For years, the cybersecurity conversation about AI was speculative. Researchers warned it could lower the barrier for attackers. Pen test firms demoed LLM-generated phishing emails. Thought pieces predicted AI-powered attacks were coming.
In 2026, they're here. And they're rewriting how every stage of an attack works — from discovery to exploitation to evasion.
The EDR Evasion Toolkit
In June 2026, Sophos published an analysis of a ransomware toolkit built using AI-assisted development workflows. The attacker used Cursor and Claude Opus 4.5 agents to iterate on malware modules against EDR products, coordinating roles across several agents: one set direction, others handled EDR testing, OPSEC hardening, documentation, and VM deployment.
The attack loop:
- Write an EDR evasion module.
- Test it in an isolated lab against Sophos, CrowdStrike, and Windows Defender.
- If it fails, describe the failure to the AI.
- The AI rewrites the module based on what it learned.
- Repeat.
The attacker claimed the modules eventually bypassed nearly every EDR solution tested — though Sophos noted its own telemetry didn't fully bear that claim out, and the discrepancy is unexplained (possibly the AI over-reporting its own success). The agents also mined published bypass techniques from security research blogs, mapped them to MITRE ATT&CK, and built out test environments to validate results.
It's worth being precise about what this was and wasn't: Sophos was explicit that this was not an autonomously reasoning system running unsupervised. It described the workflow as "a structured engineering test cycle that included human review and iteration" at every step. The genuine shift here isn't a fully autonomous attacker — it's the speed and cheapness of the build-test-refine loop, which lets a single operator iterate dozens of variants faster than a traditional malware dev shop ever could.
The First AI-Discovered Zero-Day
Google's Threat Intelligence Group confirmed the first zero-day exploit believed to be developed with AI. The target was a popular open-source web administration tool. The vulnerability: a 2FA bypass caused by a hardcoded trust assumption — a semantic logic flaw, not memory corruption or input validation.
GTIG identified the AI origin through: abundant educational docstrings, a hallucinated CVSS score, and textbook Pythonic structure characteristic of LLM-generated code. The key technical insight: frontier LLMs excel at finding semantic logic flaws that static analysis and fuzzers miss, because they can reason about developer intent rather than pattern-matching for known vulnerability classes. Google worked with the vendor to patch the flaw before the planned mass-exploitation campaign launched.
Autonomous Malware: PROMPTSPY
ESET first identified PROMPTSPY, an Android backdoor that queries an LLM (Google's Gemini API) to interpret the on-screen UI and get step-by-step instructions for pinning itself in the recent-apps list — a persistence trick that normally has to be hand-scripted per device manufacturer. GTIG's follow-up analysis found the backdoor's use of AI went further: an agent module that reads live device state and generates precise tap/gesture commands in real time, letting it adapt across devices without hardcoded logic. Unlike traditional malware that follows predetermined logic, PROMPTSPY reads the environment, reasons about what it finds, and decides what to do next.
Supply Chain Attacks on AI Infrastructure
npm supply-chain campaigns turned their sights on AI developer tooling in early 2026. The "SANDWORM_MODE" campaign, spread through typosquatted npm packages, planted rogue MCP servers into AI coding assistants like Claude Code, Cursor, and Windsurf — the injected servers registered innocent-looking tools whose descriptions contained hidden prompt-injection instructions telling the AI to silently read and exfiltrate SSH keys, AWS credentials, and other secrets.
Around the same time, the threat group TeamPCP compromised the CI/CD pipeline of Trivy (a widely used security scanner), then used stolen credentials to cascade into PyPI: two backdoored releases of LiteLLM (the open-source LLM gateway) shipped a multi-stage credential stealer, and a similar payload later hit the Telnyx package. This is the same supply-chain attack pattern that has plagued traditional software for years — just reaching into a newer, less mature ecosystem, and in this case exploiting the very security tools meant to prevent it.
The Langflow AI framework (CVE-2026-33017) also fell to an unauthenticated RCE that let attackers inject arbitrary Python into a public flow-build endpoint, exfiltrating database connections, cloud credentials, and environment configs. Exploitation began within about 20 hours of disclosure, and it was added to the CISA KEV catalog.
The Scale
Hadrian Security cataloged 70+ open-source AI pentest tools as of March 2026, most launched in the prior 18 months. The critical difference: these tools operate in parallel across an entire attack surface — they don't context-switch, lose findings, or deprioritize targets. The marginal cost of executing a known attack chain against a known target is trending toward zero.
State-sponsored actors are industrializing this. APT45 (North Korea) was observed sending thousands of automated prompts to iteratively analyze CVEs and validate PoCs. China-nexus actors experimented with datasets of 85,000+ real-world vulnerability cases to prime models for expert-level code analysis.
What Defenders Should Do
The fundamentals haven't changed — they just need consistent application:
- Patch promptly. Most exploited vulns had patches available. The Ghost CMS SQL injection (CVE-2026-26980) hit 700+ sites; patches existed.
- MFA everywhere. Doesn't prevent server exploitation, but makes stolen credentials — the most common initial access vector — significantly less useful.
- Network segmentation. Limits lateral movement when one system is compromised.
- Audit dependencies — including your security tools. The Trivy → LiteLLM chain shows that scanners and CI actions are now targets too, not just app dependencies. Pin versions, don't trust mutable tags, and use Dependabot or Snyk; keep WordPress plugins and themes updated.
- Treat AI coding assistants as part of your attack surface. Audit MCP server configs and tool descriptions the same way you'd audit a new dependency — SANDWORM_MODE proved that's now a live exfiltration path.
- Monitor for anomalies. Unusual outbound connections, logins from unexpected locations — you don't need a SOC to catch the basics.
Bottom Line
AI hasn't created a new category of cyberattack. It's compressed the timeline between vulnerability and exploitation, lowered the skill floor, and made attack chains adaptive. But it's also worth resisting the more dramatic framing: even in the most AI-heavy case documented this year, the attacker was still driving, reviewing, and correcting the loop by hand — AI made the loop faster, not autonomous. The defensive fundamentals still work — patch, segment, authenticate, monitor. The hardest targets aren't the most expensive defenses, but the most consistently applied ones.
Sources: Google Threat Intelligence Group, Sophos, ESET, Socket, Sysdig, Snyk, Arete, Hadrian Security, SANS, CISA, NetEye, Cofense, Sonatype.
Top comments (0)