TL;DR
The FBI, working with Google and Black Lotus Labs, dismantled a massive Chinese phishing-as-a-service operation; the Arch User Repository (AUR) supply chain was compromised, with 400+ packages deploying an infostealer and eBPF rootkit; a Splunk Enterprise flaw (CVSS 9.8) allows unauthenticated RCE. All three require immediate attention.
Executive Summary
- FBI, Google, and Black Lotus Labs disrupted “Outsider Enterprise,” an AI-powered phishing-as-a-service platform operating approximately one million phishing URLs targeting credential and payment data.
- Over 400 packages in the Arch User Repository (AUR) were hijacked to deploy a Rust-based credential stealer and eBPF rootkit; developers who built affected packages risked immediate compromise.
- Splunk Enterprise vulnerability (CVE-2026-20253, CVSS 9.8) permits unauthenticated remote code execution; Splunk has released patches.
- Meta's AI support assistant was abused to reset Instagram accounts, including those of the Obama White House and U.S. Space Force Chief Master Sergeant.
- Anthropic took Fable 5 and Mythos 5 models offline globally to comply with U.S. government export control directives prohibiting access by foreign nationals.
Top Threats Today
1. Massive Phishing-as-a-Service Network Dismantled
Severity: HIGH Affected: technology, finance
The FBI, working with Google and Black Lotus Labs, has dismantled a Chinese phishing-as-a-service operation called Outsider Enterprise that operated thousands of phishing websites [1]. The network was used to steal credit card data and passwords at scale [1].
Sources: [1] BleepingComputer
Recommended Action
- Review employee email gateway logs for indicators of phishing campaign exposure
- Enforce multi-factor authentication on all financial and credential accounts
- Alert users to suspicious password reset or account access notifications
2. Arch Linux Supply Chain Hijack: 400+ Packages Compromised
Severity: CRITICAL Affected: technology
Attackers compromised over 400 packages in the Arch User Repository (AUR) and rewrote their build scripts to install a credential stealer on machines that built them [1]. The malware is a Rust binary designed to harvest developer secrets, and when executed with root privileges, it can load an eBPF rootkit [1].
This represents a direct threat to developer workstations and CI/CD systems that consume AUR packages [1]. Developers who built affected packages between the hijacking and discovery are potentially compromised.
Sources: [1] The Hacker News
Recommended Action
- Identify and isolate any systems that built AUR packages during the compromise window
- Revoke all developer credentials and secrets from affected machines
- Regenerate API keys, SSH keys, and authentication tokens across all systems
- Review network access logs from affected developer machines for lateral movement
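A starting point for the first action above: an added triage script (not from the source article or the Arch project) that lists foreign packages, i.e. those not in an official repository as `pacman -Qm` reports them, which were installed, reinstalled or upgraded on a host during a given window, using the host's pacman log. The log lines and foreign-package list below are constructed samples, and the compromise window is an assumed placeholder because the report does not state it.

```shell
#!/bin/sh
# Constructed sample of /var/log/pacman.log lines (not real data).
SAMPLE_LOG=$(cat <<'EOF'
[2026-04-01T08:15:02+0000] [ALPM] installed yay (12.3.5-1)
[2026-04-03T09:00:11+0000] [ALPM] upgraded glibc (2.41-1 -> 2.41-2)
[2026-04-03T09:05:40+0000] [ALPM] installed example-aur-tool (1.2.0-1)
[2026-04-04T14:22:03+0000] [ALPM] reinstalled another-aur-pkg (0.9-3)
[2026-04-06T10:00:00+0000] [ALPM] upgraded example-aur-tool (1.2.0-1 -> 1.2.1-1)
EOF
)

# Constructed stand-in for `pacman -Qm` output ("name version" per line).
SAMPLE_FOREIGN="yay 12.3.5-1
example-aur-tool 1.2.1-1
another-aur-pkg 0.9-3"

# Print, sorted and one per line, the foreign packages that were installed,
# reinstalled or upgraded between START and END (inclusive).
#   $1 = pacman log text   $2 = foreign package list   $3 = START   $4 = END
# START/END are ISO-8601 timestamps without offset, e.g. 2026-04-03T00:00:00,
# so a plain string comparison against the log timestamp orders them correctly.
packages_built_in_window() {
  log=$1; foreign=$2; start=$3; end=$4
  tmp=$(mktemp) || return 1
  printf '%s\n' "$foreign" > "$tmp"
  printf '%s\n' "$log" | awk -v s="$start" -v e="$end" '
    NR == FNR { foreign[$1] = 1; next }   # first input: foreign package names
    $2 == "[ALPM]" && ($3 == "installed" || $3 == "reinstalled" || $3 == "upgraded") {
      ts = substr($1, 2, 19)              # "[2026-04-03T09:05:40+0000]" -> "2026-04-03T09:05:40"
      if (ts >= s && ts <= e && ($4 in foreign)) hits[$4] = 1
    }
    END { for (p in hits) print p }' "$tmp" - | sort
  rm -f "$tmp"
  return 0
}

# On a real Arch host (placeholder window; substitute the published dates):
#   packages_built_in_window "$(cat /var/log/pacman.log)" "$(pacman -Qm)" \
#       2026-04-03T00:00:00 2026-04-05T23:59:59
packages_built_in_window "$SAMPLE_LOG" "$SAMPLE_FOREIGN" \
    2026-04-03T00:00:00 2026-04-05T23:59:59
```

The pacman log only records installs, so a package that was built with makepkg but never installed will not appear; the build step is what ran the rewritten script, so also review makepkg build directories and shell history on the same hosts.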
3. Splunk Enterprise Remote Code Execution (CVE-2026-20253)
Severity: CRITICAL Affected: technology
Splunk Enterprise contains a critical vulnerability (CVE-2026-20253) rated 9.8 on the CVSS scale that allows unauthenticated attackers to conduct remote code execution [1]. Splunk has released security updates to address the flaw [1].
Sources: [1] The Hacker News
Recommended Action
- Apply Splunk security updates immediately to all Splunk Enterprise instances
- Verify all instances are patched before returning to production monitoring
- Monitor Splunk access logs for unauthorized authentication attempts or exploitation activity
4. Meta AI Support Bot Abused to Seize High-Profile Instagram Accounts
Severity: HIGH Affected: government, media
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were defaced with pro-Iranian images and messages after attackers circulated instructions on Telegram showing how to trick Meta’s “AI support assistant” bot into resetting account credentials [1].
Sources: [1] Krebs on Security
Recommended Action
- Review Meta’s official account recovery procedures and avoid the vulnerable AI support flow
- Enable additional authentication factors (phone, security keys) on critical organizational social accounts
- Monitor for unauthorized account activity and recovery requests
5. U.S. Government Orders Anthropic to Take Advanced AI Models Offline
Severity: MEDIUM Affected: technology, government
The U.S. government has ordered Anthropic to disable its most advanced AI models, Claude Fable 5 and Mythos 5, for all users globally after citing national security concerns regarding foreign national access [1]. Anthropic has complied by taking both models offline, though the company disputes the basis for the directive, characterizing the cited jailbreak as narrow and the capability as widely available elsewhere [1][2].
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Audit internal AI model usage policies to reflect updated export control restrictions
- Document any business processes dependent on Fable 5 or Mythos 5 and identify alternatives
- Monitor for official regulatory updates on AI model access and export controls
Today’s Action Checklist
- ☐ URGENT: Patch all Splunk Enterprise instances with the CVE-2026-20253 update immediately
- ☐ URGENT: If your organization uses AUR packages in development, audit and re-secure all developer credentials and systems
- ☐ Notify users of high-risk accounts (financial, email, social media) to check for unauthorized access attempts
- ☐ Review and update account recovery and password reset procedures to reduce reliance on AI support bots
- ☐ Document and alert stakeholders about discontinuation of Fable 5 and Mythos 5 access