EvilBit Threat Feed: AI, Scams, and Critical Infrastructure
AI's impact on code security, new takes on old scams, GPS vulnerabilities, and critical patches. Stay ahead of the threats.
I took a few weeks off the digest to finish my book. The threat landscape did not extend me the same courtesy. The queue I came back to is stacked with AI that hunts its own zero-days, the usual scams wearing fresh logos, and a patch list that does not care how the manuscript is coming along.
AI Is Hunting Its Own Zero-Days Now
Anthropic's restricted Claude Mythos model spent the last few weeks proving it can find and weaponize zero-days at a speed no human research team matches. Across roughly 1,000 open-source projects, Mythos surfaced tens of thousands of potential vulnerabilities, including decades-old bugs that survived every prior audit. Anthropic kept the model on a leash precisely because the same capability that patches faster also exploits faster.
For defenders, the takeaway is timing, not panic. The same week, the NCSC was at Infosecurity Europe urging immediate action: patch what's exposed, hunt for what's already inside, and stop burning cycles on theoretical risk while real bugs stack up faster than the fixes. The CVE list further down this issue is the leading edge. Prioritize your external attack surface first, the perimeter and internet-facing kit, then work inward toward cloud and on-prem.
Cyera's read on the same model is worth a beat. If discovery and exploitation both get cheaper, the defensible move is shrinking the blast radius. Their write-up lands on unglamorous data hygiene: classification, mapping identities to the data they can actually reach, and clawing back over-provisioned accounts. Boring, and exactly the right homework before AI-grade tooling lands in the wrong hands.
The defensive side is mobilizing through the same engine. Anthropic's Project Glasswing now puts Mythos in front of critical-infrastructure defenders, and Tenable has joined to fold the model's reasoning into exposure prioritization and attack-path analysis (Qualys and Netskope signed on too). It's building better traps for the cyber rats, just with more silicon, which beats letting attackers be the only ones holding the new tool.
Scammers Keepin' It Real... and Fake
Classic social engineering never really goes out of style, does it? A few familiar plays this week, fresh coat of paint on each.
First, the fake-invoice racket. Malwarebytes caught a campaign while the operators were still building it, spoofing PayPal, Amazon, and Geek Squad. The emails are "receipts" for charges that do not exist ("subscription renewed for $349"), and the only goal is to get you dialing the support number, where a fake agent talks you into remote access, your card, or a "refund" that somehow requires you to send money. If a receipt wants you on the phone to dispute it, log into the real account yourself and check the transaction history. There is no charge.
Then the FIFA World Cup 2026 scams. Yeah, they started early. The FBI's IC3 has a public advisory on fake ticketing sites, phishing pages, and malicious apps built to harvest credentials and financial data, with at least 36 fraudulent domains spoofing fifa.com already identified. Type fifa.com into the address bar yourself; do not trust a search result or an inbound link. Bad actors piggyback on every major event, and this one is a year-long target.
And the phone-number spoofing. The Police Service of Northern Ireland is warning that scammers are mimicking its official switchboard number, calling people, claiming to investigate fake money transfers, then pressuring them into gift cards or bank details. Caller ID is a suggestion, not proof. Hang up and call the official number back if anything feels off.
Critical Infrastructure and the GPS Game
GPS isn't just for finding the nearest donut shop. It's foundational timing for power grids, telecom, transportation, and financial markets, and like anything foundational, it's a target. The CyberWire's reporting on modern GPS attacks walks through the jamming and spoofing risk: a spoofed timing signal can trip generator protection schemes and cascade into outages, and aviation and maritime authorities now treat interference as a safety issue, not a curiosity.
If your sector leans on GPS for timing (energy, telecom, finance especially), the defender move is alternate timing sources and controlled failover before you need them, not improvised workarounds mid-incident. Think eLoran-style terrestrial backup or hardened PTP, plus monitoring that can actually detect interference instead of silently drifting. Don't put all your timing eggs in one satellite basket.
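One way to make the "detect interference instead of silently drifting" point concrete: cross-check every timing source against the others and alarm both on outright disagreement and on a source that is slowly walking away from the consensus, then pick the clock to steer from based on that verdict. The code below is an added illustration written for this digest, not something from the CyberWire piece or any vendor; it assumes you already collect per-source offset measurements (for example from a GNSS receiver, a PTP client and a terrestrial backup) and feeds them in as constructed sample readings. The names Reading, Alert, CrossCheck and SelectSource are mine.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Reading is one offset measurement: how far a timing source's clock sits
// from the local system clock at a given polling epoch. Positive means the
// source runs ahead of the local clock.
type Reading struct {
	Source string
	Epoch  int
	Offset time.Duration
}

// Alert is one finding from the cross-check.
type Alert struct {
	Epoch  int
	Source string
	Reason string
}

// median returns the middle value of a slice of durations.
func median(ds []time.Duration) time.Duration {
	s := append([]time.Duration(nil), ds...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// absDur returns the absolute value of a duration.
func absDur(d time.Duration) time.Duration {
	if d < 0 {
		return -d
	}
	return d
}

// CrossCheck groups readings by epoch, takes the median across all sources as
// the consensus, and flags any source that (a) disagrees with the consensus by
// more than maxDev, or (b) moves away from the consensus by more than maxRate
// between two consecutive epochs while still inside maxDev. Case (b) is what a
// source that is quietly being pulled off true time looks like before (a) fires.
func CrossCheck(readings []Reading, maxDev, maxRate time.Duration) []Alert {
	byEpoch := map[int][]Reading{}
	for _, r := range readings {
		byEpoch[r.Epoch] = append(byEpoch[r.Epoch], r)
	}
	epochs := make([]int, 0, len(byEpoch))
	for e := range byEpoch {
		epochs = append(epochs, e)
	}
	sort.Ints(epochs)

	var alerts []Alert
	prevDev := map[string]time.Duration{} // last epoch's deviation per source
	for _, e := range epochs {
		group := byEpoch[e]
		if len(group) < 3 {
			continue // a majority verdict needs at least three independent sources
		}
		offs := make([]time.Duration, len(group))
		for i, r := range group {
			offs[i] = r.Offset
		}
		consensus := median(offs)
		for _, r := range group {
			dev := r.Offset - consensus
			if absDur(dev) > maxDev {
				alerts = append(alerts, Alert{e, r.Source, fmt.Sprintf("deviation %v exceeds %v", dev, maxDev)})
			} else if prev, ok := prevDev[r.Source]; ok && absDur(dev-prev) > maxRate {
				alerts = append(alerts, Alert{e, r.Source, fmt.Sprintf("drift %v per epoch exceeds %v", dev-prev, maxRate)})
			}
			prevDev[r.Source] = dev
		}
	}
	return alerts
}

// SelectSource returns the first source in preference order that has no alert
// in the latest epoch, or "" when nothing is currently trustworthy. This is the
// controlled failover: the decision is made from evidence, not mid-incident.
func SelectSource(preferred []string, alerts []Alert, latestEpoch int) string {
	bad := map[string]bool{}
	for _, a := range alerts {
		if a.Epoch == latestEpoch {
			bad[a.Source] = true
		}
	}
	for _, s := range preferred {
		if !bad[s] {
			return s
		}
	}
	return ""
}

func main() {
	// Constructed sample: GPS walks away 30µs per epoch while PTP and eLoran agree.
	var readings []Reading
	for e := 0; e < 6; e++ {
		readings = append(readings,
			Reading{"gps", e, time.Duration(e) * 30 * time.Microsecond},
			Reading{"ptp", e, 2 * time.Microsecond},
			Reading{"eloran", e, -1 * time.Microsecond},
		)
	}
	alerts := CrossCheck(readings, 100*time.Microsecond, 20*time.Microsecond)
	for _, a := range alerts {
		fmt.Printf("epoch %d %-7s %s\n", a.Epoch, a.Source, a.Reason)
	}
	fmt.Println("steer from:", SelectSource([]string{"gps", "ptp", "eloran"}, alerts, 5))
}
```

In the sample run the GPS source trips the drift-rate check from epoch 1 onward and the absolute check from epoch 4, long before anything downstream would have noticed, and the selector falls over to PTP. The thresholds are placeholders; tune maxDev to what your protection relays and transaction timestamps actually tolerate, and keep the three sources genuinely independent or the median proves nothing.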
Patch 'Em Up, Patch 'Em Out
Even with the AI hype and the new scams, the bread and butter is still dealing with vulnerabilities.
- IBM WebSphere Application Server has a batch worth moving on, led by CVE-2026-9311 (CVSS 9.0, critical RCE via a security-control bypass). Alongside it: CVE-2026-9330 (high-severity RCE through SAML SSO deserialization), plus CVE-2026-9319 and CVE-2026-8644 (identity spoofing). They hit the 8.5 and 9.0 streams. Note the patch reality: IBM has interim fixes out now, but the full fix packs (8.5.5.30 and 9.0.5.29) are targeted for Q3 2026, so plan an interim-fix deployment rather than waiting on the pack. Details in IBM's bulletin.
- Microsoft pushed a Microsoft Edge update for multiple flaws, flagged by the Canadian Centre for Cyber Security as AV26-525. Anything older than Stable channel 148.0.3967.96 is behind; get current.
- Cisco Unified Communications Manager: CVE-2026-20230 is an SSRF in the WebDialer service that Cisco rates Critical (CVSS 8.6, but rated up because it can be chained to root via file writes), and public PoC code is out. Fixed in 14SU6, with 15SU5 due September 2026 and interim COP patches available. Can't patch this window? WebDialer is off by default; if you don't operationally need it, disabling it removes the attack surface outright. That's your compensating control.
- For the Go shops: CVE-2026-32281 (inefficient policy validation) and CVE-2025-61729 (excessive resource consumption in hostname-error printing) are denial-of-service bugs in Go's standard-library crypto/x509. Microsoft is tracking them in its Update Guide because Microsoft products built in Go inherit the flaw, but the real fix is upstream: rebuild affected binaries against a patched Go toolchain (61729 is resolved as of go1.25.5). Audit anything you ship that's compiled from Go, not just the Microsoft surface.
Reports and Red Tape
A couple of policy and trend signals worth tracking. ENISA's NIS360 2026 report shows EU cyber maturity creeping up overall, but the sectors that matter most are falling behind: health, drinking water, and wastewater have all slid into the risk zone, where criticality outpaces defensive maturity. The honest read is that improvement is real but too slow where the stakes are highest.
On the policy side, California's Governor Newsom signed a first-of-its-kind executive order on AI's labor impact, directing the state to explore severance standards, retraining, and even subsidies for companies that retain workers rather than replace them. It creates no immediate obligations on private employers, but it's an early read on how the automation fallout gets managed.
That's the digest. The connecting thread this time is speed: AI is collapsing the gap between a bug existing and a bug being weaponized, and the bugs are stacking up faster than anyone's shipping fixes, with this week's CVE list as the proof. Triage by exposure, deploy the interim fixes, and pull the attack surface you don't need. Stay patched, and think twice before clicking that suspiciously cheap World Cup ticket.
Mind the gaps in the weave. That's where they climb in.
~ UncleSp1d3r