Security firm AIR showed how easily AI agent skills can be weaponized by building a benign-looking design skill, publishing it to marketplaces, and promoting it with an Instagram ad until it reached roughly 26,000 agents, including some on corporate accounts. Every skill-scanning tool they tested, including offerings from Cisco and Nvidia, marked it safe. The trick is that the skill itself stays clean but tells the agent to fetch instructions from an external page the attacker controls, which passes review while pointing at harmless content and can be swapped for a malicious install script later. Skills load into an agent with the same authority as a user's prompt.
Zafran Security disclosed four vulnerabilities, collectively named DifyTap, in Dify, a popular open-source platform for building AI agents and workflows. Two are critical, two need no authentication, and three allow cross-tenant access on Dify's multi-tenant cloud, meaning one customer could quietly read another's private AI conversations and model responses, a covert exfiltration channel. The flaws include an authorization bypass that exposes any application's trace data (CVE-2026-41947), a path traversal into the internal Plugin Daemon API (CVE-2026-41948), and a file-preview authorization bypass (CVE-2026-41949). Most were fixed in Dify 1.14.2, but the path-traversal flaw remains unpatched pending the next release.
Palo Alto's Unit 42 disclosed a flaw, nicknamed Pickle in the Middle, in Google Cloud's Vertex AI SDK for Python that let an attacker with no access to a victim's project hijack their machine-learning model uploads and run code across tenant boundaries. When a model was uploaded without a custom staging bucket, the SDK generated a predictable storage bucket name from the project ID and region and failed to verify ownership, so an attacker could pre-create that bucket, receive the victim's model, and swap in a malicious one that executes on deployment. Google fully fixed it in SDK version 1.148.0 in April; Unit 42 saw no exploitation in the wild.
Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.
Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.
A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.
A critical flaw in Zcash's Orchard privacy pool, the system that lets people send the ZEC cryptocurrency while hiding amounts and parties, could have let an attacker mint unlimited counterfeit coins without detection. Security researcher Taylor Hornby, hired by developer Shielded Labs to probe the code, found it on May 29 using Anthropic's Claude Opus 4.8 model paired with a custom auditing tool, and wrote a working exploit within a day. The bug had survived four years and multiple expert reviews. An emergency fix shipped by June 1. Because the pool hides balances, there is no way to prove whether anyone exploited it earlier.
Anthropic has confirmed it will roll out Claude Mythos-class models to the general public in the coming weeks. Mythos was originally announced in April as a restricted preview available only to select security researchers and partners; Anthropic cited significant security risks if released too broadly. The company now says it has developed sufficient guardrails. Anthropic frames the trade-off as compressing the attacker advantage: 'in the short term, this could be attackers, if frontier labs aren't careful... in the long term, defenders will more efficiently direct resources and use these models to fix bugs.' Pricing and tier availability are not yet disclosed.
Anthropic appears to be preparing the public rollout of Claude Mythos - the restricted security-focused frontier model that uncovered 10,000 high or critical vulnerabilities in its first month under Project Glasswing. References to 'claude-mythos-1-preview' have briefly appeared in the public Claude Code and Claude Security products, with at least one user reportedly seeing a toggle to enable Mythos before it was pulled. Anthropic originally announced Mythos in early preview on April 7 and held back the public release pending guardrails, warning the model 'can automatically develop functional cyberattacks at a highly professional level.' Pricing and tier availability are not yet disclosed.
Anthropic has named the program behind its Claude Mythos Preview model 'Project Glasswing' and disclosed the first-month results. Working with AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, the program flagged 6,202 high or critical vulnerability candidates across 1,000+ open-source projects; 1,726 were validated by human reviewers and 1,094 confirmed as genuine high or critical severity. A WolfSSL certificate-forgery flaw (CVE-2026-5194, CVSS 9.1) is the named-and-shamed example. 97 upstream patches and 88 security advisories have landed. Anthropic itself warns that finding flaws is far easier than fixing them.