Feds Restrict Fable Access, Maine Portal Disabled, Oracle Exploited

The US government, citing national security authorities, issued an export control directive on June 12, 2026 directing Anthropic to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees, per Anthropic's official statement. Anthropic received the directive at 5:21pm ET, confirmed it disabled both models for all customers to ensure compliance, and stated it disagrees with the action. Per Anthropic's statement, the government's concern centers on a narrow, non-universal jailbreak of Fable 5 -- specifically, a technique that asks the model to read a codebase and fix software flaws -- which Anthropic says is widely available from other publicly deployed models including OpenAI's GPT-5.5. Commerce Secretary Howard Lutnick sent the letter to Anthropic CEO Dario Amodei, per Axios.

Separately, BleepingComputer reports that the State of Maine disabled its public data-breach notification portal on June 12 after attackers submitted fake breach disclosures impersonating Discord and VRChat, including a fraudulent notice claiming exposure of 2.4 million users. The Maine Attorney General's Office removed the false reports and restricted public portal access while reviewing procedures.

CyberScoop and The Hacker News report that ShinyHunters exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273), an unauthenticated remote code execution flaw rated 9.8 CVSS requiring only network access over HTTP, to breach and extort over 100 organizations between May 27 and June 9, 2026. Google Mandiant attributes the campaign to the group it tracks as UNC6240; more than two-thirds of victims were US colleges and universities.

Government-imposed access restrictions on AI models typically accelerate vendor-level identity checks, geoblocking, and data-retention requirements in product deployments -- Anthropic had already required 30-day data retention for Mythos-class models to support jailbreak monitoring, per its statement. For defenders, incidents where threat actors submit false disclosures to state portals illustrate a recurring operational risk: lightly validated public intake forms can be weaponized to cause misinformation or denial-of-service at scale. Exploitation of unpatched Oracle PeopleSoft aligns with long-standing patterns where high-impact CVEs against enterprise ERP stacks enable extortion due to the sensitive data they hold.

The Commerce Department action joins other recent cases in which governments have sought to limit access to specific model capabilities, but Anthropic's public pushback -- stating the standard applied would "essentially halt all new model deployments for all frontier model providers" if applied across the industry -- makes this episode notable for AI governance. The combination of regulatory intervention affecting a frontier AI developer and simultaneous critical-infrastructure and university extortion campaigns underscores converging risks: regulatory compliance burden, public-facing portal integrity, and legacy enterprise patching debt.

Monitor Anthropic's status updates for restoration of Fable 5 and Mythos 5 access; the company stated it is working to restore access and will share more details. Track formal Commerce Department guidance for any compliance requirements tied to AI export restrictions. For security teams: patch Oracle PeopleSoft immediately (CVE-2026-35273 advisory was published June 10); prioritize validation and anti-abuse controls on public intake forms and disclosure portals.