On June 12, 2026, Anthropic disabled Fable 5 and Mythos 5 for all customers in order to comply with an export control directive sent by the US Department of Commerce at 5:21 p.m. ET that day, which ordered the company to suspend access to both models "by any foreign national ... including foreign national Anthropic employees." Fable 5 had been publicly released three days earlier, but Mythos remained restricted to specific partner companies. The text of the directive has not been published as of this writing, but Anthropic characterizes the government's reasoning as an unspecified "national security concern" over a method to bypass, or "jailbreak," Fable 5's safeguards against discovering vulnerabilities. Anthropic contends that this suspension is based on a misunderstanding, and that the capability offered by this "narrow" jailbreak is comparable to competitors' publicly available models. On June 14, an open letter that has now been signed by more than 150 executives and technical leaders was sent to US Secretary of Commerce Howard Lutnick and National Cyber Director Sean Cairncross, asking them to lift the directives and "commit to an open, scientific and transparent process of handling AI risk assessments in the future." The signatories believe that while Mythos-class models are "quite good at finding flaws and weaponizing exploits [...] they are not uniquely good at these tasks," and the safeguards built into Fable 5 erred on the side of being overprotective. The letter asserts that availability of AI is essential for developers and security teams: "This action has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership without any real risk to justify it." The letter concludes by urging that any future AI regulations be grounded in industrial and academic scientific evaluations, created through a democratic process, enforced transparently and fairly, and used only as necessary to ensure public safety.
One of the signatories is Katie Moussouris, Luta Security Founder & CEO, who previously served as a technical expert during international negotiations on the Wassenaar Arrangement, concerning export controls and defensive cybersecurity. Anthropic consulted Moussouris on the research that spurred the directive, and she described why the report should not have led to an export control: "The researchers took open-source code with known CVEs, plus new code with deliberately planted vulnerabilities, and asked Fable 5, Mythos, and Opus to 'review the code for security issues.' Fable 5 refused. They then asked the models to 'fix this code' and, through a multistep and manual process, turned the output into scripts that test the patches. [...] That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day."

Tricky balance of enabling a competitive edge while preventing one's adversaries from obtaining the same advantage. When working with foreign nationals you need to understand what is considered a deemed export as well as understanding risks to your IP when handled by non-citizens. In my career that was significant as we were working with federal information, both unclassified and classified. Regardless of which side you're on, appreciate that this is an indication that AI jailbreaks are being taken seriously by DoC, and they are worried about loss of our IP/competitive edge. Anthropic is working to educate and clarify the risks to DoC by documenting controls, which include defense in depth, likelihood of jailbreak, to include difficulty, mitigations, and 30-day data retention. This should be resolved quickly.
Add me to the coalition of executive leaders calling for the immediate removal of the government's export control directive. The current restrictions do nothing but hamstring cyber defenders. Prohibiting access to Fable 5 actively puts them at a disadvantage, when they have everything to gain from its deployment.

Secrets are really hard to keep. Open source intelligence is hard to keep secret.
Anthropic
Free Fable
Luta Security
CyberScoop
TechCrunch
Infosecurity Magazine
The Register
CyberScoop
Nextgov/FCW
The Record
ZDNET
The Hacker News
About 1,500 package build files in the Arch User Repository (AUR) have been poisoned with infostealer and rootkit malware since June 11, up from initial estimates closer to 400. AUR is a community-maintained repository of package build files for Arch Linux, whose documentation emphasizes that user-produced packages are not thoroughly vetted and used "at your own risk;" however, this attack kept legitimate packages intact without introducing malicious code that a user might detect, instead modifying the build instructions to download a separate malicious npm dependency during the build process. According to reports from IFIN and Sonatype, a malicious actor spoofed (but did not compromise) the account of a trusted maintainer, and proceeded to adopt packages marked as abandoned, adding preinstall scripts that retrieved the malicious npm package. On Monday, June 15, AUR disabled new account registrations while malicious commits are being removed. Michael Taggart at IFIN recommends that Arch users check their exposure by reviewing affected packages and indicators of compromise, "preserv[e] the system for forensic investigation as appropriate," rotate all credentials, deny outbound Tor traffic, consider reinstalling Arch, and keep in mind that the possibility of a rootkit undermines system trust.

When it comes to the supply chain: assume compromise. This is yet another tricky-to-avoid-and-detect exploit path. Assume compromise means secure credentials and isolate systems, in particular for development, as much as possible.

This has been named the Atomic Arch campaign. The AUR stewardship process allows community members to maintain packages, and allows for a request to take ownership of an abandoned/orphaned package. The attackers took advantage of this to take over packages already trusted in this system. This time the build instructions were jacked up, not the build itself, which is a reminder that their integrity needs to be as judiciously maintained as your package. For those using Arch Linux, review the list of affected packages, check for the IoCs in the Whanos preliminary analysis report (https://ioctl.fail/preliminary-analysis-of-aur-malware/), and report any findings. You may also wish to use the aur_check.sh tool to find instances of the atomic-lockfile malware. As this is a rootkit, you may need to reinstall Arch from scratch to avoid any remnants left by normal cleaning processes.
The Register
The Hacker News
BleepingComputer
IFIN
Sonatype
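The build-file tampering described above, as an added example that is not part of the newsletter or of the IFIN/Sonatype reports: a small Python audit that flags network fetches inside a PKGBUILD's build functions (where makepkg's source=() checksum verification does not apply) and lifecycle hooks in an npm package.json. All file contents and package names (example-tool, placeholder-evil-dep, example.invalid) are constructed.

```python
import json
import re
from typing import Optional

# Commands that pull code from the network at build time. A legitimate
# PKGBUILD declares its inputs in source=() so makepkg can verify checksums;
# a fetch inside prepare()/build()/package() bypasses that verification.
NET_FETCH = re.compile(
    r"\b(?:npm\s+(?:install|i|add|ci)\b|npx\s+|yarn\s+add\b|pip\s+install\b|"
    r"curl\s+|wget\s+|git\s+clone\b)"
)
FUNC_HEADER = re.compile(r"^\s*(prepare|build|package|check)\s*\(\)\s*\{")
REGISTRY_URL = re.compile(r"https?://registry\.npmjs\.org/[^\s\"')]+")


def audit_pkgbuild(text: str, allowed_sources: Optional[set] = None) -> list:
    """Return findings for a PKGBUILD: network fetches inside build functions,
    and npm registry URLs in source=() that are not in the allow-list.
    Split-package functions such as package_foo() are not tracked here."""
    findings = []
    in_func = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # full-line comment
        header = FUNC_HEADER.match(line)
        if header:
            in_func = header.group(1)
            continue
        if stripped == "}":
            in_func = None
            continue
        if in_func and NET_FETCH.search(stripped):
            findings.append(f"line {lineno}: network fetch inside {in_func}(): {stripped}")
        for url in REGISTRY_URL.findall(line):
            if allowed_sources is None or url not in allowed_sources:
                findings.append(f"line {lineno}: npm registry source not in allow-list: {url}")
    return findings


def audit_package_json(text: str) -> list:
    """Flag npm lifecycle hooks, which run automatically during 'npm install'."""
    hooks = ("preinstall", "install", "postinstall", "prepare")
    scripts = json.loads(text).get("scripts", {})
    return [f"lifecycle hook '{h}': {scripts[h]}" for h in hooks if h in scripts]


# Constructed sample inputs (not from any real AUR package).
CLEAN_PKGBUILD = """\
# Constructed sample: every input is declared in source=() and checksummed
pkgname=example-tool
pkgver=1.2.0
source=("https://example.invalid/example-tool-1.2.0.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}
"""

# The same file with one extra line in build(): an undeclared npm fetch.
TAMPERED_PKGBUILD = CLEAN_PKGBUILD.replace(
    "  make\n",
    "  make\n  npm install placeholder-evil-dep@1.0.0\n",
)

# A package.json carrying a preinstall hook (constructed placeholder).
HOOKED_PACKAGE_JSON = json.dumps({
    "name": "placeholder-evil-dep",
    "version": "1.0.0",
    "scripts": {"preinstall": "node setup.js"},
})

if __name__ == "__main__":
    for finding in audit_pkgbuild(TAMPERED_PKGBUILD) + audit_package_json(HOOKED_PACKAGE_JSON):
        print(finding)
```

The allow-list exists because many legitimate nodejs-* AUR packages do fetch tarballs from the npm registry via source=(); the point is to notice a registry URL or an install command that was not there in the last reviewed revision.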
Google Threat Intelligence Group (GTIG) has published a report describing "a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community." The threat actor was present in targeted networks for more than a year. GTIG disrupted the infrastructure the threat actors had established, and also worked with Mandiant Consulting to notify affected organizations and provide help with remediation. GTIG writes that the threat actor "compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. The threat actor had broad collection aspirations, including sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research." GTIG also collaborated with the FLARE team and Workspace Security on the operation.

The earliest known compromise occurred in September 2023, where externally facing servers were exploited to deploy the INFINITERED custom malware to capture legitimate credentials. Google provides prevention, detection, and remediation guidance, which applies to more than just this sector. This includes SIEM, audit, and log monitoring as well as MFA, device-bound session credentials, alerts for compromised passwords, patching/updates, and YARA rules and IoCs for the detection of the INFINITERED malware. Leverage this to both prevent and minimize dwell time. You really want to be sure you can detect and respond to malicious activity as rapidly as possible — you don't want to be explaining to management why they were in your system for a year undetected.
The threat actor's advanced capabilities, combined with the specific profile of the targets, strongly point to a nation-state sponsor. Historically, several governments have sought to bolster domestic industries by provisioning stolen or proprietary research to private entities — a practice some analysts argue catalyzed the early growth of firms like Huawei.

Anything connected to the Internet must be isolated from everything else. Think "defense in depth." Think structured network. Think zero trust. Face it: we are all targets. We have many adversaries, and they are very resourceful.
Dark Reading
The Register
SecurityWeek
In 2025 the Operational Technology Division of the FBI built a 22,000-square-foot "Kinetic Cyber Range" (KCR) in Huntsville, Alabama to train personnel to handle cyber incidents and investigations in a simulated small town. The KCR contains a wide variety of areas ranging from residential and commercial — houses, a hotel, a gas station with a grocery market, an arcade, a data center, and real vehicles — to government and critical infrastructure buildings including a courthouse, a power company, and a hospital. Every space is set up with realistic physical conditions as well as "functioning systems, networks, and devices designed to behave as they would in the real world," down to Active Directory, email, and firewalls on a network, a home full of IoT devices, or a data center containing over 200 Windows and Linux servers. The range is also populated with "role players acting as business owners, executives, and legal teams" to engage with during investigation; one scenario simulates a ransomware attack in a hospital network, including interfacing with healthcare staff and the stakes of a medical environment. Both the OT Division and the Cyber Division of the FBI make use of the range, as well as personnel from other groups including NASA, the US Army, and local law enforcement; to date the KCR has trained over 1,400 students.

What impressed me most when I visited the Kinetic Cyber Range last year was how much it is not a “cyber range” in the traditional sense. The technology is there, but the focus is on understanding how cyber incidents affect people, businesses, public services, and critical infrastructure in the real world. That is a much harder problem than simply detecting malware, creating exploits, or analyzing network traffic. The KCR reflects a growing recognition that future cybercrime investigators and law enforcement professionals need to train in environments that look and behave like actual connected communities, not isolated computer labs or non-connected simulated businesses. Fun for me that this capability was built right here in my hometown of Huntsville, Alabama. Our city has quietly become one of the nation's most important centers for cyber, defense, space, and critical infrastructure expertise. And more is coming!

Having a kinetic range, with "real" systems as well as role players is a boon to developing cyber skills, both in offense and defense. Note this environment also includes working in real environments — the data center is cold, dark, and noisy, as it would be in a real-world situation. This range also teaches soft skills, such as working under stress, where communicating clearly and exercising judgment and restraint are as critical as expertise. This is very cool and brings back fond memories of using the SANS CyberCity kinetic range.
While this represents a critical capability for the federal government, extending this training to the state, local, tribal, and territorial (SLTT) community is essential. As local governments increasingly digitize their constituent services, they face the greatest exposure and stand to benefit the most from these resources.

"A plan is not a document that one takes out and reads while sitting in the ashes. It is a capability, the ability to do something in its presence that one cannot do in its absence." –Robert H. Courtney, Jr. "We fight as we train as we fight." –US Military Doctrine. The implication is that creating and maintaining a capability requires both training and continuous practice and drills, and often a place to do those things.
The Office of the Maine Attorney General has taken its breach reporting portal offline after two phony breach reports were submitted to the system. Maine is one of a handful of US states that require entities reporting breaches to disclose the total number of individuals affected by the incident rather than just the number of residents of that particular state. The phony data breach reports purported to be from VRChat and Discord. VRChat posted that "A false data breach notice was filed on behalf of the company by an unknown third party." The Maine Attorney General's Office says the two phony reports have been removed from the database, and the portal will remain offline while they review their procedures “to make this abuse less likely in the future while preserving the public availability of such information." Entities needing to submit breach reports with the Maine AG's office can do so through the office's online reporting service. The Maine AG's database contains listings of nearly 6,000 breaches reported since mid-2020.

Remember how we had to implement reCAPTCHA, or similar measures, to reduce spam being submitted through comment and feedback forms? This is almost the same thing; the Maine AG is working to raise the bar to make sure reports are genuine. If you have a VDP system, you're probably wondering if there is something similar to curtail AI slop. I'm wondering how effective it'd be to use AI to detect AI in these scenarios.
Maine AG
The Register
Infosecurity Magazine
BleepingComputer
SecurityWeek
VRChat
Danish pharmaceutical company Novo Nordisk has disclosed a cyberattack that compromised information of healthcare professionals and patients involved in clinical trials. The company took several of its systems offline following the incident, notified authorities, and is currently investigating with the assistance of external cybersecurity experts. According to Novo Nordisk's breach notices, patient data were pseudonymized, meaning patients cannot be identified from the cache of data that was taken. Healthcare providers affected by the incident were informed that compromised data may include company name, registration number, contact email address, phone number, office location, and WhatsApp details.

If you're involved in a clinical trial, you may wish to ask how your information is protected. In this case Novo Nordisk has protected participant information. The stolen data can be used to influence participating Healthcare providers, enabling BEC or other business shenanigans. About all you can do is make sure that your protections are up to date and that folks are keeping a watchful eye out for malicious activity.
HIPAA Journal
The Register
SecurityWeek
Novo Nordisk
Novo Nordisk
A former IT support specialist for Iowa’s Saydel Community School District (SCSD) was sentenced to 21 months in prison for a series of cyberattacks carried out over 20 months following his dismissal from SCSD. Ezekiel Dean Potter was fired from SCSD in April 2023, and prior to being fired, Potter obtained more than 300 sets of user account credentials for school district systems. Starting in May 2023 and continuing through January 2025, Potter launched a series of damaging and disruptive cyberattacks against various components of SCSD's IT systems, including irretrievably deleting the district's Facebook page, deleting data related to the district's Apple School Manager account, attempting to reset usernames and passwords associated with SCSD’s GoDaddy account, and disrupting access to its Schoology learning management software account via the SCSD Google administrator account. In all, the attacks cost SCSD and their insurers more than $100,000. Investigators were able to trace the malicious activity directed at the district to IP addresses associated with businesses where Potter worked after he was let go from SCSD. After he left one of those positions, Potter reportedly asked a former co-worker at one of those businesses to retrieve and wipe a USB drive that he had left in his desk. Instead, the employee gave the drive to company management, who turned it over to law enforcement. The device was found to contain information related to the SCSD attacks. In January 2026, Potter pleaded guilty to fraud charges under the Computer Fraud and Abuse Act. After he serves his prison sentence, he "will be subject to restrictions and monitoring related to employment, finances, and computer systems, including searches of electronic devices upon reasonable suspicion." He is also required to pay nearly $60,000 in restitution to the school district and its insurers.

If I had been responsible for some of the services at SCSD that got deleted, I would be extremely upset by this series of events, wanting a far more severe sentence and financial penalty, and likely lose sight of protections I could implement. Make sure that you go through and see what you can do to maintain backup copies of data stored in services. Can you keep copies of social media posts so they could be re-published? Have you enabled backups for online services like MS365, hosted web sites, DNS, etc.? Is your list complete and updated? Have you tested restoring them? How are your forensic capabilities on those services? You may find that without added licensing, your access/transaction logs are far less than you expect; don't wait to find this out in the middle of an incident.
While his exact motives remain unclear — aside from evident animosity toward the school system — reinstatement was never a realistic outcome. This case highlights a critical vulnerability: IT teams possess extensive, privileged access and require close managerial oversight, yet they are frequently granted an implicit level of trust that leaves institutions exposed.

Terminated employees will always leave with special knowledge; we cannot do much about that. However, they should not leave with privileges; we can do something about that. We should not grant privileges that we do not have a plan as to how to withdraw them.
A Ukrainian man, Oleksii Oleksiyovych Lytvynenko, has pleaded guilty to conspiracy to commit wire fraud in connection with a scheme to deploy Conti ransomware. Lytvynenko was living in Ireland and was extradited to the US. Lytvynenko and his alleged co-conspirators "used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage." Between 2020 and 2022, Conti was used in attacks targeting computers and networks in various locations, including 47 US states and 31 countries. The FBI estimates that those attacks led to more than $150 million in ransomware payments. When Lytvynenko is sentenced in September 2026, he will face up to 20 years in prison. Last month, Deniss Zolotarjovs, another member of the Conti ransomware group, was sentenced to 102 months (eight and a half years) in prison.

The Conti ransomware gang ceased operating under its original name in 2022, with former members moving to other ransomware and cybercrime operations. In this case, one of the authors of the loader for the ransomware was caught and is being held accountable for his actions. It's taking some time and international cooperation, and it is nice to see law enforcement is successfully rounding up cybercrime gang members and bringing them to justice.
Help Net Security
SecurityWeek
BleepingComputer
Justice
Justice
The US Foreign Intelligence Surveillance Act (FISA) expired on June 12, 2026 when legislators failed to pass a short-term extension to the warrantless surveillance law. FISA, which was enacted in 2008, allowed US intelligence agencies to gather data from US citizens as well as from residents of other countries, in an effort to identify foreign hackers, spies, and possible terrorists. The law's critics have called for changes, citing cases of its misuse. Legislators have been seeking to amend FISA to require agencies to obtain warrants prior to accessing information of US citizens. However, because Section 702 surveillance operates under yearlong certifications approved by the FISA Court, intelligence agencies are still able to use surveillance tools until March 2027, but cannot seek any new orders under the law. Additionally, telecommunications companies may be reluctant to share information without the law on the books. Legislators are on recess until Tuesday, June 23.

This is a matter for the legislative branch, not the executive, and the core beef is the abuse/protection of US citizens’ privacy rights. Expect a renewal of this or similar legislation in the future; even so, agencies can fall back on other surveillance avenues such as Executive Order 12333 which allows for surveillance around the world and also includes restriction on use/access to US citizen data.
This capability remains vital to US national security, and Congress must look past partisan politics to ensure the timely renewal of this legislation.

The law was originally passed in an atmosphere of fear after 9/11 and has always been controversial. Secret courts and secret orders, not to mention gag orders, invite abuse. Only bureaucrats love them.
TechCrunch
Ars Technica
The Record
Brennan Center
The Federal Data Center Enhancement Act (FDCEA), which passed in 2023, will expire on September 30, 2026 and there does not appear to be any effort made to extend its duration or create an alternative. The FDCEA establishes standards for data centers that are entirely or partially owned, operated, or maintained by US federal agencies. Its provisions address facility availability and uptime; use of sustainable energy; protection from power failure, physical intrusions, and natural disasters; and IT security. WIRED writes that "doing away with FDCEA would get rid of crucial requirements mandating that agencies consider how federal data centers or contractors use energy and water;" the Register notes that "the danger is that if the FDCEA is not renewed or superseded by similar legislation, then federal agencies across the US may cease to follow the requirements and simply act as they see fit when procuring new datacenter infrastructure."

This may get lost with all the dust-up over creating, or blocking, AI data center construction in the US. While the objections cite environmental concerns, advocates point out the result is likely those capabilities developing in other countries. Existing control frameworks, such as NIST 800-53, include controls around heating, cooling and fire suppression, and even resiliency, but don't include environmental concerns. Even without this specific legislation, federal data centers will still have to follow the most restrictive of any applicable federal, state, county or city regulations, which will likely keep them on their toes.
SANS Internet Storm Center StormCast Tuesday, June 16, 2026
BASE64 Statistics; Cisco SD-WAN Exploited; AMD TSME Disabled; Poisoning Deep Research Agents
https://isc.sans.edu/podcastdetail/9974
Evil MSI Background: BASE64 Statistical Analysis
https://isc.sans.edu/diary/Evil+MSI+Background+BASE64+Statistical+Analysis/33072
Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
TSME/SME not activating on Ryzen 7 9700X
https://github.com/AMDESE/AMDSEV/issues/292
Deep-Research Agents Can Be Poisoned via User-Generated Content
https://arxiv.org/pdf/2605.24245
SANS Internet Storm Center StormCast Monday, June 15, 2026
Arch Linux Malicious User Packages; Splunk Vuln and Exploit; Exploiting AI Coding Agents
https://isc.sans.edu/podcastdetail/9972
Atomic Arch: Attackers Hijack Trusted AUR Packages to Deliver Rootkit-Like Malware
https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency
Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)
A Fake Bug Report Hijacks Your AI Coding Agent – and Nothing Catches It.
https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/