Anthropic Found Thousands of Zero-Days, Then Buried the Model

April 8, 2026

Big Picture

Anthropic found thousands of zero-days across every major OS and browser, then told the world it couldn't release the model that found them.

Anthropic built an AI that found thousands of zero-days overnight, decided it was too dangerous to ship, and launched a $100M defensive coalition with AWS, Apple, Google, Microsoft, and eight other partners. Meanwhile, RSAC post-conference data showed 75% of security teams apply AI to less than a tenth of their portfolio. North Korea hit a new supply chain target every 72 hours. Fortinet shipped its seventh SQL injection in a year.

TL;DR

Anthropic's Mythos found thousands of zero-days across every major OS and browser, then was withheld as too dangerous to release publicly
90% of organizations claim to use AI in their security stack; 75% apply it to less than 10% of their portfolio. Workers spend 4.5 hours/week cleaning up AI output
North Korean TeamPCP campaign hit Trivy, Checkmarx, LiteLLM, and Telnyx SDKs every 72 hours; Cisco lost 300+ GitHub repos via Trivy-compromised credentials
AppSec Weekly

The briefing security leaders actually read. CVEs, tooling shifts, and remediation trends — every week in 5 minutes.

Anthropic's Mythos Found Thousands of Zero-Days

Anthropic announced Mythos Preview on April 7, a frontier AI model that discovered thousands of zero-day vulnerabilities across every major operating system and browser. One finding: a 27-year-old TCP SACK denial-of-service flaw in OpenBSD that survived decades of manual code review. Engineers with no formal security training received complete working exploits overnight. Mythos was not specifically trained for cybersecurity. The capability emerged from general reasoning.

Anthropic made the unusual decision to withhold Mythos from public release, calling it the first AI model restricted specifically for cybersecurity risk. Instead, it launched Project Glasswing: a $100M defensive coalition with 12 founding partners including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Over 40 additional organizations received defensive access. Anthropic committed $2.5M to Alpha-Omega/OpenSSF and $1.5M to the Apache Software Foundation for open-source vulnerability remediation.

Takeaways

Last week this newsletter covered Opus 4.6 writing its first autonomous kernel exploit. Mythos makes that look like a proof of concept. Deputy CISO Jason Clinton presented at RSAC on the coming "vulnerability tsunami" from AI-powered discovery tools. If one model found thousands of zero-days across the entire OS landscape in a single research cycle, the disclosure pipeline is about to get a volume problem no existing patch cadence was designed for.

RSAC Sold AI Everywhere. The Numbers Say Almost Nowhere.

RSAC's operational numbers arrived this week, and they undercut the keynote narrative. theCUBE Research found 90% of organizations say they use AI in their security stack, but 75% apply it to less than 10% of their portfolio. In the same analysis, Gallup Q4 2025 data showed only 26% of workers use AI a few times per week; 12% use it daily. The adoption headlines and the usage data show just how early we are.

Usage brings cleanup costs, and those costs are becoming measurable. Workers spend 4.5 hours per week fixing AI output (Zapier survey), which may exceed the 1.5-2.5 hours AI saves on generation.

Related is the shadow AI problem: the oversight gap we flagged three weeks ago is widening. Bessemer's 2026 cybersecurity report found 82% of executives say they're confident in their agent governance policies, but over 50% of deployed agents operate without logging or oversight.

That gap matters, given that the same report found 48% of cyber professionals identified agentic AI as the number-one attack vector for 2026. Shadow AI breaches cost $4.63M on average, $670K more than standard incidents (IBM data via Bessemer).

Takeaways

Cisco's RSAC framing may have put it best: "With chatbots, you worry about the wrong answer. With agents, you worry about the wrong action."

TeamPCP Hit a New Target Every 72 Hours. The Downstream Is Still Materializing.

Last week's edition covered the Axios supply chain attack as a single incident. TeamPCP is a different problem: a North Korean-attributed campaign that has been compromising developer tools at a sustained pace of one target every 1-3 days. The confirmed targets include Trivy, CanisterWorm, Checkmarx, LiteLLM, and Telnyx SDKs. The method is consistent across all of them: maintainer credential compromise, followed by publication of a malicious PyPI or npm version, followed by credential and source code exfiltration from everyone who installs it.

The downstream damage is still unfolding. Cisco disclosed that 300+ GitHub repositories were stolen, including AI product source code. The breach traced back to credentials stolen in the March 19 Trivy supply chain attack, weeks before the repository theft was discovered. TeamPCP also pivoted to ransomware via a RaaS partnership, escalating from data theft to operational disruption. The group used audio file steganography for payload delivery, a technique that evades standard content inspection.
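The pattern above, a maintainer account compromise followed by a malicious version pushed to PyPI or npm, is defeated on the consumer side by refusing to resolve anything newer than what you have reviewed. The following is an added example, not code from the newsletter or from any of the projects named; it audits a pip requirements file and flags every dependency that is not pinned with `==` and a `--hash`, the combination pip needs to reject a freshly published release. Package names in the sample are borrowed from this story, but the versions and hash are constructed.

```python
"""Audit a pip requirements file for dependencies that would silently pick up
a newly published (possibly malicious) release.

Assumes the common requirements syntax `name==version --hash=sha256:<hex>`
with backslash line continuations, as produced by `pip-compile --generate-hashes`.
An entry is treated as safe only when it is pinned with `==` AND carries at
least one --hash, so that a maliciously published newer version is neither
resolved nor installed (pip's hash-checking mode also rejects a re-uploaded
artifact under the same version).
"""
import re

# Constructed sample file: one fully hash-pinned entry, one pinned without a
# hash, one range-pinned, one unpinned. Versions and hash are made up.
SAMPLE_REQUIREMENTS = (
    "# constructed sample, not a real lockfile\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "litellm==1.40.0\n"
    "trivy-client>=0.5\n"
    "telnyx\n"
)

_HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*==\s*[^\s;]+")


def _logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_requirements(text):
    """Return {package: reason} for every entry that is not hash-pinned."""
    findings = {}
    for line in _logical_lines(text):
        name = re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower()
        if not _PIN_RE.match(line):
            findings[name] = "not pinned with =="
        elif not _HASH_RE.search(line):
            findings[name] = "pinned but no --hash"
    return findings


if __name__ == "__main__":
    for pkg, why in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {why}")
```

Run it against a real requirements file in CI and fail the build on any finding; the same idea applies to npm, where `package-lock.json` integrity fields play the role of the `--hash` entries.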

Takeaways

Campaign pace slowed after the March 27 Telnyx incident, but the blast radius from earlier compromises is still expanding. Cisco's disclosure proves what supply chain researchers have warned about: the initial compromise is just the entry point. Stolen credentials from Tool A unlock access to Organization B, which stores secrets for Platform C. The cascading effect means organizations breached in March may not discover the impact until May.

When Your Security Vendor Can't Prevent SQL Injection in Their Own Product

Fortinet FortiClient EMS disclosed CVE-2026-21643: a SQL injection vulnerability enabling unauthenticated remote code execution. It is Fortinet's seventh SQL injection CVE in 12 months. Seven SQL injections in 12 months at a company whose core business is selling security products.

Fortinet isn't the only infrastructure vendor under scrutiny this week. F5 BIG-IP APM had a DoS vulnerability upgraded to critical RCE after active exploitation was detected, earning it a CISA KEV addition. Citrix disclosed CVE-2026-3055 in NetScaler, an out-of-bounds read vulnerability enabling session hijacking, also actively exploited. CISA ordered federal agencies to patch by April 2.

Takeaways

Fortinet, F5, and Citrix sit at the perimeter of enterprise networks. When the devices enforcing security policy contain the same vulnerability classes a first-year developer learns to prevent, buyer trust erodes. Seven SQL injections in 12 months isn't a patch management problem. It's a development practices problem at a company that sells security for a living.

Vulnerabilities in the Wild

Critical

CVE-2026-21643 | Fortinet FortiClient EMS

SQL injection enabling unauthenticated remote code execution. Fortinet's 7th SQL injection CVE in 12 months. Status: Actively exploited

N/A | F5 BIG-IP APM

DoS vulnerability upgraded to critical RCE after active exploitation detected. Added to CISA KEV catalog. Status: Actively exploited

CVE-2026-3055 | Citrix NetScaler

Out-of-bounds read vulnerability enabling session hijacking. CISA ordered federal agencies to patch by April 2. Status: Actively exploited

N/A | Multiple Major OS and Browsers (Anthropic Mythos)

Thousands of zero-day vulnerabilities discovered by Mythos AI model across every major OS and browser, including a 27-year-old OpenBSD TCP SACK DoS flaw. Model withheld from public release. Status: Zero-day (not actively exploited; model restricted)

High

N/A | Trivy (Aqua Security)

Supply chain compromise via maintainer credential theft. Malicious versions published to package registries. Led to downstream Cisco breach of 300+ GitHub repos. Status: Actively exploited

N/A | Checkmarx SDK

Supply chain compromise by TeamPCP. Maintainer credentials stolen, malicious package versions published for credential and source code exfiltration. Status: Actively exploited

N/A | LiteLLM

Supply chain compromise by TeamPCP via malicious PyPI package publication targeting maintainer credentials. Status: Actively exploited

N/A | Telnyx SDK

Supply chain compromise by TeamPCP using audio file steganography for payload delivery and PyPI package poisoning. Status: Actively exploited

N/A | CanisterWorm

Supply chain compromise by TeamPCP as part of sustained campaign targeting OSS developer tools. Status: Actively exploited

Curated Reading List

Thought-Provoking

12 Cyber Industry Trends Revealed at RSAC 2026 Why it's worth your time: Practitioner-level analysis of vendor 'AI opportunity gaga' versus real trepidation on the conference floor -- a more granular view than the headline adoption stats covered in the Deep Dive.

Cisco Reimagines Security for the Agentic Workforce Why it's worth your time: Cisco's full architectural framework for zero trust applied to AI agents -- the primary source behind the 'wrong answer vs wrong action' quote, with implementation detail the newsletter summary omits.

Amazon Bedrock AgentCore Adds Policy Controls for Deploying Trusted AI Agents Why it's worth your time: First-party technical deep dive on Cedar policy language for intercepting every AI agent tool call -- the governance infrastructure that could become the default standard for agent permissions.

Current Events

Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign Why it's worth your time: Anthropic's own disclosure of a Chinese state-sponsored group using Claude for espionage against 30 global targets adds context to Mythos -- the same company restricting one model for defense is seeing another weaponized offensively.

Anthropic Says Its Most Powerful AI Cyber Model Is Too Dangerous to Release Why it's worth your time: Analysis of the precedent-setting decision to withhold an AI model based on cybersecurity risk rather than general safety -- a framework that other labs will likely adopt or reject publicly.

Why Anthropic's New Model Has Cybersecurity Experts Rattled Why it's worth your time: Independent analysis from cybersecurity experts on what Mythos means for the offensive-defensive balance -- including skepticism about whether the 'too dangerous to release' framing is strategy or genuine caution.
