PRESENTED BY
Cyber AI Chronicle
By Simon Ganiere · 17th May 2026
Welcome back!
Last week the story was AI as operator. Claude making unprompted tactical decisions during the Monterrey water utility intrusion. This week the story is AI as exploit author. On 11 May, Google Threat Intelligence Group published its AI Threat Tracker and disclosed the first confirmed case of a zero-day vulnerability discovered and weaponised with AI assistance in the wild. A Python 2FA bypass against an unnamed open-source web admin tool. The LLM tells were there. Hallucinated CVSS scores in the code. Pedagogical docstrings. The vulnerability class, semantic logic flaws, is one AI is genuinely good at finding.
That alone would be the story of the week. It is not. The same seven days produced the Mini Shai-Hulud worm, a self-propagating supply chain compromise tearing through the AI ecosystem itself. Mistral AI, Guardrails AI, TanStack, UiPath. OpenAI confirmed two employee devices infected and macOS signing certificates exposed. CVE-2026-45321 at CVSS 9.6, the first npm worm shipping validly SLSA Build Level 3 attested malicious packages with persistence hooks left in Claude Code installations.
The AI ecosystem is simultaneously the weapon and the target. Last week's question was whether your detection logic survived machine speed. This week's question is whether your AI vendor's dependency tree does.
If you have been enjoying the newsletter, it would mean the world to me if you could share it with at least one person 🙏🏼 and if you really really like it then feel free to offer me a coffee ☺️
AI Threat Tempo
🛡️ AI System Vulnerabilities: ↓ -40% (6 vs 10 high-scoring articles week-on-week)
Mini Shai-Hulud worm hooks AI packages (Mistral AI, Guardrails AI) with persistence in Claude Code installations
Fake Claude Code installer campaign distributes a previously undocumented infostealer via malvertising
Significance: Volume down, blast radius up. Two of the largest single AI supply chain incidents of 2026 landed in the same week.
📜 AI Governance & Defensive Innovation: ↓ -40% (6 vs 10)
Microsoft MDASH agentic vulnerability discovery system finds 16 Windows flaws fixed in May Patch Tuesday
Microsoft Defender for Cloud telemetry: 15% of internet-exposed remote MCP servers allow unauthenticated access
Significance: Defenders have caught up on tooling. They have not caught up on deployed configuration hygiene.
🔍 AI-Accelerated Vulnerability Exploitation: ↑ +67% (5 vs 3)
GTIG discloses first AI-developed zero-day in the wild: a 2FA bypass via Python script with LLM artifacts intact
China-nexus UNC2814 using persona-driven jailbreaks; North Korea's APT45 recursively analysing CVEs at scale
Significance: Last week's NCSC patch tsunami warning has documented operational use. Patch SLA conversations are no longer theoretical.
🔗 AI Supply Chain & Developer Tool Abuse: ↓ -44% (5 vs 9)
TeamPCP's Mini Shai-Hulud worm compromises 170+ packages with valid SLSA Build Level 3 attestations; OpenAI and Mistral AI confirmed victims
Fake OpenAI Privacy Filter on Hugging Face traced to China-nexus Silver Fox infrastructure
Significance: Last week trust dialogues were the attack surface. This week the platform attestation system itself was abused. SLSA Level 3 does not mean what most teams think it means.
🦠 AI-Assisted Malware Development: → 0% (4 vs 4)
GTIG documents PromptSpy Android backdoor leveraging the Gemini API for autonomous device interaction including biometric capture
Russia-nexus actors deploying AI-generated decoy code in CANFAIL and LONGSTREAM to evade behavioural detection
Significance: State actor adoption of AI for evasion is now a baseline assumption, not an emerging trend.
🤖🏃 AI Autonomous & Agentic Attacks: ↓ -75% (2 vs 8)
Microsoft observes actively exploited misconfigurations in deployed MCP servers, Mage AI, kagent, and AutoGen Studio on Kubernetes
Significance: Lower volume reflects last week's TAT26-12 incident absorbing the oxygen. Underlying trajectory unchanged.
🤖 AI-Enabled Social Engineering: ↓ -50% (1 vs 2)
UK deepfake sextortion campaign forces schools to remove student photos from websites; IWF reports AI-generated CSAM more than doubled YoY
Significance: Coverage volume is misleading. Real-world impact on educational institutions is escalating, with policy responses now mandatory.
Interesting Stats
244,000. Downloads of the typosquatted Open-OSS/privacy-filter on Hugging Face before takedown, traced through shared C2 infrastructure to China-nexus Silver Fox and the ValleyRAT campaign. AI model marketplaces inherited npm's 2014 problems in a single week.
84. Validly SLSA Build Level 3 attested malicious package versions published by the Mini Shai-Hulud worm via abused GitHub Actions OIDC federation. The provenance signal you have been training your build pipelines to trust is now spoofable end-to-end.
15%. Share of internet-exposed remote MCP servers that allow unauthenticated access to sensitive internal data, per Microsoft Defender for Cloud telemetry. The agentic deployment problem the Five Eyes warned about last week now has an empirical number attached.
Three Things Worth Your Attention
1. The First AI-Built Zero-Day Has Arrived in the Wild.
On 11 May, Google Threat Intelligence Group published its AI Threat Tracker, and the headline finding is the one that will move your patching cadence. An unnamed cybercrime cluster used a large language model to discover and weaponise a zero-day vulnerability against an open-source web administration tool. The exploit is a Python script that bypasses two-factor authentication via a semantic logic flaw, a hard-coded trust assumption that the AI was good enough to find but not careful enough to exploit without leaving its fingerprints. The code contained pedagogical docstrings and a hallucinated CVSS score, the kind of artifacts that survive when an attacker accepts an LLM's output without scrubbing it.
The Google report is broader than the headline coverage. China-nexus UNC2814 running persona-driven jailbreaks for embedded device research. North Korea's APT45 using AI to recursively analyse CVEs at scale. Russia-nexus actors deploying AI-generated decoy code inside CANFAIL and LONGSTREAM to defeat behavioural detection. The PromptSpy Android backdoor calling the Gemini API to navigate device UIs and capture biometrics without a human in the loop.
Apply Rosling's negativity instinct first. The 2FA bypass was disrupted before mass exploitation. The vendor patched. So is this genuinely new, or did Google's detection improve? Both. What changed is not that AI can write exploits. That has been demonstrable in lab conditions for a year. What changed is that a cybercrime actor used an LLM-assisted exploit in a planned mass exploitation operation against a real internet-facing target, and Google saw it in the wild. Edition #110 noted that 28.3% of CVEs are now exploited within 24 hours of disclosure. The GTIG findings explain how the upstream end of that pipeline is being compressed. If your patch SLA for internet-facing critical CVEs is north of 48 hours, you are running on borrowed time against a class of attacker the data now confirms exists.
2. The AI Supply Chain Just Discovered It Has a Supply Chain.
TeamPCP's Mini Shai-Hulud worm is the most consequential supply chain compromise of 2026 to date, and it landed on the AI ecosystem with unusual precision. On 11 May the actor compromised more than 170 npm and PyPI packages including Mistral AI, Guardrails AI, TanStack, UiPath, and OpenSearch via a chained GitHub Actions attack: pull_request_target abuse, cache poisoning across the fork trust boundary, and runtime memory extraction of OIDC tokens. 84 malicious artifacts shipped with valid SLSA Build Level 3 provenance attestations. The malware steals developer credentials, cloud secrets, AI tool API keys, CI tokens, and crypto wallets. It self-propagates by minting fresh npm publish tokens via the OIDC federation it just compromised. CVE-2026-45321, CVSS 9.6.
The downstream impact is what matters. OpenAI confirmed two employee devices infected, unauthorised access to internal source code repositories, and exposure of the signing certificates used to authenticate OpenAI macOS applications. Mistral AI confirmed a temporary compromise of one codebase management system, and TeamPCP put the stolen source code up for sale. The Python variant carries a geofenced destructive payload with a one-in-six chance of executing rm -rf on systems in Israel or Iran. Intentional, capability-driven operation, not opportunistic cybercrime.
Two things matter for security leaders this week. First, SLSA Build Level 3 attestation is not what your build pipeline is treating it as. When the attacker controls the OIDC token exchange, the provenance signal becomes cover, not assurance. Anyone running policy-as-code that gates on attestation needs to revisit whether the policy adds defence-in-depth or creates a false summit. Second, Guardrails AI was compromised. The package designed to filter model output, the layer many teams trust to prevent prompt injection escalation, was carrying credential-stealing payloads. The premise that your AI safety tooling is itself safe is one of the assumptions an attacker noticed before you did. Inventory your AI dependency surface this week, and treat Mistral AI, Guardrails AI, and any TanStack-derived package as guilty until proven clean.
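One way to turn the "cover, not assurance" point into an admission gate, as an added example that is not the newsletter's, npm's or any vendor's code: a consumer-side policy that accepts a SLSA v1 provenance statement only when the artifact digest, builder identity, source repository, triggering event and lockfile-pinned version all agree, so a validly attested artifact built from a fork-reachable trigger is still refused. It assumes the DSSE signature on the statement has already been verified by the registry client (a valid signature is exactly what the worm had), and the package name, repository, digest and event fields are constructed placeholders in the shape GitHub Actions provenance uses.

```python
import hashlib

# Constructed sample: an in-toto statement with a SLSA v1 provenance predicate in the shape
# GitHub Actions builds emit. Package name, repository and bytes are hypothetical.
SAMPLE_TARBALL = b"constructed tarball bytes, not a real package"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example/widget@1.4.2",
                 "digest": {"sha512": hashlib.sha512(SAMPLE_TARBALL).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {"ref": "refs/heads/main",
                                                "repository": "https://github.com/example/widget",
                                                "path": ".github/workflows/publish.yml"}},
            "internalParameters": {"github": {"event_name": "pull_request_target"}},
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}

# Consumer-side policy: what the lockfile and the project's own release process say.
POLICY = {
    "source_repo": "https://github.com/example/widget",
    "builders": {"https://github.com/actions/runner/github-hosted"},
    "trusted_events": {"push", "release", "workflow_dispatch"},
    "pinned": {"@example/widget": "1.4.1"},
}

def package_coordinates(purl):
    """Split 'pkg:npm/%40scope/name@version' into ('@scope/name', 'version')."""
    name, _, version = purl.removeprefix("pkg:npm/").replace("%40", "@").rpartition("@")
    return name, version

def evaluate(statement, tarball, policy):
    """Return policy failures; an empty list means admit. A verified signature is assumed."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["not a SLSA v1 provenance statement"]
    subject = statement["subject"][0]
    build = statement["predicate"]["buildDefinition"]
    event = build["internalParameters"]["github"]["event_name"]
    name, version = package_coordinates(subject["name"])
    checks = [  # (passed?, finding reported if it did not)
        (subject["digest"].get("sha512") == hashlib.sha512(tarball).hexdigest(),
         "subject digest does not match downloaded artifact"),
        (statement["predicate"]["runDetails"]["builder"]["id"] in policy["builders"],
         "builder id not in allowlist"),
        (build["externalParameters"]["workflow"]["repository"] == policy["source_repo"],
         "provenance source repository differs from expected"),
        (event in policy["trusted_events"],
         f"untrusted trigger {event!r}: workflow is reachable from forks"),
        (policy["pinned"].get(name) == version,
         f"{name}@{version} is not the pinned version {policy['pinned'].get(name)}"),
    ]
    return [finding for passed, finding in checks if not passed]
```

Run against the sample, the digest and builder pass yet the artifact is still refused on the trigger and the version drift, which is the defence-in-depth the attestation alone does not give you.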
3. The Defenders Now Run AI Agents Too.
Microsoft used the same week to publish MDASH, a multi-model agentic scanning harness that autonomously identified 16 Windows vulnerabilities fixed in May Patch Tuesday. Two are critical RCEs. CVE-2026-33824 at CVSS 9.8 is a double-free in ikeext.dll exploitable via crafted IKEv2 packets. CVE-2026-33827 at 8.1 is a race condition in tcpip.sys reachable via crafted IPv6 packets on IPSec-enabled nodes. MDASH orchestrates more than 100 specialised agents across multiple model types to discover, debate, and prove exploitable bugs. The defensive equivalent of what GTIG just documented attackers doing. Both sides are now running agentic vulnerability discovery at industrial scale. The window between an attacker's AI finding a flaw and the vendor's AI finding the same flaw will become the new patch SLA conversation.
Microsoft also published parallel data from Defender for Cloud that should reset the deployment-side conversation. 15% of internet-exposed remote MCP servers allow unauthenticated access to sensitive internal data. Mage AI's default Helm chart deployment was actively exploited in the wild. AutoGen Studio and kagent both surfaced as exploited misconfigurations enabling unauthenticated RCE and Azure OpenAI key theft. More than half of cloud-native AI workload exploitations now trace to misconfiguration rather than zero-day. The empirical number missing from last week's Five Eyes guidance has arrived, and it points the same direction. The Monday provocation: pull a list of MCP servers your engineering teams have stood up, and confirm how many are reachable from the public internet with no authentication. If you cannot answer that by lunch on Tuesday, your visibility on this layer is below where it needs to be.
In Brief: AI Threat Scan
🦠 AI-Assisted Malware Development. Google Threat Intelligence Group confirms the first AI-developed zero-day in the wild, alongside Chinese APT27/APT45/UNC2814 use of AI for vulnerability research, the PromptSpy Android backdoor leveraging Gemini APIs for autonomous device interaction, and Russia-nexus AI-generated decoy code in CANFAIL and LONGSTREAM. SecurityWeek and BleepingComputer confirm the 2FA bypass exploit code carried LLM tells.
🔗 AI Supply Chain & Developer Tool Abuse. TeamPCP's Mini Shai-Hulud worm compromised 170+ npm/PyPI packages including Mistral AI and Guardrails AI, producing the first npm worm with valid SLSA Build Level 3 attestation. OpenAI confirmed two employee devices infected and macOS signing certificates exposed. Ontinue identified an ongoing malvertising campaign serving fake Claude Code installers that abuse Chromium's IElevator2 COM interface to bypass App-Bound Encryption. A typosquatted OpenAI Privacy Filter on Hugging Face hit 244,000 downloads via Silver Fox infrastructure linked to ValleyRAT.
🛡️ AI System Vulnerabilities. Mini Shai-Hulud established persistence hooks in Claude Code and VS Code installations on infected developer machines, with CVE-2026-45321 (CVSS 9.6) carrying a geofenced destructive payload for Israel and Iran locales.
🔍 AI-Accelerated Vulnerability Exploitation. GTIG's first-known AI-developed zero-day was a Python 2FA bypass against an open-source web admin tool, targeting a semantic logic flaw, the vulnerability class AI excels at finding. Microsoft's MDASH agentic scanning harness autonomously identified 16 Windows flaws patched in 13 May Patch Tuesday, including CVE-2026-33824 (CVSS 9.8 RCE) and CVE-2026-33827 (CVSS 8.1 race condition).
🤖🏃 AI Autonomous & Agentic Attacks. Microsoft Threat Intelligence released aggregated Defender for Cloud findings on AI app misconfigurations: actively exploited Mage AI Helm chart deployments, 15% of remote MCP servers allowing unauthenticated access, and confirmed Azure OpenAI API key theft via internet-facing AutoGen Studio and kagent instances on Kubernetes.
📜 AI Governance & Defensive Innovation. Microsoft's MDASH is the first publicly disclosed defender-side multi-agent vulnerability discovery system operating at production scale. Defender for Cloud telemetry confirms more than half of cloud-native AI workload exploitations trace to misconfiguration rather than zero-day, providing the empirical baseline missing from last week's Five Eyes advisory.
🤖 AI-Enabled Social Engineering. Malwarebytes documented a UK deepfake sextortion campaign harvesting public school photos to generate CSAM, with one confirmed UK secondary school incident producing 150 IWF-classified images. The IWF reports AI-generated CSAM more than doubled YoY through November 2025.
Patch Now — AI-Relevant CVEs This Week
| CVE | Product | CVSS | Type | Status | AI Relevance | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-45321 | npm/PyPI ecosystem (Mini Shai-Hulud) | 9.6 | Supply chain worm, credential theft, destructive payload | 🔴 Actively exploited | Compromises Mistral AI, Guardrails AI; hooks into Claude Code installations | ✅ Affected packages re-published; rotate all credentials reachable from CI |
| CVE-2026-33824 | Microsoft Windows (ikeext.dll) | 9.8 | Unauthenticated RCE via crafted IKEv2 packet | 🟢 Patched, no known exploitation | Discovered by Microsoft MDASH agentic scanner | ✅ May 2026 Patch Tuesday |
| CVE-2026-33827 | Microsoft Windows (tcpip.sys) | 8.1 | RCE race condition via crafted IPv6 packet on IPSec nodes | 🟢 Patched, no known exploitation | Discovered by Microsoft MDASH agentic scanner | ✅ May 2026 Patch Tuesday |
The urgent priority is CVE-2026-45321 and the broader Mini Shai-Hulud exposure. Anyone with Mistral AI, Guardrails AI, or TanStack-derived packages in production must rotate every credential reachable from a build agent that pulled the affected versions between 11 and 14 May. The two MDASH-discovered Windows RCEs are reminders that the next zero-day in your environment may already be in AI-discovered patch notes you have not read yet.
The Bottom Line
Last week argued that the trust boundary is the attack surface. This week extends it. The trust signal is also the attack surface. SLSA Build Level 3 attestation was supposed to be the answer to npm-era supply chain compromise. TeamPCP shipped 84 validly attested malicious packages this week. The signal you have been training your build pipelines to honour is the signal the attacker now controls. The same week, a cybercrime actor shipped an LLM-built zero-day with the LLM's authorial fingerprints intact, and Google caught it because the attacker did not scrub the artifacts. That is luck, not detection. The next campaign will scrub.
What is genuinely new this week. AI has now appeared at every step of the kill chain in coverage from a single tier-one threat intelligence source in a single seven-day window. Vulnerability discovery (GTIG zero-day). Exploit weaponisation (the Python 2FA bypass). Supply chain compromise targeting AI dependencies themselves (Mini Shai-Hulud). Persistence in AI developer tooling (Claude Code hooks). Defender response at industrial scale (Microsoft MDASH). The pattern was visible in fragments before. This is the first week the fragments form a complete picture.
What looks scary but is mostly noise. The hallucinated CVSS score in the GTIG zero-day code is being read in some coverage as evidence that AI-built exploits will reliably leak fingerprints. They will not. Read this week's GTIG finding as the floor of attacker sophistication, not the ceiling.
The Monday provocation. Pull your AI dependency surface this week. Every npm and PyPI package your engineering teams use to build AI features. Every signed binary that touches a CI/CD pipeline. Confirm which credentials were reachable to a build agent that pulled a Mini Shai-Hulud version between 11 and 14 May. Then ask the harder question. If your assurance model has been "SLSA Build Level 3 attestation," what is your assurance model now that the attestation pipeline has been demonstrably compromised? If the answer is the same, you have not absorbed this week's news yet.
Wisdom of the Week
The busy man is never wise and the wise man is never busy
AI Influence Level
Level 4 - AI Created, Human Basic Idea / The whole newsletter is generated via Claude workflow based on hundreds of news and research articles. Human-in-the-loop to review the selected articles and subjects.
Reference: AI Influence Level from Daniel Miessler
Till next time!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
