AI-Enabled Offensive Cyberattacks Escalate · history
Version 8
2026-05-25 05:04 UTC · 283 items
What
Five concurrent developments define the AI-enabled offensive cyber landscape in late May 2026. TeamPCP's 'Mini Shai-Hulud' supply chain attack has compromised 314+ npm/PyPI packages affecting OpenAI, Mistral AI, the European Commission, and others [2][4]; a second, distinct attack, 'TrapDoor,' has simultaneously hit 34+ packages across npm, PyPI, and Crates.io, stealing wallet credentials and SSH keys [13][14]. Google confirmed the first criminal AI-assisted zero-day exploit, targeting a trust assumption in a two-factor authentication flow [18]. Anthropic's Project Glasswing and a public open-source Mythos replication at ~$1/run [34] continue to drive capability disclosure debates. The METR Frontier Risk Report covering February–March 2026 is now confirmed published and circulating [26], and StepSecurity documents five supply chain attacks in 48 hours as a single converging wave [15].
Why it matters
TrapDoor's emergence alongside Mini Shai-Hulud confirms that the supply chain attack wave is multi-actor and cross-registry, with independent groups converging on the same trust assumptions at the package-publishing layer across different ecosystems at the same time. The 'five attacks in 48 hours' framing signals that the pace of exploitation now exceeds incident-by-incident response capacity, and the disclosure that AI agents like OpenAI Codex are downstream victims of npm poisoning [17] connects the supply chain threat directly to the AI deployment layer.
Open questions
What specific findings does the METR Frontier Risk Report [26] contain about autonomous AI cyber capability trajectories, and do they corroborate or qualify the AISI's ~4.5-month doubling rate [24]?
Who operates TrapDoor [13][14], and is it affiliated with TeamPCP or an independent threat group—does simultaneous targeting of npm, PyPI, and Crates.io represent coordinated escalation or independent parallel convergence on the same attack surface?
Will TeamPCP follow through on the public leak threat against Mistral AI [10]? Mistral has confirmed the breach but has not disclosed what data was involved [11], and the specific compromise of mistralai 2.4.6 remains documented without a public remediation scope [6].
Does the Keyvanhardani open-source Mythos replication [34] reproduce the exploit-chaining results Cloudflare documented [32] at comparable fidelity, or does its eight-phase pipeline approximate them at lower quality—and has any independent validation been conducted?
Narrative
Beginning May 11, 2026, threat group TeamPCP's 'Mini Shai-Hulud' supply chain attack exploited GitHub Actions publishing machinery to push malicious package versions without credential theft, starting with 42 TanStack repositories and 84 npm package versions [1]. The campaign expanded to 314+ npm and PyPI packages by May 19 [2], with a confirmed blast radius spanning OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP [3][4]. OpenAI's post-incident disclosure specifies two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, and a June 12, 2026 revocation deadline after which unpatched apps stop functioning [5]. The specific compromise of mistralai Python client version 2.4.6 is documented in a GitHub security issue [6]; LiteLLM published a security update addressing the Mistral AI PyPI attack [7]. TeamPCP escalated through a $25,000 sale listing [8][9] to an explicit threat to leak Mistral AI's data publicly if no buyer emerges [10]; Mistral confirmed the breach but has not disclosed what data was involved [11]. The Cloud Security Alliance published a formal research note characterizing TeamPCP's methodology as a CI/CD Security Tool Supply Chain Compromise [12].
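The record above says the attackers pushed malicious versions through the projects' own GitHub Actions publishing machinery rather than with stolen credentials, but does not describe the exact misconfiguration. The following is an added audit script, not code from the page, TeamPCP, or any affected project: it checks a parsed workflow (the dict `yaml.safe_load` would return) for the common ways a publish job becomes reachable from untrusted input. The trigger names, secret names and the two sample workflows are assumptions for illustration, and the action SHAs in the hardened sample are placeholders of the right shape, not real commits; the hardened sample also assumes the registry is configured for OIDC trusted publishing.

```python
"""Audit GitHub Actions workflows for patterns that let untrusted input reach
a package-publishing job. Added example for this page: the checks are common
publish-pipeline weaknesses (unpinned actions, PR-triggered jobs that run PR
code, publishing secrets reachable from such jobs, no protected environment,
unrestricted permissions). The page does not detail the TeamPCP technique,
so none of this is presented as it."""
import re

# owner/repo[/path]@<40-hex commit SHA>; tag and branch references do not match.
_PINNED = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}$")
# Triggers whose payload can come from an untrusted contributor while the job
# still runs with the repository's write context (assumed list).
_UNTRUSTED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}
# Secret names whose presence marks a step as publishing (assumed list).
_PUBLISH_SECRETS = {"NPM_TOKEN", "PYPI_API_TOKEN", "TWINE_PASSWORD"}
_PUBLISH_COMMANDS = ("npm publish", "twine upload")


def _triggers(wf: dict) -> set[str]:
    on = wf.get("on") or wf.get(True) or {}   # PyYAML parses a bare `on:` key as True
    if isinstance(on, (dict, list)):
        return set(on)
    return {str(on)}


def audit_workflow(name: str, wf: dict) -> list[str]:
    """Return human-readable findings for one workflow given as a parsed dict."""
    findings: list[str] = []
    untrusted = _triggers(wf) & _UNTRUSTED_TRIGGERS
    top_perms = wf.get("permissions")
    for job_name, job in (wf.get("jobs") or {}).items():
        where = f"{name}:{job_name}"
        perms = job.get("permissions", top_perms)
        publishes = runs_pr_head = False
        for step in job.get("steps") or []:
            uses = step.get("uses", "")
            with_ = step.get("with") or {}
            run = str(step.get("run", ""))
            if uses and not _PINNED.match(uses):
                findings.append(f"{where}: action '{uses}' is not pinned to a commit SHA")
            if uses.startswith("actions/checkout") and "pull_request.head" in str(with_.get("ref", "")):
                runs_pr_head = True
            blob = " ".join(str(v) for v in [run, *with_.values(), *(step.get("env") or {}).values()])
            if any(c in run for c in _PUBLISH_COMMANDS) or any(s in blob for s in _PUBLISH_SECRETS):
                publishes = True
        if untrusted and runs_pr_head:
            findings.append(f"{where}: checks out PR head code under {sorted(untrusted)}")
        if untrusted and publishes:
            findings.append(f"{where}: publishing step reachable from untrusted trigger {sorted(untrusted)}")
        if publishes and job.get("environment") is None:
            findings.append(f"{where}: publishes without a protected environment")
        if perms is None or perms == "write-all":
            findings.append(f"{where}: permissions not restricted (default or write-all)")
    return findings


# Constructed workflows, not taken from any real repository.
WEAK = {
    "name": "publish",
    "on": {"pull_request_target": {}, "push": {"tags": ["v*"]}},
    "jobs": {"release": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"uses": "actions/setup-node@v4"},
            {"run": "npm ci && npm publish",
             "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
        ],
    }},
}
HARDENED = {
    "name": "publish",
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"contents": "read"},
    "jobs": {"release": {
        "runs-on": "ubuntu-latest",
        "environment": "npm-release",                              # reviewer-gated environment
        "permissions": {"contents": "read", "id-token": "write"},  # OIDC trusted publishing, no stored token
        "steps": [
            {"uses": "actions/checkout@" + "a" * 40},              # placeholder SHA
            {"uses": "actions/setup-node@" + "b" * 40},            # placeholder SHA
            {"run": "npm ci --ignore-scripts && npm publish --provenance"},
        ],
    }},
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_workflow(label, wf) or ["no findings"])
```

The weak sample produces six findings and the hardened one none; the difference that matters most here is that a tag push by a maintainer, gated behind a protected environment and an OIDC identity token, is the only path to `npm publish`, so a contributor-controlled event cannot reach the publishing step without a credential ever being stolen.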
A second, entirely distinct supply chain attack—'TrapDoor'—was documented hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallet credentials and SSH keys [13][14]. StepSecurity's analysis, 'Five Supply Chain Attacks in 48 Hours,' frames TrapDoor and Mini Shai-Hulud as part of a broader converging wave rather than isolated incidents, arguing that securing one layer of the dependency chain is insufficient [15]. Both attacks exploit trust-assumption logic at the package publishing layer, suggesting systematic convergence on this attack surface by multiple independent actors. Darktrace has published analysis framing supply chain attacks as a structural problem in an era of automation and implicit trust [16], and Oligo Security specifically flagged that npm supply chain compromises create hidden downstream risks for AI agents like OpenAI Codex that rely on upstream package integrity [17]—connecting the supply chain threat surface directly to AI-native deployment pipelines.
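StepSecurity's point that securing one layer is not enough, and Oligo's point that agents such as Codex inherit whatever their upstream packages contain, translate into a concrete check on the resolved dependency set rather than on any single registry. The script below is an added example, not code from the page or from any vendor it cites: it audits an npm lockfile and a requirements file against three signals at once, a known-compromised version list, a minimum publish age, and install-time lifecycle scripts. Every input is constructed for the example: the lockfile, the requirements, the `COMPROMISED` advisory map and the `REGISTRY` metadata the audit reads are fictitious placeholders, and a real run would load the first from published advisories (for example the mistralai 2.4.6 issue cited above) and the second from the registries' own metadata.

```python
"""Audit resolved dependencies across npm and PyPI against three signals the
page's sources argue must be checked together: known-compromised versions,
a minimum publish age (cooldown), and install-time lifecycle scripts.
Added example; lockfile, requirements, advisory list and registry metadata
below are constructed placeholders, not real registry data."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 24, tzinfo=timezone.utc)   # fixed so results are reproducible

# Constructed npm lockfile (lockfileVersion 3 shape), including a nested dependency.
NPM_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad-ish": "^1.0.0", "fast-json-ish": "^2.0.0"}},
    "node_modules/left-pad-ish": {"version": "1.3.0"},
    "node_modules/fast-json-ish": {"version": "2.4.6"},
    "node_modules/fast-json-ish/node_modules/tiny-color-ish": {"version": "0.9.1"}
  }
}""")

# Constructed requirements.txt; the unpinned line is itself a finding.
REQUIREMENTS = """
demo-client==2.4.6   # constructed name
requests-ish>=2.31
"""

# Constructed advisory list keyed by (ecosystem, package) -> bad versions.
COMPROMISED = {("npm", "fast-json-ish"): {"2.4.6"}, ("pypi", "demo-client"): {"2.4.6"}}

# Constructed registry metadata: publish time and install-time hooks per version.
REGISTRY = {
    ("npm", "left-pad-ish"): {"1.3.0": {"published": NOW - timedelta(days=400), "install_scripts": []}},
    ("npm", "fast-json-ish"): {"2.4.6": {"published": NOW - timedelta(days=2), "install_scripts": ["postinstall"]}},
    ("npm", "tiny-color-ish"): {"0.9.1": {"published": NOW - timedelta(days=3), "install_scripts": []}},
    ("pypi", "demo-client"): {"2.4.6": {"published": NOW - timedelta(days=1), "install_scripts": []}},
}


def resolved_from_npm_lock(lock: dict) -> dict[str, str]:
    """Map package name -> version for every node_modules entry, nested ones included."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:                       # "" is the root project itself
            continue
        out[path.rsplit("node_modules/", 1)[-1]] = meta["version"]
    return out


def resolved_from_requirements(text: str) -> tuple[dict[str, str], list[str]]:
    """Return (exactly pinned name -> version, lines that are not exact pins)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if "==" in line:
            name, ver = line.split("==", 1)
            pinned[name.strip().lower()] = ver.split(";")[0].strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(ecosystem: str, resolved: dict[str, str], now: datetime = NOW,
          min_age_days: int = 7) -> list[tuple[str, str, str]]:
    """Return (package, version, reason) findings; a version can trip several signals."""
    findings = []
    for name, ver in sorted(resolved.items()):
        key = (ecosystem, name)
        if ver in COMPROMISED.get(key, set()):
            findings.append((name, ver, "known-compromised version"))
        meta = REGISTRY.get(key, {}).get(ver)
        if meta is None:
            findings.append((name, ver, "no registry metadata; age cannot be verified"))
            continue
        age = now - meta["published"]
        if age < timedelta(days=min_age_days):
            findings.append((name, ver, f"published {age.days}d ago, inside {min_age_days}d cooldown"))
        if meta["install_scripts"]:
            findings.append((name, ver, "runs install hooks: " + ", ".join(meta["install_scripts"])))
    return findings


if __name__ == "__main__":
    for f in audit("npm", resolved_from_npm_lock(NPM_LOCK)):
        print("npm ", *f)
    pinned, unpinned = resolved_from_requirements(REQUIREMENTS)
    for f in audit("pypi", pinned):
        print("pypi", *f)
    for line in unpinned:
        print("pypi", line, "- not pinned to an exact version")
```

The cooldown signal is the one an advisory feed cannot give you: a freshly published version of a long-stable package is suspicious on its own, and the audit flags it before anyone has attributed it to TeamPCP, TrapDoor or anyone else. The install-hook signal is why the hardened workflow in the earlier example installs with `--ignore-scripts`; run both checks in CI and in whatever sandbox an AI agent uses to install packages.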
Google's Threat Intelligence Group confirmed the first criminal actor using AI to discover and weaponize a zero-day—a hardcoded trust assumption in a two-factor authentication flow—intercepted before mass deployment [18]. Attribution reporting names APT45 and UNC2814 with North Korean infrastructure [19][20]. Social media amplification of this story has been substantial, with content creator David Bombal's 'First 2026 AI zero-day REVEALED' circulating widely across Facebook and Twitter [21][22][23], translating the GTIG technical finding into mainstream security discourse. The UK AI Safety Institute documented autonomous AI cyber capability doubling at approximately every 4.5 months [24], and Security Boulevard published analysis framing this trajectory as 'Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities' [25]. The METR Frontier Risk Report, covering February through March 2026, is confirmed published on Substack and circulating across LinkedIn and Threads [26][27][28], providing institutional capability assessment from the period immediately preceding the major May incidents—specific findings have not yet been extracted into this record.
Anthropic's Project Glasswing—which engages external organizations to test Claude Mythos against real-world codebases—was publicly disclosed in April 2026 [29][30][31], predating the Mini Shai-Hulud attack by over three weeks. Cloudflare documented Mythos chaining exploits in ways earlier frontier models missed when run against 50+ repositories [32]; Anthropic has not released Mythos publicly, a decision driven by the model's dangerous capabilities [33]. An open-source outside-in replication by Keyvanhardani, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, is now publicly available on GitHub [34], challenging whether gated access to the original model can contain the underlying methodology. MindStudio has published an overview of how Claude Mythos and GPT-5.5 are finding zero-day exploits [35], and Rubrik frames every frontier AI model as now constituting a cyber threat requiring enterprise-level response [36]. At the policy level, Microsoft has called for government cyber testing of frontier AI models [37]; OpenAI's 'Trusted Access for Cyber' program gives vetted defenders access to GPT-5.5 and GPT-5.5-Cyber [38]; and Anthropic's full restriction, OpenAI's gated external access, and Microsoft's internal MDASH deployment plus regulatory call persist as three competing deployment philosophies without resolution into any common standard.
Timeline
- pre-2010: fast16.sys virus deployed, selectively corrupting floating-point results in nuclear physics and precision engineering software—establishing an early template for targeted scientific sabotage through invisible degradation rather than overt disruption [121][122][123]
- 2026-02/03: METR assesses frontier AI risks during February–March 2026, producing findings published in the Frontier Risk Report [95]
- 2026-04-16: Internet Governance Project publishes 'AI, Project Glasswing, and the Changing Institutional Economics of Bugs,' providing early substantive public analysis of Glasswing—weeks before the Mini Shai-Hulud attack [30]
- 2026-04-19: IANS Research publishes that Project Glasswing 'Exposes the Next Challenge for Vulnerability Management'; Bruce Schneier publishes commentary on Anthropic's Mythos Preview and Project Glasswing [29][31]
- 2026-05-07: OpenAI publishes 'Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber' on the OpenAI Blog, establishing a formal program granting vetted security defenders access to GPT-5.5 and the specialized GPT-5.5-Cyber model—predating the Mini Shai-Hulud attack by four days [38][39][40][41][42][43][44]
- 2026-05-11: TeamPCP's Mini Shai-Hulud supply chain attack begins: 42 TanStack GitHub repositories compromised via GitHub Actions publishing machinery, 84 malicious npm package versions published without credential theft; Google GTIG detects the first known AI-generated zero-day exploit targeting a 2FA trust assumption and intercepts it before mass deployment [1][18][20][54][128][52][53]
- 2026-05-12: Microsoft publishes the Security Blog post announcing MDASH, its multi-model agentic security system, which has already found 16 Windows vulnerabilities including 4 critical RCE flaws and tops leading industry benchmarks [86][87][88][92][94]
- 2026-05-13: OpenAI publishes its official post-incident disclosure specifying two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline set, and no customer data or production systems affected; UK AISI publishes primary-source blog documenting autonomous AI cyber capability doubling at approximately every 4.5 months [5][129][102][24]
- 2026-05-14: Attack scope confirmed across Mistral AI, OpenAI, UiPath, and OpenSearch npm packages; TeamPCP claims 5GB Mistral breach across 450 repositories; node-ipc (3M+ downloads) separately compromised [130][131][57][132]
- 2026-05-15: Attack scale reaches 169+ npm and PyPI packages; OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP all named as affected via the same supply chain vector [45][46][133][3][48][4]
- 2026-05-16: Cloud Security Alliance CISO briefing cites the AI-generated zero-day; attribution reporting names APT45 and UNC2814 with North Korean infrastructure [19][49][100]
- 2026-05-17: Attack formally named 'Mini Shai-Hulud'; Mistral AI and TanStack npm/PyPI packages confirmed as central targets [56]
- 2026-05-18: TeamPCP threatens to leak Mistral AI's code publicly if no buyer is found; DarkWebInformer documents the ~5GB exfiltration claim across social channels [10][62][134][135][136]
- 2026-05-19: Total compromised packages reaches 314+ npm/PyPI; Cloudflare tests Mythos against 50+ repositories within Project Glasswing, documenting its ability to chain exploits; METR Frontier Risk Report covering February–March 2026 published and begins circulating [55][2][125][78][80][83][32][95][26][27][28]
- 2026-05-20: US DoD CSIAC publishes formal technical response report 'Counter-AI Offensive Tools and Techniques'; Microsoft calls for government cyber testing of frontier AI models [113][120][116][117][37]
- 2026-05-21: Security community characterizes the AI-assisted zero-day as a major escalation milestone marking the emergence of AI-native threat actors [51][137][138]
- 2026-05-22: TeamPCP lists Mistral AI source code for sale at $25,000 across multiple channels; Mistral AI officially confirms the breach but declines to disclose what data was taken; CSO Online reports on the Mistral AI SDK and TanStack Router npm supply chain attack [8][9][58][59][67][11][63][64][65][66][72]
- 2026-05-23: Project Glasswing confirmed as an Anthropic-owned initiative; Cloudflare Blog publishes primary-source account; NBC News reports Anthropic won't release Mythos publicly; Bloomberg, CNBC, SecurityWeek, and CyberScoop report Google's AI zero-day; the AI zero-day story goes viral on social media [73][32][74][33][54][128][52][53][18][139][124][84][140]
- 2026-05-24: Keyvanhardani publishes open-source Mythos replication on GitHub; mistralai Python client version 2.4.6 specifically documented as compromised; LiteLLM publishes security update; 'TrapDoor' supply chain attack documented hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallets and SSH keys; StepSecurity documents five supply chain attacks in 48 hours as a converging wave; CSA Labs publishes formal research note on TeamPCP's CI/CD attack methodology [34][6][7][69][70][71][13][14][15][12][38][39]
Perspectives
OpenAI
Published the most detailed primary-source incident disclosure of any confirmed breach victim—two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline, no customer data or production systems affected—framing the incident as a 'broader shift' toward supply chain targeting. Separately confirmed, via an official blog post predating the Mini Shai-Hulud attack, a formal 'Trusted Access for Cyber' program giving vetted security defenders access to GPT-5.5 and GPT-5.5-Cyber for vulnerability research and critical infrastructure protection.
Evolution: Consistent with prior synthesis; GPT-5.5-Cyber program remains confirmed via official blog post published May 7, 2026, four days before the attack.
Google Threat Intelligence Group (GTIG)
Confirmed the first criminal AI-assisted zero-day exploit targeting a 2FA trust assumption; attribution reporting names APT45 and UNC2814 with North Korean infrastructure; GTIG intercepted the exploit before mass deployment. The Google Cloud Blog primary-source post documents adversaries using AI for vulnerability exploitation, augmented operations, and initial access—framing the zero-day as one instance of a systematic shift rather than an isolated incident.
Evolution: Consistent with prior synthesis; no new primary-source disclosures this pass, but mainstream amplification of the story via content creators has broadened public reach.
TeamPCP (threat group)
Operators of Mini Shai-Hulud; have escalated from breach-and-claim through active sale listing ($25,000) to an explicit leak threat stating they will publish Mistral AI data publicly if no buyer is found.
Evolution: Consistent; escalation arc is documented but no new phases have materialized since the leak threat. The CSA Labs formal research note on TeamPCP's methodology provides new institutional characterization of the group's CI/CD attack vector.
TrapDoor (threat actor)
Operators of a second, distinct supply chain attack—separate from TeamPCP—hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallet credentials and SSH keys. No attribution or identity has been established.
Evolution: New voice this pass; TrapDoor's simultaneous cross-registry targeting distinguishes it structurally from Mini Shai-Hulud's npm/PyPI focus.
Mistral AI
Officially confirmed the breach but has not disclosed what data is involved; remains silent on whether TeamPCP's 5GB/450-repository claim accurately characterizes the scope. The specific compromise of mistralai Python client version 2.4.6 is now documented in a GitHub security issue independent of Mistral's own disclosures.
Evolution: The GitHub security issue for mistralai 2.4.6 provides version-level specificity not previously in the record. Hints of a prior Mistral SDK disclosure remain an unresolved dimension.
Anthropic (Project Glasswing)
Project Glasswing is Anthropic's own defensive security initiative, confirmed via anthropic.com/glasswing and a red team capability assessment at red.anthropic.com; the project was publicly disclosed in April 2026 and engages external organizations to test Claude Mythos against real-world codebases. Mythos discovers exploit chains earlier frontier models missed. Controlled access is a deliberate safety decision—Anthropic has not released Mythos publicly.
Evolution: Consistent with prior synthesis. An open-source replication of the methodology remains publicly available, adding ongoing pressure to the safety rationale for non-release.
Cloudflare (Glasswing testing partner)
Participated in Project Glasswing as a testing partner; the Cloudflare Blog published a primary-source account documenting that Mythos chains exploits in ways earlier frontier models missed when run against 50+ repositories. Advocates for narrow-scope AI agent design to limit blast radius from autonomous exploitation.
Evolution: Consistent with prior synthesis.
Keyvanhardani (independent replication researcher)
Published an open-source outside-in replication of Anthropic's Mythos Preview / Project Glasswing on GitHub, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, framed as an OSS self-scan and coordinated disclosure scaffold.
Evolution: Consistent with prior synthesis; the public availability of the GitHub repository remains the primary proliferation concern.
Bruce Schneier
Published commentary on Anthropic's Mythos Preview and Project Glasswing in April 2026, representing significant engagement from the security research commentariat with Anthropic's capability disclosure.
Evolution: Consistent with prior synthesis.
Microsoft (MDASH team + regulatory stance)
Multi-agent vulnerability discovery system MDASH independently found 16 Windows vulnerabilities including 4 critical RCE flaws; Microsoft's Security Blog documents MDASH as topping leading industry benchmarks for defensive AI vulnerability discovery. Microsoft has separately and explicitly called for frontier AI models to be subject to government cyber testing.
Evolution: Consistent with prior synthesis; Pulse2 coverage of MDASH provides additional secondary confirmation of the benchmark results.
StepSecurity
Published 'Five Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough,' framing Mini Shai-Hulud and TrapDoor as part of a systemic converging wave rather than isolated incidents and arguing that layered defense across the full dependency chain is required.
Evolution: New voice this pass; provides the most direct framing of TrapDoor and Mini Shai-Hulud as concurrent phenomena.
Darktrace
Published analysis framing supply chain attacks as a structural problem in an era of automation and implicit trust, positioning the attack surface as rooted in systems that extend trust by default rather than verifying at each layer.
Evolution: New voice this pass.
Oligo Security
Flagged the hidden downstream risks that npm supply chain compromises create for AI agents—specifically naming OpenAI Codex as an example of an AI system whose security posture is directly dependent on upstream package integrity.
Evolution: New voice this pass; provides the most direct connection between the supply chain attack surface and AI agent deployment pipelines.
Rubrik
Published 'Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It?'—framing frontier AI models themselves as a threat category requiring enterprise-level defensive response, not merely a tool for offense or defense.
Evolution: New voice this pass.
Security Boulevard
Published 'Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities,' amplifying and contextualizing the AISI doubling-rate finding within a broader argument that AI-enabled cyber capability growth outpaces historical technology acceleration curves.
Evolution: New voice this pass.
IANS Research
Frames Project Glasswing as 'exposing the next challenge for vulnerability management,' positioning the Mythos capability disclosure as requiring institutional security programs to reconsider how they detect and respond to autonomous exploit chaining.
Evolution: Consistent with prior synthesis.
Internet Governance Project
Frames Project Glasswing as reshaping 'the institutional economics of bugs'—arguing that autonomous AI exploit discovery alters the cost and incentive structures governing vulnerability research, disclosure, and patching at a systemic level.
Evolution: Consistent with prior synthesis; published April 16, 2026, predating the Mini Shai-Hulud attack.
METR
Published a Frontier Risk Report covering February to March 2026 assessing autonomous AI capabilities and frontier risk trajectories in the period immediately preceding the major May 2026 incidents. The report is confirmed published on Substack and circulating across LinkedIn and Threads, but specific findings have not yet been extracted into this record.
Evolution: Report confirmed published and circulating this pass; specific findings remain unextracted.
Palo Alto Networks
Published a 'Defender's Guide to Frontier AI Impact on Cybersecurity,' positioning the major security vendor as providing defensive framing for organizations navigating AI-augmented threat environments.
Evolution: Consistent with prior synthesis.
Lowenstein Sandler LLP
Legal analysis frames frontier AI models as requiring a 'recalibration of risk for a faster threat environment,' positioning AI cybersecurity readiness as a legal and compliance imperative beyond purely technical response.
Evolution: Consistent with prior synthesis.
LiteLLM
Published a security update specifically addressing the Mistral AI PyPI supply chain attack, providing an affected-ecosystem perspective on the downstream impact of the mistralai package compromise.
Evolution: Consistent with prior synthesis.
Cloud Security Alliance (CSA)
Characterized Claude Mythos as crossing an 'autonomous offensive threshold' in a research note; separately cited the AI-generated zero-day in a CISO briefing. CSA Labs has now also published a formal research note specifically on TeamPCP titled 'CI/CD Security Tool Supply Chain Compromise,' providing institutional technical attribution of the attack methodology.
Evolution: Extended from Mythos/zero-day commentary to a formal technical characterization of the TeamPCP attack vector via the new CSA Labs research note.
UK AI Safety Institute (AISI)
Published primary-source blog formalizing data on the doubling of autonomous AI cyber capability, with the specific reported figure being approximately every 4.5 months.
Evolution: Consistent with prior synthesis; Security Boulevard's 'Beyond Moore's Law' piece amplifies this finding.
Berkeley RDI / ExploitGym researchers
Published the ExploitGym benchmark on arxiv evaluating whether AI agents can turn known security vulnerabilities into real attacks, providing an independent academic framework for measuring AI-assisted exploit development capability.
Evolution: Consistent with prior synthesis.
US DoD / CSIAC
Published formal technical response report 'Counter-AI Offensive Tools and Techniques,' signaling that AI-native offensive capabilities now warrant organized institutional response at the national defense level.
Evolution: Consistent with prior synthesis.
Samuel Ajiboyede
Raises the regulatory question of whether governments should mandate reciprocal access to offensive AI models or fund sovereign capabilities like AISI, framing this as a policy design choice rather than a settled answer.
Evolution: Consistent with prior synthesis.
Grant Harvey (The Neuron)
Frames AI cybersecurity as a genuine two-sided escalation where autonomous capabilities power both offense and defense; emphasizes AI's advantage in tracing user flows to identify trust-assumption flaws; cautiously optimistic that defensive multi-agent verification can scale.
Evolution: Consistent with prior synthesis.
Jack Clark (Import AI)
Uses fast16.sys as a cautionary historical metaphor to argue the most dangerous AI-enabled cyberweapons will be subtle and degradation-focused; frames proliferation as analogous to how a superintelligence might prevent competitors from developing comparable capabilities.
Evolution: Consistent with prior synthesis.
Zvi Mowshowitz (AI commentary, Substack)
Dedicated a Substack post to Claude Mythos and Project Glasswing cybersecurity findings, signaling active engagement from the AI safety and policy commentary community with the offensive-capability disclosure.
Evolution: Consistent with prior synthesis.
NBC News / mainstream media
Frames the Mythos restricted access as driven by the model's dangerous capabilities ('Why Anthropic won't release its new Mythos AI model to the public'), translating the Glasswing story from technical security reporting into consumer-facing AI safety narrative.
Evolution: Consistent with prior synthesis.
AgentGraph
Argues that the MCP/AI skills ecosystem recreates the npm supply chain vulnerability problem at a faster pace, with unverified community packages receiving implicit trust from AI agents.
Evolution: Consistent with prior synthesis.
RupeeMindset
Argues the structural asymmetry favoring offense is economic, not merely technical: defensive costs scale poorly while offensive AI costs favor attackers, and AI deepens rather than resolves this gap.
Evolution: Consistent with prior synthesis.
Tensions
- The open-source Mythos replication at ~$1/run using Claude Opus 4.7 [34] directly challenges Anthropic's rationale for not releasing Mythos publicly [33]: if the exploit-chaining methodology is replicable cheaply as an open-source tool, gated access to the original model may not meaningfully contain the capability proliferation it was designed to prevent. [34][33][74][32]
- Microsoft's explicit call for government cyber testing of frontier AI models [37] sits in tension with OpenAI's self-regulatory gated access model [38]: one approach relies on state-imposed testing mandates as the oversight mechanism, the other on industry-designed vetting programs—implying fundamentally different theories of accountability for offensive-capable AI. [37][38][127]
- Microsoft's MDASH results and Grant Harvey's framing suggest defensive AI can scale to meet offensive AI [93][86]; RupeeMindset counters that defensive cost structures are prohibitively higher than offensive ones, and AI deepens rather than resolves that asymmetry [126]—a structural economics argument that MDASH's capability demonstration does not address. [93][86][126]
- Anthropic's Project Glasswing finding—documented in primary-source reports from both Anthropic's red team and the Cloudflare Blog—that Mythos finds exploit chains earlier frontier models missed [74][32] sharpens the gap with Microsoft MDASH's defensive benchmark: MDASH was optimized for finding individual vulnerabilities [86], not countering chained exploit sequences, leaving open whether defensive AI architecture is keeping pace with the specific chaining capability being demonstrated on offense. [74][32][86][102]
- OpenAI's Trusted Access for Cyber program gives vetted external researchers access to both the general GPT-5.5 and the specialized GPT-5.5-Cyber [38], while Anthropic has not released Mythos publicly at all [33]—two distinct theories of how AI labs should handle offensive-capable models: controlled external access versus full restriction. No common industry standard has yet resolved this fault line. [38][33]
- Mistral AI confirms the breach but declines to say what data was taken [11], while TeamPCP publicly threatens to leak the data if no buyer is found [10]—an information asymmetry where the attacker discloses more about breach scope than the victim. Hints of a prior Mistral SDK disclosure [70] add a further dimension: whether Mistral had advance awareness of a vulnerability that TeamPCP subsequently exploited. [60][10][11][8][9][70]
- OpenAI's disclosure that no customer data or production systems were compromised [5] sits in tension with the practical impact of code-signing certificate revocation: users who do not update the affected iOS/macOS/Windows apps by June 12 will find them non-functional, a direct consumer disruption that complicates the 'limited blast radius' framing even absent data exfiltration. [5]
- Samuel Ajiboyede frames the policy choice as mandating reciprocal access to offensive AI models versus funding sovereign capabilities like AISI [120]—approaches implying fundamentally different theories of defense—while Microsoft's government testing call [37] introduces a third model (state-imposed testing without state-owned capability) that neither Ajiboyede pole fully addresses. [120][102][37]
- The dual-use optimism in Harvey's framing [93] and Clark's degradation-focused alarm [121] face a concrete test: Mini Shai-Hulud's CI/CD compromise method and the AI-assisted 2FA zero-day both exploit trust-assumption logic rather than memory errors [18][1], and the now-documented TrapDoor attack [13][14] adds a simultaneous cross-registry instance of the same template—suggesting Clark's 'invisible degradation' model may already be operational at infrastructure scale rather than purely at the scientific-data layer. [93][121][18][19][1][13][14]
- StepSecurity's 'five supply chain attacks in 48 hours' framing [15] and TrapDoor's simultaneous cross-registry targeting [13][14] challenge incident-specific policy responses: Microsoft's call for government testing of offensive AI models [37] and Oligo Security's focus on AI agent downstream risk [17] both address narrow aspects of a threat surface that appears to be expanding faster than any single regulatory or technical countermeasure can bound. [15][13][14][37][17]
Sources
- [1] The npm supply chain attack that hit TanStack, Mistral AI, and UiPath on May 11 didn't involve stolen credentials. 42 Tan... — reactive:ai-offensive-cyber (2026-05-14)
- [2] 314 npm packages compromised in the Shai-Hulud supply chain attack. — reactive:ai-offensive-cyber (2026-05-19)
- [3] @IntCyberDigest The list keeps growing: OpenAI, Mistral, UiPath, Guardrails AI, SAP. All hit through the same npm supply... — reactive:ai-offensive-cyber (2026-05-15)
- [4] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
- [5] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
- [6] [SECURITY] Supply chain compromise in mistralai 2.4.6 ... - GitHub — reactive:ai-offensive-cyber
- [7] Security Update: Mistral AI PyPI Supply Chain Attack - LiteLLM — reactive:ai-offensive-cyber
- [8] TeamPCP hackers advertise Mistral AI code repos for sale — reactive:ai-offensive-cyber
- [9] TeamPCP Hackers Put Mistral AI Source Code Up for Sale at $25,000 — reactive:ai-offensive-cyber
- [10] [2026-05-18] TeamPCP threatens to leak Mistral AI's code if no one ... — reactive:ai-offensive-cyber
- [11] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
- [12] TeamPCP: CI/CD Security Tool Supply Chain Compromise — reactive:ai-offensive-cyber
- [13] TrapDoor supply chain attack hit 34+ packages across npm, PyPI, and https://t.co/rIAvxdhxV6, stealing wallets, SSH keys,... — reactive:ai-offensive-cyber (2026-05-24)
- [14] A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and Crates. io simultaneously, 34 malicious pack... — reactive:ai-offensive-cyber (2026-05-24)
- [15] 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not ... — reactive:ai-offensive-cyber
- [16] Supply-Chain Attacks in an Era of Automation and Implicit Trust — reactive:ai-offensive-cyber
- [17] NPM Supply Chain Attacks Expose Hidden Risks for AI Agents Like OpenAI Codex — reactive:ai-offensive-cyber
- [18] Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog — reactive:ai-offensive-cyber
- [19] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
- [20] Google reports first known AI-assisted zero-day exploit in the wild — reactive:ai-offensive-cyber (2026-05-12)
- [21] First 2026 AI zero-day REVEALED Google just disrupted ... — reactive:ai-offensive-cyber
- [22] RT @davidbombal: First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-24)
- [23] RT @davidbombal: First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-24)
- [24] Cyber Ceiling Broken: AISI's Actual Measurement Reveals Mythos' Capabilities Surging Towards ASI with 4.5-Month Doubling Rate — reactive:ai-offensive-cyber
- [25] Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI ... — reactive:ai-offensive-cyber
- [26] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
- [27] Sung Kim (@sung.kim.mw) on Threads — reactive:ai-offensive-cyber
- [28] Frontier Risk Report (February to March 2026) | Stephen Pimentel — reactive:ai-offensive-cyber
- [29] Anthropic's 'Project Glasswing' Exposes the Next Challenge for ... — reactive:ai-offensive-cyber
- [30] AI, Project Glasswing, and the Changing Institutional Economics of Bugs - Internet Governance Project — reactive:ai-offensive-cyber
- [31] On Anthropic's Mythos Preview and Project Glasswing — reactive:claude-mythos-capability-regulation
- [32] Project Glasswing: what Mythos showed us - The Cloudflare Blog — reactive:ai-offensive-cyber
- [33] Why Anthropic won't release its new Mythos AI model to the public — reactive:ai-offensive-cyber
- [34] GitHub - Keyvanhardani/mythos-research: Outside-in replication of Anthropic's Mythos Preview / Project Glasswing — open-source agentic vulnerability-discovery scaffold on Claude Opus 4.7. Eight-phase sink-guided pipeline, ~$1/run, OSS self-scan and coordinated disclosure. · GitHub — reactive:ai-offensive-cyber
- [35] How Claude Mythos and GPT 5.5 Are Finding Zero-Day Exploits — reactive:ai-offensive-cyber
- [36] Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It? — reactive:ai-offensive-cyber
- [37] AI Frontier Models Should Be... | VitalLaw.com — reactive:ai-offensive-cyber
- [38] Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI Blog (2026-05-07)
- [39] OpenAI prepares GPT-5.5-Cyber for trusted security researchers - Techzine Global — reactive:frontier-ai-cyber-capabilities
- [40] OpenAI opens GPT-5.5-Cyber to vetted security researchers — reactive:ai-offensive-cyber
- [41] OpenAI Launches GPT-5.4-Cyber To Expand The Trusted Access ... — reactive:ai-offensive-cyber
- [42] Access to GPT-5.4-Cyber is granted exclusively to vetted ... - Instagram — reactive:ai-offensive-cyber
- [43] GPT-5.5-Cyber AI for Cybersecurity Red Team Use - LinkedIn — reactive:ai-offensive-cyber
- [44] OpenAI GPT-5.5-Cyber Ignites Security Race — reactive:ai-offensive-cyber
- [45] 🚨 OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack — reactive:ai-security-nexus (2026-05-16)
- [46] OpenAI confirms breach in TanStack supply chain cyberattack. — reactive:ai-security-nexus (2026-05-15)
- [47] 🚨 OpenAI just confirmed a real supply-chain attack. — reactive:ai-offensive-cyber (2026-05-15)
- [48] OpenAI recommends updating desktop agents, after the supply chain attack compromising nearly 170 npm packages; by TeamPC... — reactive:ai-offensive-cyber (2026-05-15)
- [49] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
- [50] AI ZERO-DAY IN THE WILD COURTESY OF GOOGLE THREAT INTEL — reactive:ai-offensive-cyber (2026-05-14)
- [51] A criminal group has used AI to discover and weaponize a 0-day vulnerability, marking a major escalation in offensive cy... — reactive:ai-offensive-cyber (2026-05-21)
- [52] Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek — reactive:ai-offensive-cyber
- [53] Google spotted an AI-developed zero-day before attackers could use it | CyberScoop — reactive:ai-offensive-cyber
- [54] Google Researchers Detect First AI-Built Zero-Day Exploit in Cyberattack - Bloomberg — reactive:ai-offensive-cyber
- [55] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
- [56] Mistral AI and TanStack npm packages were compromised in a supply chain attack named 'Mini Shai-Hulud.' GitHub creds, CI... — reactive:ai-offensive-cyber (2026-05-17)
- [57] TeamPCP claims it breached @MistralAI and stole 5GB of data across 450 repositories, while Mistral confirms impact from ... — reactive:ai-offensive-cyber (2026-05-14)
- [58] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack — reactive:ai-offensive-cyber
- [59] TeamPCP Monetizes Shai-Hulud Fallout: Mistral AI Source Code — reactive:ai-offensive-cyber
- [60] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved — reactive:ai-offensive-cyber
- [61] TeamPCP hackers advertise Mistral AI code repos for sale | Simon J ... — reactive:ai-offensive-cyber
- [62] ‼️ Mistral AI allegedly breached: ~5GB of internal source code ... — reactive:ai-offensive-cyber
- [63] Alleged Mistral AI Breach Exposes Internal Repositories and Source ... — reactive:ai-offensive-cyber
- [64] TeamPCP is advertising alleged access to Mistral AI repositories ... — reactive:ai-offensive-cyber
- [65] Hackers Steal 450 Repos from Mistral AI for $25,000 - LinkedIn — reactive:ai-offensive-cyber
- [66] TeamPCP hackers advertise Mistral AI code repos for sale - Reddit — reactive:ai-offensive-cyber
- [67] Mistral AI breached in TanStack-linked attack? 450 repos exposed — reactive:ai-offensive-cyber
- [68] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
- [69] Security advisories | Mistral Docs — reactive:ai-offensive-cyber
- [70] The alleged breach comes just days after Mistral disclosed that ... — reactive:ai-offensive-cyber
- [71] Mistral AI Breach: A $25,000 Ransom That Exposes Billion-Dollar ... — reactive:ai-offensive-cyber
- [72] Mistral AI SDK, TanStack Router hit in npm software supply chain attack | CSO Online — reactive:ai-offensive-cyber
- [73] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
- [74] Assessing Claude Mythos Preview's cybersecurity capabilities — reactive:frontier-ai-cyber-capabilities
- [75] Anthropic Glasswing & Claude Mythos Explained for GovCon — reactive:ai-offensive-cyber
- [76] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
- [77] Claude Mythos Cracks All Security, Project Glasswing, and the New ... — reactive:ai-offensive-cyber
- [78] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
- [79] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
- [80] Cloudflare Tests AI's Ability to Find and Exploit Vulnerabilities — reactive:ai-offensive-cyber
- [81] Cloudflare's approach to building safe AI agents with narrow scope ... — reactive:ai-offensive-cyber
- [82] 🤖Anthropic’s Mythos AI can now chain bugs into working exploits, according to Cloudflare. — reactive:ai-offensive-cyber (2026-05-19)
- [83] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
- [84] Cloudflare Tests Mythos AI on 50 Repositories, Finds Vulnerabilities — reactive:ai-offensive-cyber
- [85] (PDF) An Outside-In Replication of Project Glasswing Mythos ... — reactive:ai-offensive-cyber
- [86] Defense at AI speed: Microsoft's new multi-model agentic security ... — reactive:ai-offensive-cyber
- [87] Microsoft's MDASH AI Security System Finds 16 Windows Vulnerabilities — reactive:ai-offensive-cyber
- [88] Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — reactive:ai-offensive-cyber
- [89] MDASH Vulnerability Discovery - AI Security System | Saudi Shopper — reactive:ai-offensive-cyber
- [90] Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News — EdTech Innovation Hub — reactive:ai-offensive-cyber
- [91] 16 New Windows Vulnerabilities Discovered By Microsoft's AI ... — reactive:ai-offensive-cyber
- [92] Microsoft unveils MDASH, its AI agent-driven security platform — and it's already spotted a host of new Windows flaws | TechRadar — reactive:ai-offensive-cyber
- [93] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
- [94] Microsoft: AI-Powered Security System MDASH Tops Industry Benchmark — reactive:ai-offensive-cyber
- [95] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
- [96] Defender's Guide to the Frontier AI Impact on Cybersecurity — reactive:ai-offensive-cyber
- [97] Frontier AI Models and Cybersecurity Readiness: Recalibrating Risk for a Faster Threat Environment | Lowenstein Sandler LLP — reactive:ai-offensive-cyber
- [98] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
- [99] Using AI for Offensive Security | CSA — reactive:ai-offensive-cyber
- [100] CISO Daily Briefing – May 16, 2026 – Lab Space — reactive:ai-offensive-cyber
- [101] Recent evaluations from the UK AI Security Institute (AISI) highlight the accelerating pace of autonomous AI cyber capab... — reactive:ai-offensive-cyber (2026-05-14)
- [102] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
- [103] AI cyber capability is speeding past earlier projections - Help Net Security — reactive:ai-offensive-cyber
- [104] Cyber & Autonomous Systems | AISI Work Category — reactive:ai-offensive-cyber
- [105] "How fast is autonomous AI cyber capability advancing?", AISI Work ... — reactive:ai-offensive-cyber
- [106] Autonomous AI Cyber Capability Doubles Every Few Months — reactive:ai-offensive-cyber
- [107] [2605.11086] ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
- [108] Center for Responsible, Decentralized Intelligence at Berkeley — reactive:ai-offensive-cyber
- [109] AI-Powered Paper Summarization about the arXiv paper 2605.11086v1 — reactive:ai-offensive-cyber
- [110] Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
- [111] Can AI agents turn security vulnerabilities into real attacks? This is ... — reactive:ai-offensive-cyber
- [112] CyberGym: A Real-World Benchmark for Testing AI Agents ... - Reddit — reactive:ai-offensive-cyber
- [113] Read CSIAC's technical response report, "Counter-AI Offensive Tools and Techniques." — reactive:ai-offensive-cyber (2026-05-20)
- [114] Read CSIAC's technical response report, "Counter-AI Offensive ... — reactive:ai-offensive-cyber
- [115] DoD Modernization Exchange 2026: Ping Identity’s Kelvin Brewer on applying least privilege access to AI tools — reactive:ai-offensive-cyber
- [116] Counter-AI Offensive Tools and Techniques - CSIAC - dtic.mil — reactive:ai-offensive-cyber
- [117] [PDF] Counter-AI Offensive Tools and Techniques - CSIAC — reactive:ai-offensive-cyber
- [118] Do you work in software or data analysis? CSIAC ... — reactive:ai-offensive-cyber
- [119] Cyber Security & Information Systems Information Analysis Center — reactive:ai-offensive-cyber
- [120] Should regulators mandate reciprocal access to offensive models or fund sovereign capabilities like UK's AISI? — reactive:ai-offensive-cyber (2026-05-20)
- [121] Import AI 457: AI stuxnet; cursed Muon optimizer; and positive alignment — Import AI (2026-05-18)
- [122] Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover | Tom's Hardware — reactive:ai-offensive-cyber
- [123] Ethical Hacking — reactive:ai-offensive-cyber
- [124] Claude Mythos #2: Cybersecurity and Project Glasswing — reactive:ai-offensive-cyber
- [125] The supply chain attack surface for AI skills/MCPs is the same problem npm had in 2018, just moving faster. Unverified c... — reactive:ai-offensive-cyber (2026-05-19)
- [126] @TheEconomist The real vulnerability isn't just "trusted firms" leaking tools—it's the asymmetric economics. Defensive c... — reactive:ai-offensive-cyber (2026-05-15)
- [127] [PDF] Letter to White House: Guidance on Oversight of AI Models — reactive:ai-security-nexus
- [128] Google thwarts effort hacker group use AI 'mass exploitation event' — reactive:ai-offensive-cyber
- [129] Mass Supply Chain Attack Hits TanStack, Mistral AI NPM and PyPI Packages — reactive:ai-offensive-cyber (2026-05-13)
- [130] 🚨 node-ipc compromised (3M+ downloads) — reactive:ai-offensive-cyber (2026-05-14)
- [131] NEWS | A new NPM supply chain attack is now targeting the AI ecosystem, hitting packages tied to Mistral AI, OpenSearch,... — reactive:ai-offensive-cyber (2026-05-14)
- [132] Mass supply-chain attack slams npm and PyPi, with downstream impact affecting Mistral AI and others, as latest Mini Shai... — reactive:ai-offensive-cyber (2026-05-14)
- [133] A supply chain worm just hit over 169 npm packages and multiple PyPI packages. The affected ecosystems include TanStack,... — reactive:ai-offensive-cyber (2026-05-15)
- [134] U.S., China announce deals after Trump-Xi summit - CNBC — reactive:ai-offensive-cyber
- [135] Trump-Xi 2026 Summit - CSIS — reactive:ai-offensive-cyber
- [136] Summit stabilizes U.S.-China relations at critical moment for two great powers — reactive:ai-offensive-cyber
- [137] Wow. Someone pulled off the first known supply chain attack designed to steal credentials from an AI coding assistant. A... — reactive:ai-offensive-cyber (2026-05-21)
- [138] This exact supply chain attack proves the point I made yesterday. AI tools and extensions make it stupidly easy to pull ... — reactive:ai-offensive-cyber (2026-05-21)
- [139] First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-23)
- [140] AI Finding Zero-Day Vulnerabilities and Chaining Exploits - YouTube — reactive:ai-offensive-cyber