AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment
Synthesis history
24 versions, newest first.
- Version 24 2026-07-02 18:27 UTC · 651 items
Brave documented indirect prompt injection in Perplexity Comet [^37605], giving the AI browser attack class — previously a research demonstration against unnamed systems — a specific named commercial product. Industry s…
- Version 23 2026-07-01 08:17 UTC · 644 items
The substantively new item this pass is the June 30 Ars Technica report on a 'false reality' attack class against AI browsers [^37039], which extends the structural guardrail critique to a new product category: research…
- Version 22 2026-06-27 08:20 UTC · 639 items
The Five Eyes advisory received broad mainstream amplification (CBS News, CNN, Democracy Now, Australian TV) but new coverage items carry no claims or quotes beyond what was already established at launch. The substantiv…
- Version 21 2026-06-26 02:25 UTC · 634 items
New items are primarily additional media coverage of the Five Eyes warning and OpenAI Daybreak, with no substantive new claims beyond those captured at launch. The main addition is the official NSA press release (33818)…
- Version 20 2026-06-24 18:21 UTC · 623 items
The Five Eyes alliance issued a public warning on June 23 that AI models capable of severe attacks could arrive within months [^33122] — the first official intelligence-community statement in this thread, added as a new…
- Version 19 2026-06-23 08:15 UTC · 615 items
OpenAI's Daybreak launch on June 22 is the major new development: GPT-5.5-Cyber achieves 85.6% on CyberGym — the highest single-model score measured and above Mythos 5 — with Trusted Access for Cyber agreements across s…
- Version 18 2026-06-18 08:13 UTC · 610 items
Item 30137 adds a maximum-critical Copilot vulnerability disclosed June 16 allowing 2FA code theft via prompt injection, with Ars Technica framing prompt injection as structurally unfixable — the most substantive new de…
- Version 17 2026-06-15 02:36 UTC · 604 items
All nine new items (28681–28689) are secondary coverage of the Google Outsider Enterprise lawsuit already documented as item 28098 in the prior synthesis — no new claims, facts, or perspectives emerged. The Gemini phish…
- Version 16 2026-06-13 19:03 UTC · 595 items
The Outsider Enterprise lawsuit [^28098] adds a concrete operational case of Gemini being weaponized for phishing-as-a-service at scale — 300 templates, 2.5M texts, 9,000 fake sites — directly illustrating the attacker …
- Version 15 2026-06-11 18:16 UTC · 590 items
The Cloud Security Alliance's gap analysis [^28004] partially answers the previously open question about MITRE ATLAS agentic coverage — it confirms ATLAS also lacks coverage for autonomous agentic orchestration, not jus…
- Version 14 2026-06-10 08:12 UTC · 585 items
This pass adds documentation confirming three distinct SafeBreach Gemini bypasses — voice/audio injection [^27221] alongside the previously noted calendar-invite [^27222] and WhatsApp [^24407] techniques — updating the …
- Version 13 2026-06-09 02:26 UTC · 568 items
Five significant additions this pass: Anthropic's FRT empirical report on 832 banned attackers documenting a 1.7-fold increase in medium-to-high risk actors and identifying a MITRE ATT&CK gap for agentic orchestration […
- Version 12 2026-06-03 02:31 UTC · 563 items
Three significant new incidents this pass: the Meta AI support chatbot exploited for Instagram account takeovers via direct request with no technical skill required [^23237][^23242]; a developer deliberately embedding a…
- Version 11 2026-05-28 02:17 UTC · 558 items
The axios npm compromise has moved from 'potential expansion' to confirmed, with a CISA advisory and multiple vendor analyses [^3823][^5903][^15192][^21680], though a new ambiguity has emerged: the CISA advisory is date…
- Version 10 2026-05-26 18:23 UTC · 248 items
The most substantive new development is Simon Willison's May 26 documentation of a concrete data exfiltration vulnerability in shipping Microsoft Copilot Cowork via prompt injection [^21198] — the most direct evidence t…
- Version 9 2026-05-25 08:42 UTC · 234 items
The most significant new development is Huntress's documentation of an axios npm compromise [^5451] — axios is among the most downloaded JavaScript libraries in history, and if confirmed as part of Mini Shai-Hulud, it w…
- Version 8 2026-05-25 03:19 UTC · 229 items
The most significant new development is Socket.dev's identification of a phishing attack against npm author 'Qix' as the campaign's initial access vector [^18868] — the first concrete attribution of how Mini Shai-Hulud …
- Version 7 2026-05-24 20:21 UTC · 211 items
The dominant new development is CSO Online's report that Lapsus$ has joined the extortion wave targeting the campaign's supply chain victims [^17393], introducing a second named threat actor and raising unresolved quest…
- Version 6 2026-05-24 09:28 UTC · 202 items
The dominant new developments are: CERT-EU's official confirmation that the European Commission breach exposed data across 30 EU institutions [^15923][^15924], resolving the prior pass's open question about EU confirmat…
- Version 5 2026-05-24 03:40 UTC · 171 items
The dominant new developments in this pass are: Nx Console version 18.95.0 specifically identified as the GitHub breach vector (previously described only as 'poisoned VS Code extensions') [^13298][^13300][^13301]; CISA'…
- Version 4 2026-05-23 04:02 UTC · 74 items
The dominant change in this pass is the confirmation of the GitHub breach: what was an unverified social-media claim in the prior synthesis is now confirmed by GitHub, The Record, Dark Reading, InfoWorld, and others — w…
- Version 3 2026-05-22 19:50 UTC · 51 items
The most significant additions are three named AI infrastructure victims beyond OpenAI and Mistral AI — LiteLLM, Telnyx, and Guardrails AI [^9230][^9232][^9235] — and the formal assignment of CVE-2026-33634 at CVSS 9.4,…
- Version 2 2026-05-21 09:23 UTC · 30 items
The most significant new development is the identification of the threat actor as TeamPCP and the expanded scope of the Mini Shai-Hulud campaign: 160+ npm and PyPI packages were compromised (not just TanStack), and Mist…
- Version 1 2026-05-17 20:04 UTC · 3 items
Three interlocking developments in May 2026 are forcing a reckoning with AI as both an offensive weapon and a vulnerable target. • Claude Mythos Preview became the first AI model to autonomously clear both UK AISI end-t…