AI Is Getting Good at Finding Software Bugs, and the Government Just Stepped In
AI is changing how software vulnerabilities get found. In February 2026, Anthropic reported that its Claude Code Security tool, running on the Opus 4.6 model, found more than 500 vulnerabilities in widely used open-source projects, including bugs that had gone unnoticed for decades despite years of expert review. The same capability that helps defenders patch faster can also help attackers, so it cuts both ways.
Those capabilities are now drawing government attention. Anthropic launched two newer models, Fable 5 and Mythos 5, on June 9, 2026. Three days later, on June 12, the company says the U.S. government issued an export-control directive, citing national security, that barred any foreign national from accessing the two models, including Anthropic's own foreign-national employees. Because there is no practical way to separate foreign nationals from U.S. users in real time, Anthropic disabled both models for everyone to comply.
The government did not publicly state a specific reason. Anthropic's understanding is that officials were shown a way to jailbreak Fable 5, and the company has pushed back, saying the technique only surfaced a few minor, already-known issues. Anthropic says it believes the order is a misunderstanding and is working to restore access.
Why it matters for your business: the tools that find vulnerabilities are improving quickly on both the defensive and the offensive side. The practical advice has not changed, it has just gotten more urgent. Keep your systems patched, keep backups current, and do not sit on security updates. Staying on top of that is exactly what our managed IT and security service handles.
Malware Injected Into Steam Itself Uses the Platform's Own Notifications to Scam Players Out of Their Items
Reports surfacing in Chinese-language communities in April 2026 exposed a new strain of malware that targets Steam, the largest PC gaming platform. Once on a victim's machine, the malware injects a DLL into steam.exe and hijacks Steam's own toast-notification dispatcher to display a fake alert, seemingly from Steam itself, claiming the victim's account is "associated with the theft of other users' Steam accounts" and that account functionality has been restricted.
From there it's a pressure campaign. Using scare and urgency tactics, the attackers coerce victims into "protecting" themselves by trading away all of their in-game skins to an account the attackers control. These cosmetics are real money: individual items sell on third-party markets for anywhere from a few cents to hundreds of thousands of dollars, and they can be converted directly into real-world currency.
What makes this one stand out is the delivery. Steam has a sophisticated authentication and trust system for trades, including 2FA confirmation on every item transfer, and the malware doesn't break any of it. Instead, it makes the warning come from an application the victim already trusts, and the victim then walks their 2FA-protected items out the door themselves. It's a clean demonstration that when an attacker can piggyback on a trusted application, the strongest account security in the world can be talked around.
Why it matters for your business: the same playbook works outside of gaming. A convincing alert inside a trusted app, a claim that your account is in trouble, and an urgent "fix" that requires you to move something valuable, that pattern shows up in banking scams, Microsoft 365 phishing, and tech-support fraud every day. Treat any unexpected alert that pressures you to transfer assets or credentials as hostile until verified through a separate channel, and keep endpoint protection on machines where valuable accounts stay logged in.
Windows NTLM Hash Leak Actively Exploited, Patch Deadline May 12
CVE-2026-32202 is a zero-click NTLM hash leak in Windows that stems from an incomplete fix Microsoft shipped for a separate RCE vulnerability back in February. Attackers are using it in pass-the-hash attacks, stealing hashed credentials and using them to authenticate as the compromised user without ever knowing the actual password. From there they can move laterally across the network or pull sensitive data.
CISA added it to the Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 12. If your Windows machines aren't current on updates, now is the time. The attack requires a victim to open a malicious file, which is a realistic delivery method via phishing.
SharePoint Zero-Day Among 165 Vulnerabilities Patched in April Patch Tuesday
CVE-2026-32201 is a spoofing vulnerability in Microsoft SharePoint Server that was already being actively exploited when Microsoft patched it. An unauthenticated attacker on the network can use it to access and alter sensitive information. CISA added it to the KEV catalog with a federal patch deadline of April 28. April's Patch Tuesday was the second-largest ever by CVE count at 165 total vulnerabilities.
If your organization runs on-premises SharePoint, this needs to be patched immediately. Also notable in the same release: CVE-2026-33825, a Microsoft Defender privilege escalation flaw that was publicly disclosed before the patch dropped.
Chrome Zero-Day Exploited in the Wild, Update to 145.0.7632.76
CVE-2026-2441 is a use-after-free vulnerability in Chrome's CSS component. Google confirmed an exploit exists in the wild. The flaw was reported on February 11 and patched shortly after. A use-after-free in the browser can lead to arbitrary code execution if a user visits a malicious page, though Chrome's sandbox limits the immediate blast radius. Chained with a sandbox escape it becomes significantly more dangerous.
The fix is in Chrome 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux. If Chrome hasn't auto-updated on your machines, push it manually. This is the first actively exploited Chrome zero-day of 2026.