"Everything is still on fire." That blunt assessment opens this week's ThreatsDay bulletin — and the details that follow explain why: a cascade of simple mistakes, bold exploit techniques, and incentive structures that reward spectacle over security.
Palo Alto Networks CVE-2026-0300: exploitable buffer overflow in PAN-OS
Palo Alto Networks has issued its first round of fixes for CVE-2026-0300, a critical buffer overflow in the User-ID Authentication Portal service of PAN-OS that allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. The vendor said it has observed exploitation in limited attacks "since at least last month," and that threat actors have used the flaw to drop payloads such as EarthWorm and ReverseSocks5. The company released patches; organizations running affected PAN-OS instances should prioritize deploying them and validating mitigations for the exposed portal service.
HiddenLayer: tokenizer tampering lets attackers steer model output
Researchers at HiddenLayer demonstrated a supply-chain style manipulation that targets the tokenizer shipped with Hugging Face models. By modifying the tokenizer.json file, an attacker can gain "direct control over model output," enabling stealthy tool-call injections and exfiltration without touching model weights. HiddenLayer noted the technique works across Safetensors, ONNX, and GGUF formats and warned that "tokenizer.json ships with the model in a HuggingFace repository, as shown above, and is loaded automatically when the model is initialized for inference, making it a direct attack surface."
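For defenders, one way to audit a repository's tokenizer.json before loading it, shown as an added example that is not from HiddenLayer or the original bulletin: pin the SHA-256 of a reviewed copy and, on mismatch, report which top-level sections and vocabulary ids differ from that copy. The function names and the sample tokenizer content are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def vocab_changes(trusted: dict, candidate: dict) -> dict:
    """Tokens added, removed, or remapped: token -> (trusted_id, candidate_id)."""
    changes = {}
    for tok in trusted.keys() | candidate.keys():
        old, new = trusted.get(tok), candidate.get(tok)
        if old != new:
            changes[tok] = (old, new)
    return changes

def audit_tokenizer(trusted_raw: bytes, candidate_raw: bytes, pinned_sha256: str) -> dict:
    """Check a candidate tokenizer.json against a pinned digest and a reviewed copy."""
    report = {"digest_ok": sha256_hex(candidate_raw) == pinned_sha256,
              "changed_sections": [], "vocab_changes": {}}
    if report["digest_ok"]:
        return report  # byte-identical to the reviewed file, nothing to diff
    trusted, candidate = json.loads(trusted_raw), json.loads(candidate_raw)
    # Top-level sections (added_tokens, normalizer, model, ...) that differ.
    for key in sorted(trusted.keys() | candidate.keys()):
        if trusted.get(key) != candidate.get(key):
            report["changed_sections"].append(key)
    report["vocab_changes"] = vocab_changes(
        trusted.get("model", {}).get("vocab", {}),
        candidate.get("model", {}).get("vocab", {}))
    return report

# Constructed sample data (not taken from any real model repository).
TRUSTED = json.dumps({
    "version": "1.0",
    "added_tokens": [{"id": 0, "content": "<unk>", "special": True}],
    "model": {"type": "WordLevel", "unk_token": "<unk>",
              "vocab": {"<unk>": 0, "allow": 1, "deny": 2}},
}, sort_keys=True).encode()
# Constructed modification of the same file, used only to exercise the audit.
_t = json.loads(TRUSTED)
_t["model"]["vocab"].update({"allow": 2, "deny": 1})
_t["added_tokens"].append({"id": 3, "content": "<extra>", "special": True})
CANDIDATE = json.dumps(_t, sort_keys=True).encode()
PINNED = sha256_hex(TRUSTED)

if __name__ == "__main__":
    print(audit_tokenizer(TRUSTED, TRUSTED, PINNED))
    print(audit_tokenizer(TRUSTED, CANDIDATE, PINNED))
```

The pinned digest should be stored outside the model repository it protects, so that a change to tokenizer.json cannot also rewrite the value it is checked against.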
Anthropic Mythos and cURL: one real bug, several false positives
cURL developer Daniel Stenberg reported that an Anthropic Mythos model's scan of cURL flagged five "confirmed security vulnerabilities," but that one was low-severity and the remainder were false positives. Stenberg said the single confirmed bug will be published as a low-severity CVE in sync with the planned cURL 8.21.0 release in late June, adding that "The flaw is not going to make anyone grasp for breath." He also acknowledged a broader point: that AI-powered code analyzers are "significantly better at finding security flaws and mistakes in source code than any traditional code analyzers."
Social engineering, trusted tools, and small technical tricks that break big systems
- Multiple campaigns are exploiting trust and predictable handling of files. CYFIRMA described a multi-stage intrusion that used a weaponized PowerShell payload disguised as a JPEG (sysupdate.jpeg) to deliver a trojanized ConnectWise ScreenConnect for stealthy remote access.
- Rapid7 reported threat actors abusing Microsoft Teams external access by impersonating IT Support. The attacker delivered a Dropbox-hosted Python payload (ModeloRAT), escalated to SYSTEM via CVE-2023-36036, and deployed a fake Windows lock screen to harvest domain passwords; Rapid7 linked the campaign to an initial access broker tracked as KongTuke.
- Cyble documented an aid-themed infostealer campaign that used a malicious LNK inside a RAR and retrieved a fileless Python-based implant from GitHub Releases to perform surveillance and credential harvesting while presenting a decoy document.
- ReliaQuest observed a ClickFix compromise that used scheduled tasks and the open-source PySoxy SOCKS5 proxy to give attackers encrypted proxy access and redundant C2 paths without traditional malware.
- According to Aryaka, a campaign luring victims with "free OnlyFans accounts" distributed a ZIP that executed a VBScript loader to install Python-based malware (crpx0 ransomware), enabling remote commands, updates, and crypto-theft techniques.
- Kim Dvash published a proof-of-concept called GhostLock showing that a domain user with read access can deny access to files on SMB by calling CreateFileW with dwShareMode = 0x00000000; the resulting STATUS_SHARING_VIOLATION can render systems effectively unusable without any ransomware or elevated privileges.
- Sysdig observed an operator using a NATS server as a command-and-control channel in activity tied to exploitation of CVE-2026-33017 in Langflow, marking an unusual pivot from HTTP or chat-based C2 to a high-performance messaging system.
Meta Incognito Chat and zero-auth leaks: privacy promises and API failures
Meta announced Incognito Chat with Meta AI for its main app and WhatsApp, which CEO Mark Zuckerberg described as "a completely private way to interact with AI, similar to how end-to-end encryption means no one can read your conversations, even Meta or WhatsApp." He added that Incognito Chat runs inference in a Trusted Execution Environment and that "conversations on your phone also disappear when you exit the session." By contrast, Strix reported a zero-auth data exposure in Schemata — an AI-powered virtual training platform used by defense customers — where ordinary low-privilege accounts could access data across tenants via API endpoints lacking authorization. Schemata posted a statement saying it has no "evidence that any third party exploited the vulnerability to access customer data."
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: prioritize patching PAN-OS for CVE-2026-0300, monitor for GhostLock-style SMB locks, audit model repositories for untrusted tokenizer.json files, and track the cURL 8.21.0 release for the pending CVE.
- Policymakers and regulators: note the FCC's extension of the banned-router update deadline until "at least" January 1, 2029 — an extension that applies to software and firmware updates to ensure continued device safety.
- Procurement and enterprise leaders (including defense contractors): validate API authorization controls after the Schemata disclosure, and weigh supply-chain risk in light of contests that explicitly encourage using worms and public proof-of-compromise submissions.
The bulletin closes where it began — with urgency and a plain prescription: "Do the boring work. Patch. Change keys. Check users. Test backups. Block the obvious junk. We’ll be back when the fire moves." The week’s incidents are a reminder that many of the most damaging attacks still rely on cheap confidence tricks, weak checks, and predictable system behavior. The fixes are often mundane; the costs of ignoring them are not.




