We need to talk about Anthropic’s Claude Mythos AI model. It’s not even out yet, and Anthropic is keeping it close to its chest for the time being, but it’s already sent the security world into a tailspin. The model is apparently powerful enough to find critical vulnerabilities in virtually any software it’s pointed at within minutes or hours, which, as you can imagine, has a lot of security experts and developers sweating. Even worse, it doesn’t look like it’s just hype: Those who have tested it are also concerned, and when it’s eventually released, it could change the way we interact with our devices forever.
You or I probably won’t have to worry about Mythos directly. What we will have to worry about is the sheer number of patches and updates that will come when it’s in the wild, and how quickly we learn about and apply those updates. If you, as a company, have a tool that can find security holes in anything and also tell you how they can be exploited, all in mere minutes, that may sound good on paper, but once you have a laundry list of issues and patches you need to send out to your customers, it’s not much fun anymore.
If you’re a hacker, this is great because it makes finding and exploiting vulnerabilities in everything from huge websites to a smart refrigerator much, much easier. If it’s your fridge, you need to learn how to patch that fridge quickly, as soon as the patch is available, because waiting can mean the difference between your fridge working as intended and your energy bill spiking because your fridge just joined a botnet and is mining crypto while you’re sleeping. If that sounds bad, imagine actually patching the fridge, and then your smart oven, and then your robot vacuum cleaner, and then your phone and PC, and then doing it again several times a week because an AI model is out there fighting another AI model in a never-ending battle of “find exploit, patch exploit.” See the issue?
Also this week, senior writer Kim Key took a look at the trend of people asking AI chatbots to generate secure passwords for them, or even vibe code their own password generator, and found that, regardless of the chatbot used, AI generates hilariously insecure passwords. Not on the order of “password123,” mind you, but passwords with repeated patterns and similarities that may be vulnerable to brute force attacks. I know it’s tempting to use AI, but let us show you how to build a better password generator on your own.
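To make the password point concrete, here is an added example (my code, not PCMag’s and not Kim Key’s generator) of the two things a home-built generator should get right: drawing characters from the operating system’s cryptographic random source rather than from a chatbot, and rejecting the repeated-block and run-of-the-same-character structure the article describes. The alphabet, the 20-character default, the “no repeated 3-character chunk” threshold and the sample weak password are all my own assumptions, constructed for illustration.

```python
import math
import secrets
import string

# Constructed alphabet for this example: letters, digits and a fixed symbol set.
# Every symbol appears exactly once, so secrets.choice() draws uniformly over it.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Nominal entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def has_repeated_pattern(pw: str, min_len: int = 3) -> bool:
    """Return True if any substring of at least `min_len` characters occurs twice.

    A repeated block (e.g. "Xk9!" showing up twice) is the kind of structure
    that shrinks the effective search space for a pattern-aware guesser.
    """
    for size in range(min_len, len(pw) // 2 + 1):
        seen = set()
        for i in range(len(pw) - size + 1):
            chunk = pw[i:i + size]
            if chunk in seen:
                return True
            seen.add(chunk)
    return False


def longest_run(pw: str) -> int:
    """Length of the longest run of identical consecutive characters ("aaa" -> 3)."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      max_attempts: int = 100) -> str:
    """Draw a password from the OS CSPRNG, rejecting obviously structured outputs.

    Rejection sampling discards a tiny slice of the space (well under a bit of
    entropy at these lengths) in exchange for no repeated 3-grams or triple runs.
    """
    if length < 1:
        raise ValueError("length must be positive")
    for _ in range(max_attempts):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not has_repeated_pattern(pw) and longest_run(pw) <= 2:
            return pw
    raise RuntimeError("no unstructured candidate found; raise max_attempts")


def password_report(pw: str, alphabet: str = ALPHABET) -> dict:
    """Summarise a candidate: nominal entropy plus the two structure checks."""
    return {
        "length": len(pw),
        "nominal_entropy_bits": round(entropy_bits(len(pw), len(alphabet)), 1),
        "repeated_pattern": has_repeated_pattern(pw),
        "longest_run": longest_run(pw),
    }


if __name__ == "__main__":
    # Constructed stand-in for the chatbot output described in the article:
    # it looks random, but the block "Xk9!Tz2@" simply repeats.
    weak = "Xk9!Tz2@Xk9!Tz2@"
    print("weak  :", weak, password_report(weak))
    strong = generate_password(20)
    print("strong:", strong, password_report(strong))
```

The `secrets` module matters more than the checks: Python’s `random` module is a Mersenne Twister whose output can be reconstructed from a few hundred observed values, so it is the wrong source for anything secret. The nominal entropy figure assumes uniform draws; a chatbot’s “random-looking” string has no such guarantee, which is exactly why the structure checks flag the constructed weak example while passing the CSPRNG output.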
You didn’t think we’d get through this week without major hacks, did you? On Monday, Booking.com suffered a massive data breach, with hackers making off with everything from booking details to account names, email addresses, and phone numbers associated with user accounts, as well as any details and notes a user provided as part of their booking. We don’t know exactly how many accounts have been affected by the breach, but if you use or have used the site, check your inbox. Also, if you spent last weekend tinkering with your PC after downloading tools like CPU-Z or HWMonitor from CPUID.com, the official website, you may have gotten malware. A hacker hijacked the official website, displaying links to malicious downloads instead of the real ones, but on the bright side, the breach lasted only about six hours. The malware appears to be designed to steal browser credentials and other sensitive data and even bypass some antivirus software.
Let’s take a look at what else is going on in the cybersecurity world this week.
CSA Urges Security Pros to Prepare for Mythos-Powered Threats
As we mentioned above, there’s a good bit of worry in the infosec community right now about Anthropic’s Mythos AI model, since so far it’s been able to find critical software vulnerabilities in just about anything it’s pointed at, within minutes. This might not sound terrible, but in the wrong hands—and let’s be honest, it will absolutely end up in the wrong hands—it could be used to find and exploit vulnerabilities in every internet-connected device faster than either manufacturers or owners can patch or secure them. It’s no surprise that Anthropic is keeping it under wraps for the time being.
Here’s another indicator that we may be living in that world very soon: According to SecurityWeek, the Cloud Security Alliance (CSA) recently published a report calling on information security leaders to start preparing for Mythos now, rather than waiting to see what might happen when it’s more widely available. They warn that waiting will only force them to be more reactionary when it is eventually released, and that even if Anthropic tries to limit access to the new model to specific types of users, it’ll inevitably get out. At that point, security professionals everywhere will have to deal with a potential adversary (or potential ally, depending on how it’s used) that never sleeps and works constantly to find holes in their products. Buckle up, and keep your devices up to date.
Fake YouTube Copyright Notices Can Steal Your Google Account
The thing about phishing attacks is that they’re designed to make you think less and act quickly. That’s how they get you, by making you think that it’s an annoyance you have to resolve right away, so you click through and type in your password and... your account and data are gone. We’ve talked about how to spot phishing scams before, including more complicated “spear phishing,” which uses personal data to target specific people. Well, over at the Malwarebytes blog, we caught a new phishing scam targeting creators and streamers: fake copyright notices claiming to be from YouTube.
Of course, the copyright notices aren’t real; they’re not from YouTube, and if you go directly to your YouTube dashboard to review any action taken against your channel, you won’t see them there. But that’s not the goal. Instead, the phishers want you to see the copyright notice in your inbox, have the kind of small panic that only a content creator can truly understand, click to take action or review the notice, and, when prompted to log in to your Google account to check it out, type in your credentials. Predictably, you’re not logging into Google at all; you’re handing over your credentials to a scammer who could turn around and either sell them along with other stolen accounts or steal your Google account right away, which includes your YouTube channel. Be on the lookout, and remember, if you ever get a suspicious-looking email (or personally, I do this with any email that looks important), go directly to the service provider who sent it and see if you can find it in your account or on their site.
French Authorities Free Mother and Son After 20-Hour Crypto Kidnapping
I was going to open this section with a witty reference to Liam Neeson's “special set of skills” from the movie Taken, but then I realized the movie is almost 20 years old. Anyway, not to make too light of the situation, but over in France, there have been a string of high-profile kidnappings and ransoms for cryptocurrency in recent months. This case, reported by The Register, is particularly egregious, since a woman and her 10-year-old son were kidnapped and held for ransom for over 20 hours while the kidnappers demanded several hundred thousand euros from the pair’s husband and father, who also happens to be a crypto entrepreneur.
The kidnappers never got the money and were captured by authorities a day after the abduction, and the woman and her son were freed and returned home. In a previous case, kidnappers held the wife of another crypto company executive and her elderly mother for almost 30 hours before a passerby heard their calls for help and freed them (and alerted authorities, of course). All told, there have been at least 19 reported kidnappings for crypto ransom in France in 2026 so far, and many of them haven’t ended as well, so it’s a disturbing trend.