Trust Is the Attack Surface Now

The Edge

A single confederation calling itself the Coinbase Cartel hit four major verticals in eight days: telecom (Charter, 4.9M), education (Canvas/Instructure, 275M), healthcare (DentaQuest, 234GB), and travel (Carnival, 6M). The connective tissue across all four was not a CVE. It was a phone call to a help desk, a Salesforce OAuth grant, and a refusal-to-pay threshold that has now collapsed into a 48-hour publish cycle. Meanwhile Iran activated 60 groups within hours of the late-February kinetic escalation using ChatGPT, Claude, and Mythos for reconnaissance and lure generation; Lapsus$ leaked Vodafone source code containing hardcoded production database credentials two weeks ago that defenders are still working through; and the first publicly observed agentic intrusion saw an LLM enumerate a PostgreSQL database after a human handed off the foothold. None of this is about perimeter patching.

The uncomfortable observation: trust pipelines are now the primary attack surface, and the industry's defender muscle is still pointed at boxes. ShinyHunters' tradecraft is identity-to-SaaS: vish a privileged account, ride the Entra session into the CRM, walk out with the tenant. The Gentlemen ransomware (Storm-2697) abuses SYSTEM scheduled tasks because the trusted execution context is what matters, not the encryption. DAEMON Tools, TanStack, and Nx Console hit CISA's KEV the same day because attackers compromised the build pipeline, not the binary, and SLSA provenance attested to the wrong thing with full cryptographic legitimacy. Every story this week rhymes: trust the call, trust the signed installer, trust the scheduled meeting invite, trust the merged PR.

The defender response gap is structural. Anthropic is preparing to ship Mythos broadly in the coming weeks, a model already credited with finding 10,000+ critical vulnerabilities through Project Glasswing; Google DeepMind, Microsoft, and xAI just signed CAISI agreements granting pre-release government evaluation; the EU pushed AI Act high-risk obligations out to December 2027. The capability is arriving while the regulatory floor is moving down. Attackers will weaponize it through the same trust pipelines they already own: fake patches disguised as Fortinet updates (already happening with FortiClient EMS), AI-authored phishing indistinguishable from grammar, agentic post-exploitation that doesn't fingerprint to any known TTP cluster.

The forward read: by Q3, expect "vishing-to-SaaS" to be the dominant initial-access category in incident response statistics, displacing edge-VPN exploitation for the first time since 2020. Expect at least one major frontier-model-assisted intrusion to be confirmed publicly before the end of June. And expect the patch cycle to keep doing exactly what it's been doing, because the next CVE you actually need to care about already came out as a help desk call.

Cyber Security News

Coinbase Cartel Hits Four Verticals in Eight Days as ShinyHunters Industrializes Refusal-to-Pay Dumps

ShinyHunters and the broader Coinbase Cartel confederation executed an operational tempo of roughly one major-vertical victim every 48 hours: Charter Communications (4.9M accounts, 42M records claimed, refused to pay), Instructure's Canvas LMS (3.65 TB, 275M users across 9,000 institutions, Instructure paid), DentaQuest (234 GB dumped after negotiations collapsed), Carnival Corporation (6M travelers via April social-engineering compromise), plus active listings against BCD Travel, Kemper Corporation, Ameriprise (502K accounts), 7-Eleven (185K franchise applicants, 9.4 GB dumped), and Mytheresa (84K accounts including partial card data). The signature tradecraft is consistent across every confirmed intrusion: vish a help desk or support agent, ride the Microsoft Entra session into a Salesforce or SharePoint tenant, bulk-export, demand payment, dump on refusal within days.

Mandiant GTIG tracks the broader campaign across 400+ organizations. Instructure's payment is statistically anomalous (only 19% of non-encryption extortion victims paid in 2025 per Coveware) and reflects the FERPA exposure that comes with minor PII at population scale. The refusal-to-pay cohort (Charter, DentaQuest, 7-Eleven, Ameriprise) is now standardized: collapsed negotiations end in full publication within 72 hours.

Why it matters: Identity-to-SaaS is now the highest-yield initial-access vector in the industry, and the patch-and-perimeter defensive stack is irrelevant to it.

Sources: Cybernoz HIBP | Tech-Insider | SOS Ransomware | BreachNews | Duggan USA | CybrSec Media

Vodafone Source Code Leak Reveals Hardcoded Production Database Credentials

Two weeks after Lapsus$ posted approximately 7.1 GB of Vodafone source code on May 12, independent analysis confirmed the archive contains hardcoded production database credentials still in publicly circulating copies of the dump. Vodafone's public position that "no customer data has been impacted" is technically defensible but does not address the credential exposure. Lapsus$ also posted a separate claim against Vodafone Germany infrastructure on May 28.

Why it matters: Any actor who downloaded the archive in May inherits a potential foothold for as long as rotation is incomplete; treat every Vodafone-adjacent authentication event as suspect until proven otherwise.

Sources: OpsecInsider | Yazoul

Microsoft Names Storm-2697 Behind "The Gentlemen" RaaS Abusing SYSTEM Scheduled Tasks

Microsoft Threat Intelligence published a deep-dive on The Gentlemen, a Go-based RaaS using Garble obfuscation and Curve25519/XChaCha20 per-file encryption that relaunches itself via Windows scheduled tasks under SYSTEM before encrypting drives and propagating laterally through a 21-method engine. Victims confirmed across education, healthcare, transportation, manufacturing, and finance on five continents include Heartland Growers, Fonderia Corra, and Grupo Premier.

Why it matters: Worm-class lateral movement at SYSTEM context defeats EDR rules tuned for interactive user-context ransomware; defenders need anomalous SYSTEM scheduled-task creation as a top-tier detection.

Sources: Microsoft Security Blog | VPNCentral

FBI Warns Silent Ransom Group Is Walking Into U.S. Law Firms With USB Drives

The FBI issued IC3 FLASH-20260526-01 on May 26 warning that Silent Ransom Group (Luna Moth / UNC3753), a Russia-linked extortion crew spun out of post-Conti dispersal, has dispatched physical operatives into U.S. law firm lobbies posing as IT technicians to insert malicious USB drives when callback phishing and IT-impersonation vishing fail. SRG has leaked data from 38+ firms across 100+ claimed attacks since 2023, with a surge in spring 2026.

Why it matters: Physical-access tradecraft bypasses every email gateway, EDR network signal, and MFA challenge; visitor verification, USB device-control, and lobby security are now front-line cyber defenses for professional services.

Sources: BleepingComputer | CyberScoop | SecurityWeek

Iran Activates 60+ Groups Within Hours of February Escalation Using Western AI

Researchers documented Iranian state-aligned actors weaponizing publicly accessible ChatGPT, Claude, and Mythos models to orchestrate what is being described as the largest coordinated cyberattack mobilization on record, with more than 60 groups activating within hours of the late-February U.S.-Israel kinetic operation. Iran's Nimbus Manticore (UNC1549) shipped a new AI-authored MiniFast backdoor and MiniJunk V2 via SEO poisoning of Oracle SQL Developer and trojanized Zoom installers, hitting U.S., Israeli, and UAE aviation and defense targets. MuddyWater abused signed Fortemedia and SentinelOne binaries for DLL sideloading across nine countries in Q1. The March LA Metro disruption was formally attributed this week to an MOIS-linked group.

Why it matters: Iranian operations did not throttle during kinetic conflict; they accelerated, and machine-speed mobilization across an entire actor ecosystem makes hourly lure adaptation the baseline assumption for any region adjacent to a geopolitical flashpoint.

Sources: based.info | SecurityWeek | Cybersecurity News | SecurityWeek LA Metro

AgentZero: First Publicly Observed Agentic Intrusion Captured in the Wild

A major threat research team documented an intrusion in which a human operator exploited CVE-2026-39987 in marimo notebook, then handed execution to an AI agent that autonomously enumerated and dumped an internal PostgreSQL database within an hour. A Chinese-language planning comment left in the command stream provided a circumstantial attribution clue. Researchers are calling it the first observed agentic intrusion in the wild, with reasoning traces that do not match any known TTP cluster.

Why it matters: Detection logic keyed to predictable post-exploitation sequencing (recon, lateral, exfil over fixed intervals) fails against per-intrusion-unique agent behavior; behavioral and identity-anomaly baselines are the only durable signal.

Sources: Medium / Ali Mansoor | Cybernoz

Kimsuky Adopts VS Code Remote Tunnels as C2 and JSONPing Sandbox Evasion

DPRK-aligned Kimsuky (Velvet Chollima) ran a tailored March to April 2026 wave against South Korean military and corporate targets, delivering a new HTTPSpy variant and HelloDoor backdoor through spoofed security-software installer pages and Webex meeting pages tied to genuine scheduled invites. The campaign abuses Microsoft Visual Studio Code Remote Tunnel service for C2, making malicious traffic indistinguishable from legitimate developer activity, and introduces "JSONPing," a local JSONP endpoint query to confirm successful execution before serving later-stage payloads.

Why it matters: Outbound traffic to Microsoft tunnel infrastructure bypasses reputation-based egress controls, and JSONPing defeats passive sandbox detonation; egress baselines for VS Code tunnel endpoints belong on the hunt list now.

Sources: TheCyberSignal | IPBan | OffSeq

APT28 Hijacks Router DHCP and DNS for Long-Dwell OAuth Token Harvest

GRU-attributed APT28 (Fancy Bear) was confirmed exploiting edge routers to overwrite DHCP and DNS settings, redirecting victim traffic through attacker-controlled resolvers for AitM credential harvesting against web and email services. The redirected resolutions specifically target OAuth tokens, which often bypass MFA and persist beyond password resets.

Why it matters: Edge-device hijacking sits below endpoint visibility and survives client-side hardening, and OAuth-token persistence converts a network compromise into months of cloud-mail access.

Sources: SecuriTricks

CISA KEV Triple Adds: DAEMON Tools, TanStack, Nx Console Hit Supply Chain Simultaneously

CISA added CVE-2026-8398 (DAEMON Tools Lite, where AVB Disc Soft's build infrastructure was compromised between April 8 and May 5 to ship trojanized signed binaries DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe), CVE-2026-45321 (TanStack), and CVE-2026-48027 (Nx Console) on May 27. GitHub later attributed a 3,800-repo internal breach to the malicious Nx Console VS Code extension, and confirmed the TanStack attacker did not steal maintainer credentials but instead hijacked the build pipeline itself, so 84 malicious versions across 42 @tanstack packages shipped with valid SLSA provenance attestations. Grafana's separate breach was traced to a single unrotated GitHub workflow token from the same incident.

Why it matters: SLSA provenance attests to the build, not the intent; build pipeline integrity and post-incident credential rotation completeness are now the load-bearing controls.

Sources: Security Affairs | PRSOL:CC Grafana | PRSOL:CC GitHub

CISA Adds PAN-OS GlobalProtect Auth Bypass to KEV; Fortinet EMS Exploit Disguises as Patch

CISA added CVE-2026-0257 (a PAN-OS GlobalProtect authentication bypass allowing unauthenticated attackers to forge session cookies and establish VPN connections) to KEV on May 29, with the initial federal remediation deadline set to June 1 (since extended to June 19). Separately, Arctic Wolf and watchTowr confirmed active exploitation of CVE-2026-35616, a critical FortiClient EMS RCE patched in April, with attackers delivering the EKZ infostealer disguised as a legitimate Fortinet patch.

Why it matters: Edge security appliances remain the highest-yield initial-access vector for ransomware and APT operators, and the "fake patch" delivery vector preys on remediation urgency itself.

Sources: Cybernoz | SecurityWeek | TheCyberThrone

CISA Issues 4-Day Federal Deadline on LiteSpeed cPanel Root RCE (CVE-2026-48172)

CISA added CVE-2026-48172, a CVSS 10.0 privilege escalation in the LiteSpeed User-End cPanel plugin (versions 2.3 through 2.4.4), to KEV on May 26 with a four-day federal patch deadline of May 29. The lsws.redisAble function allows any cPanel tenant to execute arbitrary scripts as root, collapsing tenant isolation across shared hosting environments.

Why it matters: Compressed BOD 22-01 timelines signal observed exploitation volume, not theoretical risk; shared-hosting providers running unpatched LiteSpeed are effectively distributing webshell-staging marketplaces.

Sources: BleepingComputer | CyberSecureFox

Lazarus Steals $577M Across Two April Crypto Heists, Ships Memory-Only RemotePE RAT

DPRK-aligned Lazarus extracted approximately $577M from crypto platforms in two April 2026 operations (76% of all 2026 crypto theft year-to-date) by impersonating a trading firm for six months in long-running social engineering rather than smart-contract exploitation. In parallel, Fox-IT documented Lazarus deploying RemotePE, a memory-only three-stage RAT using Hell's Gate direct syscalls and ETW patching, against financial institutions and crypto firms.

Why it matters: DPRK has decisively pivoted from technical exploits to long-duration human-targeted operations and fileless tradecraft; memory-acquisition workflows and behavior-based detection are now the only defensible posture in finance and fintech.

Sources: Cryptonews | SecurityOnline | SecurityAffairs

Volt Typhoon Confirmed Inside U.S. Municipal Utility for 300 Days

Disclosure of the Chinese state-sponsored VOLTZITE subgroup's 300-day intrusion at Littleton Electric Light and Water Departments, a Massachusetts distribution utility, between February and November 2023 demonstrates that Volt Typhoon pre-positioning against U.S. electric grid infrastructure is not theoretical. Discovery came via FBI notification, not internal detection, and the targeting of a small municipal utility (rather than a major IOU) signals systematic mapping of grid-edge infrastructure where distribution-operator compromise can cascade upstream.

Why it matters: Grid and ICS operators should assume Volt Typhoon dwell elsewhere and shift hunting focus from IOC-based detection to living-off-the-land behavior over multi-quarter timeframes.

Sources: Cybertech Insights

May Patch Tuesday Delivers 130 CVEs Headlined by DNS Client RCE and Azure DevOps Exposure

Microsoft's May 2026 Patch Tuesday addressed 130 CVEs, 30 rated Critical, including a pre-authentication Windows DNS Client remote code execution flaw and an Azure DevOps data exposure issue. DNS resolution is unavoidable, frequently traverses untrusted networks, and rarely sits inside segmentation policies, making the DNS Client RCE a worm-favorable primitive.

Why it matters: Quantity of CVEs is the wrong KPI when one is wormable and pre-auth; prioritize DNS Client and Azure DevOps over the rest of the cycle and audit Azure DevOps project permissions before exposure becomes exploitation.

Sources: InnoVirtuoso

AI News

Claude Opus 4.8 Ships With Effort Controls and 1,000-Subagent Dynamic Workflows

Anthropic released Claude Opus 4.8 on May 28 (41 days after Opus 4.7) at flat pricing of $15 per million output tokens, adding user-adjustable effort controls, a 3x cheaper fast mode, and Dynamic Workflows in Claude Code coordinating up to 1,000 parallel subagents per session. Benchmark wins include Terminal-Bench 2.1, OSWorld-Verified at 82.3%, and 89.2% on GPQA Diamond. Salesforce reported a 231-day API migration completed in 13 days using Claude Code at unlimited token contract terms, with developer pull request throughput up 79%.

Why it matters: Effort dials move cost/latency/quality tradeoffs out of model selection into runtime, and Salesforce's 18x compression is the first concrete enterprise validation that agent-driven development survives contact with conservative engineering orgs.

Sources: gHacks | The Decoder | TrueFoundry

Anthropic Crosses OpenAI to $965B Valuation, Teases Broader Mythos Release

Anthropic closed a $65B Series H at a $965B post-money valuation, overtaking OpenAI's $852B mark, and signaled broader access to its "Mythos-class" cybersecurity-capable model in the coming weeks. Project Glasswing has reportedly used Mythos-grade systems to find more than 10,000 critical software vulnerabilities to date, and Broadcom hit a record high Friday on news of a separate $36B Anthropic AI chip deal.

Why it matters: A widely-available bug-hunting frontier model collapses the patch-window math: the EU and CAISI are already requesting access talks specifically because of Mythos's capability profile, and offensive parity for defenders is the explicit bet.

Sources: Techstrong.ai | Help Net Security | ts2.tech

Google Ships Gemini Omni and Gemini 3.5 Flash at I/O 2026

At I/O 2026 Google unveiled Gemini Omni, a natively multimodal model with conversational, physics-aware video editing, alongside Gemini 3.5 Flash, optimized for agentic execution. Google also shipped Gemini Spark, a 24/7 cloud-VM agent integrated into Gmail and Workspace, plus the open-source Agent Executor (AX) runtime under Apache 2.0. Demis Hassabis pulled his AGI timeline forward to "as early as 2029."

Why it matters: Google is collapsing the agent-as-product fight into Workspace distribution while open-sourcing the runtime layer, directly contesting AWS Bedrock AgentCore and proprietary runtimes for the abstraction beneath the model.

Sources: Google Blog | Dataphoenix | Techstrong.ai

OpenAI Retires GPT-4.5 and o3, Closing the GPT-4 Era

OpenAI announced it will sunset GPT-4.5 from ChatGPT on June 27 and o3 on August 26, citing low paid-subscriber usage and consolidation around GPT-5.x. The company also reworked GPT-5.5 Instant prose output and pulled Canvas from both GPT-5.5 variants. Sunsetting o3, the model that defined the reasoning category just over a year ago, signals confidence that GPT-5.x has absorbed o-series capabilities.

Why it matters: OpenAI is narrowing surface area at exactly the moment Anthropic widens it; pipelines pinned to o3 now have an August deadline, and model-dependency-as-technical-debt is growing faster than abstraction layers can paper over.

Sources: Applying AI | PiunikaWeb

NIST CAISI Locks In Pre-Release Testing With Google DeepMind, Microsoft, and xAI

NIST's Center for AI Standards and Innovation signed May 5 agreements with Google DeepMind, Microsoft, and xAI granting U.S. government access to evaluate frontier models before public release, extending a regime first piloted with Anthropic and OpenAI. NIST separately rebranded the AI Safety Institute Consortium to the "NIST AI Consortium" with broadened scope.

Why it matters: Pre-release government testing without legislation is the de facto U.S. baseline now, and xAI's participation despite Musk's regulatory posture confirms CAISI access has become table stakes for any U.S. frontier release.

Sources: VITON13 | Mirage News

Scrapped White House AI Cybersecurity EO Surfaces as Roadmap

The text of a canceled White House executive order on AI and cybersecurity surfaced publicly, revealing intended provisions for frontier-model pre-release cyber capability testing, government access to evaluations, and authority to gate releases deemed too dangerous. The order was shelved before signing, but its provisions track precisely what CAISI is now extracting voluntarily.

Why it matters: Pre-release cyber testing is coming through formal rule, voluntary agreement, or state-level patchwork; the administration is hedging across all three paths and frontier labs should plan for whichever arrives first.

Sources: Silicon Report

EU Digital Omnibus Delays AI Act High-Risk Obligations to December 2027

The European Parliament and Council reached political agreement on May 6 to 7 on the Digital Omnibus, pushing most high-risk deployer duties to December 2, 2027, narrowing some burdens on smaller firms, and adding new prohibitions including AI "nudification" software. GPAI enforcement still hits August 2, 2026 with mandatory training-data disclosure, and Brussels separately told CNBC it intends to "intensify" talks with the U.S. specifically over Anthropic's Mythos cyber capabilities.

Why it matters: This is Europe's first major retreat on AI Act enforcement posture and validates the competitive-drag argument; for deployers it is runway, not amnesty, and the carve-outs sharpen the regime where capability is moving fastest.

Sources: DeepLearning.AI | Pearl Cohen | CNBC

U.S. Senate Advances First Federal AI Oversight Bill With $50M-Per-Violation Penalty

The Senate Commerce Committee voted 14-8 to advance comprehensive federal AI accountability legislation carrying penalties up to $50M per violation, the first such bill to clear committee. The measure moves toward a floor vote while the Trump administration shelved its own voluntary-review executive order the same week and Illinois passed SB 315 requiring third-party safety audits of frontier systems.

Why it matters: The executive branch is retreating while Congress and state legislatures fill the gap with statutory teeth; the U.S. picture has shifted from "no federal AI law" to "credible bipartisan vote count" and the $50M figure is what labs will actually price into compliance budgets.

Sources: Singularity.Kiwi | NBC News

Cognition Raises $1B at $26B Valuation as Devin Revenue Approaches $500M

Cognition AI closed a $1B+ round at a $26B valuation, with Devin reportedly approaching $492M in revenue (up from $37M twelve months prior) and customers including Goldman Sachs, Mercedes-Benz, and the U.S. government. The company says roughly 90% of its own code is now written by Devin.

Why it matters: A pure-play coding-agent vendor scaling past nine figures of revenue against Claude Code, Codex, and Antigravity is the clearest signal that enterprises will pay for the harness as a distinct layer from the model.

Sources: Winbuzzer | The Next Web

Cerebras Serves Kimi K2.6 at 981 Tokens/Sec, 6.7x Faster Than GPU Clouds

Cerebras is serving the trillion-parameter open-weight Kimi K2.6 model at 981 tokens per second on wafer-scale hardware, roughly 6.7x the throughput of comparable GPU cloud deployments. Moonshot also shipped K2.6 as an open-weight MoE with 32B active parameters, 256K context, and the MoonViT vision encoder, deployable via FriendliAI.

Why it matters: Inference cost and latency now decide which agent workflows are economically viable (a subagent swarm at 1000 tok/sec breaks at 150), and concrete non-NVIDIA economics give CIOs a reason to consider alternative silicon for production agent fleets.

Sources: The Daily Brief | FriendliAI

ASPI Paper: Asking for Clarification Amplifies Prompt Injection in Agents

Scale Labs published "Seeking Ambiguity Clarification Amplifies Prompt Injection," showing that the safety-recommended pattern of having LLM agents ask clarifying questions on ambiguous instructions significantly amplifies prompt-injection vulnerability: the clarification turn opens a second attack surface where adversarial context can hijack the agent's interpretation of the original task.

Why it matters: This inverts a core design assumption ("ask before acting") behind every cautious agent harness, and joins CVE-Bench's 50% real-vulnerability-patch rate as evidence that production agent failure modes are not visible on leaderboards.

Sources: Scale Labs

Anthropic Discloses Natural Language Autoencoders to Decode Agent Cognition

Anthropic disclosed Natural Language Autoencoders, an interpretability technique that decodes intermediate model activations into human-readable natural language, exposing what an agent represents internally before producing output. The disclosure landed alongside Christopher Olah's separate remarks that interpretability work has found internal structures in Claude mirroring human neuroscience emotion results, which he called "unsettling."

Why it matters: Mechanistic interpretability is moving from toy circuits toward auditable agent cognition exactly when Opus 4.8's 1,000-subagent workflows make black-box behavior most dangerous; alignment claims become falsifiable if you can read the model's draft thoughts.

Sources: The Agent Report | The News

DeepMind AlphaProof Nexus Produces Machine-Checkable Proofs for Open Math Problems

Google DeepMind's AlphaProof Nexus generated formally verifiable Lean-checked proofs for nine open Erdős problems, with OpenAI and Anthropic separately claiming counterexample and proof results on the 1946 planar unit distance conjecture in the same window. One AlphaProof solve reportedly cost roughly the price of a steak dinner.

Why it matters: The LLM-proposer-plus-formal-verifier loop is the first credible blueprint for AI producing verifiably correct novel work in a hard domain at commodity cost, and the pattern transfers to any domain with a decidable checker, including code and exploit development.

Sources: AIchats Substack | ScienceAlert

ESMFold2 Releases Atlas of 1 Billion Predicted Protein Structures

An open-source AI tool called ESMFold2 released an atlas of approximately 1 billion predicted protein structures, dramatically expanding the catalogued protein universe beyond AlphaFold. The release includes designed binders against targets such as CTLA-4, demonstrating use for de novo protein design rather than just prediction.

Why it matters: Structure prediction has industrialized: billion-scale coverage shifts biology from a discovery problem to a search problem, and open-sourcing the scaffold has competitive implications for closed pharma-AI plays.

Sources: Scientific American

Active Exploitation Watchlist + Notable CVEs