Cleartext – June 10, 2026

Wednesday, June 10, 2026·9:47

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 9 stories across 5 topic areas, including: UK weakens proposed telecoms defenses against Chinese hackers after industry pushback; IT sector faces growing threats from IP-hungry China, AI-enabled cybercriminals; Anthropic Offers Mythos Upgrade for Cyber Partners and a ‘Safe’ Version for the Rest of You.

Stories Covered

🌍 Geopolitical

UK weakens proposed telecoms defenses against Chinese hackers after industry pushback

The Record (Recorded Future) · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Industry lobbying successfully diluting Salt Typhoon-era telecoms security requirements sets a concerning precedent for the gap between regulatory intent and actual implementation, directly relevant to CISOs navigating telecom supply chain risk and critical infrastructure partnerships in the UK.

  • UK proposed cybersecurity protections were developed specifically in response to the Salt Typhoon espionage campaign
  • Telecoms companies lobbied against the measures and succeeded in weakening them
  • The rollback reduces mandatory defenses against known Chinese state-sponsored threat actors targeting network infrastructure

IT sector faces growing threats from IP-hungry China, AI-enabled cybercriminals

Cybersecurity Dive · Jun 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: CrowdStrike's annual threat intelligence report quantifying escalating Chinese state-sponsored IP theft against the IT sector, combined with North Korean remote IT worker infiltration schemes, gives CISOs concrete threat data to frame board-level discussions on nation-state risk and insider threat programs.

  • CrowdStrike report identifies the IT sector as a primary target for Chinese state-sponsored IP theft campaigns
  • AI is enabling cybercriminals to accelerate attack speed and scale significantly
  • North Korean remote IT worker infiltration schemes are identified as a growing threat vector for enterprises

📡 Macro Trends

Anthropic Offers Mythos Upgrade for Cyber Partners and a ‘Safe’ Version for the Rest of You

Wired Security · Jun 09 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Anthropic's decision to release a capability-restricted public AI model while offering the full unrestricted version to vetted cyber organizations sets a new industry precedent for AI dual-use governance — a model CISOs will need to evaluate both as a potential tool for their own teams and as a threat enablement risk.

  • Claude Fable 5 is publicly available with safety classifiers preventing use for cyberattacks; Claude Mythos 5 is the same underlying model with those restrictions removed for vetted partners
  • Anthropic claims testing found no universal jailbreaks in Fable 5's safety layer
  • The split-product approach represents a formal tiered-access model for offensive AI capabilities

🔓 Data Breach

ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances

The Hacker News · Jun 10 · Relevance: █████████░ 9/10

Why it matters to CISOs: ServiceNow is deeply embedded in enterprise IT and security operations workflows, meaning unauthorized access to customer instances could expose sensitive ITSM data, incident records, and operational configurations. CISOs should verify whether their instance was affected and review the June 5 security update status.

  • Threat actors exploited an unauthenticated access flaw via a vulnerable API endpoint
  • ServiceNow applied a security update to hosted instances on June 5, 2026
  • Unknown attackers gained 'deeper unauthorized access' to susceptible customer instances

Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues

The Hacker News · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The compromise of 73 Microsoft open-source GitHub repositories to inject information-stealing malware directly threatens enterprise CI/CD pipelines that depend on Azure-sourced code and Microsoft-published samples. CISOs should audit any recent dependencies pulled from affected Microsoft GitHub organizations.

  • 73 Microsoft repositories across Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations were compromised
  • Malicious code injected was an information stealer targeting downstream consumers
  • Microsoft temporarily removed repositories; investigation dubbed 'Miasma' is ongoing

⚖️ Governance & Policy

CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says

The Record (Recorded Future) · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A new binding operational directive will change how federal agencies prioritize vulnerabilities, with Acting Director Andersen signaling the same risk-tiering model will be promoted to critical infrastructure owners — directly affecting how enterprise CISOs should align their vulnerability management programs.

  • A binding operational directive is being released Wednesday directing federal agencies to change vulnerability assessment and prioritization
  • CISA will elevate certain vulnerabilities while deprioritizing others, representing a strategic shift from blanket KEV-style mandates
  • Acting Director Nick Andersen signaled the framework will extend to critical infrastructure and private sector discussions

CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector

CyberScoop · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's shift toward risk-tiered vulnerability prioritization — moving away from a treat-all-KEV-equally approach — will ripple into how enterprises operating as federal contractors or critical infrastructure must structure their own vulnerability management programs and board reporting.

  • A binding operational directive is forthcoming to direct federal agencies on new vulnerability prioritization methodology
  • CISA will explicitly elevate some vulnerabilities while sidelining others rather than treating all equally
  • Acting Director Andersen indicated the framework will be extended into private sector critical infrastructure guidance

🚨 Critical Vulnerability

Cisco customers encounter another SD-WAN zero-day under attack

CyberScoop · Jun 09 · Relevance: █████████░ 9/10

Why it matters to CISOs: The seventh actively exploited zero-day in Cisco SD-WAN this calendar year with no patch yet available represents an existential exposure for enterprises running distributed network infrastructure on this platform. CISOs should immediately assess SD-WAN deployment footprint and consider compensating controls.

  • Seventh actively exploited zero-day in Cisco SD-WAN products in 2026 alone
  • No patch has been released by Cisco at time of reporting
  • Active exploitation is confirmed, not theoretical

CISA gives US federal agencies three days to fix a VPN bug under attack by a ransomware gang

TechCrunch Security · Jun 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A ransomware affiliate actively exploiting a Check Point VPN vulnerability across dozens of organizations — including government targets — with a 72-hour federal remediation mandate signals this is an emergency-tier threat for any enterprise running Check Point remote access solutions.

  • CISA issued a three-day remediation deadline to all US federal agencies
  • Check Point confirmed hackers broke into dozens of organizations by exploiting the VPN bug
  • A ransomware gang affiliate is confirmed as the active threat actor exploiting this vulnerability at scale



Full Transcript

Alex: Welcome to Cleartext for Wednesday, June 10th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. So, the UK government spent months crafting telecoms security requirements specifically to address Salt Typhoon — arguably the most consequential espionage campaign against Western communications infrastructure in a decade — and then folded when the telcos said it was too expensive. That's where we are.

Alex: We have a packed show today. We're going to dig into that UK story and the broader pattern of nation-state threats against the IT sector. We'll cover Anthropic's fascinating new dual-track AI model. We've got two major exploitation stories — ServiceNow and Cisco SD-WAN — plus a ransomware gang burning through Check Point VPNs with a three-day federal deadline. And CISA is about to fundamentally reshape how the government prioritizes vulnerabilities, which will ripple directly into your programs. Let's get into it.

Jordan: Let's start with the UK. The Record is reporting that Britain has weakened the telecoms cybersecurity protections that were specifically designed in response to Salt Typhoon. These were proposed rules to harden network infrastructure against Chinese state-sponsored actors who had, let's be clear, already compromised major telecoms globally. The industry lobbied against the measures, and the government blinked.

Alex: This is the pattern that keeps me up at night. We have a threat intelligence community that does extraordinary work identifying and attributing these campaigns. We have regulators who, to their credit, actually tried to translate that intelligence into binding requirements. And then the implementation gap swallows everything. The telcos said the mandates were too costly or operationally burdensome, and the government rolled them back.

Jordan: What's particularly galling is the specificity here. This wasn't a generic cybersecurity framework. These were targeted defenses against a known, named, active threat actor with documented TTPs against this exact sector. Salt Typhoon compromised telcos in the US, in Europe, in Asia. The UK said, "We should do something about that," and then un-did it.

Alex: For CISOs listening, here's the direct implication. If you have telecoms supply chain dependencies in the UK — and many of you do — the regulatory floor just got lower. That means your third-party risk assessments for UK telco partners need to account for the fact that the government is no longer mandating the protections you might have assumed were coming. You own that gap now.

Jordan: And this connects directly to the CrowdStrike annual threat report that dropped yesterday. They're quantifying what we've been seeing: the IT sector is the primary target for Chinese state-sponsored IP theft campaigns. Not energy, not defense — IT. They want the tools that build everything else.

Alex: The report also flags AI-enabled acceleration of attacks and, notably, North Korean remote IT worker infiltration. That second one is something I think a lot of organizations still treat as an edge case. It's not. If you don't have robust identity verification in your hiring pipeline for remote technical roles, you have an insider threat problem you haven't scoped yet.

Jordan: The North Korean IT worker schemes are genuinely clever. These aren't crude attempts. They're using sophisticated identity packages, VPN infrastructure to mask their location, and they're targeting roles that give them access to source code and internal systems. If your insider threat program is still oriented around disgruntled employees, you're fighting the last war.

Alex: Let's shift to Anthropic, because this is a story that has significant strategic implications. They've released two versions of their latest model. Claude Fable 5 is the public version with safety classifiers that Anthropic says prevent use for cyberattacks. Claude Mythos 5 is the same underlying model with those restrictions removed, available only to vetted cybersecurity organizations.

Jordan: This is the first time we've seen a major AI lab formally implement a tiered-access model for offensive capabilities. Anthropic is essentially saying: this model can do things that are dangerous, so we're going to let the good guys have the full version and give everyone else the guardrailed version. They claim no universal jailbreaks exist in Fable 5's safety layer.

Alex: I have two reactions. First, as a governance precedent, this is significant and probably inevitable. We were always heading toward a world where AI capabilities would be gated by trust level. Anthropic just formalized it. Second, the "no universal jailbreaks" claim is bold. Every safety layer eventually gets circumvented. The question is how long and at what cost to the attacker.

Jordan: Right. The practical question for CISOs is twofold. Are you evaluating Mythos 5 as a tool for your red team or threat intelligence functions? Because if your adversaries have access to unrestricted models — and some of them do — your defensive teams need parity. And simultaneously, are you modeling the risk that safety classifiers on public models erode over time?

Alex: Both good questions. I'd add a third: how does this affect your AI governance policy? If you're a vetted partner getting Mythos 5, you now have a dual-use tool inside your organization that requires its own access controls and audit trail. That's a new category of asset management for most shops.

Jordan: Let's move to the active exploitation stories, because there are several and they're all urgent. ServiceNow disclosed that threat actors exploited an unauthenticated access flaw via an API endpoint to gain what they're calling "deeper unauthorized access" to customer instances. They patched hosted instances on June 5th.

Alex: ServiceNow is the nervous system of enterprise IT operations for a huge swath of our audience. Your ITSM data, your incident records, your change management workflows, your CMDB — it's all there. Unauthorized access to a ServiceNow instance isn't just a data breach. It's an intelligence goldmine for an attacker mapping your environment.

Jordan: The "unauthenticated" part is what makes this particularly concerning. No credentials required. If you're running ServiceNow, verify your instance was patched as of June 5th. If you're self-hosted, which some of you are, check the advisory immediately. And review your API endpoint exposure. This is the kind of flaw that gets found because attackers are systematically probing SaaS APIs.

Alex: Next up, the Microsoft GitHub compromise. Seventy-three repositories across Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations were compromised to inject an information stealer. Microsoft temporarily took repos offline, and the investigation — dubbed Miasma — is ongoing. Some repos are back, others aren't.

Jordan: This is a supply chain attack against one of the largest open-source publishers on the planet. If your CI/CD pipelines pull from Microsoft GitHub organizations — and statistically, many of you do — you need to audit what you've consumed recently. The injected code was an infostealer, which means credentials, tokens, and session data from developer workstations and build environments could be compromised.

Alex: The remediation here is painful but necessary. Identify any dependencies sourced from the affected organizations during the compromise window. Rebuild from known-good sources. Rotate credentials on any build systems that may have executed compromised code. This is exactly the scenario that makes software supply chain security so difficult at scale.

Jordan: Now, Cisco SD-WAN. This is the seventh — seventh — actively exploited zero-day in Cisco SD-WAN products this calendar year. And there's no patch. Active exploitation confirmed in the wild.

Alex: Seven zero-days in one product line in six months. At some point, this stops being a vulnerability management problem and becomes an architecture problem. If you're running Cisco SD-WAN, you need to be having a serious conversation about your network infrastructure strategy. Compensating controls, segmentation, monitoring — yes, all of that immediately. But also, what's your long-term plan?

Jordan: And on the Check Point side, CISA gave federal agencies a 72-hour remediation window for a VPN vulnerability that a ransomware affiliate is actively exploiting across dozens of organizations. Three days. That tells you everything about the severity.

Alex: If you're running Check Point remote access VPN, this is a drop-everything item. A ransomware affiliate at scale means this is already weaponized, already automated, and already being used against targets of opportunity. Don't wait for your normal patch cycle.

Jordan: The last story ties several threads together. CISA is releasing a binding operational directive today — Wednesday — that fundamentally changes how federal agencies prioritize vulnerabilities. Acting Director Andersen is signaling this is a move away from the treat-all-KEV-entries-equally approach toward explicit risk tiering. Some vulnerabilities get elevated, others get deprioritized.

Alex: This is long overdue and directionally correct. The KEV catalog was a breakthrough, but the flat priority model created perverse incentives. Agencies were burning cycles on lower-risk KEV entries while higher-impact vulnerabilities outside the catalog went unaddressed. Risk tiering acknowledges operational reality.

Jordan: Andersen also indicated this framework will extend into critical infrastructure and private sector guidance. So if you're a federal contractor or you operate in any of the critical infrastructure sectors, expect this to reshape your compliance conversations within months.

Alex: For CISOs, this is a chance to get ahead. If CISA is moving toward risk-tiered vulnerability prioritization, align your program now. The organizations that can demonstrate their vulnerability management already reflects business-context risk tiering will be in a much stronger position when this becomes the expected standard.

Jordan: Looking at the week's arc, there's a clear theme: the gap between knowing and doing. We know Salt Typhoon is real, but the UK can't sustain the regulatory will to address it. We know Cisco SD-WAN is fundamentally compromised, but organizations are still running it. We know AI capabilities need governance, and Anthropic is the first to actually try. The question isn't whether we have the intelligence. It's whether institutions have the will to act on it.

Alex: And that's exactly the role of the CISO right now. You are the translation layer between threat intelligence and organizational action. The UK telco story is a warning: if you delegate your security posture to regulatory mandates, you're exposed to political winds. Own your risk. Build your program to the threat, not to the compliance floor.

Jordan: Well said.

Alex: That's our show for Wednesday, June 10th. Show notes and links to every story we covered are at cleartext.fm. We'll be back tomorrow. Stay sharp.

Jordan: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-10.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.