Blog

ASD's ACSC confirmed this week that CVE-2026-41940, a critical authentication bypass in cPanel and WHM, is being actively exploited against Australian organisations. The advisory carries no sector carve-outs — ACSC's position is that no particular industry is being targeted, which means the attacker...

Two things happened in the last few weeks that, taken together, mark a genuine shift in how security work gets done. First, Anthropic moved Claude Security into public beta for Enterprise customers. The product — previously called Claude Code Security when it launched in limited preview in Februar...

For most of recorded commercial history, voice was the check. If you received a written instruction to move money, you called the person who sent it. You heard them confirm it. That was the loop. It was imperfect but it worked because cloning a voice in real time — well enough to deceive someone who...

Source: Criminal IP — "Analyzing Phishing Infrastructure and Attack Patterns Using Daily Malicious Phishing Data" (27 April 2026). Criminal IP is a threat intelligence platform; not a competitor of Artificer Cyber. Threat intelligence firm Criminal IP recently published an analysis of their...

The new attack surface for browser extensions In late 2025, researchers at OX Security identified two Chrome browser extensions that had accumulated over 900,000 installations while quietly exfiltrating user data to attacker-controlled infrastructure. Both extensions impersonated a legitimate AI s...

A cache plugin becomes a webshell dropper A critical vulnerability in the Breeze Cache plugin, a performance optimisation tool for WordPress built and maintained by cloud hosting provider Cloudways, is under active exploitation. Tracked as CVE-2026-3844, the flaw carries a CVSS score of 9.8 and al...

Mozilla ran two successive AI-assisted security reviews of Firefox — first with Claude Opus, then with Claude Mythos Preview. The same codebase. The same technique. Six weeks apart. Opus found 22 bugs. Mythos found 271. Mozilla has inadvertently run the most instructive AI vulnerability benchm...

The Mythos story has moved in a way that changes the planning horizon for every organisation that was quietly assuming it had until general release to get ready. A roundup of the headlines: Bloomberg, via Yahoo — "Anthropic's Mythos model accessed by unauthorized users." TechCrunch — "Unauth...

Anthropic's announcement of Claude Mythos Preview and Project Glasswing has done what frontier-model announcements tend to do to Australian security conversations. Boards are asking whether they need access. Vendors are positioning around it. And a number of organisations that do not operate cri...

Business email compromise and brand-impersonation fraud have sat near the top of the ASD Annual Cyber Threat Reports for years, and the 2023–2024 edition is no exception — self-reported BEC losses to Australian organisations have continued to climb, and the adversary playbook is stable: impersonate...