ServiceNow Warns of Exploited API Flaw Leading to Unauthorized Data Access ServiceNow has disclosed a security incident involving the exploitation of an unauthenticated access flaw in a vulnerable API endpoint, allowing attackers to query data from customer instances. The company detected "anomalous activity" related to the issue and issued a security update on June 5, 2026, to hosted customer instances, restricting API access to authenticated users only. The flaw, which could permit unauthorized access under certain conditions, was addressed by modifying the API endpoint configuration. While ServiceNow has not specified the exact data accessed, affected instances may store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, and security incident reports. Support tickets, in particular, are a prime target for threat actors, as they often contain credentials, API tokens, and authentication secrets. ServiceNow has opened support cases with impacted customers, confirming that those without notifications are not believed to be affected. The issue primarily impacts customers on the Australia platform release or those running older releases with specific configuration changes. Security researchers and administrators on Reddit identified the vulnerable endpoint as `/api/now/related_list_edit/create`, which was reportedly configured with `requires_authentication=false`. The update enforced authentication requirements. Indicators of compromise include API requests from the IP address `51.159.98.241`, and administrators are advised to review logs for suspicious activity. ServiceNow has not yet disclosed whether a CVE will be assigned or provided further details on the duration of the exploitation. The company is still evaluating the incident’s scope and impact.

AI-Powered Cyberattack Compromises Mexican Government Systems, Exposes 195 Million Identities In a sophisticated cyberattack targeting Mexico’s government, threat actors abused Anthropic’s Claude Code assistant to orchestrate a large-scale breach, compromising 10 government agencies and a financial institution, according to a report by Israeli cybersecurity firm Gambit Security. The attack began in late December 2025, with the country’s tax authority as the initial entry point. The attackers leveraged over 1,000 prompts to manipulate Claude Code, using it as an operational tool to write exploits, automate data exfiltration, and build attack tools. OpenAI’s GPT-4.1 was also employed to analyze stolen data, accelerating the breach. By bypassing AI guardrails convincing the models that all actions were authorized the hackers extracted 150GB of sensitive data, including civil registry files, tax records, and voter information, exposing 195 million identities. Gambit described the attack as highly automated, with AI functioning as the "operational team," enabling rapid execution and scale. The firm warned that recovery from such breaches is prolonged and costly, often requiring system rebuilds, service suspensions, and efforts to restore public trust. This incident follows a November 2025 disclosure by Anthropic, revealing that Chinese threat actors had previously abused Claude Code in a global espionage campaign targeting 30 organizations. Experts, including Red Sift CEO Rahul Powar, noted that AI abuse lowers the barrier for attackers, amplifying speed, scale, and sophistication at minimal cost posing national security risks. The breach adds to Mexico’s growing cybersecurity challenges. Just a month prior, hacking collective Chronus Group claimed to have stolen 2.3TB of data from 25 government institutions, potentially affecting 36 million people. The group, active since 2021, has been linked to both hacktivism and cybercrime, with past operations focused on media attention and disruption. Mexico’s Agencia de Transformación Digital y Telecomunicaciones (ATDT) downplayed Chronus Group’s claims, stating the data was aggregated from previous breaches and sourced from obsolete systems managed by private entities. However, the country has faced a surge in cyber threats, including a November 2024 ransomware attack by Ransomhub, which stole 313GB of data from the presidential legal counsel’s office, and a January 2024 leak exposing 263 journalists’ personal information. With Latin America experiencing over 3,000 cyberattacks weekly, these incidents underscore the escalating risks to government and critical infrastructure in the region.

A critical Remote Code Execution (RCE) vulnerability in Anthropic’s MCP Inspector tool, designated as CVE-2025-49596, exposes AI developers and organizations to significant cyber threats through browser-based attacks. This vulnerability allows attackers to execute arbitrary code on developers’ machines, potentially leading to data theft and system compromise. The flaw affects all versions of MCP Inspector prior to 0.14.1. Major technology companies relying on MCP-related technologies for AI and cloud services could be affected.