The Information Machine

AI-Enabled Offensive Cyberattacks Escalate

Version 9

2026-05-25 08:39 UTC · 291 items

What

Six weeks of AI-enabled offensive cyber activity in 2026 are now understood as part of a longer-running supply chain surge, not an isolated spike. Zscaler ThreatLabz documents supply chain attacks rising sharply in March 2026 [1], and a DreamFactory analysis titled 'Five Supply Chain Attacks in Twelve Days' frames March 2026 as the moment open-source trust broke [2] — establishing that TeamPCP's 'Mini Shai-Hulud' (314+ npm/PyPI packages, victims including OpenAI, Mistral AI, and the European Commission [4][5]) and the separate 'TrapDoor' attack (34+ packages across npm, PyPI, and Crates.io [12][13]) are escalations of a trend already underway. Simultaneously, Google confirmed the first criminal AI-generated zero-day [17], and Anthropic's Project Glasswing — with Mythos finding exploit chains earlier frontier models missed — has attracted growing enterprise security vendor commentary from XM Cyber [26], Picus Security [27], and LTIMindtree [28] on how organizations should respond.

Why it matters

The March-to-May 2026 arc — five attacks in twelve days in March, five in forty-eight hours by May — shows an acceleration in attack tempo that individual incident responses cannot absorb. The compression of this timeline, combined with multiple independent threat actors converging on the same CI/CD trust-assumption vulnerabilities across different package ecosystems, suggests the supply chain attack surface has become a stable, repeatable template rather than a novel tactic. Project Glasswing's growing enterprise commentary signals that capability disclosure debates are moving from lab-level abstraction to operational readiness questions at the security program level.

Open questions

  • Does the March 2026 supply chain surge documented by Zscaler ThreatLabz [1] and DreamFactory [2] include precursor activity attributable to TeamPCP or TrapDoor [12], or were those March incidents distinct actors establishing the attack template that others then replicated in May?

  • Who operates TrapDoor [12][13][14], and is it affiliated with TeamPCP or an independent threat group — does simultaneous targeting of npm, PyPI, and Crates.io represent coordinated escalation or independent parallel convergence on the same attack surface?

  • Will TeamPCP follow through on the public leak threat against Mistral AI [11]? Mistral has confirmed the breach but has not disclosed what data was involved [8], and the specific compromise of mistralai 2.4.6 remains documented without a public remediation scope [32].

  • Picus Security frames Project Glasswing as a 'paradox' [27] — the defensive initiative creates a capability disclosure that, when replicated openly at ~$1/run [29], may accelerate offensive access rather than contain it. Has Anthropic or any Glasswing testing partner responded to this framing directly?

Narrative

Beginning in March 2026, supply chain attacks against open-source package ecosystems surged at a pace that broke existing incident-response assumptions. Zscaler's ThreatLabz team documented the surge across the month [1], and a DreamFactory analysis cataloguing 'Five Supply Chain Attacks in Twelve Days' frames March 2026 as the inflection point at which open-source package trust was systematically undermined [2]. When TeamPCP's 'Mini Shai-Hulud' attack began on May 11, 2026, abusing GitHub Actions publishing machinery to publish malicious package versions from 42 compromised TanStack repositories without any stolen credentials [3], it was exploiting a trust-assumption weakness in CI/CD publishing that the March wave had already shown to be viable at scale. The attack expanded to 314+ npm and PyPI packages by May 19 [4][5], with confirmed victims including OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP [6]. OpenAI's post-incident disclosure documented two compromised employee devices, exfiltrated code-signing certificates for its iOS, macOS, and Windows apps, and a June 12 revocation deadline [7]. Mistral AI confirmed the breach but declined to disclose what data was taken [8]; TeamPCP escalated from a $25,000 sale listing [9][10] to an explicit threat to publish the data if no buyer emerged [11].
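The page does not describe the exact workflow misconfiguration TeamPCP abused, so the following is an added example, not code from the page or from any of the vendors it cites: a heuristic scan, in Python, for the general class of GitHub Actions publishing flaws in which untrusted input reaches a job that can publish a package or holds write-scoped tokens. The two workflow texts, the finding identifiers and the 40-zero placeholder commit SHA are constructed for illustration and go beyond the specific incident the narrative describes.

```python
"""
Added example (not from the page or any cited vendor): scan GitHub Actions
workflow text for publishing-pipeline trust assumptions. Works on raw text so
it needs no YAML library; the checks are heuristics, not a full parser.
"""
import re
import sys

# Constructed sample: a release workflow with several trust assumptions at once.
RISKY_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [opened, synchronize]
  push:
    tags: ['v*']
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened counterpart. The 40-zero SHA is a placeholder for a real
# pinned commit; the environment name is hypothetical.
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - run: npm ci && npm run build
      - run: npm publish --provenance
"""

PUBLISH_CMDS = re.compile(r"\b(npm publish|pnpm publish|twine upload|cargo publish)\b")
LONG_LIVED_SECRETS = re.compile(
    r"secrets\.(NPM_TOKEN|NODE_AUTH_TOKEN|PYPI_TOKEN|TWINE_PASSWORD|CARGO_REGISTRY_TOKEN)"
)
# A 'uses:' reference whose ref is anything other than a full 40-hex commit SHA.
MUTABLE_REF = re.compile(r"uses:\s*[\w.-]+/[\w.-]+(?:/[\w./-]+)?@(?![0-9a-f]{40}\b)\S+")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head")


def scan_workflow(text: str) -> list:
    """Return sorted finding identifiers for one workflow file's text."""
    findings = set()
    # pull_request_target runs with base-repo secrets; checking out the PR head
    # means a fork's code executes with those privileges.
    if re.search(r"\bpull_request_target\b", text) and PR_HEAD_REF.search(text):
        findings.add("pr-target-runs-untrusted-code")
    if re.search(r"^permissions:\s*write-all\s*$", text, re.M):
        findings.add("token-write-all")
    elif not re.search(r"^permissions:", text, re.M):
        findings.add("token-default-permissions")  # inherits repo default GITHUB_TOKEN scope
    publishes = bool(PUBLISH_CMDS.search(text))
    if publishes and LONG_LIVED_SECRETS.search(text):
        findings.add("long-lived-publish-token")  # prefer OIDC trusted publishing
    if publishes and not re.search(r"^\s+environment:", text, re.M):
        findings.add("publish-without-environment-gate")
    if MUTABLE_REF.search(text):
        findings.add("action-not-sha-pinned")
    return sorted(findings)


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return scan_workflow(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(p, scan_file(p))
    else:
        print("risky:", scan_workflow(RISKY_WORKFLOW))
        print("hardened:", scan_workflow(HARDENED_WORKFLOW))
```

Point it at .github/workflows/*.yml via scan_file. A release workflow that is clean under these heuristics triggers only on tags or releases, grants contents: read plus id-token: write for OIDC trusted publishing, pins every action to a full commit SHA, and publishes from a protected environment rather than with a long-lived registry token.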

A second, entirely distinct supply chain attack — 'TrapDoor' — was simultaneously documented hitting 34+ packages across npm, PyPI, and Crates.io, stealing wallet credentials and SSH keys [12][13][14]. Socket.dev's primary-source analysis of TrapDoor establishes it as structurally separate from Mini Shai-Hulud while targeting the same CI/CD trust-assumption layer [12]. StepSecurity's 'Five Supply Chain Attacks in 48 Hours' analysis frames TrapDoor and Mini Shai-Hulud as part of a systemic wave [15]; the acceleration from March's twelve-day window to May's forty-eight-hour window represents compression of attack tempo across a single attack surface. Oligo Security specifically flagged that npm supply chain compromises create hidden downstream risks for AI agents like OpenAI Codex whose security posture depends on upstream package integrity [16], connecting the supply chain threat directly to AI-native deployment pipelines.
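A concrete form of the layered dependency check that StepSecurity and Oligo argue for, as an added example in Python rather than anything published by either vendor: an audit of an npm package-lock.json (lockfileVersion 3 layout) that flags pinned versions on a known-bad list, packages resolved from outside the expected registry, entries with missing or weak integrity hashes, and packages that declare install scripts, which run automatically at npm install and so deserve review. The lockfile, the package names and the KNOWN_BAD indicator list are constructed and hypothetical; they do not describe real compromised releases.

```python
"""
Added example: audit an npm package-lock.json (lockfileVersion 3 layout) for
supply-chain red flags. Not code from the page or from any vendor it cites.
"""
import json
import sys

REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile. Package names and versions are hypothetical.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@acme/widgets": "^3.4.0"}},
    "node_modules/@acme/widgets": {
      "version": "3.4.1",
      "resolved": "https://registry.npmjs.org/@acme/widgets/-/widgets-3.4.1.tgz",
      "integrity": "sha512-AAAA",
      "hasInstallScript": true
    },
    "node_modules/tiny-util": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-1.0.2.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/tiny-util/node_modules/legacy-dep": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/legacy-dep/-/legacy-dep-0.9.0.tgz",
      "integrity": "sha1-CCCC"
    },
    "node_modules/forked-lib": {
      "version": "2.0.0",
      "resolved": "git+ssh://git@github.com/example/forked-lib.git#0123abcd"
    }
  }
}
""")

# Hypothetical indicator list: package name -> set of compromised versions.
KNOWN_BAD = {"@acme/widgets": {"3.4.1"}}


def package_name(path: str) -> str:
    """Map a lockfile path to a package name, handling nested node_modules."""
    return path.rsplit("node_modules/", 1)[1]


def audit_lockfile(lock: dict, known_bad: dict, registry: str = REGISTRY) -> list:
    """Return a list of {package, version, issue} findings for one lockfile."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project entry or workspace symlink
        name, version = package_name(path), entry.get("version", "")

        def flag(issue, name=name, version=version):
            findings.append({"package": name, "version": version, "issue": issue})

        if version in known_bad.get(name, set()):
            flag("known-bad-version")
        # Anything not fetched from the expected registry (git URLs, tarball
        # URLs on other hosts) bypasses registry-side controls.
        if not entry.get("resolved", "").startswith(registry):
            flag("off-registry-source")
        integrity = entry.get("integrity")
        if not integrity:
            flag("missing-integrity")  # npm cannot verify the tarball at install
        elif not integrity.startswith("sha512-"):
            flag("weak-integrity")
        if entry.get("hasInstallScript"):
            flag("install-script")  # code runs on every install; review it
    return findings


def audit_file(path: str, known_bad: dict = KNOWN_BAD) -> list:
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), known_bad)


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_lockfile(SAMPLE_LOCK, KNOWN_BAD)
    for f in results:
        print(f"{f['issue']:24} {f['package']}@{f['version']}")
    sys.exit(1 if results else 0)
```

Run it in CI against the committed lockfile with an indicator list maintained from vendor advisories; the non-zero exit on any finding makes it a gate rather than a report. The install-script check is noisy on purpose: native modules legitimately declare install scripts, so treat it as a review prompt rather than an automatic block.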

On the same day Mini Shai-Hulud began, Google's Threat Intelligence Group intercepted what it characterized as the first criminal AI-generated zero-day: an exploit for a hardcoded trust assumption in a two-factor authentication flow, discovered and weaponized with AI assistance, which GTIG caught before mass deployment [17]. Attribution reporting names APT45 and UNC2814 with North Korean infrastructure [18][19]. The UK AI Safety Institute published primary-source data showing autonomous AI cyber capability doubling roughly every 4.5 months [20], and Security Boulevard's 'Beyond Moore's Law' analysis framed that trajectory as outpacing historical technology acceleration curves [21].

Anthropic's Project Glasswing, which engages external organizations to test Claude Mythos against real-world codebases, was publicly disclosed in April 2026 [22][23], more than three weeks before the Mini Shai-Hulud attack. Cloudflare documented Mythos chaining exploits in ways earlier frontier models missed when run against 50+ repositories [24]; Anthropic has not released Mythos publicly [25]. Enterprise security vendors have begun publishing operational guidance: XM Cyber frames the Glasswing findings as requiring immediate preparation adjustments [26], and Picus Security characterizes the initiative as a 'paradox', arguing that the defensive transparency Glasswing creates may accelerate offensive capability proliferation faster than it builds defensive readiness [27]. LTIMindtree published a PDF analysis of Claude Mythos and Project Glasswing for enterprise IT services audiences [28]. An open-source outside-in replication by Keyvanhardani, implementing an eight-phase sink-guided pipeline on Claude Opus 4.7 at roughly $1 per run [29], gives the Picus argument concrete form: the methodology is publicly available whether or not Anthropic ever releases the original model. Microsoft called for government cyber testing of frontier AI models [30]; OpenAI's 'Trusted Access for Cyber' program gives vetted defenders access to GPT-5.5 and GPT-5.5-Cyber [31]; and Anthropic's full restriction, OpenAI's gated external access, and Microsoft's internal MDASH deployment persist as three competing deployment philosophies with no common standard in sight.

Timeline

  • pre-2010: fast16.sys virus deployed, selectively corrupting floating-point results in nuclear physics and precision engineering software — establishing an early template for targeted scientific sabotage through invisible degradation rather than overt disruption [125][126][127]
  • 2026-02/03: METR assesses frontier AI risks during February–March 2026, producing findings published in the Frontier Risk Report [95]
  • 2026-03: Supply chain attacks against open-source package ecosystems surge; Zscaler ThreatLabz documents the March 2026 surge; DreamFactory analysis catalogues five supply chain attacks in twelve days, framing March 2026 as the inflection point at which open-source package trust broke [1][2]
  • 2026-04-16: Internet Governance Project publishes 'AI, Project Glasswing, and the Changing Institutional Economics of Bugs,' providing early substantive public analysis of Glasswing — weeks before the Mini Shai-Hulud attack [23]
  • 2026-04-19: IANS Research publishes that Project Glasswing 'Exposes the Next Challenge for Vulnerability Management'; Bruce Schneier publishes commentary on Anthropic's Mythos Preview and Project Glasswing [22][74]
  • 2026-05-07: OpenAI publishes 'Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber' on the OpenAI Blog, establishing a formal program granting vetted security defenders access to GPT-5.5 and the specialized GPT-5.5-Cyber model — predating the Mini Shai-Hulud attack by four days [31][33][34][35][36][37][38]
  • 2026-05-11: TeamPCP's Mini Shai-Hulud supply chain attack begins: 42 TanStack GitHub repositories compromised via GitHub Actions publishing machinery, 84 malicious npm package versions published without credential theft; Google GTIG detects the first known AI-generated zero-day exploit targeting a 2FA trust assumption and intercepts it before mass deployment [3][17][19][48][132][46][47]
  • 2026-05-12: Microsoft publishes the Security Blog post announcing MDASH, its multi-model agentic security system, which has already found 16 Windows vulnerabilities including 4 critical RCE flaws and tops leading industry benchmarks [85][86][87][91][93]
  • 2026-05-13: OpenAI publishes its official post-incident disclosure specifying two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline set, and no customer data or production systems affected; UK AISI publishes primary-source blog documenting autonomous AI cyber capability doubling at approximately every 4.5 months [7][133][106][20]
  • 2026-05-14: Attack scope confirmed across Mistral AI, OpenAI, UiPath, and OpenSearch npm packages; TeamPCP claims 5GB Mistral breach across 450 repositories; node-ipc (3M+ downloads) separately compromised [134][135][52][136]
  • 2026-05-15: Attack scale reaches 169+ npm and PyPI packages; OpenAI, Mistral AI, the European Commission, UiPath, Guardrails AI, and SAP all named as affected via the same supply chain vector [39][40][137][6][42][5]
  • 2026-05-16: Cloud Security Alliance CISO briefing cites the AI-generated zero-day; attribution reporting names APT45 and UNC2814 with North Korean infrastructure [18][43][104]
  • 2026-05-17: Attack formally named 'Mini Shai-Hulud'; Mistral AI and TanStack npm/PyPI packages confirmed as central targets [51]
  • 2026-05-18: TeamPCP threatens to leak Mistral AI's code publicly if no buyer is found; DarkWebInformer documents the ~5GB exfiltration claim across social channels [11][57][138][139][140]
  • 2026-05-19: Total compromised packages reaches 314+ npm/PyPI; Cloudflare tests Mythos against 50+ repositories within Project Glasswing, documenting its ability to chain exploits; METR Frontier Risk Report covering February–March 2026 published and begins circulating [50][4][129][76][78][81][24][95][96][97][98]
  • 2026-05-20: US DoD CSIAC publishes formal technical response report 'Counter-AI Offensive Tools and Techniques'; Microsoft calls for government cyber testing of frontier AI models [117][124][120][121][30]
  • 2026-05-21: Security community characterizes the AI-assisted zero-day as a major escalation milestone marking the emergence of AI-native threat actors [45][141][142]
  • 2026-05-22: TeamPCP lists Mistral AI source code for sale at $25,000 across multiple channels; Mistral AI officially confirms the breach but declines to disclose what data was taken; CSO Online reports on the Mistral AI SDK and TanStack Router npm supply chain attack [9][10][53][54][63][8][58][59][60][61][68]
  • 2026-05-23: Anthropic's Project Glasswing confirmed as Anthropic-owned initiative; Cloudflare Blog publishes primary-source account; NBC News reports Anthropic won't release Mythos publicly; Bloomberg, CNBC, SecurityWeek, and CyberScoop report Google's AI zero-day; the AI zero-day story goes viral on social media [69][24][70][25][48][132][46][47][17][143][128][82][144]
  • 2026-05-24: Keyvanhardani publishes open-source Mythos replication on GitHub; mistralai Python client version 2.4.6 specifically documented as compromised; LiteLLM publishes security update; 'TrapDoor' supply chain attack documented by Socket.dev hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallets and SSH keys; StepSecurity documents five supply chain attacks in 48 hours as a converging wave; CSA Labs publishes formal research note on TeamPCP's CI/CD attack methodology [29][32][101][65][66][67][12][13][14][15][62][31][33]

Perspectives

OpenAI

Published the most detailed primary-source incident disclosure of any confirmed breach victim — two employee devices compromised, code-signing certificates for iOS/macOS/Windows apps exfiltrated, June 12 revocation deadline, no customer data or production systems affected — framing the incident as a 'broader shift' toward supply chain targeting. Separately confirmed, via an official blog post predating the Mini Shai-Hulud attack, a formal 'Trusted Access for Cyber' program giving vetted security defenders access to GPT-5.5 and GPT-5.5-Cyber for vulnerability research and critical infrastructure protection.

Evolution: Consistent with prior synthesis; GPT-5.5-Cyber program remains confirmed via official blog post published May 7, 2026, four days before the attack.

Google Threat Intelligence Group (GTIG)

Confirmed the first criminal AI-assisted zero-day exploit targeting a 2FA trust assumption; attribution reporting names APT45 and UNC2814 with North Korean infrastructure; GTIG intercepted the exploit before mass deployment. The Google Cloud Blog primary-source post documents adversaries using AI for vulnerability exploitation, augmented operations, and initial access — framing the zero-day as one instance of a systematic shift rather than an isolated incident.

Evolution: Consistent with prior synthesis; mainstream amplification of the story via content creators and social media has broadened public reach.

TeamPCP (threat group)

Operators of Mini Shai-Hulud; have escalated from breach-and-claim through active sale listing ($25,000) to an explicit leak threat stating they will publish Mistral AI data publicly if no buyer is found. CSA Labs' formal research note provides institutional technical attribution of the group's CI/CD attack vector.

Evolution: Consistent; escalation arc is documented but no new phases have materialized since the leak threat.

TrapDoor (threat actor)

Operators of a second, distinct supply chain attack — separate from TeamPCP — hitting 34+ packages across npm, PyPI, and Crates.io simultaneously, stealing wallet credentials and SSH keys. Socket.dev's primary-source analysis is now available. No attribution or identity has been established.

Evolution: Socket.dev's primary-source analysis [12] provides the most detailed technical characterization of TrapDoor available; prior synthesis cited this attack via secondary references [13][14].

Mistral AI

Officially confirmed the breach but has not disclosed what data is involved; remains silent on whether TeamPCP's 5GB/450-repository claim accurately characterizes the scope. The specific compromise of mistralai Python client version 2.4.6 is documented in a GitHub security issue independent of Mistral's own disclosures.

Evolution: Consistent with prior synthesis.

Anthropic (Project Glasswing)

Project Glasswing is Anthropic's own defensive security initiative, confirmed via anthropic.com/glasswing and a red team capability assessment at red.anthropic.com; the project was publicly disclosed in April 2026 and engages external organizations to test Claude Mythos against real-world codebases. Mythos discovers exploit chains earlier frontier models missed. Controlled access is a deliberate safety decision — Anthropic has not released Mythos publicly.

Evolution: Consistent with prior synthesis. Growing enterprise vendor commentary (XM Cyber, Picus Security, LTIMindtree) signals the capability disclosure is moving from security research discourse into operational enterprise security planning.

Cloudflare (Glasswing testing partner)

Participated in Project Glasswing as a testing partner; the Cloudflare Blog published a primary-source account documenting that Mythos chains exploits in ways earlier frontier models missed when run against 50+ repositories. Advocates for narrow-scope AI agent design to limit blast radius from autonomous exploitation.

Evolution: Consistent with prior synthesis; Reddit discussion of Cloudflare's findings [75] reflects ongoing community amplification.

Zscaler ThreatLabz

Documents supply chain attacks surging during March 2026, providing institutional security vendor confirmation that the May 2026 wave is part of a trend established at least two months earlier rather than a sudden escalation.

Evolution: New voice this pass; provides the most direct institutional framing of March 2026 as the supply chain surge baseline.

DreamFactory

Published 'Five Supply Chain Attacks in Twelve Days: How March 2026 Broke Open-Source Trust and What Comes Next,' framing March 2026 as the inflection point at which open-source package trust was systematically broken — contextualizing May's attacks as acceleration, not initiation.

Evolution: New voice this pass; the 'twelve days in March' framing directly precedes and reframes StepSecurity's 'forty-eight hours in May' framing as a compression of tempo rather than a fresh wave.

XM Cyber

Published 'Project Glasswing, Mythos Findings, and Getting Ready for Your...' — framing the Glasswing capability disclosure as a call to operational readiness rather than a debate about Anthropic's deployment decisions, positioning the question as what security programs need to do to prepare.

Evolution: New voice this pass.

Picus Security

Frames Project Glasswing as a 'paradox' — the defensive initiative that discloses Mythos's exploit-chaining capabilities may accelerate offensive proliferation faster than it builds defensive readiness, particularly given open-source replications of the methodology.

Evolution: New voice this pass; the 'paradox' framing is the most direct challenge to Anthropic's Glasswing rationale from an enterprise security vendor.

LTIMindtree

Published a PDF analysis of Claude Mythos and Project Glasswing for enterprise IT services audiences, signaling that the capability disclosure has reached the enterprise technology services sector as a planning and advisory item.

Evolution: New voice this pass.

Keyvanhardani (independent replication researcher)

Published an open-source outside-in replication of Anthropic's Mythos Preview / Project Glasswing on GitHub, implementing an eight-phase sink-guided pipeline using Claude Opus 4.7 at approximately $1 per run, framed as an OSS self-scan and coordinated disclosure scaffold.

Evolution: Consistent with prior synthesis; the public GitHub repository remains the main proliferation concern, since the pipeline can be run without access to Mythos itself, and Picus Security's paradox framing directly references the implications of such replications.

StepSecurity

Published 'Five Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not Enough,' framing Mini Shai-Hulud and TrapDoor as part of a systemic converging wave rather than isolated incidents and arguing that layered defense across the full dependency chain is required.

Evolution: Consistent with prior synthesis; now contextualized by Zscaler and DreamFactory as acceleration of a March 2026 surge rather than a standalone event.

Darktrace

Published analysis framing supply chain attacks as a structural problem in an era of automation and implicit trust, positioning the attack surface as rooted in systems that extend trust by default rather than verifying at each layer.

Evolution: Consistent with prior synthesis.

Oligo Security

Flagged the hidden downstream risks that npm supply chain compromises create for AI agents — specifically naming OpenAI Codex as an example of an AI system whose security posture is directly dependent on upstream package integrity.

Evolution: Consistent with prior synthesis.

Bruce Schneier

Published commentary on Anthropic's Mythos Preview and Project Glasswing in April 2026, representing significant engagement from the security research commentariat with Anthropic's capability disclosure.

Evolution: Consistent with prior synthesis.

Microsoft (MDASH team + regulatory stance)

Multi-agent vulnerability discovery system MDASH independently found 16 Windows vulnerabilities including 4 critical RCE flaws; Microsoft's Security Blog documents MDASH as topping leading industry benchmarks for defensive AI vulnerability discovery. Microsoft has separately and explicitly called for frontier AI models to be subject to government cyber testing.

Evolution: Consistent with prior synthesis.

Rubrik

Published 'Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It?' — framing frontier AI models themselves as a threat category requiring enterprise-level defensive response, not merely a tool for offense or defense.

Evolution: Consistent with prior synthesis.

Security Boulevard

Published 'Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities,' amplifying and contextualizing the AISI doubling-rate finding within a broader argument that AI-enabled cyber capability growth outpaces historical technology acceleration curves.

Evolution: Consistent with prior synthesis.

IANS Research

Frames Project Glasswing as 'exposing the next challenge for vulnerability management,' positioning the Mythos capability disclosure as requiring institutional security programs to reconsider how they detect and respond to autonomous exploit chaining.

Evolution: Consistent with prior synthesis.

Internet Governance Project

Frames Project Glasswing as reshaping 'the institutional economics of bugs' — arguing that autonomous AI exploit discovery alters the cost and incentive structures governing vulnerability research, disclosure, and patching at a systemic level.

Evolution: Consistent with prior synthesis; published April 16, 2026, predating the Mini Shai-Hulud attack.

METR

Published a Frontier Risk Report covering February to March 2026 assessing autonomous AI capabilities and frontier risk trajectories in the period immediately preceding the major May 2026 incidents. The report is confirmed published on Substack and circulating across LinkedIn and Threads, but specific findings have not yet been extracted into this record.

Evolution: Report confirmed published and circulating in prior pass; specific findings remain unextracted.

Palo Alto Networks

Published a 'Defender's Guide to Frontier AI Impact on Cybersecurity,' positioning the major security vendor as providing defensive framing for organizations navigating AI-augmented threat environments.

Evolution: Consistent with prior synthesis.

Lowenstein Sandler LLP

Legal analysis frames frontier AI models as requiring a 'recalibration of risk for a faster threat environment,' positioning AI cybersecurity readiness as a legal and compliance imperative beyond purely technical response.

Evolution: Consistent with prior synthesis.

LiteLLM

Published a security update specifically addressing the Mistral AI PyPI supply chain attack, providing an affected-ecosystem perspective on the downstream impact of the mistralai package compromise.

Evolution: Consistent with prior synthesis.

Cloud Security Alliance (CSA)

Characterized Claude Mythos as crossing an 'autonomous offensive threshold' in a research note; separately cited the AI-generated zero-day in a CISO briefing. CSA Labs also published a formal research note specifically on TeamPCP titled 'CI/CD Security Tool Supply Chain Compromise,' providing institutional technical attribution of the attack methodology.

Evolution: Consistent with prior synthesis.

UK AI Safety Institute (AISI)

Published primary-source blog formalizing data on the doubling of autonomous AI cyber capability, with the specific reported figure being approximately every 4.5 months.

Evolution: Consistent with prior synthesis.

Berkeley RDI / ExploitGym researchers

Published the ExploitGym benchmark on arxiv evaluating whether AI agents can turn known security vulnerabilities into real attacks, providing an independent academic framework for measuring AI-assisted exploit development capability.

Evolution: Consistent with prior synthesis.

US DoD / CSIAC

Published formal technical response report 'Counter-AI Offensive Tools and Techniques,' signaling that AI-native offensive capabilities now warrant organized institutional response at the national defense level.

Evolution: Consistent with prior synthesis.

Samuel Ajiboyede

Raises the regulatory question of whether governments should mandate reciprocal access to offensive AI models or fund sovereign capabilities like AISI, framing this as a policy design choice rather than a settled answer.

Evolution: Consistent with prior synthesis.

Grant Harvey (The Neuron)

Frames AI cybersecurity as a genuine two-sided escalation where autonomous capabilities power both offense and defense; emphasizes AI's advantage in tracing user flows to identify trust-assumption flaws; cautiously optimistic that defensive multi-agent verification can scale.

Evolution: Consistent with prior synthesis.

Jack Clark (Import AI)

Uses fast16.sys as a cautionary historical metaphor to argue the most dangerous AI-enabled cyberweapons will be subtle and degradation-focused; frames proliferation as analogous to how a superintelligence might prevent competitors from developing comparable capabilities.

Evolution: Consistent with prior synthesis.

Zvi Mowshowitz (AI commentary, Substack)

Dedicated a Substack post to Claude Mythos and Project Glasswing cybersecurity findings, signaling active engagement from the AI safety and policy commentary community with the offensive-capability disclosure.

Evolution: Consistent with prior synthesis.

NBC News / mainstream media

Frames the Mythos restricted access as driven by the model's dangerous capabilities ('Why Anthropic won't release its new Mythos AI model to the public'), translating the Glasswing story from technical security reporting into consumer-facing AI safety narrative.

Evolution: Consistent with prior synthesis.

AgentGraph

Argues that the MCP/AI skills ecosystem recreates the npm supply chain vulnerability problem at a faster pace, with unverified community packages receiving implicit trust from AI agents.

Evolution: Consistent with prior synthesis.

RupeeMindset

Argues the structural asymmetry favoring offense is economic, not merely technical: defensive costs scale poorly while offensive AI costs favor attackers, and AI deepens rather than resolves this gap.

Evolution: Consistent with prior synthesis.

Tensions

  • The open-source Mythos replication at ~$1/run using Claude Opus 4.7 [29] directly challenges Anthropic's rationale for not releasing Mythos publicly [25]; Picus Security's 'paradox' framing [27] now gives this tension explicit enterprise-vendor articulation: if the exploit-chaining methodology is replicable cheaply and publicly, gated access to the original model may not meaningfully contain the capability proliferation it was designed to prevent. [29][25][70][24][27]
  • Microsoft's explicit call for government cyber testing of frontier AI models [30] sits in tension with OpenAI's self-regulatory gated access model [31]: one approach relies on state-imposed testing mandates as the oversight mechanism, the other on industry-designed vetting programs — implying fundamentally different theories of accountability for offensive-capable AI. [30][31][131]
  • Microsoft's MDASH results and Grant Harvey's framing suggest defensive AI can scale to meet offensive AI [92][85]; RupeeMindset counters that defensive cost structures are prohibitively higher than offensive ones, and AI deepens rather than resolves that asymmetry [130] — a structural economics argument that MDASH's capability demonstration does not address. [92][85][130]
  • Anthropic's Project Glasswing finding — documented in primary-source reports from both Anthropic's red team and the Cloudflare Blog — that Mythos finds exploit chains earlier frontier models missed [70][24] sharpens the gap with Microsoft MDASH's defensive benchmark: MDASH was optimized for finding individual vulnerabilities [85], not countering chained exploit sequences, leaving open whether defensive AI architecture is keeping pace with the specific chaining capability being demonstrated on offense. [70][24][85][106]
  • OpenAI's Trusted Access for Cyber program gives vetted external researchers access to both the general GPT-5.5 and the specialized GPT-5.5-Cyber [31], while Anthropic has not released Mythos publicly at all [25] — two distinct theories of how AI labs should handle offensive-capable models: controlled external access versus full restriction. No common industry standard has yet resolved this fault line. [31][25]
  • Mistral AI confirms the breach but declines to say what data was taken [8], while TeamPCP publicly threatens to leak the data if no buyer is found [11] — an information asymmetry where the attacker discloses more about breach scope than the victim. Hints of a prior Mistral SDK disclosure [66] add a further dimension: whether Mistral had advance awareness of a vulnerability that TeamPCP subsequently exploited. [55][11][8][9][10][66]
  • OpenAI's disclosure that no customer data or production systems were compromised [7] sits in tension with the practical impact of code-signing certificate revocation: macOS users who do not update by June 12 will find OpenAI apps non-functional — a direct consumer disruption that complicates the 'limited blast radius' framing even absent data exfiltration. [7]
  • Samuel Ajiboyede frames the policy choice as mandating reciprocal access to offensive AI models versus funding sovereign capabilities like AISI [124] — approaches implying fundamentally different theories of defense — while Microsoft's government testing call [30] introduces a third model (state-imposed testing without state-owned capability) that neither Ajiboyede pole fully addresses. [124][106][30]
  • DreamFactory's framing of March 2026 as 'five attacks in twelve days' [2] and StepSecurity's 'five attacks in forty-eight hours' for May [15] together show tempo compression over the same attack surface — but whether this acceleration is driven by AI-enabled tooling or simply by multiple independent actors discovering the same CI/CD trust-assumption template is unresolved, and the answer determines whether the AISI's 4.5-month capability doubling rate [20] is explanatory or coincidental. [2][15][20][1]
  • The dual-use optimism in Harvey's framing [92] and Clark's degradation-focused alarm [125] face a concrete test: Mini Shai-Hulud's CI/CD compromise method and the AI-assisted 2FA zero-day both exploit trust-assumption logic rather than memory errors [17][3], and the now-documented TrapDoor attack [12][13][14] adds a simultaneous cross-registry instance of the same template — suggesting Clark's 'invisible degradation' model may already be operational at infrastructure scale rather than purely at the scientific-data layer. [92][125][17][18][3][12][13][14]

Sources

  1. [1] Supply Chain Attacks Surge in March 2026 | ThreatLabz — reactive:ai-offensive-cyber
  2. [2] Five Supply Chain Attacks in Twelve Days: How March 2026 Broke Open-Source Trust and What Comes Next — reactive:ai-offensive-cyber
  3. [3] The npm supply chain attack that hit TanStack, Mistral AI, and UiPath on May 11 didn't involve stolen credentials.42 Tan... — reactive:ai-offensive-cyber (2026-05-14)
  4. [4] 314 npm packages compromised in the Shai-Hulud supply chain attack. — reactive:ai-offensive-cyber (2026-05-19)
  5. [5] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
  6. [6] @IntCyberDigest The list keeps growing: OpenAI, Mistral, UiPath, Guardrails AI, SAP. All hit through the same npm supply... — reactive:ai-offensive-cyber (2026-05-15)
  7. [7] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  8. [8] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
  9. [9] TeamPCP hackers advertise Mistral AI code repos for sale — reactive:ai-offensive-cyber
  10. [10] TeamPCP Hackers Put Mistral AI Source Code Up for Sale at $25,000 — reactive:ai-offensive-cyber
  11. [11] [2026-05-18] TeamPCP threatens to leak Mistral AI's code if no one ... — reactive:ai-offensive-cyber
  12. [12] TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages... — reactive:ai-offensive-cyber
  13. [13] TrapDoor supply chain attack hit 34+ packages across npm, PyPI, and https://t.co/rIAvxdhxV6, stealing wallets, SSH keys,... — reactive:ai-offensive-cyber (2026-05-24)
  14. [14] A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and Crates.io simultaneously, 34 malicious pack... — reactive:ai-offensive-cyber (2026-05-24)
  15. [15] 5 Supply Chain Attacks in 48 Hours: Why Securing One Layer Is Not ... — reactive:ai-offensive-cyber
  16. [16] NPM Supply Chain Attacks Expose Hidden Risks for AI Agents Like OpenAI Codex — reactive:ai-offensive-cyber
  17. [17] Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog — reactive:ai-offensive-cyber
  18. [18] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
  19. [19] Google reports first known AI-assisted zero-day exploit in the wild — reactive:ai-offensive-cyber (2026-05-12)
  20. [20] Cyber Ceiling Broken: AISI's Actual Measurement Reveals Mythos' Capabilities Surging Towards ASI with 4.5-Month Doubling Rate — reactive:ai-offensive-cyber
  21. [21] Beyond Moore's Law: The Hyper-Acceleration of Autonomous AI ... — reactive:ai-offensive-cyber
  22. [22] Anthropic's 'Project Glasswing' Exposes the Next Challenge for ... — reactive:ai-offensive-cyber
  23. [23] AI, Project Glasswing, and the Changing Institutional Economics of Bugs - Internet Governance Project — reactive:ai-offensive-cyber
  24. [24] Project Glasswing: what Mythos showed us - The Cloudflare Blog — reactive:ai-offensive-cyber
  25. [25] Why Anthropic won't release its new Mythos AI model to the public — reactive:ai-offensive-cyber
  26. [26] Project Glasswing, Mythos Findings, and Getting Ready for Your ... — reactive:openai-advanced-account-security
  27. [27] What Is Project Glasswing? Anthropic's AI Misuse Research Initiative ... — reactive:claude-mythos-capability-regulation
  28. [28] [PDF] Claude Mythos and Project Glasswing | LTM — reactive:ai-offensive-cyber
  29. [29] GitHub - Keyvanhardani/mythos-research: Outside-in replication of Anthropic's Mythos Preview / Project Glasswing — open-source agentic vulnerability-discovery scaffold on Claude Opus 4.7. Eight-phase sink-guided pipeline, ~$1/run, OSS self-scan and coordinated disclosure. · GitHub — reactive:ai-offensive-cyber
  30. [30] AI Frontier Models Should Be... | VitalLaw.com — reactive:ai-offensive-cyber
  31. [31] Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI Blog (2026-05-07)
  32. [32] [SECURITY] Supply chain compromise in mistralai 2.4.6 ... - GitHub — reactive:ai-offensive-cyber
  33. [33] OpenAI prepares GPT-5.5-Cyber for trusted security researchers - Techzine Global — reactive:frontier-ai-cyber-capabilities
  34. [34] OpenAI opens GPT-5.5-Cyber to vetted security researchers — reactive:ai-offensive-cyber
  35. [35] OpenAI Launches GPT-5.4-Cyber To Expand The Trusted Access ... — reactive:ai-offensive-cyber
  36. [36] Access to GPT-5.4-Cyber is granted exclusively to vetted ... - Instagram — reactive:ai-offensive-cyber
  37. [37] GPT-5.5-Cyber AI for Cybersecurity Red Team Use - LinkedIn — reactive:ai-offensive-cyber
  38. [38] OpenAI GPT-5.5-Cyber Ignites Security Race — reactive:ai-offensive-cyber
  39. [39] 🚨 OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack — reactive:ai-security-nexus (2026-05-16)
  40. [40] OpenAI confirms breach in TanStack supply chain cyberattack. — reactive:ai-security-nexus (2026-05-15)
  41. [41] 🚨 OpenAI just confirmed a real supply-chain attack. — reactive:ai-offensive-cyber (2026-05-15)
  42. [42] OpenAI recommends updating desktop agents, after the supply chain attack compromising nearly 170 npm packages; by TeamPC... — reactive:ai-offensive-cyber (2026-05-15)
  43. [43] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
  44. [44] AI ZERO-DAY IN THE WILD COURTESY OF GOOGLE THREAT INTEL — reactive:ai-offensive-cyber (2026-05-14)
  45. [45] A criminal group has used AI to discover and weaponize a 0-day vulnerability, marking a major escalation in offensive cy... — reactive:ai-offensive-cyber (2026-05-21)
  46. [46] Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek — reactive:ai-offensive-cyber
  47. [47] Google spotted an AI-developed zero-day before attackers could use it | CyberScoop — reactive:ai-offensive-cyber
  48. [48] Google Researchers Detect First AI-Built Zero-Day Exploit in Cyberattack - Bloomberg — reactive:ai-offensive-cyber
  49. [49] First 2026 AI zero-day REVEALED Google just disrupted ... — reactive:ai-offensive-cyber
  50. [50] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  51. [51] Mistral AI and TanStack npm packages were compromised in a supply chain attack named 'Mini Shai-Hulud.' GitHub creds, CI... — reactive:ai-offensive-cyber (2026-05-17)
  52. [52] TeamPCP claims it breached @MistralAI and stole 5GB of data across 450 repositories, while Mistral confirms impact from ... — reactive:ai-offensive-cyber (2026-05-14)
  53. [53] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack — reactive:ai-offensive-cyber
  54. [54] TeamPCP Monetizes Shai-Hulud Fallout: Mistral AI Source Code — reactive:ai-offensive-cyber
  55. [55] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved — reactive:ai-offensive-cyber
  56. [56] TeamPCP hackers advertise Mistral AI code repos for sale | Simon J ... — reactive:ai-offensive-cyber
  57. [57] ‼️ Mistral AI allegedly breached: ~5GB of internal source code ... — reactive:ai-offensive-cyber
  58. [58] Alleged Mistral AI Breach Exposes Internal Repositories and Source ... — reactive:ai-offensive-cyber
  59. [59] TeamPCP is advertising alleged access to Mistral AI repositories ... — reactive:ai-offensive-cyber
  60. [60] Hackers Steal 450 Repos from Mistral AI for $25,000 - LinkedIn — reactive:ai-offensive-cyber
  61. [61] TeamPCP hackers advertise Mistral AI code repos for sale - Reddit — reactive:ai-offensive-cyber
  62. [62] TeamPCP: CI/CD Security Tool Supply Chain Compromise — reactive:ai-offensive-cyber
  63. [63] Mistral AI breached in TanStack-linked attack? 450 repos exposed — reactive:ai-offensive-cyber
  64. [64] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  65. [65] Security advisories | Mistral Docs — reactive:ai-offensive-cyber
  66. [66] The alleged breach comes just days after Mistral disclosed that ... — reactive:ai-offensive-cyber
  67. [67] Mistral AI Breach: A $25,000 Ransom That Exposes Billion-Dollar ... — reactive:ai-offensive-cyber
  68. [68] Mistral AI SDK, TanStack Router hit in npm software supply chain attack | CSO Online — reactive:ai-offensive-cyber
  69. [69] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
  70. [70] Assessing Claude Mythos Preview's cybersecurity capabilities — reactive:frontier-ai-cyber-capabilities
  71. [71] Anthropic Glasswing & Claude Mythos Explained for GovCon — reactive:ai-offensive-cyber
  72. [72] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
  73. [73] Claude Mythos Cracks All Security, Project Glasswing, and the New ... — reactive:ai-offensive-cyber
  74. [74] On Anthropic's Mythos Preview and Project Glasswing — reactive:claude-mythos-capability-regulation
  75. [75] Cloudflare just published what they found after running Anthropic's ... — reactive:ai-offensive-cyber
  76. [76] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
  77. [77] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
  78. [78] Cloudflare Tests AI's Ability to Find and Exploit Vulnerabilities — reactive:ai-offensive-cyber
  79. [79] Cloudflare's approach to building safe AI agents with narrow scope ... — reactive:ai-offensive-cyber
  80. [80] 🤖Anthropic’s Mythos AI can now chain bugs into working exploits, according to Cloudflare. — reactive:ai-offensive-cyber (2026-05-19)
  81. [81] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
  82. [82] Cloudflare Tests Mythos AI on 50 Repositories, Finds Vulnerabilities — reactive:ai-offensive-cyber
  83. [83] (PDF) An Outside-In Replication of Project Glasswing Mythos ... — reactive:ai-offensive-cyber
  84. [84] Supply-Chain Attacks in an Era of Automation and Implicit Trust — reactive:ai-offensive-cyber
  85. [85] Defense at AI speed: Microsoft's new multi-model agentic security ... — reactive:ai-offensive-cyber
  86. [86] Microsoft's MDASH AI Security System Finds 16 Windows Vulnerabilities — reactive:ai-offensive-cyber
  87. [87] Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — reactive:ai-offensive-cyber
  88. [88] MDASH Vulnerability Discovery - AI Security System | Saudi Shopper — reactive:ai-offensive-cyber
  89. [89] Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News — EdTech Innovation Hub — reactive:ai-offensive-cyber
  90. [90] 16 New Windows Vulnerabilities Discovered By Microsoft's AI ... — reactive:ai-offensive-cyber
  91. [91] Microsoft unveils MDASH, its AI agent-driven security platform — and it's already spotted a host of new Windows flaws | TechRadar — reactive:ai-offensive-cyber
  92. [92] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
  93. [93] Microsoft: AI-Powered Security System MDASH Tops Industry Benchmark — reactive:ai-offensive-cyber
  94. [94] Every AI Frontier Model is Now a Cyber Threat. So What Can You Do About It? — reactive:ai-offensive-cyber
  95. [95] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
  96. [96] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
  97. [97] Sung Kim (@sung.kim.mw) on Threads — reactive:ai-offensive-cyber
  98. [98] Frontier Risk Report (February to March 2026) | Stephen Pimentel — reactive:ai-offensive-cyber
  99. [99] Defender's Guide to the Frontier AI Impact on Cybersecurity — reactive:ai-offensive-cyber
  100. [100] Frontier AI Models and Cybersecurity Readiness: Recalibrating Risk for a Faster Threat Environment | Lowenstein Sandler LLP — reactive:ai-offensive-cyber
  101. [101] Security Update: Mistral AI PyPI Supply Chain Attack - LiteLLM — reactive:ai-offensive-cyber
  102. [102] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
  103. [103] Using AI for Offensive Security | CSA — reactive:ai-offensive-cyber
  104. [104] CISO Daily Briefing – May 16, 2026 – Lab Space — reactive:ai-offensive-cyber
  105. [105] Recent evaluations from the UK AI Security Institute (AISI) highlight the accelerating pace of autonomous AI cyber capab... — reactive:ai-offensive-cyber (2026-05-14)
  106. [106] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  107. [107] AI cyber capability is speeding past earlier projections - Help Net Security — reactive:ai-offensive-cyber
  108. [108] Cyber & Autonomous Systems | AISI Work Category — reactive:ai-offensive-cyber
  109. [109] "How fast is autonomous AI cyber capability advancing?", AISI Work ... — reactive:ai-offensive-cyber
  110. [110] Autonomous AI Cyber Capability Doubles Every Few Months — reactive:ai-offensive-cyber
  111. [111] [2605.11086] ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
  112. [112] Center for Responsible, Decentralized Intelligence at Berkeley — reactive:ai-offensive-cyber
  113. [113] AI-Powered Paper Summarization about the arXiv paper 2605.11086v1 — reactive:ai-offensive-cyber
  114. [114] Can AI Agents Turn Security Vulnerabilities into Real Attacks? — reactive:ai-offensive-cyber
  115. [115] Can AI agents turn security vulnerabilities into real attacks? This is ... — reactive:ai-offensive-cyber
  116. [116] CyberGym: A Real-World Benchmark for Testing AI Agents ... - Reddit — reactive:ai-offensive-cyber
  117. [117] Read CSIAC's technical response report, "Counter-AI Offensive Tools and Techniques." — reactive:ai-offensive-cyber (2026-05-20)
  118. [118] Read CSIAC's technical response report, "Counter-AI Offensive ... — reactive:ai-offensive-cyber
  119. [119] DoD Modernization Exchange 2026: Ping Identity’s Kelvin Brewer on applying least privilege access to AI tools — reactive:ai-offensive-cyber
  120. [120] Counter-AI Offensive Tools and Techniques - CSIAC - dtic.mil — reactive:ai-offensive-cyber
  121. [121] [PDF] Counter-AI Offensive Tools and Techniques - CSIAC — reactive:ai-offensive-cyber
  122. [122] Do you work in software or data analysis? CSIAC ... — reactive:ai-offensive-cyber
  123. [123] Cyber Security & Information Systems Information Analysis Center — reactive:ai-offensive-cyber
  124. [124] Should regulators mandate reciprocal access to offensive models or fund sovereign capabilities like UK's AISI? — reactive:ai-offensive-cyber (2026-05-20)
  125. [125] Import AI 457: AI stuxnet; cursed Muon optimizer; and positive alignment — Import AI (2026-05-18)
  126. [126] Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover | Tom's Hardware — reactive:ai-offensive-cyber
  127. [127] Ethical Hacking — reactive:ai-offensive-cyber
  128. [128] Claude Mythos #2: Cybersecurity and Project Glasswing — reactive:ai-offensive-cyber
  129. [129] The supply chain attack surface for AI skills/MCPs is the same problem npm had in 2018, just moving faster. Unverified c... — reactive:ai-offensive-cyber (2026-05-19)
  130. [130] @TheEconomist The real vulnerability isn't just "trusted firms" leaking tools—it's the asymmetric economics. Defensive c... — reactive:ai-offensive-cyber (2026-05-15)
  131. [131] [PDF] Letter to White House: Guidance on Oversight of AI Models — reactive:ai-security-nexus
  132. [132] Google thwarts effort hacker group use AI 'mass exploitation event' — reactive:ai-offensive-cyber
  133. [133] Mass Supply Chain Attack Hits TanStack, Mistral AI NPM and PyPI Packages — reactive:ai-offensive-cyber (2026-05-13)
  134. [134] 🚨 node-ipc compromised (3M+ downloads) — reactive:ai-offensive-cyber (2026-05-14)
  135. [135] NEWS | A new NPM supply chain attack is now targeting the AI ecosystem, hitting packages tied to Mistral AI, OpenSearch,... — reactive:ai-offensive-cyber (2026-05-14)
  136. [136] Mass supply-chain attack slams npm and PyPi, with downstream impact affecting Mistral AI and others, as latest Mini Shai... — reactive:ai-offensive-cyber (2026-05-14)
  137. [137] A supply chain worm just hit over 169 npm packages and multiple PyPI packages. The affected ecosystems include TanStack,... — reactive:ai-offensive-cyber (2026-05-15)
  138. [138] U.S., China announce deals after Trump-Xi summit - CNBC — reactive:ai-offensive-cyber
  139. [139] Trump-Xi 2026 Summit - CSIS — reactive:ai-offensive-cyber
  140. [140] Summit stabilizes U.S.-China relations at critical moment for two great powers — reactive:ai-offensive-cyber
  141. [141] Wow. Someone pulled off the first known supply chain attack designed to steal credentials from an AI coding assistant. A... — reactive:ai-offensive-cyber (2026-05-21)
  142. [142] This exact supply chain attack proves the point I made yesterday. AI tools and extensions make it stupidly easy to pull ... — reactive:ai-offensive-cyber (2026-05-21)
  143. [143] First 2026 AI zero-day REVEALED — reactive:ai-offensive-cyber (2026-05-23)
  144. [144] AI Finding Zero-Day Vulnerabilities and Chaining Exploits - YouTube — reactive:ai-offensive-cyber