July 7, 2026
Tuesday Morning Threat Report: Jul 7, 2026
Where the news is always bad, but the analysis is always good.

By Mark Maguire
4 min read
Good morning everybody! Happy Tuesday!
Anthropic celebrates Independence Day with a Mythos model free from export controls, and India demands WhatsApp explain a shift to usernames. Let's dive in!
Top Stories:
This week's biggest headlines. Analysis section below.
U.S. Government Lifts Ban on Mythos: The U.S. has lifted export controls on Anthropic's Claude Mythos 5, allowing it to be available to users globally starting July 1, 2026.
Nintendo Employee Data Stolen in Breach: Nintendo of America confirmed that employee data was exposed due to a breach of the third-party service TinyPulse, with hackers demanding a $2 million ransom for the stolen information.
Company Hacked by Snow Shovelers in the Parking Lot: Two professional cybersecurity testers gained network administrator access by posing as snow shovelers, exploiting physical security vulnerabilities in a corporate environment.
Alleged Scattered Spider Hacker Extradited to U.S.: Peter Stokes, a 19-year-old dual citizen of the U.S. and Estonia, was extradited to the U.S. from Finland to face charges related to his involvement in the Scattered Spider cybercrime group. He is accused of conspiracy, cyber intrusion, and fraud.
New Hacking Group Targets Governments and Power Companies: Armored Likho is a previously unknown hacking group that has been observed hacking power companies and government agencies across Russia, Brazil, and Kazakhstan.
Adobe Releases Patch for Seven Critical Vulnerabilities: Adobe has released patches for seven maximum-severity vulnerabilities in ColdFusion and Campaign Classic, all with a CVSS score of 10.0, indicating they can be exploited easily and pose a high risk.
Fortibleed Campaign Linked to Ransomware Groups: FortiBleed is linked to INC and Lynx ransomware operations, marking the first confirmed instance of mass FortiGate credential theft being directly associated with ransomware deployment.
900 Oracle Customers Vulnerable to EBS Attacks: Oracle E-Business Suite (EBS) is currently under attack due to a critical vulnerability (CVE-2026–46817) that allows unauthenticated attackers to take over systems.
My Takeaways
Analysis based on this week's news and my experience in the industry. More headlines below in the Lower Echelon.
What SaaSpocalypse: The capabilities of open-source Chinese models are rapidly converging with closed-source American frontier models. A few years ago, OpenAI and Anthropic models had a clear, commanding lead over all competitors, but as model capabilities asymptote, that gap is narrowing. For the cyber world, this has a very important implication: Mythos-level hacking capabilities will be available to all through open-source models in three to six months.
As AI has developed the ability to discover and exploit vulnerabilities, the situation at most companies has gone from bad to worse. Small and medium-sized businesses do not have the budget to support large cyber teams, meaning even before AI, most had a backlog of thousands of vulnerabilities they knew about but lacked the bandwidth to patch. Thanks to AI, vulnerabilities are being uncovered at an ever increasing rate, drowning already overloaded security teams.
I believe one likely result of this will be an increase in demand for Software-as-a-Service (SaaS) products. Unlike self-hosting, when companies use SaaS, the vendor handles patching for you. Every time a company swaps a self-hosted app for a SaaS one, it's one fewer app that the security team needs to worry about applying security patches to. To illustrate the point, let's consider Oracle customers. Oracle E-Business Suite is a self-hosted product. That means when a critical vulnerability is discovered, each customer is responsible for applying the patch. As we saw this week, over 900 customers still have not applied the patch, turning them into fish in a barrel for hackers. If those customers were on a SaaS product instead, Oracle would have applied the patch for them as soon as it was available, and none of their customers would have been exposed. While SaaS solutions are generally more expensive than self-hosting, I think the security benefits are going to cause many companies to reevaluate the true cost.
The Lower Echelon:
Interesting cybersecurity news that didn't quite make the cut to be a top story.
India Demands WhatsApp Explain Shift to Usernames: India's Ministry of Electronics and Information Technology has given WhatsApp a three-day ultimatum to explain why it shouldn't face action under Indian law for rolling out a new username feature that could increase impersonation.
Imposter Fraud Caused Americans Billions in Losses: The FTC reported Americans reported $3.5 billion in losses to imposter scams in 2025, with social media being a primary channel for these frauds.
CISA Warns SharePoint is Under Active Exploitation: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a high-severity Microsoft SharePoint remote code execution vulnerability (CVE-2026–45659) is being actively exploited, allowing attackers to execute arbitrary code.
Microsoft Researchers Demonstrate New AI Vulnerability: Microsoft researchers discovered a vulnerability called AutoJack, which allows a malicious webpage to take control of an AI agent and cause it to execute arbitrary code.
Unpatchable Exploit Impacts Apple Chips: Usbliter8 exploits a hardware vulnerability in Apple's A12 and A13 chips. Because the flaw exists in the hardware rather than the operating system, it cannot be fixed with a software update. However, successfully exploiting it requires physical access to a victim's device.
NSPM-12 Sets NIST Cyber Standards as Baseline: The National Security Presidential Memorandum 12 laid out a new governance framework for national security systems and requires all agencies to adhere to the NIST's cyber standards.
AI Agent Runs First Completely Autonomous Ransomware Attack: An AI agent named JADEPUFFER executed a ransomware attack using a vulnerability in Langflow, allowing it to break into a network, steal credentials, and encrypt a company's database.
Kubota Hackers Maintained Access for Over a Month: Kubota North America Corporation disclosed that hackers had access to its network systems for more than a month, with employee data being exposed.
On the right side of this page, you can follow and subscribe to receive this newsletter to your inbox weekly (no Medium account needed, just sign in with Google)!
Thanks for reading! See everyone next week!