Last week this newsletter covered Mythos finding thousands of zero-days. This week the industry responded. The CSA assembled 60+ CISOs to publish a risk register. The Federal Reserve convened emergency bank CEO meetings. Anthropic published seven defensive recommendations. Microsoft shipped 167 CVE fixes and attackers weaponized a developer tool vulnerability in 10 hours flat. The response plans are here. The patch velocity hasn't changed.
The CSA's MythosReady paper is the most significant coordinated CISO response to an AI capability announcement on record. Sixty-plus security leaders from Google, Netflix, Cloudflare, GitLab, and Wells Fargo contributed a 13-item risk register, an 11-item priority action list, and a new concept: VulnOps as a permanent organizational function. Former CISA Director Jen Easterly, Bruce Schneier, and former National Cyber Director Chris Inglis all contributed. The central acknowledgment is blunt: "We cannot outwork machine-speed threats."
Within 48 hours, Treasury Secretary Bessent and Fed Chair Powell convened emergency bank CEO meetings over a single AI model's cyber risk. EU regulators raised sovereignty concerns after exclusion from early Mythos access. Anthropic published seven defensive recommendations and launched Project Glasswing, its $100M defensive coalition.
Both documents are substantive. Both share the same gap. Neither addresses what happens when the tools they recommend generate findings at 71-88% false positive rates. Your engineers already spend 6.1 hours per week triaging alerts, and 72% of that time is wasted on noise.
Anton Chuvakin calls it the "Patch Sound Barrier". Every organization has a maximum remediation velocity. AI-driven discovery has permanently exceeded it. More scanning at those false positive rates doesn't shrink the backlog. It grows the triage queue.
The best response plan in the industry's history recommends more scanning without solving the false positive problem that made the last generation of scanning tools a net time drain. Mean time to remediate sits at 252 days. Exploit windows are now measured in hours. That math has not changed.
OX Security analyzed 216 million security findings and reported a 4x increase in critical risk year-over-year. The company attributes the surge directly to AI coding tools accelerating development faster than security review. The data lines up with what Brian Krebs observed this week: "more bugs are found now because AI helps discover them faster."
The intake side is growing too. GitGuardian's research this week found that AI coding assistants like Cursor, Claude Code, and Copilot now execute shell commands and read arbitrary files during development sessions. Secrets get exposed before code reaches a repository, before any scanner runs. Separately, Cisco researchers demonstrated that agentic AI memory systems create persistent attack surfaces that carry across sessions and users. AI coding tools are not just producing more code. They widen the attack surface at a layer your scanners never see.
Your developers are writing 70% more code. Your scanners still generate 60-70% false positives. Your security team did not grow 4x. The tools that generate findings and the tools that generate vulnerable code are both scaling. The people who fix things are not.
OX Security's 4x critical risk increase is year-over-year, pre-Mythos. As of early 2026, 41% of all code is AI-generated and 40-62% of AI-generated code contains security vulnerabilities. If AI coding tools already quadrupled your critical findings before AI-accelerated exploit discovery arrives, the backlog pressure is about to compound from both directions.
A critical pre-authentication RCE in the Marimo Python notebook (CVE-2026-39987, CVSS 9.3) went from public disclosure to confirmed exploitation in 9 hours and 41 minutes. The attacker built a working exploit directly from the advisory description, without a public PoC, and achieved credential theft in under three minutes on a honeypot. This is a developer tool, not production infrastructure, which means the organizations most exposed are the ones running notebook environments with network access.
The Marimo timeline was not an outlier this week. CPUID's download infrastructure was hijacked for six hours, serving trojanized CPU-Z and HWMonitor binaries. Adobe patched a Reader zero-day (CVE-2026-34621) that had been exploited in the wild since November 2025, requiring no user interaction beyond opening a PDF. And North Korean actors compromised the Axios JavaScript library, briefly affecting OpenAI's macOS code-signing workflow. Four separate incidents, one pattern: trust relationships in developer tooling supply chains are the preferred attack surface.
Two weeks ago this newsletter covered the Axios supply chain compromise in detail. This week's CPUID and Marimo incidents confirm the pattern is structural, not episodic. Attackers are systematically targeting the tools developers use to build software, not just the software itself.
10 hours. That is the new disclosure-to-exploitation baseline for developer tool vulnerabilities. If your patching SLA assumes days, you are operating on expired assumptions.
Microsoft's April Patch Tuesday delivered 167 CVE fixes, its second-largest ever. Two actively exploited zero-days: a SharePoint spoofing flaw (CVE-2026-32201) and a Defender privilege escalation (CVE-2026-33825, CVSS 7.8) granting SYSTEM access. CISA added both to KEV with an April 28 deadline. The same week, Adobe patched 55 vulnerabilities across 11 products and issued an emergency Reader fix for the zero-day exploited since November. SAP patched a critical ABAP flaw. Seven IBM WebSphere Liberty flaws chain into full server takeover.
This is baseline patch volume before AI-accelerated discovery adds to it. The CSA's MythosReady paper warns of a coming "vulnerability tsunami". This week's patch volumes are what the tsunami hits. Krebs notes the trend is already visible: AI-assisted discovery is driving part of the increase. When Mythos found a 27-year-old OpenBSD bug that survived decades of manual review, it proved the undiscovered vulnerability surface is larger than anyone estimated. What 167 monthly CVEs looks like when AI accelerates disclosure is not theoretical. It is the next two quarters.
167 Microsoft CVEs plus 55 Adobe fixes in a single week is the current ceiling. The CSA paper and Chuvakin's Patch Sound Barrier both argue that ceiling is about to rise faster than any manual process can match. If your team struggled with this week's volume, the structural problem is already here.

| CVE / ID | Product | Severity | Details |
|---|---|---|---|
| CVE-2026-39987 | Marimo Python Notebook | Critical (9.3) | Pre-auth RCE exploited within 10 hours of disclosure; single connection request grants full system control |
| CVE-2026-34621 | Adobe Acrobat Reader | Critical | Zero-day exploited since November 2025; no user interaction beyond opening a PDF. Emergency patch issued |
| CVE-2026-32201 | Microsoft SharePoint / Windows | Critical | 167 CVEs patched including two zero-days in SharePoint and Defender; second-largest Patch Tuesday on record |
| CVE-2026-35616 | Fortinet FortiClient EMS | Critical (9.8) | Improper access control exploited since March 31; CISA added to KEV with April 9 deadline |
| Axios supply chain | Axios npm / OpenAI code-signing | Critical | North Korean actors compromised Axios, briefly affecting OpenAI macOS code-signing workflow |

| CVE / ID | Product | Details |
|---|---|---|
| wolfSSL forgery | wolfSSL Library | Certificate forgery undermines TLS trust for embedded/IoT devices |
| SAP ABAP | SAP ABAP Platform | Critical vulnerability affecting enterprise ERP deployments globally |
| CVE-2026-40175 | Axios JavaScript Library | Rated critical but not practically exploitable per Aikido analysis |
| 7-flaw chain | IBM WebSphere Liberty | Seven vulnerabilities chainable into complete server takeover |

| CVE / ID | Product | Status | Details |
|---|---|---|---|
| CVE-2026-27654 | nginx | Patch Available | Discovered through AI + human collaboration |
| CVE-2026-22666 | Dolibarr 23.0.0 | PoC Available | Whitelist bypass in dol_eval() leads to RCE |
| AgentKit injection | Coinbase AgentKit | PoC Available | Prompt injection enables wallet drain and agent-level RCE |
| RAGFlow RCE | RAGFlow | Zero-Day | Unpatched post-auth RCE; no vendor fix at disclosure |
| CVE-2025-8061 | Kernel driver | PoC Available | Privilege escalation from user-land to Ring 0 |
| CPUID hijacking | CPUID (CPU-Z, HWMonitor) | Patch Available | Download infrastructure hijacked for 6 hours serving trojanized binaries |
| Docker AuthZ bypass | Docker Engine | Patch Available | Previously patched bypass resurfaces; original fix incomplete |
| LibreNMS RCE | LibreNMS < 26.3.0 | Patch Available | Authenticated RCE and XSS in network monitoring platform |
| 55 Adobe vulns | Adobe (11 products) | Patch Available | Regular April update, separate from emergency Reader fix |

Thought-Provoking
• Brocards for Vulnerability Triage -- Applies legal reasoning frameworks to vulnerability triage decisions. A genuinely novel analytical lens for prioritization that most AppSec practitioners have never considered, directly useful for teams drowning in post-Patch-Tuesday backlogs.
• Axios CVE-2026-40175: A Critical Bug That's Not Exploitable -- Aikido's technical teardown of why a CVSS-critical Axios bug is not practically exploitable in real environments. Required reading for anyone whose triage workflow treats CVSS scores as gospel rather than starting points.
• Fixing Vulnerability Data Quality Requires Fixing the Architecture First -- Argues the CVE ecosystem's data quality problems are architectural, not editorial. If you have ever wondered why your scanner outputs conflict with NVD data, this explains the structural reasons.
Current Events
• Coinbase AgentKit Prompt Injection: Wallet Drain and Agent-Level RCE -- On-chain PoC validated by Coinbase showing prompt injection can drain wallets and grant agent-level RCE. If your org is building AI agents with real-world action capabilities, this is the concrete threat model you need.
• Coordinated Vulnerability Disclosure Is Now an EU Obligation -- EU CVD obligations are now law, but cultural adoption lags behind regulation. ENISA's perspective on what this means operationally for security teams with European exposure.
• Claude + Humans vs nginx: CVE-2026-27654 -- Detailed walkthrough of a real AI-assisted vulnerability discovery in nginx. Goes beyond the Mythos headlines to show how human-AI collaboration works in practice for finding bugs in critical infrastructure software.