Security Digest

Mythos Breaks NSA, World Leaks Apple, Kapotnya Burns

Week 26: a US senator discloses that Anthropic's Mythos AI model, in a controlled red-team test against a replica of NSA classified systems, found vulnerabilities in nearly all of them within hours, days before a Five Eyes joint advisory on AI-driven offensive hacking; World Leaks ransomware posts roughly 630 GB of Apple and Tesla supply-chain data from Tata Electronics; Operation Endgame dismantles the Amadey-StealC infostealer network across 326 servers and 142 domains, recovering 27 million stolen credentials; Ukraine's Liutyi drones put Kapotnya refinery offline until year-end and trigger Russia's worst fuel crisis in years; and publicly released DOJ Epstein disclosure datasets cross-checked against E24, Aftenposten and Filter Nyheter document a $250,000 wire tied to Terje Rød-Larsen, a leaked confidential UN briefing (resolution 1559), and a set of Thorbjørn Jagland emails handled in full in FTRCRP's investigation.


This Week in Brief

Week 26, 19-25 June. The defining event surfaced through Senator Mark Warner of Virginia, who said NSA chief Gen. Joshua Rudd had told him that Anthropic’s Mythos AI model, in a controlled red-team test against a replica of NSA classified systems, found vulnerabilities in nearly all of them within hours (first reported by The Economist; aggregated by Gizmodo, 24 June). Mythos identified the flaws but did not exploit them, and there is no official government confirmation; this is a senator recounting a private briefing. Within days the Five Eyes alliance issued a joint advisory that cutting-edge AI is poised to supercharge offensive hacking against governments and critical infrastructure, with major breaches potentially arriving “within months” (Reuters, 22 June).

On the breach side, World Leaks ransomware posted roughly 630 GB of iPhone assembly specifications and Tesla component drawings from Tata Electronics, with a ransom demand directed at Apple. A supply-chain OAuth compromise at Klue exposed LastPass customer support records, with the affected count undisclosed. Operation Endgame concluded with 326 servers and 142 domains taken down and 27 million stolen credentials recovered. In Ukraine, Liutyi drones struck Kapotnya refinery outside Moscow on 18-19 June and reached Tyumen at roughly 2,000 kilometres on 20 June, triggering Russia’s worst national fuel crisis in years. The EU AI Act’s general provisions enforcement deadline is 38 days away, on 2 August 2026.


Security

Five Eyes Warning: AI as Offensive Weapon

In a controlled red-team test, Anthropic’s Mythos AI model was run against a replica of NSA classified systems and found vulnerabilities in nearly all of them within hours. It identified the flaws but did not exploit them. This is not an official confirmation: Senator Mark Warner said publicly that NSA chief Gen. Joshua Rudd had told him of the result, a private briefing first reported by The Economist and aggregated by Gizmodo (24 June). The Five Eyes nations (US, UK, Canada, Australia, New Zealand) issued a joint advisory on 22 June stating AI is “poised to supercharge offensive hacking capabilities” and that major breaches could materialise “within months” (Reuters, 22 June). The red-team finding is the trigger; the Five Eyes statement is the intelligence community signalling it treats the risk as operational, not theoretical.

Operational read: Map what AI tooling has access to sensitive networks now, before the advisory ages. Apply least-privilege controls to AI-adjacent system interfaces; governments and critical infrastructure are explicitly named as primary targets.

World Leaks Ransomware: Tata Electronics, Apple and Tesla Supply Chain

Ransomware group World Leaks published roughly 630 GB (around 200,000 files) from Tata Electronics on 22 June, including iPhone circuit board inspection standards and Tesla Model 3 component drawings (Reuters, 22 June; TechRepublic; BankInfoSecurity). A ransom demand went to Apple; Tata confirmed a cybersecurity incident and Apple’s cyber team confirmed an active investigation. Assembly-level technical drawings in the wild represent a direct competitive and manufacturing security exposure.

Operational read: OEM-tier partner security is now a material attack surface. Any organisation holding detailed supplier technical documentation should audit access controls and data classification on that material.

Operation Endgame: Amadey and StealC Networks Dismantled

A two-week joint operation concluded 24 June with 326 servers and 142 domains taken down, 27 million stolen credentials recovered, and roughly $47 million (€41 million) in cryptocurrency flagged (The Hacker News, 24 June; ESET; Europol). Partners included Bitdefender, Bitsight, Microsoft, and law enforcement from the Netherlands, Canada, Germany, and the US. The SocGholish, Amadey and StealC networks operated as a shared infostealer-to-ransomware pipeline, with the credential harvest feeding downstream ransomware staging and financial fraud. Few operations at this scale recover credentials in volume.

Operational read: 27 million credentials now in law enforcement hands will flow to breach notification services. Check your domains against haveibeenpwned and comparable monitoring; this dataset is large enough to contain enterprise accounts at most organisations.

LastPass: Support Data Exposed via Klue OAuth Breach

Attackers compromised Klue, a competitive intelligence SaaS vendor, and abused its OAuth tokens to reach LastPass’s Salesforce CRM environment, exfiltrating names, email addresses, phone numbers, physical addresses, and support case contents. LastPass has not disclosed how many customers were affected; the company reported around 33 million total users as of 2024 (TechCrunch, 23 June; BleepingComputer). Password vaults were not accessed. Reporters drew parallels to the Salesloft Drift and Gainsight compromises, which followed the same third-party OAuth-abuse playbook; the vector, a trusted OAuth integration between a smaller vendor and a large CRM, is now a documented recurring attack pattern.

Operational read: Audit third-party OAuth grants to your CRM and support tooling. If Klue is in your vendor stack, treat user contact data as compromised.
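One way to run that grant audit, as an added example that is not from the digest or any vendor's tooling: it triages a constructed inventory of CRM integrations into revoke and review queues. The record fields, scope strings, app names other than Klue, and the 90-day staleness threshold are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory of third-party OAuth grants into a CRM.
# Field names and scope strings are hypothetical, not a real export schema.
GRANTS = [
    {"app": "Klue", "scopes": ["api", "refresh_token"], "last_used": "2026-06-20", "owner": "sales-ops"},
    {"app": "ExampleDialer", "scopes": ["full", "refresh_token"], "last_used": "2026-06-24", "owner": "support"},
    {"app": "OldSurveyTool", "scopes": ["api"], "last_used": "2025-11-02", "owner": "marketing"},
    {"app": "ExampleChatWidget", "scopes": ["api"], "last_used": "2026-06-22", "owner": None},
    {"app": "ExampleBI", "scopes": ["api"], "last_used": "2026-06-23", "owner": "finance"},
]

BROAD_SCOPES = {"full"}                                   # assumed "everything" scopes
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}   # token outlives the session
ADVISORY_VENDORS = {"klue"}                               # vendor named in the digest
STALE_AFTER = timedelta(days=90)                          # assumed "unused" threshold
REVOKE_ON = {"vendor-compromised", "over-permissioned", "unused"}


def audit_grant(grant, today):
    """Return the list of findings for one grant record."""
    findings = []
    scopes = set(grant["scopes"])
    if grant["app"].lower() in ADVISORY_VENDORS:
        findings.append("vendor-compromised")
    if scopes & BROAD_SCOPES:
        findings.append("over-permissioned")
    if today - date.fromisoformat(grant["last_used"]) > STALE_AFTER:
        findings.append("unused")
    if not grant.get("owner"):
        findings.append("no-owner")        # nobody accountable for the integration
    if scopes & LONG_LIVED_SCOPES:
        findings.append("long-lived-token")
    return findings


def audit(grants, today_iso):
    """Map app name -> {"action", "findings"} for every grant with findings."""
    today = date.fromisoformat(today_iso)
    report = {}
    for grant in grants:
        findings = audit_grant(grant, today)
        if findings:
            action = "revoke" if REVOKE_ON & set(findings) else "review"
            report[grant["app"]] = {"action": action, "findings": findings}
    return report


if __name__ == "__main__":
    for app, result in audit(GRANTS, "2026-06-25").items():
        print(f"{result['action']:7} {app:18} {', '.join(result['findings'])}")
```
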

Other Security Developments This Week

Microsoft confirmed CVE-2026-50656, dubbed “RoguePlanet,” a race condition in the Defender malware-protection engine granting full system-level (SYSTEM) access on Windows 10 and 11; it is under active exploitation, with a patch in progress as of mid-June (Help Net Security; Qualys; PCWorld). KDDI Japan disclosed that 14.2 million managed email credentials across six ISPs using its hosted infrastructure were exposed (The Register, 24 June). Meta paused its Model Capability Initiative employee-monitoring AI program after a Severity 2 internal incident exposed staff keystroke and activity data company-wide (BBC; The Guardian; Wired, 23 June). The Taiko Ethereum L2 bridge lost an estimated $1.7 million after attackers extracted the SGX enclave signing key to generate fraudulent bridge release proofs (CoinDesk; Decrypt, 22 June).


Norway and the Nordics

Marius Borg Høiby Convicted, Four Years

The Oslo court handed Marius Borg Høiby, son of Crown Princess Mette-Marit, a four-year prison sentence for rape and domestic violence on 15 June (The Guardian; BBC; Reuters). The conviction matters here for the international media cycle it reactivates, returning the Norwegian royal house to front pages across Europe. The Epstein angle to Mette-Marit was raised in coverage of the trial’s opening in February, not in the verdict reporting.

Russian Tu-160 Bombers: Norwegian F-35s Scrambled

Two Russian Tu-160 nuclear-capable strategic bombers, escorted by MiG-31 interceptors from the Kola Peninsula, conducted a 16-hour patrol over the Barents and Norwegian Seas on 22-23 June, including an aerial refuelling exercise in international airspace (Reuters; Barents Observer; AeroTime). Norwegian F-35s scrambled from Evenes Air Station; the aircraft subsequently tracked past the UK coastline near Shetland. NATO intercepted similar Russian Arctic patrols 41 times in 2025. Norwegian Defence Minister Tore O. Sandvik separately warned this week that Russia is seeking control of the Bear Gap, the waterway between Bear Island and Norway’s northern mainland, which would give Russian submarines Norwegian Sea access and hypersonic missile range to the UK and Denmark (The Conversation, 24 June).

Ramstein Flag 26 and HMS Prince of Wales

US Marine Corps F-35Bs conducted STOVL operations from a Finnish public highway at Tervo during NATO Ramstein Flag 26, the first time the manoeuvre was executed from Finnish road infrastructure, demonstrating dispersed air warfare doctrine for a scenario in which main airbases have been destroyed (Finnish Air Force; UK Defence Journal). HMS Prince of Wales diverted to Stavanger, Norway, for repairs during the exercise’s Arctic phase, described officially as a minor technical issue (Navy Lookout; UK Defence Journal, 22 June). The carrier’s reliability record accumulates another entry.


Regulatory and Policy

US Troop Review and UDCG Arms Package

US Defense Secretary Pete Hegseth announced a six-month Pentagon review of American forces in Europe at NATO headquarters on 19 June, covering allied defense contributions, US base access, and European military posture (AP News, 19 June). At the Ukraine Defense Contact Group the same weekend in Brussels, allies pledged roughly $4 billion in arms, including approximately $1 billion for Patriot missile systems; Norway, Germany, the Netherlands, Latvia, Lithuania, Denmark, Luxembourg, Croatia, Sweden, Iceland, and Australia contributed to a procurement fund, while the UK committed roughly 150,000 Ukrainian-produced drones and air-defence missiles (Ukrinform; Kyiv Independent). German Chancellor Merz pledged to “strengthen the European pillar.”

Russia Sanctions: UK, EU, and G7

The European Council extended existing Russia sanctions for a further 12 months at the Brussels summit on 19-20 June (Sofia Globe). The UK sanctioned Yandex Bank, two additional financial institutions, and around 27 ships facilitating Russian oil and gas exports as part of a shadow-fleet disruption (Reuters, 15-22 June). At the G7 summit in Évian-les-Bains on 15-17 June, Trump signalled plans to reimpose sanctions on Russian oil shipments; the UK timed its shadow-fleet action to run in parallel (AP; Reuters). The US Senate passed a war powers resolution on 23 June requiring Congressional approval before further military action against Iran (Reuters; KCCI).

EU AI Act: 38 Days to Enforcement

General provisions enforcement under the EU AI Act is 38 days away, on 2 August 2026. High-risk system operators should be completing conformity assessments and documentation now.


Epstein

Presumption of innocence applies to all named individuals. All items are from public reporting and official document releases. The Jagland and Rød-Larsen material is handled in depth, with the necessary context, in FTRCRP’s investigation; the summary below stays inside the same limits.

Mette-Marit: Conviction Reactivates Coverage

The Marius Borg Høiby verdict (see Norway section, 15 June) returned royal-family coverage to The Guardian, BBC, and Reuters. The Mette-Marit-Epstein angle itself was raised earlier, in February’s trial-opening coverage, not in the verdict reporting. No new documentation on Mette-Marit’s own Epstein ties emerged this week.

Rød-Larsen and Jagland: DOJ Datasets 9-11 Cross-Referenced

Public DOJ Epstein disclosure datasets 9-11, released under the Epstein Transparency Act and reported on by E24, Aftenposten, Nettavisen, Filter Nyheter, and NRK, contain a sequence of documents with direct Nordic evidentiary weight. The documents show access and channels, not abuse; no one named is indicted or convicted.

On Terje Rød-Larsen: a December 2015 email shows Epstein accountant Richard Kahn confirming “yes. wired” in response to Epstein asking whether “terje money get wired,” characterised by E24 (5 February 2026) as a $250,000 transfer (the figure is E24’s and does not appear in the email). A 2018 document involves Norwegian lawyer Kåre I. Moljord and a DnB 25-million-kroner mortgage with an option, on a property in a chain involving Rød-Larsen. Other documents show Rød-Larsen forwarding a confidential UN briefing on Security Council resolution 1559 (received from UN official Fabrice Aidan) to Epstein, and forwarding IPI expense records and Gates Foundation polio materials in 2013 (DN, Aftenposten, Filter Nyheter).

On Thorbjørn Jagland, two of the lines in the documents are context-locked: the documents establish only that the words were written, the meaning is not established, and FTRCRP draws no conclusion from them. In a May 2012 email Jagland wrote “I have been in Tirana (Albania) extraordinary girls”; the document shows no abuse and no sexual act, and we build nothing on the words. A second line, from January 2013, appears inside an email about a family holiday (his wife’s 60th birthday) and becomes a different statement entirely once torn from that context, so we do not excerpt it here; it is handled in full in FTRCRP’s investigation. The clearer items: a 2013 email shows Epstein pitching Jagland on brokering a Putin meeting around “reinventing the financial system,” with Jagland replying that his “job is to get a meeting” (no meeting is documented as having taken place); and a June 2018 email shows Epstein, as the sender, suggesting Lavrov as a contact and noting “vitaly churkin used to. but he died,” with Jagland as the recipient, not shown to have acted on it (NRK for Jagland context; CBC, Politico, The Dial for document identifiers).

These are primary sources from the publicly released DOJ datasets. Several items reported in Norwegian press, including a Rød-Larsen Paris apartment arrangement, the “du er min helt” SMS, and a Jagland Oslo housing arrangement, are not present in the currently released datasets.


Conflicts

Ukraine: Deepest Strikes Yet, Moscow Fuel Crisis

On 18-19 June, a large wave of Liutyi long-range kamikaze drones struck the Kapotnya oil refinery outside Moscow, the largest single drone attack of the war, producing what eyewitnesses described as black rain over the city and disrupting four Moscow airports for hours (The Guardian; Reuters; AP). On 20 June, Fire Point drones struck the Tyumen refinery approximately 2,000 kilometres from Ukraine’s border, with Zelenskyy confirming the operation. Drone strikes on the Crimean Bridge and Kerch oil depot followed 21-22 June, halting fuel sales in Russian-held Crimea. The campaign has produced Russia’s worst nationwide fuel shortages in years, affecting at least 55 of 83 federal entities, with Kapotnya offline until at least year-end. Putin warned of “massive coordinated strikes on a regular basis”; Medvedev raised nuclear threats (Reuters; RFERL; Forbes).

Iran-US Ceasefire Talks in Switzerland

Negotiations in Switzerland, mediated by Pakistan and Qatar, ran through the week toward a 60-day ceasefire extension but were repeatedly disrupted by Israeli strikes on Lebanon (Al Jazeera; Reuters; CNN). VP JD Vance led the US delegation; Iran was represented by parliament speaker Mohammad Bagher Ghalibaf and Foreign Minister Abbas Araghchi. Iran closed the Strait of Hormuz multiple times during the week, citing the Lebanon strikes as ceasefire violations. Trump threatened resumed bombing in a Fox News interview while Vance was at the table; Iran’s delegation lodged a formal complaint. The US Senate passed its war powers resolution capping unilateral presidential military action against Iran on 23 June.

Israel-Hezbollah; Russia Presses Belarus; Yabloko Jailing

Israel conducted multiple rounds of airstrikes on southern Lebanon during the week, killing at least 15 on 19 June; the UN tracked 4,057 deaths and 12,121 injuries in southern Lebanon since 2 March (Al Jazeera; Times Now). Zelenskyy gave Belarus a one-week ultimatum on 24 June to remove Russian military equipment or face military action, as Moscow pressed Lukashenko to open a second front (WSJ; Reuters). A deputy leader of Russia’s Yabloko party received a seven-year sentence for social media posts on the same day, charged with spreading false information about the Russian army (Reuters, 24 June).


By the Numbers

| Figure | Context |
|---|---|
| 630 GB | Tata Electronics data posted by World Leaks ransomware |
| 33 million | LastPass total users as of 2024 (affected count undisclosed; Klue OAuth breach) |
| 326 servers, 142 domains | Taken down in Operation Endgame |
| 27 million | Stolen credentials recovered, Operation Endgame |
| $47 million | Cryptocurrency flagged, Operation Endgame |
| 14.2 million | KDDI managed email credentials exposed |
| $1.7 million | Taiko Ethereum L2 bridge losses |
| 2,000 km | Strike range demonstrated, Tyumen refinery |
| 55 of 83 | Russian federal entities hit by fuel shortages |
| $4 billion | NATO UDCG arms pledges for Ukraine, this round |
| $250,000 | Rød-Larsen wire characterised in DOJ dataset coverage (E24) |
| 38 days | To EU AI Act general enforcement, 2 August 2026 |

What to Do This Week

  1. Review AI access to sensitive systems. The Five Eyes advisory names governments and critical infrastructure as primary targets. Map what AI tooling touches your sensitive networks and apply least-privilege access controls before this week’s advisory ages into background noise.
  2. Audit third-party OAuth grants. The Klue-to-LastPass vector is clean and replicable. Review all SaaS-to-CRM OAuth connections and revoke anything unused or over-permissioned.
  3. Check breach exposure from Endgame recovery. 27 million credentials will flow to notification services. Run your domains against haveibeenpwned and equivalent monitoring; this dataset is large enough to contain enterprise accounts across most organisations.
  4. Track CVE-2026-50656 (Defender RoguePlanet). The zero-day affects all Windows 10 and 11 systems and is under active exploitation, with a patch in progress. Monitor Microsoft’s security update channel and apply the patch the moment it ships; full system access via a race condition in a security product is an urgent exposure.
  5. EU AI Act, 38 days. If you operate high-risk AI systems in the EU, conformity assessments and technical documentation should be complete. The 2 August 2026 deadline does not extend.

Researched against the local SearXNG instance and cross-checked against named open-source outlets. Presumption of innocence applies throughout the Epstein coverage; the Jagland and Rød-Larsen material is treated in full in FTRCRP’s investigation.

Sources this issue: Reuters, The Economist, The Guardian, AP, Gizmodo, The Hacker News, ESET, Europol, BleepingComputer, TechCrunch, TechRepublic, BankInfoSecurity, The Register, PCWorld, Help Net Security, Qualys, FirstPost, CoinDesk, Decrypt, Barents Observer, AeroTime, UK Defence Journal, Navy Lookout, Finnish Air Force, E24, Aftenposten, Nettavisen, Filter Nyheter, NRK, CBC, Politico, The Dial, Sofia Globe, Ukrinform, Kyiv Independent, Al Jazeera, CNN, WSJ, RFERL, Forbes, The Conversation, KCCI, BBC, Wired, Times Now.

Issue 021, weeks 25-26, 25 June 2026

AI disclosure

This article is generated by an automated pipeline that handles source collection, summarisation, and drafting end-to-end. Human review is light-touch and limited to publication gating. Editorial responsibility: Thomas A. Kleppestø.

Pipeline stages: fetch, summarise, draft.