🚨 CVE-2026-53435, a high severity (CVSS 8.8) deserialization vulnerability in Jenkins is now seeing active exploitation as per @DefusedCyber.
Scan your infrastructure: https://t.co/Bow5Vo1QGD
Patches are available per the vendor advisory: https://t.co/JgVytDoXfJ
This was completely predictable. Anthropic has spent months marketing its models through fear. Every major release comes with the same playbook. The model is too dangerous. It changes the entire cybersecurity landscape. It could become a national security threat. Governments need to step in. Access has to be restricted. Only a small group of approved organizations should be allowed to use the full capabilities. Now the government took them seriously.
Anyone who tested Mythos through Glasswing, or saw what @elder_plinius was able to get out of these models, knows the capabilities were real. Mythos was very good. It made certain attacks faster, cheaper and easier to operationalize. It could iterate more effectively, find vulnerabilities, generate working proof of concepts and close the loop with much less friction than most other models.
But Anthropic kept talking about it like they had built a digital nuke. The underlying attack surface was already there. The techniques were already there. The vulnerabilities were already there. Other frontier models could already do a meaningful part of the same work. Mythos improved the speed, the reliability and the level of autonomy. That is a serious capability jump. It still does not justify months of apocalyptic marketing.
And trying to shift any responsibility toward Pliny or toward the people who tested the model would be ridiculous. Pliny did what security researchers are supposed to do. He pushed the system, broke the guardrails when possible and showed what the model could actually do once the polished demo layer was removed.
If a few jailbreaks were enough to trigger a regulatory crisis, the deployment strategy was already cooked. Anthropic built the entire political and commercial narrative around the idea that its safety layer was the thin line separating a useful product from a strategic threat. Then independent researchers showed how fragile that line really was.
That is on Anthropic. They wanted the market to believe Mythos was powerful enough to justify special treatment. They wanted regulators to believe frontier models needed tighter controls. They wanted investors to believe they were sitting on capabilities so advanced that only Anthropic could be trusted to decide who should get access.
Now the government decided Anthropic should not get to make that decision by itself.
The ban is heavy handed. It will hurt legitimate researchers, security teams and foreign nationals working inside the US. It will also push more people toward open models, local deployments and providers outside the reach of US regulators.
But Anthropic cannot act surprised. Dario Amodei spent months turning fear into a marketing strategy, a fundraising strategy and a way to build institutional power around Anthropic.
Eventually, someone was going to take the narrative at face value. The government did.
🚨 CVE-2026-10520, a critical (CVSS 10.0) OS Command Injection vulnerability in Ivanti Sentry is now under active exploitation as reported by @DefusedCyber
Scan infrastructure to see if you're vulnerable:
https://t.co/roIHUnSn9G
Patches are available as per Ivanti's advisory:
https://t.co/tLztidouhh
"You can run OpenClaw inside your company now." Annoucing our work with @Microsoft to bring OpenClaw to the Microsoft and Windows ecosystems. Claws now work securly in the enterprise.
Microsoft’s handling of Nightmare Eclipse reveals how little they actually value independent security researchers when it becomes inconvenient.
Nightmare Eclipse followed the proper reporting channels, had his MSRC account revoked, received what amounted to legal threats, published PoCs for several unpatched Windows zero-days, and was subsequently banned from GitHub. Now @msftsecresponse issues a statement claiming they have no intention of pursuing researchers, while continuing to insist that coordinated disclosure is the only acceptable approach. Nightmare Eclipse still has no accounts reinstated and has received no meaningful apology.
Several researchers and observers have been clear about this today. @kln_nurv correctly notes that publishing exploits after attempting responsible disclosure is not a crime, yet there has been neither reinstatement nor apology, only damaged trust. @0x0Fuck rightly demands a public apology from Tom Gallagher (@secbughunter) and full reinstatement of Nightmare Eclipse’s accounts before MSRC can expect any credibility. @Stric_Nine, @PierreGrivet and others have made the same point, this is damage control, not accountability.
I once criticized @elder_plinius for releasing powerful jailbreaks and obliteration tools so openly. I believed it would introduce unnecessary risk and noise into the ecosystem. Under different circumstances, in other times, that view might still apply.
However, Microsoft and other large vendors have deliberately created an environment in which researchers who go public after official channels fail them are punished and silenced. In this reality, Pliny was correct. When companies treat disclosure as a threat to be managed rather than a necessary part of security, radical public release becomes one of the few remaining mechanisms researchers have to maintain visibility and pressure.
This problem is made worse by the rise of agentic attacks that can automatically discover and chain vulnerabilities at scale. The more vendors punish transparency, the greater the advantage they hand to automated exploitation.
Nightmare Eclipse should never have been forced into this position. Given how he was treated, his actions were entirely justified. I stand with the researchers who refuse to accept rules designed primarily to protect vendors.
If @msftsecresponse genuinely valued the security community, Nightmare Eclipse would have his accounts reinstated and there would be a substantive apology. Anything less is simply an attempt to reassert control while avoiding a real responsibility.
Three Charged with Conspiring to Unlawfully Divert Cutting Edge U.S. Artificial Intelligence Technology to China
“The indictment unsealed today details alleged efforts to evade U.S. export laws through false documents, staged dummy servers to mislead inspectors, and convoluted transshipment schemes, in order to obfuscate the true destination of restricted AI technology—China,” said John A. Eisenberg, Assistant Attorney General for National Security. “These chips are the product of American ingenuity, and NSD will continue to enforce our export-control laws to protect that advantage.”
🔗: https://t.co/QXQDrCSIGJ