The Scale of Modern Vulnerability Discovery and the Anthropic Fable Parallel

This month’s Patch Tuesday stands out for its sheer volume. Microsoft addressed over 200 CVEs in its products and components, contributing to a combined total exceeding 500 when including Chromium and third-party fixes. This represents the largest single-month release in recent years. 

The numbers reflect more than just accumulated technical debt. They illustrate how the discovery process itself has accelerated. Tools capable of systematically analyzing large codebases now surface issues at a pace that traditional manual auditing cannot match. Many of these flaws likely existed undetected for years; the patches address them now because the detection capability caught up.

This situation mirrors Anthropic’s recent release of Claude Fable 5. Anthropic developed a highly capable underlying model but deployed a public version (Fable) with layered classifiers. These classifiers detect and reroute queries related to cybersecurity, biology, chemistry, or related high-risk areas to a less specialized fallback model. The full-capability version remains restricted to vetted users, such as qualified defenders and infrastructure operators.

The approach acknowledges a core asymmetry: the same capabilities that strengthen defense—finding subtle bugs, reasoning through complex systems, generating test cases—can also accelerate offensive work if broadly available. By gating full access, the deployment attempts to tilt the balance toward those operating under structured accountability rather than unrestricted experimentation.

Patch Tuesday embodies the defensive side of this dynamic. Organizations receive the patches because discovery tools, including advanced AI systems, identified the issues. Yet the volume creates its own pressures: enterprises must prioritize, test, and deploy at scale while facing tight windows before exploitation attempts increase. The same wave of discovery that produces these patches also shortens the effective time defenders have to respond.

In AI security contexts, this creates recurring questions. Models that excel at code analysis improve patching velocity and can support red-team exercises or hardening efforts. However, without controls, they lower barriers for those seeking to weaponize findings. Fable’s design—full power for limited trusted parties, constrained access for the public—represents one operational response to that tension. It prioritizes measurable risk reduction over uniform openness.

For security practitioners, the takeaway remains practical. Record Patch Tuesdays are not anomalies but signals of an environment where vulnerability surface area meets improved detection. Prioritization frameworks, rapid testing pipelines, and segmented deployment strategies become essential. The tools driving discovery will continue advancing; the discipline required to apply the resulting patches must advance in parallel. 

The parallel between massive CVE batches and controlled model releases highlights the same underlying reality: capability growth demands deliberate boundaries if the net outcome is to favor secure systems over widespread exploitation.

High-Profile Instagram Accounts Compromised Through AI Chatbot Manipulation

Security researchers and social media monitors reported a notable breach over the weekend involving official Instagram accounts tied to the Obama White House and the Chief Master Sergeant of the United States Space Force. Attackers temporarily altered the profiles with pro-Iranian imagery and statements before access was restored.

The incidents appear linked to detailed guides that spread rapidly on Telegram. These instructions demonstrated methods to manipulate Meta’s AI support assistant chatbot into initiating unauthorized password resets. By exploiting the conversational interface of the support tool, attackers reportedly bypassed standard verification steps and gained control of the targeted accounts.

This event highlights emerging risks at the intersection of artificial intelligence and platform security. Automated support systems designed for user convenience can introduce novel attack surfaces when adversaries craft prompts that mimic legitimate requests or confuse the model’s safeguards. In this case, the AI assistant seemingly processed deceptive inputs as valid account recovery actions, allowing intruders to seize control without traditional credential theft or phishing links.

Experts note that such chatbot manipulation tactics could scale quickly, especially against high-visibility accounts. Official profiles representing government entities or public figures often hold significant symbolic value, making them prime targets for information operations or propaganda efforts. The pro-Iranian messaging suggests possible state-affiliated actors or aligned hacktivist groups seeking to amplify geopolitical narratives through compromised channels.

Meta has not issued a detailed public statement on the precise vulnerability, but platform teams typically respond to such incidents by reinforcing AI guardrails, reviewing support workflows, and notifying affected users. The episodes serve as a reminder that as companies integrate generative AI more deeply into customer service and moderation pipelines, robust adversarial testing becomes essential.

For organizations and individuals managing an important social media presence, the breach underscores several practical defenses. Enabling advanced account protections such as hardware-based authentication, minimizing reliance on automated recovery flows, and monitoring for unusual activity can reduce exposure. At the broader industry level, this incident may accelerate scrutiny of large language models used in sensitive operational contexts where errors in intent detection carry real-world consequences.

As AI-powered tools proliferate in security-adjacent roles, balancing usability with resilience against prompt injection and social engineering hybrids will remain a critical challenge for technology providers.
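
The failure mode described in this item, as an added example that is not from the original article or from Meta: a dispatcher that trusts the model's own claim that the user was verified, next to one that authorizes sensitive tool calls only from server-side verification state. All class, tool, and factor names are hypothetical, and the sample calls are constructed.

```python
"""Added example: authorize a support chatbot's tool calls in server code.

Every name here (Session, ToolCall, dispatch_*) is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Set, Tuple

SENSITIVE_TOOLS = {"send_password_reset", "change_recovery_email"}
STRONG_FACTORS = {"hardware_key", "totp"}


@dataclass
class Session:
    """Server-side state. Only the verification service adds entries."""
    verified: Set[Tuple[str, str]] = field(default_factory=set)  # (account, factor)


@dataclass
class ToolCall:
    """A tool invocation proposed by the model: untrusted input."""
    name: str
    args: dict


def dispatch_naive(call: ToolCall, session: Session) -> str:
    """Weak pattern: the model's claim of verification is the only check."""
    if call.args.get("identity_verified"):
        return f"executed:{call.name}:{call.args.get('account')}"
    return "refused"


def dispatch_gated(call: ToolCall, session: Session) -> str:
    """Hardened pattern: model-supplied arguments never grant authority."""
    if call.name not in SENSITIVE_TOOLS:
        return f"executed:{call.name}"
    target = call.args.get("account")
    # Factors the verification service recorded for this exact account.
    proven = {factor for (acct, factor) in session.verified if acct == target}
    if not proven & STRONG_FACTORS:
        return "escalate:no strong factor verified for the target account"
    return f"executed:{call.name}:{target}"


# Constructed sample: an unverified chat session in which the model has been
# talked into asserting that verification already happened.
ANON = Session()
COAXED = ToolCall("send_password_reset",
                  {"account": "official_account", "identity_verified": True})

# Constructed sample: the account owner after a hardware-key check.
OWNER = Session(verified={("official_account", "hardware_key")})
LEGIT = ToolCall("send_password_reset", {"account": "official_account"})

if __name__ == "__main__":
    print("naive, coaxed call:", dispatch_naive(COAXED, ANON))
    print("gated, coaxed call:", dispatch_gated(COAXED, ANON))
    print("gated, owner call :", dispatch_gated(LEGIT, OWNER))
```

The gated dispatcher ignores `identity_verified` entirely, so no conversational input can change the authorization outcome; requests that fail the check go to a human or the standard recovery flow.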

Claude Mythos AI Uncovers Over 10,000 High- and Critical-Severity Vulnerabilities in Major Software Projects

In a landmark development that underscores both the promise and peril of frontier AI in cybersecurity, Anthropic has revealed that its unreleased Claude Mythos Preview model identified more than 10,000 high- or critical-severity vulnerabilities across systemically important software within just one month of Project Glasswing’s launch.

Project Glasswing, Anthropic’s collaborative defensive initiative, provides limited early access to the powerful Claude Mythos Preview model to approximately 50 trusted partners. These include maintainers of critical open-source projects, cloud providers, and financial institutions. The goal is to leverage advanced AI to harden the software backbone of the internet before malicious actors can weaponize similar capabilities.

Scale of Discoveries Stuns the Industry

According to Anthropic’s initial update on Project Glasswing, published May 22, 2026, the model has flagged thousands of issues in partners’ codebases. Many partners reported more than a 10x increase in bug discovery rates compared to previous methods.

In scans of over 1,000 open-source projects that underpin global infrastructure, Mythos Preview surfaced an estimated 6,202 high- or critical-severity vulnerability candidates. Independent triage of a subset confirmed 1,094 as high- or critical-severity true positives out of 1,726 validated issues. Only a fraction, around 97, have been fully patched upstream so far, with 88 advisories issued.

Notable examples include a critical flaw in the wolfSSL cryptography library (CVE-2026-5194, CVSS 9.1), which could enable certificate forgery and impersonation of trusted services. The model not only detected it but also constructed a working exploit.

Other findings highlight the model’s ability to unearth long-dormant flaws. In earlier evaluations, Mythos Preview identified vulnerabilities in every major operating system and web browser, including a 27-year-old bug in OpenBSD and sophisticated multi-vulnerability browser exploit chains capable of escaping sandboxes.

The Discovery-Patching Gap Emerges as the New Bottleneck

Anthropic openly acknowledges the core challenge. The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.

Open-source maintainers are already overwhelmed. Some have requested slower disclosure rates to cope with the volume. Traditional 90-day coordinated vulnerability disclosure timelines are straining under the flood of AI-generated findings. Many of these require significant human effort to verify, patch, and deploy.

This mirrors broader industry trends. Mozilla used the model to identify and address 271 vulnerabilities in Firefox 150, over ten times more than in a prior release. Major vendors like Microsoft, Oracle, and Palo Alto Networks are issuing larger-than-usual patch volumes.

Dual-Edged Sword for Cybersecurity

While Mythos Preview excels at defensive applications, such as helping one partner bank detect and block a 1.5 million fraudulent wire transfer, its offensive potential is unmistakable. The model autonomously develops sophisticated exploits, including ROP chains and sandbox escapes, often with minimal human guidance.

This has prompted Anthropic to keep Mythos-class models under tight control for now. The company has launched tools like Claude Security for enterprise customers and a Cyber Verification Program for legitimate red teaming and research.

What Comes Next?

Security leaders should treat this as a wake-up call. Recommendations from Anthropic and industry observers include the following:

  1. Shortening patch cycles and streamlining deployment. 
  2. Prioritizing foundational controls such as MFA, hardened configurations, and logging. 
  3. Proactively scanning internal codebases with available AI tools. 
  4. Investing in triage and verification capacity to handle AI-scale discovery.

As models with Mythos-level capabilities proliferate, the advantage will shift decisively to organizations that integrate AI deeply into their defensive workflows. Those relying on traditional methods risk falling dangerously behind.

The era of machine-speed vulnerability discovery is here. The race to patch and harden at scale has only just begun.

BurnTheBoat will continue monitoring Project Glasswing developments and their implications for the broader ecosystem.

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub disclosed on May 19-20, 2026, that attackers stole data from ~3,800 internal repositories after compromising an employee’s machine through a malicious Nx Console VS Code extension.

Attack Summary

On May 18, a fake maintainer uploaded poisoned version v18.95.0 of Nx Console (2.2M+ installs) to the VS Code Marketplace. The extension was live for about 18 minutes before removal. It stole GitHub tokens, npm credentials, AWS keys, SSH keys, and more. The attack stemmed from the earlier Mini Shai-Hulud campaign that compromised a legitimate Nx developer’s credentials via the TanStack package ecosystem. Threat group TeamPCP claimed responsibility and attempted to sell the stolen data.

Why This Matters for AI Security

AI development heavily relies on VS Code, monorepos, and open-source tools, exactly the attack surface exploited here. With sensitive assets like model weights, training data, and GPU cluster credentials at stake, supply chain attacks on developer tooling pose outsized risk to AI organizations. This incident follows similar compromises targeting AI companies through the same vectors in 2024-2025. Attackers are increasingly using AI to accelerate malware creation and social engineering, while defenders struggle with the pace of tool dependencies.

Key Takeaways

  • Audit and restrict VS Code extensions; even popular ones can be compromised.
  • Rotate all secrets immediately (GitHub, cloud providers, credential managers).
  • Enforce multi-approval for package/extension publishing.
  • Treat developer workstation and supply chain security as core parts of AI threat models.
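
One way to carry out the first takeaway, as an added example (not code from GitHub, Nx, or the original article): audit the output of `code --list-extensions --show-versions` against an allowlist and a blocked-version list. The allowlist, the sample listing, and the extension ID `nrwl.angular-console` are assumptions; the blocked version is the one named above.

```python
"""Added example: audit installed VS Code extensions by ID and version."""
import subprocess

# Constructed organization allowlist (lowercase publisher.name IDs).
ALLOWED = {"ms-python.python", "dbaeumer.vscode-eslint", "nrwl.angular-console"}

# Blocked (id, version) pairs. The version is the one this page names; the
# marketplace ID "nrwl.angular-console" for Nx Console is an assumption.
BLOCKED = {("nrwl.angular-console", "18.95.0")}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE = """\
ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
dbaeumer.vscode-eslint@3.0.10
example-publisher.theme-pack@1.2.3
not-an-extension-line
"""


def parse_extensions(text):
    """Return ([(id, version), ...], [unparsed lines])."""
    parsed, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, sep, version = line.rpartition("@")
        if not sep or "." not in ext_id or not version:
            unparsed.append(line)
            continue
        parsed.append((ext_id.lower(), version.lstrip("vV")))
    return parsed, unparsed


def audit(text, allowed=ALLOWED, blocked=BLOCKED):
    """Classify each installed extension.

    The blocked check runs first, so an allowlisted ID at a bad version is
    still reported: trusting a popular extension by ID alone is not enough.
    """
    parsed, unparsed = parse_extensions(text)
    report = {"blocked": [], "unapproved": [], "unparsed": unparsed}
    for ext in parsed:
        if ext in blocked:
            report["blocked"].append(ext)
        elif ext[0] not in allowed:
            report["unapproved"].append(ext)
    return report


def installed_from_cli():
    """Read the live list from the VS Code CLI (requires `code` on PATH)."""
    result = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    report = audit(SAMPLE)  # swap in installed_from_cli() on a workstation
    for ext_id, version in report["blocked"]:
        print(f"BLOCKED    {ext_id}@{version}: remove it and rotate secrets")
    for ext_id, version in report["unapproved"]:
        print(f"UNAPPROVED {ext_id}@{version}: not on the allowlist")
    for line in report["unparsed"]:
        print(f"UNPARSED   {line}")
```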

Organizations building AI systems should treat this as a loud warning: the next breach could expose proprietary models or training infrastructure. GitHub and Nx have both improved controls, but vigilance across the ecosystem is essential.

The AI Patch Revolution: How Microsoft’s MDASH Is About to Redefine Software Security—and What Vendors Must Do to Survive

OpEd by Steve

The days of quarterly Patch Tuesdays feeling like a manageable fire drill are ending. Microsoft’s new multi-model agentic scanning harness – codenamed MDASH – just demonstrated that AI can systematically unearth complex, exploitable vulnerabilities at a scale and speed that outpaces traditional human-led auditing. In the May 2026 Patch Tuesday alone, MDASH helped discover 16 vulnerabilities in Windows networking and authentication components, including four critical remote code execution (RCE) flaws. 

This isn’t another incremental AI scanner hyped in a lab. MDASH is a production-grade, agentic system orchestrating more than 100 specialized AI agents across an ensemble of frontier and distilled models. It handles end-to-end workflows: preparing codebases, scanning for candidates, debating exploitability, deduplicating findings, and even proving bugs with triggering inputs. On internal tests, it achieved near-perfect recall on historical vulnerabilities in components like tcpip.sys and clfs.sys, zero false positives on a deliberately bugged private driver, and topped the CyberGym benchmark at 88.45%. 

From Reactive Patching to Continuous Discovery

Traditional vulnerability management has long been a cat-and-mouse game. Vendors ship code, researchers (or attackers) find flaws, patches follow, often months later. MDASH flips this dynamic. By treating vulnerability discovery as an automated, scalable engineering process rather than sporadic human heroism, it compresses the time between introduction of a bug and its detection from months or years to weeks or days.

For Microsoft’s own ecosystem, this means larger, more proactive Patch Tuesdays. The company itself has signaled that releases will grow structurally as AI-driven findings accelerate. For the broader industry, it signals the end of “good enough” security hygiene. If one vendor can deploy agentic systems that approximate professional offensive researchers on massive, proprietary codebases, customers and regulators will soon demand comparable rigor everywhere.

The patching landscape will change in several profound ways:

  • Speed becomes table stakes. Vulnerabilities won’t wait for the next scheduled release cycle. Organizations will expect rapid, automated remediation pipelines, potentially shifting toward continuous security updates or virtual patching layers for high-risk components.
  • Depth of analysis increases. Agentic systems excel at reasoning through complex interactions (kernel invariants, lock ordering, trust boundaries) that static analyzers or simple fuzzers miss. Shallow bugs will vanish quickly; the remaining ones will be subtler, architectural, or logic-based.
  • Proof and validation raise the bar. MDASH doesn’t just flag potential issues; it debates them internally and generates proofs. This reduces noise and builds confidence, but it also means vendors can no longer dismiss reports with “not exploitable” hand-waving without strong evidence.
  • Attack surface scrutiny intensifies. Third-party libraries, drivers, and dependencies, long the weak links, will face the same relentless scanning. Supply chain security moves from SBOM checklists to live, AI-audited verification.

What Software Vendors Must Do to Stay Current

Staying competitive in this new era won’t be optional for vendors who want enterprise trust (and contracts). Here’s what’s required:

  1. Invest in AI-Native Security Pipelines: Adopt or build agentic scanning harnesses tailored to your codebases. Relying solely on open-source scanners or occasional manual audits will leave you exposed. Integrate multi-model ensembles with domain-specific plugins for your architectures.
  2. Embrace Continuous Scanning and Remediation: Shift from release-gated security to always-on discovery. This demands mature DevSecOps practices, automated patch generation/validation, and rapid deployment mechanisms. Your CI/CD must include AI auditors as first-class citizens.
  3. Prioritize Code Provenance and Modularity: Complex, monolithic codebases are harder to scan effectively. Favor modular designs with clear boundaries, which AI agents can reason about more reliably. Maintain high-quality indices, threat models, and historical commit data to feed these systems.
  4. Collaborate and Share Intelligence: Microsoft is offering limited private previews of MDASH. Engage early. Broader industry efforts (shared benchmarks, standardized agent plugins, collaborative datasets of historical CVEs) will accelerate everyone’s capabilities while raising the baseline.
  5. Prepare for Transparency and Accountability: As AI findings become routine, expect greater scrutiny. Customers and regulators will ask: “What AI tools did you use to validate this release?” Be ready with metrics on recall, false positive rates, and remediation velocity.
  6. Upskill Teams for Human-AI Collaboration: The best outcomes come from offensive researchers guiding and extending AI agents, not replacing them. Invest in talent that can craft effective prompts, domain plugins, and validation oracles.

The Bigger Picture: Defense at AI Speed

MDASH underscores a critical truth: in the AI era, the advantage belongs to the system, not any single model. A lone frontier LLM might hallucinate or miss context; a well-orchestrated harness of specialized agents, debate cycles, and proof engines delivers production results.

For security practitioners, this is exhilarating. We move closer to finding and fixing bugs before adversaries exploit them. For vendors, it’s a wake-up call. Those who treat security as a checkbox will fall behind. Those who integrate agentic AI into their core development and response processes will build more resilient products, and earn greater customer confidence. The patching treadmill isn’t slowing down; it’s accelerating into a continuous, intelligent race. Microsoft has set a new pace with MDASH. The question for the industry is simple: will you keep up, or watch your vulnerabilities pile up? The era of AI-augmented defense is here. Adapt or become the next headline.

Google Connects the Dots: This Cyberattack Started With AI

For the first time, Google’s Threat Intelligence Group has confirmed a real-world case of hackers using AI to discover and weaponize a zero-day vulnerability — catching the attack before it could be used to bypass two-factor authentication on a widely deployed web management tool.

What tipped them off:

  • The attack was designed to let an unauthorized user skip past two-factor authentication entirely. Google worked directly with the affected company to neutralize it before damage was done.
  • Investigators flagged the exploit based on tells that human-written attack code rarely shows: unusually clean, polished structure, extensive explanatory notes, and a fabricated severity score — a calling card that pointed squarely to AI authorship.
  • GTIG’s John Hultquist described the discovery as just the surface of a much deeper problem. Anthropic’s Rob Bair framed the window defenders have left even more starkly — warning the advantage is measured in months, not years.
  • Google’s broader threat report catalogued additional AI-assisted attacks, including tools that allow AI to remotely commandeer devices, and AI-generated malicious code and prompt injections traced to operators in North Korea and Russia.

Why it is important: We’ve seen glimpses of what AI can do on the defensive side of cybersecurity. The problem is that offensive capabilities are closing the gap faster than most institutions are prepared for. The next wave of AI model releases won’t just push the frontier for researchers and enterprises — it’ll hand a meaningful upgrade to attackers too. For the vast majority of systems still operating without modern security infrastructure, that’s not a distant risk. It’s an incoming one.

Canvas Is Down — and So Are Thousands of Classrooms

For many teachers, Canvas isn’t just a platform — it’s where an entire year’s worth of lesson plans lives. Assignments, curricula, discussion threads, grade books. All of it. Which makes what happened this week particularly devastating: a cybercrime group held one of American education’s most critical platforms hostage, and thousands of schools found out mid-semester that their digital backbone was gone.

Canvas parent company Instructure is reeling from an ongoing data extortion attack that disrupted classes and coursework at school districts and universities across the country, after the cybercrime group ShinyHunters defaced the platform’s login page with a ransom demand threatening to leak data on 275 million students and faculty across nearly 9,000 institutions. Instructure’s response was to take Canvas offline entirely.

How we got here:

  • ShinyHunters first claimed a breach on May 1. Instructure’s Chief Information Security Officer declared the incident contained the very next day. It wasn’t.
  • By May 6, Instructure acknowledged stolen data that included names, email addresses, student ID numbers, and messages between users — though the company said no passwords, dates of birth, government IDs, or financial information were compromised.
  • On May 7, students and faculty across dozens of schools logged in to find a ransom demand where the Canvas homepage used to be. ShinyHunters claims the haul includes several billion private messages between students and teachers. Instructure pulled the plug and replaced the login portal with a message calling it “scheduled maintenance” — a characterization that drew immediate criticism from security researchers.
  • The ransom deadline started at May 6 and was pushed to May 12; the extortion message directed affected schools to negotiate their own payments directly with the hackers — independent of whatever Instructure decides to do.

The pattern security experts are pointing to: This wasn’t a one-off. Cloudskope CEO Dipan Mann says this is at least the third time in eight months that ShinyHunters has breached Instructure’s environment. In September 2025, thousands of internal University of Pennsylvania files — donor records, internal memos, confidential materials — leaked through what investigators later determined was partly a Canvas-mediated access path. Penn was named as the victim; Instructure was framed as a bystander. Mann argues that framing was wrong then and looks catastrophically wrong now.

“The September 2025 Penn breach was the proof of concept,” Mann wrote. “The May 1 incident was the production run. The May 7 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”

A source close to the investigation confirmed that several universities have already approached the group about paying. Notably, ShinyHunters quietly removed Instructure from its public leak site — a move these groups typically only make after receiving payment or entering active negotiations.

The timing couldn’t be worse. Countless schools are in the middle of final exams. ShinyHunters is not a single-target operation — Google-owned Mandiant’s CTO Charles Carmakal confirmed that “multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns” are active right now. Recent victims include ADT, Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and Carnival.

Canvas is back online as of May 8, with Instructure saying hackers exploited a vulnerability tied to Free-for-Teacher accounts — the same entry point used in the prior week’s breach. The company has temporarily shut down those accounts while it works to resolve the underlying issue, and says it is directly contacting affected organizations.

For the teachers who built an entire school year inside Canvas, “we’re working on it” is a hard thing to hear in May.

Canvas stores an enormous amount of sensitive behavioral and academic data — exactly the kind of structured, large-scale dataset that makes education platforms an increasingly attractive target for threat actors looking to train or fine-tune AI models on real human interaction patterns.

U.S. flags Chinese labs’ ‘industrial-scale’ AI theft

The White House has released a memo formally accusing Chinese AI companies of running “industrial-scale” distillation operations against American frontier labs — a significant escalation arriving just weeks before Trump’s planned summit with Xi Jinping in Beijing.

What’s going on:

  • Distillation means training smaller models on the outputs of more powerful ones. The memo, authored by Kratsios, alleges China is doing this systematically through thousands of fraudulent API accounts and jailbreak exploits.
  • Anthropic had already privately called out DeepSeek, Moonshot, and MiniMax for distillation back in February. This memo takes those allegations public and enshrines them as federal policy.
  • The Chinese embassy pushed back hard, branding the accusations as baseless — a response that sets an awkward tone ahead of the May 14–15 Beijing summit.
  • A House Foreign Affairs bill that passed its first vote this week would pressure the administration to place distillation offenders on the U.S. export blacklist.

Why it matters: Dario Amodei has publicly positioned China as roughly 6–12 months behind leading U.S. labs. The Kratsios memo challenges the narrative around how that gap is being closed — framing Chinese AI progress less as homegrown innovation and more as a product of systematic data extraction. The real question is how much of DeepSeek’s and Kimi’s trajectory actually traces back to distillation, versus genuine research breakthroughs. That distinction carries enormous implications for how the U.S. responds — and how seriously to take the threat.