Security Digest

Goblins in the Machine, Holes in the Wire

OpenAI hardcoded a system-prompt override to stop ChatGPT 5.1 from talking about goblins. DENIC broke the .de TLD with bad DNSSEC signatures and Cloudflare disabled validation to keep Germany online. Trellix's source code was breached. A Linux kernel LPE and a Palo Alto firewall RCE both landed on CISA KEV with active exploitation. The DOJ Epstein archive crossed 269,000 PDFs, OCR still paused, Stortinget hearing days away.

This Week in Brief

The week’s defining story is OpenAI publishing a postmortem on why ChatGPT 5.1 began obsessively dropping goblins, gremlins, raccoons, trolls, ogres, and pigeons into responses. The fix was a hardcoded clause in the Codex CLI system prompt forbidding the words. The frame matters more than the comedy: a frontier model deployed to hundreds of millions of users developed an emergent behaviour its operators could not predict and could only mitigate by string-matching. On the network side, DENIC pushed broken DNSSEC signatures for the entire .de zone and Cloudflare’s 1.1.1.1 had to disable DNSSEC validation to keep Germany resolving. Trellix had a portion of its source code stolen. CISA added a Linux kernel local-privilege-escalation flaw to KEV with active exploitation, and Palo Alto Networks confirmed that a critical PAN-OS Captive Portal buffer overflow is being exploited in the wild for unauthenticated root RCE on PA-Series and VM-Series firewalls. The DOJ Epstein archive grew past 269,000 PDFs, the Nordic OCR scanner remains down, and the Stortinget control hearing on the Norwegian-Epstein thread is four days out.


Security

OpenAI Hardcodes the Goblin Override

OpenAI published “Where the goblins came from” on April 29, an unusually candid postmortem on a real production incident. After the rollout of ChatGPT 5.1, users began noticing the model dropping goblins, gremlins, raccoons, trolls, ogres, and pigeons into otherwise normal responses. References to “goblin” rose 175%. The root cause, per OpenAI: the company over-rewarded a “Nerdy” personality archetype during personality-customization training. The Nerdy archetype accounted for 2.5% of all responses but 66.7% of goblin mentions. The behaviour leaked beyond the archetype into the general response distribution. OpenAI retired the Nerdy personality entirely and added an explicit override to the Codex CLI system prompt: “never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures unless it is absolutely and unambiguously relevant to the user’s query.”

The story is comedy on the surface and concerning underneath. A frontier model deployed at hundreds-of-millions scale developed an emergent behaviour its operators could not predict from training and could only mitigate by string-matching. For anyone using LLM output in a security pipeline, this is the hard case for treating model output as adversarial input. OWASP LLM Top 10:2025 LLM06 (Excessive Agency) and LLM05 (Improper Output Handling) are the canonical references.
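
As an added illustration of that trust boundary (not code from OpenAI or from this digest's pipeline), the example below parses a model's triage verdict as untrusted input: strict JSON, a closed key set, typed and bounded fields, and a None result that routes the item to human review. The verdict schema, field names and sample outputs are assumptions constructed for the example.

```python
import json
import re

# Hypothetical schema for this example: the model is asked for a triage verdict.
ALLOWED_KEYS = {"verdict", "confidence", "indicator"}
ALLOWED_VERDICTS = {"benign", "suspicious", "malicious"}
INDICATOR_RE = re.compile(r"[A-Za-z0-9.:\-]{1,253}")  # hostname/IP-shaped token only

class RejectedOutput(ValueError):
    """Model output that failed validation and must not reach downstream code."""

def parse_verdict(raw, max_len=2048):
    """Strict JSON object, closed key set, typed and bounded fields; anything else is rejected."""
    if not isinstance(raw, str) or len(raw) > max_len:
        raise RejectedOutput("missing or oversized output")
    try:
        obj = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # malformed or pathologically nested
        raise RejectedOutput("not JSON") from exc
    if not isinstance(obj, dict) or set(obj) != ALLOWED_KEYS:
        raise RejectedOutput("unexpected shape or keys")
    verdict, conf, ind = obj["verdict"], obj["confidence"], obj["indicator"]
    if not isinstance(verdict, str) or verdict not in ALLOWED_VERDICTS:
        raise RejectedOutput("verdict outside allow-list")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
        raise RejectedOutput("confidence out of range")
    if not isinstance(ind, str) or not INDICATOR_RE.fullmatch(ind):
        raise RejectedOutput("indicator has disallowed characters")
    return {"verdict": verdict, "confidence": float(conf), "indicator": ind}

def safe_parse(raw):
    """Return the validated dict, or None so the caller falls back to human review."""
    try:
        return parse_verdict(raw)
    except RejectedOutput:
        return None

# Constructed model outputs (illustrative, not real transcripts)
SAMPLES = [
    '{"verdict": "malicious", "confidence": 0.93, "indicator": "198.51.100.7"}',
    'Sure! As a goblin would say: {"verdict": "benign"}',
    '{"verdict": "benign", "confidence": 0.5, "indicator": "host.example; id"}',
    '{"verdict": "benign", "confidence": 0.5, "indicator": "a.example", "note": "gremlins"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(safe_parse(sample))
```

Only the first sample passes; the chatty preamble, the shell-metacharacter indicator and the unexpected extra key are all rejected rather than repaired.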

DENIC Breaks the .de TLD with Bad DNSSEC, Cloudflare Pulls Validation

On May 5 around 19:30 UTC, DENIC, the operator of the .de country-code TLD, began publishing incorrect DNSSEC signatures for the .de zone. Validating resolvers, including Cloudflare’s 1.1.1.1, were required by the DNSSEC specification to reject the records and return SERVFAIL. Germany’s TLD is one of the most-queried on the internet. Cloudflare temporarily disabled DNSSEC validation for .de on 1.1.1.1 (per RFC 7646) to keep millions of domains reachable. Validation is set to be re-enabled when DENIC’s signing problems are confirmed resolved.

The incident touched our local network on May 6: the n3tw4tch monitor logged a sustained “INTERNET_DOWN” pattern between 11:50 and 13:50 UTC against Cloudflare reachability. DNSSEC is doing its job when it returns SERVFAIL on bad signatures, but the operational reality is that the only resolver behaviour users tolerate is the one that keeps the names resolving. The lesson is about the durability of bypass posture: which validating resolver to use, and how fast it is willing to fall back when the signing chain fails upstream.
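
One way to tell a DNSSEC validation failure apart from an ordinary resolver outage, as an added example that is not part of n3tw4tch or any vendor tooling: ask the same question twice, once normally and once with the CD (checking disabled) bit, and compare the response codes and the AD flag. Function names and the response headers at the bottom are constructed for the example; `probe` is the only part that needs network access.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, cd=False, txid=0x1234):
    """A-record query with RD set, the EDNS0 DO bit set, and optionally CD (checking disabled)."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-record: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no options
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(resp):
    """Return the RCODE name and the AD (authenticated data) flag from a raw response."""
    _txid, flags = struct.unpack("!HH", resp[:4])
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "ad": bool(flags & 0x0020)}

def classify(normal, cd):
    """Compare the normal answer with the CD=1 answer; None means no reply."""
    if normal is None:
        return "resolver unreachable"
    if normal["rcode"] == "SERVFAIL":
        if cd is not None and cd["rcode"] in ("NOERROR", "NXDOMAIN"):
            return "DNSSEC validation failure"  # data exists, signatures were rejected
        return "resolver or upstream failure"
    if normal["rcode"] == "NOERROR":
        return "validated" if normal["ad"] else "answered without validation"
    return "other: " + normal["rcode"]

def probe(resolver, name, timeout=3.0):
    """Live check (needs network): send the query with CD=0, then with CD=1."""
    results = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, cd=cd), (resolver, 53))
                results.append(parse_header(s.recv(4096)))
            except OSError:  # timeout or network error
                results.append(None)
    return classify(*results)

# Constructed response headers (not captured traffic): SERVFAIL, then NOERROR with CD set
SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
NOERROR_CD = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 0, 0, 0)
```

"Answered without validation" covers an unsigned zone, a non-validating resolver, and a resolver that has switched validation off for the zone, which is the state 1.1.1.1 was in for .de during the incident.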

Trellix Source Code Breach

On May 2, Trellix disclosed unauthorised access to a portion of its source code repository. The company is working with forensic experts. Trellix is itself a cybersecurity vendor, so the same calculus that applied to SolarWinds, Kaseya, ConnectWise, and most recently ChipSoft applies here: the value of a vendor breach is the multiplier across that vendor’s customers. Watch for downstream advisories.

Linux Kernel LPE on KEV (CVE-2026-31431)

CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 3. It is a local privilege escalation in the Linux kernel, CVSS 7.8, with evidence of active exploitation in the wild; a federal remediation deadline applies. Multiple distributions are affected. Patch from your distribution vendor or backport the upstream fix; prioritise multi-tenant systems and any host where you allow user shell access.

Palo Alto PAN-OS Captive Portal RCE Exploited (CVE-2026-0300)

Palo Alto Networks confirmed active exploitation of a critical buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. An unauthenticated attacker can achieve arbitrary code execution as root on PA-Series and VM-Series firewalls via specially crafted packets to the Captive Portal endpoint. If the Captive Portal is exposed to untrusted networks on any of your firewalls, treat the device as compromised until proven otherwise, apply the vendor advisory’s mitigation immediately, and patch on the vendor’s published cadence. Out-of-band firewall management, a segregated mgmt VLAN, and disabling Captive Portal where not strictly required are the structural answers.

Continuing — SharePoint, ChipSoft, Vishing-at-Scale, Mythos

  • CVE-2026-32201 (SharePoint) — KEV deadline passed April 28. If you weren’t compliant by then you remain exposed and out of scope for federal authorisation.
  • ChipSoft (Netherlands) — into the fourth week of degraded operations at affected Dutch hospitals. Still no claimed responsibility. The ongoing silence remains the operational tell.
  • Voice phishing at helpdesk scale — campaign volume has not slowed week-over-week. Helpdesk tabletops continue to surface the same gap: callback verification missing or routinely skipped under time pressure.
  • Anthropic Mythos banking review — India’s reviews from week 18 are widening, Singapore’s MAS is reportedly preparing a parallel advisory, and EU and UK financial regulators are expected to follow during May.

Conflicts

Hormuz: Posture Holds, Traffic Still Paused

No new escalation step this week. The “shoot and kill” order against mining-equipped Iranian small craft remains in force, three US carriers are in the region, and commercial traffic through the Strait remains effectively paused. Insurance pricing has stabilised at war-risk premium levels. Islamabad talks have not restarted. Iranian maximalist demands (no missile-program limits, formal Hormuz control, war-damage compensation, security guarantees) stand unchanged.

Israel-Lebanon: Ceasefire Holds, Tactically Strained

The three-week extension agreed late in week 18 is holding on paper. Limited tactical exchanges continue. Hezbollah targeting remains the most likely flashpoint into week 20.

Climate Cost Tracking

The Climate and Community Institute’s quantification of the war’s carbon cost continues to show up in European environment-ministry briefings. Arms-export licensing debates in three EU member states have cited the analysis directly during the week.


DOJ Epstein Archive

Metric | Last Week | This Week | Δ
Total PDFs (local mirror) | 259,591 | 269,872 | +10,281
Archive size | 27 GB | 29 GB | +2 GB
Tracked: rod-larsen | 1,225 | 1,267 | +42
Tracked: jagland | 791 | 849 | +58
Tracked: ehnbom | 633 | 664 | +31
Tracked: andersson-dubin | 18 | 18 | unchanged
Tracked: Mona Juul | 7 | 7 | unchanged

DataSet 11 continues pulling (now 58,565 of unknown total), and DataSet 12 has begun (152 files). DataSet 13 through 15 remain queued. The Nordic text scanner is running steady: 378,448 files scanned, 6,624 hits all-time. The Nordic OCR scanner remains paused; image-heavy DataSets 9, 10, and 11 have not been processed against image-derived text. Expect a step-change in tracked-figure hits when OCR resumes.

The Stortinget control hearing on the Norwegian-Epstein thread is scheduled for May 11 to 12, four days out. Ehnbom’s two interviews from week 14 (SVT Nära ett monster and SvD Alla köpte Epsteins förklaring) remain the most extensive on-record statements going into the hearing.


By the Numbers

Category | This Week
OpenAI’s hardcoded Codex CLI override creature ban list | 6 (goblins, gremlins, raccoons, trolls, ogres, pigeons)
Goblin-mention increase since ChatGPT 5.1 launch | +175%
Nerdy personality share of all responses | 2.5%
Nerdy personality share of all goblin mentions | 66.7%
Cloudflare 1.1.1.1 DNSSEC validation, .de zone | temporarily disabled
Local n3tw4tch internet-down window during the .de outage | 2 hours
New CVEs added to CISA KEV this week (covered above) | 2
DOJ archive PDFs (local mirror) | 269,872
New DOJ tracked-figure hits week-over-week | +131 across the top three
Days to Stortinget control hearing | 4
Trellix portion of source code repository confirmed exfiltrated | 1

What to Do This Week

  1. Patch Palo Alto firewalls. CVE-2026-0300 in PAN-OS Captive Portal is being exploited for unauthenticated root RCE. If your Captive Portal is internet-facing, treat the device as compromised until proven otherwise and rebuild after patching.
  2. Patch the Linux kernel. CVE-2026-31431 is on KEV with active exploitation. Prioritise multi-tenant hosts and any system that grants untrusted local accounts.
  3. Audit DNS resolver fallback posture. The .de outage shows that DNSSEC validation can take down a whole TLD when the upstream signing breaks. Know which resolver your stack uses, know its disable-validation behaviour, and decide your policy now rather than during the next outage.
  4. Review LLM-output trust boundaries. OpenAI’s goblin postmortem is the cleanest public case yet for treating LLM output as untrusted input. If any part of your pipeline ingests model output without sanitisation, this is the prompt to fix that.
  5. Monitor for Trellix downstream advisories. Vendor breaches multiply across customers. If your stack runs Trellix products, watch the company’s communications closely and plan for credential or signing-key rotation if it is recommended.
  6. Stortinget hearing prep, if relevant. May 11 to 12. Anyone tracking the Norwegian-Epstein thread should pre-position monitoring for live coverage and post-hearing document drops.

FTRCRP Security Digest, published weekly. Sources: FTRCRP evidence pipeline (DOJ tracker, Nordic scanner, n3tw4tch network monitor), open-source reporting (OpenAI blog, Cloudflare blog, BleepingComputer, The Hacker News, CISA KEV, Reuters, Wall Street Journal). Week 19, 2026-05-07

AI disclosure

This article predates the formal AI disclosure regime introduced on 19 May 2026. AI tools were used to polish and generate some text in this article. Editorial responsibility: Thomas A. Kleppestø.