All episodes
Week of Jun 1, 2026

Threat Vectr Weekly — week of Jun 1

13 min

Stories covered this week

Transcript

Narrated by two AI anchors. Lightly formatted for reading.

Marcus

Welcome to Threat Vectr Weekly for the week of June first. I'm Marcus, and we have a packed ten minutes for you today. We're covering the Laravel supply chain attack that may have hit your CI pipeline without you ever knowing it, Microsoft's first zero-day-free Patch Tuesday in two years and what might be behind it, Anthropic wiring Claude directly into enterprise security stacks, and India just dropped a twelve-hour patch deadline on critical vulnerabilities. That's just the start. Let's get into it.

Marcus

First up, a new open-source project is trying to solve one of container security's most annoying daily problems: the fact that if you run three different image scanners against the same Docker image, you will often get three different answers about what's actually wrong. DockSec, now an OWASP incubator project, sits on top of scanner output from tools like Trivy, Grype, and Snyk, correlates the findings, and tries to generate a single actionable verdict, including specific Dockerfile edits written in plain English. Engineers in the container space have been calling this mess 'alert soup' for years, and the pitch here is real. The catch is the AI component. DockSec claims it can produce exact Dockerfile fixes, and that is a very specific promise. AI-generated code suggestions have a documented tendency to be syntactically correct but contextually wrong, and in a Dockerfile that can mean quietly shipping a misconfigured image to production. OWASP's project team had not answered questions about validation or red-team testing by the time we recorded. Worth watching, but verify before you trust the output.

Elena

That validation gap is the whole story, isn't it. 'It looks right' and 'it is right' are two very different things when you're building container images at scale. Speaking of learning to do things right, there is a free on-demand security summit now available covering threat detection and incident response. No single CVE driving it, no named threat actor, just a structured library of sessions on detection engineering, alert triage, and post-incident analysis. The sessions are genuinely solid, especially the incident response material around reducing mean time to detect and mean time to respond. But here is the honest caveat: the gap between watching a session on IR frameworks and actually having documented playbooks your team can execute at two in the morning is enormous. If your team has not yet formalised detection logic or written response runbooks, this is worth your time. If you already have that foundation, you will be excavating for the specific gems. Either way, free is a good price. Link is in the newsletter.

Marcus

Digging for gems is honestly how I'd describe most conference content. Now, Anthropic had a big week. Two separate stories, and they are worth treating separately. First, the company announced twenty-eight new enterprise security integrations for Claude, connecting it directly to platforms including CrowdStrike Falcon, Palo Alto Networks, Microsoft Defender, Okta, Zscaler, Netskope, Cloudflare, Fortinet, and Wiz. The idea is to make Claude an operational layer inside security workflows, not just a chat window you paste alerts into. It spans endpoint detection and response, cloud security posture management, identity and access management, and secure access service edge. That is a serious stack. The caveat Anthropic did not address in its announcement is compatibility. Enterprises running older Okta or Zscaler contract tiers may find some of these integrations unavailable to them. CrowdStrike declined to comment on the depth of their integration. Palo Alto pointed to existing disclosures. The direction is significant, but the fine print matters before you start routing live alert data through it.

ElenaSponsored

A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.

Elena

And now, the story I'd put at the top of the list for anyone running Laravel applications or any PHP project with Composer dependencies. The laravel-lang slash lang package was backdoored. Attackers gained write access to the GitHub repository and re-pointed existing version tags at new commits that included a malicious post-install script. When Composer ran, it executed that script with whatever privileges the developer or CI runner had, and harvested credentials from the build environment. This is not a typosquat. This is not a phishing attack on a maintainer account in the usual sense. The attackers rewrote history on tags that already had trust. The window ran from roughly the tenth of November until an emergency rollback. Here is what makes this especially dangerous: laravel-lang is a transitive dependency, meaning most affected developers never typed its name in their own config file. It came along for the ride inside starter kits and admin panels. If you run any Laravel project, check your lock file, rotate any credentials that lived in your build environment during that window, and if you are not passing the no-scripts flag in CI, now is the time to revisit that.

Marcus

Credential rotation from your build environment is not optional here, and that supply chain attack pattern is becoming the norm. Let's move to Lithuania, where authorities are investigating a data breach that exposed more than six hundred thousand entries from national civil registration databases. That number represents roughly one fifth of Lithuania's entire population. Exposed records may include names, national identification numbers, addresses, and civil status information. Officials have said they suspect a foreign state or foreign-linked actor, though no specific country has been named publicly. No ransomware group has claimed it. Lithuanian authorities have not characterized it as a ransomware event. The pattern, data collection rather than extortion, is consistent with intelligence-gathering operations, and Lithuania has previously attributed cyberattacks to groups operating out of Russia and Belarus. The country sits on NATO's eastern flank and is a routine target for exactly this kind of operation. The method of exfiltration has not been disclosed while the investigation is ongoing.

Elena

State-sponsored data collection at population scale, and we still don't know how they got in. That should make every government database operator uncomfortable. Now, over to something that caught the whole industry's attention this week: Microsoft's Patch Tuesday shipped fixes for one hundred and eighteen vulnerabilities, and for the first time in roughly two years, not one of them was a zero-day under active exploitation. Sixteen are rated critical. None were previously publicly disclosed. The lead vulnerability is a stack-based buffer overflow in Windows Netlogon, CVE-2026-41089, which gives an unauthenticated attacker SYSTEM-level access on a domain controller with low complexity and no user interaction required. That patches back to Windows Server 2012. Rapid7 also flagged an Entra ID bypass via forged credentials that Microsoft itself rates as exploitation more likely, and a DNS client remote code execution rounding out the top three. Patch those three this week. Do not wait for your regular cycle.

Marcus

And here is the thread running underneath that Patch Tuesday story that nobody is being fully transparent about. A project called Glasswing, built by Anthropic, is a code-auditing capability that a number of large software vendors have been given access to. Microsoft acknowledged participation in a single sentence and would not say how many of this month's one hundred and eighteen fixes came from Glasswing findings versus internal security work. Apple and Oracle also declined to discuss it on the record. The fact that this is the first zero-day-free Patch Tuesday in two years, in the same month Glasswing is surfacing in vendor briefings, is not a coincidence anyone is willing to confirm on the record. That is itself worth noting.

Elena

Which brings us to the second Anthropic story this week, and it connects directly to that Glasswing thread. Anthropic's AI-assisted code analysis system called Mythos has flagged approximately twenty-three thousand potential vulnerabilities across one thousand open-source software projects. Many of those findings have been confirmed as critical or high-severity, and the total is expected to keep climbing. The question Anthropic has not answered publicly is which projects were scanned, how many findings have been assigned CVE identifiers, and whether any confirmed vulnerabilities were exploited before disclosure. Three questions, sent May twelfth, one holding reply, no answers. Katie Moussouris of Luta Security has argued publicly that mass automated scanning divorced from coordinated disclosure infrastructure does more harm than good when the volume of findings outpaces maintainers' ability to respond. Twenty-three thousand flags across one thousand repositories averages twenty-three per project. That is either very thorough scanning or a false-positive rate doing a lot of work in that headline number. Anthropic has not separated the two at any granular level, and that distinction matters enormously.

Marcus

It really does, and until we see confirmed versus unconfirmed broken out, that number should be treated with appropriate skepticism. And that brings us to our final story, which in some ways is the logical conclusion of everything we have discussed today. India's Computer Emergency Response Team, CERT-In, has issued a directive telling operators of internet-facing systems to patch critical vulnerabilities within twelve hours. Not forty-eight hours. Not a week. Twelve hours. The justification is direct: attackers are now using large language models and AI agents to automate vulnerability discovery and exploit building, and the old patching cadences have become a luxury defenders cannot afford. Researchers at Palo Alto Networks and GreyNoise have documented mass exploitation of newly disclosed bugs within hours of a public proof of concept dropping. The Citrix Bleed Two vulnerability saw opportunistic scanning before some customers had even read the advisory. CERT-In is responding to a real compression of the attacker's timeline. The guidance includes maintaining real-time asset inventories, pre-approving emergency change procedures, and having tested rollback capability ready before you patch, not after. The twelve-hour window has a 'where feasible' qualifier, but regulators who write that language tend to ask questions when feasibility is claimed for a system that had no documented patch process at all.

Marcus

That is going to do it for Threat Vectr Weekly. Thank you for spending ten minutes with us. All of the stories we covered today, including links to the DockSec project, the Laravel-lang advisory, the full CVE list from Microsoft's Patch Tuesday, and the CERT-In directive, are in the newsletter at threatvectr dot com slash newsletter. Subscribe now so next week's briefing lands in your inbox the moment it drops. Stay patched, stay skeptical, and we will see you next week.

© 2026 Threat Vectr