The Information Machine

AI as Attack Tool and Attack Target: May 2026 Cybersecurity Moment

Version 7

2026-05-24 20:21 UTC · 211 items

What

The TeamPCP Mini Shai-Hulud supply chain campaign — which has compromised 1,000+ SaaS environments [15], breached 30 EU institutions via the European Commission's cloud infrastructure [13], and stolen thousands of GitHub internal repositories via a malicious VS Code extension [4] — has drawn a second named threat actor: CSO Online reports that Lapsus$, the cybercriminal group responsible for prior high-profile breaches at Microsoft, Nvidia, and Samsung, has joined the extortion wave targeting the campaign's victims [20]. Sportradar, previously named only as an additional victim, has been characterized by VECERTRadar as a 'Systemic Compromise and Asset Sale,' suggesting active monetization of the stolen data is underway [18]. Technical analysis of the SAP npm package attack continues to deepen, with Socket.dev [21] and SecurityBridge [22] providing detailed mechanism-level documentation of how Mini Shai-Hulud penetrated SAP's Cloud Application Programming ecosystem.

Why it matters

Lapsus$'s reported entry into the extortion wave is the most consequential new development: if confirmed, it transforms the campaign from a single-actor event into a multi-actor threat environment pairing TeamPCP's worm-propagation and infrastructure penetration capability with Lapsus$'s established history of aggressive public extortion and data leaks. Supply chain victims who believed containment was progressing against one known actor must now consider whether a second, independently operating group has acquired separate access or is working in coordination. The Sportradar 'asset sale' characterization reinforces that stolen access is being actively converted to revenue, not held as leverage.

Open questions

  • Is Lapsus$'s role in the extortion wave a direct collaboration with TeamPCP, an opportunistic independent pivot targeting the same victims, or a misattribution? [20] The answer determines whether victims face one threat actor or two distinct groups with different motivations and TTPs.

  • VECERTRadar characterizes the Sportradar incident as a 'Systemic Compromise and Asset Sale' [18][19] — what categories of data are being marketed, who are the prospective buyers, and has Sportradar issued an official incident response statement?

  • Mend.io's claim that the SAP CAP attack ran 'via Claude Code' [25] and RedRays' 'weaponize AI coding agents' mechanism [24] both remain without official Anthropic response — will Anthropic clarify Claude Code's specific role or issue defensive guidance for users?

  • The AntV attack's fake Sigstore badge evasion technique [17] has not yet produced a public response from the Sigstore project or the npm registry — can organizations continue to rely on npm provenance attestation as a meaningful trust signal?

Narrative

The TeamPCP threat actor launched the Mini Shai-Hulud supply chain campaign on May 11, 2026, deploying a self-spreading worm across npm and PyPI that compromised more than 170 packages in its initial wave — including the TanStack ecosystem, LiteLLM, Guardrails AI, and Telnyx — reaching two OpenAI employee devices and exfiltrating code-signing certificates that triggered a mandatory rotation deadline of June 12, 2026 for OpenAI's iOS, macOS, and Windows applications [1][2][3]. GitHub confirmed the worm breached approximately 3,800–4,000 of its internal repositories via Nx Console version 18.95.0, a poisoned VS Code extension, and Forbes reported that TeamPCP subsequently demanded a $50,000 ransom from GitHub for the stolen access [4][5][6]. Cyber Unit and DevOps.com have each published detailed analyses of the VS Code extension attack mechanism and its implications for SMBs reliant on VS Code for development workflows [7][8]. CVE-2026-33634 (CVSS 9.4) was formally assigned, CISA added it to its Known Exploited Vulnerabilities catalog [9][10], and Broadcom confirmed downstream exposure in Tanzu Application Platform and Spring Enterprise through the Trivy container-security scanner compromise [11]. A community technical writeup on the Trivy attack published on Reddit's r/devops has received significant practitioner attention, indicating the incident has penetrated beyond specialist security audiences into general DevOps practice [12].

CERT-EU, the European Union's official cybersecurity body, confirmed that the European Commission's cloud infrastructure was breached through the Trivy supply chain compromise, with data exposed across 30 EU institutions [13][14]. Mandiant quantified the total campaign impact at more than 1,000 compromised SaaS environments [15] — a figure that reframes Mini Shai-Hulud from a targeted AI-ecosystem incident into one of the most broadly distributed enterprise supply chain compromises on record. The Cloud Security Alliance characterized the campaign as a two-wave operation, naming it 'Shai-Hulud/Megalodon' to distinguish the initial AI developer toolchain wave from the subsequent AntV data visualization ecosystem attack [16]. The AntV wave reached 600+ malicious npm packages featuring a newly identified evasion technique that fakes Sigstore security verification badges on npm registry entries, targeting the provenance attestation infrastructure organizations rely on to verify package legitimacy [17]. Sportradar was named as an additional victim of the campaign [15]; VECERTRadar subsequently characterized the Sportradar incident as a 'Systemic Compromise and Asset Sale,' suggesting active monetization of the stolen data beyond initial access [18][19].

The most consequential development is CSO Online's report that Lapsus$ — the cybercriminal group previously responsible for breaches at Microsoft, Nvidia, Samsung, Uber, and Rockstar Games — has joined the extortion wave targeting the campaign's supply chain victims [20]. If confirmed, this transforms Mini Shai-Hulud from a single-actor campaign into a multi-actor threat environment in which TeamPCP's worm-propagation infrastructure coexists with Lapsus$'s established extortion playbook. The relationship between the two groups — whether collaboration, opportunistic parallel exploitation, or independent targeting of the same victim pool — has not been established. The SAP npm package segment of the attack has received additional technical documentation: Socket.dev published analysis of the TeamPCP-linked compromise of SAP CAP and Cloud MT packages [21], and SecurityBridge — an SAP-focused security vendor — published a dedicated writeup on how Mini Shai-Hulud penetrated the SAP npm ecosystem [22], with StepSecurity flagging the compromised packages on LinkedIn [23].

The AI coding agent attack surface remains the campaign's most analytically contested dimension. RedRays framed the SAP npm hijacking as a deliberate mechanism to weaponize AI coding agents by injecting malicious packages into the dependency trees that AI coding tools automatically install and execute [24], while Mend.io previously claimed the SAP Cloud Application Programming Model segment ran 'via Claude Code' [25] — a specific tool attribution not yet corroborated by independent analysis or an Anthropic response. The governance backdrop for these events includes AISI's official evaluation of Claude Mythos Preview — which autonomously cleared both UK offensive cyber ranges including a 32-step scenario — and NIST's CAISI formalization as the US pre-deployment AI compliance gate, establishing the institutional context within which autonomous AI offensive capability and AI tool exploitation are being simultaneously debated [26][27][28].

Timeline

  • 2026-05-05: US Department of Commerce finalizes expanded AI safety-testing agreements with Google, Microsoft, and xAI through NIST's CAISI; Politico reports on federal pre-deployment AI vetting formalization [28][49]
  • 2026-05-11: TeamPCP launches Mini Shai-Hulud campaign via self-spreading worm; 160+ npm and PyPI packages compromised including TanStack; two OpenAI employee devices hit, code-signing certificates exfiltrated [1][2][3]
  • 2026-05-11: Security researchers confirm tool poisoning attacks work silently against Claude, ChatGPT, Cursor, and other major AI assistants [98]
  • 2026-05-13: OpenAI publishes incident response disclosure; mandates app certificate rotation by June 12, 2026; Zvi Mowshowitz and AISI publish analyses characterizing Claude Mythos Preview's autonomous clearance of UK offensive cyber ranges as a genuine AI capability threshold [1][47][27]
  • 2026-05-16: Broad security community coverage amplifies OpenAI/TanStack disclosure; users urged to update macOS apps before June 12 certificate revocation deadline [34][99][100][101][102]
  • 2026-05-18: Reports emerge that TeamPCP targeted Mistral AI and is selling access to Mistral AI's internal source code repositories [103][104][105][106]
  • 2026-05-19: LiteLLM, Telnyx, and Guardrails AI identified as additional compromised packages; campaign scope confirmed at 160+ packages across npm and PyPI; CVE-2026-33634 formally assigned with CVSS 9.4 critical severity rating [107][9][67][108][109]
  • 2026-05-20: GitHub confirms TeamPCP breach of approximately 3,800–4,000 internal repositories via Nx Console version 18.95.0; Forbes reports TeamPCP demanded $50,000 ransom from GitHub; multiple security vendors publish independent analyses [4][29][5][30][52][53][31][32][33][60][6][66][67][68][69]
  • 2026-05-21: CVE-2026-33634 scope expanded to include Trivy container-security scanner; LiteLLM publishes official security update; GitLab Advisory Database and Aqua Security publish formal Trivy advisory; LegitSecurity publishes incident response playbooks [110][111][112][113][114][115][116][117][54]
  • 2026-05-22: Mini Shai-Hulud confirmed targeting SAP npm packages; Unit 42 and Datadog Security Labs publish 'Shai-Hulud 2.0' analysis; CISA adds CVE-2026-33634 to Known Exploited Vulnerabilities catalog; Broadcom issues impact assessment for Tanzu Application Platform and Spring Enterprise [61][62][63][64][65][118][10][11]
  • 2026-05-23: AntV ecosystem attack confirmed with 600+ malicious npm packages faking Sigstore badges; Semgrep identifies worm revival via compromised maintainer of antv, timeago, and size-sensor packages; IBM X-Force, Orca Security, ThreatLocker, StepSecurity, Microsoft Security Blog, and Chainguard publish independent AntV analyses; Mend.io and RedRays publish analyses framing SAP attack as weaponizing AI coding agents; CSA characterizes campaign as two-wave 'Shai-Hulud/Megalodon'; Endor Labs publishes practitioner incident response guide [17][71][72][73][74][75][76][77][25][24][16][81][79]
  • 2026-05-24: CERT-EU officially confirms European Commission cloud breach via Trivy supply chain exposed data across 30 EU institutions; Mandiant quantifies total campaign at 1,000+ compromised SaaS environments; Sportradar named as additional victim; Forbes reports $50,000 TeamPCP ransom demand on GitHub [15][37][13][14][6]
  • 2026-05-24: CSO Online reports Lapsus$ has joined the extortion wave targeting supply chain victims; VECERTRadar characterizes Sportradar incident as 'Systemic Compromise and Asset Sale'; Socket.dev and SecurityBridge publish detailed technical analyses of SAP CAP npm package compromise; Cyber Unit and DevOps.com publish VS Code extension attack analyses for SMB audience; Reddit r/devops community technical writeup on Trivy attack gains practitioner traction [20][18][19][21][22][23][7][8][12]

Perspectives

GitHub

Confirmed the breach via Nx Console version 18.95.0, maintained that customer data was unaffected, and framed the incident as limited in customer impact while acknowledging the theft of approximately 3,800–4,000 internal repositories

Evolution: Forbes' reporting of a $50,000 extortion demand from TeamPCP adds context that the attackers placed significant monetary value on the stolen access — in tension with GitHub's 'limited impact' characterization; Cyber Unit and DevOps.com analyses have further documented the SMB-relevant implications of the VS Code extension vector

OpenAI

Transparency and swift containment: limited blast radius, no customer data or production systems compromised, framing the incident as an industry-wide supply chain threat rather than an OpenAI-specific failure; certificate rotation deadline of June 12 is the actionable user requirement

Evolution: Consistent with prior stance; CERT-EU's confirmation of 30 EU institutions' exposure, Mandiant's 1,000+ SaaS environments figure, and Lapsus$'s reported entry into the extortion wave further challenge the 'limited blast radius' characterization for the campaign as a whole

CERT-EU

Official confirmation that the European Commission's cloud infrastructure was breached through the Trivy supply chain compromise, with data exposed across 30 EU institutions — establishing that supply chain DevSecOps vulnerabilities translate directly into government IT compromise

Evolution: Consistent; CERT-EU's confirmation stands as the authoritative government-level acknowledgment of the campaign's public sector reach

Mandiant

The total TeamPCP campaign has compromised more than 1,000 SaaS environments — a scale figure that reframes Mini Shai-Hulud from a targeted AI-ecosystem incident to one of the most broadly distributed enterprise supply chain compromises on record

Evolution: Consistent; remains the most comprehensive campaign-scale quantification published to date

Lapsus$

CSO Online reports Lapsus$ has joined the extortion wave targeting the campaign's supply chain victims — introducing a second well-resourced threat actor with a history of aggressive public data leaks and extortion against major enterprises

Evolution: New voice in this synthesis; Lapsus$'s specific relationship to TeamPCP (collaboration, independent exploitation, or opportunistic targeting) has not been established

VECERTRadar / threat intelligence community on Sportradar

The Sportradar breach constitutes a 'Systemic Compromise and Asset Sale,' with stolen assets being actively marketed — suggesting monetization is in progress, not merely threatened

Evolution: New characterization in this synthesis; elevates Sportradar from a named victim to an active case study in post-breach monetization

RedRays

The SAP npm hijacking was specifically designed to weaponize AI coding agents by injecting malicious packages into the dependency trees that those tools automatically install and execute, redirecting agent behavior toward cloud credential theft and worm propagation

Evolution: Consistent; Socket.dev's SAP CAP analysis and SecurityBridge's SAP-specific writeup add additional mechanism-level corroboration from SAP security specialists

Mend.io

The SAP CAP segment of the supply chain attack ran 'via Claude Code,' implicating Anthropic's AI coding assistant as a vector or surface in the attack

Evolution: Consistent; no Anthropic response has emerged; Socket.dev and SecurityBridge analyses of the SAP attack provide mechanism context without resolving the specific Claude Code attribution

AISI (UK AI Safety Institute)

Claude Mythos Preview represents a genuine capability threshold — the first AI system to autonomously complete both AISI end-to-end offensive cyber ranges including a 32-step scenario — and the rate at which autonomous AI cyber capability is advancing warrants serious institutional attention

Evolution: Consistent; skeptics continue to question the evaluation methodology and system card consistency

Skeptics of Mythos evaluation (cybersecurity commentators)

The AISI evaluation methodology is inconsistent or overstated; the Mythos system card is methodologically problematic; the 'autonomous offensive threshold' framing may not accurately represent the difficulty or controlled conditions of the evaluated tasks

Evolution: Consistent with prior pass

Zvi Mowshowitz

Genuinely alarmed by Mythos as a capability threshold requiring a rethink of deployment security cadences; critical of both Commerce-dominated (CAISI) and intelligence-dominated governance proposals as politically captured and insufficiently generalized beyond cybersecurity

Evolution: Consistent; CAISI's formalization as the federal compliance gate provides a concrete target for the existing critique

CAISI / US Department of Commerce

Voluntary but structured pre-deployment safety testing with major AI labs through NIST's CAISI is the appropriate US governance posture for frontier AI capabilities

Evolution: Consistent with prior pass

SAP security community (SecurityBridge, Socket.dev, StepSecurity)

The Mini Shai-Hulud campaign's penetration of the SAP npm ecosystem is a credible and technically documented supply chain threat to enterprise SAP deployments; the attack mechanism involves specific SAP CAP and Cloud MT packages and is consistent with the broader campaign's worm-propagation architecture

Evolution: New sub-voice in this synthesis; SAP-specialist security organizations have now published independent analyses that substantiate the attack's SAP-specific dimensions beyond the initial Mend.io and RedRays reporting

Institutional security research community (CSA, Unit 42, Datadog, Akamai, ReversingLabs, GitGuardian, WIRED, Snyk, Onapsis, Wiz, Endor Labs, StepSecurity, Varonis, BleepingComputer, LegitSecurity, Semgrep, IBM X-Force, Orca Security, ThreatLocker, Chainguard, Phoenix Security, Software Improvement Group, Runtime.news, OX Security, Cyber Unit, DevOps.com)

TeamPCP is the defining supply chain security event of 2026; Lapsus$'s reported entry escalates the multi-actor threat; the fake Sigstore badge technique compromises a key trust signal; the AI coding agent weaponization mechanism requires a materially different defensive response than traditional package poisoning; the VS Code extension vector represents an underappreciated SMB exposure

Evolution: The institutional response cohort has grown to include Cyber Unit and DevOps.com providing SMB-focused VS Code extension analysis; the community Reddit technical writeup on Trivy indicates the incident has reached broad practitioner awareness beyond specialist security audiences

Broad security community (social media and press amplifiers)

The GitHub breach is confirmed and TeamPCP is actively marketing stolen access; the $50K ransom demand signals TeamPCP's assessment of the access value; Sportradar's data is now being actively sold; Lapsus$'s entry into the extortion wave signals further escalation

Evolution: VECERTRadar's 'asset sale' characterization for Sportradar and the Lapsus$ extortion wave report represent the sharpest escalation signals in this synthesis cycle

Tensions

  • GitHub's official 'customer data unaffected' and 'limited impact' framing sits in tension with both the scope of 3,800–4,000 internal repositories stolen and TeamPCP's subsequent $50,000 extortion demand — the ransom demand implies TeamPCP placed significant monetary value on the access, which is inconsistent with GitHub's characterization of the incident as limited [31][32][33][60][29][6]
  • AISI's official evaluation frames Claude Mythos Preview as reaching an 'autonomous offensive threshold' warranting serious institutional attention, while independent cybersecurity commentators have questioned the evaluation methodology and system card consistency — a debate about whether the milestone is accurately characterized or inflated by the evaluators' framing [26][27][70][45][46]
  • RedRays frames the SAP attack as deliberately weaponizing AI coding agents through a dependency injection mechanism, while Mend.io's 'via Claude Code' framing implies Anthropic's specific tool was implicated — the two analyses are consistent at the mechanism level but diverge on specificity, and neither has been officially corroborated by Anthropic; Socket.dev and SecurityBridge analyses add SAP-specific technical detail without resolving the Claude Code attribution [24][25][38][79][21][22]
  • The CAISI voluntary pre-deployment framework represents the US government's chosen governance posture for frontier AI capabilities, while Zvi Mowshowitz argues that any governance structure anchored in cybersecurity is politically captured and fails to treat the Mythos milestone as the general capability threshold it represents [28][50][47]
  • Standard supply chain remediation guidance focuses on package registries (npm, PyPI, Docker Hub), but the VS Code extension attack vector and the AI coding agent weaponization mechanism target developer machines and AI tool environments directly — surfaces that are fundamentally harder to audit and for which remediation guidance has not yet been standardized [4][5][30][24][79][68][69][7][8]
  • OpenAI frames the TanStack incident as an industry-wide supply chain shift with limited blast radius, but CERT-EU's confirmation of 30 EU institutions' exposure, Mandiant's 1,000+ SaaS environments figure, Lapsus$'s reported entry into the extortion wave, and TeamPCP's continued propagation into AntV and SAP enterprise infrastructure suggest downstream exposure substantially wider than OpenAI's framing implied [1][13][14][15][59][31][20]
  • The AntV attack's use of fake Sigstore security verification badges means that npm provenance attestation — one of the primary trust signals supply chain security guidance recommends — cannot be relied upon to detect this campaign, creating a gap between the remediation advice being given and the actual evasion capabilities demonstrated by the attacker [17][71][72]
  • CSO Online reports Lapsus$ has joined the extortion wave [20], but the relationship between Lapsus$ and TeamPCP — whether collaboration, independent exploitation of the same victim pool, or coincidental targeting — has not been established, creating uncertainty about whether victims face one organized campaign or two distinct threat actors with different motivations and negotiating postures [20][18][19]
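The fake Sigstore badge evasion and the dependency-tree injection mechanism RedRays describes both reduce to one defender question: which packages in the resolved dependency set are trusted, and on what evidence. The lockfile gate below is an added example written for this synthesis, not code from any of the vendors or projects cited. Every package name, version, advisory entry and registry record in it is constructed, and the `dist.attestations` shape is an assumption modelled on npm's provenance field. The gate reads only the registry's attestation record, never a display-layer badge, blocks on known-bad versions, and flags install-time lifecycle scripts as generic hygiene rather than as a claim about this campaign's mechanism.

```python
"""Dependency policy gate for an npm lockfile (added example, constructed data).

Rules applied to every resolved package in a package-lock.json (v2/v3):
  1. advisory match against a known-bad (name, version) set,
  2. presence of a provenance attestation record in registry metadata,
     ignoring any "verified" badge, which a faked badge can spoof,
  3. declared install-time lifecycle scripts (generic hygiene check).
"""
import json
from typing import Dict, List, Set, Tuple

Finding = Dict[str, str]
Advisories = Set[Tuple[str, str]]
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# --- Constructed sample data: no real packages, versions or advisories ---
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {
            "left-chart": "^2.4.0", "fast-json-thing": "^1.0.0", "honest-lib": "^3.0.0"}},
        "node_modules/left-chart": {"version": "2.4.1"},
        "node_modules/fast-json-thing": {"version": "1.0.9"},
        "node_modules/honest-lib": {"version": "3.1.0"},
        # nested copy of a scoped package, to exercise path parsing
        "node_modules/honest-lib/node_modules/@demo/util": {"version": "0.3.0"},
    },
})

def _attested(name: str, version: str) -> dict:
    """Constructed attestation record in the assumed dist.attestations shape."""
    return {"url": f"https://registry.example/-/npm/v1/attestations/{name}@{version}",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}

# Per-version registry metadata stand-in. "ui_badge" models a display-layer
# trust signal; the gate deliberately never reads it.
SAMPLE_REGISTRY = {
    "left-chart": {"2.4.1": {"dist": {"attestations": _attested("left-chart", "2.4.1")},
                             "scripts": {}, "ui_badge": "verified"}},
    "fast-json-thing": {"1.0.9": {"dist": {},  # no attestation record at all ...
                                  "scripts": {"postinstall": "node setup.js"},
                                  "ui_badge": "verified"}},  # ... yet the badge says "verified"
    "honest-lib": {"3.1.0": {"dist": {"attestations": _attested("honest-lib", "3.1.0")},
                             "scripts": {"test": "jest"}, "ui_badge": "verified"}},
    "@demo/util": {"0.3.0": {"dist": {"attestations": _attested("@demo/util", "0.3.0")},
                             "scripts": {}, "ui_badge": None}},
}

# Constructed advisory feed: (name, version) pairs a vendor feed would supply.
SAMPLE_ADVISORIES: Advisories = {("left-chart", "2.4.1")}


def package_name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nesting and scopes)."""
    return path.rsplit("node_modules/", 1)[-1]


def has_provenance_attestation(version_meta: dict) -> bool:
    """True only if the registry record carries an attestation URL and a
    provenance predicate type; badge fields are never consulted."""
    attestations = version_meta.get("dist", {}).get("attestations")
    if not isinstance(attestations, dict):
        return False
    provenance = attestations.get("provenance") or {}
    return bool(attestations.get("url")) and bool(provenance.get("predicateType"))


def _finding(name: str, version: str, rule: str, severity: str, detail: str) -> Finding:
    return {"package": name, "version": version, "rule": rule,
            "severity": severity, "detail": detail}


def audit_lockfile(lockfile_text: str, registry: dict, advisories: Advisories) -> List[Finding]:
    """Return one finding per rule violation, in lockfile order."""
    lock = json.loads(lockfile_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1 (no 'packages' map) is not supported")
    findings: List[Finding] = []
    for path, entry in packages.items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink: nothing resolved from a registry
        name, version = package_name_from_path(path), entry.get("version", "")
        if (name, version) in advisories:
            findings.append(_finding(name, version, "advisory-match", "critical",
                                     "version listed as compromised"))
        meta = registry.get(name, {}).get(version)
        if meta is None:
            findings.append(_finding(name, version, "no-registry-metadata", "high",
                                     "resolved version absent from registry metadata"))
            continue
        if not has_provenance_attestation(meta):
            findings.append(_finding(name, version, "no-provenance-attestation", "high",
                                     "no attestation record; badge state ignored"))
        hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
        if hooks:
            findings.append(_finding(name, version, "install-script", "medium", ",".join(hooks)))
    return findings


def gate_passes(findings: List[Finding], blocking=("critical", "high")) -> bool:
    """Block the install when any finding reaches a blocking severity."""
    return not any(f["severity"] in blocking for f in findings)


if __name__ == "__main__":
    results = audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['rule']:26} {f['package']}@{f['version']}  {f['detail']}")
    print("gate:", "PASS" if gate_passes(results) else "BLOCK")
```

In a real pipeline the registry records come from the registry API and the advisory set from a vendor feed; the presence check here is the floor, and `npm audit signatures` performs the actual signature and attestation verification against the registry's published keys. The gate belongs in front of every automated install, including the ones an AI coding agent triggers on its own, which is where the dependency-tree injection passage above makes it matter.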

Sources

  1. [1] Our response to the TanStack npm supply chain attack — OpenAI Blog (2026-05-13)
  2. [2] Mini Shai-Hulud: TeamPCP compromises 160+ npm and PyPI packages in a supply chain attack that hit TanStack, Mistra... — reactive:ai-security-nexus (2026-05-19)
  3. [3] A Self-Spreading Supply Chain Attack Compromises TanStack npm ... — reactive:ai-security-nexus
  4. [4] Nx Console 18.95.0 Incident: How TeamPCP Breached GitHub — reactive:ai-security-nexus
  5. [5] Nx Console VS Code Extension Compromised - StepSecurity — reactive:ai-security-nexus
  6. [6] GitHub Says 3,800 Repositories Breached—TeamPCP Hackers ... — reactive:ai-security-nexus
  7. [7] GitHub Breach, May 2026: What the TeamPCP VS Code Extension Attack Means for Canadian and US SMBs | Cyber Unit — reactive:ai-security-nexus
  8. [8] GitHub Breach Tied to Malicious VS Code Extension Exposes Thousands of Internal Repositories — reactive:ai-security-nexus
  9. [9] GitHub - ugurrates/teampcp-supply-chain-attack: CVE-2026-33634 (CVSS 9.4) — The most impactful CI/CD supply chain attack of 2026 so far. · GitHub — reactive:ai-security-nexus
  10. [10] CISA Adds Trivy CVE-2026-33634 to KEV: Patch Supply Chain Risk ... — reactive:ai-security-nexus
  11. [11] Impact Assessment: Aqua Security Trivy Supply Chain Compromise (CVE-2026-33634) on Tanzu Application Platform and Spring Enterprise — reactive:ai-security-nexus
  12. [12] A Technical Write Up on the Trivy Supply Chain Attack - Reddit — reactive:ai-security-nexus
  13. [13] European Commission cloud breach: a supply-chain compromise — reactive:ai-security-nexus
  14. [14] European Commission breach exposed data of 30 EU entities ... — reactive:ai-security-nexus
  15. [15] TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments — reactive:ai-security-nexus
  16. [16] Shai-Hulud/Megalodon: A Two-Wave AI Developer Supply Chain ... — reactive:ai-offensive-cybersecurity
  17. [17] Mini Shai-Hulud Returns: 600+ Malicious npm Packages Fake Sigstore Badges in AntV Ecosystem Attack — reactive:ai-security-nexus
  18. [18] CRITICAL ALERT: Sportradar Systemic Compromise and Asset Sale ... — reactive:ai-security-nexus
  19. [19] Sportradar Data Breach in 2026 - Breachsense — reactive:ai-security-nexus
  20. [20] Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave | CSO Online — reactive:ai-security-nexus
  21. [21] TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MT... — reactive:ai-security-nexus
  22. [22] Mini Shai-Hulud: npm Supply Chain reaches into SAP security! — reactive:ai-security-nexus
  23. [23] Compromised SAP Packages Flagged by StepSecurity - LinkedIn — reactive:ai-security-nexus
  24. [24] SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents — reactive:ai-security-nexus
  25. [25] Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code — reactive:ai-security-nexus
  26. [26] Our evaluation of Claude Mythos Preview's cyber capabilities — reactive:frontier-ai-cyber-capabilities
  27. [27] How fast is autonomous AI cyber capability advancing? — reactive:ai-offensive-cyber (2026-05-13)
  28. [28] US government expands vetting of frontier AI models for security risks — reactive:ai-security-nexus
  29. [29] GitHub Breach via Malicious VS Code Extension: What You Need to ... — reactive:ai-security-nexus
  30. [30] GitHub confirms breach of 3,800 repos via malicious VSCode ... — reactive:ai-security-nexus
  31. [31] GitHub confirms being hacked by TeamPCP, says customer data ... — reactive:ai-security-nexus
  32. [32] GitHub admits major source code leak after 3800 internal ... - InfoWorld — reactive:ai-security-nexus
  33. [33] GitHub Confirms Breach, 4K Internal Repos Stolen - Dark Reading — reactive:ai-security-nexus
  34. [34] OpenAI caught NPM supply chain chaos after employee devices compromised — reactive:ai-security-nexus (2026-05-16)
  35. [35] OpenAI asks macOS users to update after TanStack npm ... — reactive:ai-security-nexus
  36. [36] TanStack Supply Chain Attack Hits Two OpenAI Employee Devices ... — reactive:ai-security-nexus
  37. [37] Security breach at European Commission impacts 30 EU institutions | DigitalShield — reactive:ai-security-nexus
  38. [38] Mend.io's Post - LinkedIn — reactive:ai-security-nexus
  39. [39] AISI: Claude Mythos First AI to Solve 32-Step Cyber Attack Range — reactive:ai-security-nexus
  40. [40] New Claude Mythos becomes the first AI model to clear all cyberattack simulations from Britain's AI safety agency — reactive:ai-security-nexus
  41. [41] Here’s how cyber heavyweights in the US and UK are dealing with Claude Mythos | CyberScoop — reactive:ai-security-nexus
  42. [42] Claude Mythos Preview Completes Cyber Range End-to-End — reactive:ai-security-nexus
  43. [43] We conducted cyber evaluations of Claude Mythos Preview and ... — reactive:ai-security-nexus
  44. [44] Claude Mythos Preview becomes the first model to solve both of the ... — reactive:ai-security-nexus
  45. [45] Anthropic's Mythos Claims Questioned by Cybersecurity Insider — reactive:frontier-ai-cyber-capabilities
  46. [46] Why Claude Mythos system card is a mess - Part 3, about ... - Reddit — reactive:ai-security-nexus
  47. [47] Cyber Lack of Security and AI Governance — Zvi's AI Roundups (2026-05-13)
  48. [48] CAISI becomes US AI pre-deployment gate | Kenneth Foster posted ... — reactive:ai-security-nexus
  49. [49] Pre-Deployment AI Evaluation Moves From China's Model To ... — reactive:ai-deployment-misalignment-risk
  50. [50] Kicking the Tires: A Voluntary Path to Pre-deployment AI Vetting | Lawfare — reactive:claude-mythos-capability-regulation
  51. [51] Center for AI Standards and Innovation (CAISI) | NIST — reactive:ai-security-nexus
  52. [52] GitHub breached via a malicious VS Code extension - Aikido Security — reactive:ai-security-nexus
  53. [53] The Wild West of VS Code extensions and how a poisoned ... — reactive:ai-security-nexus
  54. [54] The Trivy Supply Chain Compromise: What Happened and Playbooks to Respond — reactive:ai-security-nexus
  55. [55] Emerging Supply Chain Attack ("Mini Shai-Hulud") Targeting SAP Cloud Application Programming Ecosystem - Onapsis — reactive:ai-security-nexus
  56. [56] Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware | Wiz Blog — reactive:ai-security-nexus
  57. [57] SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses Bun | Semgrep — reactive:ai-security-nexus
  58. [58] Mini Shai-Hulud: npm Worm Hits SAP Developer Packages | Blog | Endor Labs — reactive:ai-security-nexus
  59. [59] Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages ... - Snyk — reactive:ai-security-nexus
  60. [60] A Hacker Group Is Poisoning Open Source Code at an ... - WIRED — reactive:ai-security-nexus
  61. [61] Shai Halud: What is Shai-Hulud? Definition & Explanation of the Self-Replicating npm Worm | Kusari® — reactive:ai-security-nexus
  62. [62] Mini Shai-Hulud npm Worm: Dissecting a Multi-Vector Supply Chain Attack - Upwind — reactive:ai-security-nexus
  63. [63] Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space — reactive:ai-security-nexus
  64. [64] "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain ... — reactive:ai-security-nexus
  65. [65] The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs — reactive:ai-security-nexus
  66. [66] TeamPCP: Cascading Supply Chain Attack on AI/ML Tooling – Lab Space — reactive:ai-security-nexus
  67. [67] LiteLLM and Telnyx compromised on PyPI: Tracing the TeamPCP ... — reactive:ai-security-nexus
  68. [68] The Telnyx SDK on PyPI Compromise and the 2026 TeamPCP ... — reactive:ai-security-nexus
  69. [69] No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and ... — reactive:ai-security-nexus
  70. [70] Claude Mythos and the AI Autonomous Offensive Threshold — reactive:frontier-ai-cyber-capabilities
  71. [71] Mini Shai-Hulud npm Attack: AntV Ecosystem Compromise (May 2026) | Chainguard — reactive:ai-security-nexus
  72. [72] Mini Shai-Hulud Resurfaces; Compromised Maintainer of antv, timeago, and size-sensor Packages Revives Worm Activity | Semgrep — reactive:ai-security-nexus
  73. [73] IBM X-Force OSINT Advisory Mini Shai-Hulud Hits AntV: 300+ ... — reactive:ai-security-nexus
  74. [74] npm Supply Chain Attack Compromises AntV | Orca Security — reactive:ai-security-nexus
  75. [75] Reverse Shai-Hulud: Supply chain compromise impacts @antv packages — reactive:ai-security-nexus
  76. [76] Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem - StepSecurity — reactive:ai-security-nexus
  77. [77] Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft | Microsoft Security Blog — reactive:ai-security-nexus
  78. [78] TeamPCP / Mini Shai-Hulud npm Campaign: 600 Packages, Confirmed Active Payload, Memory Scraping, and 2,500+ Compromised GitHub Repositories - Phoenix Security — reactive:ai-security-nexus
  79. [79] When supply-chain attacks meet coding agents, look out — reactive:ai-coding-cpu-demand-surge
  80. [80] LiteLLM supply chain attack explained - Software Improvement Group — reactive:ai-security-nexus
  81. [81] A Practitioner’s Guide to Responding to the TeamPCP Supply Chain Attacks | Ebook/Report | Endor Labs — reactive:ai-security-nexus
  82. [82] "Shai-Hulud" Malware Hits 170+ npm & PyPi Packages - OX Security — reactive:ai-security-nexus
  83. [83] It's Bigger Than TeamPCP. Open Source Is Under Siege. - YouTube — reactive:ai-security-nexus
  84. [84] TeamPCP's Multi-Stage Supply Chain Attack on Security Infrastructure — reactive:ai-offensive-cyber
  85. [85] The npm Threat Landscape: Attack Surface and Mitigations ... — reactive:openai-advanced-account-security
  86. [86] GitHub Breach Linked To Malicious VS Code Extension ... - LinkedIn — reactive:ai-security-nexus
  87. [87] 170 npm packages compromised in one coordinated supply chain attack — OpenAI, Mistral AI, even the European Commission g... — reactive:ai-security-nexus (2026-05-23)
  88. [88] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-23)
  89. [89] The TanStack npm supply chain attack (CVE-2026-45321) is wild. — reactive:ai-security-nexus (2026-05-22)
  90. [90] GitHub Confirms 3,800-Repo Breach Traced to TanStack npm Supply Chain Worm #cybersecurity #supplychain #GitHub #OpenAI #... — reactive:ai-security-nexus (2026-05-21)
  91. [91] RT @IntCyberDigest: ‼️🚨 This is wild. OpenAI just confirmed it got hit in the TanStack npm supply chain attack, and the ... — reactive:ai-security-nexus (2026-05-21)
  92. [92] OpenAI has published its post-mortem on the TanStack npm supply chain attack. — reactive:ai-security-nexus (2026-05-20)
  93. [93] 1:10 TanStack/npm Supply Chain Worm Hits 170+ Packages, Reaches OpenAI @tan_stack @tannerlinsley @OpenAI @npm — reactive:ai-security-nexus (2026-05-20)
  94. [94] TeamPCP's "Mini Shai-Hulud" supply chain attack compromised 170 npm and PyPI packages, among them @tanstack/react-router with 12 million downloads... — reactive:ai-security-nexus (2026-05-19)
  95. [95] Supply chain attacks on npm packages are not a new threat — but watching one hit OpenAI employees via TanStack is a remi... — reactive:ai-security-nexus (2026-05-19)
  96. [96] A threat actor identified with the TeamPCP alias is claiming to offer ... — reactive:ai-security-nexus
  97. [97] GitHub investigates internal repositories breach claimed by TeamPCP — reactive:ai-security-nexus
  98. [98] 😺 Microsoft: your company is the AI bottleneck — The Neuron (2026-05-11)
  99. [99] OpenAI mandates a macOS update after a supply chain attack that hit TanStack, npm packages and several a... — reactive:ai-security-nexus (2026-05-16)
  100. [100] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack via @knolinfos https://t.co/gORBgXYLpY — reactive:ai-security-nexus (2026-05-16)
  101. [101] 🚨 OPENAI EMPLOYEE DEVICES COMPROMISED — reactive:ai-security-nexus (2026-05-16)
  102. [102] OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack https://t.co/hyRTbyclv2 — reactive:ai-security-nexus (2026-05-16)
  103. [103] TeamPCP sells Mistral AI repos after TanStack attack on OpenAI — reactive:ai-security-nexus (2026-05-18)
  104. [104] TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai ... — reactive:ai-security-nexus
  105. [105] Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack — reactive:ai-security-nexus
  106. [106] TeamPCP Claims Sale of Internal Mistral AI Repositories Amid Mini ... — reactive:ai-security-nexus
  107. [107] Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages — reactive:ai-security-nexus
  108. [108] TeamPCP Targets Telnyx Package in Latest Software Supply Chain Attack - Infosecurity Magazine — reactive:ai-security-nexus
  109. [109] Mistral AI among npm, PyPI packages hit by Mini Shai Hulud — reactive:ai-security-nexus
  110. [110] NVD - CVE-2026-33634 — reactive:ai-security-nexus
  111. [111] LiteLLM Supply Chain Attack: What Happened and How to Respond — reactive:ai-security-nexus
  112. [112] Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update — reactive:ai-security-nexus
  113. [113] Security Update: Suspected Supply Chain Incident | liteLLM — reactive:ai-security-nexus
  114. [114] CVE-2026-33634 - CVE Record — reactive:ai-security-nexus
  115. [115] Endor Patches | CVE-2026-33634, Trivy ecosystem supply chain was briefly compromised — reactive:ai-security-nexus
  116. [116] Trivy ecosystem supply chain was briefly compromised | GitLab Advisory Database (GLAD) — reactive:ai-security-nexus
  117. [117] Trivy ecosystem supply chain temporarily compromised · Advisory · aquasecurity/trivy · GitHub — reactive:ai-security-nexus
  118. [118] Mini Shai-Hulud Targets SAP npm Packages - Upwind Security — reactive:ai-security-nexus