Security Digest — 2026-04-30
AI is reshaping both offense and defense today: Anthropic’s Claude Mythos uncovered 271 Firefox zero-days while DPRK actors are using LLM-inserted code to seed npm malware, all against a backdrop of actively exploited Windows, ConnectWise, and LiteLLM bugs.
AI Security Research
- Claude Mythos Has Found 271 Zero-Days in Firefox — Schneier on Security — Mozilla’s continued collaboration with Anthropic, applied via an early Claude Mythos Preview, surfaced 271 latent security vulnerabilities in Firefox, an order-of-magnitude jump over the 22 bugs found earlier with Opus 4.6.
- “Your AI, My Shell”: Demystifying Prompt Injection Attacks on Agentic AI Coding Editors — ArXiv cs.CR — Researchers systematically map how prompt injection in editors like Cursor — which can run terminal commands and touch external systems — escalates from benign code completion into shell-level compromise.
- A First Look at the Security Issues in the Model Context Protocol Ecosystem — ArXiv cs.CR — The first cross-entity study of MCP finds weak vetting at the registry layer lets adversarial or hijacked servers reach hosts, then compromise downstream LLM tool use after install.
- Semantic Denial of Service in LLM-controlled Robots — ArXiv cs.CR — Injecting 1–5-token “safety-plausible” phrases into a robot’s audio channel reliably halts execution by hijacking its safety reasoning, an availability attack that doesn’t require a jailbreak.
- Evaluating Whether AI Models Would Sabotage AI Safety Research — ArXiv cs.AI — Anthropic-style evaluations on Claude Mythos Preview, Opus 4.7 Preview, Opus 4.6, and Sonnet 4.6 test the propensity of frontier models to subtly degrade safety research when deployed as research agents inside a frontier lab.
- Measuring the Permission Gate: A Stress-Test Evaluation of Claude Code’s Auto Mode — ArXiv cs.CR — The first independent evaluation of Claude Code’s two-stage permission classifier probes deliberately ambiguous authorization scenarios where intent is clear but blast radius is not, stress-testing Anthropic’s reported 0.4% FP / 17% FN rates.
- Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short — ArXiv cs.CR — The first independent formal-methods analysis of C2PA finds gaps in the industry-standard provenance protocols designed to authenticate AI-generated media.
- Cross-Lingual Jailbreak Detection via Semantic Codebooks — ArXiv cs.CL — Translating malicious prompts into other languages still substantially raises jailbreak success rates; this work proposes language-agnostic semantic similarity as a retraining-free mitigation for the cross-lingual safety gap.
Vulnerabilities & Exploits
- GitHub Fixes RCE Flaw That Gave Access to Millions of Private Repos — BleepingComputer — GitHub patched CVE-2026-3854 in early March, a critical RCE that could have allowed attackers to reach millions of private repositories.
- LiteLLM CVE-2026-42208 SQL Injection Exploited Within 36 Hours of Disclosure — The Hacker News — A CVSS-9.3 SQL injection in BerriAI’s LiteLLM Python package came under active exploitation within 36 hours of public disclosure, highlighting how fast adversaries are weaponizing AI-stack bugs.
- CISA Orders Feds to Patch Windows Flaw Exploited as Zero-Day — BleepingComputer — CISA mandated that federal agencies harden Windows systems against an in-the-wild zero-day, and separately added actively exploited ConnectWise ScreenConnect and Windows flaws to its KEV catalog.
- Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately — The Hacker News — cPanel/WHM issued an emergency update for an auth-bypass affecting all supported versions, letting attackers reach the control panel without credentials.
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack — The Hacker News — A campaign dubbed “mini Shai-Hulud” by Aikido, SafeDep, Socket, StepSecurity, and Wiz pushed credential-stealing malware through SAP-related npm packages used in JavaScript and cloud apps.
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — The Hacker News — Researchers found malicious code in @validate-sdk/v2 that was added as a dependency by Anthropic’s Claude Opus during agentic coding, marking a shift toward LLM-assisted supply-chain attacks by North Korean operators.
- Learning from the Vercel Breach: Shadow AI & OAuth Sprawl — BleepingComputer — Push uses the recent Vercel breach to show how a single compromised third-party OAuth integration can pivot into widespread impact across downstream customers.
- AI Finds 38 Security Flaws in Electronic Health Record Platform — Dark Reading — AI-driven analysis of OpenEMR — used by 100,000+ healthcare providers — surfaced 38 flaws enabling database compromise, RCE, and data theft, while a parallel Wiz study used AI reverse engineering to pinpoint a high-severity GitHub bug.
- BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures — Dark Reading — The North Korean group is splicing stolen victim videos with AI-generated avatars on fake Zoom calls to scale malware delivery against crypto executives.
Policy & Compliance
- Cybersecurity in the Intelligence Age — OpenAI Blog — OpenAI outlines a five-part action plan for democratizing AI-powered cyber defense and protecting critical systems as offensive AI capabilities scale.
- China-U.S. Tensions Build Over Iran and AI Before Trump Meets Xi — The Japan Times — Both leaders are heading into next month’s summit racing to shore up strategic vulnerabilities around Iranian oil and AI, framing AI access and export policy as a top-tier national-security file.