Foresiet Security Intelligence
Monthly Threat Report · May 2026
Six AI Security Incidents. One Month. The Supply Chain Broke.
A self-replicating worm tore through npm and PyPI, a poisoned editor extension was live for eighteen minutes, and GitHub lost 3,800 internal repositories — all in a single chain. Here is everything that happened in AI cybersecurity in May 2026, with a full attack path for each incident.
Foresiet Security Intelligence Desk · May 2026 Edition · 19 min read
May 2026 will be remembered as the month the AI developer toolchain itself became the primary attack surface. A single threat actor — TeamPCP — ran a nine-day campaign that started as a worm in open-source packages, escalated through a poisoned code-editor extension, and ended inside GitHub’s own infrastructure. In parallel, Google’s threat team disclosed the first zero-day exploit it believes was developed with AI, and Meta discovered that an AI-assisted account-recovery tool had been quietly abused to hijack Instagram accounts for six weeks.

6 AI security incidents in May 2026
3,800 GitHub internal repos exfiltrated
18 minutes the poisoned extension was live
1st AI-developed zero-day caught in the wild
The six incidents
Verified incidents · May 2026

Incidents 1 through 4 are four linked stages of a single campaign; we break them out because each stage is a distinct, reusable attack pattern with its own defensive lesson. MITRE ATT&CK technique references are included throughout.

1. Mini Shai-Hulud — Self-Replicating Worm Across npm and PyPI
May 11–12, 2026 · Actor: TeamPCP (UNC6780) · CVE-2026-45321 (CVSS 9.6) · Critical
On May 11, TeamPCP deployed a self-propagating worm — named “Mini Shai-Hulud” after the sandworm in Dune — across npm and PyPI. Within roughly five hours it published over 400 malicious versions across more than 170 packages, including libraries from TanStack, the official Mistral AI Python client, Guardrails AI, OpenSearch, and UiPath (combined download history over 518 million). The payload harvested AWS keys, Vault secrets, GitHub tokens, npm tokens, Kubernetes and 1Password tokens — and injected persistence into VS Code and Claude Code config files.
Why it matters: The AI developer ecosystem was specifically in the blast radius — AI developers concentrate high-value credentials in a handful of workstation tools. CISA added CVE-2026-45321 to its Known Exploited Vulnerabilities catalog on May 27.

Attack Path — Cross-Ecosystem Worm Propagation
1. Initial access via OIDC token theft in CI/CD. Hijacked OIDC tokens in publishing pipelines that used overly permissive, broadly scoped tokens. (T1199, T1552)
2. Malicious versions published with valid provenance. 400+ trojanized versions across 170+ packages, reportedly carrying valid build-provenance attestations. (T1195.002)
3. Multi-target credential harvest on install. Swept for cloud, CI/CD, and AI-tool credentials; injected persistence into VS Code and Claude Code. (T1552.001, T1078)
4. Triple-channel exfiltration and self-propagation. Exfiltrated over HTTPS, the GitHub API, and DNS tunneling; reused stolen tokens to spread further. (T1041, T1071.004)
5. Worm source open-sourced to seed variants. On May 12, the code was published with a forum prize for the largest derivative attack. (T1588)

Sources: The Hacker News, Tenable (CVE-2026-45321 FAQ), Expel, Orca Security.
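As an added Python example, not code from the report or from any vendor it cites, the audit that step 1 of the playbook calls for against a worm like this one: it walks an npm package-lock.json (transitive entries included) and pip freeze output against a denylist of exact poisoned versions. The denylist, package names and both inputs are constructed placeholders; the real entries come from the advisories cited above.

```python
from typing import Dict, List, Set, Tuple

# Hypothetical denylist of exact poisoned versions, keyed by ecosystem and
# package name. Constructed placeholders: the real entries come from the
# vendor advisories cited above, not from this snippet.
COMPROMISED: Dict[str, Dict[str, Set[str]]] = {
    "npm":  {"@example/ui-kit": {"4.2.1", "4.2.2"}},
    "pypi": {"example-client": {"1.9.3"}},
}

def npm_lockfile_hits(lock: dict) -> List[Tuple[str, str, str]]:
    """Walk a package-lock.json (lockfileVersion 2 or 3) and return every
    installed (path, name, version) on the denylist, transitive deps included."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                        # "" is the root project entry
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED["npm"].get(name, set()):
            hits.append((path, name, meta["version"]))
    return hits

def pip_freeze_hits(freeze_output: str) -> List[Tuple[str, str]]:
    """Check `pip freeze` output (one name==version per line) against the
    denylist. PyPI names compare case-insensitively with '_' and '-' equal."""
    def norm(n: str) -> str:
        return n.lower().replace("_", "-")
    bad = {norm(k): v for k, v in COMPROMISED["pypi"].items()}
    hits = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if "==" not in line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        if version in bad.get(norm(name), set()):
            hits.append((name, version))
    return hits

# Constructed sample inputs: one direct hit, one nested copy on a clean version.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@example/ui-kit": {"version": "4.2.2"},
        "node_modules/foo/node_modules/@example/ui-kit": {"version": "4.1.0"},
    },
}
SAMPLE_FREEZE = "requests==2.31.0\nExample_Client==1.9.3\n"
```

Run it against `json.load(open("package-lock.json"))` and the captured output of `pip freeze` on each workstation and CI runner; a hit on any path, however deep, means the credentials that host could reach belong on the rotation list in step 2.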
2. Nx Console Extension Poisoning — 18 Minutes, 2.2M Installs
May 18, 2026 · nrwl.angular-console v18.95.0 · CVE-2026-48027 (CVSS 9.3) · Critical
A GitHub contributor token stolen in the worm wave reached the publishing credentials for Nx Console, a VS Code extension with 2.2M+ installs. At 12:30 UTC a malicious v18.95.0 hit the Marketplace; the Nx team removed it at 12:48 UTC — an 18-minute window. Because extensions auto-update, any developer who opened a workspace during that window was compromised automatically. The payload was hidden in a dangling orphan commit inside the official nrwl/nx repository — trusted by most enterprise scanners.
Why it matters: The attack window no longer needs to be long. Auto-updating tooling means an 18-minute exposure reaches millions of machines. The payload explicitly harvested Claude Code configs alongside cloud and CI/CD credentials.

Attack Path — Trusted Extension as Amplifier
1. Stolen contributor token reused from Stage 1. A token harvested by the worm reached Nx Console’s marketplace publishing credentials. (T1078)
2. Payload staged inside the legitimate repo. A malicious orphan commit in the official nrwl/nx repo defeated scanners that allow-list the project. (T1195.001)
3. Trojanized v18.95.0 published. The backdoored build went live at 12:30 UTC, impersonating MCP-server functionality. (T1554)
4. Auto-update delivers the backdoor with zero user action. Opening a workspace during the window triggered execution; no manual install was needed. (T1059)
5. Secrets exfiltrated, including SSH keys. Double-encrypted output pushed to a public repo over HTTPS, the GitHub API, and DNS tunneling. (T1041)

Sources: CISA Alert (CVE-2026-48027), StepSecurity, Sophos, The Hacker News.
3. GitHub Internal Breach — 3,800 Repositories Exfiltrated
May 18–20, 2026 · Also hit: OpenAI, Mistral AI, European Commission · Critical
On May 19, GitHub disclosed that credentials harvested in the Nx Console attack were used to access its internal infrastructure, exfiltrating approximately 3,800 internal repositories. At least one GitHub employee was hit during the 18-minute window; the attacker used SSH keys from that device to clone internal repos. GitHub found no evidence customer-hosted code was affected. The same credentials reached OpenAI (forcing a macOS signing-certificate revocation), Mistral AI, and the European Commission.
Why it matters: This is the payoff stage of a chain where each step fed the next. None of the techniques was novel — the assembly was. CVE-2026-48027 entered CISA’s KEV catalog on May 27, with a federal remediation deadline of June 10.

Attack Path — Workstation to Internal Repos
1. GitHub employee device compromised via auto-update. The payload ran within normal user permissions, avoiding privilege escalation to stay below EDR thresholds. (T1195.002, T1078)
2. SSH keys and tokens harvested. Output double-encrypted and pushed to an attacker-controlled public repository. (T1552.004)
3. SSH keys used to clone internal repos. ~3,800 internal repositories cloned, comprising GitHub’s own codebase and tooling. (T1021.004)
4. Parallel access to OpenAI, Mistral, EU Commission. The same harvest gave simultaneous cross-org access from one credential set. (T1199)
5. Detection, containment, disclosure. Endpoint isolated, secrets rotated, clean Nx versions (18.100.0+) shipped. (Response)

Sources: Help Net Security, ThreatLocker, ArmorCode, Infosecurity Magazine.
4. Mistral AI Source-Code Theft — 450 Repositories for Sale
May 12–15, 2026 · Actor: TeamPCP · IP theft via supply chain · High
Stemming from the same TanStack compromise, TeamPCP claimed ~5 GB of internal source code across nearly 450 Mistral AI repositories and listed them for $25,000, threatening a free leak within a week. Mistral confirmed a codebase-management system was temporarily compromised on May 12 and that some SDK packages were briefly contaminated, but disputed the scope — stating attackers accessed only certain non-core repositories and that hosted services, user data, and research environments were not affected. No samples were published, leaving the full scope unverified.
Why it matters: A frontier-model lab’s training and benchmarking code is now directly monetizable through ordinary dependency compromise. Treat build and codebase-management systems as model-security controls, not just IT.

Attack Path — Supply Chain to IP Exfiltration
1. SDK packages contaminated via TanStack. Dev environments exposed through stolen CI/CD credentials and legitimate workflows. (T1195.002)
2. Codebase management system compromised. Temporary May 12 access, limited to certain non-core repositories per Mistral. (T1078)
3. Repositories cloned and staged. ~5 GB across ~450 repos tied to training, fine-tuning, and inference experiments. (T1213)
4. Listed for sale with leak deadline. $25K to one buyer, buy-back offered, public-leak threat. Scope disputed by Mistral. (T1657)

Sources: BleepingComputer, TechNadu, Hackread, OECD.AI Incident DB.
5. First AI-Developed Zero-Day Caught Before Mass Exploitation
May 11, 2026 (disclosure) · Source: Google Threat Intelligence Group · High
In its May 11 AI Threat Tracker, Google’s Threat Intelligence Group reported that, for the first time, it identified a threat actor using a zero-day exploit it believes was developed with AI. The criminal actor planned a mass-exploitation event; Google’s proactive counter-discovery may have prevented its use. The report also documented AI-augmented polymorphic malware linked to suspected Russia-nexus actors and an autonomous-leaning family GTIG calls PROMPTSPY, and named TeamPCP (UNC6780) as targeting AI environments for initial access.
Why it matters: The barrier to producing working exploits — including zero-days — is dropping as model coding capability rises. The same capability powers defenders, but the disclosure confirms AI-assisted exploit development has crossed into observed criminal practice.

Attack Path — AI-Assisted Exploit Development
1. Obfuscated, premium model access obtained. Anonymized access via middleware and automated registration, cycling trial accounts. (T1588)
2. AI used for reverse engineering and vulnerability research. Models act as force multipliers, lowering the skill and time needed to reach a working primitive. (T1587.004)
3. AI-generated zero-day exploit produced. Intended for a mass-exploitation event; the first such case GTIG has identified. (T1203)
4. Proactive counter-discovery disrupts deployment. Google’s pre-emptive research may have prevented the mass-exploitation event. (Defensive)

Source: Google Threat Intelligence Group — GTIG AI Threat Tracker (May 11, 2026).
6. Meta Instagram AI Account-Recovery Tool Abused — 20,225 Accounts
Active Apr 17 – early Jun; discovered May 31, 2026 · AI tool logic flaw · High
Meta disclosed that a vulnerability in “High Touch Support” (HTS), an AI-assisted Instagram account-recovery system, was exploited to perform unauthorized password resets. The flaw: the tool did not verify that the email supplied during recovery actually belonged to the target account, so an attacker could have a reset link delivered to their own inbox — and take over any account without 2FA. Exploitation began around April 17; Meta discovered it on May 31, pulled the tool, cancelled outstanding links, and forced affected accounts into a checkpoint. Reported impact: 20,225 accounts.
Why it matters: The AI framing matters less than the access-control failure beneath it — a high-impact reset capability with no hard ownership check at the data layer, the same class of failure as an over-permissioned agent. It ran roughly six weeks undetected.

Attack Path — AI Support Tool to Account Takeover
1. AI recovery tool wired to password reset. HTS could issue reset links based on a user-supplied email, a high-impact capability. (T1078)
2. Missing email-ownership verification. A bug skipped the check that the email matched the account’s registered address. (T1556)
3. Reset links delivered to attacker inboxes. Accounts without 2FA were taken over directly; 2FA-protected accounts were not. (T1098)
4. Six weeks undetected, then contained. Discovered May 31; HTS pulled, links invalidated, accounts forced to re-verify. (Response)

Sources: BleepingComputer, Security Affairs, TechRadar (Maine AG filing).
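The ownership check this incident turned on, as an added Python example that is not Meta’s code: a stand-in recovery tool that delivers the reset link to whatever address the requester supplies, beside the hardened form that only ever sends to the address on record. The Account and Mailbox types and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Account:
    username: str
    registered_email: str          # the only address a reset link may ever go to
    two_factor_enabled: bool = False

@dataclass
class Mailbox:
    """Stand-in for the outbound mail service; records (recipient, account)."""
    sent: List[Tuple[str, str]] = field(default_factory=list)
    def send_reset_link(self, to: str, username: str) -> None:
        self.sent.append((to, username))

def vulnerable_issue_reset(acct: Account, supplied_email: str, mail: Mailbox) -> bool:
    """The failure mode described above: the recovery tool delivers the reset
    link to whatever address the requester supplies. Nothing ties that address
    to the account, so the link lands in the requester's own inbox."""
    mail.send_reset_link(supplied_email, acct.username)
    return True

def normalize(addr: str) -> str:
    # Case-fold for comparison only; the address on record is never rewritten.
    return addr.strip().casefold()

def hardened_issue_reset(acct: Account, supplied_email: str, mail: Mailbox) -> bool:
    """Hard ownership check at the data layer: the link is sent only to the
    address on record, and only when the requester supplied that address.
    An enrolled second factor is still enforced by the reset form downstream."""
    if normalize(supplied_email) != normalize(acct.registered_email):
        return False               # refuse; reveal nothing about the address on record
    mail.send_reset_link(acct.registered_email, acct.username)
    return True

# Constructed scenario: the requester supplies their own inbox for another account.
VICTIM = Account("victim", "Victim@Example.com")
REQUESTER_INBOX = "someone-else@example.net"

def demo() -> dict:
    leaky, safe = Mailbox(), Mailbox()
    vulnerable_issue_reset(VICTIM, REQUESTER_INBOX, leaky)        # link leaves for the wrong inbox
    denied = hardened_issue_reset(VICTIM, REQUESTER_INBOX, safe)  # refused, nothing sent
    owner_ok = hardened_issue_reset(VICTIM, "victim@example.com", safe)
    return {"leaky_to": leaky.sent, "denied": denied, "owner_ok": owner_ok, "safe_to": safe.sent}
```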
The connecting thread: One actor, one chain

Incidents 1 through 4 were sequential stages of a single nine-day TeamPCP campaign, where each stage used credentials and access stolen in the stage before.

1. Mini Shai-Hulud worm (May 11). Collection layer. 170+ packages poisoned; credentials harvested across the ecosystem.
   ▼ a stolen token reaches Nx Console publishing
2. Nx Console poisoning (May 18). Amplification layer. One token weaponizes an extension with 2.2M installs in 18 minutes.
   ▼ SSH keys from a GitHub employee’s device
3. GitHub internal breach (May 19). Payload layer. 3,800 internal repos cloned; OpenAI, Mistral AI, EU Commission also reached.
   ▼ parallel branch from the same credential harvest
4. Mistral AI code theft (May 12–15). Monetization branch. ~450 repos claimed; $25K extortion with a public-leak deadline.

The techniques were not novel. The assembly was. A credential-collection stage produced exactly the credential type an amplification stage needed — to reach exactly the targets the actor wanted.
The data: Assessed risk by incident
Higher scores reflect larger blast radius, confirmed exfiltration, and novelty. Foresiet’s analytical assessment (0–100).

GitHub internal breach: 96
Mini Shai-Hulud worm: 92
Nx Console poisoning: 90
Mistral AI code theft: 78
AI-developed zero-day: 75
Meta Instagram HTS: 70
What the month tells us: Four structural patterns

1. Toolchain is the attack surface. Packages, extensions, and CI/CD were the entry points — not perimeters. AI tools were named in payloads.
2. Chaining beats novelty. Each technique was established; the damage came from sequencing them so each stage fed the next.
3. Exposure windows are collapsing. 18 minutes reached millions of auto-updating machines. Detection speed beats perimeter hardening.
4. AI is both weapon and target. Offensive AI produced a real zero-day; AI labs, platforms, and support tools were themselves victims.
What to do about it: The prevention playbook

Immediate — 0–14 days: Stop the bleeding
1. Audit lockfiles and extensions for the compromised packages and Nx Console v18.95.0; confirm clean versions.
2. Rotate every credential a developer workstation or CI runner could reach — GitHub, npm, AWS, Vault, Kubernetes, SSH, 1Password, and AI model/API keys.
3. Enforce 2FA on accounts tied to high-impact recovery flows; require a hard ownership check before any reset.
4. Hunt DNS logs for tunneling exfiltration — anomalous high-entropy subdomain queries.

Near-term — 15–60 days: Close the structural gaps
5. Scope OIDC publishing tokens to be short-lived and least-privilege; pin which workflows can publish.
6. Add a review gate for editor-extension and dependency updates so a short malicious window cannot auto-propagate.
7. Treat build and codebase-management systems as model-security controls: monitor them, review access, segment.
8. Inventory and govern AI-assisted internal tools; require human authorization for irreversible actions.

Strategic — 90+ days: Build durable AI-supply-chain security
9. Design for assumed provider-side compromise: SBOMs, provenance verification that resists forged attestations, short-lived secrets, runtime behavioral monitoring.
10. Subscribe to AI-specific threat intelligence and shorten your patch clock — AI is compressing the vulnerability-to-weaponization window.
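An added Python example, not part of the report, of the DNS hunt in step 4 applied to the exfiltration channel that incidents 1 through 3 describe: it scores the leftmost label of each query by Shannon entropy and flags clients that send repeated long, high-entropy labels under one domain. The log format, the thresholds and the placeholder domain are constructed assumptions; tune them to your resolver.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log: "<epoch> <client_ip> <qtype> <qname>". The three TXT
# rows imitate one encoded chunk per query; the domain is a placeholder.
SAMPLE_LOG = """\
1778400001 10.0.0.21 A www.github.com
1778400002 10.0.0.21 AAAA registry.npmjs.org
1778400003 10.0.0.21 TXT 6a1f9c3e2b7d8540d40b8e2f6c1a97532c9e5a0f7b3d1846.exfil-placeholder.example
1778400004 10.0.0.21 TXT d40b8e2f6c1a97532c9e5a0f7b3d18466a1f9c3e2b7d8540.exfil-placeholder.example
1778400005 10.0.0.21 TXT 2c9e5a0f7b3d18466a1f9c3e2b7d8540d40b8e2f6c1a9753.exfil-placeholder.example
1778400006 10.0.0.21 A api.openai.com
1778400007 10.0.0.33 A cdn.jsdelivr.net
"""
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character. Random hex tops out at 4.0 and base32 near 5.0;
    ordinary hostname labels usually sit well below 3.5."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname: str) -> str:
    # Crude registrable-domain cut (last two labels); use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def hunt(log: str, min_len: int = 30, min_entropy: float = 3.5,
         min_queries: int = 3) -> Dict[str, List[str]]:
    """Return {client: [suspect base domains]} for clients that sent at least
    min_queries lookups whose leftmost label is both long and high-entropy.
    Requiring repetition under one domain filters out one-off CDN hashes."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            counts[client][base_domain(qname)] += 1
    flagged = {c: sorted(d for d, n in doms.items() if n >= min_queries)
               for c, doms in counts.items()}
    return {c: doms for c, doms in flagged.items() if doms}
```

Expect noise from CDNs and telemetry endpoints that legitimately use long hashed labels; an allow-list of known base domains on top of the volume threshold keeps the output reviewable.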
Threat-to-control mapping
Each incident mapped to the primary control that would have prevented or mitigated it.

| Incident | Primary control |
|---|---|
| Mini Shai-Hulud worm | Short-lived, least-privilege OIDC tokens |
| Nx Console poisoning | Review gate on extension auto-updates |
| GitHub internal breach | Workstation secret hygiene + key rotation |
| Mistral AI code theft | Codebase-mgmt monitoring + SCA |
| AI-developed zero-day | AI threat intel + faster patch clock |
| Meta Instagram HTS abuse | Hard email-ownership check + 2FA |
The supply chain is now an AI security problem. In one month, a single actor turned trusted packages, a trusted extension, and a trusted CI pipeline into the entry points for a breach that reached GitHub, OpenAI, Mistral AI, and the European Commission. Exploitation of the Nx and TanStack CVEs is ongoing, and the credentials harvested in May are still circulating. Start with the immediate tier — treat it as emergency response.
About Foresiet: Intelligence that gets ahead of the threat
Foresiet is a digital risk protection company built around a single idea: the earlier you see a threat, the cheaper it is to stop. Our platform combines continuous dark-web monitoring, attack-surface management, supply-chain risk assessment, brand protection, and takedown services into one integrated view — so the kind of campaign documented in this report is visible to you while it is still forming, not after the credentials are already circulating.
This monthly AI & Cyber Threat Report is part of how we share that visibility with the wider community. Every incident above is compiled from public disclosures and vendor post-mortems. Risk scores reflect Foresiet’s own analytical assessment, and where an attacker’s claims are unverified — notably the scope of the Mistral AI theft — that is stated explicitly.
Want this intelligence mapped to your own attack surface? Foresiet’s team can show you where your organization, your brand, and your supply chain are exposed across the open, deep, and dark web — and help you close the gap before it is exploited.