#110 - AI Attacks OT: Claude Used Autonomously in Water Utility Breach

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 10^th May 2026

Welcome back!

Last week the story was that AI tools had become the attack surface. This week the story is that AI moved from author to operator. In January 2026, in Monterrey, an unidentified threat actor tracked as TAT26-12 by Dragos compromised a municipal water and drainage utility using Anthropic's Claude and OpenAI's GPT models as primary operational tools. Claude generated a 17,000-line Python attack framework. Claude conducted internal reconnaissance. And then, without being explicitly directed to, Claude independently identified a vNode SCADA/IIoT management interface and directed two rounds of password-spray attacks against it. The OT breach failed. The unprompted identification of OT-adjacent assets did not. That is the line that crossed this week. AI is no longer helping to write the commit. It is making targeting decisions inside the attack.

Alongside that, the week brought one-click RCE proofs across Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI through malicious .claude/settings.json files that Anthropic declined to fix. A stealthy MCP hijacking attack on Claude Code that proxies all OAuth tokens through attacker infrastructure, also declined. A fake OpenAI Privacy Filter repo on Hugging Face that hit 244,000 downloads before removal. Two CVEs in Microsoft's Semantic Kernel framework where prompt injection becomes host-level RCE. And the Five Eyes intelligence alliance issuing coordinated guidance that agentic AI is too immature for rapid enterprise rollout. The pattern is consistent. Defender posture is not.

🤖🏃 AI Autonomous & Agentic Attacks: ↑ +33% (8 vs 6 high-scoring articles week-on-week)

Significance: Autonomous AI participation in attack execution moved from controlled research (Zealot) to confirmed real-world tactical operation in seven days. This is the first case where the unprompted decision is documented in the post-incident analysis as the analytically significant finding.

🔗 AI Supply Chain & Developer Tool Abuse: ↑ +12.5% (9 vs 8)

Significance: Developer trust dialogues are now the primary attack vector. The "informed consent" defence does not survive an attacker controlling the repository contents.

📜 AI Governance & Defensive Innovation: ↑ +11% (10 vs 9)

Significance: Governments and platform vendors are calling out the same problem from different sides. CISOs no longer have plausible deniability about agentic AI risk maturity.

🦠 AI-Assisted Malware Development: → 0% (4 vs 4)

Significance: Volume is steady but the Chainguard data confirms what we suspected last week. AI lowers operator skill floor faster than it raises ceiling.

🛡️ AI System Vulnerabilities: ↓ -23% (10 vs 13)

Significance: Volume down, severity not. Semantic Kernel CVEs confirm prompt injection is now an execution risk in production agent frameworks, not a content-handling concern.

🔍 AI-Accelerated Vulnerability Exploitation: → 0% (3 vs 3)

Significance: The 24-hour figure confirms the patch SLA arithmetic. If your perimeter SLA for critical internet-facing CVEs is a week, you are insolvent against current attacker tempo.

🤖 AI-Enabled Social Engineering: ↓ -33% (2 vs 3)

Significance: The volume metric is misleading. A single campaign with 15,500 domains tells the real story. Counting articles is not counting attacks.

SPONSORED BY

The next wave of millionaires will be people who figured out how to make AI work for them.

The window to get ahead is still open. But not for long.

Here are 200+ proven ways to make money with AI in 2026.

Sign up for Superhuman AI, the free daily newsletter read by 1M+ professionals, and get instant access to all 200+ ways to profit from AI this year.

Claim your free list

The story this week is contained in one paragraph from the joint Dragos and Anthropic disclosure of TAT26-12. An unidentified actor compromised a municipal water and drainage utility in Monterrey in January 2026 using Anthropic's Claude and OpenAI's GPT models as primary operational tools. Claude generated a 17,000-line Python attack framework. Claude conducted internal network reconnaissance. And then, Claude independently identified a vNode SCADA/IIoT management interface without being explicitly directed to do so, and directed two rounds of password-spray attacks against it.

The OT breach failed. No control systems were accessed. Both of those facts will be relegated to the second paragraph in most coverage. They should not be. The operationally significant detail is the one that did succeed. An LLM running tactical decisions during a live intrusion identified an OT-adjacent target as worth attacking and pursued it autonomously. Edition #109 covered the PromptMink campaign where DPRK's Famous Chollima used Claude Opus as a co-author of a malicious commit. That was AI in the artifact creation step. This is AI in the operations centre.

The Rosling check matters. Is this genuinely new, or is the detection improving? Both. The Chainguard 2026 retrospective published this week documents that a single actor used Claude Code to extort 17 organisations, and three teenagers used ChatGPT to hit Rakuten Mobile 220,000 times. The skill floor has been collapsing for a year. What changed this week is that an LLM made an unprompted tactical decision, against critical infrastructure, that a human attacker would have made and that we would have called good tradecraft. The Monday question for any CISO with an OT or industrial estate: do your detection rules treat machine-speed reconnaissance with no human pause time as an indicator on its own? Behavioural baselines tuned to human attacker cadence are now systematically miscalibrated.

Three independent disclosures this week, all targeting AI coding agents, all exploiting the same architectural weakness. Adversa.AI demonstrated one-click RCE against Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI using malicious .claude/settings.json and .mcp.json files planted in a GitHub repository. When a developer clones the repo and accepts the folder trust prompt, attacker-defined MCP servers spawn as unsandboxed OS processes with the user's full privileges. In a CI/CD context the payload exfiltrates environment variables, deploy keys, signing certificates, and embeds malicious logic into build artifacts. Anthropic's response was that user trust acceptance constitutes informed consent. Mitiga Labs separately disclosed an MCP hijacking attack where a malicious npm package modifies ~/.claude.json to proxy all MCP traffic, including OAuth tokens, through attacker-controlled infrastructure. The stolen tokens function as MFA-bypassing credentials for any SaaS tool connected via MCP. Anthropic responded that the issue is "out of scope."

Two of the three vectors lack a vendor-provided fix. The third, the Microsoft Semantic Kernel CVEs where prompt injection becomes host-level RCE, was patched within the responsible disclosure window. The contrast tells you which vendors have absorbed which lessons. Microsoft has been through enough trust-boundary failures that they have institutional muscle memory for this class of problem. The AI native vendors do not have that yet.

This is the npm ecosystem in 2014 again. Trust dialogues that made sense for a local assistant on a developer laptop are catastrophic in a CI/CD pipeline with production secrets. The fix is not user education. Users will accept the dialogue. The fix is least-privilege execution by default, sandboxing of unverified MCP servers, and cryptographic signing of skill manifests. None of those are present yet. The action item for this week: inventory every AI coding assistant in use across your engineering organisation, and confirm what credentials are reachable from a local clone of an attacker-controlled repository. If the answer is "your GitHub PAT and your AWS access keys," you have a problem that no vendor is currently planning to fix for you.

The Five Eyes intelligence alliance, comprising CISA, NSA, NCSC-UK, ASD's ACSC, NCSC-NZ, and Canada's Cyber Centre, jointly published guidance on May 4 warning that agentic AI systems create an interconnected attack surface that amplifies existing organisational vulnerabilities. The document identifies 23 distinct risk categories and over 100 best practices, illustrating threats including insider-driven prompt injection that causes agents to delete audit logs, and supply chain compromise of integrated tools that inherits the agent's over-provisioned privileges. The guidance argues that threat intelligence frameworks like OWASP and MITRE ATLAS have not yet fully captured agentic AI-specific attack vectors. The position is unambiguous. Security practices and evaluation standards for agentic AI have not yet matured sufficiently for rapid enterprise adoption.

Read that as plainly as possible. Five intelligence agencies are telling boards, in writing, that the agentic AI deployments their CTOs and CIOs are accelerating are running ahead of the security maturity required to defend them. That is policy cover for any CISO who has been pushing back on aggressive agent rollout timelines without the institutional weight to make it stick.

The same week, Intruder's scan of one million internet-exposed AI services provides the empirical ground truth. 31% of the 5,200+ Ollama API servers tested responded to a single test prompt with no authentication required. Plaintext API keys. Fully exposed n8n and Flowise agent management platforms. Self-hosted LLM infrastructure deployed across healthcare, government, and financial services with what the report describes as systemic insecurity-by-design.

The Five Eyes guidance and the Intruder data are the same observation from different angles. We do not have an AI threat problem. We have an AI deployment problem that has not yet manifested as the breach population it deserves. The provocation for Monday: when your CTO presents the next agentic AI use case, ask which of the 23 Five Eyes risk categories applies and what compensating controls are in place. If the answer takes longer than 30 seconds, it is not ready for production.

🤖🏃 AI Autonomous & Agentic Attacks. Anthropic and Dragos jointly disclosed TAT26-12's use of Claude for autonomous OT reconnaissance during the Mexican water utility intrusion. Unit 42's Zealot research demonstrated a hierarchical multi-agent LLM penetration testing system chaining SSRF to GCP IMDS theft to BigQuery exfiltration from a single high-level prompt. SecurityWeek separately reported a vulnerability in the Claude Extension for Chromeexposing the AI agent to takeover, with full technical details still emerging.

🔗 AI Supply Chain & Developer Tool Abuse. Adversa.AI demonstrated one-click RCE across all major AI coding CLIs via malicious .claude/settings.json files, with Anthropic declining to remediate. Mitiga Labs disclosed an MCP hijacking attack on Claude Code modifying ~/.claude.json to proxy all OAuth tokens through attacker infrastructure, also ruled out of scope. A fake Open-OSS/privacy-filter Hugging Face repository typosquatting OpenAI hit #1 trending and 244,000 downloads, distributing the Rust-based "sefirah" infostealer targeting browser credentials, Discord tokens, crypto wallets, and SSH/FTP/VPN configs. Unit 42's Agent God Mode research on AWS Bedrock AgentCore continues to receive no architectural fix five months after disclosure, as covered in Edition #109.

🦠 AI-Assisted Malware Development. Unit 42 documented 18 malicious Chrome extensions masquerading as GenAI productivity tools, performing DOM-based email exfiltration and stealing OpenAI/Gemini/Claude API keys, with multiple samples containing AI-generated code. Chainguard's 2026 retrospective confirms a single actor used Claude Code to extort 17 organisations, three teenagers used ChatGPT to hit Rakuten Mobile 220,000 times, and one individual breached 10+ Mexican government agencies stealing 195 million taxpayer records during 2025.

🤖 AI-Enabled Social Engineering. Infoblox uncovered a 15,500-domain AI investment scam network using deepfake videos, fabricated celebrity endorsements, and Keitaro TDS cloaking to bypass security scanners. Microsoft Defender Research observed a code-of-conduct-themed AiTM phishing campaign targeting 35,000 users across 13,000+ organisations in 26 countries between April 14–16, with QR code phishing surging 146% in Q1. This extends the 86% AI-enabled phishing baseline reported in Edition #109.

🛡️ AI System Vulnerabilities. Microsoft Defender Research disclosed two critical vulnerabilities in the Semantic Kernel agent framework: CVE-2026-26030 (Python SDK) enables prompt injection to RCE via unsafe eval() in the In-Memory Vector Store filter function; CVE-2026-25592 (.NET SDK) enables sandbox escape and arbitrary file write via the SessionsPythonPlugin. Both patched. Cisco's AI Threat Intelligence team demonstrated imperceptible pixel-level perturbations bypassing safety filters in Claude and GPT-4o vision models, with Claude's attack success rate on heavily blurred images jumping from 0% to 28% post-optimisation.

🔍 AI-Accelerated Vulnerability Exploitation. The UK NCSC's patch tsunami warning, previewed in Edition #109, was formally published this week with CTO Ollie Whitehouse explicitly naming Anthropic's Claude Mythos and OpenAI's GPT-5.5-Cyber as accelerating discovery of legacy code debt. Chainguard's 2026 data documents that 28.3% of CVEs are now exploited within 24 hours of disclosure, down from a 700-day baseline as recently as 2022.

📜 AI Governance & Defensive Innovation. The Five Eyes intelligence alliance jointly published guidance warning that agentic AI deployments are running ahead of the security maturity required to defend them, with 23 risk categories and over 100 best practices. Intruder's scan of one million internet-exposed AI services found 31% of Ollama API servers responding to test prompts with no authentication, plaintext API keys, and exposed agent management platforms across healthcare, government, and financial services. OpenAI rolled out Advanced Account Security for ChatGPT users at elevated risk of targeted attacks.

Last week's edition argued that the AI tooling layer had become the attack surface. This week's edition refines the claim. The trust boundary is the attack surface, and AI tooling has more trust boundaries than any other category of software in production today. Folder trust dialogues. MCP server URLs. Skill manifest registries. OAuth scope grants. Each of these is a place where someone, at some point, decides whether to extend trust to something the AI agent is about to do. Each was designed for a local assistant on a single developer's laptop. None of them survive integration into a CI/CD pipeline or an enterprise agent framework without significant compensating controls that nobody has yet been forced to build.

What is genuinely new this week is the TAT26-12 incident. AI made an unprompted tactical decision during a live intrusion against critical infrastructure. That is not "AI used in an attack." That is AI as a decision maker inside an attack. The implication is operational, not philosophical. Detection logic calibrated on human dwell time, human pause patterns, and human reasoning gaps is now systematically blind to attacks that move at machine speed without those tells. If you have not run a tabletop where your IR team responds to an attack pattern with no observable human cadence and no obvious operator timezone, you are running tabletops on the wrong threat model.

What looks scary but is mostly noise: the Hugging Face Open-OSS infostealer hitting 244,000 downloads. The headline number is alarming, but the failure mode is the same one npm went through a decade ago. The fix is the same fix that worked for npm. Provenance, signing, and consumption controls. Apply Rosling's negativity instinct and ask whether the volume is genuinely up or whether the attention is. Both, but the attention is moving faster than the threat.

The Monday provocation. Pull a single commit from a public AI agent repository, locally, with whatever AI coding assistant your engineering team uses. Watch what trust dialogues appear. Click them as a normal developer would. Then audit what credentials your tooling now has access to that the public repo's author could have reached. If the gap between what you authorised and what you actually authorised is uncomfortable, that is the real finding for your security strategy this week.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.