International Cyber Digest

Dear US government, Since you've just blocked Fable and Mythos on critical national security grounds, here are some other tools that pose a similar threat to the American people: - Microsoft Teams - LinkedIn - Fortinet - Salesforce - Jira - Outlook - AWS Please do what you must to save America 🇺🇸

Europeans after hearing they can’t use Anthropic’s AI models anymore.

‼️The ban on foreign use of Anthropic's frontier models, might also cripple the development of USA's next-gen models. Anthropic's stated the order suspends access by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees.

‼️🚨 BREAKING: Amazon researchers snitched to the US government about jailbreaking Fable 5 and Mythos 5, forcing Anthropic to immediately shut down worldwide access. A security export control directive from Commerce Secretary Howard Lutnick enforced the action. Anthropic is fighting the directive and calls it a misunderstanding. This isn't the first clash. The Trump administration had already tried to get Anthropic to pause the release of its latest models before this directive landed.

‼️🚨 Anthropic immediately shut down Fable 5 and Mythos 5 worldwide after a US government export control directive citing national security. This follows pliny's Fable 5 jailbreak we recently posted about. Anthropic calls it a misunderstanding, meanwhile pliny is well aware of what he has done 😂

🚨 BrEaKiNg: Splunk, a security product, has zero authentication in its built-in database service and accepts any credentials, according to the security researchers who just dropped a full pre-auth RCE chain for Splunk Enterprise (CVE-2026-20253, CVSS 9.8). Splunk Enterprise on AWS is vulnerable out of the box. https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/

This is awesome. These fellas build drones they fly into tornadoes for science. They're part of the OTUS Project, a self-funded effort founded by students in meteorology and engineering. They build custom UAVs and sensor systems to study tornadoes inside and out. The goal is to protect lives and property. The wind and thermodynamic data they collect feeds into predictive models, sharpens hazard forecasting, and helps make structures more resilient. https://www.theotusproject.com/

Fixed it (sound on)

‼️🚨 BrEaKiNg: Nintendo has allegedly been breached by a threat actor. They've published some data as evidence. Our preliminary analysis shows this ain't Nintendo being breached, but they've had access to a Nintendo USA tenant on TINYpulse by WebMD, which is an employee feedback and engagement software solution. The data includes some sensitive stuff, like employees giving feedback on their employer. The data confirms: Nintendo employees are happy at work. End of story, everybody loves a happy ending.

🚨 BREAKING: More than 400 Arch Linux User Repository packages have been compromised with infostealer malware and a rootkit. Attacker posed as a trusted maintainer and "adopted" orphaned packages. Arch maintainers are purging infected packages now. Audit your AUR installs. https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577

‼️🚨 BREAKING: Nightmare Eclipse just dropped GreatXML, a new BitLocker bypass 0-day vulnerability PoC. He has a new GitHub account. Check it out before it gets deleted again: https://github.com/MSNightmare

‼️🚨 MAJOR OPSEC FAIL by controversial Israeli spyware company NSO Group. They uploaded an image of a desktop mat displaying their own company's logo. WhatsApp court documents show the group created test accounts and groups on WhatsApp, despite receiving a permanent injunction that barred them from ever targeting WhatsApp and its users.

‼️🚨 MAJOR OPSEC FAIL by controversial Israeli spyware company NSO Group. They uploaded an image of a desktop mat displaying their own company's logo. WhatsApp court documents show the group created test accounts and groups on WhatsApp, despite receiving a permanent injunction that barred them from ever targeting WhatsApp and its users.

‼️🚨 Unauthenticated attackers are gaining SYSTEM on domain controllers with crafted packets. The vulnerability being exploited is CVE-2026-41089, a CVSS 9.8 hole in Windows Netlogon, and exploitation in the wild has been confirmed. A patch has existed since May 12. Every DC still behind is not just vulnerable, but according to the Centre for Cybersecurity Belgium are also actively being pwnd.

❗️ That '$200 sub burns $14,000 of compute' chart measures the ceiling of the ceiling. An unrealistic scenario,where every step re-reads the full context and single tasks chew through millions of tokens. And you don't have to take my word for it. The companies already told us how this works. Anthropic confirmed the skew: its weekly limits target users running Claude Code 24/7, affecting less than 5% of subscribers. The light majority covers the heavy few. And when Max users exceed the cap, overflow is sold at standard API rates. The subsidy ends exactly where the average ends. Altman admitted OpenAI was losing money on $200 Pro subs: 'people use it much more than we expected.' He set the price himself expecting profit. That is gym pricing, priced on the average user. Meanwhile the enterprise tier buys what consumers never get: no training on inputs by contract, SLAs, stable limits, compliance paperwork. Consumer plans often train on chats by default, and agentic coding traces are the most valuable training data in the industry. Today's heavy user builds the model enterprises buy tomorrow at full rate.

🚨 GitHub moves against npm supply chain attacks. npm v12 ships next month and stops executing preinstall/install/postinstall scripts from dependencies by default. Git and remote URL dependencies get blocked by default too.

‼️ Google is about to disable all adblocker extensions in Chrome. Instead of letting the adblocker inspect traffic itself, extensions now have to hand Google's browser a limited list of filtering rules and hope for the best. This leads to weaker blocking and more ads getting through. Google makes the vast majority of its money selling ads. The company that profits from every ad you see also controls the browser most people use, with Chrome 149 being the last version supporting adblockers. For example, under the new rules, uBlock Origin cannot exist. For millions of people, that extension is the only thing standing between them and a wall of ads, trackers, and autoplay garbage. One user put it bluntly: "The web is literally unusable without uBlock Origin." https://github.com/w3c/webextensions/issues/1000

‼️ Anthropic's recently released frontier model Fable 5 was jailbroken by someone using a jailbroken version of Claude Opus. The researcher who goes by the moniker pliny carried out the jailbreak and says: "the consensus seems to be that this has been one of the most disappointing model drops of all time, effectively preventing legitimate researchers from contributing their talents to our collective advancement" The jailbroken version can be used for research into and exploitation of vulnerabilities.

🚨 Meta has removed its controversial facial recognition code from its Meta AI smart glasses app within 48h after a WIRED report exposed it. The code could turn faces into biometric signatures to ID strangers in public.

ServiceNow confirms a vulnerability let unauthorized actors query customers' instance tables. Customer instance data was directly accessible.