AI and Cybersecurity: The Internet Is Getting More Dangerous

Four serious security incidents in the past 30 days — cPanel CVE-2026-41940, the Canvas LMS breach affecting 275 million users, the Linux kernel Copy.Fail and Dirty Frag flaws — all followed the same pattern: the vulnerability was being exploited at scale before, or on the same day as, public disclosure. That isn't a coincidence. AI tooling is collapsing the window between "a vulnerability is discovered" and "a patch is shipped." If you run any website, email account, or company data, update your operating systems, browsers, and control panels to the latest versions immediately, and make sure you have an off-site backup you can actually roll back to.

AI tooling is collapsing the safety window between a vulnerability being discovered and being exploited at scale, making the internet less safe with every passing month.

What happened in the last 30 days

| Event | Date | Impact |
| --- | --- | --- |
| cPanel CVE-2026-41940 authentication bypass | Exploited from ; disclosed | ~1.5 million cPanel servers, CVSS 9.8. Attackers log in without username or password |
| Copy.Fail (CVE-2026-31431) Linux kernel LPE | Disclosed | All major Linux distributions since 2017. A 732-byte Python script escalates an unprivileged user to root |
| Canvas LMS breach by ShinyHunters | | 8,809 institutions, ~275 million users. Instructure reportedly paid USD $10M in ransom |
| Dirty Frag (CVE-2026-43284, 43500) Linux kernel | | Covers about 9 years of kernel versions. Public exploit code released before patches |

The "safety buffer" we used to rely on is gone

After managing several hundred client sites over the years, 5U Website has gotten used to the cadence of security updates. The past month forces a re-think. The old playbook used to work like this: a security researcher quietly finds a vulnerability, contacts the vendor, the vendor builds a patch, an update ships a few weeks or months later, and by the time the CVE goes public, most operators have patched. CISA, NVD, and the coordinated-disclosure ecosystem exist precisely to keep the white hats a few steps ahead of the black hats.

That playbook is breaking. Anthropic released Claude Mythos Preview on — a general-purpose model, not designed for security work — and in internal evaluation found that Mythos can find a 27-year-old remote-crash bug in OpenBSD, a 16-year-old flaw in FFmpeg, and chain several Linux kernel bugs together to escalate from unprivileged user to full machine control. In seven weeks, Mythos found roughly 2,000 previously unknown vulnerabilities, in every major operating system and browser.

To make that concrete:

  • Mozilla let Anthropic's Claude Opus 4.6 run against Firefox for two weeks in . It surfaced over 100 bugs and 22 high-severity CVEs. Firefox 148 shipped the fixes.
  • Mythos returned in and found 271 more previously unknown Firefox vulnerabilities, more than human research teams had found in the prior 18 months combined. Firefox 150 patches all 271 in one release.
  • The Copy.Fail Linux kernel zero-day in the table above was first surfaced by an AI tool called Xint Code: "one operator prompt, no harnessing, about an hour of scan time."

Here's the problem. Finding bugs is something white hats and black hats both do. Once AI compresses "find a previously unknown vulnerability" from months down to about an hour, both sides get that capability at the same time.

What Anthropic is doing about it: Project Glasswing

Anthropic has been publicly clear that a model with Mythos-level capability released directly to the public would be unsafe. They've done three things:

  1. Mythos is not being released to the public for now. Access is limited to vetted partners through Project Glasswing, who use the model to patch vulnerabilities in their own products before similar capabilities go mainstream.
  2. They launched Project Glasswing in . Initial partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Verizon joined on .
  3. They committed USD $100M in model usage credits for Glasswing participants to scan the critical code they maintain and patch known vulnerabilities at scale.

But Anthropic is also clear-eyed about one thing: anything they can build, other labs can build. Glasswing isn't buying us "permanent safety." It's buying a few months of head start. Once comparable models from other labs ship, the world gets less safe again.

What ordinary small businesses should do

Most of 5U Website's clients are small businesses here in Vancouver. We don't recommend waiting on this round of CVEs. What we tell our clients is straightforward:

1. The "we're too small to be a target" assumption is dead. That used to be a reasonable bet. It isn't anymore. Attackers now sweep entire IP ranges with AI tooling faster than you can grab a coffee. The Canvas LMS breach hit top-100 American universities and several-hundred-student community colleges in the same sweep. Automated attacks don't filter by org size.

2. Update operating systems and browsers as soon as a new version ships. The old advice to "wait a few weeks for the dot-x release before upgrading" was reasonable. It isn't now. Firefox 148 fixed 22 CVEs, Firefox 150 fixed 271. A month's delay is a month exposed. Same for iOS, Android, Windows, and macOS.

3. Run only the latest officially supported server stack. Using cPanel? Check your version today. Site running on a Linux server? Ask your host what kernel version you're on, and whether Copy.Fail and Dirty Frag have been patched. If the answer is vague, that is the answer.

4. Have a backup you can actually roll back to. Local RAID is not a backup. Your hosting provider's "automatic backup" is not a backup either, because if they get breached your snapshots go with them. You need off-site, encrypted, and occasionally tested. For the full playbook — 7+3+12 restore points plus write-only remote storage — see our backup strategy guide.
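
A retention rule like the 7+3+12 scheme in point 4 can be written as a small selection function that decides which restore points survive pruning. This is an added example, not 5U Website's own tooling; it assumes 7+3+12 means 7 daily, 3 weekly and 12 monthly restore points (the page does not define the split), and the function names and sample timestamps are constructed.

```python
from datetime import datetime, timedelta

def select_restore_points(stamps, daily=7, weekly=3, monthly=12):
    """Return the backup timestamps to keep, newest first.

    Assumed reading of "7+3+12": 7 daily, then 3 weekly, then 12 monthly
    points. Each coarser tier only fills periods that no already-kept
    point falls in, so a full history yields 22 distinct restore points.
    """
    tiers = [
        (daily, lambda t: t.date()),
        (weekly, lambda t: t.isocalendar()[:2]),   # (ISO year, ISO week)
        (monthly, lambda t: (t.year, t.month)),
    ]
    keep = []
    remaining = sorted(set(stamps), reverse=True)  # newest first
    for quota, bucket in tiers:
        covered = {bucket(k) for k in keep}        # periods already represented
        filled, rest = set(), []
        for t in remaining:
            b = bucket(t)
            if b not in covered and b not in filled and len(filled) < quota:
                filled.add(b)
                keep.append(t)   # newest backup in a not-yet-covered period
            else:
                rest.append(t)   # candidate for the next, coarser tier
        remaining = rest
    return sorted(keep, reverse=True)

def prune_plan(stamps, **quotas):
    """Split a backup history into (keep, delete) lists, newest first."""
    keep = select_restore_points(stamps, **quotas)
    return keep, sorted(set(stamps) - set(keep), reverse=True)

# Constructed sample: one backup per night at 02:00 for 500 nights.
NEWEST = datetime(2026, 5, 15, 2, 0)
HISTORY = [NEWEST - timedelta(days=n) for n in range(500)]

if __name__ == "__main__":
    keep, delete = prune_plan(HISTORY)
    print(f"keep {len(keep)}, delete {len(delete)}")
    for t in keep:
        print(t.date())
```

With write-only remote storage, a plan like this has to be applied by a job running on the storage side, because the backup client's credentials cannot delete anything.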

What 5U Website does on this

For the sites we manage:

  • Within 24 hours of a major CVE being public, we assess impact and apply patches. Copy.Fail and Dirty Frag kernel updates are already rolled out on client servers. cPanel authentication-bypass patches went on immediately.
  • Every managed site has an off-site, encrypted backup. If something goes wrong (ransomware encryption, malicious script injection, defacement), we can roll back to the last clean version.
  • We monitor Anthropic, CISA, NVD, Red Hat, and the vendor advisories continuously. When something new lands, we act on it; we don't wait for a client to ask.

The internet is going to go through a rough transition. Glasswing buying the world a few months ahead of the attackers is genuinely good news; but as a user or site owner, you can't bet your business on those months. Patch what you can patch, back up what you can back up, and don't assume the attackers won't notice you.
