Anthropic Previews Mythos Model; Passports Exposed in Eurail Breach; LAPD Files Exposed in City Attorney's Office Breach

Anthropic's Mythos announcement this week has generated enormous attention, and rightly so. Yesterday, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent meeting with Wall Street bank CEOs to discuss the cyber risks raised by Mythos and similar future models. https://www.reuters.com/business/finance/bessent-powell-warn-bank-ceos-about-anthropic-model-risks-bloomberg-news-reports-2026-04-10/

When an AI provider claims its model discovered thousands of zero-day vulnerabilities across every major operating system and web browser, the industry needs to pay attention and separate hype from reality. Much of the conversation so far has been heavy on alarm and light on substance.

Here is what I can tell you from 15 months of using current AI models for vulnerability discovery in penetration tests from SANS faculty and staff: the capability is real, it is accelerating, and you do not need access to Mythos to start seeing these results. Current models work and my team has found critical vulnerabilities in code that had been thoroughly tested by skilled humans for years.

That’s why SANS will run a webcast next Thursday devoted to the topic, focusing on capabilities that exist today.

SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype vs. Reality Livestream on Thursday, April 16 | 12:00 PM Noon ET | No registration required

I am hosting this webcast with Chris Elgee, Principal Instructor at SANS Institute, and Joshua Wright, Faculty Fellow and Senior Technical Director at SANS Institute. Chris will demonstrate AI-assisted vulnerability discovery live on screen against real code. Josh will cover what the next 12 months mean for defenders. You can watch live on LinkedIn or keep an eye on SANS social channels early next week for a landing page link.

On Tuesday, April 7, 2026, Anthropic announced a preview of a new general-purpose LLM called Claude Mythos, alongside the launch of an industry group called Project Glasswing, focused on implementing the new model defensively ahead of public release. According to Anthropic, during internal testing Mythos was uniquely successful at scanning for and exploit zero-day vulnerabilities, some of which are decades old, across all major operating systems and browsers, including exploit chains of multiple flaws. While previous models Sonnet and Opus 4.6 have a <1% success rate at autonomously developing exploits, Mythos generated successful exploits in 72.4% of trials. Anthropic states that Mythos has identified thousands of vulnerabilities that are likely high and critical-severity, and the company has taken on contractors to manually validate bug reports as part of ongoing responsible disclosure. Anthropic does not plan to make Mythos Preview generally available; use will at first be limited to Project Glasswing, comprising 12 named partners and ~40 other organizations "that build or maintain critical software infrastructure," including Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic has chosen to be reticent about findings in the name of safety, but does detail a few notable discoveries, all of which have been disclosed and patched: a 27-year-old stack-based buffer overflow vulnerability in FreeBSD (CVE-2026-4747); a 16-year-old vulnerability in FFmpeg; and a chain of flaws allowing privilege escalation in the Linux kernel.

A December 2025 breach of Eurail B.V.'s customer database resulted in the theft of passport information belonging to more than 300,000 individuals. Eurail, which is based in the Netherlands, sells Interrail and Eurail train passes. The incident was initially disclosed in February 2026, at which time Eurail said the intruders accessed sensitive information, including names, passport details, ID numbers, bank account IBANs, health information, contact details, email addresses, and phone numbers. In a March 27, 2026 breach notification letter sent to affected individuals, Eurail acknowledged that the threat actors exfiltrated data. A filing with the Oregon Attorney General's office places the number of individuals affected by the breach at 308,777.

The Los Angeles Police Department (LAPD) has published a statement disclosing that "discovery documents from previously adjudicated or settled LAPD civil litigation cases" were compromised during a breach of a digital storage system at the LA City Attorney’s Office. The incident did not involve LAPD systems. An LA City Attorney’s Office spokesperson said they were alerted to "unauthorized access to a third-party tool used by the City Attorney’s Office to transfer discovery to opposing counsel and litigants" on March 20, 2026. According to the LA Times, the breach compromised 7.7 terabytes of LAPD records.

Germany's Federal Criminal Police Office (Bundeskriminalamt, BKA) has revealed the identities of two wanted Russian men believed to be former leaders of the GandCrab and later REvil ransomware-as-a-service (RaaS) operations. 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk are suspects in at least 130 cases of computer sabotage and extortion between 2019 and 2021, allegedly collecting about €2 million in ransom payments and causing over €35 million of damage. Brian Krebs notes that REvil and GandCrab "pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data." REvil formed after GandCrab dissolved, and targeted high-profile companies and individuals for extortion before being dismantled by FBI disruptions in 2021 and arrests in 2022. The BKA believes the two men to reside in Russia; both have been added to the EU Most Wanted list.

The US Cybersecurity and Infrastructure Security Agency has added a critical flaw in Ivanti Endpoint Manager Mobile (EPMM) to the Known Exploited Vulnerabilities catalog (CISA KEV). CVE-2026-1340, CVSS score 9.8, allows a remote unauthenticated attacker to achieve code execution due to a code injection vulnerability in Ivanti EPMM. This flaw was originally disclosed on January 29, 2026, simultaneously with another flaw with an identical description (CVE-2026-1281), less than 24 hours before attacks on mobile management infrastructure impacted the European Commission and government organizations in the Netherlands and Finland. CVE-2026-1281 was added to the CISA KEV the same day, but CVE-2026-1340 was not added until April 8. Customers should check the indicators of compromise (IoCs) linked in Ivanti's original advisory and follow the instructions and syntax to properly apply the RPM patch script appropriate to their system. Federal Civilian Executive Branch (FCEB) agencies are required to patch this flaw by February 11.

Chevin Fleet Solutions, a UK-based developer of software for managing the details and logistics of vehicle fleets, took its FleetWave platform offline following an "incident" on April 2, 2026, and it remains down as of this writing. The Register reports that an email sent to customers states that Chevin took FleetWave's Azure environments offline as a precaution, and that the company has engaged external cybersecurity experts to investigate and implement security controls. This outage has caused disruptions to users of the software in the US and the UK, though the EU and Australia still have working service. Chevin has not provided details on the nature, timing, scope, or impact of the incident, but their website indicates which components of their service are operational, and directs customers to Zendesk for updates.

A cybersecurity incident at Signature Healthcare in Brockton, Massachusetts on Monday, April 6, prompted the organization to divert ambulances from Brockton Hospital to other facilities. Signature Healthcare identified "suspicious activity within a portion of [its] network ... [and] activated ... incident response protocols." While the switch to downtime operations has not impacted the organization's surgeries and procedures, chemotherapy infusion services scheduled for Tuesday, April 7 were cancelled, and patients have been notified of possible delays at Signature Medical Group and related urgent care facilities. Some Signature Healthcare retail pharmacies were closed on Monday; when they reopened on Tuesday, April 7, they were able to provide consultations but unable to fill prescriptions. According to a Signature Healthcare update on Wednesday, April 8, lab work and tests are being conducted but may be delayed; requests for medical records are temporarily unable to be fulfilled; ambulance traffic remains diverted; and chemotherapy infusion services have resumed.

A zero-day vulnerability in Adobe Acrobat Reader has been under exploit since late last year, according to researcher Haifei Li, founder of the EXPMON, an analysis system that "uses crafted sandboxing and static analysis techniques to check if a file sample could be a potential exploit." The Adobe Reader exploit leverages maliciously crafted PDF documents. Li writes that according to EXPMON analysis, " the sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits. It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader." At the time of writing, Adobe has not released a statement regarding the vulnerability.

Dutch healthcare software company ChipSoft was the target of a ransomware attack that has resulted in its systems going offline on Tuesday, April 7. ChipSoft provides Electronic Health Record (EHR) systems to many hospitals in the Netherlands; eleven of those hospitals have taken their ChipSoft software offline. Z-CERT, the country's computer emergency response team, has published an advisory about the attack, noting that "ChipSoft indicates that all connections to the Zorgportaal, HiX Mobile, and the Zorgplatform have been disabled as a precaution and are currently unavailable. ChipSoft has started bringing the systems back online in phases, during which users are receiving new login credentials."