Archive for July 8, 2026

The CISA Scanning Fed Software with Anthropic Mythos

Posted in Commentary with tags on July 8, 2026 by itnerd

Reuters reports that the CISA is said to be using Anthropic’s Mythos AI model to scan federal government software for security vulnerabilities. The CISA’s Attack Surface Evaluation team is using the model to audit source code and identify flaws that could be exploited by cybercriminals or nation-state actors.

The initiative is part of a pilot program to evaluate whether AI can accelerate software security reviews across government systems. Reuters reports that Mythos has identified multiple vulnerabilities during testing, although specifics on the number of vulnerabilities, severity, or affected software are not disclosed.

Bronwen Aker, AI Research & Strategy Analyst, Black Hills Information Security:

The federal government can’t seem to decide what it thinks about AI in general, or Mythos, in particular. One week Anthropic is a supply-chain risk, the next week CISA is handing Mythos the keys to scan federal code for vulnerabilities. That inconsistency would be bad enough to start with, but because it’s not clear what Mythos is actually scanning, it’s much, much worse. Is this government-written code, or software built by third-party contractors and vendors? In-house bugs are one problem. Vendor bugs running across federal systems are a supply chain problem, and the public has a right to know which one this is.

Chris Traynor, Penetration Tester at BHIS and Instructor at Antisyphon:

Software code review and analysis is nothing new. Realistically, most issues found are not exploitable without very specific conditions being met (i.e. – the vulnerable function needs to actually be invoked and exposed to the attacker in order to be abused).

I believe AI vulnability scanning will likely find many new and novel issues that were simply too complex to identify with legacy tools before. But added complexity can cause limitations exploitability. AI scanning will likely produce a lot of unactionable output very quickly that will need to be reviewed by experts to find the real risks.

Seemant Sehgal, Founder & CEO, BreachLock:

“AI finding vulnerabilities in federal code at scale is interesting, but the harder question is what happens after the finding. A vulnerability that exists in a library no one calls, behind a network segment no one reaches, is not the same problem as one sitting in a critical authentication path. Without validating exploitability and reachability, every finding lands with the same weight, and that creates its own kind of risk. The real test of this program is whether the output helps prioritize action or just expands the backlog.”

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

“Using AI to scan for vulnerabilities in legacy code while AI generates vulnerable new code on the other end only solves half the problem. CISA pointing Mythos at government codebases is a smart move. I’ve seen federal systems running code that hasn’t had a serious security review in a decade, and a model like Mythos can cover that volume in hours instead of months.

“The blind spot is the generation side. Every federal agency and contractor also has developers writing code with AI assistants, and those tools produce insecure output more often than secure output. Authorization flaws, hardcoded credentials, missing input validation, all shipping by default because the models optimize for “does it run” and skip “is it safe.”

“Combine both facts and you get a treadmill. Mythos finds legacy bugs, teams patch them, and AI coding tools introduce fresh vulnerabilities into the same repos at machine speed. The backlog doesn’t shrink. It gets younger.

“Power grids and water systems are privately run but sit squarely in nation-state crosshairs. CISA can’t harden federal code and call it done. If the agency has a scanning tool this capable, the operators running critical infrastructure need access to it too, because those are the systems that actually keep the lights on.

“I’d want CISA to pair this initiative with secure-generation standards for AI coding tools in federal development, and extend scanning access to critical infrastructure operators. We are draining the pool while the hose is still running.”

I for one would like the CISA to combine vulnerability scanning via AI with human follow up. Because relying on just AI alone is a recipe for failure. This of course ignoring the fact that the Trump Administration seems to flip flop on Anthropic and their potential harms to society. .

A single GitHub Issue was enough to leak private repos

Posted in Commentary with tags on July 8, 2026 by itnerd

A critical prompt-injection vulnerability in GitHub Agentic Workflows could allow unauthenticated attackers to leak private repository data. A single crafted GitHub Issue was enough to trick the AI workflow into pulling content from private repos and posting it publicly. The agent had broad read access and treated user-submitted text as executable instructions rather than untrusted input, requiring no credentials from the attacker.

Gidi Cohen, CEO & Co-Founder, Bonfy.AI had this to say:

“This disclosure shows that AI-powered automation is now a real exfiltration risk, not a theoretical one, and leaders need to treat it with the same seriousness as SQL injection. A single crafted GitHub Issue was enough to trick an AI workflow into pulling content from private repositories and posting the results publicly, because the agent had broad read access and treated user text as executable instructions rather than untrusted input.

The deeper lesson is structural: an AI agent’s context window is effectively its attack surface, and anything it reads, such as issues, pull requests, comments, files, tickets, can be weaponized if the system does not enforce clear boundaries between ‘data’ and ‘commands.’ This is bigger than GitHub. Any agentic AI wired into production systems, given powerful credentials, and controlled through natural language creates a new, systemic vulnerability class. Executives should assume prompt injection is inevitable and focus on governance: enforce least-privilege access for agents, strictly constrain what they can post or expose publicly, and mandate sanitization or filtering of all user-controlled content before it reaches AI workflows.

The questions leaders should now be asking their teams are simple and pointed: where are AI agents plugged into our workflows, what can they read and write, and what stops a single malicious ticket, issue, or chat message from triggering a large-scale leak? Framed well, this becomes a ‘responsible automation’ stance: we will move fast with AI, but not by blindly expanding our attack surface in ways we do not understand.”

Again, this illustrates that organizations need to have defenses that are on point. Because we’re seeing good guys come out with exploits quickly. Which means that the bad guys will come out with exploits quicker.

AI just turned a weeks-long hack into 72 hours

Posted in Commentary with tags on July 8, 2026 by itnerd

Sygnia researchers observed a lone threat actor use agentic AI to compress what would normally be a multi-week cloud intrusion into just 72 hours. According to their analysis, the attacker didn’t rely on novel malware or zero-day exploits; instead, an AI agent ran reconnaissance, credential abuse, and lateral movement using known, well-documented techniques, executing them in parallel at machine speed rather than sequentially by hand.

Roman Sannikov, VP, Threat Intelligence, iCOUNTER had this to say:

“This is the strategic inflection point we’ve been tracking: AI isn’t giving attackers new capabilities, it’s eliminating the human bottlenecks that used to slow them down. Reconnaissance, credential abuse, and lateral movement running in parallel rather than sequentially means the operational tempo of an intrusion is no longer bound by how fast a human operator can work.

That changes the defender’s decision timeline at the board level, not just the SOC level. When a cloud compromise that used to take weeks can now happen in 72 hours, the assumption that there’s time to detect, investigate, and respond before meaningful damage occurs no longer holds. Organizations need external visibility into adversary infrastructure and campaign activity before an intrusion reaches this speed, not after.

The technique here wasn’t novel; rather, that’s what makes it significant. Threat actors don’t need new tools when AI lets them run the tools they already have faster than any defender can react manually. Operational resilience now depends on intelligence-led defense that can match that tempo, not just harden the perimeter and wait.”

The fact that time to pwnage is shrinking dramatically shows that an organizations defences need to be up, active, and fluid. Otherwise that pwnage is going to happen.

Back-to-School Brands Are Chasing Clicks – New Data Shows Billboards Help Create Them

Posted in Commentary with tags on July 8, 2026 by itnerd

As Canadians gear up for back-to-school shopping, brands are pouring marketing dollars into digital channels to capture purchase intent. But new research suggests many buying decisions begin long before consumers ever open a browser.

A new national survey from Vistar Media found that 39% of Canadians have taken action after seeing a billboard or digital out-of-home (DOOH) ad, reinforcing that out-of-home isn’t just an awareness channel, it’s helping drive real consumer behaviour.

At a time when marketers are largely focused on clicks, conversions and attribution, the findings suggest many may be overlooking one of the most effective ways to build intent before shopping begins – especially at a time when 99% of Canadian parents plan to shop in-store for at least some of their Back-to-School purchases, .

Key findings include:

  • 39% of Canadians took at least one action after seeing a billboard or DOOH ad in the past month.
  • 22% looked up a brand online after seeing an ad.
  • 18% visited a company’s website.
  • 36% say a billboard influenced or reinforced the last action they took.
  • Gen Z is the most responsive audience, with 52% taking action after seeing an out-of-home ad, well above Boomers (32%).

Scott Mitchell, Managing Director, Canada at Vistar Media, is available to discuss:

  • Why the most effective back-to-school campaigns build demand before consumers start searching.
  • Why marketers should rethink the idea that out-of-home is simply an “upper funnel” awareness play.
  • How DOOH complements digital by building trust, consideration and purchase intent before consumers click.
  • What Canadian marketers should consider when planning omnichannel campaigns during one of the year’s biggest retail moments.

You can read the report here.

Wagepoint and Xero deliver connected payroll and accounting experience for Canadian small businesses 

Posted in Commentary with tags , on July 8, 2026 by itnerd

Wagepoint and Xero today introduced a seamless and integrated experience for small business payroll and accounting. With this enhanced experience, payroll data — including wages, taxes, deductions and benefits — flows automatically into Xero, reducing manual entry and making it easier for Canadian small businesses to keep accurate, up-to-date financial records in one streamlined workflow. 

For many small businesses, payroll and accounting remain disconnected: payroll is processed in one system, then manually reconciled in another, creating duplicate work, more room for error, and delayed visibility into where the business stands financially. Building on a long-standing integration already trusted by businesses across Canada, the enhanced experience brings Wagepoint and Xero closer together through an intuitive single sign-on, letting users easily access Wagepoint with their existing Xero credentials and move more easily between payroll and accounting. By reducing duplicate processes and creating a more connected experience across two trusted platforms, the integration saves time, simplifies day-to-day financial management and gives customers a more unified way to manage their business.

Together, Wagepoint and Xero bring two of the easiest-to-use payroll and accounting solutions to business owners, combining a more connected experience with competitive bundled pricing and without the complexity, cost or feature bloat of enterprise-style platforms. Built around the way Canadian small businesses operate, the enhanced offering provides a meaningful cloud alternative for businesses and their advisors looking to simplify their processes, meet federal and provincial payroll requirements with less effort, and manage payroll and accounting through two trusted platforms that work in sync.

This comes at a critical moment for Canadian small businesses. Xero Small Business Insights (XSBI) data points to continued cash flow pressure across the sector, with many owners still waiting weeks to be paid after they invoice, even as sales begin to steady after several softer quarters. In this environment, a seamless payroll-to-accounting workflow saves time and gives owners a clearer, more current view of their numbers to make a real difference on cash flow confidence.

The enhanced integration is available now to Canadian small businesses, accountants and bookkeepers through Wagepoint and the Xero App Store, with new customers eligible for three months free when they get started with Wagepoint, Xero or both.

Galaxy Unpacked Exclusive offers now available from Samsung

Posted in Commentary with tags on July 8, 2026 by itnerd

The countdown is on for Samsung’s next launch later this month in London! But Canadians don’t have to travel across the pond to get in on the excitement of Galaxy Unpacked.

By registering now at https://www.samsung.com/ca/unpacked, Canadians can stay up to date on all things Unpacked and access exclusive pre-order benefits.

In addition to teasers and general updates, readers who sign up will receive:

  • A $50 e-voucher toward a 2026 Galaxy device
  • A chance to win one of 10 $500 e-vouchers toward their next purchase
  • A chance to win a 65″ The Frame Pro TV
  • Savings of up to $1,500 on a 2026 Galaxy device with an eligible trade-in

Galaxy Unpacked will showcase the newest additions to Samsung’s Galaxy portfolio, including the next generation of Galaxy foldables designed to deliver more personal, adaptive AI experiences.

I’ve also got this registration link to share. And for additional details, I invite you to check out the Samsung Canada Newsroom.

HR Path secures nearly USD 1 billion in funding to accelerate growth in Canada and North America

Posted in Commentary with tags on July 8, 2026 by itnerd

HR Path today announced a near USD 1 billion funding transaction led by Ardian. This investment will support the Group’s next phase of international growth, accelerate its acquisition strategy and reinforce its presence in strategic markets, including Canada and North America.

Canada: a strategic foundation for North American growth

Founded in 2001, HR Path helps organizations transform and optimize their HR function through a unique model built around three complementary service lines: AdviseImplement and Outsource.

Over the past two years, the Group has achieved nearly 70% revenue growth, supported by both organic expansion and an active acquisition strategy. HR Path now generates €360 million in annual revenue, employs 2,600 professionals, operates in 30 countries and supports organizations representing more than 20 million employees worldwide.

Canada has become a key market in HR Path’s North American expansion. The acquisitions of IN-RGY in October 2024 and Covalence Consulting in 2026 significantly strengthened the Group’s regional expertise, particularly across SAP SuccessFactors, UKG and ADP Workforce Software, while complementing broader capabilities in other HR technology solutions such as Oracle, Workday and Dayforce. Today, HR Path supports leading Canadian organizations, including Ontario Power Generation, Dollarama, Domtar, Videotron, Magellan Aerospace and Scotiabank, in their HR transformation initiatives.

What this means for Canada

For Canadian organizations, this funding means access to a stronger local HR transformation partner backed by global scale. HR Path intends to invest further in Canadian talent, expand delivery capacity, deepen expertise across core HR, payroll, workforce management and talent solutions, and pursue targeted acquisitions and partnerships that strengthen its national capabilities. The investment will also help HR Path address the priorities shaping the Canadian market, including HR modernization, productivity improvement, skills and talent challenges, payroll complexity, employee experience and the need for scalable solutions that support both Canadian and international operations.

Accelerating the next phase of growth in Canada

With this new funding, HR Path plans to further strengthen its Canadian operations and accelerate its development across North America.

The Group will continue investing in strategic acquisitions, expanding local expertise and deepening partnerships with leading HR technology providers. Canada will play a central role in this strategy, particularly in the development of HR technology implementation, managed services and multi-country HR transformation programs.

With operations in 30 countries and ambitions to reach 40 countries5,000 employees and 700 million in revenue over the next three years, HR Path intends to continue strengthening its presence in Canada while establishing itself as one of the leading HR transformation providers in North America

If You Have Ubiquiti UniFi Gear (and even if you don’t) You Need To Patch It Now

Posted in Commentary with tags on July 8, 2026 by itnerd

Users of Ubiquiti UniFi hardware along with those using the stand alone server product need to patch all the thing ASAP. Take what they brought out this morning for example:

  •  Tracked as CVE-2026-50746 this issue can allow command line injection attacks. T

But last Thursday, Ubiquiti patched another six (you read that right) vulnerabilities:

  • Ubiquiti patched CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, and CVE-2026-55116. All of which require Ubiquiti users to be running a variety of UniFi applications.

In both cases, more info can be found here.

Why this matters is simple. Ubiquiti has been used as a jump off point for nation state actors doing their evil things since at least 2024. Evil things such as botnets for example. So if you are offered patches (which you should check for constantly over the next few days) inside your Ubiquiti console, install them ASAP.