This week’s threat landscape spanned a high-profile AI model redeployment decision, a Linux kernel zero-day capable of full root compromise, a wave of critical browser and enterprise-software patches, and continued fallout from infostealer and phishing campaigns targeting both consumers and enterprises.
AI Security Model Cleared for Critical Infrastructure
Anthropic’s advanced cybersecurity-focused AI model, referred to in reporting as Claude Mythos 5, is being restored to vetted U.S. critical infrastructure organizations following a government-led suspension that began in mid-June. The model had demonstrated an unusually high success rate generating working exploits on the first attempt during testing, including chains against decades-old flaws in OpenBSD and FFmpeg, and autonomously chaining Linux kernel exploits to achieve full privilege escalation. U.S. authorities cleared a phased redeployment for organizations in energy, healthcare, financial services, and telecom, with broader rollout plans still under discussion.
“Bad Epoll”: A Linux Root Zero-Day
A race condition combined with a use-after-free bug in the Linux kernel’s epoll subsystem — dubbed “Bad Epoll” — allows an unprivileged local user to escalate to root with reliability reported near 99%. The flaw affects servers, desktops, and Android devices alike. Because the epoll subsystem cannot simply be disabled, the only effective mitigation is applying the upstream kernel patch as soon as possible.
Hundreds of Browser and Enterprise Software Patches
Google’s Chrome 151 stable release patched 382 separate vulnerabilities, 15 of them rated critical, the majority being use-after-free bugs across Extensions, GPU, WebUSB, Bluetooth, and Chromoting components that could enable drive-by code execution. Users on Windows, macOS, Linux, and iOS were urged to update immediately.
Separately, a new CitrixBleed-class memory-disclosure flaw in Citrix NetScaler appliances was actively exploited within roughly 24 hours of public disclosure. The unauthenticated bug targets NetScaler instances configured as SAML identity providers, leaking session tokens through an out-of-bounds read in the XML parser, and affects ADC/Gateway builds prior to 14.1-72.61.
- A critical vulnerability in Gemini CLI drew scrutiny from researchers this week.
- Microsoft 365 Apps carried an out-of-bounds read RCE vulnerability requiring prompt patching.
- Apache ActiveMQ disclosed flaws enabling denial-of-service and unauthorized access.
- Apache Tomcat also received fixes for multiple vulnerabilities affecting deployments.
Malware and Infostealer Activity
PamStealer, a newly identified macOS infostealer, has been spotted disguising itself as the popular open-source clipboard manager Maccy while silently harvesting sensitive user data and clipboard contents in the background — a reminder that even niche utility apps are being weaponized as delivery vehicles on macOS.
Law Enforcement and Platform Actions
Google and the FBI took joint action to dismantle a NetNut-linked residential proxy botnet that had hijacked roughly 2 million home devices, disrupting infrastructure commonly used to mask malicious traffic. Separately, an individual alleged to be a member of the Scattered Spider extortion collective was extradited to face charges, continuing a string of law-enforcement actions against the group over the past year.
Other Notable Developments
- WhatsApp rolled out a long-requested username feature, letting users connect without sharing phone numbers.
- Apple’s “Hide My Email” feature was found to have an unpatched flaw exposing users’ real email addresses.
- Kali Linux 2026.2 shipped with nine new tools and a claimed threefold improvement in VM boot time.
- India’s government directed Google and Apple to remove three apps allegedly misused to remotely disable e-rickshaws.
Takeaway for Defenders
This week’s pattern reinforces a familiar theme: kernel-level zero-days and unauthenticated appliance flaws continue to be exploited faster than patch cycles can keep pace, while infostealers keep finding new disguises to slip past user scrutiny. Prioritizing the Bad Epoll kernel patch and the CitrixBleed-class NetScaler fix should sit at the top of most security teams’ patch queues this week, alongside verifying Chrome 151 has propagated across managed endpoints.