An AI found 10,000 critical vulnerabilities in the world's most important software — and told nobody but 50 organisations. Scammers built an entire fraud empire around a football tournament starting Thursday. CISA quietly confirmed two exploited-in-the-wild flaws in Linux and Android. And Instagram exposed user data through a password reset bug that a junior developer should have caught in 2011. A perfectly normal Sunday in security, then.
☕ ~5 minute read · 5 stories today

The biggest cybersecurity story of 2026 so far quietly expanded this week. Anthropic announced it is scaling Project Glasswing — its vulnerability-hunting programme using Claude Mythos Preview, an unreleased frontier model — to approximately 150 new organisations across more than 15 countries, including operators in power, water, healthcare, and telecommunications.
The backstory: in April, Anthropic gave around 50 partners exclusive access to Mythos, a model it describes as surpassing all but the most skilled humans at finding and exploiting software vulnerabilities. In one month, those partners collectively uncovered more than 10,000 high- or critical-severity vulnerabilities across the most systemically important codebases in the world. One example: Mythos discovered a flaw in wolfSSL — an open-source cryptography library used by billions of devices — that would have let an attacker forge certificates for bank and email provider websites. Fully convincing. Totally undetectable to the end user. Now patched as CVE-2026-5194.
The shift from a discovery bottleneck to a remediation bottleneck is the structural change nobody prepared for. Open-source maintainers are being flooded with vulnerability reports faster than they can process them. On average, patching a Mythos-identified critical bug takes two weeks. A security team that can't ship fixes faster than the AI finds bugs isn't more secure — it's just more aware of how exposed it already was.
The FIFA World Cup kicks off in North America on 11 June — and if you've clicked on anything football-related in the past ten months, there is a non-trivial chance you've already been targeted. The FBI, Group-IB, Fortinet, Kaspersky, Proofpoint, and Check Point have all published warnings this week about a fraud operation that is not improvised. It is industrial.
Group-IB identified the primary operation as GHOST STADIUM, a Chinese-speaking, financially motivated group running a single phishing kit across more than 300 fraudulent domains. The kit clones FIFA's login page convincingly enough to harvest real account credentials. The broader scheme includes banking trojans embedded in pirate streaming apps, fake job ads, spoofed calendar invites, and fraudulent ticket marketplaces.
The FBI warning specifically flags lookalike domains using minor spelling variations and alternate TLDs: .org, .xyz, .live, .sale. If you're attending matches, buying tickets, or streaming: verify URLs manually. Do not click links from social media. Do not install anything to watch a game for free. The malware is absolutely real.
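The two signals the FBI warning names, minor spelling variations and alternate TLDs, are the kind of thing a mail gateway or a browser extension can score automatically rather than leaving to the user. The following is an added example written for this newsletter item, not code from the FBI, Group-IB or FIFA: it folds confusable characters, measures edit distance against a protected brand label, and flags watch-listed TLDs. The brand list (assumed to contain only fifa.com), the TLD watch-list, the confusable table and the sample domains are all assumptions made for illustration.

```python
"""Flag lookalike domains for a small set of protected brand domains.

Constructed example for the World Cup phishing item; not FBI, Group-IB or
FIFA code. The brand list, the TLD watch-list, the confusable-character
table and the sample domains are all assumptions made for illustration.
"""
from __future__ import annotations

# Protected legitimate domains (assumption: fifa.com is the only real host
# in this toy allow-list).
BRAND_DOMAINS = {"fifa.com"}

# Alternate TLDs named in the FBI warning.
WATCHED_TLDS = {"org", "xyz", "live", "sale"}

# Visually confusable characters folded to one canonical form before
# comparison, so "f1fa" and "flfa" both compare equal to "fifa".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e",
                             "4": "a", "5": "s", "7": "t", "8": "b"})


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, tld), lower-cased.

    Simplification: multi-part public suffixes such as co.uk are not handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def fold(label: str) -> str:
    """Canonicalise a label so confusable spellings compare equal."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str) -> list[str]:
    """Explain why a domain resembles a protected brand; [] means no match."""
    if domain.lower().rstrip(".") in BRAND_DOMAINS:
        return []  # exact legitimate domain
    sld, tld = split_domain(domain)
    folded = fold(sld)
    reasons: list[str] = []
    label_is_brand = False
    for brand in sorted(BRAND_DOMAINS):
        b_sld, b_tld = split_domain(brand)
        b_folded = fold(b_sld)
        if folded == b_folded:
            label_is_brand = True
            if sld != b_sld:
                reasons.append(f"confusable spelling of {b_sld}")
            if tld != b_tld:
                reasons.append(f"brand label with alternate TLD .{tld}")
        elif levenshtein(folded, b_folded) == 1:
            reasons.append(f"one-character typo of {b_sld}")
        elif b_folded in folded:
            reasons.append(f"brand {b_sld} embedded in label {sld!r}")
    # Extra signal for typo/embedded cases: the TLD is on the watch-list.
    if reasons and not label_is_brand and tld in WATCHED_TLDS:
        reasons.append(f"watch-listed TLD .{tld}")
    return reasons


if __name__ == "__main__":
    # Constructed sample hosts of the kind seen in social-media posts.
    for sample in ["fifa.com", "fifa.xyz", "f1fa.com",
                   "fifa-tickets.sale", "fifaa.com", "example.com"]:
        print(f"{sample:22} {lookalike_reasons(sample) or 'ok'}")
```

The folding step matters more than the edit distance: a single digit-for-letter swap is distance 1 from the brand, but a folded comparison also catches it when the attacker combines the swap with a second change, and it keeps the distance check strict enough to avoid flagging unrelated short labels. Multi-part public suffixes (co.uk and the like) would need a real public-suffix list before this ran in production.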
On 2 June, CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalogue — confirming in-the-wild exploitation of both. Federal agencies had until 5 June to patch. Private organisations should treat the same deadline as their own.
A separate, unpatched critical vulnerability — CVE-2026-20245 — was flagged this week; it allows arbitrary command execution as root on affected systems. No vendor patch is yet available. Monitor exposure actively until a fix ships.
On 6 June, researchers disclosed a critical logic bug in Instagram's web-based password reset flow. The flaw exposed unredacted email addresses and phone numbers associated with user accounts — the kind of data that enables targeted phishing, SIM-swap attacks, and account takeover at scale.
The bug has since been patched. But the timing is, let's say, interesting — arriving one week before a global sporting event that will drive millions of casual users to check their social accounts, many of them using recycled passwords across platforms.
For users: rotate Instagram credentials. Enable two-factor authentication. Use a password manager. Not exciting recommendations — they just happen to work.
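The defensive side of this story is a pattern, not a product: a reset flow should only ever return masked contact channels, and the response should be tested for the raw values before it ships. The block below is an added example written for this item, not Instagram's code, and the details of the patched bug are not described in the text, so it shows the general pattern only. The `Account` record, the sample address and number, and the helper names are constructed for illustration.

```python
"""Redact contact channels shown in a password-reset flow.

Constructed example for the Instagram item above; not Instagram's code, and
the patched bug's details are not given in the text, so this shows only the
defensive pattern: the reset response carries masked hints, and a regression
check confirms the raw values never appear in the serialised body.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Server-side account record (constructed sample data)."""
    username: str
    email: str
    phone: str  # E.164 formatted, e.g. "+447700900123"


def mask_email(email: str) -> str:
    """Keep the first character of the local part and of the domain name,
    plus the suffix: 'alice@example.com' -> 'a****@e******.com'."""
    if "@" not in email:
        raise ValueError("not an email address")
    local, _, domain = email.partition("@")
    name, _, suffix = domain.rpartition(".")
    masked_local = local[:1] + "*" * max(len(local) - 1, 1)
    masked_name = name[:1] + "*" * max(len(name) - 1, 1)
    return f"{masked_local}@{masked_name}.{suffix}"


def mask_phone(phone: str) -> str:
    """Keep only the last two digits: '+447700900123' -> '+**********23'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        raise ValueError("phone number too short to mask")
    return "+" + "*" * (len(digits) - 2) + digits[-2:]


def channel_hints(account: Account) -> dict:
    """Body returned when the reset flow lists where a code can be sent.
    Only masked values leave the server; the raw channels stay server-side."""
    return {
        "username": account.username,
        "channels": [
            {"type": "email", "hint": mask_email(account.email)},
            {"type": "sms", "hint": mask_phone(account.phone)},
        ],
    }


def unredacted_channels(account: Account) -> dict:
    """Constructed illustration of the failure class (not the actual bug):
    the same body built from the raw record."""
    return {
        "username": account.username,
        "channels": [
            {"type": "email", "hint": account.email},
            {"type": "sms", "hint": account.phone},
        ],
    }


def leaks_raw_contact(body: dict, account: Account) -> list[str]:
    """Regression check for any reset-flow response: return which raw channel
    values appear in the serialised body ([] means properly redacted)."""
    blob = json.dumps(body)
    leaked = []
    if account.email in blob:
        leaked.append("email")
    # Compare on digits only so formatting differences cannot hide the number.
    if re.sub(r"\D", "", account.phone) in re.sub(r"\D", "", blob):
        leaked.append("phone")
    return leaked


if __name__ == "__main__":
    acct = Account("alice", "alice@example.com", "+447700900123")
    print(json.dumps(channel_hints(acct), indent=2))
    print("redacted body leaks:", leaks_raw_contact(channel_hints(acct), acct))
    print("raw body leaks:     ", leaks_raw_contact(unredacted_channels(acct), acct))
```

The check in `leaks_raw_contact` is the piece worth copying into a test suite: run it against every response the reset flow can produce, including error paths, because logic bugs of this class tend to live in the branch nobody looked at.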
A Cloud Security Alliance report published 2 June surveyed more than 900 cybersecurity leaders and found that 82% of organisations lack effective runtime visibility into their production environments — meaning most companies can't see the vulnerabilities that Mythos-class AI would find in minutes. Meanwhile, attackers are already using AI to generate malware, bypass basic security checks, and convert vague malicious intent into functional code.
The asymmetry is the problem. Defenders need to secure everything; attackers only need to find one gap. AI makes that gap-finding faster, cheaper, and more scalable than at any previous point in the history of the internet.
One more thing to keep in mind as WWDC opens Monday with Apple unveiling a Gemini-powered Siri and a multi-model AI Extensions system: every new AI surface integrated into your operating system is also a new attack surface. The security implications of AI-native OS design have barely been discussed. Expect that to change.