Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user's GitHub token.
"Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said.
GitHub supports a feature called GitHub.dev that runs as
Cisco Secure Access extends SSE and identity controls to agentic AI, helping organizations govern agent actions across models, MCP tools, APIs, and web.
The Fragmented State of Modern Enterprise Identity
Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems.
The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and beyond the reach of
Assume the breach. Zero-days keep shipping, AI is writing exploits faster than anyone patches, and "patch everything in time" stopped working years ago. Stop betting the org on winning that race. You don't control which bug lands. You control what it can reach once it does.
That is a question about the shape of your network, and most teams have the shape wrong. HD Moore, creator of Metasploit
UK banks are set to receive access to OpenAI's GPT-5.5 Cyber after being excluded from Anthropic's latest expansion of Project Glasswing.
Project Glasswing, and access to the Mythos Preview model, is geared toward ensuring critical infrastructure providers are prepared to handle the threat posed by advanced AI models, once they inevitably make their way into the public domain, and therefore the hands of attackers.
However, amid a fourfold expansion of Glasswing's partners, only JPMorganChase was named among the financial institutions to receive access to Mythos Preview, despite financial services falling under the critical infrastructure umbrella.
In light of the news, HSBC, Lloyds Banking Group, and Nationwide will be among the banks to receive access to GPT-5.5 Cyber, the BBC reported, while NatWest and Santander have already been playing with it as part of separate agreements.
OpenAI offered nine UK banks access to its Mythos-rival model in total, after they were snubbed from Glasswing. It is not clear if this number also includes the Bank of England, whose governor, Andrew Bailey, has been outspoken about its exclusion from Glasswing.
Bailey told Bloomberg TV last week that despite pushing for access so the UK's financial system is protected, Anthropic has not handed over the keys to Mythos Preview.
Liam Salsi, director of architecture at Talion, told The Register he suspects the decision to exclude UK banks was political. Bailey had also previously alluded to suspicions that Anthropic had not yet granted access to Mythos Preview due to processes at play related to the US administration.
"The US government wants to control who has access to the platform and this is largely because it will limit the chances of it falling into the wrong hands," said Salsi. "However, limiting access will ultimately leave some banks more exposed to cyber threats and could impact their vulnerability management, leaving larger windows of opportunities for attackers.
"It's hopeful these gaps won't exist for too long because of competition among Advanced AI platforms. GPT-5.5 was issued only a few weeks after Mythos, and it's safe to assume more advanced AI platforms will surface soon, closing gaps and delivering more of these systems to a larger pool of critical organizations."
He added that it could also introduce a single point of failure in the global banking sector if every institution were using the same product.
Anthropic has not commented publicly on its approach regarding which financial institutions receive Mythos access, although it's not just financiers who are pondering the company's decision-making. It transpired this week that the EU's cybersecurity agency, ENISA, will receive access to Mythos Preview, while the US equivalent, CISA, is yet to be selected.
Glasswing goes big
In other news, Anthropic said on Tuesday it is looking to induct many more organizations into its Project Glasswing initiative, taking the total number of members from around 50 to 200.
The additional 150 or so organizations hail from 15 different countries and will join the old guard, comprised of security shops and other tech giants, government agencies, and open-source maintainers.
It has not named these organizations officially, although reports suggest that South Korea is among the 15 countries, and its science ministry, Samsung, SK Hynix, and SK Telecom are among the new inductees.
Project Glasswing is something of a private members' club – a carefully selected cohort of organizations with early access to Anthropic's most advanced Mythos Preview model, the one the company claims will fundamentally alter the cybersecurity landscape.
The cynics among us may see such claims as an extension of Anthropic's marketing playbook, which some believe involves stoking excitement about a product through fear. When the AI biz announced Mythos in April, it did so by dubbing it too dangerous to unleash on the public.
It was billed as an expert bug hunter and zero-day specialist, capable of finding vulnerabilities in code far more efficiently than humans. The oft-touted nugget from launch was the 27-year-old OpenBSD bug Mythos found during initial testing, but there were many more zero-days and other critical vulnerabilities – novel ones – Anthropic said its model was able to unearth.
Those who have tinkered with Mythos Preview already report mixed results. Cloudflare CISO Grant Bourzikas wrote in May that the model represented "a real step forward," and was able to find a series of low-severity bugs and chain them into working exploits.
Others, such as cURL's Daniel Stenberg, called Mythos Preview "an amazingly successful marketing stunt," after it found just one vulnerability in the data transfer software.
Likewise, security expert Kevin Beaumont said the model "is not great," and "it's marketing, essentially." He said Mythos Preview was good at finding bugs in vibe-coded applications, but aside from that, it was not discovering much beyond what the models of yesteryear were capable of.
Regarding the new intake of Glasswing partners, Anthropic said each would have to pass its own security requirements before being granted access to Mythos Preview. It also said the new organizations brought into the fold all managed critical infrastructure services, and a successful attack on their systems could be "catastrophic."
"For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security," the company said on Tuesday.
"This expansion is the next step toward our long-term goals: for AI to make all software more secure, and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity."
The big when?
As for when the Mythos model will be made available to the wider public, Anthropic has kept that largely under wraps, but don't expect it to be anytime soon. In its latest Glasswing announcement, the company said the safeguards required to prevent abuse are not yet available.
"We're working as quickly as we can to safely release Mythos-level capabilities in general access," it stated. "To do so, we'll need highly robust safeguards that prevent the model's cyber capabilities from being misused – safeguards that we (and, to our knowledge, all other AI developers) have yet to develop.
"Because cybersecurity has both helpful and destructive uses, making safeguards that are both strong and precise enough is a major challenge."
Anthropic may face some tough decisions in the next year, however, as by its own reckoning other AI companies will produce Mythos-level capabilities within their own models inside 6-12 months. Confusingly, it also said on Friday that it would be releasing Mythos-class models to all customers in the coming weeks.
Anthropic said it will expand Glasswing further before Mythos is more widely launched, bringing in more critical infrastructure orgs, open-source maintainers, and safety testers.
"We intend for future expansions to cover organizations in the US and overseas, just as this one does. We also intend to scale up our Cyber Verification Program, which would grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks." ®
The Amazfit Active 3 Premium offers everything you need to create a custom training plan, track metrics during your runs, and improve your fitness in just weeks.
Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to the attacker.
Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress.
CVE-2026-33829 refers to a spoofing vulnerability that could expose
Rhino Linux has always been a beautiful desktop Linux distribution, and there are some major changes on the horizon that will converge mobile and desktop.
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
The vulnerability has been codenamed HTTP/2 Bomb by Calif.
"The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining
If you've ever broken your phone's screen but still wanted to get data or files from it, you know how painful that can be, but there is a way to do it.