The Information Machine

AI-Enabled Offensive Cyberattacks Escalate · history

Version 7

2026-05-24 20:52 UTC · 250 items

What

Four confirmed developments define the AI-enabled offensive cyber landscape in late May 2026. TeamPCP's 'Mini Shai-Hulud' supply chain attack compromised 314+ npm/PyPI packages—including mistralai Python client version 2.4.6 [5]—affecting OpenAI, Mistral AI, the European Commission, and others [2][4]. Google confirmed the first criminal AI-generated zero-day, targeting a 2FA trust assumption [15]. Anthropic's Project Glasswing—publicly disclosed in April 2026 [24][23]—documents Claude Mythos autonomously chaining exploits [38][26]; an open-source outside-in replication of the methodology, built on Claude Opus 4.7 at ~$1 per run, is now publicly available on GitHub [29]. Policy pressure is crystallizing: Microsoft has called for government cyber testing of frontier AI models [31], and a letter to the White House urges formal oversight guidance [32].

Why it matters

The open-source Mythos replication at ~$1/run [29] transforms what was a controlled institutional capability disclosure into an accessible public scaffold, directly challenging whether gated access to the original Mythos model is sufficient to contain the exploit-chaining methodology. As institutional defenders, legal analysts, and policymakers simultaneously converge on government testing mandates [31][32][36], the gap between regulatory response time and capability proliferation is widening faster than any formal framework can close it.

Open questions

  • Does the Keyvanhardani open-source Mythos replication [29] actually reproduce the exploit-chaining results Cloudflare documented [26], or does its eight-phase pipeline approximate them at lower fidelity? No independent validation of the replication's findings against primary-source Glasswing benchmarks has been confirmed.

  • Will TeamPCP follow through on the public leak threat against Mistral AI [12]? The specific compromise of mistralai Python client 2.4.6 is now documented in a GitHub security issue [5], but Mistral has still not disclosed the scope of what was taken [13], and hints of a prior SDK security disclosure preceding the breach [14] remain unresolved.

  • What does the METR Frontier Risk Report (covering February–March 2026) [20] find regarding autonomous AI cyber capability trajectories, and does it corroborate or qualify the AISI's ~4.5-month doubling rate [19]?

  • Microsoft's call for government cyber testing [31], the White House oversight letter [32], and OpenAI's self-regulatory gated access model [33] point toward competing regulatory architectures—which approach, if any, will gain institutional traction before the next major AI-assisted incident?

Narrative

Beginning May 11, 2026, threat group TeamPCP's 'Mini Shai-Hulud' supply chain attack exploited GitHub Actions publishing machinery to push malicious package versions without credential theft [1]; because no maintainer credentials were stolen, rotating them does not close the vector, which sits in the publishing workflow itself. The campaign expanded from 42 compromised TanStack repositories to 314+ npm and PyPI packages by May 19 [2], with a confirmed blast radius spanning AI industry tooling and government infrastructure: OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP were all affected through the same vector [3][4]. The specific compromise of mistralai version 2.4.6, the Mistral AI Python client, is documented in a GitHub security issue [5] and in CSO Online's coverage of the Mistral AI SDK attack [6]; LiteLLM separately published a security update addressing the Mistral AI PyPI attack [7]. OpenAI's post-incident disclosure specifies two employee devices compromised, code-signing certificates for its iOS/macOS/Windows apps exfiltrated, and a June 12, 2026 revocation deadline after which apps not updated to re-signed builds will stop functioning [8]. TeamPCP's campaign against Mistral escalated through a 5GB exfiltration claim across 450 repositories [9], a $25,000 sale listing [10][11], and an explicit public leak threat [12]. Mistral confirmed the breach but has not disclosed scope [13]; a report that Mistral disclosed an SDK security issue days before the TeamPCP breach [14] raises, but does not answer, the question of whether the two are connected.
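The first check a practitioner wants after reading the above is whether any pinned dependency matches a version documented as compromised. The following is an added example, not code from OpenAI, Mistral AI, LiteLLM or any project named on this page. It audits requirements.txt or `pip freeze` output and an npm package-lock.json (lockfileVersion 1, 2 or 3) against a known-bad table. The only entry in that table is the version the page documents, mistralai 2.4.6 on PyPI; the npm entry used in the demo (`@example/router`) is a constructed placeholder, and both sample inputs are constructed. Only exact `==` pins are checked, because a version range says nothing about what is actually installed.

```python
"""Audit Python and npm lockfiles for package versions known to be compromised.

Added example for this page; not code from OpenAI, Mistral AI, LiteLLM or any
project named here. KNOWN_BAD holds only the version the page documents
(mistralai 2.4.6 on PyPI); anything else must come from vendor advisories.
"""
import json
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (ecosystem, package, version)

# ecosystem -> package -> compromised versions; extend from advisories, never guess.
KNOWN_BAD: Dict[str, Dict[str, Set[str]]] = {
    "pypi": {"mistralai": {"2.4.6"}},
    "npm": {},
}

def canonical_pypi_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive; runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

# name, optional [extras], '==', version; stops at whitespace, ';' markers or '#' comments
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def audit_requirements(text: str, bad: Dict[str, Set[str]]) -> List[Finding]:
    """Scan requirements.txt or `pip freeze` output for exact pins of bad versions.

    Only '==' pins are checked: a range or bare name says nothing about what is
    actually installed, so feed this `pip freeze` output to audit an environment.
    """
    bad_norm = {canonical_pypi_name(k): v for k, v in bad.items()}
    findings: List[Finding] = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if not m:
            continue
        name, version = canonical_pypi_name(m.group(1)), m.group(2)
        if version in bad_norm.get(name, set()):
            findings.append(("pypi", name, version))
    return findings

def _walk_v1(deps: dict, bad: Dict[str, Set[str]], findings: List[Finding]) -> None:
    """lockfileVersion 1 nests 'dependencies' recursively under each package."""
    for name, meta in deps.items():
        version = meta.get("version", "")
        if version in bad.get(name, set()):
            findings.append(("npm", name, version))
        _walk_v1(meta.get("dependencies", {}), bad, findings)

def audit_package_lock(text: str, bad: Dict[str, Set[str]]) -> List[Finding]:
    """Scan a package-lock.json (lockfileVersion 1, 2 or 3) for bad versions.

    v2/v3 keep a flat 'packages' map keyed by install path; the package name is
    everything after the last 'node_modules/', so nested duplicate copies are
    caught too. v1 files (no 'packages' key) are walked recursively.
    """
    lock = json.loads(text)
    findings: List[Finding] = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if "node_modules/" not in path:
                continue  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[1]
            version = meta.get("version", "")
            if version in bad.get(name, set()):
                findings.append(("npm", name, version))
    else:
        _walk_v1(lock.get("dependencies", {}), bad, findings)
    return findings

# Constructed sample inputs, not real project files.
SAMPLE_REQUIREMENTS = """\
# pinned by CI
MistralAI[cli]==2.4.6 ; python_version >= "3.9"
litellm>=1.0   # unpinned, not checked
requests==2.32.3
"""

SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@example/router": {"version": "1.0.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@example/router": {"version": "1.0.2"},
    },
})

def demo() -> List[Finding]:
    """Run both auditors over the samples; the npm entry is a constructed placeholder."""
    placeholder_npm = {"@example/router": {"1.0.2"}}  # not a real advisory
    return (audit_requirements(SAMPLE_REQUIREMENTS, KNOWN_BAD["pypi"])
            + audit_package_lock(SAMPLE_PACKAGE_LOCK, placeholder_npm))

if __name__ == "__main__":
    for eco, name, version in demo():
        print(f"COMPROMISED {eco}:{name}@{version}")
```

This is a known-bad-version check and nothing more: it finds the compromised version only once an advisory has named it, which is exactly the limitation a workflow-level compromise exploits, since the malicious versions were published through the project's own trusted pipeline rather than with stolen credentials.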

Running parallel to the supply chain campaign, Google's Threat Intelligence Group confirmed the first criminal actor using AI to discover and weaponize a zero-day, a hardcoded trust assumption in a two-factor authentication flow, intercepted before mass deployment [15]. Attribution reporting names APT45 and UNC2814 with North Korean infrastructure cited [16][17]. The incident establishes that AI is being applied to find previously unknown bugs, not merely to automate exploitation of known ones [18]; the bug class itself, a logic flaw in what a flow trusts rather than a memory-safety error, is the kind that fuzzers and static scanners are weakest at. The UK AI Safety Institute has documented autonomous AI cyber capability doubling approximately every 4.5 months [19]. METR published a Frontier Risk Report covering February to March 2026 [20], providing capability assessment from the period immediately preceding the major incidents. The ExploitGym benchmark from Berkeley's Center for Responsible, Decentralized Intelligence independently evaluates AI agents' ability to turn known vulnerabilities into working exploits, providing an academic framework for the capability trajectory the AISI figure describes [21][22].
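The page names the class of the GTIG-reported bug, a hardcoded trust assumption in a 2FA flow, but not the bug itself. The following is an added example illustrating that class in generic form; it is not the reported flaw and not anyone's production code. It shows a login handler that trusts a client-supplied `mfa_verified` flag beside one that keeps all second-factor state server-side, bound to a single-use, expiring challenge, with constant-time code comparison and a replay guard. HOTP and TOTP (RFC 4226/6238) are implemented inline so the block runs offline; the user, password, secret and fixed clock are constructed.

```python
"""A second-factor flow that trusts a client-supplied flag, beside a hardened one.

Added example for this page. It illustrates the vulnerability class the page
names, a hardcoded trust assumption in a 2FA flow, in generic form; it is NOT
the flaw GTIG reported, whose details the page does not give, and not anyone's
production code. Users, secrets, passwords and the fixed clock are constructed.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time step that contains Unix time `at`."""
    return hotp(secret, at // step)

@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_step: int = -1  # newest time step already accepted; blocks code replay

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

DEMO_SECRET = b"constructed-demo-secret-not-real"  # constructed, not a real seed
DEMO_NOW = 1_700_000_000                            # fixed clock for deterministic codes

def make_demo_users() -> dict:
    salt = b"constructed-salt"
    return {"alice": User("alice", salt, _hash_password("correct horse", salt), DEMO_SECRET)}

class VulnerableServer:
    """Password check, then a second factor that trusts state the client controls."""
    def __init__(self, users: dict, now=lambda: DEMO_NOW):
        self.users, self.now = users, now

    def login(self, request: dict) -> dict:
        user = self.users.get(request.get("username", ""))
        if user is None or not check_password(user, request.get("password", "")):
            return {"ok": False}
        # Hardcoded trust assumption: the code assumes "mfa_verified" is only ever set
        # by its own OTP page, so any truthy value sent by the client skips the OTP.
        if request.get("mfa_verified"):
            return {"ok": True, "session": secrets.token_hex(16)}
        if request.get("otp") == totp(user.totp_secret, self.now()):  # also not constant-time
            return {"ok": True, "session": secrets.token_hex(16)}
        return {"ok": False, "need": "otp"}

class HardenedServer:
    """Second-factor state lives server-side, bound to a single-use, expiring challenge."""
    MAX_ATTEMPTS = 5
    TTL = 300  # seconds a pending challenge stays valid

    def __init__(self, users: dict, now=lambda: DEMO_NOW):
        self.users, self.now = users, now
        self.pending: dict = {}  # challenge token -> [username, expiry, failed attempts]

    def login(self, request: dict) -> dict:
        user = self.users.get(request.get("username", ""))
        if user is None or not check_password(user, request.get("password", "")):
            return {"ok": False}
        token = secrets.token_urlsafe(32)
        self.pending[token] = [user.username, self.now() + self.TTL, 0]
        return {"ok": False, "mfa_token": token}  # no request field can skip the next step

    def verify_otp(self, request: dict) -> dict:
        token = str(request.get("mfa_token", ""))
        entry = self.pending.get(token)
        if entry is None or self.now() > entry[1]:
            return {"ok": False}
        user = self.users[entry[0]]
        step = self.now() // 30
        expected = totp(user.totp_secret, self.now())
        fresh = step > user.last_step  # each code is accepted at most once
        if fresh and hmac.compare_digest(expected, str(request.get("otp", ""))):
            user.last_step = step
            del self.pending[token]  # challenge is single-use
            return {"ok": True, "session": secrets.token_hex(16)}
        entry[2] += 1
        if entry[2] >= self.MAX_ATTEMPTS:
            del self.pending[token]  # too many failures: back to the password step
        return {"ok": False}
```

The difference that matters is not the OTP arithmetic but where the "second factor passed" fact is stored: in the vulnerable handler it is a request field, so the server is trusting the party it is supposed to be authenticating; in the hardened one it is derived only from a server-issued challenge plus a code that is compared in constant time and accepted once per time step.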

Anthropic's Project Glasswing, which engages external organizations to test Claude Mythos against real-world codebases, was publicly disclosed in April 2026, weeks before the Mini Shai-Hulud attack. The Internet Governance Project published analysis framing Glasswing as reshaping 'the changing institutional economics of bugs' on April 16 [23], IANS Research characterized it as exposing 'the next challenge for vulnerability management' on April 19 [24], and Bruce Schneier published commentary on the Mythos Preview and Glasswing in April [25]. Cloudflare, as a formal testing partner, documented that Mythos chains exploits in ways earlier frontier models missed when run against 50+ repositories [26]; the Cloud Security Alliance characterized this as crossing an 'autonomous offensive threshold' [27]. Anthropic has not released Mythos publicly, a decision NBC News framed as driven by the model's dangerous capabilities [28]. A significant development in accessibility has since emerged: an open-source outside-in replication of the Mythos methodology, authored by Keyvanhardani and hosted on GitHub, implements an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, framed as an OSS self-scan and coordinated disclosure tool [29]. This moves the Glasswing replication from a ResearchGate paper to a publicly accessible scaffold, directly challenging whether controlled access to Mythos itself can contain the underlying methodology; note that it rebuilds the pipeline around a different model (Claude Opus 4.7) rather than Mythos, so matching Mythos's results is a claim to be tested, not a demonstrated one. Unverified Reddit discussion has amplified claims that Mythos can find 'tens of thousands of zero-days' [30], a scale that exceeds primary-source documentation.

At the policy level, pressure toward formal government oversight of AI models is coalescing from multiple directions simultaneously. Microsoft has explicitly called for frontier AI models to be subject to government cyber testing [31]. A letter to the White House separately urges formal guidance on oversight of AI models [32]. OpenAI's 'Trusted Access for Cyber' program—confirmed via a blog post published May 7, predating the Mini Shai-Hulud attack—gives vetted security defenders access to GPT-5.5 and the specialized GPT-5.5-Cyber [33]. The US DoD's CSIAC published 'Counter-AI Offensive Tools and Techniques,' signaling AI-native offensive capabilities now warrant organized national defense response [34]. Palo Alto Networks published a 'Defender's Guide to Frontier AI Impact on Cybersecurity' [35], and legal analysis from Lowenstein Sandler frames frontier AI as requiring a recalibration of institutional cybersecurity risk thresholds [36]. Three distinct deployment philosophies among frontier labs—Anthropic's full restriction [28], Microsoft's internal MDASH deployment [37], and OpenAI's gated external access tier [33]—persist without resolution into any common standard, even as Microsoft's regulatory call [31] signals that at least one major lab views government-imposed testing as preferable to voluntary norms.

Timeline

  • pre-2010: fast16.sys virus deployed, selectively corrupting floating-point results in nuclear physics and precision engineering software—establishing an early template for targeted scientific sabotage through invisible degradation rather than overt disruption [107][108][109]
  • 2026-02/03: METR assesses frontier AI risks during February–March 2026, producing findings published in the Frontier Risk Report in May 2026 [20]
  • 2026-04-16: Internet Governance Project publishes 'AI, Project Glasswing, and the Changing Institutional Economics of Bugs,' providing one of the earliest substantive public analyses of Glasswing—weeks before the Mini Shai-Hulud attack [23]
  • 2026-04-19: IANS Research publishes that Project Glasswing 'Exposes the Next Challenge for Vulnerability Management'; Bruce Schneier publishes commentary on Anthropic's Mythos Preview and Project Glasswing; security commentariat engages with Glasswing's implications for the vulnerability disclosure ecosystem [24][25]
  • 2026-05-07: OpenAI publishes 'Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber' on the OpenAI Blog, establishing a formal program granting vetted security defenders access to GPT-5.5 and the specialized GPT-5.5-Cyber model to accelerate vulnerability research and protect critical infrastructure—predating the Mini Shai-Hulud attack by four days [33][39][40][41][42][43][44]
  • 2026-05-11: TeamPCP's Mini Shai-Hulud supply chain attack begins: 42 TanStack GitHub repositories compromised via GitHub Actions publishing machinery, 84 malicious npm package versions published without credential theft; Google GTIG detects the first known AI-generated zero-day exploit targeting a 2FA trust assumption and intercepts it before mass deployment [1][15][17][53][113][51][52]
  • 2026-05-12: Microsoft publishes the primary-source Security Blog post announcing MDASH, its multi-model agentic security system, which has already found 16 Windows vulnerabilities including 4 critical RCE flaws and tops leading industry benchmarks [37][81][82][86]
  • 2026-05-13: OpenAI publishes its official post-incident disclosure specifying two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline set, and no customer data or production systems affected; UK AISI publishes primary-source blog documenting autonomous AI cyber capability doubling at approximately every 4.5 months [8][114][91][19]
  • 2026-05-14: Attack scope confirmed across Mistral AI, OpenAI, UiPath, and OpenSearch npm packages; TeamPCP claims 5GB Mistral breach across 450 repositories; node-ipc (3M+ downloads) separately compromised [115][116][9][117]
  • 2026-05-15: Attack scale reaches 169+ npm and PyPI packages; OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP all named as affected via the same supply chain vector; Trump-Xi summit in Beijing takes place, with US and China later disagreeing on what was agreed [45][46][118][3][48][4][119]
  • 2026-05-16: Cloud Security Alliance CISO briefing cites the AI-generated zero-day; attribution reporting names APT45 and UNC2814 with North Korean infrastructure cited [16][49][89]
  • 2026-05-17: Attack formally named 'Mini Shai-Hulud'; Mistral AI and TanStack npm/PyPI packages confirmed as central targets [55]
  • 2026-05-18: TeamPCP threatens to leak Mistral AI's code publicly if no buyer is found; DarkWebInformer documents the ~5GB exfiltration claim across social channels; US and China announce deals following the Trump-Xi summit [12][60][120][121][122]
  • 2026-05-19: Total compromised packages reaches 314+ npm/PyPI; Cloudflare tests Mythos against 50+ repositories within Project Glasswing, documenting its ability to chain exploits; MCP/AI skills ecosystem flagged as analogous supply chain attack surface; METR publishes Frontier Risk Report covering February–March 2026 [54][2][111][73][75][78][26][20]
  • 2026-05-20: US DoD CSIAC publishes formal technical response report 'Counter-AI Offensive Tools and Techniques'; regulatory debate emerges on whether governments should mandate access to offensive models or fund sovereign AISI-style capabilities; Microsoft calls for government cyber testing of frontier AI models [34][106][102][103][31]
  • 2026-05-21: Security community characterizes the AI-assisted zero-day as a major escalation milestone marking the emergence of AI-native threat actors [18][123][124]
  • 2026-05-22: TeamPCP lists Mistral AI source code for sale at $25,000 across multiple channels; Mistral AI officially confirms the breach but declines to disclose what data was taken; Cybernews confirms 450 repositories exposed; CSO Online reports on the Mistral AI SDK and TanStack Router npm supply chain attack [10][11][56][57][65][13][61][62][63][64][6]
  • 2026-05-23: Anthropic's Project Glasswing confirmed as Anthropic-owned initiative; Cloudflare Blog publishes primary-source account; Anthropic red team assessment published at red.anthropic.com; NBC News reports Anthropic won't release Mythos publicly; Bloomberg, CNBC, SecurityWeek, and CyberScoop report Google's AI zero-day; the AI zero-day story goes viral on social media; Zvi Mowshowitz covers Glasswing on Substack [69][26][38][28][53][113][51][52][15][125][110][79][126]
  • 2026-05-24: OpenAI's Trusted Access for Cyber program confirmed as a formal initiative via official blog post; Keyvanhardani publishes an open-source outside-in replication of Project Glasswing Mythos on GitHub—an eight-phase sink-guided pipeline on Claude Opus 4.7 at ~$1/run with coordinated disclosure framing; mistralai Python client version 2.4.6 specifically documented as compromised in a GitHub security issue; LiteLLM publishes a security update addressing the Mistral AI PyPI supply chain attack; hints emerge of a prior Mistral SDK security disclosure preceding the TeamPCP breach [33][39][29][5][7][67][14][68]

Perspectives

OpenAI

Published the most detailed primary-source incident disclosure of any confirmed breach victim—two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline, no customer data or production systems affected—framing the incident as a 'broader shift' toward supply chain targeting. Separately confirmed, via an official blog post predating the Mini Shai-Hulud attack, a formal 'Trusted Access for Cyber' program giving vetted security defenders access to GPT-5.5 and GPT-5.5-Cyber for vulnerability research and critical infrastructure protection.

Evolution: Consistent with prior synthesis; GPT-5.5-Cyber program remains confirmed via official blog post (7134) published May 7, 2026, four days before the attack.

Google Threat Intelligence Group (GTIG)

Confirmed the first criminal AI-assisted zero-day exploit targeting a 2FA trust assumption; attribution reporting names APT45 and UNC2814 with North Korean infrastructure; GTIG intercepted the exploit before mass deployment. The Google Cloud Blog primary-source post documents adversaries using AI for vulnerability exploitation, augmented operations, and initial access—framing the zero-day as one instance of a systematic shift rather than an isolated incident.

Evolution: Consistent with prior synthesis; no new primary-source disclosures this pass.

TeamPCP (threat group)

Operators of Mini Shai-Hulud; have escalated from breach-and-claim through active sale listing ($25,000) to an explicit leak threat stating they will publish Mistral AI data publicly if no buyer is found.

Evolution: Consistent; escalation arc is documented but no new phases have materialized since the leak threat. Social media amplification continues.

Mistral AI

Officially confirmed the breach but has not disclosed what data is involved; remains silent on whether TeamPCP's 5GB/450-repository claim accurately characterizes the scope. The specific compromise of mistralai Python client version 2.4.6 is now documented in a GitHub security issue independent of Mistral's own disclosures.

Evolution: The GitHub security issue for mistralai 2.4.6 (17371) provides version-level specificity not previously in the record. Hints of a prior Mistral SDK disclosure (17157) remain an unresolved dimension.

Anthropic (Project Glasswing)

Project Glasswing is Anthropic's own defensive security initiative, confirmed via anthropic.com/glasswing and a red team capability assessment at red.anthropic.com; the project was publicly disclosed in April 2026 and engages external organizations to test Claude Mythos against real-world codebases. Mythos discovers exploit chains earlier frontier models missed. Controlled access is a deliberate safety decision—Anthropic has not released Mythos publicly.

Evolution: The April 2026 disclosure date (17373, 17374, 12277) predates the Mini Shai-Hulud attack by over three weeks—earlier than the May 23 framing suggested by prior synthesis. An open-source replication of the methodology is now publicly available (17372), adding pressure to the safety rationale for non-release.

Cloudflare (Glasswing testing partner)

Participated in Project Glasswing as a testing partner; the Cloudflare Blog published a primary-source account documenting that Mythos chains exploits in ways earlier frontier models missed when run against 50+ repositories. Advocates for narrow-scope AI agent design to limit blast radius from autonomous exploitation.

Evolution: Consistent with prior synthesis.

Keyvanhardani (independent replication researcher)

Published an open-source outside-in replication of Anthropic's Mythos Preview / Project Glasswing on GitHub, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, framed as an OSS self-scan and coordinated disclosure scaffold.

Evolution: Previously tracked as a ResearchGate paper (17155); now a full public GitHub repository (17372) with specific technical implementation details, significantly increasing accessibility beyond academic paper format.

Bruce Schneier

Published commentary on Anthropic's Mythos Preview and Project Glasswing in April 2026, representing significant engagement from the security research commentariat with Anthropic's capability disclosure.

Evolution: New voice this pass; previously absent from the perspectives record.

Microsoft (MDASH team + regulatory stance)

Multi-agent vulnerability discovery system MDASH independently found 16 Windows vulnerabilities including 4 critical RCE flaws; Microsoft's Security Blog documents MDASH as topping leading industry benchmarks for defensive AI vulnerability discovery. Microsoft has separately and explicitly called for frontier AI models to be subject to government cyber testing.

Evolution: Government cyber testing call (17378) is new this pass, adding a regulatory dimension to Microsoft's previously purely technical-deployment stance.

IANS Research

Frames Project Glasswing as 'exposing the next challenge for vulnerability management,' positioning the Mythos capability disclosure as requiring institutional security programs to reconsider how they detect and respond to autonomous exploit chaining.

Evolution: New voice this pass.

Internet Governance Project

Frames Project Glasswing as reshaping 'the institutional economics of bugs'—arguing that autonomous AI exploit discovery alters the cost and incentive structures governing vulnerability research, disclosure, and patching at a systemic level.

Evolution: New voice this pass; published April 16, 2026, predating the Mini Shai-Hulud attack.

METR

Published a Frontier Risk Report covering February to March 2026 assessing autonomous AI capabilities and frontier risk trajectories in the period immediately preceding the major May 2026 incidents.

Evolution: New voice this pass.

Palo Alto Networks

Published a 'Defender's Guide to Frontier AI Impact on Cybersecurity,' positioning the major security vendor as providing defensive framing for organizations navigating AI-augmented threat environments.

Evolution: New voice this pass.

Lowenstein Sandler LLP

Legal analysis frames frontier AI models as requiring a 'recalibration of risk for a faster threat environment,' positioning AI cybersecurity readiness as a legal and compliance imperative for institutional programs beyond purely technical response.

Evolution: New voice this pass.

LiteLLM

Published a security update specifically addressing the Mistral AI PyPI supply chain attack, providing an affected-ecosystem perspective on the downstream impact of the mistralai package compromise.

Evolution: New voice this pass.

Cloud Security Alliance (CSA)

Characterized Claude Mythos as crossing an 'autonomous offensive threshold' in a research note; separately cited the AI-generated zero-day in a CISO briefing, positioning the incident as a formal inflection point for institutional security posture.

Evolution: Consistent with prior synthesis.

UK AI Safety Institute (AISI)

Published a primary-source blog post reporting that autonomous AI cyber capability is doubling approximately every 4.5 months.

Evolution: Consistent with prior synthesis.

Berkeley RDI / ExploitGym researchers

Published the ExploitGym benchmark on arXiv, evaluating whether AI agents can turn known security vulnerabilities into real attacks and providing an independent academic framework for measuring AI-assisted exploit development capability.

Evolution: Consistent with prior synthesis.

US DoD / CSIAC

Published formal technical response report 'Counter-AI Offensive Tools and Techniques,' signaling that AI-native offensive capabilities now warrant organized institutional response at the national defense level.

Evolution: Consistent with prior synthesis.

Samuel Ajiboyede

Raises the regulatory question of whether governments should mandate reciprocal access to offensive AI models or fund sovereign capabilities like AISI, framing this as a policy design choice rather than a settled answer.

Evolution: Consistent with prior synthesis.

Grant Harvey (The Neuron)

Frames AI cybersecurity as a genuine two-sided escalation where autonomous capabilities power both offense and defense; emphasizes AI's advantage in tracing user flows to identify trust-assumption flaws; cautiously optimistic that defensive multi-agent verification can scale.

Evolution: Consistent with prior synthesis.

Jack Clark (Import AI)

Uses fast16.sys as a cautionary historical metaphor to argue the most dangerous AI-enabled cyberweapons will be subtle and degradation-focused; frames proliferation as analogous to how a superintelligence might prevent competitors from developing comparable capabilities.

Evolution: Consistent with prior synthesis.

Zvi Mowshowitz (AI commentary, Substack)

Dedicated a Substack post to Claude Mythos and Project Glasswing cybersecurity findings, signaling active engagement from the AI safety and policy commentary community with the offensive-capability disclosure.

Evolution: Consistent with prior synthesis.

NBC News / mainstream media

Frames the Mythos restricted access as driven by the model's dangerous capabilities ('Why Anthropic won't release its new Mythos AI model to the public'), translating the Glasswing story from technical security reporting into consumer-facing AI safety narrative.

Evolution: Consistent with prior synthesis.

AgentGraph

Argues that the MCP/AI skills ecosystem recreates the npm supply chain vulnerability problem at a faster pace, with unverified community packages receiving implicit trust from AI agents.

Evolution: Consistent with prior synthesis.

RupeeMindset

Argues the structural asymmetry favoring offense is economic, not merely technical: defensive costs scale poorly while offensive AI costs favor attackers, and AI deepens rather than resolves this gap.

Evolution: Consistent with prior synthesis.

Tensions

  • The open-source Mythos replication at ~$1/run using Claude Opus 4.7 [29] directly challenges Anthropic's rationale for not releasing Mythos publicly [28]: if the exploit-chaining methodology is replicable cheaply as an open-source tool, gated access to the original model may not meaningfully contain the capability proliferation it was designed to prevent. [29][28][38][26]
  • Microsoft's explicit call for government cyber testing of frontier AI models [31] sits in tension with OpenAI's self-regulatory gated access model [33]: one approach relies on state-imposed testing mandates as the oversight mechanism, the other on industry-designed vetting programs—implying fundamentally different theories of accountability for offensive-capable AI. [31][33][32]
  • Microsoft's MDASH results and Grant Harvey's framing suggest defensive AI can scale to meet offensive AI [87][37]; RupeeMindset counters that defensive cost structures are prohibitively higher than offensive ones, and AI deepens rather than resolves that asymmetry [112]—a structural economics argument that MDASH's capability demonstration does not address. [87][37][112]
  • Anthropic's Project Glasswing finding—documented in primary-source reports from both Anthropic's red team and the Cloudflare Blog—that Mythos finds exploit chains earlier frontier models missed [38][26] sharpens the gap with Microsoft MDASH's defensive benchmark: MDASH was optimized for finding individual vulnerabilities [37], not countering chained exploit sequences, leaving open whether defensive AI architecture is keeping pace with the specific chaining capability being demonstrated on offense. [38][26][37][91]
  • OpenAI's Trusted Access for Cyber program gives vetted external researchers access to both the general GPT-5.5 and the specialized GPT-5.5-Cyber [33], while Anthropic has not released Mythos publicly at all [28]—two distinct theories of how AI labs should handle offensive-capable models: controlled external access versus full restriction. No common industry standard has yet resolved this fault line. [33][28]
  • Mistral AI confirms the breach but declines to say what data was taken [58], while TeamPCP publicly threatens to leak the data if no buyer is found [12]: an information asymmetry in which the attacker discloses more about breach scope than the victim. The report of an earlier Mistral SDK security disclosure [14] adds a further open question, whether that disclosure and the TeamPCP compromise are related, which neither party has addressed. [58][12][13][10][11][14]
  • OpenAI's disclosure that no customer data or production systems were compromised [8] sits in tension with the practical impact of code-signing certificate revocation: after June 12, installs still running builds signed with the revoked certificates will stop working, a direct consumer disruption that complicates the 'limited blast radius' framing even absent data exfiltration. [8]
  • Samuel Ajiboyede frames the policy choice as mandating reciprocal access to offensive AI models versus funding sovereign capabilities like AISI [106]—approaches implying fundamentally different theories of defense—while Microsoft's government testing call [31] introduces a third model (state-imposed testing without state-owned capability) that neither Ajiboyede pole fully addresses. [106][91][31]
  • The dual-use optimism in Harvey's framing [87] and Clark's degradation-focused alarm [107] face a concrete test: Mini Shai-Hulud's CI/CD compromise method and the AI-assisted 2FA zero-day both exploit trust-assumption logic rather than memory errors [15][1], which is closer to Clark's template of quietly abusing trusted machinery than to overt disruption, suggesting that template may already be operational at the infrastructure layer rather than purely at the scientific-data layer. [87][107][15][16][1]

Sources

  1. [1] The npm supply chain attack that hit TanStack, Mistral AI, and UiPath on May 11 didn't involve stolen credentials.42 Tan... — reactive:ai-offensive-cyber (2026-05-14)
  2. [2] 314 npm packages compromised in the Shai-Hulud supply chain attack. — reactive:ai-offensive-cyber (2026-05-19)
  3. [3] @IntCyberDigest The list keeps growing: OpenAI, Mistral, UiPath, Guardrails AI, SAP. All hit through the same npm supply... — reactive:ai-offensive-cyber (2026-05-15)
  4. [4] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
  5. [5] [SECURITY] Supply chain compromise in mistralai 2.4.6 ... - GitHub — reactive:ai-offensive-cyber
  6. [6] Mistral AI SDK, TanStack Router hit in npm software supply chain attack | CSO Online — reactive:ai-offensive-cyber
  7. [7] Security Update: Mistral AI PyPI Supply Chain Attack - LiteLLM — reactive:ai-offensive-cyber
  8. [8] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  9. [9] TeamPCP claims it breached @MistralAI and stole 5GB of data across 450 repositories, while Mistral confirms impact from ... — reactive:ai-offensive-cyber (2026-05-14)
  10. [10] TeamPCP hackers advertise Mistral AI code repos for sale — reactive:ai-offensive-cyber
  11. [11] TeamPCP Hackers Put Mistral AI Source Code Up for Sale at $25,000 — reactive:ai-offensive-cyber
  12. [12] [2026-05-18] TeamPCP threatens to leak Mistral AI's code if no one ... — reactive:ai-offensive-cyber
  13. [13] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
  14. [14] The alleged breach comes just days after Mistral disclosed that ... — reactive:ai-offensive-cyber
  15. [15] Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog — reactive:ai-offensive-cyber
  16. [16] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
  17. [17] Google reports first known AI-assisted zero-day exploit in the wild — reactive:ai-offensive-cyber (2026-05-12)
  18. [18] A criminal group has used AI to discover and weaponize a 0-day vulnerability, marking a major escalation in offensive cy... — reactive:ai-offensive-cyber (2026-05-21)
  19. [19] Cyber Ceiling Broken: AISI's Actual Measurement Reveals Mythos' Capabilities Surging Towards ASI with 4.5 - Month Doubling Rate — reactive:ai-offensive-cyber
  20. [20] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
  21. [21] [2605.11086] ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
  22. [22] Center for Responsible, Decentralized Intelligence at Berkeley — reactive:ai-offensive-cyber
  23. [23] AI, Project Glasswing, and the Changing Institutional Economics of Bugs - Internet Governance Project — reactive:ai-offensive-cyber
  24. [24] Anthropic's 'Project Glasswing' Exposes the Next Challenge for ... — reactive:ai-offensive-cyber
  25. [25] On Anthropic's Mythos Preview and Project Glasswing — reactive:claude-mythos-capability-regulation
  26. [26] Project Glasswing: what Mythos showed us - The Cloudflare Blog — reactive:ai-offensive-cyber
  27. [27] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
  28. [28] Why Anthropic won't release its new Mythos AI model to the public — reactive:ai-offensive-cyber
  29. [29] GitHub - Keyvanhardani/mythos-research: Outside-in replication of Anthropic's Mythos Preview / Project Glasswing — open-source agentic vulnerability-discovery scaffold on Claude Opus 4.7. Eight-phase sink-guided pipeline, ~$1/run, OSS self-scan and coordinated disclosure. · GitHub — reactive:ai-offensive-cyber
  30. [30] Anthropic's Mythos can find tens of thousands of zero-days ... - Reddit — reactive:ai-offensive-cyber
  31. [31] AI Frontier Models Should Be... | VitalLaw.com — reactive:ai-offensive-cyber
  32. [32] [PDF] Letter to White House: Guidance on Oversight of AI Models — reactive:ai-security-nexus
  33. [33] Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI Blog (2026-05-07)
  34. [34] Read CSIAC's technical response report, "Counter-AI Offensive Tools and Techniques." — reactive:ai-offensive-cyber (2026-05-20)
  35. [35] Defender's Guide to the Frontier AI Impact on Cybersecurity — reactive:ai-offensive-cyber
  36. [36] Frontier AI Models and Cybersecurity Readiness: Recalibrating Risk for a Faster Threat Environment | Lowenstein Sandler LLP — reactive:ai-offensive-cyber
  37. [37] Defense at AI speed: Microsoft's new multi-model agentic security ... — reactive:ai-offensive-cyber
  38. [38] Assessing Claude Mythos Preview's cybersecurity capabilities — reactive:frontier-ai-cyber-capabilities
  39. [39] OpenAI prepares GPT-5.5-Cyber for trusted security researchers - Techzine Global — reactive:frontier-ai-cyber-capabilities
  40. [40] OpenAI opens GPT-5.5-Cyber to vetted security researchers — reactive:ai-offensive-cyber
  41. [41] OpenAI Launches GPT-5.4-Cyber To Expand The Trusted Access ... — reactive:ai-offensive-cyber
  42. [42] Access to GPT-5.4-Cyber is granted exclusively to vetted ... - Instagram — reactive:ai-offensive-cyber
  43. [43] GPT-5.5-Cyber AI for Cybersecurity Red Team Use - LinkedIn — reactive:ai-offensive-cyber
  44. [44] OpenAI GPT-5.5-Cyber Ignites Security Race — reactive:ai-offensive-cyber
  45. [45] 🚨 OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack — reactive:ai-security-nexus (2026-05-16)
  46. [46] OpenAI confirms breach in TanStack supply chain cyberattack. — reactive:ai-security-nexus (2026-05-15)
  47. [47] 🚨 OpenAI just confirmed a real supply-chain attack. — reactive:ai-offensive-cyber (2026-05-15)
  48. [48] OpenAI recommends updating desktop agents, after the supply chain attack compromising nearly 170 npm packages; by TeamPC... — reactive:ai-offensive-cyber (2026-05-15)
  49. [49] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
  50. [50] AI ZERO-DAY IN THE WILD COURTESY OF GOOGLE THREAT INTEL — reactive:ai-offensive-cyber (2026-05-14)
  51. [51] Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek — reactive:ai-offensive-cyber
  52. [52] Google spotted an AI-developed zero-day before attackers could use it | CyberScoop — reactive:ai-offensive-cyber
  53. [53] Google Researchers Detect First AI-Built Zero-Day Exploit in Cyberattack - Bloomberg — reactive:ai-offensive-cyber
  54. [54] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  55. [55] Mistral AI and TanStack npm packages were compromised in a supply chain attack named 'Mini Shai-Hulud.' GitHub creds, CI... — reactive:ai-offensive-cyber (2026-05-17)
  56. [56] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack — reactive:ai-offensive-cyber
  57. [57] TeamPCP Monetizes Shai-Hulud Fallout: Mistral AI Source Code — reactive:ai-offensive-cyber
  58. [58] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved — reactive:ai-offensive-cyber
  59. [59] TeamPCP hackers advertise Mistral AI code repos for sale | Simon J ... — reactive:ai-offensive-cyber
  60. [60] ‼️ Mistral AI allegedly breached: ~5GB of internal source code ... — reactive:ai-offensive-cyber
  61. [61] Alleged Mistral AI Breach Exposes Internal Repositories and Source ... — reactive:ai-offensive-cyber
  62. [62] TeamPCP is advertising alleged access to Mistral AI repositories ... — reactive:ai-offensive-cyber
  63. [63] Hackers Steal 450 Repos from Mistral AI for $25,000 - LinkedIn — reactive:ai-offensive-cyber
  64. [64] TeamPCP hackers advertise Mistral AI code repos for sale - Reddit — reactive:ai-offensive-cyber
  65. [65] Mistral AI breached in TanStack-linked attack? 450 repos exposed — reactive:ai-offensive-cyber
  66. [66] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  67. [67] Security advisories | Mistral Docs — reactive:ai-offensive-cyber
  68. [68] Mistral AI Breach: A $25,000 Ransom That Exposes Billion-Dollar ... — reactive:ai-offensive-cyber
  69. [69] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
  70. [70] Anthropic Glasswing & Claude Mythos Explained for GovCon — reactive:ai-offensive-cyber
  71. [71] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
  72. [72] Claude Mythos Cracks All Security, Project Glasswing, and the New ... — reactive:ai-offensive-cyber
  73. [73] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
  74. [74] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
  75. [75] Cloudflare Tests AI's Ability to Find and Exploit Vulnerabilities — reactive:ai-offensive-cyber
  76. [76] Cloudflare's approach to building safe AI agents with narrow scope ... — reactive:ai-offensive-cyber
  77. [77] 🤖Anthropic’s Mythos AI can now chain bugs into working exploits, according to Cloudflare. — reactive:ai-offensive-cyber (2026-05-19)
  78. [78] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
  79. [79] Cloudflare Tests Mythos AI on 50 Repositories, Finds Vulnerabilities — reactive:ai-offensive-cyber
  80. [80] (PDF) An Outside-In Replication of Project Glasswing Mythos ... — reactive:ai-offensive-cyber
  81. [81] Microsoft's MDASH AI Security System Finds 16 Windows Vulnerabilities — reactive:ai-offensive-cyber
  82. [82] Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — reactive:ai-offensive-cyber
  83. [83] MDASH Vulnerability Discovery - AI Security System | Saudi Shopper — reactive:ai-offensive-cyber
  84. [84] Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News — EdTech Innovation Hub — reactive:ai-offensive-cyber
  85. [85] 16 New Windows Vulnerabilities Discovered By Microsoft's AI ... — reactive:ai-offensive-cyber
  86. [86] Microsoft unveils MDASH, its AI agent-driven security platform — and it's already spotted a host of new Windows flaws | TechRadar — reactive:ai-offensive-cyber
  87. [87] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
  88. [88] Using AI for Offensive Security | CSA — reactive:ai-offensive-cyber
  89. [89] CISO Daily Briefing – May 16, 2026 – Lab Space — reactive:ai-offensive-cyber
  90. [90] Recent evaluations from the UK AI Security Institute (AISI) highlight the accelerating pace of autonomous AI cyber capab... — reactive:ai-offensive-cyber (2026-05-14)
  91. [91] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  92. [92] AI cyber capability is speeding past earlier projections - Help Net Security — reactive:ai-offensive-cyber
  93. [93] Cyber & Autonomous Systems | AISI Work Category — reactive:ai-offensive-cyber
  94. [94] "How fast is autonomous AI cyber capability advancing?", AISI Work ... — reactive:ai-offensive-cyber
  95. [95] Autonomous AI Cyber Capability Doubles Every Few Months — reactive:ai-offensive-cyber
  96. [96] AI-Powered Paper Summarization about the arXiv paper 2605.11086v1 — reactive:ai-offensive-cyber
  97. [97] Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
  98. [98] Can AI agents turn security vulnerabilities into real attacks? This is ... — reactive:ai-offensive-cyber
  99. [99] CyberGym: A Real-World Benchmark for Testing AI Agents ... - Reddit — reactive:ai-offensive-cyber
  100. [100] Read CSIAC's technical response report, "Counter-AI Offensive ... — reactive:ai-offensive-cyber
  101. [101] DoD Modernization Exchange 2026: Ping Identity’s Kelvin Brewer on applying least privilege access to AI tools — reactive:ai-offensive-cyber
  102. [102] Counter-AI Offensive Tools and Techniques - CSIAC - dtic.mil — reactive:ai-offensive-cyber
  103. [103] [PDF] Counter-AI Offensive Tools and Techniques - CSIAC — reactive:ai-offensive-cyber
  104. [104] Do you work in software or data analysis? CSIAC ... — reactive:ai-offensive-cyber
  105. [105] Cyber Security & Information Systems Information Analysis Center — reactive:ai-offensive-cyber
  106. [106] Should regulators mandate reciprocal access to offensive models or fund sovereign capabilities like UK's AISI? — reactive:ai-offensive-cyber (2026-05-20)
  107. [107] Import AI 457: AI stuxnet; cursed Muon optimizer; and positive alignment — Import AI (2026-05-18)
  108. [108] Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover | Tom's Hardware — reactive:ai-offensive-cyber
  109. [109] Ethical Hacking — reactive:ai-offensive-cyber
  110. [110] Claude Mythos #2: Cybersecurity and Project Glasswing — reactive:ai-offensive-cyber
  111. [111] The supply chain attack surface for AI skills/MCPs is the same problem npm had in 2018, just moving faster. Unverified c... — reactive:ai-offensive-cyber (2026-05-19)
  112. [112] @TheEconomist The real vulnerability isn't just "trusted firms" leaking tools—it's the asymmetric economics. Defensive c... — reactive:ai-offensive-cyber (2026-05-15)
  113. [113] Google thwarts effort hacker group use AI 'mass exploitation event' — reactive:ai-offensive-cyber
  114. [114] Mass Supply Chain Attack Hits TanStack, Mistral AI NPM and PyPI Packages — reactive:ai-offensive-cyber (2026-05-13)
  115. [115] 🚨 node-ipc compromised (3M+ downloads) — reactive:ai-offensive-cyber (2026-05-14)
  116. [116] NEWS | A new NPM supply chain attack is now targeting the AI ecosystem, hitting packages tied to Mistral AI, OpenSearch,... — reactive:ai-offensive-cyber (2026-05-14)
  117. [117] Mass supply-chain attack slams npm and PyPi, with downstream impact affecting Mistral AI and others, as latest Mini Shai... — reactive:ai-offensive-cyber (2026-05-14)
  118. [118] A supply chain worm just hit over 169 npm packages and multiple PyPI packages. The affected ecosystems include TanStack,... — reactive:ai-offensive-cyber (2026-05-15)
  119. [119] Trump-Xi summit: China, US disagree on what they agreed ... — reactive:ai-offensive-cyber
  120. [120] U.S., China announce deals after Trump-Xi summit - CNBC — reactive:ai-offensive-cyber
  121. [121] Trump-Xi 2026 Summit - CSIS — reactive:ai-offensive-cyber
  122. [122] Summit stabilizes U.S.-China relations at critical moment for two great powers — reactive:ai-offensive-cyber
  123. [123] Wow. Someone pulled off the first known supply chain attack designed to steal credentials from an AI coding assistant. A... — reactive:ai-offensive-cyber (2026-05-21)
  124. [124] This exact supply chain attack proves the point I made yesterday. AI tools and extensions make it stupidly easy to pull ... — reactive:ai-offensive-cyber (2026-05-21)
  125. [125] First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-23)
  126. [126] AI Finding Zero-Day Vulnerabilities and Chaining Exploits - YouTube — reactive:ai-offensive-cyber