-49160, a denial-of-service vulnerability affecting a range of web servers, including Microsoft Internet Information Services (IIS). Microsoft says OpenAI’s Codex reported the flaw.

Two of the zero-days addressed this month appear to stem from recent vulnerability disclosures by Nightmare Eclipse, the nickname chosen by a security researcher who has been dropping exploits for various Windows flaws. One of those, dubbed “GreenPlasma,” leverages an elevation-of-privilege weakness in the Windows Collaborative Translation Framework, the same framework patched today in CVE-2026-45586.

Nightmare Eclipse also released " YellowKey " last month, an exploit for a Windows BitLocker vulnerability that allows an attacker with physical access to view encrypted data, and CVE-2026-50507 is a patch for an elevation-of-privilege bug in BitLocker. (Brian Krebs / Krebs on Security)

Related: Security Affairs, Ars Technica, Zero Day Initiative, Nightmare Eclipse, The Stack, Infosecurity, Cyber Security News, BleepingComputer, Notebookcheck, Security Affairs, The Register, SecurityWeek, CyberScoop, ComputerWeekly.com, Neowin, BleepingComputer, Qualys Security Blog, Cisco Talos Blog, The Stack, SANS Internet Storm Center, Ask Woody

Security researcher Nightmare Eclipse, who has spent the past several months publicly releasing unpatched Windows vulnerabilities while sparring with Microsoft over vulnerability disclosure practices, has published exploit code for a new zero-day flaw dubbed RoguePlanet.

The researcher said their exploit uses a race condition problem affecting Microsoft Defender, giving attackers less than a hundred percent odds of success, which can potentially allow SYSTEM-level privilege on even freshly updated Windows.

As before, the exploit arrives just after Microsoft issued its June 2026 Tuesday patches, where the company issued fixes for over 200 security flaws, including 32 critical ones. “The timing is a giveaway, MiniPlasma was released on May 13, 2026—exactly one day after Microsoft’s May Patch Tuesday cycle, ensuring defenders have no official vendor patch for weeks,” Agnidipta Sarkar, chief evangelist at ColorTokens, had said about Eclipse’s previous “MiniPlasma” disclosure.

The exploit was dropped in a new GitHub repository, “MSNightmare,” surely a pointed reference to Microsoft, after GitHub (owned by Microsoft) removed Eclipse’s original repositories recently. Several earlier Eclipse disclosures were reportedly incorporated into real-world attacks shortly after exploit code became available, prompting warnings from Microsoft and multiple security vendors. (Shweta Sharma / CSO Online)

Related: Nightmare Eclipse, Cyber Security News

Researchers at CrowdStrike said China-linked hackers posed the biggest espionage threat to technology companies over the past year, amid surging investment in artificial intelligence.

The hacking ​campaigns align with the Chinese government’s strategic priorities and a sustained interest in technology ‌development, intellectual property, and information with strategic and economic value, the firm said.

The technology sector was once again the most targeted industry by both foreign governments and cybercriminals, the report found. It focused on threats to companies that research, ​develop, or distribute computer hardware and technology, IT services and consulting, semiconductors, and software overall.

The ⁠findings, which span April 1, 2025, to March 31, 2026, come amid frenzied valuations and investments ​in technology firms in and around the artificial intelligence space, which are among the high-value targets, said ​Adam Meyers, CrowdStrike’s senior vice president, head of counter-adversary operations. (AJ Vicens / Reuters)

Related: CrowdStrike, CNBC, Benzinga, Crypto Briefing, Cyber Daily, Forbes

Researchers at Bitdefender report that social media has overtaken email as a primary attack vector, showing changes in how people consume information and interact online.

According to the company's Global Scam Intelligence Report 2026, fraud campaigns use advertisements, sponsored content, impersonation pages, and direct messages to reach users.

One in seven consumers fell victim to a scam during the past year. Scam operations resemble organized businesses, with structured workflows, dedicated personnel, and tactics designed to exploit trust through familiar brands, platforms, and communication channels.

Financially motivated fraud accounted for a large share of scam activity throughout the year. Phishing remained the most common web-based scam category, representing roughly a quarter of reported incidents. Financial and investment scams, fake shops and advertising scams, and job scams ranked among the leading categories identified in Bitdefender’s data. (Anamarija Pogorelec / Help Net Security)

Related: Bitdefender

Researchers at Varonis Threat Labs report that a phishing simulation on an OpenClaw email agent with various configuration profiles showed that it was susceptible to tactics commonly used to compromise human users.

The OpenClaw open-source AI agent framework allows large language models (LLMs) to interact with real-world systems and perform actions autonomously. It can be used as an email agent for basic reasoning and operations.

Varonis created an OpenClaw agent and connected it to a Gmail inbox, browser tools, Google Workspace APIs, and fabricated internal company data sources, instructing it to monitor and process incoming emails.

The synthetic enterprise data included AWS credentials, database credentials, CRM exports, internal communications, and Calendar invites, all highly sensitive data.

The agent ran on two configurations: a generic one with standard productivity instructions and a strict mode that included specific instructions for phishing awareness and identity verification procedures. The framework was tested with two models, namely Google Gemini 3.1 Pro and OpenAI GPT-5.4.

Varonis concludes that AI agents are good at detecting suspicious URLs, identifying fake login pages, spotting malicious OAuth apps, and recognizing phishing indicators, but may still fail due to a lack of identity verification, loss of context, and inability to apply “zero trust” principles to social interactions. (Bill Toulas / Bleeping Computer)

Related: Varonis Threat Labs, GBHackers, CSO Online, Cyber Press

The US Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones—phones not explicitly linked to their identity at the point of purchase—which would impact privacy-conscious people, domestic abuse survivors, journalists, and many more.

The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government-issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the US and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly under Know Your Customer rules (KYC) as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers, like the intended use case of their bulk phone plan purchase and their IP address.

But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

In a synopsis of the proposed changes, the FCC writes, “Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services.” The goal of collecting this data, the FCC writes, is to deter some scammers from getting onto a telecom network in the first place, and so “enforcers will be better able to identify the scammers when they do.” The FCC compares the changes to the sort of data collected by banks to prevent money laundering.

One section stresses that the newly collected data would help “law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information.” It goes on to ask if the data would help identify people buying and selling illicit goods; the investigation of “fraud, espionage, or influence operations that undermine national security”, and “address abuse in text messaging networks.” (Joseph Cox / 404 Media)

Related: Federal Register, Digital Trends, PC Mag, Boing Boing, Android Authority

Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.

That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.

Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.

Roughly 34,000 Instagram accounts were affected by a bug in a Meta customer service tool that allowed anyone to use an AI-powered chatbot to reset the passwords for Instagram accounts, including the accounts of President Barack Obama, the home security monitoring company SimpliSafe and a senior official in Mr. Trump’s Space Force department, according to internal Meta documents viewed by The New York Times.

In the Space Force official’s case, hackers began posting pro-Iran messages comparing the war in Iran to US involvement in Vietnam in the 1960s.

Of the 34,000 accounts, 20,000 were breached, giving hackers access to the related email addresses, phone numbers, birth dates, and other personal data. More than 3,500 of the accounts had their user names taken over and changed from the hack, according to the internal documents. Meta has said it could not determine what information was viewed or stolen by the attackers.

In a statement, Meta said it had fixed the flaw, which was reported by 404 Media this month, and secured the affected accounts. (Mike Isaac and Eli Tan / New York Times)

Cloud-based enterprise software platform ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

The company quietly warned impacted customers through a support bulletin and direct support cases after detecting "anomalous activity" related to the issue.

The bulletin, which is hidden behind ServiceNow's customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026.

"On June 5, 2026, ServiceNow applied a security update to hosted customer instances," reads the support bulletin.

"The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended." (Lawrence Abrams / Bleeping Computer)

Related: Hacker News, r/servicenow, r/cybersecurity

Fortinet and Ivanti rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws.

Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal.

The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.

Remote, unauthenticated attackers could exploit the weakness via specially crafted HTTP requests to execute arbitrary commands on vulnerable appliances, the company’s advisory reads.

Patches for the CVE were included in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6.

The other two vulnerabilities that Fortinet patched on Tuesday are medium-severity flaws in FortiOS, FortiProxy, and FortiPortal API, respectively. Authenticated users could exploit them for script execution and to disclose sensitive network configuration data.

Fortinet makes no mention of any of these security defects being exploited in the wild.

On Tuesday, Ivanti released Sentry versions 10.5.2, 10.6.2, and 10.7.1 and Endpoint Manager Mobile (EPMM) versions 12.9.0.1, 12.8.0.3, and 12.7.0.2 with fixes for two security weaknesses each.

The Sentry update resolves two critical-severity bugs, including CVE-2026-10520 (CVSS score of 10), an OS command injection issue that could be exploited remotely, without authentication, to execute arbitrary code with root privileges.

Tracked as CVE-2026-10523 (CVSS score of 9.9), the second flaw is an authentication bypass that could allow remote, unauthenticated attackers to create user accounts with the role of administrator and gain full access to vulnerable appliances. (Ionut Arghire / Security Week)

Related: Bleeping Computer, Fortiguard, Fortiguard, Ivanti, The Register

Identity crime experts have warned of “multi-layered crises” after revealing that many victims dealt with two or more incidents over the past year.

The findings come from US non-profit the Identity Theft Resource Center (ITRC), which analyzed data from over 6000 reports submitted to it between April 1 2025, and March 31, 2026. 

The 2026 Trends in Identity Report revealed that nearly 26% of victims managed two or more concurrent identity crime incidents, up from 24% the previous year.

The increase in multiple identity crime events could be down in part to a surge in unauthorized device/PC access. The category accounted for 27% of identity compromise incidents reported in the period, up 78% annually.

It’s now the primary threat for adults aged 35–64, the report noted. (Phil Muncaster / Infosecurity Magazine)

Related: ITRC

Researchers at Zscaler ThreatLabz say they spotted a newly discovered backdoor malware called MLTBackdoor in a carefully designed, multi-stage attack chain.

Identified in May 2026, this threat stands out for its advanced ability to hide from security tools while quietly establishing a deep foothold on infected machines.

The infection begins with something deceptively simple: a ClickFix lure hosted on an automotive-related web page. The moment a visitor copies, pastes, and runs the fake prompt, the full attack chain kicks into motion.

The victim unknowingly triggers a series of commands that download a compressed archive, decrypt a hidden payload, and ultimately install the backdoor deep within their system.

The researchers noted that the threat is likely being used by a ransomware-related threat actor. (Tushar Subhra Dutta / Cyber Security News)

Related: Zscaler, Cyber Press

Best Thing of the Day: No Need for Ego-Stroking?

Anthropic PBC co-founder and Chief Executive Officer Dario Amodei has just one direct report at the artificial intelligence company.

Worst Thing of the Day: This Is Not the Way

Britain has weakened proposed cybersecurity protections for its telecoms networks that were developed in response to the Salt Typhoon espionage campaign, after the companies responsible for implementing the measures lobbied against the cost and practicality.

Bonus Worst Thing of the Day: Smile for the Cameras, You Game-Loving Innocents

2026 World Cup stadiums in the US, Canada, and Mexico are subjecting fans to an array of surveillance tech, potentially without adequate safeguards and with concerns that in the US, the technologies will be used for aggressive immigration enforcement.

Closing Thought