The Information Machine

AI-Enabled Offensive Cyberattacks Escalate

Version 4

2026-05-23 03:53 UTC · 89 items

What

A coordinated supply chain attack named Mini Shai-Hulud—attributed to threat group TeamPCP—compromised over 314 npm and PyPI packages linked to major AI labs including OpenAI, Mistral AI, and others [3][4]. TeamPCP has escalated through three phases: breach, sale listing of Mistral AI source code at $25,000 [9][10], and now an explicit leak threat—the group has stated it will publish the data publicly if no buyer is found [13][14]. Mistral AI confirms the breach but has not disclosed what data is involved [13]. Separately, Anthropic has confirmed via an official page (anthropic.com/glasswing) that Project Glasswing is its own defensive security initiative [21]; Cloudflare participated as a testing partner, running Claude Mythos against 50+ repositories and documenting its ability to chain exploits [22].

Why it matters

The leak threat transforms the Mistral incident from a closed criminal negotiation into a potential public data release—if TeamPCP publishes rather than sells, the competitive intelligence value is moot but adversarial proliferation risk rises sharply. The confirmation that Project Glasswing belongs to Anthropic—not just a third-party endorsement—means the exploit-chaining capability claim is now a primary-source disclosure from the model developer itself, lending it substantially more institutional weight than previously framed secondary attribution.

Open questions

  • Will TeamPCP follow through on the leak threat if no buyer materializes, and on what timeline? [13][14]

  • What specifically does Anthropic's official Project Glasswing page disclose about Mythos's test methodology, scope, and capability findings beyond Cloudflare's 50-repository benchmark? [21][22]

  • Does Mistral AI's confirmed breach encompass only the npm supply chain vector or also TeamPCP's separately claimed direct intrusion across 450 repositories? [13][8]

  • Has any buyer been identified for the advertised Mistral source code, and does the shift to a leak threat indicate the sale has stalled? [13][9]

Narrative

A coordinated supply chain attack named 'Mini Shai-Hulud' by its operators—threat group TeamPCP—began on May 11, 2026, targeting 42 TanStack GitHub repositories and publishing 84 malicious npm package versions [1]. The attack weaponized GitHub Actions publishing machinery rather than stealing developer credentials, exploiting the implicit trust that CI/CD pipelines extend to automated build outputs. The scale grew rapidly: more than 169 npm packages and multiple PyPI packages were confirmed compromised by May 15 [2], reaching over 314 npm packages by May 19 [3]. The downstream blast radius spanned the AI industry's core tooling supply chain: OpenAI, Mistral AI, UiPath, Guardrails AI, and SAP were all confirmed affected through the same npm vector [4]. OpenAI confirmed the breach and recommended users update desktop agents [5][6].
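
The paragraph above describes a vector that abused CI/CD publishing trust rather than developer credentials, but the page does not say which workflow settings were involved. The following is an added example, not code from the page, from TanStack, or from any affected vendor: a small linter that flags common publish-workflow weaknesses a CI hygiene review would catch (actions referenced by mutable tag instead of a commit SHA, `permissions: write-all`, a `pull_request_target` trigger on a publishing workflow, and a long-lived registry token in the job environment). Both sample workflows are constructed for the example; the 40-character SHAs in the hardened variant are placeholders, and `NPM_TOKEN` is a hypothetical secret name.

```python
import re

# Constructed sample (not from the page): a publish workflow with several
# settings that a CI hygiene review would flag.
WEAK_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
  pull_request_target:
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened variant: read-only default permissions, an OIDC
# id-token for registry trusted publishing instead of a stored token, and
# actions pinned to full commit SHAs. The SHAs below are placeholders, not
# real commits; pin to the commit you have reviewed.
HARDENED_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98  # placeholder SHA
      - run: npm ci
      - run: npm publish --provenance
"""

SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"-?\s*uses:\s*(\S+)")


def lint_workflow(text: str) -> list:
    """Return (line_number, finding_kind, evidence) tuples for a workflow file.

    Line-based on purpose so it needs no YAML library; it inspects the
    settings named above and nothing else.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()

        # Third-party actions should be pinned to an immutable commit SHA,
        # not a tag or branch that the action's maintainer (or an attacker
        # with their credentials) can move.
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if not (ref.startswith("./") or ref.startswith("docker://")):
                if "@" not in ref or not SHA_REF.match(ref.rsplit("@", 1)[1]):
                    findings.append((lineno, "unpinned-action", ref))

        # A blanket write token lets any step (or any compromised action)
        # push code, releases and packages.
        if re.match(r"permissions:\s*write-all", line):
            findings.append((lineno, "broad-permissions", line))

        # pull_request_target runs with the base repository's secrets; on a
        # publishing workflow that exposes the publish path to PR content.
        if line.startswith("pull_request_target"):
            findings.append((lineno, "pull_request_target-trigger", line))

        # A stored registry token outlives the job; OIDC trusted publishing
        # issues a short-lived credential per run instead.
        if "secrets.NPM_TOKEN" in line:
            findings.append((lineno, "long-lived-publish-token", line))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(lint_workflow(wf))} finding(s)")
        for lineno, kind, evidence in lint_workflow(wf):
            print(f"  line {lineno}: {kind}: {evidence}")
```

Run against the constructed inputs, the weak workflow yields five findings and the hardened one yields none. The checks are general CI hardening practice and are not a claim about which setting the attackers described above actually abused.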

TeamPCP has moved through escalating phases against Mistral AI specifically: initial breach, public claim of 5GB exfiltration across 450 repositories [7][8], sale listing of Mistral source code at $25,000 across multiple channels [9][10][11][12], and now an explicit leak threat—the group has stated it will publish the data publicly if no buyer is found [13][14]. DarkWebInformer documented the ~5GB claim across social channels [15], and security researchers including Simon J tracked TeamPCP's advertising activity [16]. Mistral AI has confirmed the breach but has not disclosed what data is involved [13][17], leaving the scope unspecified while the attacker's disclosures become progressively more public. This information asymmetry—where the attacker is more forthcoming about breach scope than the victim—complicates independent verification and downstream risk assessment.

Running parallel to the supply chain campaign, the exploitation of AI for offensive cyber operations has taken formalized shape. Google's Threat Intelligence Group confirmed the first instance of a criminal actor using AI to discover and weaponize a zero-day vulnerability targeting two-factor authentication via a hardcoded trust assumption [18]. Attribution reporting names APT45 and UNC2814, with North Korean infrastructure cited [19][18]. GTIG reportedly intercepted the exploit before mass deployment, but the incident establishes a qualitative precedent: AI is now being applied to discover novel vulnerability classes, not just automate exploitation of known ones [20].

Anthropic's Project Glasswing—confirmed via an official page at anthropic.com/glasswing [21]—is the model developer's own defensive security initiative in which external organizations test Claude Mythos against real-world codebases. Cloudflare participated as a testing partner, running Mythos against 50+ repositories and documenting its ability to chain exploits in ways earlier frontier models missed [22]. Community commentary from Subhash Dasyam and video analysis characterize the findings as a meaningful capability step [23][24]. The UK AI Safety Institute separately published primary-source data on the doubling of autonomous AI cyber time horizon in months [25], and the US DoD CSIAC published a formal technical response report titled 'Counter-AI Offensive Tools and Techniques' [26][27], together signaling that governments are treating AI-native offensive capabilities as a defined institutional threat requiring organized response.

Timeline

  • pre-2010: fast16.sys virus deployed, selectively corrupting floating-point results in nuclear physics and precision engineering software—establishing an early template for targeted scientific sabotage through invisible degradation rather than overt disruption [50]
  • 2026-05-11: TeamPCP's Mini Shai-Hulud supply chain attack begins: 42 TanStack GitHub repositories compromised via GitHub Actions publishing machinery, 84 malicious npm package versions published without credential theft [1]
  • 2026-05-12: Google reports the first known AI-assisted zero-day exploit in the wild, targeting 2FA via a hardcoded trust assumption [18]
  • 2026-05-13: SafeDep publishes technical report on the mass supply chain attack; UK AISI publishes primary-source blog documenting doubling of autonomous model cyber time horizon; H4ckmanac observes Mistral AI source code and internal repositories as compromised assets [25][51][52]
  • 2026-05-14: Attack scope confirmed across Mistral AI, OpenAI, UiPath, and OpenSearch npm packages; TeamPCP claims 5GB Mistral breach across 450 repositories; node-ipc (3M+ downloads) separately compromised [53][54][7][55]
  • 2026-05-15: OpenAI confirms breach and recommends desktop agent updates; attack scale reaches 169+ npm packages and PyPI packages; OpenAI, Mistral AI, UiPath, Guardrails AI, SAP all named as affected via the same supply chain vector [5][33][2][4][6]
  • 2026-05-16: Cloud Security Alliance CISO briefing cites the AI-generated zero-day; Decryption Digest names APT45 and UNC2814 in attribution; attack confirmed as first criminal AI-generated zero-day in Google's Threat Intelligence reporting [19][28]
  • 2026-05-17: Attack formally named 'Mini Shai-Hulud'; Mistral AI and TanStack npm/PyPI packages confirmed; Microsoft MDASH system credited with discovering 16 Windows vulnerabilities including 4 critical RCE flaws [31][49]
  • 2026-05-18: TeamPCP threatens to leak Mistral AI's code publicly if no buyer is found; DarkWebInformer documents ~5GB exfiltration claim across social channels [14][15]
  • 2026-05-19: Total compromised packages reaches 314+ npm; Cloudflare tests Mythos against 50+ repositories within Project Glasswing, documenting its ability to chain exploits; MCP/AI skills ecosystem flagged as analogous supply chain attack surface [30][3][46][36][38][22]
  • 2026-05-20: US DoD CSIAC publishes formal technical response report 'Counter-AI Offensive Tools and Techniques'; regulatory debate emerges on whether governments should mandate access to offensive models or fund sovereign AISI-style capabilities [42][48][26][27]
  • 2026-05-21: Security community characterizes the AI-assisted zero-day as a major escalation milestone marking the emergence of AI-native threat actors [20]
  • 2026-05-22: TeamPCP lists Mistral AI source code for sale at $25,000 across multiple channels; Mistral AI officially confirms the breach but declines to disclose what data was taken; Cybernews confirms 450 repositories exposed [9][10][11][12][8][32]
  • 2026-05-23: Anthropic's Project Glasswing confirmed as Anthropic-owned initiative via official anthropic.com/glasswing page; Yahoo Tech and others report TeamPCP's leak threat alongside the sale listing; Simon J and community commentary amplify Mistral breach and Mythos capability findings [21][13][16][23][24][17]

Perspectives

Google Threat Intelligence Group (GTIG)

Confirmed the first criminal AI-assisted zero-day exploit targeting a 2FA trust assumption; attribution reporting names APT45 and UNC2814, with North Korean infrastructure cited; GTIG intercepted the exploit before mass deployment but characterizes it as a qualitative escalation milestone

Evolution: Consistent from prior synthesis; no new items this pass

TeamPCP (threat group)

Operators of the Mini Shai-Hulud supply chain attack; have escalated from breach-and-claim through active sale listing ($25,000) to an explicit leak threat—stating they will publish Mistral AI data publicly if no buyer is found

Evolution: Further escalation this pass: the group added a public leak threat to its sale listing, shifting pressure from 'find a buyer' to a classic double-extortion dynamic

Mistral AI

Officially confirmed the breach but has not disclosed what data is involved; remains silent on whether TeamPCP's 5GB/450-repository claim accurately characterizes the scope

Evolution: No new disclosures this pass; the gap between TeamPCP's increasingly public escalation and Mistral's silence is widening

OpenAI

Confirmed breach via the TanStack npm supply chain attack; recommended users update desktop agents; acknowledged developer machines as primary impact zone

Evolution: Consistent from prior synthesis; remains the most transparent of the confirmed breach victims

Anthropic (Project Glasswing)

Project Glasswing is Anthropic's own defensive security initiative, confirmed via an official page at anthropic.com/glasswing; the project engages external organizations to test Claude Mythos against real-world codebases; the finding that Mythos discovers exploit chains earlier frontier models missed is now a primary-source claim from the model developer itself

Evolution: New perspective this pass: Anthropic's official Glasswing page establishes the project as Anthropic-owned, correcting the prior synthesis's framing that attributed the project primarily to Cloudflare

Cloudflare (Glasswing testing partner)

Participated in Project Glasswing as a testing partner, running Claude Mythos against 50+ repositories; findings highlight Mythos's ability to chain exploits in ways earlier frontier models missed; advocates for narrow-scope AI agent design to limit blast radius from autonomous exploitation

Evolution: Attribution corrected this pass: Cloudflare is a testing partner within Anthropic's Glasswing program, not the project originator as previously framed; the 50+ repository test count is new quantitative detail

UK AI Safety Institute (AISI)

Published primary-source blog formalizing data on the doubling of autonomous AI cyber time horizon in months; the publication elevates prior cited statistics to official government documentation

Evolution: Consistent from prior synthesis

US DoD / CSIAC

Published formal technical response report 'Counter-AI Offensive Tools and Techniques,' signaling that AI-native offensive capabilities now warrant organized institutional response at the national defense level; DoD modernization discussions are applying least-privilege access principles to AI tools

Evolution: Consistent from prior synthesis

AgentGraph

Argues that the MCP/AI skills ecosystem recreates the npm supply chain vulnerability problem at a faster pace, with unverified community packages receiving implicit trust from AI agents

Evolution: Consistent from prior synthesis

RupeeMindset

Argues the structural asymmetry favoring offense is economic, not merely technical: defensive costs scale poorly while offensive AI costs favor attackers, and AI deepens rather than resolves this gap

Evolution: Consistent from prior synthesis

Samuel Ajiboyede

Raises the regulatory question of whether governments should mandate reciprocal access to offensive AI models or fund sovereign capabilities like AISI, framing this as a policy design choice rather than a settled answer

Evolution: Consistent from prior synthesis

Grant Harvey (The Neuron)

Frames AI cybersecurity as a genuine two-sided escalation where autonomous capabilities power both offense and defense; emphasizes AI's advantage in tracing user flows to identify trust-assumption flaws; cautiously optimistic that defensive multi-agent verification can scale

Evolution: Consistent from prior synthesis

Jack Clark (Import AI)

Uses fast16.sys as a cautionary historical metaphor to argue the most dangerous AI-enabled cyberweapons will be subtle and degradation-focused; frames proliferation as analogous to how a superintelligence might prevent competitors from developing comparable capabilities

Evolution: Consistent from prior synthesis

Microsoft (MDASH team)

Multi-agent vulnerability discovery system independently finds and verifies real threats at scale, demonstrating defensive AI viability as a force multiplier

Evolution: Consistent from prior synthesis; faces implicit challenge from Anthropic's Glasswing finding that Mythos chains bugs in ways earlier models missed—suggesting offense is pulling ahead on the exploit-chaining capability dimension specifically

Tensions

  • Microsoft's MDASH results and Grant Harvey's framing suggest defensive AI can scale to meet offensive AI [49]; RupeeMindset counters that defensive cost structures are prohibitively higher than offensive ones, and AI deepens rather than resolves that asymmetry [47]—a structural economics argument that MDASH's capability demonstration does not address. [49][47]
  • Anthropic's Project Glasswing finding—now a primary-source claim—that Mythos finds exploit chains earlier frontier models missed [21][22] sharpens the tension with Microsoft MDASH's defensive benchmark: MDASH was optimized for finding individual vulnerabilities, not countering chained exploit sequences, leaving open whether the defensive AI architecture tested by Microsoft is keeping pace with the specific chaining capability being demonstrated on offense. [21][22][49][25]
  • Mistral AI confirms the breach but declines to say what data was taken [13], while TeamPCP publicly threatens to leak the data if no buyer is found [14]—an information asymmetry where the attacker discloses more about breach scope than the victim, now amplified by the leak threat's deadline pressure that forces Mistral toward public acknowledgment or silent acceptance of public exposure. [13][14][32][9][10]
  • Samuel Ajiboyede frames the policy choice as mandating reciprocal access to offensive AI models versus funding sovereign capabilities like AISI [48]; these approaches imply fundamentally different theories of defense—one relies on deterrence through capability parity, the other on specialized state institutions—and no voice in the thread has yet argued for both simultaneously. [48][25]
  • The dual-use optimism in Harvey's framing [49] and Clark's degradation-focused alarm [50] now face a concrete test: Mini Shai-Hulud's CI/CD compromise method and the AI-assisted 2FA zero-day both exploit trust-assumption logic rather than memory errors, suggesting Clark's 'invisible degradation' template may already be operational at the infrastructure layer rather than purely at the scientific-data layer. [49][50][19][1]

Sources

  1. [1] The npm supply chain attack that hit TanStack, Mistral AI, and UiPath on May 11 didn't involve stolen credentials. 42 Tan... — reactive:ai-offensive-cyber (2026-05-14)
  2. [2] A supply chain worm just hit over 169 npm packages and multiple PyPI packages. The affected ecosystems include TanStack,... — reactive:ai-offensive-cyber (2026-05-15)
  3. [3] 314 npm packages compromised in the Shai-Hulud supply chain attack. — reactive:ai-offensive-cyber (2026-05-19)
  4. [4] @IntCyberDigest The list keeps growing: OpenAI, Mistral, UiPath, Guardrails AI, SAP. All hit through the same npm supply... — reactive:ai-offensive-cyber (2026-05-15)
  5. [5] 🚨 OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack — reactive:ai-security-nexus (2026-05-16)
  6. [6] OpenAI recommends updating desktop agents, after the supply chain attack compromising nearly 170 npm packages; by TeamPC... — reactive:ai-offensive-cyber (2026-05-15)
  7. [7] TeamPCP claims it breached @MistralAI and stole 5GB of data across 450 repositories, while Mistral confirms impact from ... — reactive:ai-offensive-cyber (2026-05-14)
  8. [8] Mistral AI breached in TanStack-linked attack? 450 repos exposed — reactive:ai-offensive-cyber
  9. [9] TeamPCP hackers advertise Mistral AI code repos for sale — reactive:ai-offensive-cyber
  10. [10] TeamPCP Hackers Put Mistral AI Source Code Up for Sale at $25,000 — reactive:ai-offensive-cyber
  11. [11] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack — reactive:ai-offensive-cyber
  12. [12] TeamPCP Monetizes Shai-Hulud Fallout: Mistral AI Source Code — reactive:ai-offensive-cyber
  13. [13] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved — reactive:ai-offensive-cyber
  14. [14] [2026-05-18] TeamPCP threatens to leak Mistral AI's code if no one ... — reactive:ai-offensive-cyber
  15. [15] ‼️ Mistral AI allegedly breached: ~5GB of internal source code ... — reactive:ai-offensive-cyber
  16. [16] TeamPCP hackers advertise Mistral AI code repos for sale | Simon J ... — reactive:ai-offensive-cyber
  17. [17] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  18. [18] Google reports first known AI-assisted zero-day exploit in the wild — reactive:ai-offensive-cyber (2026-05-12)
  19. [19] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
  20. [20] A criminal group has used AI to discover and weaponize a 0-day vulnerability, marking a major escalation in offensive cy... — reactive:ai-offensive-cyber (2026-05-21)
  21. [21] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
  22. [22] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
  23. [23] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
  24. [24] Claude Mythos Cracks All Security, Project Glasswing, and the New ... — reactive:ai-offensive-cyber
  25. [25] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  26. [26] Counter-AI Offensive Tools and Techniques - CSIAC - dtic.mil — reactive:ai-offensive-cyber
  27. [27] [PDF] Counter-AI Offensive Tools and Techniques - CSIAC — reactive:ai-offensive-cyber
  28. [28] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
  29. [29] AI ZERO-DAY IN THE WILD COURTESY OF GOOGLE THREAT INTEL — reactive:ai-offensive-cyber (2026-05-14)
  30. [30] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  31. [31] Mistral AI and TanStack npm packages were compromised in a supply chain attack named 'Mini Shai-Hulud.' GitHub creds, CI... — reactive:ai-offensive-cyber (2026-05-17)
  32. [32] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
  33. [33] OpenAI confirms breach in TanStack supply chain cyberattack. — reactive:ai-security-nexus (2026-05-15)
  34. [34] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack https://t.co/AMdx5vvk0a — reactive:ai-security-nexus (2026-05-15)
  35. [35] 🚨 OpenAI just confirmed a real supply-chain attack. — reactive:ai-offensive-cyber (2026-05-15)
  36. [36] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
  37. [37] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
  38. [38] Cloudflare Tests AI's Ability to Find and Exploit Vulnerabilities — reactive:ai-offensive-cyber
  39. [39] Cloudflare's approach to building safe AI agents with narrow scope ... — reactive:ai-offensive-cyber
  40. [40] 🤖Anthropic’s Mythos AI can now chain bugs into working exploits, according to Cloudflare. — reactive:ai-offensive-cyber (2026-05-19)
  41. [41] Recent evaluations from the UK AI Security Institute (AISI) highlight the accelerating pace of autonomous AI cyber capab... — reactive:ai-offensive-cyber (2026-05-14)
  42. [42] Read CSIAC's technical response report, "Counter-AI Offensive Tools and Techniques." — reactive:ai-offensive-cyber (2026-05-20)
  43. [43] Read CSIAC's technical response report, "Counter-AI Offensive ... — reactive:ai-offensive-cyber
  44. [44] DoD Modernization Exchange 2026: Ping Identity’s Kelvin Brewer on applying least privilege access to AI tools — reactive:ai-offensive-cyber
  45. [45] Do you work in software or data analysis? CSIAC ... — reactive:ai-offensive-cyber
  46. [46] The supply chain attack surface for AI skills/MCPs is the same problem npm had in 2018, just moving faster. Unverified c... — reactive:ai-offensive-cyber (2026-05-19)
  47. [47] @TheEconomist The real vulnerability isn't just "trusted firms" leaking tools—it's the asymmetric economics. Defensive c... — reactive:ai-offensive-cyber (2026-05-15)
  48. [48] Should regulators mandate reciprocal access to offensive models or fund sovereign capabilities like UK's AISI? — reactive:ai-offensive-cyber (2026-05-20)
  49. [49] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
  50. [50] Import AI 457: AI stuxnet; cursed Muon optimizer; and positive alignment — Import AI (2026-05-18)
  51. [51] Mass Supply Chain Attack Hits TanStack, Mistral AI NPM and PyPI Packages — reactive:ai-offensive-cyber (2026-05-13)
  52. [52] Source code, internal repositories Observed: May 13, 2026 Status — reactive:ai-offensive-cyber
  53. [53] 🚨 node-ipc compromised (3M+ downloads) — reactive:ai-offensive-cyber (2026-05-14)
  54. [54] NEWS | A new NPM supply chain attack is now targeting the AI ecosystem, hitting packages tied to Mistral AI, OpenSearch,... — reactive:ai-offensive-cyber (2026-05-14)
  55. [55] Mass supply-chain attack slams npm and PyPi, with downstream impact affecting Mistral AI and others, as latest Mini Shai... — reactive:ai-offensive-cyber (2026-05-14)