Security: new tools and old holes

A penetration test is a hired break-in on a computer system, like paying a locksmith to prove your front door can be picked before a burglar does. This week, one new tool pushed that job onto a Linux laptop with no cloud connection at all. (github.com) METATRON is a command-line program that runs on a local machine, takes a target internet address, launches tools like Nmap, Whois, WhatWeb, Curl, Dig, and Nikto, and then hands the results to a local language model for analysis. Its GitHub page says it stores scan history in MariaDB and uses Ollama to run a fine-tuned Qwen model offline. (github.com) That “offline” detail is the whole pitch: a bank, contractor, or internal security team can scan sensitive systems without sending logs, hostnames, or findings to a remote application programming interface. On April 9, 2026, the repository showed about 1,700 stars and more than 300 forks, which is fast traction for a project only days old. (github.com) At almost the same moment, OpenSSL was fixing the opposite kind of problem: not a new helper, but an old plumbing layer that sits inside encrypted connections across servers, apps, and devices. On April 7, 2026, the OpenSSL project published an advisory for CVE-2026-31790 and rated it “Moderate.” (openwall.com) The bug lives in RSA key encapsulation, which is a way two machines wrap up a secret key before they start talking privately, like sealing a note in an envelope before handing it over. OpenSSL said some applications using RSA with RSASVE could send contents of an uninitialized memory buffer to a malicious peer if encryption failed but the code still reported success. (openwall.com) OpenSSL’s workaround was blunt: validate the public key with `EVP_PKEY_public_check` or `EVP_PKEY_public_check_quick` before calling `EVP_PKEY_encapsulate`. Its permanent fix was an upgrade path to versions 3.0.20, 3.3.7, 3.4.5, 3.5.6, and 3.6.2, while 1.0.2 and 1.1.1 were listed as not affected. (openwall.com) Then came the third piece of the week: Anthropic said it was holding back a cybersecurity model called Mythos while testing it with 40 companies for defensive work. The New York Times reported on April 7, 2026, that Anthropic described the system as strong enough to justify limited access instead of a public release. (nytimes.com) That puts METATRON and Mythos on the same side of the line, but at different ends of the market. METATRON is open source and runs on a Parrot operating system box with free tools, while Mythos is being tested behind closed doors with selected companies. (github.com) (nytimes.com) The attackers in this week’s news were not theoretical. TechCrunch reported on April 8, 2026, that researchers uncovered a hack-for-hire campaign targeting journalists, activists, and government officials across the Middle East and North Africa with Android spyware and phishing pages aimed at Apple iCloud accounts. (techcrunch.com) The cross-platform part is what stands out: the same operation reportedly used malicious Android software to take over phones and fake login pages to reach cloud backups and Signal-related accounts. That is the modern version of checking both the front door and the spare key under the flowerpot. (techcrunch.com) Put together, the week’s pattern is simple. Defenders are building local artificial intelligence tools to speed up audits, major vendors are still racing to patch memory leaks in core encryption libraries, and mercenary operators are stitching Android, iCloud, and messaging targets into one campaign because people now live across all three at once. (github.com) (openwall.com) (techcrunch.com)