The Information Machine

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment

Version 11

2026-05-28 02:17 UTC · 558 items

What

The Mini Shai-Hulud supply chain campaign has reached its most consequential confirmed scope: CISA issued a formal advisory on the axios npm compromise [1] — a transitive dependency for hundreds of millions of projects — while SANS ISC's fifth TeamPCP update documents first confirmed victim disclosures and narrows axios attribution [5]. A separate TrapDoor campaign simultaneously hit 34+ packages across npm, PyPI, and crates.io [11]. A critical, trivially exploitable vulnerability in Starlette — the ASGI framework underpinning MCP servers (325 million weekly downloads) — now imperils the AI agent infrastructure layer directly [13]. Microsoft has patched four Copilot CVEs [14][15] following Simon Willison's prompt injection disclosure [16], and Google's Threat Intelligence Group has confirmed the first criminal AI-generated zero-day, targeting a 2FA trust assumption [18][19].

Why it matters

Three attack surfaces — software supply chains, MCP server infrastructure, and AI product internals — are now under simultaneous, confirmed active exploitation. No isolated defensive perimeter exists: the developer tooling, AI frameworks, and AI-powered products that accelerate development have become co-equal attack vectors. Meanwhile, AI is generating offensive capability at an institutionally documented doubling rate while also overwhelming the human infrastructure defending open-source software.

Open questions

  • The CISA axios advisory is dated April 2026 [1] — predating TeamPCP's May 11 launch — yet SANS ISC Update 005 tracks 'axios attribution narrowing' within the TeamPCP campaign [5]: are these the same axios compromise, and is TeamPCP responsible for the earlier April attack?

  • Do Microsoft's four Copilot CVE patches (CVE-2026-26129, CVE-2026-26164, CVE-2026-33111, CVE-2026-26137) [14][15] fully close the structural OneDrive pre-authenticated link exfiltration path documented by Simon Willison [16], or do architectural prompt injection risks remain?

  • Has the critical Starlette/ASGI vulnerability [13] been exploited in the wild against production MCP server deployments, and which threat actor is responsible?

  • Does CAISI's voluntary framework evaluate models that labs withhold from deployment — leaving frontier capabilities like Claude Mythos outside public oversight [31][32] — and does AISI's 4.7-month autonomous capability doubling rate [25] alter the framework's risk thresholds?

Narrative

The Mini Shai-Hulud supply chain campaign, launched by TeamPCP on May 11, 2026, has reached its most consequential confirmed scope. CISA issued a formal advisory on the axios npm supply chain compromise [1] — axios is a transitive dependency across hundreds of millions of JavaScript projects — and multiple security vendors including Orca Security, Huntress, Tenable, and Microsoft have published axios-specific analyses confirming the compromise [2][3][4]. SANS ISC's fifth TeamPCP campaign update reports first confirmed victim disclosures and an axios attribution that is actively narrowing [5], though the CISA advisory's April 2026 date predates TeamPCP's May 11 launch, creating unresolved ambiguity about whether these represent a single incident or two related ones. The broader campaign scope includes the theft from GitHub of 3,800–4,000 internal repositories via a poisoned Nx Console VS Code extension [6][7], CERT-EU's confirmation of a European Commission breach across 30 EU institutions via the Trivy container scanner [8], Mandiant's estimate of 1,000+ compromised SaaS environments [9], and Mistral AI's acknowledgment of 450 repositories being advertised for sale at $25,000 [10]. A separate coordinated campaign, TrapDoor, simultaneously attacked 34+ packages across npm, PyPI, and crates.io to steal wallets and SSH keys [11][12] — signaling that multiple independent actors are now running parallel supply chain operations.

Two AI-specific attack surfaces have crystallized beyond the supply chain layer. A critical, trivially exploitable vulnerability in Starlette — the ASGI framework underlying FastAPI and the MCP servers that connect AI agents to databases, email, and calendar accounts — affects an estimated 325 million weekly downloads [13]. Successful exploitation yields access to all credentials stored by MCP servers, making this a structural vulnerability in the agentic AI stack rather than an isolated application flaw. Microsoft issued patches for at least four Copilot CVEs — CVE-2026-26129, CVE-2026-26164, CVE-2026-33111 (information disclosure), and CVE-2026-26137 (SSRF) [14][15] — following Simon Willison's documentation of data exfiltration in shipping Copilot Cowork via prompt injection [16]. Willison separately reported a systemic side effect of widespread AI security tooling: the curl project is receiving AI-assisted security reports at 4–5 times the 2024 rate, with each requiring high-priority treatment, creating unsustainable maintainer burnout despite no increase in actual finding severity [17].

AI systems are now functioning as attack tools at a newly confirmed level. Google's Threat Intelligence Group intercepted the first confirmed criminal AI-generated zero-day, targeting a hardcoded trust assumption in two-factor authentication logic — a class of path-tracing flaw that AI identifies by modeling user flows through systems rather than scanning for memory corruption [18][19][20]. Claude Mythos Preview, confirmed by AISI as the first AI system to autonomously complete both UK offensive cyber ranges [21][22], has been independently validated by Cloudflare across 50+ repositories; Cloudflare found it capable of chaining bugs into working exploits that earlier frontier models missed [23][24]. AISI has quantified this trajectory as autonomous AI cyber capability doubling approximately every 4.7 months [25]. On the defensive side, Microsoft's MDASH multi-agent security system independently discovered 16 Windows vulnerabilities, including four critical remote-code execution flaws patched in a subsequent Patch Tuesday [26][27], demonstrating that the same capability is available to defenders.

The governance and capability disclosure dimensions have expanded in parallel. Anthropic's Project Glasswing pairs Mythos's offensive capabilities with a structured disclosure and coordinated remediation program [28], while OpenAI has expanded its Trusted Access for Cyber program to include GPT-5.5 and a specialized GPT-5.5-Cyber variant restricted to vetted security defenders [29]. METR's Frontier Risk Report for February–March 2026 provides independent quantification of frontier model risk trajectories [30]. The debate over NIST's CAISI voluntary framework — whether it evaluates frontier capability or only publicly released models — persists, with AuthMind arguing that Anthropic's decision to withhold Mythos means the most capable AI cyber systems operate outside any public audit [31][32], and AISI's 4.7-month doubling rate making that oversight gap progressively more significant. A Jane Street challenge on the Alignment Forum demonstrated that SVD analysis of model weight differences can crack hidden LLM backdoors [33], adding a weight-level methodology to the emerging field of AI supply chain integrity verification.

Timeline

  • 2026-04-20: CISA issues formal advisory on the axios npm supply chain compromise, predating TeamPCP's May 11 launch [1]
  • 2026-05-05: NIST's CAISI formalized as US pre-deployment AI compliance gate through expanded safety-testing agreements with Google, Microsoft, and xAI [32]
  • 2026-05-07: OpenAI expands Trusted Access for Cyber program to include GPT-5.5 and GPT-5.5-Cyber for vetted security defenders [29]
  • 2026-05-11: TeamPCP launches Mini Shai-Hulud; 160+ npm and PyPI packages compromised; two OpenAI employee devices breached with code-signing certificates exfiltrated [38][60][61]
  • 2026-05-11: Google GTIG intercepts the first confirmed criminal AI-generated zero-day exploit, targeting a 2FA hardcoded trust assumption before mass deployment [18][19][40]
  • 2026-05-12: Microsoft announces MDASH multi-agent security system, which discovered 16 Windows vulnerabilities including 4 critical RCE flaws [27][26]
  • 2026-05-13: AISI evaluates Claude Mythos Preview as first AI to autonomously complete both UK offensive cyber ranges; OpenAI mandates certificate rotation by June 12 [38][22][21]
  • 2026-05-18: TeamPCP advertises Mistral AI source code (450 repos) for sale at $25,000; Mistral confirms impact [62][10][63]
  • 2026-05-19: CVE-2026-33634 assigned (CVSS 9.4); Cloudflare publishes Project Glasswing findings confirming Mythos chains bugs into working exploits across 50+ repositories [64][23][24]
  • 2026-05-20: GitHub confirms theft of approximately 3,800–4,000 internal repos via poisoned Nx Console VS Code extension; Forbes reports $50,000 ransom demand [6][7][36]
  • 2026-05-22: CISA adds CVE-2026-33634 to Known Exploited Vulnerabilities catalog; Broadcom confirms downstream exposure in Tanzu Application Platform and Spring Enterprise [65][66]
  • 2026-05-23: AntV ecosystem attack confirmed with 600+ packages faking Sigstore badges; CSA names campaign 'Shai-Hulud/Megalodon'; Jane Street LLM backdoor challenge demonstrates SVD weight analysis as a viable backdoor-cracking method [53][54][33]
  • 2026-05-24: CERT-EU confirms European Commission breach across 30 EU institutions via Trivy; Mandiant quantifies 1,000+ SaaS compromises; TrapDoor supply chain attack hits 34+ packages across npm, PyPI, and crates.io [8][9][11][12]
  • 2026-05-25: Socket.dev identifies phishing of npm author 'Qix' as initial access vector; TanStack publishes postmortem; SANS ISC Update 005 reports first confirmed victim disclosures and narrows axios attribution [49][67][5]
  • 2026-05-26: Starlette/ASGI critical vulnerability disclosed (325M weekly downloads, MCP servers affected); Microsoft patches four Copilot CVEs; Simon Willison documents Copilot Cowork exfiltration and AI report flood at curl (4–5x 2024 volume) [13][14][15][16][17]

Perspectives

GitHub

Confirmed theft of 3,800–4,000 internal repositories via poisoned VS Code extension while maintaining that customer data was unaffected and impact was limited to internal code

Evolution: WIRED's characterization of GitHub as 'just the latest victim' of a serial TeamPCP campaign directly contests GitHub's incident-specific containment framing; no revision from GitHub

OpenAI

Framed Mini Shai-Hulud as industry-wide with limited blast radius; has since positioned GPT-5.5-Cyber as a controlled defensive resource for vetted security professionals, reframing AI's dual-use cyber potential

Evolution: The Trusted Access for Cyber expansion signals OpenAI moving from incident response to proactive AI-for-defense positioning, even as CERT-EU and Mandiant scale figures challenge the 'limited blast radius' characterization

Google GTIG

Confirmed and intercepted the first criminal AI-generated zero-day targeting 2FA trust assumptions before mass deployment, framing AI as enabling a qualitatively new class of logic-flaw discovery

Evolution: New voice this pass; the confirmed first AI zero-day in the wild marks a capability threshold distinct from supply chain compromise, establishing Google as the authoritative reporter of this escalation

Cloudflare

Validated Claude Mythos Preview against 50+ production-like repositories, confirming it chains bugs into working exploits that earlier frontier models missed; frames Project Glasswing's structured disclosure model as the appropriate response

Evolution: New voice this pass; Cloudflare's independent validation elevates Mythos's capabilities from AISI-evaluated to industry-confirmed, providing the most concrete public description of what Mythos does in practice

Simon Willison

Documents concrete exfiltration vulnerabilities in shipping Copilot Cowork (OneDrive link leakage via prompt injection) and AI-generated security reports flooding curl maintainers at 4–5x 2024 volume — framing AI as creating attack surfaces and degrading open-source defense infrastructure simultaneously

Evolution: Expanded this pass to include the curl maintainer burnout report, showing AI is not just creating new attack surfaces but also undermining the human infrastructure that defends open-source software

AISI (UK AI Safety Institute)

Claude Mythos is the first AI system to autonomously complete both UK offensive cyber ranges; autonomous AI cyber capability is now doubling approximately every 4.7 months, warranting urgent institutional governance attention

Evolution: The 4.7-month doubling rate measurement is new this pass, adding quantitative precision to AISI's earlier qualitative 'genuine threshold' characterization

AuthMind + Turing Institute CETAS

Anthropic's decision to withhold Mythos from deployment signals that voluntary frameworks like CAISI may evaluate a curated subset of AI capability rather than frontier systems, leaving the most dangerous models outside public audit

Evolution: The Cloudflare Mythos validation and AISI's 4.7-month doubling rate reinforce the governance gap argument — the capabilities being confirmed by independent parties are precisely those CAISI cannot evaluate if Mythos remains withheld

Security research community (Socket.dev, Huntress, SANS ISC)

Provide the most technically granular public record: Socket.dev's Qix phishing attribution as initial access and TrapDoor analysis documenting a second distinct actor; Huntress's axios compromise documentation; SANS ISC's first victim confirmations

Evolution: TrapDoor analysis has expanded this community's scope from single-campaign tracking to multi-actor supply chain monitoring, and SANS ISC Update 005's first victim disclosures add concrete damage evidence

Tensions

  • GitHub's 'customer data unaffected, limited impact' framing sits in direct tension with WIRED's characterization of GitHub as 'just the latest victim' of a serial TeamPCP campaign, implying systematic targeting rather than opportunistic compromise [6][35][37][7]
  • The axios npm compromise has a CISA advisory dated April 2026 — predating TeamPCP's May 11 launch — yet SANS ISC's fifth TeamPCP campaign update tracks 'axios attribution narrowing' within the TeamPCP campaign, creating unresolved ambiguity about whether these are the same incident or two related ones [1][5][52][3]
  • The AntV attack's fake Sigstore security verification badges mean npm provenance attestation — a primary trust signal in standard supply chain guidance — cannot detect this campaign, creating a gap between remediation advice being given and attacker evasion capabilities demonstrated; neither Sigstore nor the npm registry has issued a public response [53][54][55]
  • AISI's 'genuine capability threshold' characterization of Mythos is contested by independent commentators questioning evaluation methodology, while Cloudflare's independent validation of exploit-chaining across 50+ repositories strengthens AISI's position [21][22][23][24][56][57]
  • CAISI's voluntary pre-deployment framework, defended by the Foundation for American Innovation as a pragmatic first step, is challenged by AuthMind's argument that withheld models like Mythos escape public oversight — a gap made more urgent by AISI's 4.7-month autonomous capability doubling rate [32][48][31][25]
  • Mend.io's specific 'via Claude Code' attribution of the SAP attack to Anthropic's tool versus RedRays' generic 'AI coding agents' framing remains unresolved without an Anthropic response; the Starlette MCP vulnerability and Copilot CVEs demonstrate that agentic AI attack surfaces are structural across vendors, complicating single-vendor attribution [58][59][13][14]

Sources

  [1] Supply Chain Compromise Impacts Axios Node Package Manager | CISA — reactive:openai-advanced-account-security
  [2] Axios Supply Chain Attack: Analysis & Fix | Orca Security — reactive:openai-advanced-account-security
  [3] Supply Chain Compromise of axios npm Package - Huntress — reactive:ai-offensive-cyber
  [4] Supply chain attack on Axios npm package - Tenable — reactive:ai-offensive-cyber
  [5] TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows — reactive:ai-security-nexus
  [6] Nx Console 18.95.0 Incident: How TeamPCP Breached GitHub — reactive:ai-security-nexus
  [7] GitHub just confirmed that attackers stole about 3,800 internal repositories after a poisoned VS Code extension compromi… — Rohan Paul Twitter (2026-05-20)
  [8] European Commission cloud breach: a supply-chain compromise — reactive:ai-security-nexus
  [9] TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments — reactive:ai-security-nexus
  [10] Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar — reactive:ai-offensive-cyber
  [11] TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages... — reactive:ai-offensive-cyber
  [12] A coordinated supply chain attack called "TrapDoor" just hit npm, PyPI, and crates.io simultaneously, 34 malicious pack... — reactive:ai-offensive-cyber (2026-05-24)
  [13] Millions of AI agents imperiled by critical vulnerability in open source package — Ars Technica AI (2026-05-26)
  [14] Microsoft 365 Copilot Information Disclosure CVEs (CVE-2026-26129, CVE-2026-26164, CVE-2026-33111) | PointGuard AI — reactive:ai-security-nexus
  [15] CVE-2026-26137: Microsoft 365 Copilot SSRF Vulnerability — reactive:ai-security-nexus
  [16] Microsoft Copilot Cowork Exfiltrates Files — Simon Willison (2026-05-26)
  [17] The pressure — Simon Willison (2026-05-26)
  [18] Google Researchers Detect First AI-Built Zero-Day Exploit in Cyberattack - Bloomberg — reactive:ai-offensive-cyber
  [19] Google Detects First AI-Generated Zero-Day Exploit - SecurityWeek — reactive:ai-offensive-cyber
  [20] 😿 AI hackers found a new lane — The Neuron (2026-05-17)
  [21] Our evaluation of Claude Mythos Preview's cyber capabilities — reactive:frontier-ai-cyber-capabilities
  [22] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  [23] Project Glasswing: what Mythos showed us - The Cloudflare Blog — reactive:ai-offensive-cyber
  [24] Cloudflare says Anthropic's Mythos Preview finds exploit chains that earlier frontier models missed — reactive:ai-offensive-cyber
  [25] AISI: autonomous AI cyber capability now doubling every 4.7 months — reactive:ai-offensive-cyber
  [26] Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday — reactive:ai-offensive-cyber
  [27] Defense at AI speed: Microsoft's new multi-model agentic security ... — reactive:ai-offensive-cyber
  [28] Project Glasswing: Securing critical software for the AI era - Anthropic — reactive:frontier-ai-cyber-capabilities
  [29] Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI Blog (2026-05-07)
  [30] Frontier Risk Report (February to March 2026) - METR — reactive:ai-offensive-cyber
  [31] When a Lab Withholds Its Best Model: What the Claude Mythos System Card Signals for Cybersecurity — reactive:ai-security-nexus
  [32] US government expands vetting of frontier AI models for security risks — reactive:ai-security-nexus
  [33] Looking for backdoors in Jane Street LLMs — Alignment Forum (2026-05-23)
  [34] GitHub Breach via Malicious VS Code Extension: What You Need to ... — reactive:ai-security-nexus
  [35] Nx Console VS Code Extension Compromised - StepSecurity — reactive:ai-security-nexus
  [36] GitHub Says 3,800 Repositories Breached—TeamPCP Hackers ... — reactive:ai-security-nexus
  [37] GitHub is just the latest victim of TeamPCP, a gang that has ... — reactive:ai-security-nexus
  [38] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  [39] GPT-5.5 System Card — OpenAI Blog (2026-04-23)
  [40] Google spotted an AI-developed zero-day before attackers could use it | CyberScoop — reactive:ai-offensive-cyber
  [41] AI built the first zero-day exploit targeting 2FA. Google GTIG intercepted it before mass deployment. APT45, UNC2814, Ru... — reactive:ai-offensive-cyber (2026-05-16)
  [42] CISO Daily Briefing: Google's TIG confirmed the first criminal AI-generated zero-day exploit — AI-native threat actors a... — reactive:ai-offensive-cyber (2026-05-16)
  [43] Cloudflare just explained why Mythos is so important (and it is not ... — reactive:ai-offensive-cyber
  [44] Project Glasswing: what Mythos showed us | Subhash Dasyam — reactive:ai-offensive-cyber
  [45] Cloudflare tests Mythos against 50+ repositories, highlights its ability ... — reactive:ai-offensive-cyber
  [46] Autonomous AI Cyber Capability Doubles Every Few Months — reactive:ai-offensive-cyber
  [47] Claude Mythos: What Does Anthropic's New Model Mean for the ... — reactive:ai-security-nexus
  [48] Kicking the Tires: A Voluntary Path to Pre-Deployment AI Vetting | The Foundation for American Innovation — reactive:ai-security-nexus
  [49] npm Author Qix Compromised via Phishing Email in Major Suppl... — reactive:ai-security-nexus
  [50] TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MT... — reactive:ai-security-nexus
  [51] Bun-Based Stealer Hits SAP CAP npm Packages | Snyk — reactive:ai-security-nexus
  [52] axios npm Compromise: The Ultimate Supply Chain Scaries — reactive:openai-advanced-account-security
  [53] Mini Shai-Hulud Returns: 600+ Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack — reactive:ai-security-nexus
  [54] Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain ... — reactive:ai-offensive-cybersecurity
  [55] Mini Shai-Hulud npm Attack: AntV Ecosystem Compromise (May 2026) | Chainguard — reactive:ai-security-nexus
  [56] Anthropic's Mythos Claims Questioned by Cybersecurity Insider — reactive:frontier-ai-cyber-capabilities
  [57] Why Claude Mythos system card is a mess - Part 3, about ... - Reddit — reactive:ai-security-nexus
  [58] Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code — reactive:ai-security-nexus
  [59] SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents — reactive:ai-security-nexus
  [60] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  [61] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
  [62] TeamPCP sells Mistral AI repos after TanStack attack on OpenAI — reactive:ai-security-nexus (2026-05-18)
  [63] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
  [64] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. — reactive:ai-security-nexus
  [65] CISA Adds Trivy CVE-2026-33634 to KEV: Patch Supply Chain Risk ... — reactive:ai-security-nexus
  [66] Impact Assessment: Aqua Security Trivy Supply Chain Compromise (CVE-2026-33634) on Tanzu Application Platform and Spring Enterprise — reactive:ai-security-nexus
  [67] Postmortem: TanStack npm supply-chain compromise — reactive:ai-security-nexus