This was the week the AppSec story stopped being about scanning and started being about who finds the bugs first.
Anthropic announced it has been quietly running an unreleased model, Claude Mythos Preview, through every major operating system and browser, surfacing thousands of zero-days. One of them is a 17-year-old root RCE in FreeBSD’s NFS server. Another, in OpenBSD, has been sitting in the SACK implementation for 27 years.
Meanwhile, the axios supply chain attack I’ve covered for the last two weeks reached OpenAI’s macOS signing pipeline. ChatGPT Desktop, Codex, and Atlas all sign through that workflow.
And Cisco picked the same week to buy Galileo, an AI agent observability tool I list in my AI Security category, which then shipped two releases on its way to becoming part of Splunk.
49 releases across 8 categories. Here’s what shipped, what got broken, and where this is all going.
This Week at a Glance
49 releases across 8 active categories.
- AI Security (11) — Akto 5 releases, Arize Phoenix 3, Galileo 2 (then acquired), Promptfoo 0.121.4
- SCA (12) — Snyk CLI ships aibom test, Grype v0.111 with hummingbird + CSAF VEX, Renovate 5 releases, FOSSA, SCANOSS, Syft, Dependabot, Chainguard apko
- SAST (11) — Semgrep v1.158/1.159, OpenGrep v1.18/1.19, PHPStan ships a bisect command, TruffleHog, SonarLint, SonarQube, Betterleaks, Corgea
- IaC Security (6) — Mondoo adds 73 AWS/Azure/GCP checks, Falco, OPA Gatekeeper, Checkov, Lacework
- Mobile (3) — mitmproxy v12.2.2, radare2 6.1.4 “CottonMouse”, Ostorlab continues HarmonyOS
- Container Security (3) — Red Hat ACS (StackRox) triple patch (4.10.1, 4.9.5, 4.8.10)
- ASPM (2) — DefectDojo 2.57.1, Faraday v5.20.0
- IAST (1) — Datadog dd-trace-java v1.61.0
Quiet this week: DAST, RASP, API Security
New on the Radar
Anthropic’s Claude Mythos Preview and Project Glasswing — On April 7, Anthropic announced an unreleased frontier model built for vulnerability discovery, along with Project Glasswing, a limited-access program that puts the model in the hands of a small circle of defenders.
The numbers are the headline. Anthropic says Mythos Preview has identified thousands of zero-days across every major operating system and every major browser. Two specific examples:
- CVE-2026-4747 — A 17-year-old stack buffer overflow in FreeBSD’s NFS server. Exploited via RPCSEC_GSS authentication manipulation, bypasses canary instrumentation gaps, and yields root from an unauthenticated network attacker.
- A 27-year-old OpenBSD SACK implementation bug — Still under responsible disclosure.
The Project Glasswing partners list reads like a who’s-who of critical infrastructure: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic is committing up to $100M in Mythos Preview usage credits and $4M in direct donations to open-source security organizations ($2.5M to Alpha-Omega/OpenSSF via the Linux Foundation, $1.5M to the Apache Software Foundation).
My take: This is the moment AppSec changed shape. For two years I’ve heard “AI will find vulnerabilities faster than humans” as a slogan. This week Anthropic published the receipts, including a CVE-2026-4747 that survived 17 years of human auditing in one of the most security-conscious open-source codebases on Earth. The interesting part isn’t that the model exists. It’s that Anthropic decided not to release it. They handed it to defenders first because they think the offensive version is close enough to be dangerous. If you build security tools, your moat just shrank. If you defend systems, the question is no longer “do we find bugs faster than attackers”, it’s “do we have access to the same model they will?”
Axios supply chain attack reaches OpenAI’s signing pipeline — The axios npm compromise I covered in #3 and #4 jumped tiers this week. On April 11, OpenAI confirmed that a GitHub Actions workflow used in its macOS app-signing process pulled the malicious axios v1.14.1 on March 31. The workflow had access to certificates that notarize ChatGPT Desktop, Codex, and Atlas.
OpenAI says no evidence of cert exfiltration but is rotating anyway. The old certificate is fully revoked on May 8. After that, anything signed with it stops launching on macOS. Users will need to update.
Two pieces of new context this week:
- Attribution: Google’s Threat Intelligence Group attributes the attack to UNC1069, a North Korean threat actor inside the Lazarus orbit, based on a new variant of the WAVESHAPER tooling.
- Payload: The second-stage payload is a cross-platform RAT (Windows, macOS, Linux) delivered after a postinstall hook pulls from C2. Anyone who installed axios 1.14.1 or 0.30.4 should rotate credentials and downgrade to 1.14.0 or 0.30.3.
The root cause OpenAI named is the one Datadog’s State of DevSecOps flagged in February: a GitHub Action pinned to a floating tag with no minimumReleaseAge gate. Same flaw I covered the Trivy compromise around in #2. The 71% of orgs that don’t pin to commit SHAs just got a much bigger reason to.
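A small audit for the two conditions described above, added here as an example and not taken from OpenAI, Datadog, or any tool the newsletter covers. It flags workflow uses: references that are not pinned to a full 40-character commit SHA, and npm lockfile entries that resolve axios to 1.14.1 or 0.30.4. The workflow, the action names, and the lockfile are constructed samples.

```python
import json
import re

# Versions this issue names as compromised (from the newsletter text).
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}

# Matches "uses: owner/repo@ref" with or without a leading "- " and quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: two floating refs, one SHA pin, one local action.
SAMPLE_WORKFLOW = """\
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/sign-action@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: ./.github/actions/local
"""

# Constructed sample lockfile (npm lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/legacy/node_modules/axios": {"version": "0.30.3"},
    },
})


def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to a commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions live in the repo; docker:// images are pinned by digest.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):  # tags and branches can be moved
            findings.append((line_no, ref))
    return findings


def compromised_axios(lock_json):
    """Return (install_path, version) for axios entries at a compromised version."""
    lock = json.loads(lock_json)
    hits = []
    # Lockfile v2/v3 keeps a flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/axios") and meta.get("version") in COMPROMISED_AXIOS:
            hits.append((path, meta["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for line_no, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {line_no}: {ref} is not pinned to a commit SHA")
    for path, version in compromised_axios(SAMPLE_LOCK):
        print(f"lockfile: {path} resolves to compromised axios {version}")
```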
Marimo CVE-2026-39987, exploited in 9 hours 41 minutes — On April 9, Endor Labs disclosed a pre-auth RCE in Marimo, a Python notebook for data science. The /terminal/ws WebSocket endpoint skipped validate_auth() entirely, handing any unauthenticated visitor a full PTY shell.
CVSS 9.3. Patched in v0.23.0. Affects every version prior to 0.23.0 (Endor’s initial advisory body said ≤ 0.20.4, but the corrected range covers 0.21.x and 0.22.x as well).
The story isn’t the bug, it’s the timing. Sysdig’s Threat Research Team caught the first exploitation attempt against a honeypot within 9 hours and 41 minutes of the advisory going public.
No PoC existed. The attacker built one straight from the advisory description, dropped into the shell, and ran a credential-theft session that grabbed an .env file with AWS access keys in under three minutes end-to-end (Sysdig logged session three from 07:43 to 07:45 UTC).
My take: Marimo is not a household name. It’s a niche scientific computing tool. The fact that someone wrote a working exploit for an obscure Python notebook from advisory text in under 10 hours, with no PoC, says one thing clearly: the asymmetry between disclosure and exploitation just collapsed. If you treat advisory feeds as “low priority unless trending,” that calculation is dead. The Sysdig team’s hypothesis is that attackers are now using LLMs to weaponize advisory descriptions. I’d believe it.
GlassWorm goes native with a Zig dropper — Aikido reported on April 8 that the GlassWorm campaign, first uncovered in March 2025, has switched to a Zig-compiled native dropper hidden inside a fake Open VSX extension called specstudio.code-wakatime-activity-tracker (it impersonates WakaTime).
The dropper ships as win.node (PE32+ DLL) on Windows and mac.node (universal Mach-O for x86_64 and arm64) on macOS. Once loaded, it enumerates every IDE on the machine that supports the VS Code extension format (VS Code, Cursor, Windsurf, VSCodium) and silently installs a malicious extension into each one.
It geofences Russian systems, beacons C2 over a Solana blockchain transaction stream, and persists via secret exfiltration plus a malicious Chrome extension. If specstudio.code-wakatime-activity-tracker or floktokbok.autoimport shows up in any of your IDE extension lists, treat the machine as fully compromised.
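One way to run that check across the IDEs listed above, as an added example that is not Aikido's tooling. The extension directory locations are assumed per-user defaults and may differ on your machines; the two extension IDs are the ones named in this issue.

```python
import json
import re
from pathlib import Path

# Extension IDs this issue names as GlassWorm indicators (from the newsletter text).
MALICIOUS_IDS = {
    "specstudio.code-wakatime-activity-tracker",
    "floktokbok.autoimport",
}

# Assumed default per-user extension directories; adjust for your fleet.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".cursor" / "extensions",
    Path.home() / ".windsurf" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",  # VSCodium
]

# Installed extensions sit in folders named publisher.name-<version>[-platform].
FOLDER_RE = re.compile(r"^(?P<id>.+?)-\d+\.\d+\.\d+")


def extension_ids(ext_dir):
    """Return every ID this folder could represent: folder name and manifest."""
    ids = set()
    match = FOLDER_RE.match(ext_dir.name)
    ids.add((match.group("id") if match else ext_dir.name).lower())
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ids  # missing or corrupt manifest: rely on the folder name
    if isinstance(meta, dict) and meta.get("publisher") and meta.get("name"):
        ids.add(f"{meta['publisher']}.{meta['name']}".lower())
    return ids


def find_malicious(roots=DEFAULT_ROOTS):
    """Return extension folders whose folder name or manifest matches an indicator."""
    hits = []
    for root in roots:
        if not root.is_dir():
            continue  # that IDE is not installed for this user
        for ext_dir in sorted(root.iterdir()):
            if ext_dir.is_dir() and extension_ids(ext_dir) & MALICIOUS_IDS:
                hits.append(ext_dir)
    return hits


if __name__ == "__main__":
    for hit in find_malicious():
        print(f"indicator match: {hit}")
```

Checking both the folder name and the manifest catches a folder that has been renamed while its package.json still carries the listed ID, and the reverse.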
Notable Updates
- Snyk CLI v1.1304.0 — Ships snyk aibom test, the first CLI command for AI Bill of Materials scanning. It detects agents, tools, models, datasets, MCP servers, and AI-specific libraries in Python projects, then validates against your tenant’s Evo policies. First-mover in CLI-based AIBOM. Experimental, available on all plans during early access.
- Anchore Grype v0.111.0 — db diff for v6 databases, in-memory SBOM processing via ProvideFromReader, a CSAF VEX transformer, and curated CPE-to-package-specifier mappings. The CSAF VEX support is the under-the-radar one: VEX adoption is finally getting tooling that doesn’t make you write a converter.
- Mondoo v13.4 — 73 new security checks for AWS, Azure, and GCP. Plus a Linux security policy fix for Ansible remediation snippets and a corrected Terraform resource name in the AWS VPC Block Public Access check. Biggest single check-batch from Mondoo this year.
- Semgrep v1.158.0 — Pro interfile taint analysis redesigned with a claimed 20-40% speedup. Taint config computation (1/4-1/2 of the inter-file scan time) now runs in parallel. New supply-chain hook for the Semgrep Plugin. macOS binaries now dynamically link system libs.
- PHPStan 2.1.47 — Ships a bisect command. Find the first PHPStan release that introduced a regression with a binary search across versions, exactly like git bisect. If you maintain a large PHP codebase that pins to PHPStan, this is the feature you’ve wanted for years.
- OpenGrep v1.18/v1.19 — Two releases. Elixir taint propagation through pipes and for comprehensions, Ruby parsing fixes for obj[key], and removal of redundant Call wrapping in expr_as_stmt. The Semgrep/OpenGrep fork keeps shipping at parity.
- Datadog Code Security (IAST) v1.61.0 — Skips XSS check for Freemarker built-in escaping (was firing false positives). Also adds server.request.body.filenames support for Tomcat, Netty 4.1, and commons-fileupload. AI Guard SDS findings now flow into the SDK response.
SAST
11 releases this week. The shared thread: tooling for the people who write rules and the people who debug regressions.
Semgrep shipped twice in two days, v1.158.0 and v1.159.0. The big one is the Pro interfile taint analysis redesign (Semgrep estimates 20-40% faster), plus parallel taint config computation that takes 1/4 to 1/2 of inter-file scan time and parallelizes it across jobs. They also moved manylinux binaries to require glibc ≥ 2.35 (Ubuntu ≥22.04, Debian ≥12, RHEL ≥10), which is the kind of upgrade that catches you if your CI runners are old.
OpenGrep v1.18 and v1.19 doubled down on Elixir support with taint propagation through pipes and for comprehensions, plus Ruby parsing fixes. The Semgrep/OpenGrep fork keeps surfacing real differences in coverage priorities now: Semgrep is investing in inter-file performance, OpenGrep in language breadth.
PHPStan 2.1.47 deserves more attention than it’ll get. The new bisect command does git-bisect-style binary search across PHPStan releases to find the version that introduced a regression. If you’ve ever tried to debug a PHPStan rule break across 30 minor versions by hand, this is hours back.
TruffleHog v3.94.3 added handling for AADSTS50173 as an explicit revocation signal for Azure refresh tokens, plus AnalysisInfo to verified results and a nil-check fix in the GitHub analyzer. Also a release-bot workflow: TruffleHog is automating its own release process.
SonarLint 12.1.0 for IntelliJ landed, SonarQube 26.4.0 shipped with a release note that literally reads “To be filled out later” (good to see security tools using the same TODO comments the rest of us do), and Betterleaks cut its binary from 51.3MB to 40.3MB by dropping Lipgloss and lazy-loading word lists. Corgea v1.8.6 and v1.8.7 added JWT and cookie auth.
SCA
12 releases. The standout is Snyk’s snyk aibom test command in CLI v1.1304.0, the first CLI tool I’ve seen ship AI Bill of Materials scanning as a first-class command.
It detects agents, tools, models, datasets, MCP servers, and AI-specific libraries in Python projects, generates an AI-BOM, and validates it against your tenant’s Evo policies in one shot. Experimental and Python-only for now, but the MCP server detection alone is novel.
The same release deprecates older --jar-depth parameters in favor of broader Java runtime binary scanning, adds --maven-skip-wrapper for environments that don’t trust Maven wrapper scripts, and patches seven CVEs across dependencies.
Anchore Grype v0.111.0 is a meatier release than the version number suggests. New features:
- db diff for v6 — compare two vulnerability databases at a glance
- In-memory SBOM processing via ProvideFromReader
- CSAF VEX transformer (this is the one to watch; VEX adoption finally has tooling beyond hand-rolled converters)
- Curated CPE-to-package-specifier mappings
- Hummingbird package matching
Plus an APK NAK (“Not A Keep”) handling fix that previously misclassified Alpine package overlap relationships.
FOSSA v3.17.0 added uv.lock editable package handling for missing version fields, Vendetta single-file and multi-location dependency support, and Gradle additional development/test configuration support for common plugins. The uv.lock fix is a sleeper: uv adoption is exploding and most SCA tools haven’t caught up.
Anchore Syft v1.42.4 added similar package aggregation and ArangoDB binary version detection. Dependabot core v0.369.0 added SwiftPM sub-dependency updates and --ignore-scripts for bun install/update, useful given this week’s headlines.
SCANOSS v1.52.0 added querying components by development status, Renovate shipped 5 releases (43.111.2 through 43.113.0) with Maven cache schema improvements, and Chainguard apko v1.2.3 was a routine deps bump.
AI Security
11 releases, the busiest category this week, but the story is one acquisition.
Galileo AI shipped v2.1.0 and v2.1.1 of its Python client this week with bug fixes around session start handling and CrewAI hierarchical traces. Then on April 9, Cisco announced it’s acquiring Galileo to fold its AI agent observability platform into Splunk.
Two releases on Wednesday-Thursday from a company that announced its acquisition mid-week is either remarkably disciplined or politely awkward, depending on how you read it. Either way, if you use Galileo today, expect Splunk-flavored everything within 12 months.
Arize AI Phoenix shipped three releases this week (v14.1.1, v14.2.0, v14.2.1). The 14.2.0 main feature is an “assistant agent settings page” plus a re-export of openinference-core from phoenix-otel. The 14.2.1 patch removed WebSocket support for GraphQL subscriptions in favor of HTTP multipart. Phoenix and Galileo are clearly racing for the same observability seat.
Akto shipped five releases this week (v1.97.0, v1.97.1, v1.97.2, threat-1.12.13, threat-1.12.14). Almost all empty changelogs, which is a recurring pattern in Akto’s release cadence: they ship fast and document later.
Promptfoo 0.121.4 added per-test opt-out for defaultTest assertions, expanded Codex SDK eval controls, and added grouped serial generation. Promptfoo also crossed 20K stars this week.
IaC Security
6 releases. Mondoo dominated the week with a single 73-check batch, the largest from them this year.
Mondoo v13.4.0 and v13.4.1 brought 73 new security checks for AWS, Azure, and GCP services, the largest single check batch I’ve seen from them. Plus a hostPath volume filter fix in the socket path check (you don’t want to scan socket paths against non-hostPath volumes), Linux security policy Ansible remediation fixes, and a corrected Terraform resource name for the AWS VPC Block Public Access check.
OPA Gatekeeper v3.22.1 fixed mutation-webhook-only operation without a constraint client and migrated OCI pulls to oras-go v2. If you run Gatekeeper as a mutation webhook only (no constraints), this is the fix you’ve been waiting for.
Checkov 3.2.519 added aws:VpceAccount to recognized condition keys in CKV_AWS_70 and fixed a GoogleKMSKeyIsPublic crash on unhashable types in membership checks. Niche, but if your CI was crashing on a specific GCP KMS check, this is it.
Falco 0.43.1 was a one-line release: bump libs to 0.23.2 and container plugin to 0.6.4. Lacework shipped agent v8.1.0.30690 (now under the Fortinet brand).
Mobile Security
Three releases. None of them feature work, but two are infrastructure milestones.
mitmproxy v12.2.2 shipped a routine maintenance update. mitmproxy is at 43,070 GitHub stars now, the most-starred tool I track in any category. radare2 6.1.4 “CottonMouse” came with 340 commits from 20 contributors, a normal-sized radare2 release, which is to say enormous.
Ostorlab v1.20.0 continues its HarmonyOS push: HarmonyOS model fixes, vulnerability location support, missing HarmonyOSMetadata patches, and a HarmonyOS library protobuf addition. Ostorlab is the only mobile scanner I track with heavy HarmonyOS investment.
Container Security
Red Hat Advanced Cluster Security (StackRox) shipped three patches simultaneously: 4.10.1, 4.9.5, and 4.8.10. Patching three minor versions in parallel is a sign Red Hat is supporting an unusually long matrix of customer deployments, which is common in regulated industries. If you’re on any of those minor versions, the patches are out.
ASPM
DefectDojo 2.57.1 fixed the Wazuh 4.8 parser to attach endpoints/locations to findings, and corrected an unsaved_tags vs tags= issue in the Finding constructor. If you’re running DefectDojo against Wazuh 4.8 and saw missing endpoint context, upgrade.
Faraday v5.20.0 fixed a serious one: user passwords were not being validated on create/edit actions. Also moved the workspace-update debouncer to Redis for distributed single-execution across Celery workers, and migrated build packaging to uv.
IAST
Datadog Code Security (IAST) v1.61.0 skipped the XSS check for Freemarker built-in escaping expressions in 2.3.24 instrumentation. The false positive was loud enough to ship a patch. Also added server.request.body.filenames AppSec address support for Tomcat, Netty 4.1, and commons-fileupload, plus AI Guard SDS findings flow into SDK responses now.
Quiet This Week
No GitHub releases from DAST, RASP, or API Security, though Wallarm and Salt Security both published security analysis posts that I cover in Worth Reading below. DAST has been quiet for three weeks straight now.
Deals & Funding
Two deals worth tracking. The first one is unique to me.
Cisco to acquire Galileo (April 9) — Galileo, an AI agent observability platform I cover in my AI Security category, gets folded into Splunk’s Observability portfolio. Galileo and Cisco have history: a year ago they co-launched the AGNTCY consortium with LangChain. Closes Q4 of Cisco’s fiscal 2026; price undisclosed. Galileo shipped two more open-source Python client releases this same week, which is the kind of grace under acquisition pressure I respect.
Linx Security raises $50M Series B (March 31) — Identity governance for human, non-human, and agent identities. Insight Partners led; Cyberstarts and Index Ventures followed on. Total funding $83M. Founded 2023 by Israel Duanis and Niv Goldenberg. Recently shipped Linx Autopilot, which they’re calling the first autonomous identity governance agent. Identity is the biggest unsolved category as agentic systems multiply non-human identities. Worth watching.
Star Watch
GitHub star milestones worth noting:
- mitmproxy 43,070 — Now the most-starred tool I track in any category. Network inspection still wins.
- Trivy 34,481 — Still the SCA leader by stars; recovering well from the March compromise.
- Harbor 28,258 — Up from ~28K in #2.
- Promptfoo 20,043 — Just crossed 20K. AI red-teaming is now a 20K-star category.
- Grype 12,017 — Crossed the 12K milestone since #2 (was 11.8K).
- Arize Phoenix 9,268 — Approaching 10K. The AI observability category is consolidating fast.
- OpenGrep 2,375 — Still climbing, fork is healthy.
Quick Hits
- Anchore Syft v1.42.4 fixed similar package aggregation, ArangoDB binary detection, and Go binary version handling
- Dependabot core v0.369.0 added bun --ignore-scripts and SwiftPM sub-dependency updates
- SCANOSS v1.52.0 supports querying components by development status
- Renovate 43.111.2–43.113.0 shipped 5 releases including a Maven cache writeSchema feature
- Chainguard apko v1.2.3 routine deps bump
- Lacework agent v8.1.0.30690 released under the new Fortinet branding
- DefectDojo 2.57.1 fixed Wazuh 4.8 parser endpoint attachment
- Faraday v5.20.0 fixed an unvalidated password create/edit bug
On AppSec Santa This Week
Updated this week:
- Semgrep — Added v1.158/v1.159 Pro interfile taint redesign details
- Snyk — Added the aibom test CLI command and AI-BOM Early Access notes
- Grype — Added v0.111.0 with CSAF VEX transformer and hummingbird matching
- Mondoo — Added v13.4 with 73 new AWS/Azure/GCP checks
- PHPStan — Added the new bisect regression-finder command
- Galileo — Added the Cisco acquisition note alongside the v2.1.x releases
Most read this week: Semgrep, Snyk, Trivy, SonarQube, Grype
If you spot anything outdated or wrong on a tool page, reply to this email — I update pages based on reader feedback.
Worth Reading
- Anthropic — Claude Mythos Preview and Project Glasswing — The technical post and the partner/program page. Carlini, Cheng, Lucas, Moore, and Nasr are the named leads on a 22-author paper. Worth reading both, especially the “we built it, and decided not to ship it” governance discussion at the bottom of the technical post.
- Endor Labs — Malware in Open Source Ecosystems Surges 14x — 92% of all npm account takeovers ever recorded happened in 2025 alone. 88% of orgs say release cooldown is a top mitigation; only 21% enforce one. The numbers behind the supply-chain story.
- Sysdig — Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours — The honeypot timeline matters more than the bug. Read it for the operational detail of how the attacker built the exploit and what files they grabbed first.
- Wiz — Cloud Threats Retrospective 2026 — 80% of documented cloud intrusions in 2025 still came from known weaknesses (vulns, exposed secrets, misconfigurations). AI didn’t introduce a new class of risk, but it expanded the attack surface and sped up attacker workflows.
- Aikido — GlassWorm Goes Native: Zig Dropper — Includes IOCs and the IDE enumeration logic. If you allow OpenVSX extensions, read this and audit installed extensions today.
- Salt Security — The AI Supply Chain Is Actually an API Supply Chain (LiteLLM lessons) — Eric Schwake’s post-mortem on what the LiteLLM compromise means for orgs that route LLM traffic through gateways and MCP servers. The frame is right: it’s an API supply chain problem.
Wrapping Up
That’s issue #5. 49 releases tracked, one acquisition that lands inside my coverage area, and one announcement from Anthropic that I’ll be referring back to for the rest of 2026.
The pattern this week is the same one playing out across the Worth Reading links: the gap between “vulnerability disclosed” and “vulnerability weaponized” is collapsing toward zero, and the only workable answer is finding bugs faster than attackers can. Mythos Preview is one expression of that. Sysdig’s 9-hour Marimo timeline is another.
I track 113 GitHub repos and 96 RSS feeds every week. If a tool ships a release, it shows up here, with context on what it means.
If I missed something or got something wrong, reply, I read every response. See you next Tuesday.