News

MI5 and its international allies are once again warning that China is shopping for state secret leakers on popular recruitment platforms, including LinkedIn, Indeed, and Upwork. In a fresh advisory published on Wednesday evening, the UK’s domestic counter-intelligence agency said China is using an increasing number of platforms to recruit those who have access to classified or privileged information. Chinese military intelligence officers specifically target security clearance holders, including marks working in defense, security, and foreign affairs, military personnel, and those with indirect access to government information, such as academics, journalists, think tank employees, and others. Anyone who fits the bill is being urged to remain vigilant to potential attempts from Chinese operatives to cultivate long-term relationships. “These actors use an aggressive online recruitment strategy whereby intelligence officers or their affiliates pose as employees of private consultancies, think tanks, or human resources firms, and place online job advertisements for foreign policy and defence analysts (or similar),” the advisory [PDF] states. “Successful candidates are pressured to provide 'non-public' information for unspecified clients who are associated with the Chinese government. China’s military intelligence services ultimately seek to acquire privileged military, political, and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes.” According to MI5, after the job and gig-work ads are posted online, China’s spies will rank the resumes they receive based on how likely a given individual is to have information of interest before interviewing them. It warned that even by sending a resume over, which includes personal details, a person is risking their own security and privacy. Targets face probing questions about who they know in government. For those in the military, they might be asked about where they were based, and what tasks they were responsible for. After demanding potential recruits complete a trial report on matters related to China, the spies will often shift conversations to encrypted messaging platforms where recruits are offered payments in exchange for increasingly privileged information. Payments may arrive through a number of online platforms, including reputable services like PayPal, Zelle, and Wise, to others more commonly associated with associated with illegality, such as Western Union and cryptocurrency. MI5 closed out its advisory with a warning to anyone even considering a life of peddling secrets to China: doing so comes with severe consequences. “Certain types of data can place the lives of frontline military or other personnel at risk, can weaken our economic prosperity, and enable interference in our democratic processes,” it said. “Individuals engaged in the unauthorized disclosure of sensitive or classified information could face a number of consequences, including prosecution under national laws such as those relating to espionage.” A common theme This week’s admonition is far from the first issued by the UK in response to this particular aspect of Chinese spies’ tradecraft. The most recent came in November when UK security minister Dan Jarvis reminded the UK's House of Commons that members should have received information about Chinese attempts to recruit parliamentarians through identical means. In those information packs disseminated by MI5, Brit politicos were given the names of two online profiles that the counter-intelligence agency suspected of being involved in recruitment campaigns. MI5 dished out an earlier warning in 2021, saying that around 10,000 Britons had been targeted by Chinese spies over the previous five years using work platforms, posing as headhunters. The 10,000 figure, it added, was thought to be a conservative estimate, with the agency's head, Ken McCallum, saying workplace platforms were being exploited “on an industrial scale.” The US said it was seeing similar tactics used when President Trump took office for the second time, which shortly after led to mass redundancies across federal agencies. Experts at the Foundation for Defense of Democracies (FDD) named five supposed consulting companies targeting the recently jobless via LinkedIn, Craigslist, and others, all in search of state secrets. The companies would present the fired workers with job opportunities, and as FDD senior analyst Max Lesser told The Register at the time, the layoffs, which began in February 2025, would have likely raised the risk level associated with state secrets being spilled. ®

Two former RAC workers in the UK have three months to pay more than £118,000 ($158,500) collectively after being convicted of selling crash victims’ data, according to the Information Commissioner’s Office (ICO). Debbie Okparavero and Maliha Islam, of Salford and Manchester respectively, were sentenced to six-month prison stints, suspended for 18 months, and 150 hours’ unpaid work in 2024, after being found guilty of offenses under the Computer Misuse Act 1990 and the Data Protection Act 2018. The pair, who worked for roadside accident biz RAC, were caught selling the personal data of car crash victims – just shy of 30,000 lines of data to an unknown buyer, the ICO revealed following an investigation. Okparavero and Islam were in a WhatsApp chat together, where they discussed the data and its sale to the unknown third party. RAC clocked on to the activity after deploying unspecified monitoring software, which detected Okparavero copying the data from RAC systems. A resulting investigation showed that around 29,500 lines of data were shared with Islam via WhatsApp. Islam was ordered to repay £39,522.50 ($48,274.45) for her part in the scheme in November, and the ICO noted in a Thursday announcement that she paid this in full. Reflecting more serious offending, at Manchester Crown Court on May 29, Okparavero was ordered to repay £89,277.32 ($119,962.38) within three months. Failure to do so will result in her serving 18 months in prison. Andy Curry, head of investigations at the ICO, said: “This outcome demonstrates justice did not end at sentencing. Our powers enabled us to continue to pursue these two individuals in order to strip them of assets gained through their serious criminal activity. Through the Proceeds of Crime Act, we are ensuring people do not financially benefit from their criminal activity. “I would like to once again thank the RAC for informing us about this breach and fully supporting the ICO’s investigation, which enabled us to hold these two individuals to account.” ®

There's a lot of fear surrounding the bug-finding capabilities of super-advanced AI models like Anthropic's Mythos and OpenAI's GPT 5.5-Cyber. But attackers are already using free, publicly available LLMs to hijack networks and worm through software supply chains at a much lower cost – to them at least. The latest example comes from University of Toronto researchers, who used an unnamed, publicly available open-weight model released in 2025 to develop a computer worm that they claim spread through an enterprise test network. The self-propagating code adapts on the fly to identify known vulnerabilities and misconfigurations on target systems, then generates and executes attacks to move laterally through the network and compromise additional machines. And it’s all built on a small, free model that runs on a single GPU. “People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated,” University of Toronto computer engineering professor Nicolas Papernot told The Register. Papernot and fellow researchers Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang published their findings [PDF] on Tuesday. While guardrails and other safety features implemented by major commercial AI systems are “essential,” Papernot told us, in reality “they will not prevent the threat of AI-driven worms with a similar design.” “The majority of real-world cyberattacks don’t rely on zero-day vulnerabilities,” he added. “Our work demonstrates that attackers can now cheaply operationalize known vulnerabilities at scale, which decreases the window of time defenders have to fix vulnerabilities and find human errors, like reused passwords or poorly configured backup jobs.” The paper doesn’t specify, and Papernot declined to say, which LLM they used. “We omitted certain methodological details (such as the agent’s reasoning graph and tool harness) and experimental specifics (such as the AI model) that could materially help a malicious actor construct similar malware,” Papernot said. “We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse.” The researchers also noted that they are not publicly releasing the code, but are working with the University of Toronto to set up a vetting process through which qualified researchers may request access for defensive research purposes. Not NotPetya Before you start breathing into a paper bag, there are a few things to note about this research. First, unlike Mythos and friends, the prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes. This is intentional, because known security flaws – not zero-days – are what most real-world cyberattacks use, the authors say, citing WannaCry and NotPetya as examples. Both of these worms exploited security holes that had patches available for at least a month before the malware infected vulnerable machines. Both spread rapidly and caused global disruption. The worm did, however, find and abuse vulnerabilities disclosed after the model’s training cutoff by ingesting publicly available security advisory information at runtime and using this data to develop exploits. While the paper repeatedly points to WannaCry and NotPetya as worst-case scenario examples, this lab-tested prototype or something similar is not going to cause the level of destruction that either of those two earlier worms did. Both propagated very quickly: WannaCry infected more than 230,000 computers across 150 countries in just one day in May 2017. In June 2017, NotPetya spread globally within hours, taking down at least one large banking network in just 45 seconds. Plus, they both used very sophisticated evasion techniques to avoid being detected by security tools. This worm, on the other hand, moves slowly. In the “FakeCorp” network they used in the experiments, the prototype took about five days to replicate across half the network, requiring hundreds of LLM inference calls per target for reconnaissance, strategy formulation, and payload generation. The timeline gives defenders a longer window for detection and response. However, it will likely shorten as inference hardware and model efficiency improve. Also, unlike WannaCry and NotPetya, the worm doesn’t try to hide itself. “We deliberately chose not to equip the worm with concealment capabilities – it is not instructed to cover its tracks or minimize its network footprint, and it has no tools to do so,” the boffins wrote. “This was a conscious methodological choice to further limit the risk of misuse.” Finally, the test-network devices themselves didn’t have any endpoint detection, antivirus, or firewall software deployed, which (we hope) makes this a not-quite-realistic setup. Exploiting the FakeCorp target network Here’s how the experiments worked. The team deployed the worm prototype in 15 independent experiments on an isolated 33-host network including Linux servers, Windows environments, and IoT devices. Each computer had been seeded with at least one real-world vulnerability, including software bugs and misconfigurations. The worm operated fully autonomously for seven days, and correctly identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and propagated to 20.4 hosts. It reached up to seven generations of self-replication, we’re told. “Put another way, on average, the proof-of-concept worm successfully exploited 73.8 percent of the network and then replicated to 61.8 percent of the network,” according to the research paper. In addition to finding and abusing the known flaws on the devices, the worm also found vulnerabilities disclosed after the LLM’s training cutoff: two recent Linux flaws, CopyFail and DirtyFrag, and a critical bug that leads to remote code execution in the Marimo notebook platform (CVE-2026-39987). The AI-based worm gained root access in 41 of 67 attempts (61 percent) across the three hosts with these one-day vulnerabilities. This includes 13 of 27 attempts on the Marimo host, 15 of 17 on DirtyFrag, and 13 of 23 on CopyFail. The two Linux vulnerabilities were disclosed shortly before the experiments, and a single document containing publicly available exploit instructions was enough for the worm to weaponize them successfully 70 percent of the time, or in 28 out of 40 attempts. “This result suggests that the same exploitation pipeline can absorb newly published vulnerability information without architectural changes,” the team wrote. When worms get sneaky In addition to finding and exploiting vulnerabilities, the AI worm did some other interesting, sneaky things during the experiments. Despite the lack of firewalls and endpoint security products enabled, the researchers added some components to the worm’s code to “provide increased defence-in-depth.” This included a denylist of IP addresses baked into the source code. So in theory, the worm would read the denylist every time it targets a new machine, and if the IP address matched one on the list, it would move on to a new target, thus preventing it from infecting some hosts. Instead, at “various points” during the experiments, the worm rewrote its source code to allow it to attack an IP address on the denylist. In another workaround example: when a virtual-machine check caused replica worms on Alpine Linux and Windows Server 2008 machines to crash at startup, the parent worm found the attestation source file on the target computer and removed the VM-detection check, allowing the worm to replicate successfully on the new machine. “This behavior was not prompted or incentivised by the agent’s instructions; it autonomously diagnosed the failure, identified the responsible code, and modified it to achieve its objective,” the boffins wrote. In another test run, the researchers accidentally packaged a FakeCorp network configuration file that included admin credentials with the worm code. The worm discovered the credentials and shared them with other active replica worms, “causing a rapid increase in propagation within the contained environment.” Additionally, in two separate instances, the worm established persistence on a compromised computer using mechanisms outside of the intended replication pipeline, we’re told. In one instance, it started the replica process and then registered it with the machine’s service-management system to auto-restart if terminated. In another, it created a scheduled task that relaunched the replica worm, causing it to reappear even after the original process was killed. “The agent appears to have inferred, from the general objective of maintaining an operational replica, that persistence mechanisms available on the target could be used to make the replica more robust,” the researchers noted. Prior to publishing their work, the academics say they shared their findings with “national science, security, and defence” agencies to seek advice on how to responsibly release the information. We asked Papernot for details, including which government agencies and how they responded, but he declined to share anything else. ®

PWNED Welcome back to PWNED, the weekly column where we talk about weak security policies and how to avoid them. Hopefully, we can learn from others’ mistakes – or at least have a good laugh at them. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. This week, we have a tale of password passivity involving Active Directory. It comes to us courtesy of Rob Anderson, head of reactive consulting services at Reliance Cyber, a UK-based security firm. Anderson recalls in the past working with a firm that was creating service accounts that developers needed to use, but the org didn’t have a proper password vault for storing the associated credentials. Instead, to make it easy for team members to find what they needed, they put the passwords into the description field for Active Directory. “People don't realize that as soon as you've got an Active Directory user — just an ordinary user — you can read the comments field or the description field across the whole of Active Directory,” Anderson told The Register. “It's such an amazing lapse of security.” Soon enough, an Initial Access Broker (IAB), someone who specializes in gaining access to protected networks and then selling it to other threat actors, used a phishing campaign and executed offensive hacking tool Sliver on the endpoint. At that point, they captured a victim’s credentials, which led them to query Active Directory. Once in AD, the hackers found plenty of passwords, which came with full domain access. They used this access to delete all the backups and execute ransomware. In total, the crimes put 2000+ users out of action by encrypting Hyper-V hypervisors and their hosts. The company was taken offline for months. What we can learn from this sad story is that you can’t put passwords in cleartext anywhere that's easy to access, unless you want an enormous attack surface. Even without a phish, an untrustworthy colleague could have sold the passwords to a threat actor. After all, a recent survey found one in eight workers think selling company logins can be justified. “I've seen it where configuration details are kept in application servers that are running, and threat actors are using fuzzing — trying likely file and directory names — which again exposes configuration and credentials to the threat actors,” Anderson said. He noted that developers are a bit more savvy these days about where they put their credentials, but security naivete sinks ships. Trust no one. ®

AI-enabled cybercriminals have better tools and are inflicting more pain on their victims, wiping out virtual machines and hypervisors and leaving infrastructure in a "dark, dead" state after an attack, said Commvault Chief Technology Officer Brian Brockway. "The majority of cyber cases that we've seen in the customer base have moved well beyond the breaking inside, and encrypting and corrupting some of your key files and folders, to taking over control of your entire VM environment, wiping out all VMs, destroying all hypervisors, blowing up the center and leaving you in basically a dark, dead state," Brockway told The Register. Frontier AI is reshaping the threat landscape in two ways, he explained: advanced models are uncovering a deluge of software vulnerabilities, and attackers are exploiting disclosed flaws within minutes rather than weeks. “The more unplanned work that has to be done to react to this, that's always going to challenge priorities,” Brockway said. “We had the plan in place, we had sprints already dedicated to kind of get out to the next launch, and we have to come back over and reinvest more engineering time to corrective actions versus the next new get ahead feature.” Commvault cited Palo Alto Networks research showing that frontier AI models such as Mythos and GPT-5.5-Cyber identified more than seven times the typical number of software vulnerabilities found within a single month during testing. To prepare for this, Commvault recommends that IT and security teams look beyond backups and ask whether they can restore critical systems cleanly, whether recovery environments are isolated from compromised production systems, and whether recovery plans include the most important applications and dependencies. Brockway said air-gapping is the starting point. He said organizations should keep immutable and isolated copies of critical data separated from production identity, network, and management planes, and pressure-test recovery time and recovery point objectives against realistic attack scenarios, a hard lesson learned from witnessing victims recover from recent attacks. “One team is just trying to even clear the smoke to figure out what happened, then you have to come back over, strip it all down to bare metal, and basically redeploy the data center all over again,” he said. “While that's ongoing – and that's not a couple hour process by any means, that could take you, even in a well-exercised environment, it could be a couple of days or longer to get it back into a stable, usable state – what are our sanitized versions that we're going to come back over to (in order to) rebuild or restart the business again?” Businesses should prioritize the systems they cannot operate without — identity platforms, billing systems, operational databases, and cloud services — and define the order in which they will be restored, he said. As AI moves into core operations, teams should also account for newer dependencies such as data pipelines, model repositories, vector databases, and agentic workflows. In its recommendations, Commvault said it is also critical that organizations continuously test recovery. Brockway recommends rehearsing those plans in isolated cleanroom environments before the worst happens. “I need a testing environment that's got the same makeup, the same builds, which we're using, maybe not on full production resources, but I need to be able to say, ‘How do I put that application stack into a live environment, so we can come back over and test?’ “ he said. “That's what we're saying about things like this clean room concept of not just being a reaction to an incident, but it is also a quick environment for you to come back over and clone.” Brockway said this new normal in the AI era is straining the engineers who build and maintain enterprise software. He said while the first wave of AI scanning tools flooded teams with potential vulnerabilities, newer models go further, entering controlled environments and attempting the exploits themselves — a capability that mirrors what attackers do. "When you let them in, you have to do it under an extremely tight security control, because you're effectively almost automating the same thing that bad guys can do on the outside too," Brockway said. The output can swamp downstream teams. Brockway said one frontier model flagged roughly 10,000 critical vulnerabilities across operating systems, browsers, and other infrastructure. "That's 10,000 patches that have to come out of the system," he said. That volume forces hard choices about engineering priorities. Brockway said unplanned remediation work pulls staff off planned releases. To absorb the load at Commvault, Brockway runs a standing group dedicated to just those items. "They're the fast action team to analyze, make a quick assessment," he said. Brockway said the signal volume emerging from AI bug finders ultimately calls for more automation and AI to filter noise, assist with patching, and support deployment. "The amount of information and signals that are coming in are way overwhelming. People just get desensitized, and that's when bad things really start to occur," he said.®

Wireless jamming attacks are on the rise. Rice University researchers have shown how self-curving radio beams can make a jammer appear to be somewhere it isn't, potentially undermining some anti-jamming defenses. Jamming relies on flooding a wireless receiver with noise that denies service. Some modern receivers identify and block jamming attempts using direction-of-arrival (DoA) estimation technology that pinpoints the jammer's direction and directs an array null that blocks signals emanating in the jammer’s direction. Were a jammer to transmit a self-curving beam, however, it could fool DoA-based anti-jamming defenses by appearing to come from somewhere else entirely, and that's exactly what the Rice researchers demonstrated. Rice electrical and computer engineering professor Edward Knightly and doctoral student Caroline Spindel presented a paper [PDF] last month in which they demonstrated a curving-beam jamming attack that caused "catastrophic bit-error-rate degradation" while also "fool[ing] the receiver's DoA estimator," preventing conventional DoA-based defenses from stopping the interference. Knightly and Spindel have done prior research developing wireless technology that could bend beams around objects to increase signal strength - particularly useful for short-range millimeter wave signals - and found that the same technology could be used to deploy jammers that are far harder to locate. Spindel gave the perfect analogy in a recent Rice press release about the research for understanding how curved beams confuse DoA estimators by considering a soccer ball kick to the head. “Imagine being hit on the right side of your head by a soccer ball - you would naturally look to the right,” Spindel said. “If the ball actually curved through the air, like a David Beckham free kick, then it was kicked from somewhere else entirely.” Were Sir David to keep moving and kicking curveballs at your head you’d probably spot him eventually, but it might take a minute, and a few more smacks, to stop him. A signal jammer at radio-wave distances will probably be far harder to spot, and it won’t even have to move: Knightly and Spindel were able to create the illusion that the jammer was mobile by modulating the beam parameters from a stationary position, making it even more difficult to locate the jamming signal and negating the point of blindly searching for the best spot to point an array null. Conventional recovery methods used to block jamming completely failed in laboratory tests, Spindel said. “This is the first demonstration of a jammer that cannot be reliably localized and the first time self-curving wireless beams have been used as an attack,” Knightly added. The pair sees their research not just as a way to point out a serious threat to wireless signals - GPS jamming of aircraft is on the rise, for example - but also something that can inform the direction of future wireless technologies as we move toward the 6G era. Until then, however, there’s the potential for even more devastating jamming attacks to come. ®

Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the company’s handling of security reports. Ammar Askar dropped a proof of concept (PoC) exploit for a Visual Studio Code (VS Code) flaw within just an hour of disclosing it to “an old contact” at the open source platform, according to his account of things. The vulnerability he exposed involves attackers configuring repos, either of their own making or those they have compromised separately, to push malicious VS Code extensions via its Workspace Recommendations feature, which then steal OAuth tokens they can then use to read/write public and private GitHub repos. It affects anyone who has ever used github.dev, a feature that allows users to open a GitHub repo in a browser-based version of VS Code. Askar said that the feature is enabled by github.com passing an OAuth token over to github.dev and, crucially, this token is not limited to the repo from which github.dev was spun up. It means that this token can hand an attacker access to any other repo – public or private – to which the target also has access. The exploit is contingent on an attacker being able to modify a repo’s .vscode/extensions.json file and recommending an attacker-controlled extension for the browser-based VS Code instance. In normal scenarios, a pop-up would appear asking for a user to accept the installation of this extension, potentially tipping them off to foul play. However, because of the way in which the attacker delivers the repo to the target, they already have a Jupyter Notebook file running in the target’s github.dev before the extension is installed. The attacker must initially get the target to open their repo using a github.dev link that points to this ipynb file, which VS Code immediately opens inside a Webview. Inside the Jupyter Notebook is a hidden HTML snippet inside a Markdown cell, which when loaded allows attacker-controlled JavaScript code to run. This code fires a simulated keyboard shortcut, which VS Code bubbles up to the main editor, tricking the system into automatically accepting the malicious extension popup. The attaker-controlled extension is then running with access to the browser environment, and steals the OAuth token, which can be used to read and change any public or private repo. Askar said past negative experiences with Microsoft Security Response Center (MSRC) influenced his decision not to go through the typical responsible disclosure process, publishing the PoC roughly an hour after tipping off his GitHub contact. “To summarize the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug I pointed out without any credit,” he wrote. “They also marked it as not having any security impact. As I mentioned in that post, going forward I would be doing full public disclosure for any security bugs I found in VSCode. Taking a look at a recent report by Starlabs on a VSCode XSS bug marked as ineligible and low severity, it doesn’t look like MSRC has gotten any better about VSCode bugs. “I’m sure the VSCode team would have appreciated a longer heads up on this to come up with solutions. There is legitimately a UI/UX balance here that needs to be struck with the security concerns. To those folks, I am sorry, but this is one of the few levers I have to try to influence MSRC and the security posture of VSCode. Finding and fully developing security bugs into proof-of-concepts like this takes time and effort on the part of security researchers that should not be disrespected or taken for granted.” Askar’s approach is reminiscent of a researcher who goes by Nightmare Eclipse, a suspected former Microsoft employee who has attracted a great deal of attention in recent weeks for leaking zero-days without informing Microsoft beforehand. The researcher has so far released six zero-days, three of which were quickly confirmed to be exploited by attackers in the wild. As regards their motivation for launching this attack on Microsoft, Nightmare Eclipse previously alluded to being stabbed in the back and being left homeless after an agreement that was not honored – all very vague. After the sixth zero-day, Microsoft vaguely threatened the researcher with its Digital Crimes Unit, which works closely with law enforcement, before quickly backing down after an outpouring of negative responses. The Register approached Microsoft for more information. ®

UK banks are set to receive access to OpenAI’s GPT-5.5 Cyber after being excluded from Anthropic’s latest expansion of Project Glasswing. Project Glasswing, and access to the Mythos Preview model, is geared toward ensuring critical infrastructure providers are prepared to handle the threat posed by advanced AI models, once they inevitably make their way into the public domain, and therefore the hands of attackers. However, amid a fourfold expansion of Glasswing’s partners, only JPMorganChase was named among the financial institutions to receive access to Mythos Preview, despite financial services falling under the critical infrastructure umbrella. In light of the news, HSBC, Lloyds Banking Group, and Nationwide will be among the banks to receive access to GPT-5.5 Cyber, the BBC reported, while NatWest and Santander have already been playing with it as part of separate agreements. OpenAI offered nine UK banks access to its Mythos-rival model in total, after they were snubbed from Glasswing. It is not clear if this number also includes the Bank of England, whose governor, Andrew Bailey, has been outspoken about its exclusion from Glasswing. Bailey told Bloomberg TV last week that despite pushing for access so the UK’s financial system is protected, Anthropic has not handed over the keys to Mythos Preview. Liam Salsi, director of architecture at Talion, told The Register he suspects the decision to exclude UK banks was political. Bailey had also previously alluded to suspicions that Anthropic had not yet granted access to Mythos Preview due to processes at play related to the US administration. “The US government wants to control who has access to the platform and this is largely because it will limit the chances of it falling into the wrong hands,” said Salsi. “However, limiting access will ultimately leave some banks more exposed to cyber threats and could impact their vulnerability management, leaving larger windows of opportunities for attackers. “It's hopeful these gaps won't exist for too long because of competition among Advanced AI platforms. GPT-5.5 was issued only a few weeks after Mythos, and it's safe to assume more advanced AI platforms will surface soon, closing gaps and delivering more of these systems to a larger pool of critical organizations.” He added that it could also introduce a single point of failure in the global banking sector if every institution were using the same product. Anthropic has not commented publicly on its approach regarding which financial institutions receive Mythos access, although it's not just financiers who are pondering the company’s decision-making. It transpired this week that the EU’s cybersecurity agency, ENISA, will receive access to Mythos Preview, while the US equivalent, CISA, is yet to be selected. Glasswing goes big In other news, Anthropic said on Tuesday it is looking to induct many more organizations into its Project Glasswing initiative, taking the total number of members from around 50 to 200. The additional 150 or so organizations hail from 15 different countries and will join the old guard, comprised of security shops and other tech giants, government agencies, and open-source maintainers. It has not named these organizations officially, although reports suggest that South Korea is among the 15 countries, and its science ministry, Samsung, SK Hynix, and SK Telecom are among the new inductees. Project Glasswing is something of a private members’ club – a carefully selected cohort of organizations with early access to Anthropic’s most advanced Mythos Preview model, the one the company claims will fundamentally alter the cybersecurity landscape. The cynics among us may see such claims as an extension of Anthropic’s marketing playbook, which some believe involves stoking excitement about a product through fear. When the AI biz announced Mythos in April, it did so by dubbing it too dangerous to unleash on the public. It was billed as an expert bug hunter and zero-day specialist, capable of finding vulnerabilities in code far more efficiently than humans. The oft-touted nugget from launch was the 27-year-old OpenBSD bug Mythos found during initial testing, but there were many more zero-days and other critical vulnerabilities – novel ones – Anthropic said its model was able to unearth. Those who have tinkered with Mythos Preview already report mixed results. Cloudflare CISO Grant Bourzikas wrote in May that the model represented “a real step forward,” and was able to find a series of low-severity bugs and chain them into working exploits. Others, such as cURL’s Daniel Stenberg, called Mythos Preview “an amazingly successful marketing stunt,” after it found just one vulnerability in the data transfer software. Likewise, security expert Kevin Beaumont said the model “is not great,” and “it’s marketing, essentially.” He said Mythos Preview was good at finding bugs in vibe-coded applications, but aside from that, it was not discovering much beyond what the models of yesteryear were capable of. Regarding the new intake of Glasswing partners, Anthropic but said each would have to pass its own security requirements before being granted access to Mythos Preview. It also said the new organizations brought into the fold all managed critical infrastructure services, and a successful attack on their systems could be “catastrophic.” “For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security,” the company said on Tuesday. “This expansion is the next step toward our long-term goals: for AI to make all software more secure, and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity.” The big when? As for when the Mythos model will be made available to the wider public, Anthropic has kept that largely under wraps, but don’t expect it to be anytime soon. In its latest Glasswing announcement, the company said the safeguards required to prevent abuse are not yet available. “We’re working as quickly as we can to safely release Mythos-level capabilities in general access,” it stated. “To do so, we’ll need highly robust safeguards that prevent the model’s cyber capabilities from being misused – safeguards that we (and, to our knowledge, all other AI developers) have yet to develop. “Because cybersecurity has both helpful and destructive uses, making safeguards that are both strong and precise enough is a major challenge.” Anthropic may face some tough decisions in the next year, however, as by its own reckoning other AI companies will produce Mythos-level capabilities within their own models inside 6-12 months. Confusingly, it also said on Friday that it would be releasing Mythos-class models to all customers in the coming weeks. Anthropic said it will expand Glasswing further before Mythos is more widely launched, bringing in more critical infrastructure orgs, open-source maintainers, and safety testers. “We intend for future expansions to cover organizations in the US and overseas, just as this one does. We also intend to scale up our Cyber Verification Program, which would grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks.” ®

Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country. In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up. The affiliate has since been banned from the criminal operation, we’re told. In addition to issuing a “formal apology,” the ransomware gang promised to assist Eriell with the recovery process “free of charge.” The malware slingers claimed they didn’t encrypt any files, and pledged not to leak any of the stolen data. “Apparently, the first rule of ransomware club, you don't attack organizations in the Commonwealth of Independent States (CIS), is still very much in effect in 2026,” Recorded Future threat intelligence analyst Allan Liska told The Register. While cybercrime is technically illegal in Russia and other CIS countries, their governments often provide safe harbor for extortionists and other financially motivated crims - especially if they also happen to work day jobs as state-sponsored hackers - and local police look the other way unless the gangs infect any in-country organizations. Some crews, like the DragonForce cartel, VanHelsing ransomware-as-a-service group, and notorious LockBit operators, expressly prohibit their gang members and affiliates from hitting Russian and other CIS targets. We’re guessing that the Nova affiliate will be high up on all of these gangs’ do-not-hire lists for quite a while. Still, they aren’t the first cybercriminal, Russian-speaking or otherwise, to make seriously dumb mistakes. Earlier this year, notorious data-leak-and-extortion crew Scattered Lapsus$ Hunters claimed they had gained "full access" to Resecurity's systems and stolen "everything." Resecurity later offered its "congratulations" to the cybercrime crew, which had fallen into the threat intel team's honeypot – resulting in a subpoena being issued for one of the data thieves. Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year. They hardcoded the master keys - this same key encrypted all files on a victim's system - into the executable files, thus allowing victims to recover encrypted data without paying any extortion fees. While that mess-up worked in the victim orgs’ favor, another coding error committed by Sicarii malware developers makes it nearly impossible for companies to recover their files: the Sicarii encryptor generates a new cryptographic key pair during every execution - but then discards the private key, meaning there's no recoverable master key. Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files, again making paying up futile. Trellix VP of threat intel strategy John Fokker recently told us that he got so sick of seeing the security industry "glorifying threat actors,” that he and his team decided to troll the baddies, and started publishing the Dark Web Roast. “These are just individuals, they just use computers, and they just want to steal your data and make money,” Fokker told The Register. “They're not mythical. They don't have superpowers." And just like any other individual - or superhero - they sometimes slip up, and give the rest of us a moment of snarky joy. ®

Bug hunting has become a whole lot more exciting in recent months with both Anthropic and OpenAI touting their latest models (that also happen to be super-scary exploit machines). On Tuesday, as Anthropic announced a fourfold expansion to its Mythos preview program, Cisco jumped into the fray, praising the transformative power of AI - but without disclosing how many bugs the latest frontier models found. Cisco SVP Anthony Grieco in a Tuesday blog said that the advanced AI systems, including Anthropic’s Claude Mythos Preview and OpenAI’s GPT 5.5-Cyber, scanned 1.8 billion lines of code in eight weeks looking for vulnerabilities in Cisco products - a task that otherwise would have taken the networking giant’s advanced security team eight years to accomplish. However, Grieco, who heads Cisco’s security and trust organization, didn’t say how many flaws Mythos and other frontier models uncovered, or if they have all been fixed. The company also did not respond to The Register’s questions about this. Grieco did say that “speed is only half the story,” calling the “real breakthrough” the “scale, quality, and impact” of the models’ findings. The 1.8 billion lines of code, written in more than 25 different languages, spanned Cisco’s portfolio, we’re told. Netzilla paired the models with a “human-guided harness,” and achieved a false positive rate of under 3 percent, Grieco wrote. “Rather than focusing on a specific scope for a security evaluation, we can assess entire code bases of a product. It’s like switching from a flashlight to a flood light to illuminate a dark room,” he said. “Because each finding is validated through a hybrid of AI and human expertise, our engineering teams are receiving actionable intelligence rather than a wall of warnings.” Meanwhile, Anthropic on Tuesday said it expanded Project Glasswing to about 150 additional organizations, bringing the total partner count to about 200. Project Glasswing is the AI giant’s controlled partner program for giving selected orgs access to Claude Mythos Preview. When it announced the new model and partner program in early April, Anthropic limited the preview to about 50 entities, claiming Mythos is so good at finding and exploiting security holes that all hell would break loose and the zombie apocalypse would hit should the model fall into the wrong hands. Since April, these select government agencies and corporate partners - including Cisco - have been using Mythos to find and fix bugs in their own products. Palo Alto Networks, one of the original Project Glasswing partners, said in May that after spending a month using frontier AI models, including Anthropic's Mythos, to scan more than 130 products across its three platforms, it uncovered 26 CVEs representing 75 underlying security issues. For comparison, the cybersecurity giant said it typically discloses fewer than five CVEs per month. At the time, a company exec forecast “a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm.” The newly expanded Project Glasswing spans more than 15 countries, and, while an Anthropic spokesperson declined to name them or the new partner companies, it’s a safe bet that these are likely Western and/or “friendly” nations. So not China and Russia. Rubrik, a data security and management vendor, said that it was among the new Glasswing partners. The expanded list also reportedly includes the Korea Internet and Security Agency (KISA), along with Samsung Electronics, SK hynix, and SK Telecom, among other Korean companies. “The group covers several industries that weren’t well-represented in our initial cohort, such as power, water, healthcare, communications, and hardware,” according to a Tuesday Anthropic blog. “And many of the new partners are vendors - companies or nonprofits that maintain codebases that are relied upon by lots of other organizations around the world, including governments.” Each new partner must meet Anthropic’s security requirements before they gain access to Mythos, the company added. ®

Russia's domestic spy agency says it has uncovered a sprawling foreign espionage operation that allegedly turned the smartphones of senior Russian officials into pocket-sized surveillance devices, though it has so far offered little in the way of evidence. In a statement Tuesday, the Federal Security Service (FSB) claimed foreign intelligence agencies implanted malware on the mobile devices of high-ranking Russian officials, allowing operators to steal data, intercept conversations, and secretly activate microphones and cameras to monitor targets and their surroundings. “This software is used to steal existing data, eavesdrop on ongoing conversations, and conduct covert acoustic and video monitoring of the environment near electronic devices, all aimed at obtaining sensitive information,” the FSB said. The agency said it had opened a criminal investigation into illegal access to computer information and the distribution of malicious software. It did not identify the alleged intelligence service responsible, disclose how many officials were affected, name the malware involved, or provide any technical indicators that would allow independent verification of the claims. As things stand, the FSB has revealed the accusation but not the proof. However, the notion that foreign intelligence agencies might target the phones of senior Russian officials is hardly farfetched. State-backed mobile surveillance campaigns have become a routine feature of modern espionage, and Moscow has spent years accusing Western intelligence services of abusing consumer technology platforms for intelligence gathering. In 2023, the FSB claimed that thousands of iPhones had been compromised in a US National Security Agency spying operation. At the time, Russian security vendor Kaspersky disclosed what became known as “Operation Triangulation”, an iPhone surveillance campaign that infected devices through iMessage. Apple denied cooperating with any government, while Kaspersky stopped short of attributing the operation to the NSA. Moscow's spy agencies are hardly strangers to offensive cyber operations themselves. Last year, the FBI warned that hackers linked to the FSB's Center 16 were exploiting a years-old Cisco vulnerability to collect configuration files from thousands of network devices associated with critical infrastructure operators. So while the FSB's latest allegations may ultimately prove accurate, they lack the technical evidence security researchers would normally expect before accepting claims of a major cyber espionage campaign. ®

Microsoft has moved to calm an increasingly noisy backlash from the security community after appearing to threaten legal action against a researcher who spent the past several weeks dumping Windows zero-days onto the internet. In a statement published on Monday, Redmond said it has "no intention to pursue action against individuals conducting or publishing security research”, a noticeably softer position than the one it adopted just days earlier when it condemned a string of public vulnerability disclosures and invoked its Digital Crimes Unit. The updated statement follows a public feud with a researcher known as Nightmare-Eclipse, who released multiple Windows zero-days along with proof-of-concept exploit code. Several of those vulnerabilities have since been exploited in the wild, turning what might have remained an obscure disclosure dispute into a much larger argument about how vendors handle security researchers. Last week, Microsoft described the publication of exploit code for unpatched flaws as "never justifiable" and warned it would work with law enforcement when criminal activity harmed customers. The statement triggered immediate criticism from parts of the security community, with researchers warning that the language risked creating a chilling effect around vulnerability research. Former Microsoft employee and security researcher Kevin Beaumont described the company's position as a "dumpster fire of its own making," while Luta Security founder Katie Moussouris, who created Microsoft's bug bounty program, told The Register the response sent mixed messages. She questioned Microsoft's decision to tout researcher compensation and recognition while responding to a researcher who claims he received neither, and argued that references to the Digital Crimes Unit made the post feel "vaguely threatening." She added that, regardless of the specifics of the dispute, Microsoft risked creating a chilling effect on other researchers considering whether to report vulnerabilities. What’s more, if Microsoft's goal was to isolate Nightmare-Eclipse, that may not be going entirely to plan. The researcher claimed over the weekend that other researchers had begun handing over vulnerabilities following Microsoft's response, including an alleged flaw dubbed "Bitskrieg" that breaks Secure Boot trust guarantees and bypasses BitLocker. Nightmare-Ecipse said the bug will be released “sometime in June”. Against that backdrop, Microsoft's Monday message read more like damage control than deterrence. "We have no intention to pursue action against individuals conducting or publishing their security research," Microsoft said, adding that legal referrals would be reserved for people engaging in malicious activity that causes harm to customers. The company also acknowledged that "some interactions have fallen short" and said it was working to learn from feedback. Notably, Microsoft stopped well short of conceding any of Nightmare-Eclipse's specific allegations. The researcher had accused Microsoft of deleting accounts used for vulnerability reporting, refusing to pay bounties, and mishandling communications through the Microsoft Security Response Center. The company has not publicly addressed those claims directly. Nobody should mistake Monday's statement for a sudden conversion to the church of full disclosure. Microsoft remains firmly of the view that researchers should report vulnerabilities privately, give vendors time to fix them, and avoid dropping working exploit code onto the internet for everyone else to play with. The problem for Redmond was that the argument had drifted well beyond the actions of one researcher. What began as a dispute over a string of Windows zero-day releases was rapidly turning into a debate about Microsoft's relationship with the security community and whether the company was comfortable invoking lawyers when that relationship soured. The updated statement looks very much like an attempt to slam the brakes on that narrative. ®

Claude has gone offline on the day after its maker Anthropic filed for what is expected to be a blockbuster IPO. The popular chatbot and coding tool suffered an outage from around 0600 UTC on Tuesday, with Anthropic saying the team was investigating the issue. By 1042 UTC, the status page said a fix had been implemented and the technical team was monitoring the results. Some users continued to complain to The Register about the disruption after that point. Downdetector shows users reporting the LLM service from Anthropic was down twice momentarily yesterday. A surge in reports started from 0700 UTC today and peaked at 0948 UTC, after which they started to fall. The timing of the technical difficulties is unfortunate for Anthropic, the company founded in 2021 by former employees of OpenAI. Yesterday, the company submitted a draft registration statement to the US Securities and Exchange Commission for a proposed initial public offering (IPO) for common stock. It has yet to set the price of shares but a May funding round which raised $65 billion valued the company at around $965 billion (£717 billion), more than rival OpenAI, makers of chatbot ChatGPT. It is set to be a monster year for IPOs, with Elon Musk’s SpaceX and OpenAI also anticipated to join the frenzy. Each is expected to be valued at around $1 trillion. Claude Code has bolstered Anthropic’s reputation and has been well-received by some developers. Reportedly, Anthropic earns more in revenue despite having a fraction of the users OpenAI claims to serve. According to the Wall Street Journal, Anthropic is on the verge of reporting its first quarter of operating profit, according to people at the company who spoke anonymously. ®

The Police Service of Northern Ireland (PSNI) is warning the public to be wary of scammers spoofing its switchboard number in an attempt to profit by calling marks from a "trustworthy" number. A member of the public reported an attempted scam on Monday afternoon. A phone call came in from what appeared to be the PSNI’s switchboard number, and the caller pretended to be a member of the force inquiring about a case in which the recipient was involved. “The caller told the person there was an investigation linked to their name involving money transfers to narcotic-related countries and was subsequently asked to provide information about their bank cards,” said the PSNI’s Inspector Walker. We don’t have any expert criminals here at The Register, but we think it would be pretty sage advice for someone looking to increasingly pass as a police representative not to be so stupid as to ask for gift cards as “part of the investigation process.” “The caller then asked them to purchase gift cards and send across the codes for those, stating that this was part of the investigation process and that the money would be returned to them,” Inspector Walker added. “This made the reporting party suspicious, however, and thankfully, the victim didn’t share any of their personal or bank details with the caller, who they then blocked.” Officials confirmed to The Register that the police’s number was spoofed, and this case was not instigated by a real member of the switchboard team. Spoofing the switchboard’s phone number marked “a very concerning situation,” Walker said, urging the public to remain vigilant to similar calls. The PSNI is continuing to make follow-up enquiries about the report, but has not yet detained any individual in connection with the attempted fraud. Anyone who falls victim to digital fraud in the UK should contact the police, their bank, and Action Fraud, all of which can offer the necessary assistance. “Our advice is that you should never disclose your personal or financial details over the phone, in person, or by email, to someone you don't know,” said Walker. “Guarding your personal and banking details is essential.” The attempted scam is the second disclosed by the PSNI in as many days. On Monday, it warned of a separate case involving an elderly woman being defrauded of a sum north of £250,000 ($336,000) after being targeted by individuals operating a fake cryptocurrency scheme. “After initially sending a relatively small amount, the woman then ‘invested’ larger amounts on a number of occasions after the criminals convinced her that she needed to send more in order to get her initial investment back,” said Detective Inspector Moffett, of the PSNI’s Serious Crime Branch. “After she unknowingly downloaded malware at their instruction, they were able to gain control of her electronic devices and, we believe, transfer further sums from her account.” Cryptocurrency investment scams are among the most pervasive in the world, with figures from the US suggesting the problem is growing increasingly severe. According to the FBI’s annual digital crimes report, it received 48 percent more complaints about crypto investment scams last year than it did the year before, with losses also rising 25 percent. Much of this pain was shouldered by those aged 60 and over, the agency added. ®

Security researchers on Monday found dozens of Red Hat npm package releases infected with the Mini Shai-Hulud worm that TeamPCP cybercriminals recently open-sourced. The new supply chain attack hit at least 32 npm package releases published under the Red Hat Cloud Services namespace, according to security researchers from Google-owned Wiz, who traced the malware to one Red Hat employee’s compromised GitHub account. They said the affected packages are downloaded around 80,000 times a week. “The compromised account pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review,” the threat hunters said in a Monday blog. “This happened across two waves of activity.” Wiz considers this a “live threat,” and says its researchers are actively monitoring it for any new developments. Socket, meanwhile, counted 95 affected package versions as of 11:00:22 UTC. The supply-chain security shop continues to monitor the ongoing attack and update the artifacts list – so be sure to check it out, and if your organization or any development pipelines have installed one of the poisoned versions, assume compromise and immediately rotate credentials. The compromised versions execute a hidden payload through a preinstall hook so that the malware automatically runs during the npm install process – before a developer imports or uses the package. “Based on Socket’s analysis, the payload is designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files,” Socket’s research team wrote on Monday. “It also includes encrypted exfiltration logic and GitHub-based fallback mechanisms, indicating that the attacker was not only attempting to steal credentials, but also potentially enable further supply chain propagation.” A Red Hat spokesperson told The Register that the IBM-owned software firm is aware of the reports. “We immediately initiated an investigation and removed the packages from the npm registry,” the spokesperson said. “The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system. While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.” Both security firms say the malware resembles the Mini Shai-Hulud worm – but because TeamPCP open sourced the credential-stealing tool, it’s tough to say whether TeamPCP or a copycat crew is responsible for the latest developer-targeting supply chain infection. According to Wiz, the modifications look “largely cosmetic, with references to the Dune universe replaced by Greek mythology themes (i.e ‘spartan’), while the underlying functionality and tradecraft remain substantially similar.” One of the notable changes, the security sleuths said, is that the new variant adds data collectors for Google Cloud Platform and Microsoft Azure identities, and this new capability snarfs up all the identities that the infected machine has access to, as opposed to just stealing secrets from the cloud environments. This suggests “an increased attacker focus on gaining and leveraging access to the cloud itself,” Wiz warns. This variant also creates repositories containing the description “Miasma: The Spreading Blight.” And unlike earlier variants of the self-spreading worm that copied themselves, this one generates a uniquely encrypted payload for each infection, which makes hash-based indicators-of-compromise useful only for a specific package version. ®

The biggest threat to America’s midterm elections in November likely isn’t foreign attackers hacking US voting machines. Phishing and election-official impersonation are the bigger risks, according to Check Point, which documented more than 5,000 election-themed domains registered between April and May. These domains can be used by attackers for phishing, impersonation, fraud, misinformation, or influence activity, especially when coupled with about 17,000 exposed credentials associated with fundraising orgs, political parties, and government-related services also spotted by the security shop’s intelligence arm in May. "Election-related domains and leaked credentials represent two sides of the same problem: infrastructure and access," Danielle Hess, a cyber threat intelligence analyst at Check Point Software, told The Register. "A rise in election-themed domains not only creates more potential infrastructure that could be abused for phishing or impersonation, but also reflects a growing election-related ecosystem with more organizations, accounts, and users that can be targeted," Hess said. "When combined with a large pool of exposed credentials, attackers have more opportunities to conduct convincing and scalable election-related operations." Plus, AI gives phishing, impersonation, election misinformation and other scam operations a massive boost, making them faster, cheaper, and easier to scale. The uptick in election-related threats follows the Trump administration’s efforts to gut America’s lead cyber-defense agency and decimate its efforts to combat election-related fraud, while slashing its budget and workforce, and shutting down the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). According to a Monday report, Check Point has been monitoring registered domains and documented about 1,300 containing the keyword “election” and 2,957 containing “vote” in January. Three months later, between April 13 and May 14, about 1,140 newly registered domains contained the word "election," while the number containing "vote" had climbed to about 4,010. While simply registering a domain doesn’t guarantee it will be used for malicious purposes, such domains are often used for phishing pages that impersonate voter info sites or candidates themselves, and campaign donation scams, and misinformation sites designed to look like official election communications. Along these lines, the security shop documented thousands of leaked credentials in May linked to fundraising and political party websites including about 9,500 ActBlue.com (Democrats’ fundraising site) compromised credentials, 6,500 leaked WinRed.com (Republican fundraising) credentials, plus 600 from the official Republican gop.com website, 130 from democrats.org, and 150 leaked usa.gov citizen services’ site credentials. Hess told us that "it's important to note that the credential statistics reflect credentials identified on Check Point's External Risk Management (ERM) platform as of May 2026 and are not limited to credentials that were necessarily stolen or leaked during May 2026 itself." As the reports point out, the credential leaks aren't limited to one political party or specific campaigns. “Individual political campaign domains showed little to no observed credential exposure across a sample of swing-state candidates from both major political parties, reinforcing that current exposure is concentrated in centralized platforms rather than campaign-specific infrastructure,” according to the report. “A single campaign domain stood out as an exception, with around 90 leaked credentials identified,” the report continued. "The campaign domain referenced was associated with candidate Tom Kean," Hess said, referring to Rep. Tom Kean Jr. (R-NJ). "However, it's important to note the credentials were identified within infostealer malware logs, which typically reflect opportunistic compromise rather than deliberate targeting of a specific campaign. While not indicative of direct targeting, the presence of these credentials may still pose a security risk if associated accounts remain active or reused.” In addition to the political org-related credential exposure, voter information is also appearing across dark web forums ahead of the November midterms. This includes a January 30 BreachForums post advertising data - being given away for free - tied to the Fremont County, Colorado election division. The data dump included names, email addresses, IP address data, and election-related portal submission information. On April 26, the threat hunters spotted a post on criminal forum Spear[.]cx, claiming to offer a multi-state US voter database covering more than two dozen states and Washington, DC. ®

Grand Theft Auto cheat users have discovered that even the people selling ways around the rules struggle to follow some basic security ones. According to breach notification site Have I Been Pwned, the operators of Atlas Menu, a cheat service for Grand Theft Auto V and Counter-Strike 2, suffered a data breach in May that exposed information belonging to tens of thousands of users after an attacker allegedly gained access to the service's systems and dumped its database online. The breach exposed 64,000 unique email addresses, according to HIBP. The leaked data also included usernames, IP addresses, support tickets, and passwords stored as bcrypt hashes. The individual who claimed responsibility for the breach published the stolen database to a public GitHub repository, claiming to have gained access to "all Atlas systems" before extracting customer records, support conversations, menu license keys, signup dates, and Rockstar Games account identifiers. The data, reviewed by The Register, also appears to include lists of thousands of banned users, administrator logs, and other internal records. Posts discussing the breach on Reddit suggest this was not Atlas Menu's first security incident, but users said the latest leak appears to contain significantly more sensitive information than previous disclosures. Anyone signing up for a GTA cheat service probably wasn't expecting privacy guarantees. Even so, having your email address leaked is one thing. Having support tickets, account identifiers, and purchase records dumped onto GitHub is another. The Atlas breach comes weeks after Rockstar Games was pulled into a separate data leak claimed by ShinyHunters. In that case, the extortion crew alleged it had accessed Rockstar data through cloud cost-monitoring platform Anodot and threatened to publish the information unless its demands were met. Atlas users now have their own security headache to deal with. Whether they're more concerned about the leaked database or the screenshot-spying allegation will likely depend on what they were doing while the software was running. ®

Palo Alto customers are being been told to patch yet another internet-facing security flaw after researchers caught attackers bypassing GlobalProtect authentication and gaining unauthorized VPN access. The flaw, tracked as CVE-2026-0257, affects PAN-OS deployments using GlobalProtect authentication override cookies under specific configurations. Palo Alto disclosed the bug on May 13 and initially assigned it a medium-severity rating, saying it was aware of attempts to exploit it but had not observed any malicious exploitation. That assessment has not aged well. Security boffins at Rapid7 said they observed successful exploitation across multiple customer environments dating back to at least May 17 and validated the attack technique using its own proof-of-concept testing. Attackers established unauthorized VPN sessions on vulnerable systems, potentially granting access to internal corporate networks without legitimate credentials, it added. Rapid7's analysis suggests the flaw comes down to how PAN-OS trusts authentication override cookies. In certain deployments, hackers can create their own cookies and have the firewall accept them as legitimate. The risk is highest where the same certificate is used for both HTTPS services and authentication override cookies, giving the baddies access to the information needed to generate convincing fakes. Rapid7 said it observed multiple waves of activity targeting vulnerable devices. In some cases, cybercrims successfully obtained VPN IP addresses and network access, but the company said it didn’t observe evidence of successful lateral movement following initial access in the incidents it investigated. The flaw has now landed in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until June 1 to patch or otherwise secure affected systems. Palo Alto has also revised its advisory, elevating the severity rating and attaching its highest urgency label. Fixes are available for supported releases. "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the firm said in an update. The latest PAN-OS headache arrives less than a month after another Palo Alto emergency. In May, state-backed attackers were found exploiting CVE-2026-0300, a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal, before patches became widely available. Organizations running vulnerable GlobalProtect gateways now face a familiar choice: patch quickly or find out whether someone else gets there first.®

Password manager Dashlane has disabled a number of user accounts as a precaution amid a spate of brute force attacks. It didn't specify the scale of the attack, although scores of users have queried the reason for receiving emails informing them of account suspensions. “Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn't enter the correct token after several tries,” the emails read, along with instructions to contact customer support to restore access. The attacks began on Sunday afternoon and the Dashlane team said it had finished investigating the matter later that evening, restoring all affected user accounts in the process, according to its status page. In a copy-paste statement sent to a number of users via social media, Dashlane also confirmed there was no compromise of internal systems. Dashlane posted an update to its status page on Monday morning, repeating the same statement from a day earlier, but changing the incident status from "resolved" to "monitoring." Several users reported unauthorized login attempt notifications from various countries - the common culprits being Korea and Russia. Dashlane did not specify whether any attempts on customer accounts were successful. Dashlane’s interventions involved suspending accounts and its two-factor authentication (2FA) service. Some users reported trying to access Dashlane’s 2FA one-time passcodes, but when entering them, all that returned was an error. Some criticised the company for a lack of public comms about the attacks. Aside from the direct account suspension emails and some replies to users on social media, Dashlane has not disclosed the attack through any high-visibility channels. Users also queried whether the initial account suspension emails were a phishing attempt. But the emails showed no hallmarks of phishing as they contained no suspicious links, no attachments and were sent from a real Dashlane domain. However, the nature of the message and the fact that the emails contained an old Dashlane logo only exacerbated some customers’ fears. The Register has contacted Dashlane for more information. ®

The British government wants stronger protection for subsea internet cables following a surge in Russian activity near UK waters, but its latest proposals lean heavily on fines and prison sentences rather than direct defensive action. Plans - outlined in a speech by Baroness Liz Lloyd, Minister for Digital Economy ahead of a consultation - include tougher penalties for recklessly damaging undersea cables, operator security obligations and emergency powers allowing government to compel businesses to better protect their infrastructure. In April, the Royal Navy and Royal Air Force tracked Russian submarines on a covert reconnaissance near critical undersea infrastructure. According to reports, Russia deployed an Akula-class attack submarine as a decoy while two specialist vessels from Directorate of Deep Sea Research - known as Glavnoye Upravlenie Glubokovodnikh Issledovanii (GUGI) - surveyed the UK's cable routes. “Their mission was to survey our cables in peacetime, so they could more easily sabotage them in a conflict,” Lloyd said in a speech delivered at the Royal United Services Institute (RUSI). “They wanted this operation to be secret, but they failed." In light of this, the government is reviewing whether the UK’s security and resilience arrangements are strong enough, the Defence, Science and Technology Laboratory said. UK Parliament's Joint Committee on National Security Strategy (JCNSS) last year told the government it is "too timid" in its approach to protecting Britain’s cable connections, and must do a better job. Measures proposed include tightening the law so ship owners and operators that recklessly damage subsea internet cables face tougher penalties. Cable operators could be landed with extra obligations to ensure they take steps to prevent, detect and respond to security incidents in a consistent and timely manner. “The UK already has strong protections in place for our subsea cables, but in a more uncertain world we cannot stand still,” said Lloyd. "As hostile activity by Russia and others grows, protecting these cables matters more than ever for our economy, security and daily lives.” Some 64 cables connect Britain to the global internet, and when one breaks, repair vessels are typically on scene within eight days. Historically, most cable faults have stemmed from fishing activity or dragging anchors, not sabotage. The Royal Navy unveiled its Atlantic Bastion program last year to supplement its sub-hunting ships with a force of uncrewed, autonomous vessels. The aim is that enemy submarines in the North Atlantic have nowhere to hide. This is in its early stages, with £14 million committed so far for testing and development. The latest proposals will be outlined a white paper published later this year. Separately, the UK, US, and Australia announced this weekend that their AUKUS partnership will jointly develop sensor and weapons payloads for uncrewed underwater vehicles, which is another building block for protecting seabed infrastructure. ®