Security Digest

From the Goblins to the Hearing

Two weeks at once. OpenAI hardcoded a system-prompt override to stop ChatGPT 5.1 from talking about goblins. DENIC broke the .de TLD with bad DNSSEC and Cloudflare disabled validation to keep Germany online. Trellix's source code was breached. A Linux kernel LPE and a Palo Alto firewall RCE both landed on CISA KEV with active exploitation. The DOJ Epstein archive crossed 269,000 PDFs and the Stortinget control hearing on the Norwegian-Epstein thread is running this week.

This Two Weeks in Brief

This issue runs across weeks 19 and 20, covering the window from 28 April through 12 May. The defining story of the period is OpenAI publishing a postmortem on why ChatGPT 5.1 began obsessively dropping goblins, gremlins, raccoons, trolls, ogres, and pigeons into responses. The fix was a hardcoded clause in the Codex CLI system prompt forbidding the words. The frame matters more than the comedy: a frontier model deployed to hundreds of millions of users developed an emergent behaviour its operators could not predict and could only mitigate by string-matching. On the network side, DENIC pushed broken DNSSEC signatures for the entire .de zone and Cloudflare’s 1.1.1.1 had to disable DNSSEC validation to keep Germany resolving. Trellix had a portion of its source code stolen. CISA added a Linux kernel local-privilege-escalation flaw to KEV with active exploitation, and Palo Alto Networks confirmed a critical PAN-OS Captive Portal buffer overflow being exploited in the wild for unauth root RCE on PA-Series and VM-Series firewalls. The DOJ Epstein archive grew past 269,000 PDFs, the Nordic OCR scanner remains down, and the Stortinget control hearing on the Norwegian-Epstein thread is running 11 to 12 May, the centrepiece of the week-20 calendar.


Security

OpenAI Hardcodes the Goblin Override

OpenAI published “Where the goblins came from” on 29 April, an unusually candid postmortem on a real production incident. After the rollout of ChatGPT 5.1, users began noticing the model dropping goblins, gremlins, raccoons, trolls, ogres, and pigeons into otherwise normal responses. References to “goblin” rose 175%. Root cause, per OpenAI: the company over-rewarded a “Nerdy” personality archetype during personality-customization training. The Nerdy archetype accounted for 2.5% of all responses but 66.7% of goblin mentions. The behaviour leaked beyond the archetype into the general response distribution. OpenAI retired the Nerdy personality entirely and added an explicit override to the Codex CLI system prompt: “never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures unless it is absolutely and unambiguously relevant to the user’s query.”

The story is comedy on the surface and concerning underneath. A frontier model deployed at hundreds-of-millions scale developed an emergent behaviour its operators could not predict from training and could only mitigate by string-matching. For anyone using LLM output in a security pipeline, this is the hard case for treating model output as adversarial input. OWASP LLM Top 10:2025 LLM06 (Excessive Agency) and LLM05 (Improper Output Handling) are the canonical references.
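One way to apply "model output is adversarial input" at the point where a pipeline acts on it, as an added example that is not code from this digest or from OpenAI. The action set, the protected range and the sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import json

ALLOWED_ACTIONS = {"block_ip", "open_ticket", "no_action"}  # hypothetical action set
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed internal range
REQUIRED_KEYS = {"action", "target", "reason"}

class RejectedOutput(ValueError):
    """Model output failed validation and must not reach the executor."""

def parse_model_action(raw: str) -> dict:
    """Validate raw model text as one strictly shaped action, or raise."""
    try:
        obj = json.loads(raw)  # the whole string must be JSON, no prose around it
    except json.JSONDecodeError as exc:
        raise RejectedOutput("not pure JSON") from exc
    if not isinstance(obj, dict) or set(obj) != REQUIRED_KEYS:
        raise RejectedOutput("unexpected shape or keys")
    if not all(isinstance(obj[k], str) for k in REQUIRED_KEYS):
        raise RejectedOutput("non-string field")
    if obj["action"] not in ALLOWED_ACTIONS:
        raise RejectedOutput("action not on allow-list")
    if obj["action"] == "block_ip":
        try:
            addr = ipaddress.ip_address(obj["target"])
        except ValueError as exc:
            raise RejectedOutput("target is not an IP address") from exc
        if any(addr in net for net in PROTECTED_NETS):
            raise RejectedOutput("refusing to block a protected address")
    if len(obj["reason"]) > 200 or not obj["reason"].isprintable():
        raise RejectedOutput("reason too long or contains control characters")
    return obj

def is_accepted(raw: str) -> bool:
    """True only if the output survives every check above."""
    try:
        parse_model_action(raw)
        return True
    except RejectedOutput:
        return False

# Constructed sample outputs (not real model transcripts).
GOOD = '{"action": "block_ip", "target": "203.0.113.7", "reason": "repeated auth failures"}'
DRIFTED = "A goblin told me to do this: " + GOOD   # off-topic prose wrapped around the payload
SELF_BLOCK = '{"action": "block_ip", "target": "10.0.0.1", "reason": "suspicious"}'
NEW_VERB = '{"action": "run_shell", "target": "all", "reason": "cleanup"}'
```

The validator fails closed: anything that is not exactly one allow-listed action is dropped, so drift in the model's style cannot widen what the pipeline will execute.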

DENIC Breaks the .de TLD with Bad DNSSEC, Cloudflare Pulls Validation

On 5 May around 19:30 UTC, DENIC, the operator of the .de country-code TLD, began publishing incorrect DNSSEC signatures for the .de zone. Validating resolvers, including Cloudflare’s 1.1.1.1, were required by the DNSSEC specification to reject the records and return SERVFAIL. Germany’s TLD is one of the most-queried on the internet. Cloudflare temporarily disabled DNSSEC validation for .de on 1.1.1.1 (per RFC 7646) to keep millions of domains reachable. Validation is set to be re-enabled when DENIC’s signing problems are confirmed resolved.

The incident touched our local network on 6 May: the n3tw4tch monitor logged a sustained “INTERNET_DOWN” pattern between 11:50 and 13:50 UTC against Cloudflare reachability. DNSSEC is doing its job when it returns SERVFAIL on bad signatures, but the operational reality is that the only resolver behaviour users tolerate is the one that keeps the names resolving. The lesson is about the durability of bypass posture: which validating resolver to use, and how fast it is willing to fall back when the signing chain fails upstream.
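A sketch of how to tell which of those postures a resolver is in, as an added example that is not part of the digest or of Cloudflare's tooling. It classifies the header of `dig +dnssec NAME @RESOLVER` and `dig +dnssec +cd NAME @RESOLVER` output. The header text below is constructed, and both the name under test and the control name are assumed to sit in signed zones.

```python
import re

def parse_header(dig_output: str):
    """Return (rcode, flags) from the header lines of dig output."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"flags: ([a-z ]*);", dig_output)
    if not status or not flags:
        raise ValueError("no DNS header in dig output")
    return status.group(1), set(flags.group(1).split())

def classify(normal: str, cd: str) -> str:
    """Classify one signed name from normal and checking-disabled (+cd) output."""
    rcode, flags = parse_header(normal)
    cd_rcode, _ = parse_header(cd)
    if rcode == "NOERROR":
        # AD is only set when the resolver validated the answer itself.
        return "validated" if "ad" in flags else "unvalidated"
    if rcode == "SERVFAIL":
        # Data appears once checking is disabled: the signatures were rejected.
        return "bogus" if cd_rcode == "NOERROR" else "unreachable"
    return "other"

def posture(target: str, control: str) -> str:
    """Compare the zone under test with a control zone known to validate."""
    if control != "validated":
        return "resolver does not validate DNSSEC at all"
    return {
        "validated": "validating, chain intact",
        "bogus": "validating, failing closed (SERVFAIL to clients)",
        "unvalidated": "validation bypassed for this zone (NTA-style fallback)",
    }.get(target, "inconclusive")

def hdr(status: str, flags: str) -> str:
    """Build constructed dig header text for the samples below."""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")

# Constructed samples: a healthy control zone, a resolver failing closed on
# bad signatures, and a resolver answering for the broken zone without AD.
CONTROL = classify(hdr("NOERROR", "qr rd ra ad"), hdr("NOERROR", "qr rd ra cd"))
FAIL_CLOSED = classify(hdr("SERVFAIL", "qr rd ra"), hdr("NOERROR", "qr rd ra cd"))
BYPASSED = classify(hdr("NOERROR", "qr rd ra"), hdr("NOERROR", "qr rd ra cd"))
```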

Trellix Source Code Breach

On 2 May, Trellix disclosed unauthorised access to a portion of its source code repository. The company is working with forensic experts. Trellix is itself a cybersecurity vendor, so the same calculus that applied to SolarWinds, Kaseya, ConnectWise, and most recently ChipSoft applies here: the value of a vendor breach is the multiplier across that vendor’s customers. Watch for downstream advisories.

Linux Kernel LPE on KEV (CVE-2026-31431)

CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on 3 May. It is a local privilege escalation in the Linux kernel (CVSS 7.8) with evidence of active exploitation in the wild, and a federal remediation deadline applies. Multiple distributions are affected. Patch from your distribution vendor or backport the upstream fix; prioritise multi-tenant systems and any host where you allow user shell access.

Palo Alto PAN-OS Captive Portal RCE Exploited (CVE-2026-0300)

Palo Alto Networks confirmed active exploitation of a critical buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. An unauthenticated attacker can achieve arbitrary code execution as root on PA-Series and VM-Series firewalls via specially crafted packets to the Captive Portal endpoint. If the Captive Portal is exposed to untrusted networks on any of your firewalls, treat the device as compromised until proven otherwise, apply the vendor advisory’s mitigation immediately, and patch on the vendor’s published cadence. Out-of-band firewall management, a segregated management VLAN, and disabling Captive Portal where not strictly required are the structural answers.

Continuing — SharePoint, ChipSoft, Vishing-at-Scale, Mythos

  • CVE-2026-32201 (SharePoint) — KEV deadline passed 28 April. Anyone not compliant by then remains exposed and out of scope for federal authorisation.
  • ChipSoft (Netherlands) — into the fifth week of degraded operations at affected Dutch hospitals. Still no claimed responsibility. The ongoing silence remains the operational tell.
  • Voice phishing at helpdesk scale — campaign volume has not slowed across the two-week window. Helpdesk tabletops continue to surface the same gap: callback verification missing or routinely skipped under time pressure.
  • Anthropic Mythos banking review — India’s reviews are widening, Singapore’s MAS is reportedly preparing a parallel advisory, and EU and UK financial regulators are expected to follow during May.

Conflicts

Hormuz: Posture Holds, Traffic Still Paused

No new escalation step across the period. The “shoot and kill” order against mining-equipped Iranian small craft remains in force, three US carriers are in the region, and commercial traffic through the Strait remains effectively paused. Insurance pricing has stabilised at war-risk premium levels. Islamabad talks have not restarted. Iranian maximalist demands (no missile-program limits, formal Hormuz control, war-damage compensation, security guarantees) stand unchanged.

Israel-Lebanon: Ceasefire Holds, Tactically Strained

The three-week extension agreed in week 18 has rolled into week 20 on paper. Limited tactical exchanges continue. Hezbollah targeting remains the most likely flashpoint into the next reporting period.

Climate Cost Tracking

The Climate and Community Institute’s quantification of the war’s carbon cost continues to show up in European environment-ministry briefings. Arms-export licensing debates in three EU member states have cited the analysis directly during the period.


DOJ Epstein Archive

| Metric | Issue 014 (28 Apr) | Issue 016 (12 May) | Δ over two weeks |
| --- | --- | --- | --- |
| Total PDFs (local mirror) | 259,591 | 269,761 | +10,170 |
| Archive size | 27 GB | 29 GB | +2 GB |
| Tracked: rod-larsen | 1,225 | 1,267 | +42 |
| Tracked: jagland | 791 | 849 | +58 |
| Tracked: ehnbom | 633 | 664 | +31 |
| Tracked: andersson-dubin | 18 | 18 | unchanged |
| Tracked: Mona Juul | 7 | 7 | unchanged |

The two-week growth landed almost entirely in week 19. Week 20 has been quiet on the pull side: no active downloaders were running at the time of writing, DataSet 12 is paused at 152 files, and DataSets 13 through 15 are still queued. The Nordic text scanner is running steady (378,448 files scanned all-time, 6,624 hits all-time). The Nordic OCR scanner remains paused, so image-heavy DataSets 9, 10, and 11 have not been processed against image-derived text. Expect a step-change in tracked-figure hits when OCR resumes and DataSet 12 onward picks back up.

Stortinget Control Hearing — Running This Week

The Stortinget control and constitutional affairs committee’s hearing on the Norwegian-Epstein thread is taking place 11 to 12 May, the central event of week 20. Ehnbom’s two interviews from week 14 (SVT Nära ett monster and SvD Alla köpte Epsteins förklaring) remain the most extensive on-record statements going into the proceedings. Post-hearing document drops and transcript releases will land in the next reporting period.


By the Numbers

| Category | Two-week scope |
| --- | --- |
| OpenAI’s hardcoded Codex CLI override creature ban list | 6 |
| Goblin-mention increase since ChatGPT 5.1 launch | +175% |
| Nerdy personality share of all responses | 2.5% |
| Nerdy personality share of all goblin mentions | 66.7% |
| Cloudflare 1.1.1.1 DNSSEC validation, .de zone | temporarily disabled |
| Local n3tw4tch internet-down window during the .de outage | 2 hours |
| New CVEs added to CISA KEV in the period (covered above) | 2 |
| DOJ archive PDFs (local mirror) | 269,761 |
| Two-week DOJ tracked-figure hits delta across the top three | +131 |
| Trellix portion of source code repository confirmed exfiltrated | 1 |
| Stortinget hearing days | 2 |

What to Do These Two Weeks

  1. Patch Palo Alto firewalls. CVE-2026-0300 in PAN-OS Captive Portal is being exploited for unauth root RCE. If your Captive Portal is internet-facing, treat the device as compromised until proven otherwise and rebuild after patching.
  2. Patch the Linux kernel. CVE-2026-31431 is on KEV with active exploitation; prioritise multi-tenant hosts and any system that grants access to untrusted local accounts.
  3. Audit DNS resolver fallback posture. The .de outage shows that DNSSEC validation can take down a whole TLD when the upstream signing breaks. Know which resolver your stack uses, know its disable-validation behaviour, and decide your policy now rather than during the next outage.
  4. Review LLM-output trust boundaries. OpenAI’s goblin postmortem is the cleanest public case yet for treating LLM output as untrusted input. If any part of your pipeline ingests model output without sanitisation, this is the prompt to fix that.
  5. Monitor for Trellix downstream advisories. Vendor breaches multiply across customers. If your stack runs Trellix products, watch the company’s communications closely and plan for credential or signing-key rotation if it is recommended.
  6. Stortinget hearing follow-up. The hearing is wrapping today. Anyone tracking the Norwegian-Epstein thread should be pre-positioning monitoring for transcript releases, document drops, and follow-on committee reporting in the days immediately after.

FTRCRP Security Digest, published on a catch-up cadence this issue. Sources: FTRCRP evidence pipeline (DOJ tracker, Nordic scanner, n3tw4tch network monitor), open-source reporting (OpenAI blog, Cloudflare blog, BleepingComputer, The Hacker News, CISA KEV, Reuters, Wall Street Journal). Issue 016, weeks 19 and 20, 2026-05-12