"The suspension of Anthropic's Mythos 5 and Fable 5 models should be viewed as a warning and an opportunity. Whether these models remain unavailable for weeks or months, the reality is that these capabilities are concerningly powerful and they will eventually become widely deployed. Too much of the conversation is focused on whether these models should be available today. The more important question is whether your organization is prepared for when they are available tomorrow." - Danny Jenkins
From the ThreatLocker blog
VPNs, identity security, and OT systems are all under attack
Authentication should have failed—the session was established anyway
What's happening: CVE-2026-50751 is a flaw in Check Point's VPN certificate validation process allowing attackers to establish trusted sessions without valid credentials. Attackers gained network access and were treated as legitimate users. The flaw highlights a key problem regarding VPNs: They were built when the network perimeter was a true perimeter and organizations could assume that users inside the network could be trusted.
Why it matters: VPNs grant more than a connection. They grant trust. Once connected, users do not have multiple security layers left to navigate. That implicit trust is exactly what makes VPN infrastructure an attractive target to threat actors.
The big picture: There are options to reducing the blast radius of a VPN compromise, including: network segmentation, behavioral monitoring, and multi-factor authentication. These all come with limitations and narrow windows to act, however. Zero Trust Network Access (ZTNA) on the other hand removes implicit trust and dependency on network location in favor of policy-driven access controls.
What's happening: Organizations are being breached despite robust MFA deployments. More than 90% of cyberattacks begin with phishing, and AI technologies have played a large part in this. Instead of targeting MFA directly, attackers are increasingly using adversary-in-the-middle attacks to intercept authenticated sessions through phishing pages.
Why it matters:Microsoft 365 has become one of the most targeted platforms for identity attacks, which signals an increased focus on businesses. Because of this, identity security must extend beyond the entry point.
The big picture: MFA is still valuable, but only if it is one layer among many. Assume compromise and implement continuous verification policies such as allowlisting, least privilege access, application containment, and device verification through Zero Trust Cloud Access.
How to secure systems that can't be easily patched or replaced
What's happening: Manyorganizations in the manufacturing and public sectors rely on operational technology (OT) environments that still rely on legacy systems. Systems that were built before ransomware and supply chain attacks became everyday threats. These organizations tend to prioritize availability above all else, and they are running OT assets that cannot be regularly patched, use insecure protocols, have limited visibility, and lack modern authentication controls. Modern threat actors are increasingly targeting these environments through attacks that begin in the IT environment and move laterally.
Why it matters:Many legacy devices in OT systems cannot support modern security controls, like endpoint protection or segmentation, which means prevention and containment controls are critical.
The big picture:Securing these systems doesn't need more tools. It needs a Zero Trust mindset shift. Most organizations are concerned that this requires a complete overhaul and will disrupt vital operations. In reality, most Zero Trust controls can be implemented around the legacy systems without impacting production.
ThreatLocker events
Meet the Cyber Hero Team in person at these upcoming events
What's happening: Researcher Nightmare Eclipse released another exploit shortly after the June 2026 Patch Tuesday. GreatXML allows attackers with administrator access to bypass BitLocker without a prompt. A previous exploit recently patched, YellowKey, also allowed for BitLocker bypass. The exploit abuses how BitLocker, Windows Recovery Environment, Microsoft Defender Offline scan, and Windows Setup answer-file automation interact with other. In the end, it allows an attacker to use a Windows Unattend file to spawn a terminal as System in the WinPE/WinRE context.
Why it matters: If done correctly, an attacker can gain unrestricted access to the BitLocker volume. However, this exploit does not act as an initial access vector and requires admin credentials.
The big picture: GreatXML is a post-compromise tool, reinforcing the urgency for organizations to assume compromise and prevent further damage beyond the initial access vector.
What's happening: Mastra is an AI development framework used for building, testing, and deploying AI agents and applications. A malicious dependency was injected into the entire Mastra npm scope, resulting in more than 140 packages executing a two-stage infostealer with varying control flaws for Windows, Mac, and Linux. The compromised maintainer had publish permissions to more than 140 packages which led to mass republishing through the compromised account.
Why it matters: In this attack, the lack of least privilege access controls led to millions of downloads of a malicious package. Simply uninstalling the malicious package or upgrading to a clean version is insufficient in this instance. Affected environments should be isolated immediately.
The big picture: Assuming a compromise is a core principle of Zero Trust, but it does not stop at initial access. Containing a breach is just as critical as preventing one from executing. This is particularly important given the uptick in supply chain compromises.
AI usage in the workplace is creating significant problems. Many employees think they rely on it too much and some also think it is making them less intelligent.
It's also opening security gaps across your environment.
In this live ThreatLocker webinar, learn how your organization can embrace AI tools without sacrificing security or control.