Friday 22 May 2026

AI-Assisted Kernel Exploit Lands on Apple Silicon — and It Won't Be the Last

An AI model helped find and exploit a kernel memory corruption bug in Apple's M5 chip — and TeamPCP's supply chain attack spree has now claimed GitHub, npm, and hundreds more organisations in its wake.

Lead story

A security research group used Anthropic's Mythos AI model to discover and exploit a kernel memory corruption vulnerability on Apple's M5 chip. That's a sentence that would have sounded like science fiction three years ago. It's now just a Thursday news item.

The exploit targets a memory corruption flaw in the macOS kernel that can give an attacker low-level access to the system. The researchers used Mythos — reportedly a more capable, less publicly visible model than Claude — to assist in both locating the vulnerability and constructing a working proof-of-concept. Bruce Schneier flagged the development, noting that AI-assisted exploit development has moved from theoretical threat to demonstrated practice.

Why this matters more than the specific bug. The vulnerability itself will be patched. Apple is fast on kernel fixes. What won't be patched is the capability shift: AI models are now materially accelerating the bug-finding and exploit-development pipeline. The asymmetry that's always favoured defenders in a "patch fast, move on" world starts to erode when attackers can discover novel vulns at machine speed.

For context, Google has separately reported a surge in Chrome vulnerabilities — more than 200 in recent releases marked as "reported by Google" — widely attributed to AI-assisted fuzzing on the defensive side. Both halves of the same story are now real: AI finds bugs faster for defenders and attackers alike. The question is who scales it first.

The M-series chip angle is notable. Apple Silicon is now the dominant platform in enterprise Mac fleets globally, and M5 machines are actively being deployed in organisations that considered themselves relatively insulated from the kind of low-level exploits that plague x86 hardware. A working kernel exploit on M5 serves as a reminder that architectural novelty isn't a security moat.

Apple has not yet issued a CVE or patched the vulnerability publicly as of writing. The researchers have presumably reported through responsible disclosure, but the timeline for a fix isn't public.

Watch for the second-order effect. This is the first widely reported instance of an AI model being credited as a co-author in a real kernel exploit chain — not just a CTF challenge or a research paper. Expect more. Offensive security teams and nation-state actors have the same access to frontier models that researchers do, and in some cases more compute to run them. Australia's ACSC and similar agencies have flagged AI-assisted vulnerability research as an emerging threat category; this story is that category becoming concrete.

The full technical write-up hasn't been published yet. When it drops, it'll be worth reading closely — not for the specific bug, but for the methodology.

Also today

TeamPCP's Supply Chain Spree: GitHub Was Just the Latest Scalp

The group behind last week's GitHub internal repository breach — now confirmed to have entered via a poisoned Nx Console VS Code extension linked to the TanStack npm compromise — turns out to be a prolific supply chain attacker called TeamPCP. Wired reports the gang has hit hundreds of organisations in an ongoing spree that has targeted the npm ecosystem at unprecedented scale. GitHub's breach was notable for its size, but it's now looking less like an isolated incident and more like one stop on a very busy tour. Australian developers using affected npm packages or VS Code extensions in CI/CD pipelines should audit their dependency trees.

WIRED Security

9-Year-Old Linux Kernel Flaw Lets Any Local User Run Commands as Root

A vulnerability sitting undetected in the Linux kernel for nine years has been disclosed as CVE-2026-46333. It's rated a relatively modest 5.5 on CVSS, but the impact is punchy: an unprivileged local user on a default installation of several major distros can read sensitive files and execute arbitrary commands as root. That combination — low entry bar, high impact — is exactly what makes local privilege escalation bugs dangerous in multi-tenant cloud environments and shared hosting setups. Patches are in progress across distributions; administrators running Linux servers, including the many Australian government and enterprise deployments on Ubuntu and RHEL, should watch for distro advisories.

The Hacker News

Cisco Secure Workload Gets a Perfect-10 Patch — Again

Cisco has shipped a fix for a maximum-severity (CVSS 10.0) vulnerability in its Secure Workload platform. The flaw lives in the product's REST APIs, where insufficient validation allows a remote, unauthenticated attacker to grab Site Admin privileges — and from there, read sensitive data and make configuration changes across tenant boundaries. Cisco's Secure Workload is used in enterprise data centres and hybrid cloud environments, including by large Australian financial and government organisations. It's the latest in a string of perfect-10 bugs from Cisco in recent months. If you're running this product and haven't applied the patch, stop reading and go do that.

The Register

Zombie Account Let Hackers Control a City's Water Supply

A post-mortem on a water utility breach has confirmed the root cause: an active account belonging to a former employee that was never disabled. Attackers used the dormant credentials to gain access to operational systems controlling the city's water infrastructure. It's a painfully familiar story — identity hygiene failures at critical infrastructure operators have featured in multiple high-profile incidents over the past decade. For Australian water utilities and critical infrastructure operators governed under the SOCI Act, this is a direct reminder that offboarding processes and regular access reviews aren't optional. The Protective Security Policy Framework requires exactly this kind of lifecycle management.

The Register

Microsoft Open-Sources Two Agentic AI Safety Tools

Microsoft has released RAMPART and Clarity as open-source tools designed to help developers build and maintain safer AI agents. RAMPART focuses on constraining agent behaviour within defined boundaries — essentially a guardrail framework for agentic systems — while Clarity provides observability tooling so developers can inspect what an agent actually did during a run. The release comes as AI agents proliferate across enterprise environments and identity security researchers flag that agent credentials are becoming a major unmanaged attack surface. Both tools are available on GitHub. Given the pace of Australian enterprise AI adoption, local development teams building agentic workflows on Azure will find both worth evaluating.

The Register

Google's 'Deleted' API Keys Stay Active for 23 Minutes

A security researcher has found that Google Cloud API keys remain fully functional for up to 23 minutes after being explicitly deleted — despite Google's documentation stating that deletion is immediate. The window is short, but in a breach scenario where an attacker has exfiltrated a key, a 23-minute grace period is more than enough time to harvest data, spin up resources, or rack up costs. Google has not yet publicly acknowledged the issue. The finding adds to a broader pattern of cloud providers' security UX not matching their security documentation — a problem that's particularly acute in incident response, where teams delete keys believing they've contained a compromise.

The Register

HackerOne Slashes Bug Bounty Payouts by Over 75%

HackerOne has cut critical vulnerability payouts on its platform by more than 75%, a move that has immediately drawn criticism from the security research community. The bug bounty market has long been criticised for undervaluing researchers relative to the commercial risk the vulnerabilities represent, and this cut deepens that tension. Critics argue the reduction will push researchers toward grey-market brokers and vulnerability acquisition firms — Zerodium, Crowdfense — where payouts remain high. The timing is notable: it comes as AI-assisted vulnerability discovery is making researchers more productive, which means the effective cost-per-bug to HackerOne was probably already rising.

The Register

Trump Pulls Back AI Security Executive Order, Citing Concern About Slowing Innovation

President Trump has delayed signing an executive order that would have required pre-release security reviews of AI models by the NSA, Treasury, and other federal agencies. The draft order gave agencies 90 days to test new models for national security risks before deployment. Trump's stated reason: he doesn't want government review requirements to slow AI leadership. The decision is a meaningful reversal from the Biden-era AI safety posture and signals the current administration's preference for industry self-governance over regulatory gates. Australia's AI safety approach under the Albanese government has leaned toward risk-based frameworks rather than mandatory pre-deployment review — the US pullback gives that approach more room to differentiate.

TechCrunch AI

Anthropic Is About to Post Its First Profitable Quarter — on $10.9B Revenue

Anthropic has told investors it expects to report its first profitable quarter, with Q2 revenue projected at roughly $10.9 billion — more than double the prior quarter. The figure is remarkable for a company that was burning cash at extraordinary rates just 18 months ago and speaks to the rapid enterprise adoption of Claude across coding, legal, and operational workflows. The profitability milestone matters beyond the balance sheet: it reduces Anthropic's dependence on continued mega-rounds from Amazon and Google, and strengthens its position as an independent counterweight to OpenAI. Anthropic's Code with Claude event in London this week underlined its hard push for developer mindshare.

TechCrunch AI

EU Nations Are Dumping US Tech Tools Over Trump-Era Geopolitical Friction

France has moved government and enterprise users away from Zoom and Microsoft Teams toward domestically developed alternatives, and other European nations are following. The shift is driven less by technical preference and more by geopolitical anxiety: the Trump administration's posture toward Europe has accelerated concerns about data sovereignty, cloud dependency, and what happens if US tech firms become instruments of leverage. The trend has direct implications for Australian cloud and SaaS strategy — particularly for Defence, Home Affairs, and critical infrastructure operators weighing Five Eyes alignment against supply chain concentration risk. The EU's pivot is a preview of a conversation Australia will need to have more openly.

WIRED Security

Singtel Open to Selling a Stake in Optus

Singtel has publicly confirmed it is open to selling a meaningful minority stake in Optus, framing the move as finding a "like-minded long-term partner" rather than a fire sale. Optus has had a rough few years — the 2022 mega-breach, executive turnover, and network outage fallout have made it a complicated asset. A partial sale would raise questions about continuity of security investment, incident response capability, and how a new co-owner might affect Optus's obligations under Australia's SOCI Act and the Telecommunications Security Act. Any prospective partner would face close scrutiny from the Foreign Investment Review Board given Optus's role as critical national infrastructure.

iTnews
