AI-Enabled Offensive Cyberattacks Escalate · history
Version 9
2026-05-25 08:39 UTC · 291 items
What
Six weeks of AI-enabled offensive cyber activity in 2026 are now understood as part of a longer-running supply chain surge, not an isolated spike. Zscaler ThreatLabz documents supply chain attacks rising sharply in March 2026 [1], and a DreamFactory analysis titled 'Five Supply Chain Attacks in Twelve Days' frames March 2026 as the moment open-source trust broke [2] — establishing that TeamPCP's 'Mini Shai-Hulud' (314+ npm/PyPI packages, victims including OpenAI, Mistral AI, and the European Commission [4][5]) and the separate 'TrapDoor' attack (34+ packages across npm, PyPI, and Crates.io [12][13]) are escalations of a trend already underway. Simultaneously, Google confirmed the first criminal AI-generated zero-day [17], and Anthropic's Project Glasswing — with Mythos finding exploit chains earlier frontier models missed — has attracted growing enterprise security vendor commentary from XM Cyber [26], Picus Security [27], and LTIMindtree [28] on how organizations should respond.
Why it matters
The March-to-May 2026 arc — five attacks in twelve days in March, five in forty-eight hours by May — shows an acceleration in attack tempo that individual incident responses cannot absorb. The compression of this timeline, combined with multiple independent threat actors converging on the same CI/CD trust-assumption vulnerabilities across different package ecosystems, suggests the supply chain attack surface has become a stable, repeatable template rather than a novel tactic. Project Glasswing's growing enterprise commentary signals that capability disclosure debates are moving from lab-level abstraction to operational readiness questions at the security program level.
Open questions
Does the March 2026 supply chain surge documented by Zscaler ThreatLabz [1] and DreamFactory [2] include precursor activity attributable to TeamPCP or TrapDoor [12], or were those March incidents distinct actors establishing the attack template that others then replicated in May?
Who operates TrapDoor [12][13][14], and is it affiliated with TeamPCP or an independent threat group — does simultaneous targeting of npm, PyPI, and Crates.io represent coordinated escalation or independent parallel convergence on the same attack surface?
Will TeamPCP follow through on the public leak threat against Mistral AI [11]? Mistral has confirmed the breach but has not disclosed what data was involved [8], and the specific compromise of mistralai 2.4.6 remains documented without a public remediation scope [32].
Picus Security frames Project Glasswing as a 'paradox' [27] — the defensive initiative creates a capability disclosure that, when replicated openly at ~$1/run [29], may accelerate offensive access rather than contain it. Has Anthropic or any Glasswing testing partner responded to this framing directly?
Narrative
Beginning in March 2026, supply chain attacks against open-source package ecosystems surged at a pace that broke existing incident-response assumptions. Zscaler's ThreatLabz team documented the surge across the month [1], and a DreamFactory analysis cataloguing 'Five Supply Chain Attacks in Twelve Days' frames March 2026 as the inflection point at which open-source package trust was systematically undermined [2]. By May 11, 2026, when TeamPCP's 'Mini Shai-Hulud' attack began exploiting GitHub Actions publishing machinery to push malicious versions of 42 TanStack repositories without credential theft [3], it was executing against a trust-assumption vulnerability that the March wave had already demonstrated was viable at scale. The attack expanded to 314+ npm and PyPI packages by May 19 [4][5], with confirmed victims including OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP [6]. OpenAI's post-incident disclosure documented two employee devices compromised, code-signing certificates for iOS, macOS, and Windows apps exfiltrated, and a June 12 revocation deadline [7]. Mistral AI confirmed the breach but declined to disclose what data was taken [8]; TeamPCP escalated through a $25,000 sale listing [9][10] to an explicit threat to publish the data if no buyer emerged [11].
A second, entirely distinct supply chain attack — 'TrapDoor' — was simultaneously documented hitting 34+ packages across npm, PyPI, and Crates.io, stealing wallet credentials and SSH keys [12][13][14]. Socket.dev's primary-source analysis of TrapDoor establishes it as structurally separate from Mini Shai-Hulud while targeting the same CI/CD trust-assumption layer [12]. StepSecurity's 'Five Supply Chain Attacks in 48 Hours' analysis frames TrapDoor and Mini Shai-Hulud as part of a systemic wave [15]; the acceleration from March's twelve-day window to May's forty-eight-hour window represents compression of attack tempo across a single attack surface. Oligo Security specifically flagged that npm supply chain compromises create hidden downstream risks for AI agents like OpenAI Codex whose security posture depends on upstream package integrity [16], connecting the supply chain threat directly to AI-native deployment pipelines.
On the same day Mini Shai-Hulud began, Google's Threat Intelligence Group intercepted what it characterized as the first criminal AI-generated zero-day — an exploit of a hardcoded trust assumption in a two-factor authentication flow, discovered and weaponized using AI, and intercepted before mass deployment [17]. Attribution reporting names APT45 and UNC2814 with North Korean infrastructure [18][19]. The UK AI Safety Institute published primary-source data documenting autonomous AI cyber capability doubling approximately every 4.5 months [20], and Security Boulevard's 'Beyond Moore's Law' analysis framed this trajectory as outpacing historical technology acceleration curves [21].
Anthropic's Project Glasswing — which engages external organizations to test Claude Mythos against real-world codebases — was publicly disclosed in April 2026 [22][23], predating the Mini Shai-Hulud attack by over three weeks. Cloudflare documented Mythos chaining exploits in ways earlier frontier models missed when run against 50+ repositories [24]; Anthropic has not released Mythos publicly [25]. Enterprise security vendors have begun publishing operational guidance: XM Cyber frames Glasswing findings as requiring immediate preparation adjustments [26], and Picus Security characterizes the initiative as a 'paradox' — arguing that the defensive transparency Glasswing creates may accelerate offensive capability proliferation faster than it builds defensive readiness [27]. LTIMindtree published a PDF analysis of Claude Mythos and Project Glasswing for enterprise IT services audiences [28]. An open-source outside-in replication by Keyvanhardani, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run [29], gives the Picus Security paradox argument concrete material form: the methodology is now publicly available regardless of whether Anthropic releases the original model. Microsoft called for government cyber testing of frontier AI models [30]; OpenAI's 'Trusted Access for Cyber' program gives vetted defenders access to GPT-5.5 and GPT-5.5-Cyber [31]; and Anthropic's full restriction, OpenAI's gated external access, and Microsoft's internal MDASH deployment persist as three competing deployment philosophies without resolution into any common standard.
Timeline
- pre-2010: fast16.sys virus deployed, selectively corrupting floating-point results in nuclear physics and precision engineering software — establishing an early template for targeted scientific sabotage through invisible degradation rather than overt disruption [125][126][127]
- 2026-02/03: METR assesses frontier AI risks during February–March 2026, producing findings published in the Frontier Risk Report [95]
- 2026-03: Supply chain attacks against open-source package ecosystems surge; Zscaler ThreatLabz documents the March 2026 surge; DreamFactory analysis catalogues five supply chain attacks in twelve days, framing March 2026 as the inflection point at which open-source package trust broke [1][2]
- 2026-04-16: Internet Governance Project publishes 'AI, Project Glasswing, and the Changing Institutional Economics of Bugs,' providing early substantive public analysis of Glasswing — weeks before the Mini Shai-Hulud attack [23]
- 2026-04-19: IANS Research publishes that Project Glasswing 'Exposes the Next Challenge for Vulnerability Management'; Bruce Schneier publishes commentary on Anthropic's Mythos Preview and Project Glasswing [22][74]
- 2026-05-07: OpenAI publishes 'Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber' on the OpenAI Blog, establishing a formal program granting vetted security defenders access to GPT-5.5 and the specialized GPT-5.5-Cyber model — predating the Mini Shai-Hulud attack by four days [31][33][34][35][36][37][38]
- 2026-05-11: TeamPCP's Mini Shai-Hulud supply chain attack begins: 42 TanStack GitHub repositories compromised via GitHub Actions publishing machinery, 84 malicious npm package versions published without credential theft; Google GTIG detects the first known AI-generated zero-day exploit targeting a 2FA trust assumption and intercepts it before mass deployment [3][17][19][48][132][46][47]
- 2026-05-12: Microsoft publishes the Security Blog post announcing MDASH, its multi-model agentic security system, which has already found 16 Windows vulnerabilities including 4 critical RCE flaws and tops leading industry benchmarks [85][86][87][91][93]
- 2026-05-13: OpenAI publishes its official post-incident disclosure specifying two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline set, and no customer data or production systems affected; UK AISI publishes primary-source blog documenting autonomous AI cyber capability doubling at approximately every 4.5 months [7][133][106][20]
- 2026-05-14: Attack scope confirmed across Mistral AI, OpenAI, UiPath, and OpenSearch npm packages; TeamPCP claims 5GB Mistral breach across 450 repositories; node-ipc (3M+ downloads) separately compromised [134][135][52][136]
- 2026-05-15: Attack scale reaches 169+ npm and PyPI packages; OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP all named as affected via the same supply chain vector [39][40][137][6][42][5]
- 2026-05-16: Cloud Security Alliance CISO briefing cites the AI-generated zero-day; attribution reporting names APT45 and UNC2814 with North Korean infrastructure [18][43][104]
- 2026-05-17: Attack formally named 'Mini Shai-Hulud'; Mistral AI and TanStack npm/PyPI packages confirmed as central targets [51]
- 2026-05-18: TeamPCP threatens to leak Mistral AI's code publicly if no buyer is found; DarkWebInformer documents the ~5GB exfiltration claim across social channels [11][57][138][139][140]
- 2026-05-19: Total compromised packages reaches 314+ npm/PyPI; Cloudflare tests Mythos against 50+ repositories within Project Glasswing, documenting its ability to chain exploits; METR Frontier Risk Report covering February–March 2026 published and begins circulating [50][4][129][76][78][81][24][95][96][97][98]
- 2026-05-20: US DoD CSIAC publishes formal technical response report 'Counter-AI Offensive Tools and Techniques'; Microsoft calls for government cyber testing of frontier AI models [117][124][120][121][30]
- 2026-05-21: Security community characterizes the AI-assisted zero-day as a major escalation milestone marking the emergence of AI-native threat actors [45][141][142]
- 2026-05-22: TeamPCP lists Mistral AI source code for sale at $25,000 across multiple channels; Mistral AI officially confirms the breach but declines to disclose what data was taken; CSO Online reports on the Mistral AI SDK and TanStack Router npm supply chain attack [9][10][53][54][63][8][58][59][60][61][68]
- 2026-05-23: Anthropic's Project Glasswing confirmed as Anthropic-owned initiative; Cloudflare Blog publishes primary-source account; NBC News reports Anthropic won't release Mythos publicly; Bloomberg, CNBC, SecurityWeek, and CyberScoop report Google's AI zero-day; the AI zero-day story goes viral on social media [69][24][70][25][48][132][46][47][17][143][128][82][144]
- 2026-05-24: Keyvanhardani publishes open-source Mythos replication on GitHub; mistralai Python client version 2.4.6 specifically documented as compromised; LiteLLM publishes security update; 'TrapDoor' supply chain attack documented by Socket.dev hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallets and SSH keys; StepSecurity documents five supply chain attacks in 48 hours as a converging wave; CSA Labs publishes formal research note on TeamPCP's CI/CD attack methodology [29][32][101][65][66][67][12][13][14][15][62][31][33]
Perspectives
OpenAI
Published the most detailed primary-source incident disclosure of any confirmed breach victim — two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline, no customer data or production systems affected — framing the incident as a 'broader shift' toward supply chain targeting. Separately confirmed, via an official blog post predating the Mini Shai-Hulud attack, a formal 'Trusted Access for Cyber' program giving vetted security defenders access to GPT-5.5 and GPT-5.5-Cyber for vulnerability research and critical infrastructure protection.
Evolution: Consistent with prior synthesis; GPT-5.5-Cyber program remains confirmed via official blog post published May 7, 2026, four days before the attack.
Google Threat Intelligence Group (GTIG)
Confirmed the first criminal AI-assisted zero-day exploit targeting a 2FA trust assumption; attribution reporting names APT45 and UNC2814 with North Korean infrastructure; GTIG intercepted the exploit before mass deployment. The Google Cloud Blog primary-source post documents adversaries using AI for vulnerability exploitation, augmented operations, and initial access — framing the zero-day as one instance of a systematic shift rather than an isolated incident.
Evolution: Consistent with prior synthesis; mainstream amplification of the story via content creators and social media has broadened public reach.
TeamPCP (threat group)
Operators of Mini Shai-Hulud; have escalated from breach-and-claim through active sale listing ($25,000) to an explicit leak threat stating they will publish Mistral AI data publicly if no buyer is found. CSA Labs' formal research note provides institutional technical attribution of the group's CI/CD attack vector.
Evolution: Consistent; escalation arc is documented but no new phases have materialized since the leak threat.
TrapDoor (threat actor)
Operators of a second, distinct supply chain attack — separate from TeamPCP — hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallet credentials and SSH keys. Socket.dev's primary-source analysis is now available. No attribution or identity has been established.
Evolution: Socket.dev's primary-source analysis [12] provides the most detailed technical characterization of TrapDoor available; prior synthesis cited this attack via secondary references [13][14].
Mistral AI
Officially confirmed the breach but has not disclosed what data is involved; remains silent on whether TeamPCP's 5GB/450-repository claim accurately characterizes the scope. The specific compromise of mistralai Python client version 2.4.6 is documented in a GitHub security issue independent of Mistral's own disclosures.
Evolution: Consistent with prior synthesis.
Anthropic (Project Glasswing)
Project Glasswing is Anthropic's own defensive security initiative, confirmed via anthropic.com/glasswing and a red team capability assessment at red.anthropic.com; the project was publicly disclosed in April 2026 and engages external organizations to test Claude Mythos against real-world codebases. Mythos discovers exploit chains earlier frontier models missed. Controlled access is a deliberate safety decision — Anthropic has not released Mythos publicly.
Evolution: Consistent with prior synthesis. Growing enterprise vendor commentary (XM Cyber, Picus Security, LTIMindtree) signals the capability disclosure is moving from security research discourse into operational enterprise security planning.
Cloudflare (Glasswing testing partner)
Participated in Project Glasswing as a testing partner; the Cloudflare Blog published a primary-source account documenting that Mythos chains exploits in ways earlier frontier models missed when run against 50+ repositories. Advocates for narrow-scope AI agent design to limit blast radius from autonomous exploitation.
Evolution: Consistent with prior synthesis; Reddit discussion of Cloudflare's findings [75] reflects ongoing community amplification.
Zscaler ThreatLabz
Documents supply chain attacks surging during March 2026, providing institutional security vendor confirmation that the May 2026 wave is part of a trend established at least two months earlier rather than a sudden escalation.
Evolution: New voice this pass; provides the most direct institutional framing of March 2026 as the supply chain surge baseline.
DreamFactory
Published 'Five Supply Chain Attacks in Twelve Days: How March 2026 Broke Open-Source Trust and What Comes Next,' framing March 2026 as the inflection point at which open-source package trust was systematically broken — contextualizing May's attacks as acceleration, not initiation.
Evolution: New voice this pass; the 'twelve days in March' framing directly precedes and reframes StepSecurity's 'forty-eight hours in May' framing as a compression of tempo rather than a fresh wave.
XM Cyber
Published 'Project Glasswing, Mythos Findings, and Getting Ready for Your...' — framing the Glasswing capability disclosure as a call to operational readiness rather than a debate about Anthropic's deployment decisions, positioning the question as what security programs need to do to prepare.
Evolution: New voice this pass.
Picus Security
Frames Project Glasswing as a 'paradox' — the defensive initiative that discloses Mythos's exploit-chaining capabilities may accelerate offensive proliferation faster than it builds defensive readiness, particularly given open-source replications of the methodology.
Evolution: New voice this pass; the 'paradox' framing is the most direct challenge to Anthropic's Glasswing rationale from an enterprise security vendor.
LTIMindtree
Published a PDF analysis of Claude Mythos and Project Glasswing for enterprise IT services audiences, signaling that the capability disclosure has reached the enterprise technology services sector as a planning and advisory item.
Evolution: New voice this pass.
Keyvanhardani (independent replication researcher)
Published an open-source outside-in replication of Anthropic's Mythos Preview / Project Glasswing on GitHub, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, framed as an OSS self-scan and coordinated disclosure scaffold.
Evolution: Consistent with prior synthesis; the GitHub repository remains the primary accessibility concern, and Picus Security's paradox framing directly references the implications of such replications.
StepSecurity
Published 'Five Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough,' framing Mini Shai-Hulud and TrapDoor as part of a systemic converging wave rather than isolated incidents and arguing that layered defense across the full dependency chain is required.
Evolution: Consistent with prior synthesis; now contextualized by Zscaler and DreamFactory as acceleration of a March 2026 surge rather than a standalone event.
Darktrace
Published analysis framing supply chain attacks as a structural problem in an era of automation and implicit trust, positioning the attack surface as rooted in systems that extend trust by default rather than verifying at each layer.
Evolution: Consistent with prior synthesis.
Oligo Security
Flagged the hidden downstream risks that npm supply chain compromises create for AI agents — specifically naming OpenAI Codex as an example of an AI system whose security posture is directly dependent on upstream package integrity.
Evolution: Consistent with prior synthesis.
Bruce Schneier
Published commentary on Anthropic's Mythos Preview and Project Glasswing in April 2026, representing significant engagement from the security research commentariat with Anthropic's capability disclosure.
Evolution: Consistent with prior synthesis.
Microsoft (MDASH team + regulatory stance)
Multi-agent vulnerability discovery system MDASH independently found 16 Windows vulnerabilities including 4 critical RCE flaws; Microsoft's Security Blog documents MDASH as topping leading industry benchmarks for defensive AI vulnerability discovery. Microsoft has separately and explicitly called for frontier AI models to be subject to government cyber testing.
Evolution: Consistent with prior synthesis.
Rubrik
Published 'Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It?' — framing frontier AI models themselves as a threat category requiring enterprise-level defensive response, not merely a tool for offense or defense.
Evolution: Consistent with prior synthesis.
Security Boulevard
Published 'Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities,' amplifying and contextualizing the AISI doubling-rate finding within a broader argument that AI-enabled cyber capability growth outpaces historical technology acceleration curves.
Evolution: Consistent with prior synthesis.
IANS Research
Frames Project Glasswing as 'exposing the next challenge for vulnerability management,' positioning the Mythos capability disclosure as requiring institutional security programs to reconsider how they detect and respond to autonomous exploit chaining.
Evolution: Consistent with prior synthesis.
Internet Governance Project
Frames Project Glasswing as reshaping 'the institutional economics of bugs' — arguing that autonomous AI exploit discovery alters the cost and incentive structures governing vulnerability research, disclosure, and patching at a systemic level.
Evolution: Consistent with prior synthesis; published April 16, 2026, predating the Mini Shai-Hulud attack.
METR
Published a Frontier Risk Report covering February to March 2026 assessing autonomous AI capabilities and frontier risk trajectories in the period immediately preceding the major May 2026 incidents. The report is confirmed published on Substack and circulating across LinkedIn and Threads, but specific findings have not yet been extracted into this record.
Evolution: Report confirmed published and circulating in prior pass; specific findings remain unextracted.
Palo Alto Networks
Published a 'Defender's Guide to Frontier AI Impact on Cybersecurity,' positioning the major security vendor as providing defensive framing for organizations navigating AI-augmented threat environments.
Evolution: Consistent with prior synthesis.
Lowenstein Sandler LLP
Legal analysis frames frontier AI models as requiring a 'recalibration of risk for a faster threat environment,' positioning AI cybersecurity readiness as a legal and compliance imperative beyond purely technical response.
Evolution: Consistent with prior synthesis.
LiteLLM
Published a security update specifically addressing the Mistral AI PyPI supply chain attack, providing an affected-ecosystem perspective on the downstream impact of the mistralai package compromise.
Evolution: Consistent with prior synthesis.
Cloud Security Alliance (CSA)
Characterized Claude Mythos as crossing an 'autonomous offensive threshold' in a research note; separately cited the AI-generated zero-day in a CISO briefing. CSA Labs also published a formal research note specifically on TeamPCP titled 'CI/CD Security Tool Supply Chain Compromise,' providing institutional technical attribution of the attack methodology.
Evolution: Consistent with prior synthesis.
UK AI Safety Institute (AISI)
Published primary-source blog formalizing data on the doubling of autonomous AI cyber capability, with the specific reported figure being approximately every 4.5 months.
Evolution: Consistent with prior synthesis.
Berkeley RDI / ExploitGym researchers
Published the ExploitGym benchmark on arXiv evaluating whether AI agents can turn known security vulnerabilities into real attacks, providing an independent academic framework for measuring AI-assisted exploit development capability.
Evolution: Consistent with prior synthesis.
US DoD / CSIAC
Published formal technical response report 'Counter-AI Offensive Tools and Techniques,' signaling that AI-native offensive capabilities now warrant organized institutional response at the national defense level.
Evolution: Consistent with prior synthesis.
Samuel Ajiboyede
Raises the regulatory question of whether governments should mandate reciprocal access to offensive AI models or fund sovereign capabilities like AISI, framing this as a policy design choice rather than a settled answer.
Evolution: Consistent with prior synthesis.
Grant Harvey (The Neuron)
Frames AI cybersecurity as a genuine two-sided escalation where autonomous capabilities power both offense and defense; emphasizes AI's advantage in tracing user flows to identify trust-assumption flaws; cautiously optimistic that defensive multi-agent verification can scale.
Evolution: Consistent with prior synthesis.
Jack Clark (Import AI)
Uses fast16.sys as a cautionary historical metaphor to argue the most dangerous AI-enabled cyberweapons will be subtle and degradation-focused; frames proliferation as analogous to how a superintelligence might prevent competitors from developing comparable capabilities.
Evolution: Consistent with prior synthesis.
Zvi Mowshowitz (AI commentary, Substack)
Dedicated a Substack post to Claude Mythos and Project Glasswing cybersecurity findings, signaling active engagement from the AI safety and policy commentary community with the offensive-capability disclosure.
Evolution: Consistent with prior synthesis.
NBC News / mainstream media
Frames the Mythos restricted access as driven by the model's dangerous capabilities ('Why Anthropic won't release its new Mythos AI model to the public'), translating the Glasswing story from technical security reporting into consumer-facing AI safety narrative.
Evolution: Consistent with prior synthesis.
AgentGraph
Argues that the MCP/AI skills ecosystem recreates the npm supply chain vulnerability problem at a faster pace, with unverified community packages receiving implicit trust from AI agents.
Evolution: Consistent with prior synthesis.
RupeeMindset
Argues the structural asymmetry favoring offense is economic, not merely technical: defensive costs scale poorly while offensive AI costs favor attackers, and AI deepens rather than resolves this gap.
Evolution: Consistent with prior synthesis.
Tensions
- The open-source Mythos replication at ~$1/run using Claude Opus 4.7 [29] directly challenges Anthropic's rationale for not releasing Mythos publicly [25]; Picus Security's 'paradox' framing [27] now gives this tension explicit enterprise-vendor articulation: if the exploit-chaining methodology is replicable cheaply and publicly, gated access to the original model may not meaningfully contain the capability proliferation it was designed to prevent. [29][25][70][24][27]
- Microsoft's explicit call for government cyber testing of frontier AI models [30] sits in tension with OpenAI's self-regulatory gated access model [31]: one approach relies on state-imposed testing mandates as the oversight mechanism, the other on industry-designed vetting programs — implying fundamentally different theories of accountability for offensive-capable AI. [30][31][131]
- Microsoft's MDASH results and Grant Harvey's framing suggest defensive AI can scale to meet offensive AI [92][85]; RupeeMindset counters that defensive cost structures are prohibitively higher than offensive ones, and AI deepens rather than resolves that asymmetry [130] — a structural economics argument that MDASH's capability demonstration does not address. [92][85][130]
- Anthropic's Project Glasswing finding — documented in primary-source reports from both Anthropic's red team and the Cloudflare Blog — that Mythos finds exploit chains earlier frontier models missed [70][24] sharpens the gap with Microsoft MDASH's defensive benchmark: MDASH was optimized for finding individual vulnerabilities [85], not countering chained exploit sequences, leaving open whether defensive AI architecture is keeping pace with the specific chaining capability being demonstrated on offense. [70][24][85][106]
- OpenAI's Trusted Access for Cyber program gives vetted external researchers access to both the general GPT-5.5 and the specialized GPT-5.5-Cyber [31], while Anthropic has not released Mythos publicly at all [25] — two distinct theories of how AI labs should handle offensive-capable models: controlled external access versus full restriction. No common industry standard has yet resolved this fault line. [31][25]
- Mistral AI confirms the breach but declines to say what data was taken [8], while TeamPCP publicly threatens to leak the data if no buyer is found [11] — an information asymmetry where the attacker discloses more about breach scope than the victim. Hints of a prior Mistral SDK disclosure [66] add a further dimension: whether Mistral had advance awareness of a vulnerability that TeamPCP subsequently exploited. [55][11][8][9][10][66]
- OpenAI's disclosure that no customer data or production systems were compromised [7] sits in tension with the practical impact of code-signing certificate revocation: macOS users who do not update by June 12 will find OpenAI apps non-functional — a direct consumer disruption that complicates the 'limited blast radius' framing even absent data exfiltration. [7]
- Samuel Ajiboyede frames the policy choice as mandating reciprocal access to offensive AI models versus funding sovereign capabilities like AISI [124] — approaches implying fundamentally different theories of defense — while Microsoft's government testing call [30] introduces a third model (state-imposed testing without state-owned capability) that neither Ajiboyede pole fully addresses. [124][106][30]
- DreamFactory's framing of March 2026 as 'five attacks in twelve days' [2] and StepSecurity's 'five attacks in forty-eight hours' for May [15] together show tempo compression over the same attack surface — but whether this acceleration is driven by AI-enabled tooling or simply by multiple independent actors discovering the same CI/CD trust-assumption template is unresolved, and the answer determines whether the AISI's 4.5-month capability doubling rate [20] is explanatory or coincidental. [2][15][20][1]
- The dual-use optimism in Harvey's framing [92] and Clark's degradation-focused alarm [125] face a concrete test: Mini Shai-Hulud's CI/CD compromise method and the AI-assisted 2FA zero-day both exploit trust-assumption logic rather than memory errors [17][3], and the now-documented TrapDoor attack [12][13][14] adds a simultaneous cross-registry instance of the same template — suggesting Clark's 'invisible degradation' model may already be operational at infrastructure scale rather than purely at the scientific-data layer. [92][125][17][18][3][12][13][14]
Sources
- [1] Supply Chain Attacks Surge in March 2026 | ThreatLabz — reactive:ai-offensive-cyber
- [2] Five Supply Chain Attacks in Twelve Days: How March 2026 Broke Open-Source Trust and What Comes Next — reactive:ai-offensive-cyber
- [3] The npm supply chain attack that hit TanStack, Mistral AI, and UiPath on May 11 didn't involve stolen credentials.42 Tan... — reactive:ai-offensive-cyber (2026-05-14)
- [4] 314 npm packages compromised in the Shai-Hulud supply chain attack. — reactive:ai-offensive-cyber (2026-05-19)
- [5] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
- [6] @IntCyberDigest The list keeps growing: OpenAI, Mistral, UiPath, Guardrails AI, SAP. All hit through the same npm supply... — reactive:ai-offensive-cyber (2026-05-15)
- [7] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
- [8] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
- [9] TeamPCP hackers advertise Mistral AI code repos for sale — reactive:ai-offensive-cyber
- [10] TeamPCP Hackers Put Mistral AI Source Code Up for Sale at $25,000 — reactive:ai-offensive-cyber
- [11] [2026-05-18] TeamPCP threatens to leak Mistral AI's code if no one ... — reactive:ai-offensive-cyber
- [12] TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages... — reactive:ai-offensive-cyber
- [13] TrapDoor supply chain attack hit 34+ packages across npm, PyPI, and https://t.co/rIAvxdhxV6, stealing wallets, SSH keys,... — reactive:ai-offensive-cyber (2026-05-24)
- [14] A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and Crates.io simultaneously, 34 malicious pack... — reactive:ai-offensive-cyber (2026-05-24)
- [15] 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not ... — reactive:ai-offensive-cyber
- [16] NPM Supply Chain Attacks Expose Hidden Risks for AI Agents Like OpenAI Codex — reactive:ai-offensive-cyber
- [17] Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog — reactive:ai-offensive-cyber
- [18] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
- [19] Google reports first known AI-assisted zero-day exploit in the wild — reactive:ai-offensive-cyber (2026-05-12)
- [20] Cyber Ceiling Broken: AISI's Actual Measurement Reveals Mythos' Capabilities Surging Towards ASI with 4.5 - Month Doubling Rate — reactive:ai-offensive-cyber
- [21] Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI ... — reactive:ai-offensive-cyber
- [22] Anthropic's 'Project Glasswing' Exposes the Next Challenge for ... — reactive:ai-offensive-cyber
- [23] AI, Project Glasswing, and the Changing Institutional Economics of Bugs - Internet Governance Project — reactive:ai-offensive-cyber
- [24] Project Glasswing: what Mythos showed us - The Cloudflare Blog — reactive:ai-offensive-cyber
- [25] Why Anthropic won't release its new Mythos AI model to the public — reactive:ai-offensive-cyber
- [26] Project Glasswing, Mythos Findings, and Getting Ready for Your ... — reactive:openai-advanced-account-security
- [27] What Is Project Glasswing? Anthropic's AI Misuse Research Initiative ... — reactive:claude-mythos-capability-regulation
- [28] [PDF] Claude Mythos and Project Glasswing | LTM — reactive:ai-offensive-cyber
- [29] GitHub - Keyvanhardani/mythos-research: Outside-in replication of Anthropic's Mythos Preview / Project Glasswing — open-source agentic vulnerability-discovery scaffold on Claude Opus 4.7. Eight-phase sink-guided pipeline, ~$1/run, OSS self-scan and coordinated disclosure. · GitHub — reactive:ai-offensive-cyber
- [30] AI Frontier Models Should Be... | VitalLaw.com — reactive:ai-offensive-cyber
- [31] Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI Blog (2026-05-07)
- [32] [SECURITY] Supply chain compromise in mistralai 2.4.6 ... - GitHub — reactive:ai-offensive-cyber
- [33] OpenAI prepares GPT-5.5-Cyber for trusted security researchers - Techzine Global — reactive:frontier-ai-cyber-capabilities
- [34] OpenAI opens GPT-5.5-Cyber to vetted security researchers — reactive:ai-offensive-cyber
- [35] OpenAI Launches GPT-5.4-Cyber To Expand The Trusted Access ... — reactive:ai-offensive-cyber
- [36] Access to GPT-5.4-Cyber is granted exclusively to vetted ... - Instagram — reactive:ai-offensive-cyber
- [37] GPT-5.5-Cyber AI for Cybersecurity Red Team Use - LinkedIn — reactive:ai-offensive-cyber
- [38] OpenAI GPT-5.5-Cyber Ignites Security Race — reactive:ai-offensive-cyber
- [39] 🚨 OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack — reactive:ai-security-nexus (2026-05-16)
- [40] OpenAI confirms breach in TanStack supply chain cyberattack. — reactive:ai-security-nexus (2026-05-15)
- [41] 🚨 OpenAI just confirmed a real supply-chain attack. — reactive:ai-offensive-cyber (2026-05-15)
- [42] OpenAI recommends updating desktop agents, after the supply chain attack compromising nearly 170 npm packages; by TeamPC... — reactive:ai-offensive-cyber (2026-05-15)
- [43] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
- [44] AI ZERO-DAY IN THE WILD COURTESY OF GOOGLE THREAT INTEL — reactive:ai-offensive-cyber (2026-05-14)
- [45] A criminal group has used AI to discover and weaponize a 0-day vulnerability, marking a major escalation in offensive cy... — reactive:ai-offensive-cyber (2026-05-21)
- [46] Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek — reactive:ai-offensive-cyber
- [47] Google spotted an AI-developed zero-day before attackers could use it | CyberScoop — reactive:ai-offensive-cyber
- [48] Google Researchers Detect First AI-Built Zero-Day Exploit in Cyberattack - Bloomberg — reactive:ai-offensive-cyber
- [49] First 2026 AI zero-day REVEALED Google just disrupted ... — reactive:ai-offensive-cyber
- [50] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
- [51] Mistral AI and TanStack npm packages were compromised in a supply chain attack named 'Mini Shai-Hulud.' GitHub creds, CI... — reactive:ai-offensive-cyber (2026-05-17)
- [52] TeamPCP claims it breached @MistralAI and stole 5GB of data across 450 repositories, while Mistral confirms impact from ... — reactive:ai-offensive-cyber (2026-05-14)
- [53] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack — reactive:ai-offensive-cyber
- [54] TeamPCP Monetizes Shai-Hulud Fallout: Mistral AI Source Code — reactive:ai-offensive-cyber
- [55] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved — reactive:ai-offensive-cyber
- [56] TeamPCP hackers advertise Mistral AI code repos for sale | Simon J ... — reactive:ai-offensive-cyber
- [57] ‼️ Mistral AI allegedly breached: ~5GB of internal source code ... — reactive:ai-offensive-cyber
- [58] Alleged Mistral AI Breach Exposes Internal Repositories and Source ... — reactive:ai-offensive-cyber
- [59] TeamPCP is advertising alleged access to Mistral AI repositories ... — reactive:ai-offensive-cyber
- [60] Hackers Steal 450 Repos from Mistral AI for $25,000 - LinkedIn — reactive:ai-offensive-cyber
- [61] TeamPCP hackers advertise Mistral AI code repos for sale - Reddit — reactive:ai-offensive-cyber
- [62] TeamPCP: CI/CD Security Tool Supply Chain Compromise — reactive:ai-offensive-cyber
- [63] Mistral AI breached in TanStack-linked attack? 450 repos exposed — reactive:ai-offensive-cyber
- [64] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
- [65] Security advisories | Mistral Docs — reactive:ai-offensive-cyber
- [66] The alleged breach comes just days after Mistral disclosed that ... — reactive:ai-offensive-cyber
- [67] Mistral AI Breach: A $25,000 Ransom That Exposes Billion-Dollar ... — reactive:ai-offensive-cyber
- [68] Mistral AI SDK, TanStack Router hit in npm software supply chain attack | CSO Online — reactive:ai-offensive-cyber
- [69] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
- [70] Assessing Claude Mythos Preview's cybersecurity capabilities — reactive:frontier-ai-cyber-capabilities
- [71] Anthropic Glasswing & Claude Mythos Explained for GovCon — reactive:ai-offensive-cyber
- [72] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
- [73] Claude Mythos Cracks All Security, Project Glasswing, and the New ... — reactive:ai-offensive-cyber
- [74] On Anthropic's Mythos Preview and Project Glasswing — reactive:claude-mythos-capability-regulation
- [75] Cloudflare just published what they found after running Anthropic's ... — reactive:ai-offensive-cyber
- [76] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
- [77] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
- [78] Cloudflare Tests AI's Ability to Find and Exploit Vulnerabilities — reactive:ai-offensive-cyber
- [79] Cloudflare's approach to building safe AI agents with narrow scope ... — reactive:ai-offensive-cyber
- [80] 🤖Anthropic’s Mythos AI can now chain bugs into working exploits, according to Cloudflare. — reactive:ai-offensive-cyber (2026-05-19)
- [81] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
- [82] Cloudflare Tests Mythos AI on 50 Repositories, Finds Vulnerabilities — reactive:ai-offensive-cyber
- [83] (PDF) An Outside-In Replication of Project Glasswing Mythos ... — reactive:ai-offensive-cyber
- [84] Supply-Chain Attacks in an Era of Automation and Implicit Trust — reactive:ai-offensive-cyber
- [85] Defense at AI speed: Microsoft's new multi-model agentic security ... — reactive:ai-offensive-cyber
- [86] Microsoft's MDASH AI Security System Finds 16 Windows Vulnerabilities — reactive:ai-offensive-cyber
- [87] Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — reactive:ai-offensive-cyber
- [88] MDASH Vulnerability Discovery - AI Security System | Saudi Shopper — reactive:ai-offensive-cyber
- [89] Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News — EdTech Innovation Hub — reactive:ai-offensive-cyber
- [90] 16 New Windows Vulnerabilities Discovered By Microsoft's AI ... — reactive:ai-offensive-cyber
- [91] Microsoft unveils MDASH, its AI agent-driven security platform — and it's already spotted a host of new Windows flaws | TechRadar — reactive:ai-offensive-cyber
- [92] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
- [93] Microsoft: AI-Powered Security System MDASH Tops Industry Benchmark — reactive:ai-offensive-cyber
- [94] Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It? — reactive:ai-offensive-cyber
- [95] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
- [96] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
- [97] Sung Kim (@sung.kim.mw) on Threads — reactive:ai-offensive-cyber
- [98] Frontier Risk Report (February to March 2026) | Stephen Pimentel — reactive:ai-offensive-cyber
- [99] Defender's Guide to the Frontier AI Impact on Cybersecurity — reactive:ai-offensive-cyber
- [100] Frontier AI Models and Cybersecurity Readiness: Recalibrating Risk for a Faster Threat Environment | Lowenstein Sandler LLP — reactive:ai-offensive-cyber
- [101] Security Update: Mistral AI PyPI Supply Chain Attack - LiteLLM — reactive:ai-offensive-cyber
- [102] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
- [103] Using AI for Offensive Security | CSA — reactive:ai-offensive-cyber
- [104] CISO Daily Briefing – May 16, 2026 – Lab Space — reactive:ai-offensive-cyber
- [105] Recent evaluations from the UK AI Security Institute (AISI) highlight the accelerating pace of autonomous AI cyber capab... — reactive:ai-offensive-cyber (2026-05-14)
- [106] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
- [107] AI cyber capability is speeding past earlier projections - Help Net Security — reactive:ai-offensive-cyber
- [108] Cyber & Autonomous Systems | AISI Work Category — reactive:ai-offensive-cyber
- [109] "How fast is autonomous AI cyber capability advancing?", AISI Work ... — reactive:ai-offensive-cyber
- [110] Autonomous AI Cyber Capability Doubles Every Few Months — reactive:ai-offensive-cyber
- [111] [2605.11086] ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
- [112] Center for Responsible, Decentralized Intelligence at Berkeley — reactive:ai-offensive-cyber
- [113] AI-Powered Paper Summarization about the arXiv paper 2605.11086v1 — reactive:ai-offensive-cyber
- [114] Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
- [115] Can AI agents turn security vulnerabilities into real attacks? This is ... — reactive:ai-offensive-cyber
- [116] CyberGym: A Real-World Benchmark for Testing AI Agents ... - Reddit — reactive:ai-offensive-cyber
- [117] Read CSIAC's technical response report, "Counter-AI Offensive Tools and Techniques." — reactive:ai-offensive-cyber (2026-05-20)
- [118] Read CSIAC's technical response report, "Counter-AI Offensive ... — reactive:ai-offensive-cyber
- [119] DoD Modernization Exchange 2026: Ping Identity’s Kelvin Brewer on applying least privilege access to AI tools — reactive:ai-offensive-cyber
- [120] Counter-AI Offensive Tools and Techniques - CSIAC - dtic.mil — reactive:ai-offensive-cyber
- [121] [PDF] Counter-AI Offensive Tools and Techniques - CSIAC — reactive:ai-offensive-cyber
- [122] Do you work in software or data analysis? CSIAC ... — reactive:ai-offensive-cyber
- [123] Cyber Security & Information Systems Information Analysis Center — reactive:ai-offensive-cyber
- [124] Should regulators mandate reciprocal access to offensive models or fund sovereign capabilities like UK's AISI? — reactive:ai-offensive-cyber (2026-05-20)
- [125] Import AI 457: AI stuxnet; cursed Muon optimizer; and positive alignment — Import AI (2026-05-18)
- [126] Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover | Tom's Hardware — reactive:ai-offensive-cyber
- [127] Ethical Hacking — reactive:ai-offensive-cyber
- [128] Claude Mythos #2: Cybersecurity and Project Glasswing — reactive:ai-offensive-cyber
- [129] The supply chain attack surface for AI skills/MCPs is the same problem npm had in 2018, just moving faster. Unverified c... — reactive:ai-offensive-cyber (2026-05-19)
- [130] @TheEconomist The real vulnerability isn't just "trusted firms" leaking tools—it's the asymmetric economics. Defensive c... — reactive:ai-offensive-cyber (2026-05-15)
- [131] [PDF] Letter to White House: Guidance on Oversight of AI Models — reactive:ai-security-nexus
- [132] Google thwarts effort hacker group use AI 'mass exploitation event' — reactive:ai-offensive-cyber
- [133] Mass Supply Chain Attack Hits TanStack, Mistral AI NPM and PyPI Packages — reactive:ai-offensive-cyber (2026-05-13)
- [134] 🚨 node-ipc compromised (3M+ downloads) — reactive:ai-offensive-cyber (2026-05-14)
- [135] NEWS | A new NPM supply chain attack is now targeting the AI ecosystem, hitting packages tied to Mistral AI, OpenSearch,... — reactive:ai-offensive-cyber (2026-05-14)
- [136] Mass supply-chain attack slams npm and PyPi, with downstream impact affecting Mistral AI and others, as latest Mini Shai... — reactive:ai-offensive-cyber (2026-05-14)
- [137] A supply chain worm just hit over 169 npm packages and multiple PyPI packages. The affected ecosystems include TanStack,... — reactive:ai-offensive-cyber (2026-05-15)
- [138] U.S., China announce deals after Trump-Xi summit - CNBC — reactive:ai-offensive-cyber
- [139] Trump-Xi 2026 Summit - CSIS — reactive:ai-offensive-cyber
- [140] Summit stabilizes U.S.-China relations at critical moment for two great powers — reactive:ai-offensive-cyber
- [141] Wow. Someone pulled off the first known supply chain attack designed to steal credentials from an AI coding assistant. A... — reactive:ai-offensive-cyber (2026-05-21)
- [142] This exact supply chain attack proves the point I made yesterday. AI tools and extensions make it stupidly easy to pull ... — reactive:ai-offensive-cyber (2026-05-21)
- [143] First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-23)
- [144] AI Finding Zero-Day Vulnerabilities and Chaining Exploits - YouTube — reactive:ai-offensive-cyber