Threatcast

Mythos Breached, Supply Chain Burning, Patch Everything Now

13 scenes, 8 speakers

Chapters
01 Cold Open: An Offensive AI Weapon Loose in the Wild
02 Sponsor — Blue Cortex AI
03 What Mythos Actually Does — And What It Doesn't
04 How Hobbyists Got In: The Contractor Vector
05 The Controlled-Access Model Has Failed
06 Five Supply Chain Attacks in Fourteen Days
07 Cisco SD-WAN: The Chain That Hands You the Keys — New Exploitation Details
08 Quest KACE: CVSS 10.0, Active Since March, Mimikatz Everywhere
09 Microsoft April Patch Tuesday and the Full Triage Stack
10 The Money: Anthropic's $50–400M Exposure
11 The Legal Clock: What Anthropic Must Do Right Now
12 The Geopolitical Stakes: State Actors, AI Governance, and the Signal in the Noise
13 Synthesis: The Governance Model Failed. Here's What You Do.
Speakers
Halil Öztürkci (host), Dr. Arjun Patel, Alex Mercer, Lena Hartmann, Dr. Elena Rossi, James Okafor, Pierre Lefevre, Dr. Sofia Andersen
01 Cold Open: An Offensive AI Weapon Loose in the Wild (00:00)

Halil: Grey-hat researchers breached Anthropic's most restricted offensive AI model — not in a lab, not in simulation — and they say they still have access.

Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.

Halil: We've covered Mythos before — its capabilities, its governance problem. What's new today is the breach itself, confirmed April 22 via third-party contractor compromise.

Halil: Three threads today. First: how did hobbyists get into the most restricted AI model on the planet, and what does that mean for the controlled-access governance model?

Halil: Second: five supply chain attacks on AI development tools in fourteen days. Claude Code, Axios, LiteLLM, PyPI — the AI dev ecosystem is being hollowed out in real time.

Halil: Third: patch triage. Cisco SD-WAN exploit chain, Quest KACE CVSS ten point zero actively exploited since March, and Microsoft's 165 CVEs. A brutal load.

Halil: Arjun Patel on AI security. Lena Hartmann on attribution. Alex Mercer on vulnerabilities. James Okafor on defense. Elena Rossi on geopolitics. Pierre Lefevre on the money. Sofia Andersen on the legal exposure. Let's go.
02 Sponsor — Blue Cortex AI (01:41)

Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 What Mythos Actually Does — And What It Doesn't (02:51)

Halil: Arjun, we've touched on Mythos's capabilities over the past week. What's the delta today — what does unauthorized access to this thing actually enable?

Arjun: So, the UK AI Safety Institute — the independent evaluation, not Anthropic's marketing — found Mythos completes a 32-step corporate network intrusion end-to-end.

Arjun: Succeeds in three of ten attempts. Averages 22 steps completed. On expert CTF challenges, seventy-three percent success rate — no model could do this before April 2025.

Halil: That sounds terrifying. But you're about to qualify that, aren't you.

Arjun: I am. AISI tested in a cyber range. No active defenders. No EDR or XDR tooling. No alert penalties. Autonomous against a vulnerable network on rails — not a hardened enterprise.

Alex: Right. And that's the thing people miss. The attack surface hasn't changed. Same vulnerabilities. Mythos just compresses discovery-to-exploitation from weeks to hours.

Arjun: Exactly. Ninety times the exploit success rate on browser targets. One hundred eighty-one working Firefox shell exploits in testing. It found a twenty-seven-year-old OpenBSD bug.

Alex: But an actor with Mythos is still working through the same intrusion steps a human would. Just faster. If your network is properly segmented and monitored—

Arjun: The model's still constrained by your architecture. The danger is operational tempo, not new capability classes.

Halil: So the headline — 'offensive AI weapon loose in the wild' — is it overblown?

Arjun: It's — well, it's directionally right but mechanically overblown. The real danger is that your patch cadence can't keep up when exploit discovery compresses to hours.

Alex: Patch Tuesday is already a fiction. Mythos makes it a joke.
04 How Hobbyists Got In: The Contractor Vector (04:57)

Halil: Lena, the breach itself. Third-party contractor, Discord reconnaissance, URL guessing. Walk us through what actually happened.

Lena: So — unauthorized access via a contractor, combined with data from the Mercor breach, and educated guessing of Anthropic's URL conventions.

Lena: This group operates via private Discord. They tracked unreleased AI models. Got access the same day Mythos launched — April 7 — and they've maintained it.

Halil: Who are they?

Lena: The TTPs don't fit classic APT patterns. No custom malware. No C2 infrastructure. No evidence of state backing. This is sophisticated hobbyists or grey-hat researchers.

Lena: They gave live demos to Bloomberg. They said, I'm quoting, they were 'interested in playing around with new models, not wreaking havoc.' No state-linked actor working on anything sensitive gives interviews.

Elena: I initially over-read geopolitical significance into this. Timing, UN Security Council AI governance meetings, US AI export restrictions. I floated a 'demonstration operation' thesis.

Elena: But the disorganization here is genuine, not manufactured. They're talking to journalists. I revise my assessment.

Lena: Appreciated. The attackers had specific knowledge of Anthropic's vendor ecosystem. They leveraged compromised Mercor credentials. They knew internal infrastructure patterns.

Halil: So this is a traditional espionage play — credential reuse, insider knowledge — not some novel AI attack.

Elena: Classic supply chain lateral movement. The fact that hobbyists accessed it first suggests defender failure, not attacker sophistication at any nation-state level.

Lena: Timeline: recon on vendor relationships predated the Mythos announcement. Access within hours of launch. Continued operational use suggests no immediate detection response.

Halil: They still have access. That's the part that should be keeping Anthropic up at night.
05 The Controlled-Access Model Has Failed (07:07)

Halil: Arjun, let's go there. The finding I care about most: if hobbyists can breach a controlled-access frontier AI model within hours, what does that say about the governance framework?

Arjun: It says the controlled-access containment model fails at the first real test. Full stop.

Arjun: Anthropic's Project Glasswing restricted Mythos via controlled access. The breach wasn't a model weight exfiltration — it was a vendor ecosystem failure. The container leaked, not the model.

Elena: And that's the strategic point. State actors — China, Russia — don't need to breach Anthropic. They have their own programs. The fact that hobbyists got there first exposes the model's weakness.

Lena: The third-party contractor vector is the critical gap. Standing credentials. No just-in-time access. Anthropic's vendor ecosystem is attack surface they don't fully control.

Halil: Elena, you mentioned Reuters confirmed OpenAI had the exact same contractor problem April eleventh. Is this an industry-wide failure?

Elena: Systemic industry vulnerability. It's not Anthropic-specific. The pattern is: restricted model, trusted vendor, reused credentials, access achieved.

Arjun: And the capability class — autonomous 32-step intrusion — now exists regardless. Anthropic can restrict Mythos. They cannot un-invent it.

Halil: So what's the actual fix?

Arjun: Just-in-time access provisioning for any vendor touching restricted AI systems. Revoke standing contractor credentials. Zero trust at the vendor boundary.

Lena: And verify — right now — that no Mercor-breach-linked credentials provide access to any AI model testing environment.
06 Five Supply Chain Attacks in Fourteen Days (09:05)

Halil: Arjun, five supply chain attacks on AI dev tools in fourteen days. Coordinated or opportunistic?

Arjun: Both, operating simultaneously. Aikido Security documented five distinct incidents.

Arjun: Claude Code npm leak — March thirty-first, five hundred twelve thousand lines via source map, human packaging error. Axios trojanization — UNC1069 slash TeamPCP RAT via compromised maintainer account.

Lena: UNC1069 — that's Mandiant's tracking name for a North Korean-linked threat cluster. We've covered TeamPCP extensively this past week.

Arjun: Right. Then LiteLLM via Mercor breach — same actor, TeamPCP backdoor through Trivy scanner compromise. PyPI poisoning targeting Telnyx. Same credential-stolen approach.

Halil: And then the package squatting.

Arjun: That's the telling signature. Within twenty-four hours of the Claude Code leak going public, attackers registered names like audio-capture-napi, image-processor-napi, url-handler-napi.

Arjun: All empty stubs published by user 'pacifier136.' They parsed the leaked source for internal dependency patterns and pre-positioned before developers tried to compile.

Alex: That's not a person clicking. That's automated pipeline. Registry monitoring, source code parsing, squatting at scale.

Lena: The UNC1069 cluster shows clear actor-level coordination — chaining stolen credentials across Trivy, then LiteLLM, then Mercor, then Telnyx. Consistent toolchains, consistent infrastructure.

Arjun: The Axios compromise and the Anthropic squatting appear opportunistic — capitalizing on the same high-profile exposure window with established playbooks.

Halil: James, this is your territory. Developer workstations as primary attack surface — how do you defend that?

James: Honestly, the first thing you do is quarantine. Hold all npm and PyPI packages published within forty-eight hours before allowing installation.

James: Implement package signature verification. Audit right now for the five known compromised packages — Claude Code npm, the Axios trojanized versions, the LiteLLM backdoor, Telnyx PyPI poisoning, and anything published by pacifier136.
07 Cisco SD-WAN: The Chain That Hands You the Keys — New Exploitation Details (11:45)

Halil: We covered the Cisco SD-WAN chain yesterday. What's new today, Alex — CISA just added more to the KEV catalog. What's the updated picture?

Alex: The chain is the story. CVE-2026-20133 — CVSS six point five, unauthenticated — reads OS-level files via API. Reconnaissance.

Alex: CVE-2026-20128 — seven point five — steals DCA credentials from unencrypted credential files once you're in. CVE-2026-20122 — seven point five — file overwrite, escalates from DCA to full vManage admin.

Halil: So the individual scores don't tell the story.

Alex: Individual scores are committee fiction. Chain them together and you go from anonymous internet user to controlling the SD-WAN fabric for thousands of branch routers.

Alex: SD-WAN managers have credentials, VPN configs, routing tables, lateral movement baked into their legitimate function. This isn't APT-only — LockBit-tier groups are watching VulnCheck's blog and building playbooks.

James: And CISA gave federal agencies four days for these three versus weeks for everything else. That timing gap is CISA screaming without a megaphone.

Halil: No workarounds exist?

James: Cisco's own advisory says no. Patch to 20.18 or later. If you can't patch immediately, pull the management interface offline — VPN-only access within twenty-four hours.

James: On detection: monitor for unauthenticated HTTP requests to the dataservice API endpoints returning status 200 without authorization headers. Alert on file upload operations to web-accessible directories.

Alex: VulnCheck confirmed successful webshell uploads in testing. So behavioral detection is your fallback when patching is delayed.

James: Deploy Suricata rules 65938 and 65958. Hunt for new files in webroot with executable extensions, and watch for subsequent GET requests to those files — that's your webshell callback.
08 Quest KACE: CVSS 10.0, Active Since March, Mimikatz Everywhere (14:05)

Halil: Quest KACE SMA — CVE-2025-32975, CVSS ten point zero — Arctic Wolf confirmed exploitation since March ninth. Alex, how bad is this one actually?

Alex: The CVSS is accurate here. Unauthenticated admin impersonation. Any user, including admin, no credentials. Then remote command execution via KPluginRunProcess.

Alex: Attackers are dropping Mimikatz disguised as asd.exe. KACE SMA runs as SYSTEM. It touches every managed endpoint. You don't need lateral movement — you're already everywhere.

James: And this patch has been available since May 2025. This is a one-year-old bug being re-exploited against organizations that never patched.

Halil: Hmm.

Alex: The management plane is the blast radius. When you compromise it, you have SYSTEM-level command execution across your entire fleet. That's not a breach — that's a takeover.

James: Fixed versions: 13.0.385, 13.1.81, 13.2.183, 14.0.341, 14.1.101. Any internet-facing instance — assume compromise. Hunt now.

James: IOCs: payload delivery from IP 216.126.225.156, the binary runkbot.exe, and Windows Event ID 4720 — that's new admin account creation. Also look for PowerShell with Base64 payloads.

Halil: How does this sit in the priority stack versus Cisco SD-WAN?

Alex: Cisco is priority one if your SD-WAN manager is internet-exposed. KACE is priority one if KACE is internet-facing. Most KACE instances are behind VPN — so likely second. But if it's exposed? Ties for first.

James: Treat any compromised management plane as Tier 0 credential exposure. Rotate everything associated with those environments. Segment the management plane from production.
09 Microsoft April Patch Tuesday and the Full Triage Stack (16:23)

Halil: Alex, where does the Microsoft load land in the priority stack? One hundred sixty-five CVEs — how much attention do they need this week?

Alex: One CVE gets emergency treatment: CVE-2026-33827. TCP/IP RCE, actively exploited, internet-facing Windows systems. Patch that now.

Alex: The remaining one hundred sixty-four? Standard accelerated cycle. Seven days. Don't let Microsoft's volume distract from the two infrastructure emergencies we just covered.

James: Priority matrix: one — internet-facing and actively exploited. Two — internal but critical for lateral movement. Three — everything else.

Halil: And CISA added eight new entries to the KEV catalog — the Known Exploited Vulnerabilities list — on top of the SD-WAN additions. James, is this volume unusual?

James: Eight KEV additions in a single day is elevated. The KACE addition alongside three Cisco CVEs in the same bulletin signals CISA is seeing concurrent exploitation across unrelated product families.

Alex: Which, honestly, tracks with what Arjun said about operational tempo compression. More exploits becoming viable faster. CISA's catching up to actors who move in hours, not weeks.

Halil: So for a CISO this morning — what's the 48-hour plan?

James: Today: Cisco SD-WAN and KACE. Patch or isolate. No exceptions for internet-facing instances.

James: Tomorrow: TCP/IP RCE on Windows. Then credential rotation across all affected environments. The Microsoft remainder runs on your standard accelerated cycle.

Alex: And if you have EDR coverage gaps — fill them before you sleep. Behavioral detection is your buffer when you can't patch fast enough.
10 The Money: Anthropic's $50–400M Exposure (18:25)

Halil: Pierre, what's the financial damage here — for Anthropic and for downstream organizations using compromised AI dev tools?

Pierre: Anthropic first. The regulatory penalties are — actually limited. FTC maxes at fifty-three thousand dollars per knowing violation under Section 5. And this is a third-party contractor failure, not an AI-washing case.

Pierre: The real damage is contractual. Apple and Goldman Sachs. Anthropic just announced a thirteen billion dollar raise at a hundred eighty-three billion valuation. Goldman is an investor and a design partner.

Pierre: Those restricted testing agreements have liquidated damages clauses. My estimate: twenty-five to a hundred fifty million combined from those two relationships.

Halil: Wow.

Pierre: Then reputational damage. This is their second major opsec failure in weeks — the five hundred twelve thousand lines of Claude Code leaked via npm packaging error came first.

Pierre: At five billion projected revenue, enterprise customer churn risk from brand erosion: fifty to a hundred fifty million in annual recurring revenue at risk.

Pierre: Conservative total: fifty to a hundred million. Stress case: four hundred million if Goldman and Apple escalate or UK and US AI safety regulators find systemic control failures.

Halil: And for the downstream enterprises caught in the supply chain attacks?

Pierre: LiteLLM has ninety-five million monthly downloads. Axios has a hundred million weekly. IBM data shows supply chain breaches average four point nine one million and are seventeen times costlier than first-party breaches.

Pierre: For a mid-size enterprise — one thousand to five thousand employees — emergency remediation runs eight hundred fifty thousand to one point eight million dollars. Fourteen to forty-five days to baseline.

Halil: And I know you push back on catastrophe framing.

Pierre: Look, Anthropic's thirteen billion cash position absorbs even my stress case. The bigger worry is operational disruption across the AI supply chain. Not existential — but systemic.
11 The Legal Clock: What Anthropic Must Do Right Now (20:57)

Halil: Sofia, the regulatory picture. Anthropic's breach involves model weights, not personal data. What are the actual legal obligations here?

Sofia: So — GDPR Article 33 requires notification to the supervisory authority within seventy-two hours of becoming aware of a breach. But that trigger is personal data. Model weights are not personal data.

Sofia: GDPR notification is not triggered here unless the compromised environment processed EU personal data. Anthropic needs to confirm that within forty-eight hours.

Halil: What about US obligations?

Sofia: The BIS interim final rule — effective May fifteen, twenty twenty-five — controls closed-weight AI model weights trained on more than ten to the twenty-sixth operations under ECCN 4E091.

Sofia: But that regulates export, not internal theft. If the leaked weights were exfiltrated to foreign actors, BIS notification obligations under Section 764.5 of the EAR are triggered. If purely domestic — no EAR notification required.

Lena: And we still don't know the nationality of the researchers. The foreign nexus question is genuinely open.

Sofia: Exactly. Determine within seven days whether unauthorized recipients include foreign persons. If yes — BIS notification is mandatory.

Sofia: CFIUS has no jurisdiction here unless foreign acquisition of covered AI technology is confirmed. Breach by domestic contractor without foreign nexus — no CFIUS filing.

Halil: What's the action item for Anthropic's legal team today?

Sofia: Four things. One — determine foreign nexus for BIS assessment. Two — trigger contractual notifications to Apple and Goldman within seventy-two hours. Those NDAs have short windows.

Sofia: Three — document the decision not to notify under GDPR if no personal data is confirmed. Four — engage UK AISI politically if UK operations exist. The UK government's public letter creates reputational urgency even without a statutory requirement.
12 The Geopolitical Stakes: State Actors, AI Governance, and the Signal in the Noise (23:20)

Halil: Elena, you walked back your initial state-actor thesis. But the geopolitical dimension doesn't disappear just because the Mythos breach was hobbyists. What's the real story here?

Elena: The real story is the governance gap. The ODNI confirmed last week all four major state actors — China, Russia, Iran, North Korea — are actively integrating AI into cyber operations.

Elena: China has already been caught using Anthropic technology against Western targets. Russia needs tactical advantages for Ukraine. Neither needed to breach Anthropic — they have their own programs.

Halil: So the breach reveals less about what state actors can do, and more about what the controlled-access framework can't prevent.

Elena: Precisely. April 2026 is when the UN Security Council is actively debating AI governance controls. US Congress just passed AI export restrictions targeting China. And a contractor at a vendor leaked access to the most capable offensive AI model publicly known.

Elena: And that's the asymmetry that keeps me up at night. Defenders need the governance framework to hold. Attackers just need one contractor with reused credentials.

Lena: The Mercor breach data was the key. Credentials from one breach, reused to access the most restricted AI system in the world. That's not a sophisticated attack. That's a credential hygiene failure with catastrophic consequences.

Elena: And as Arjun said — the capability class exists now regardless of whether Anthropic restricts access. You cannot un-invent a thirty-two-step autonomous intrusion engine.

Halil: Is there a policy answer? Or are we just watching an arms race with no off-ramp?

Elena: Just as WannaCry in 2017 forced a reckoning with North Korea cyber policy — this breach could be a similar inflection point for AI governance. But only if it's used that way.

Elena: The question is whether governments treat this as a wake-up call or a talking point. Right now, it's going to testimony. Whether it becomes binding standards — that's the political bet.
13 Synthesis: The Governance Model Failed. Here's What You Do. (25:32)

Halil: Let me pull the threads. Three takeaways from today.

Halil: First: the controlled-access model for frontier offensive AI is broken. Not theoretically — demonstrably. Sophisticated hobbyists breached Anthropic's most restricted model through a contractor with reused credentials. If hobbyists can do this, state actors already have.

Halil: Second: the AI development supply chain is under systematic assault. Five attacks in fourteen days. Automated package squatting within twenty-four hours of a source leak. This is infrastructure-level targeting of the tools developers trust by default.

Halil: Third: the patch load is brutal but triage is clear. Cisco SD-WAN — patch to 20.18 today or pull management interfaces offline. Quest KACE — patch or firewall, assume compromise if internet-facing. TCP/IP RCE on Windows — seven days. Everything else on your standard accelerated cycle.

Halil: For the boards: Pierre's number is eight hundred fifty thousand to one point eight million for mid-size enterprise emergency remediation. Budget for a thirty-day response cycle. Sofia's clock is ticking — Anthropic's contractual notifications to Apple and Goldman must go out within seventy-two hours.

Halil: What we're watching tomorrow: whether Anthropic confirms or denies continued unauthorized access. Whether the foreign nexus on the Mythos breach becomes clear — that's the BIS trigger. And whether the five compromised AI dev packages show up in enterprise dependency audits.

Halil: Patch now. Audit your vendor access. Quarantine unverified packages. Assume your AI dev toolchain has been targeted.

Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.
Episode aired Wed 22 Apr. Running time 28:43, 13 scenes.