U.S. intelligence agencies have continued to deploy Anthropic’s new Mythos Preview model even after the Department of Defense designated the company a ‘supply‑chain risk’, multiple reports said on April 19-20, 2026. Sources told Axios and other outlets that the National Security Agency — part of the DoD — is among roughly 40 organisations given access to the model and is using it more widely inside the department. Mythos, which Anthropic describes as especially capable at coding and cybersecurity tasks, is being used primarily to scan for vulnerabilities and strengthen defenses, according to users. The development comes as Anthropic’s CEO Dario Amodei met senior White House and Treasury officials for what both sides called a “productive” discussion about the model and wider AI safety and security issues. The move follows a broader standoff: the Pentagon has sued and pressed vendors to sever ties after Anthropic resisted allowing its models to be used for mass domestic surveillance or autonomous weapons. Banks and finance officials have also been urged to test systems for risks tied to Mythos, amid warnings from analysts and think tanks that the model could materially change the cyber threat landscape.

Multiple U.S. government sources and reporting on April 19-20, 2026 say agencies including the National Security Agency are using Anthropic’s most capable model, Mythos Preview, even after the Department of Defense designated the company a “supply-chain risk.” Anthropic has limited Mythos access to roughly 40 organisations via Project Glasswing — a vetted coalition of private firms and some government partners — and sources say the NSA is among the unnamed users. Agencies and private participants are mainly using Mythos to scan networks and find high‑severity software vulnerabilities; Anthropic and analysts warn the same capability could dramatically lower the skill floor for offensive cyber operations. The White House held a “productive and constructive” meeting with Anthropic CEO Dario Amodei on April 17–18 to discuss Mythos, while the company continues litigation with the Pentagon over the blacklist. Treasury officials and major banks have been urged to test systems against potential AI‑enabled threats. Officials and experts are debating whether narrow, controlled access can mitigate the dual‑use risks posed by a model that accelerates vulnerability discovery and exploit development.

Vercel, the U.S. cloud platform behind Next.js, disclosed a security incident on April 19–20, 2026 after attackers used a compromised third‑party AI application's Google Workspace OAuth credentials to access internal systems. The company said a limited subset of customers had credentials exposed after an attacker gained access to Vercel environments and enumerated environment variables that were not flagged as “sensitive.” Vercel published an indicator-of-compromise (OAuth client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) and said it is working with Google‑owned Mandiant, other cybersecurity firms and law enforcement. Context.ai — the third‑party AI tool implicated — has acknowledged an earlier March AWS incident and likely OAuth token compromise. A threat actor claiming to be ShinyHunters posted data for sale and asked about $2 million, but Vercel says its open‑source projects (Next.js, Turbopack) remain safe and that “sensitive” environment variables, which are encrypted at rest, show no evidence of access. Vercel has contacted impacted customers and urged rotation of unprotected secrets, review of activity logs, and tighter OAuth and environment‑variable protections.

Security vendors on April 18, 2026, warned of a new Mirai-family botnet called Nexcorium that exploits a command-injection flaw (CVE-2024-3721) in TBK DVR models — primarily DVR-4104 and DVR-4216 — to build large-scale DDoS botnets. Fortinet FortiGuard Labs and other researchers found attackers delivering a downloader script that fetches multi-architecture payloads (ARM, MIPS, x86-64), then establishes persistence via modifications to /etc/inittab, /etc/rc.local, systemd services and cron jobs. Nexcorium embeds XOR-encoded configuration data, supports multiple flood types (UDP, TCP SYN/ACK, SMTP and others), includes brute-force Telnet credentials and reuses older exploits such as CVE-2017-17215 to broaden its reach. Unit 42 and others also observed scans targeting end-of-life TP‑Link routers; CISA had previously listed related flaws in its Known Exploited Vulnerabilities catalogue. Researchers note the campaign bears markers referencing a so‑called “Nexus Team.” Organisations are advised to patch or decommission vulnerable devices, remove default credentials, apply network segmentation and monitor for abnormal outbound connections to known C2 domains.

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in the U.S. Central District of California to conspiracy to commit wire fraud and aggravated identity theft for his role in a phishing campaign that stole at least $8 million in virtual currency. Prosecutors say Buchanan and co‑conspirators ran the scheme from September 2021 to April 2023, sending hundreds of spoofed text messages that directed employees to fraudulent websites and captured login credentials. Stolen credentials and cryptocurrency seed phrases were reportedly shared on a Telegram channel administered by Buchanan. Court documents say the group targeted telecoms, IT suppliers, cloud communications firms, virtual asset companies and individuals — impacting at least a dozen companies and, in some filings, as many as 45 victims across the United States, Canada, India and the United Kingdom. Police Scotland assisted the FBI. Buchanan has been in U.S. custody since April 2025 and faces a maximum sentence of 22 years at a sentencing hearing set for Aug. 21. Several alleged co‑conspirators remain charged in U.S. courts; one has already pleaded guilty and been sentenced.

Nicholas Moore, a 25-year-old Tennessee man who admitted repeatedly accessing the U.S. Supreme Court’s electronic filing system and the networks of AmeriCorps and the Department of Veterans Affairs, was sentenced to 12 months of probation on April 17, 2026. Moore pleaded guilty in January to a misdemeanor count of fraud and related activity in connection with computers, admitting he used stolen login credentials to view and sometimes post victims’ personal information to an Instagram account called @ihackedthegovernment. Prosecutors said he accessed the Supreme Court e-filing account on more than 25 days in 2023 and revealed details from other federal systems, including phone numbers and medical data, but reported no financial losses. The Justice Department recommended probation rather than incarceration, characterizing Moore as a “vulnerable young man” with long-term disabilities; prosecutors had sought up to 36 months of probation while the defense sought 12 months. U.S. District Judge Beryl Howell imposed the 12-month probation term and did not order prison time or fines at sentencing.