The Week Writing Code and Finding Bugs Both Got Cheap

June 10, 2026

Big Picture

Anthropic shipped its most capable model to every developer this week. The cyber-unlocked variant is the strongest vulnerability-finder it has built. Two things got cheap at once: writing code, and finding its flaws.

The frontier labs keep pushing into security faster than anyone can absorb it. This week it was Anthropic, shipping Claude Fable 5 to every developer and a cyber-unlocked variant, Mythos 5, to cybersecurity partners. We hear a version of one question from clients and prospects almost every week now: can we just point a frontier model at our security backlog and call it done? The short answer is no, and we explain why below. In other news, NIST published a proof that AI guardrails are bypassable in principle, and Microsoft set a record with 206 CVEs in one Patch Tuesday. More below.

TL;DR

Anthropic released Claude Fable 5 to every developer via GitHub Copilot, plus a cyber-unlocked, partner-only variant (Mythos 5). Independent testing shows the public model routes offensive requests away. (Source: Help Net Security)
NIST researchers published a mathematical proof that AI guardrails are fundamentally bypassable, the same week Trail of Bits showed every major AI skill scanner could be defeated in under an hour. (Source: Trail of Bits)
Microsoft's June Patch Tuesday hit a record 206 CVEs that analysts attribute to AI-accelerated bug discovery, including three exploited zero-days; Ivanti Sentry shipped a CVSS 10.0 pre-auth RCE. (Source: BleepingComputer)

★ Story of the Week: Fable 5 Shipped to Every Developer

Anthropic released Claude Fable 5 on June 9, its most capable model, and put it in front of every developer the same day through GitHub Copilot, across VS Code, JetBrains, and Xcode. Anthropic reported that Stripe used it to migrate a 50-million-line Ruby codebase in a single day, work it estimated would otherwise take more than two months. For cybersecurity partners, Anthropic also shipped Mythos 5, the same model with its cyber safeguards lifted, which it says "excel[s] at discovering and exploiting software vulnerabilities."

The public model is not the weapon that framing suggests. Researcher Jamieson O'Reilly tested Fable 5 and found it routes every offensive request to the weaker Opus 4.8 model, 181 of 181 agentic turns, so the version anyone can download won't do the attacking; the offensive variant stays gated to vetted partners. The more useful part of his testing was about which bugs these agents can and can't handle.

Injection bugs (SQL injection, SSRF, command injection) fell to every agent he tested, on targets they had never seen. Authorization logic and IDOR did not. His read was that those bugs carry a higher context burden, because the model has to know whether a given record is even supposed to be private. A scanner can flag an unsanitized query from the code. Neither a scanner nor a model can tell you, without your application's context, whether user 1003 should be able to read invoice 5571. That is the bug class behind most real breaches, and a bigger model doesn't close it.

That is the shift to plan around. Writing code got faster and finding bugs got cheaper, and that shift accelerated a lot this week. A Mythos preview, for example, reportedly surfaced around 800 issues for one enterprise pilot in days; an earlier Glasswing preview turned up decade-old bugs in OpenBSD and FFmpeg.

And it is not a one-model story. A month before Fable, OpenAI shipped its own cyber-tuned model, GPT-5.5-Cyber, gated to vetted defenders much as Mythos is to partners. When creation and discovery both industrialize, what's left is the hard part: deciding which findings are real, proving a fix, and shipping it before the window closes.

Every CISO we talk to has some version of the board asking "what are we doing to be ready for this?"

We have been building toward that answer for years with our triage and fix engine. Throughout that time the durable layer has been the harness around it. That is, the models are swappable (within reason); what delivers quality results is the set of methods that assemble the right context, judge which findings are real, prove a fix before it merges, and remember the decision. We write more about this in our VulnOps Mythos-Ready Playbook, an ungated whitepaper that lays out how to stand up a machine-speed defense program and build the internal case for it.

Takeaways

Your scanner and a frontier model will both catch the injection bug. Neither can tell you who is supposed to see what inside your app, and that blind spot is where the breaches that matter actually happen. To combat this you need AI on the defensive side, and there are very specific ways to build it so that it is both effective and affordable.
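The gap described above, as an added example that is not from the testing the article cites: both handlers use a parameterized query, so neither produces an injection finding, yet only one enforces who may read which invoice. The schema, the sample rows and the owner-only rule are assumptions made for illustration; the IDs echo the article's user 1003 and invoice 5571.

```python
import sqlite3

def make_db():
    """Constructed sample data; assumed rule: only the owner may read an invoice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(5571, 1002, 1200.0), (5572, 1003, 80.5)])
    return db

def get_invoice_unscoped(db, session_user_id, invoice_id):
    """Parameterized, so no injection finding, but any caller can read any row."""
    return db.execute("SELECT id, owner_id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice_scoped(db, session_user_id, invoice_id):
    """The ownership rule is enforced in the query, keyed on the session user."""
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id)).fetchone()  # None if missing or not owned

def cross_owner_reads(db, handler):
    """Try every (user, invoice) pair; return the pairs where a non-owner got data."""
    owners = dict(db.execute("SELECT id, owner_id FROM invoices").fetchall())
    return [(user, inv)
            for user in sorted(set(owners.values()))
            for inv in sorted(owners)
            if owners[inv] != user and handler(db, user, inv) is not None]

if __name__ == "__main__":
    db = make_db()
    for handler in (get_invoice_unscoped, get_invoice_scoped):
        print(handler.__name__, cross_owner_reads(db, handler))
```

The `cross_owner_reads` matrix is where the application context lives: it can only be written by someone who knows the ownership rule, which is why it works as a regression test where a code-only scan does not.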

A 206-CVE Patch Tuesday, and Microsoft Says the Quiet Part

Microsoft's June Patch Tuesday fixed a record 206 vulnerabilities, and analysts are openly attributing the volume to AI. Researchers and Microsoft's own tooling are surfacing bugs at a rate the disclosure pipeline was never built to absorb. A record that used to take a coordinated campaign of human researchers now arrives as a monthly baseline.

Underneath the 206, three Windows zero-days were already being exploited when the patches shipped: YellowKey, GreenPlasma, and MiniPlasma, covering SYSTEM-level privilege escalation, a BitLocker bypass, and a second privilege-escalation path. A public exploit for a Microsoft Defender privilege-escalation flaw, RoguePlanet, also circulated.

Takeaways

Three of these were exploited before a patch existed, which means patching faster would have protected no one; only the detection and controls already standing on Tuesday morning would have. The record 206 is a real strain on triage, but it is a separate and smaller problem than the few bugs already being used against everyone who patches on schedule.

A Worm Summer Ends npm's Decade-Long Argument

Self-propagating worms ran across npm and PyPI for weeks. IronWorm hid Rust-compiled malware inside binding.gyp build files; the Hades campaign compromised 37 PyPI wheels and 19 packages alongside the Shai-Hulud strain; the Miasma worm hit official Red Hat cloud-services packages. Separately, GitHub disabled 73 Microsoft-linked repositories that were pushing credential-stealing malware. The common thread is the install-time script, the preinstall and postinstall hooks that run arbitrary code the moment you npm install.

For a decade, the ecosystem defended that behavior as a feature. This week GitHub conceded the argument, announcing that npm 12, due in July, will disable install-time scripts by default.

Takeaways

The timing is not a coincidence. A default that survived years of complaints did not survive a summer of worms that used it as their propagation mechanism. It is a rare case of a package ecosystem changing its threat model in public.
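An inventory check for the install-time surface described above, added here as an example and not taken from npm or any of the cited reports: it lists every package in a dependency tree that declares a preinstall, install or postinstall script, and also flags a root binding.gyp, which npm builds with `node-gyp rebuild` at install time when no install or preinstall script is defined. The package names in the sample tree are hypothetical and constructed.

```python
import json
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_time_code(pkg_dir):
    """Return {hook: command} for code this package would run at install time."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}  # unreadable or malformed manifest: nothing to report here
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        scripts = {}
    found = {h: scripts[h] for h in INSTALL_HOOKS if isinstance(scripts.get(h), str)}
    # Implicit hook: with a root binding.gyp and no install/preinstall script,
    # npm defaults the install step to `node-gyp rebuild`.
    if (pkg_dir / "binding.gyp").is_file() and not {"install", "preinstall"} & found.keys():
        found["install (implicit)"] = "node-gyp rebuild"
    return found

def audit_node_modules(root):
    """Map each package path under root to its install-time hooks, if any."""
    root, report = Path(root), {}
    for manifest in sorted(root.rglob("package.json")):
        hooks = install_time_code(manifest.parent)
        if hooks:
            report[manifest.parent.relative_to(root).as_posix()] = hooks
    return report

def build_sample_tree(root):
    """Constructed sample input: three hypothetical packages, not real ones."""
    samples = {
        "plain-lib": ({"scripts": {"test": "node t.js"}}, False),
        "hooked-lib": ({"scripts": {"postinstall": "node setup.js"}}, False),
        "native-lib": ({}, True),  # no scripts, but ships a binding.gyp
    }
    for name, (manifest, has_gyp) in samples.items():
        pkg = Path(root) / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, **manifest}))
        if has_gyp:
            (pkg / "binding.gyp").write_text("{}")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(json.dumps(audit_node_modules(tmp), indent=2))
```

The packages this reports are the ones whose behavior changes when installs run with `npm install --ignore-scripts`, so the list doubles as a review queue before turning scripts off.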

The Edge Appliances Are Failing on Repeat

The week's critical-infrastructure bugs read like a list of the usual suspects. Ivanti Sentry shipped a CVSS 10.0 pre-auth OS command injection (CVE-2026-10520) that grants code execution as root, paired with an authentication-bypass flaw. Microsoft patched an actively exploited Exchange Server zero-day used to steal credentials through Outlook Web Access. A Check Point VPN flaw has been exploited since early May by Qilin ransomware affiliates, a Veeam flaw exposes domain-joined backup servers to RCE, and ServiceNow disclosed an incident tied to a flaw it had known about since April 7 and patched only after exploitation.

Takeaways

What stands out is not any single bug but the recurrence. Ivanti, Exchange, edge VPNs, backup servers. The same categories of internet-facing appliance keep producing maximum-severity, pre-authentication flaws. These are not novel attack surfaces. They are the load-bearing walls of enterprise networks, and they keep failing in the same way.

Vulnerabilities in the Wild

By the numbers: 206 CVEs in one Microsoft batch | 6 under active exploitation | 4 zero-days | public PoC for multiple flaws

Critical

CVE-2026-10520 — Ivanti Sentry. CVSS 10.0 pre-auth OS command injection; remote code execution as root. Patch available. Source

CVE-2026-10523 — Ivanti Sentry. CVSS 10.0 authentication bypass (CWE-288), chains with the command-injection flaw. Patch available. Source

Microsoft Exchange Server zero-day — Stored XSS, actively exploited to steal credentials via Outlook Web Access. Patched June 2026. Source

Veeam Backup & Replication — Critical RCE on domain-joined backup servers. Patch available. Source

Check Point VPN — Critical flaw actively exploited since early May by Qilin ransomware affiliates. Patch available. Source

High

YellowKey — Microsoft Windows zero-day, actively exploited, SYSTEM-level privilege escalation. Patched June 2026. Source

GreenPlasma — Microsoft Windows zero-day, actively exploited, BitLocker bypass. Patched June 2026. Source

MiniPlasma — Microsoft Windows zero-day, actively exploited, privilege escalation. Patched June 2026. Source

ServiceNow — Unauthenticated API access flaw, known since April 7, patched only after exploitation; customer data exposed. Source

Notable PoC & Supply Chain

RoguePlanet — Microsoft Defender privilege-escalation exploit released publicly. Source

IronWorm — Rust-compiled self-propagating npm worm hiding in binding.gyp build files; credential theft. Source

Hades / Shai-Hulud — PyPI/npm campaign compromising 37 wheels and 19 packages with credential exfiltration. Source

Miasma — Self-propagating worm compromising official Red Hat cloud-services npm packages via malicious install hook. Source

Curated Reading List

Thought-Provoking

The Sorry State of Skill Distribution
Why it's worth your time: Trail of Bits defeated every major AI skill scanner (ClawHub, Cisco, skills.sh) in under an hour, showing that static analysis gives attackers unlimited attempts to tweak a payload past it. A concrete look at why "we scan our agent skills" is thinner protection than it sounds.

NIST Research: AI Guardrails Are Fundamentally Bypassable
Why it's worth your time: A mathematical argument that the safety classifiers wrapping today's models can always be circumvented in principle. Essential framing for anyone betting their AI strategy on guardrails alone.

Customization Beats Competence
Why it's worth your time: Daniel Miessler's framework for rating AI integrations argues that fit to your context, not raw model capability, is what determines usefulness. The same lesson O'Reilly's IDOR finding teaches, from the product-strategy side.

Current Events

More Evidence That Words Don't Mean What We Thought: Ivanti Sentry CVE-2026-10520
Why it's worth your time: watchTowr Labs' full technical teardown of the CVSS 10.0 pre-auth RCE, with the exploit path laid out. The primary source behind this week's most severe disclosure.

The Agentic Development Lifecycle
Why it's worth your time: Snyk's attempt to name the emerging category of securing software written and operated by agents. Useful for seeing how the tooling vendors are framing the shift, whether or not you buy the label.

GitHub Pulls the Pin on npm's Auto-Run Scripts
Why it's worth your time: The Register's account of npm 12 disabling install-time scripts by default. A primary-source read on a default that's been a supply-chain liability for a decade finally changing.

