The Government Is Now Scanning Its Own Code with Mythos

Top AI and Cybersecurity news you should check out today

Welcome Back to The AI Trust Letter

Once a week, we distill the most critical AI & cybersecurity stories for builders, strategists, and researchers. Let’s dive in!

🤖 JADEPUFFER: The First Ransomware Attack Run End-to-End by an AI Agent

The Story:

Sysdig's Threat Research Team has documented what it describes as the first complete ransomware operation driven entirely by a large language model, with no human issuing commands at any point between initial access and the extortion note. The operator, which Sysdig calls JADEPUFFER, broke into a server, harvested credentials, moved laterally to a separate production target, encrypted a database, and destroyed data, all without a human at the keyboard.

The details:

  • The entry point was CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source framework for building AI applications. CISA had added it to its Known Exploited Vulnerabilities catalog over a year before the attack. The affected server was never patched. From there, the agent swept the environment for API keys, cloud credentials, and database logins, then pivoted to a separate internet-facing MySQL server running Alibaba Nacos

  • None of the individual techniques were novel. Exploiting an exposed service, harvesting credentials, moving laterally, abusing default configurations, and destroying databases are standard attack playbook items. What changed is that an agent chained all of them autonomously, diagnosing failures and generating corrected payloads without human input. In one sequence, it went from a failed login to a working fix in 31 seconds

  • The agent encrypted 1,342 Nacos configuration records using MySQL's AES_ENCRYPT() function, printed the one-time encryption key to a terminal session that was never saved, and left a Bitcoin ransom demand. The data is likely unrecoverable even if the ransom is paid

  • Sysdig's senior director of threat research described the operational shift directly: "The skill floor for running a full ransomware operation just dropped to whatever it costs to run an agent"

Why it matters:

The individual techniques in JADEPUFFER were unremarkable. The significance is that an agent chained them into a complete attack at machine speed, self-correcting in real time, targeting infrastructure that most organizations do not watch closely. AI infrastructure like Langflow, config management platforms like Nacos, and object stores running on default credentials are now front-line attack surfaces, not internal tools below the threat model's threshold.

🇨🇳 China Has Its Own Mythos. One Version Is Already Free to Download.

The Story:

At the ISC.AI 2026 conference in Beijing, Qihoo 360 founder Zhou Hongyi unveiled Tulongfeng, a multi-agent vulnerability hunting platform the company positions as China's answer to Anthropic's Mythos. The same week, Beijing-based Z.ai released GLM-5.2, a comparable model under an MIT license with no subscription gates and no geographic restrictions.

The details:

  • Zhou described Mythos as a "cyber nuclear weapon" and framed the US export ban as proof that Washington intends to hold a monopoly over frontier AI vulnerability discovery. He argued China cannot wait for its frontier models to close the gap with Western systems and instead built Tulongfeng as a multi-agent swarm that coordinates specialized models trained on Qihoo 360's 20-year database of 250,000 vulnerabilities. The company claims 3,432 vulnerabilities found to date, with 105 confirmed by Chinese authorities, though no independent verification has been published

  • Zhou acknowledged that Chinese frontier AI models still trail leading US systems by roughly 20 to 30 percent in overall capability, which is why Qihoo's approach substitutes agent coordination and domain expertise for raw model power. He described it as building a professional attack-and-defense team where the US approach is building a single genius hacker

  • Qihoo 360 has been on the US Commerce Department's Entity List since 2020 over alleged links to China's military. Chinese law also requires that every vulnerability discovered by Tulongfeng be reported to a Beijing government agency within 48 hours, before any affected vendor is notified and before any public disclosure. This detail was not addressed in Zhou's conference remarks

  • Z.ai's GLM-5.2, released freely while the Anthropic ban was still in effect, scored higher than Claude Code on at least one key vulnerability detection benchmark at a reported cost of roughly $0.17 per finding

Why it matters:

The US strategy of restricting Mythos to a vetted coalition assumed that capability would take years to replicate. Qihoo 360 is offering a partial rebuttal to that assumption, and Z.ai is offering a free one. The legal obligation to disclose vulnerabilities to Beijing before vendors are notified reframes what "Chinese Mythos" actually means in practice: it is not just a defensive tool. Every zero-day it finds goes to the state first.

🎣 One Misconfigured Server Exposed Three Separate Microsoft 365 Phishing Operations

The Story:

A threat actor running a live Microsoft 365 phishing campaign left a Python web server listening on a public port with directory listing enabled. From that single operational mistake, French security firm Lexfo retrieved the operator's complete toolkit and pivoted through it to uncover two additional phishing operations, three campaigns in total.

The details:

  • All three operations used custom forks of Evilginx, an open-source adversary-in-the-middle proxy freely available on GitHub. The largest campaign had been running for over a year, with victims drawn almost entirely from corporate mailboxes. The leaked server logs gave Lexfo full visibility into targets, session capture rates, and infrastructure across all three operations

  • The three campaigns bypassed MFA through two mechanically different methods: one proxied the live login session in real time to capture the authenticated session cookie, the other abused a legitimate Microsoft device code authentication flow. Each requires a different defensive response, and most Microsoft 365 environments are not configured to detect both

  • The phishing pages showed users the real Microsoft login interface, relayed through the attacker's server, making visual inspection by end users effectively useless as a detection mechanism. Only anomalies in sign-in logs, such as authentication originating from unexpected IP ranges followed by immediate account rule changes, provide reliable indicators

Why it matters:

Three separate phishing operations were running in parallel, one for over a year, using free tools and standard infrastructure. The only reason they were exposed is that one operator made a configuration error. This is the realistic baseline for MFA bypass at scale: cheap, persistent, and largely invisible until something breaks on the attacker's side.

🔑 Accenture Confirms Breach After Hacker Claims 35GB of Source Code and Cloud Keys Stolen

The Story:

A threat actor using the handle "888" posted on a cybercrime forum in early July offering to sell what they claim is 35GB of data stolen from Accenture, including source code, RSA and SSH keys, Azure personal access tokens, and Azure Storage access keys. Accenture confirmed the breach in a statement, said the source had been remediated, and reported no impact on operations or service delivery.

The details:

  • The proof provided was a screenshot showing a private Azure DevOps repository being cloned from an accenture.com-hosted address. The specific repository named was tied to an internal talent development project. Accenture did not confirm the volume of data taken, whether the listed credential types are authentic, or how access was obtained

  • Security researchers have flagged that the data types claimed are more significant than the source code headline suggests. Azure personal access tokens, storage access keys, RSA keys, and SSH keys give potential attackers the means to access live environments and move through infrastructure without needing to repeat the initial breach vector. If the credentials were active at the time of exfiltration, containment of the original access path does not close exposure

  • The same threat actor previously listed Accenture employee data following a third-party breach in 2024. Accenture at the time disputed the scope of that claim. This is the third publicly disclosed breach linked to Accenture, following a LockBit ransomware incident in 2021 and a misconfigured AWS bucket exposure in 2017 that included nearly 40,000 plaintext passwords

Why it matters:

Accenture sits inside the systems of many of the world's largest enterprises, managing cloud environments, codebases, and identity infrastructure for major clients. A consulting firm at that position in the ecosystem is not just a target. It is a potential stepping stone. Whether the stolen credentials were active, and whether any client-connected systems were touched, remains undisclosed.

🛡️ CISA Is Using Anthropic's Mythos to Audit U.S. Government Code

The Story:

Reuters reported on July 6, citing three people familiar with the matter, that CISA is using Anthropic's Mythos model to scan government code repositories for security vulnerabilities. The audits are being run by CISA's Attack Surface Evaluation team, the unit within the agency that conducts digital security assessments and simulated hacking exercises across federal systems. Two of the sources said the audits have already identified a large number of vulnerabilities.

The details:

  • The NSA has separately been using Mythos since at least April 2026, according to prior Axios reporting. The New York Times later reported that NSA analysts tested the model in classified environments and came away impressed by its capabilities. CISA and Anthropic both declined to provide on-the-record comment to Reuters

  • The arrangement is notable for its timing. Anthropic and the US government had a bruising public confrontation this year: the Pentagon designated Anthropic a supply-chain risk in February after the company refused to remove safeguards restricting its AI from autonomous weapons or domestic surveillance use. A judge blocked the designation in March. The export ban on Fable and Mythos followed in June and was lifted only at the end of June

  • No information is public about which government systems have been scanned, how findings are triaged, or what happens to vulnerabilities after Mythos surfaces them. Analysts have noted the optics: a defense agency is pointing an offensive-grade AI at its own government's code, through a company the same government recently classified as a supply-chain risk

Why it matters: 

The government has moved from restricting Mythos to using it on its own infrastructure, within the span of a few weeks. That shift reflects a pragmatic calculation that the defensive value of the model outweighs the risks, but the absence of any public disclosure about what was found, how much code was reviewed, or what access controls govern the arrangement leaves the accountability picture incomplete.

🔧 IBM and Red Hat Launch Lightwell: Automated Vulnerability Remediation for Open Source at Scale

Matt Hicks, President and CEO of Red Hat

The Story:

IBM and Red Hat commercially launched Lightwell on July 8, a platform built to solve a problem that has become structurally worse as AI accelerates both software development and exploit generation: the average enterprise codebase carries 581 open source vulnerabilities, most of which never get patched because the remediation process breaks production systems. Lightwell is designed to deliver certified fixes that can be pulled directly into existing environments without forcing major version upgrades.

The details:

  • Lightwell launches two offerings: Lightwell Network, generally available now, provides access to a catalog of 6,500+ remediated, digitally signed, and certified application-layer dependencies across Java and Python. Lightwell Clearinghouse Premier enters limited availability for financial services organizations, functioning as a trusted intermediary for coordinated patch embargoes and threat coordination before vulnerabilities are publicly disclosed

  • The platform uses a generative AI-powered remediation engine that combines frontier and open AI models with human engineering expertise to identify, validate, and remediate vulnerabilities. Rather than pushing organizations to upgrade to the latest upstream release, it backports security patches to the specific versions companies are already running in production, which is where most remediation programs stall

  • The launch is backed by a $5 billion commitment IBM and Red Hat announced in May 2026, with 20,000 engineers focused on scaling the AI-powered remediation pipeline. Technology partners include AWS, Microsoft, NVIDIA, Palo Alto Networks, GitLab, and ServiceNow

  • Open source comprises up to 90% of enterprise codebases. The JADEPUFFER attack documented this week exploited CVE-2025-3248, a Langflow vulnerability that had been patched over a year before the attack, on an internet-exposed server that was never updated. Lightwell is a structural bet that the patch management gap will not close without automation at the dependency level

Why it matters:

Patching speed is now a competitive disadvantage in a threat environment where AI compresses exploit timelines from weeks to hours. The Verizon 2026 DBIR confirmed that vulnerability exploitation has overtaken credential theft as the leading breach entry point for the first time in 19 years, and that median patching time increased to 43 days in 2025. Lightwell's model, automated remediation at the dependency level without forcing production upgrades, directly targets the friction that keeps most organizations' patch cycles so far behind the threat.

What´s next?

Thanks for reading! If this brought you value, share it with a colleague or post it to your feed. For more curated insight into the world of AI and security, stay connected.