CyberPulse

The Arms Race Is Live



A rival AI company officially launched GPT-5.4-Cyber, a frontier model optimized for defensive cybersecurity, days after Project Glasswing, making the AI cyber arms race live: two competing frontier models are now shipping for enterprise security. A critical authentication bypass (CVE-2026-33032, CVSS 9.8) was discovered in the Model Context Protocol (MCP) integration for nginx-ui, allowing any network attacker to invoke all MCP tools without authentication. Patch Tuesday zero-days were identified: CVE-2026-32201 (SharePoint spoofing, in KEV, deadline April 28) and CVE-2026-33825 (Defender privilege escalation to SYSTEM, the "BlueHammer" disclosure). A new cybercrime platform, ATHR, offers fully automated voice phishing using human operators and AI agents. Attackers are exploiting Marimo Python notebooks to deploy NKAbuse malware hosted on Hugging Face Spaces.

Links & Resources
  • https://thehackernews.com/2026/04/openai-gpt-54-cyber-defensive-model.html
  • https://thehackernews.com/2026/04/nginx-ui-mcp-auth-bypass-cve-2026-33032.html
  • https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/
  • https://www.bleepingcomputer.com/news/security/athr-voice-phishing-platform-ai-agents/
  • https://www.bleepingcomputer.com/news/security/marimo-python-notebook-nkabuse-hugging-face/
  • https://www.integrity360.com/cyber-news-roundup-april-17th-2026
  • https://www.anthropic.com/glasswing
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CyberPulse
By Tushar Vartak