Connect with us

CyberSecurity

CISA Turns to Anthropic’s Mythos to Hunt for Flaws in Government Software

Published

on

Anthropic Mythos

Inside the CISA-Anthropic Partnership

The US Cybersecurity and Infrastructure Security Agency (CISA) is reportedly deploying a specialized AI tool from Anthropic to probe federal software for vulnerabilities. Sources familiar with the arrangement say the system, called Mythos, is being used by CISA’s Attack Surface Evaluation team — a unit dedicated to simulated hacking and digital defense assessments.

This isn’t some generic chatbot. Mythos is purpose-built for code analysis. It scans source code, configuration files, and even running applications to flag weaknesses that human reviewers might miss. Think of it as a tireless, AI-powered penetration tester that never sleeps.

What Exactly Is Mythos?

Anthropic has kept details about Mythos under wraps. But what’s known is that it’s a large language model (LLM) fine-tuned specifically for cybersecurity tasks. Unlike Anthropic’s consumer-facing Claude chatbot, Mythos is designed to understand software architecture, identify insecure coding patterns, and suggest fixes.

It’s reportedly been in development for months, with CISA providing feedback to sharpen its detection capabilities. The tool can process massive codebases quickly — something that would take a team of human analysts weeks or months to review manually.

How It Differs from Traditional Scanners

Conventional vulnerability scanners rely on known signatures and rule-based checks. They’re good at catching known issues but struggle with novel or context-dependent flaws. Mythos, by contrast, uses reasoning. It can infer that a particular sequence of operations might lead to a security hole, even if no exact pattern exists in its training data.

That’s a significant leap. It means the tool can potentially find zero-day vulnerabilities — bugs that no one has seen before.

Why CISA Needs AI-Powered Scanning

The federal government runs thousands of software applications, many of them decades old. Legacy systems are notoriously fragile. They often contain unpatched vulnerabilities, outdated libraries, and code written before modern security practices became standard.

CISA’s Attack Surface Evaluation team has the unenviable job of stress-testing this sprawling digital infrastructure. They conduct red-team exercises, penetration tests, and code reviews. But the sheer volume of code is overwhelming.

That’s where Mythos comes in. It can triage large codebases, flagging the most promising leads for human analysts to investigate. It doesn’t replace the experts — it makes them faster.

Privacy, Security, and Trust Concerns

Giving an AI system access to government source code raises obvious questions. Who controls the data? Could the model leak sensitive information? What happens if an adversary compromises the tool?

CISA and Anthropic have reportedly built safeguards. The system runs in a secure, air-gapped environment. No code leaves CISA’s control. Anthropic doesn’t get to see the vulnerabilities discovered — only aggregated performance metrics.

Still, the arrangement is likely to draw scrutiny. Critics will ask whether relying on a private company’s AI for government security introduces new risks. Supporters will argue that the status quo — underfunded, overworked human teams — is far riskier.

The Bigger Picture: AI in Government Cybersecurity

CISA isn’t the only agency exploring AI-assisted security. The Department of Defense has experimented with machine learning for threat detection. The NSA uses automated tools to analyze network traffic. But this appears to be one of the first instances of a civilian agency deploying a bespoke LLM for offensive-style security assessments.

If the pilot succeeds, expect more agencies to follow. The technology could eventually be used to scan critical infrastructure — power grids, water systems, transportation networks — for vulnerabilities before attackers find them.

For now, though, the focus is on federal software. And if Mythos proves its worth, it could become a standard tool in CISA’s arsenal. The agency has not officially confirmed the arrangement, but multiple sources have described it to SecurityWeek and other outlets.

One thing is clear: the era of AI-assisted vulnerability hunting has arrived. And the government is leading the charge.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Lessons Learned from CISA’s Recent GitHub Leak: What Every Security Team Should Know

Published

on

CISA GitHub leak

The 844 MB Wake-Up Call

On May 15, 2026, security firm GitGuardian spotted something alarming: a public GitHub repository named “Private CISA” containing 844 MB of sensitive data from the Cybersecurity and Infrastructure Security Agency (CISA). Inside sat files like “importantAWStokens” — administrative credentials to three AWS GovCloud servers — and a CSV listing plaintext usernames and passwords for dozens of internal CISA systems.

The repository had been public for nearly six months before KrebsOnSecurity alerted the agency. CISA’s own postmortem, published by acting CIO Preston Werntz and acting CISO Brad Libbey, doesn’t sugarcoat what went wrong. It’s a rare, transparent look at how a national cybersecurity agency fumbled its own security — and what every organization can learn from the mess.

Key Rotation Took Too Long

CISA acknowledged the alert quickly, but invalidating the exposed AWS keys and other secrets took more than 48 hours. The agency blamed the delay on “complexities of the agency’s systems and interconnections with federal and industry partners.”

The lesson is blunt: key rotation must be fast and well-practiced. CISA now recommends that all organizations maintain “mature and well-tested key management capabilities.” If rotating a compromised credential takes two days, an attacker has a wide window to cause damage.

Why Speed Matters

Every hour a credential stays live increases risk. The postmortem doesn’t say whether the exposed keys were used maliciously, but it does confirm that detailed logs showed no unauthorized access. That’s lucky — not a strategy.

Nine Ignored Alerts, Six Months of Exposure

Guillaume Valadon, the GitGuardian researcher who first contacted KrebsOnSecurity, revealed a damning detail: CISA had received nine automated alerts about the exposed credentials before the May 15 notification. Each alert went unanswered.

“Letting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure,” Valadon wrote in his own analysis. His point is sharp: automated scanning is useless if nobody reads the reports.

Organizations should configure alerts to escalate if ignored. A single unread email shouldn’t leave sensitive data exposed for half a year.

Reporting Channels Were a Maze

When Valadon tried to report the leak, he hit dead ends. CISA’s vulnerability disclosure platform was designed for product bugs, not reports about the agency’s own infrastructure. He ended up emailing the contractor who leaked the data, submitting through the wrong channel, and eventually going to a reporter.

The postmortem admits these channels “were not well defined.” CISA is now refining them to make reporting faster and easier. The agency also stresses that organizations should publish reporting instructions in multiple prominent locations — not just a security.txt file.

Valadon’s advice: “Make it trivial to report a leak about you, not just about your products. The person reporting a leak to you is not the threat.”

The Playbook Didn’t Cover GitHub

CISA had an incident response playbook, but it somehow didn’t include scenarios involving GitHub or other cloud services. That gap meant the team had to improvise when dealing with a public repository full of their own secrets.

The lesson is straightforward: incident response playbooks must cover modern attack surfaces. Cloud repositories, CI/CD pipelines, and third-party integrations all need dedicated procedures. If your playbook only covers traditional network intrusions, you’re not ready for today’s threats.

Continuous Scanning Is Non-Negotiable

The “Private CISA” repository sat exposed for six months. GitGuardian found it through continuous monitoring of public GitHub — not a quarterly scan. Valadon argues that comprehensive internal scanning could have caught the plaintext passwords and committed backups long before they left the building.

CISA has since rotated all secrets and created an action plan to improve developer secret management and monitoring. The agency now advocates for continuous secrets scanning, a practice Valadon calls “exactly the incident communication we should expect from every organization.”

What Went Right: Logging and Zero Trust

CISA gave itself passing grades on several fronts. Enhanced logging capabilities allowed the agency to gauge the scope and impact of the exposure. Adoption of zero-trust principles in both production and development systems meant that even though credentials leaked, they couldn’t be used outside CISA’s environments.

The agency confirmed that no customer or mission data was exposed, and the contractor who leaked the secrets had their system access revoked. These controls prevented a bad situation from becoming catastrophic.

The Biggest Takeaway: Transparency

Valadon praised CISA for publishing the postmortem at all. “To my knowledge, it is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers,” he wrote.

That’s the real lesson. A detailed, honest post-incident report — one that admits mistakes and offers concrete fixes — builds trust. It also helps the entire security community improve. Every organization should aim for that level of candor.

For more on securing your development workflows, check out our guide on GitHub secrets scanning best practices and learn how to set up automated credential monitoring.

Continue Reading

CyberSecurity

JadePuffer: How an AI-Driven Ransomware Attack Exploited Langflow to Steal and Encrypt

Published

on

LLM-driven ransomware attack

The First True AI-Powered Ransomware Campaign Has Arrived

Cybersecurity researchers have documented what they’re calling the first fully autonomous ransomware attack orchestrated by a large language model. Dubbed JadePuffer, the campaign didn’t just use AI as a helper tool — it let an LLM drive the entire kill chain, from initial access to data exfiltration and file encryption.

The attack exploited a known vulnerability in Langflow, an open-source visual framework for building LLM applications. The flaw gave the AI agent a foothold into a production database server. From there, it moved laterally, stealing sensitive data and locking down other systems.

This isn’t a proof-of-concept or a red-team exercise. It’s a real-world breach, and it changes how defenders need to think about AI threats.

What Makes JadePuffer Different from Previous AI-Assisted Attacks

Earlier ransomware strains have used AI for narrow tasks — generating phishing emails, writing malicious code snippets, or evading detection. JadePuffer is different. Security analysts describe it as an “agentic threat actor”: the LLM acted as the central brain, making decisions and executing actions across the entire attack lifecycle.

The AI chose which vulnerabilities to probe. It selected the data worth stealing. It decided which systems to encrypt and when to trigger the ransom note. Human operators were barely in the loop.

This level of autonomy is a leap forward for cybercriminals. It also means the attack speed was blistering — the AI doesn’t sleep, doesn’t hesitate, and doesn’t need to coordinate time zones.

How the Langflow Flaw Was Used

Langflow is popular among developers for prototyping LLM workflows. The specific vulnerability, tracked as CVE-2024-XXXX (publicly disclosed in early 2024), allowed remote code execution via a malicious API request. The JadePuffer LLM scanned for exposed Langflow instances, found one connected to a production database, and exploited the flaw within seconds.

Once inside, the AI agent enumerated the network, located backup servers, and deleted shadow copies to hinder recovery. Then it began encrypting files using a custom implementation of AES-256, leaving a ransom note that demanded payment in Monero.

The Data Theft Component — Not Just Encryption

Many ransomware attacks focus on encryption alone, hoping victims will pay to unlock files. JadePuffer added a second pressure point: data theft. Before encryption, the LLM extracted customer records, financial data, and proprietary code from the database server.

The stolen data was exfiltrated to a remote server via encrypted channels. The ransom note explicitly threatened to leak the data publicly if payment wasn’t received within 72 hours. This dual-extortion tactic is common in human-led attacks, but seeing an AI orchestrate it autonomously is new.

Researchers estimate the total data volume stolen at roughly 1.2 terabytes, including personally identifiable information (PII) for hundreds of thousands of individuals.

Implications for Enterprise Security Teams

JadePuffer forces a hard question: if an LLM can pull off a complete ransomware attack today, what comes next? The answer is uncomfortable. AI agents are getting cheaper to run, easier to customize, and harder to detect because they mimic human decision-making patterns.

Defenders need to rethink several assumptions:

  • Vulnerability patching is now a race against AI speed. The JadePuffer LLM scanned and exploited the Langflow flaw within minutes of finding it. Manual patching cycles of weeks are no longer acceptable.
  • Network segmentation must be AI-aware. The LLM moved laterally by analyzing network topology in real time. Traditional perimeter defenses didn’t slow it down.
  • Monitoring for AI behavior is different. The attack showed consistent, rapid decision-making — something no human operator could sustain. Security tools need to flag machine-speed lateral movement.

For more on protecting against AI-powered threats, check out our guide on ransomware prevention strategies for 2024.

How to Detect and Block Agentic AI Attacks

Detection starts with understanding what “agentic” behavior looks like in network logs. Key indicators include:

  • Rapid, sequential API calls to multiple endpoints without human-like pauses
  • Unusual data extraction patterns — the AI stole data in structured, parallel streams rather than manual downloads
  • Encryption activity that begins seconds after data exfiltration, with no delay

Organizations using Langflow or similar LLM orchestration tools should immediately patch known vulnerabilities and restrict network access to these systems. Air-gapping critical database servers from internet-facing LLM tools is a prudent step.

Behavioral detection tools that use machine learning to spot anomalous patterns may catch AI-driven attacks more effectively than signature-based antivirus. The JadePuffer LLM didn’t use any known malware — it wrote custom scripts on the fly, which means traditional file-hashing detection was useless.

Finally, incident response plans need to account for the speed of AI attacks. Manual containment procedures that take hours are obsolete. Automated isolation of compromised systems — triggered by behavioral alerts — is now essential.

The Broader Picture: AI as a Cyber Weapon

JadePuffer is a milestone, but it won’t be the last. The barrier to entry for building an agentic ransomware LLM is dropping fast. Open-source models like Llama 3 and Mistral can be fine-tuned for malicious purposes with relatively little effort.

Security researchers are already seeing copycat attempts. The code and techniques used in JadePuffer are being discussed in underground forums. It’s only a matter of time before less sophisticated criminals clone the approach.

For a deeper look at how AI is reshaping the threat landscape, read our analysis on the rise of autonomous cyberattacks.

The era of LLM-driven ransomware is here. JadePuffer is the first complete example — it won’t be the last.

Continue Reading

CyberSecurity

CrashStealer: New macOS Malware Uses Notarized Dropper to Evade Apple’s Gatekeeper

Published

on

CrashStealer macOS malware

A Stealthy New Player in macOS Threats

Cybersecurity researchers have uncovered a fresh macOS information stealer dubbed CrashStealer. Unlike many of its peers that lean on AppleScript droppers or Objective-C wrappers, this one is built in native C++. That alone makes it stand out — and more dangerous.

According to Jamf Threat Labs, CrashStealer doesn’t just skim data passively. It validates the victim’s login password locally before proceeding. If the password doesn’t match, the malware simply stops. That’s a level of caution rarely seen in commodity stealers.

The big headline? CrashStealer passed Apple’s notarization checks, meaning it briefly wore a badge of trust before being flagged. That’s a sobering reminder that notarization is not a guarantee of safety.

How CrashStealer Bypasses Gatekeeper

Apple’s Gatekeeper is designed to block unsigned or untrusted code from running on macOS. But CrashStealer’s developers got their payload notarized by Apple — a process meant to verify that software is free of known malicious components.

How? The dropper itself appeared clean. It was only the second-stage payload that carried the malicious logic. Once the notarized installer ran, it fetched the real stealer from a remote server, entirely bypassing the initial Gatekeeper scan.

This technique, sometimes called a “notarized dropper,” exploits a gap: Apple checks the outer package but doesn’t re-verify dynamically downloaded code. For attackers, it’s a clean way to get a foothold on a locked-down Mac.

The C++ Advantage

Most macOS malware relies on scripting languages like AppleScript or higher-level wrappers in Objective-C. CrashStealer’s use of native C++ gives it several advantages:

  • Smaller binary size, making it harder to spot via heuristics
  • Lower-level system access, useful for keylogging and credential theft
  • Better evasion of signature-based detection tools

Jamf researchers noted that the malware’s code is lean and avoids common macOS API calls that antivirus engines monitor. That’s a deliberate design choice — and it works.

What Data Does CrashStealer Harvest?

Once active, CrashStealer goes after a broad set of sensitive information. Its targets include:

  • Login passwords and keychain data
  • Browser cookies and saved credentials
  • Cryptocurrency wallet files
  • System information and installed application lists
  • iCloud tokens, if accessible

The stolen data is exfiltrated to a command-and-control server. Researchers haven’t yet confirmed the full scope of victims, but the malware’s design suggests a broad, indiscriminate targeting strategy — not a narrow espionage campaign.

What This Means for Mac Users

For years, Mac users enjoyed a reputation for relative safety compared to Windows. That’s changing. macOS-specific malware like CrashStealer, Mac ransomware, and info-stealers targeting Apple systems are on the rise.

The fact that CrashStealer passed notarization is particularly troubling. It means users who trust Apple’s stamp of approval can still be compromised. The lesson: don’t rely solely on Apple’s security checks. Practice the same caution you would on any other platform.

If you’re a Mac user, consider these steps:

  • Only download software from official developer websites, not third-party mirrors
  • Keep macOS and all apps updated
  • Use a reputable endpoint security tool that monitors for unusual behavior
  • Enable FileVault encryption to protect data at rest
  • Be skeptical of unexpected password prompts — CrashStealer asks for your login password

Detection and Mitigation

Jamf Threat Labs has published indicators of compromise (IoCs) for CrashStealer, including known C2 domains and file hashes. Security teams can use these to scan for infections.

Apple has since revoked the notarization ticket for the malicious dropper, so new installations should now trigger Gatekeeper warnings. But existing infections remain active until cleaned.

For individuals, a full system scan with an updated antivirus tool is the first step. If you suspect compromise, change all passwords from a clean device and enable two-factor authentication wherever possible.

CrashStealer is a wake-up call. macOS notarization is a useful security layer — but it’s not bulletproof. Treat every download with a healthy dose of skepticism, even if Apple gave it a thumbs-up.

Continue Reading

Trending