
May 2026: The Month the AI Security Window Closed From Months to Weeks

by lukasz | Jun 9, 2026 | Essays


A Senteri Briefing

Update — 9 June 2026. This briefing was written as a record of May, and it stands as written. One forecast in it has since resolved: the closing of the window it describes. On 9 June, Anthropic shipped Claude Fable 5 — the first publicly available Mythos-class model, with high-risk cybersecurity and biology queries rerouted to a weaker model — and alongside it Claude Mythos 5, the same training with some guardrails removed, for vetted Glasswing partners. The briefing's opening framed this as a seven-week collapse from "too dangerous to release" to broad availability; the actual span was about nine weeks, and the public model arrived as the safety-aligned Fable rather than Mythos itself. The thesis held: the window closed faster than any expert forecast, on nothing but its own logic. The text below is left as it was written in May, unaltered except for two date corrections noted in the sources.

The single number that describes May 2026 better than any other is seven. That is how many weeks passed between Anthropic announcing that its most capable frontier model, Claude Mythos, was too dangerous to release publicly — and announcing it would reach all customers anyway. Alex Stamos had estimated six months for that kind of capability to become broadly available. Palo Alto Networks said three to five. Reality took seven weeks. That gap between expert forecast and observed speed is not a footnote. It is the shape of the entire month, and it is the thing every defender should internalize before reading anything else here.

This is a briefing, not an inventory. May produced dozens of incidents; most were variations on a few underlying shifts. What follows is only the threads that carry a thesis — the ones that, taken together, describe a structural change rather than a busy news cycle. Each is self-contained: you do not need to follow a link or read another report to understand it. The pattern is the point.

The AI Zero-Day Is No Longer Theoretical

For two years the industry discussed AI-discovered zero-days as a future problem. On 11 May 2026, Google's Threat Intelligence Group (GTIG) reported the first documented case of an attacker using one in the wild — not in a lab, not in an academic paper, but staged for a planned mass-exploitation campaign. The exploit was a Python script that bypassed two-factor authentication in a widely deployed open-source web administration tool by abusing a logic flaw in the login flow: a trust assumption developers had embedded that let an attacker with valid credentials skip the 2FA check entirely. GTIG attributed authorship to a large language model based on tells in the code — tutorial-style "educational" comments no experienced operator would write, and a CVSS severity score the model invented rather than pulled from any real database. The vendor patched before the campaign launched.

The thesis here is narrow and precise, and it matters more than the headline. AI is not inventing new classes of attack. As Palo Alto's Lee Klarich put it, frontier models so far find new attacks, not new attack techniques. That is the limited good news — defenders can prepare for known categories. The bad news is the category these models excel at: semantic and logic flaws, the divergence between what a developer intended and what they actually implemented. GTIG's own description of the bug was that it looked functionally correct to traditional scanners but was strategically broken from a security standpoint. Static analysis tools pass right over that class of error. They have been effectively invisible for decades. An LLM reasoning about developer intent sees them. That is the real shift: not a new weapon, but a floodlight on a whole class of vulnerability that was always there and never findable at scale.
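To make that class of flaw concrete, here is a constructed illustration added to this briefing (not GTIG's exploit and not the affected tool's code; every name, the USERS table and the sample code value are made up): a login flow that grants the authenticated session state as soon as the password checks out and treats the second factor as an advisory flag, beside a hardened flow that creates the authenticated state only after the code is verified. The final function is the regression check a defender would keep: a valid password alone must never reach a protected route.

```python
# Constructed illustration of a 2FA-step logic flaw and its fix (hypothetical code, not any real product's).
import hmac

USERS = {"alice": {"password": "correct horse", "totp": "492816"}}  # constructed sample data

def _password_ok(user, password):
    record = USERS.get(user)
    return record is not None and hmac.compare_digest(record["password"], password)

def _code_ok(user, code):
    return hmac.compare_digest(USERS[user]["totp"], code)

# --- Vulnerable flow: functionally correct to a scanner, broken against developer intent ---
def vulnerable_login(session, user, password):
    if _password_ok(user, password):
        session["user"] = user        # authenticated state granted here, before the second factor
        session["needs_2fa"] = True   # 2FA tracked only as a flag nothing downstream enforces
        return "prompt_2fa"
    return "denied"

def vulnerable_verify_2fa(session, code):
    if _code_ok(session["user"], code):
        session["needs_2fa"] = False
    return "retry" if session["needs_2fa"] else "ok"

def vulnerable_protected(session):
    # Trust assumption: any session that names a user is fully authenticated.
    return "granted" if "user" in session else "denied"

# --- Hardened flow: authenticated state exists only after the second factor is verified ---
def hardened_login(session, user, password):
    if _password_ok(user, password):
        session["pending_user"] = user   # partial state only; grants nothing
        return "prompt_2fa"
    return "denied"

def hardened_verify_2fa(session, code):
    user = session.get("pending_user")
    if user and _code_ok(user, code):
        session.clear()
        session["user"] = user           # the one place authenticated state is created
        return "ok"
    return "retry"

def hardened_protected(session):
    return "granted" if "user" in session else "denied"

def access_without_2fa(login, protected, user, password):
    """Regression check: log in with a valid password, then hit a protected route without 2FA."""
    session = {}
    login(session, user, password)
    return protected(session)
```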

The capability was confirmed by its defensive twin in the same window. depthfirst's autonomous AI analysis system found an 18-year-old critical heap-overflow in NGINX's rewrite module — software that runs roughly a third of the world's websites, audited by thousands of engineers since 2008 — in about six hours of scanning. Disclosed publicly on 13 May as NGINX Rift (CVE-2026-42945, CVSS 9.2), it saw confirmed active exploitation within days. Same technology, same window, opposite chairs at the table. As Illumio's chief executive framed the month: AI has erased the lag between when a vulnerability is discovered and when it can be exploited. Attackers and defenders now both move at machine speed.

Glassworm: The Operation That Was the Real Background of the Month

On 26 May at 14:00:00 UTC, CrowdStrike, Google, and the Shadowserver Foundation severed all four command-and-control channels of the Glassworm botnet simultaneously — the Solana blockchain, BitTorrent's distributed hash table, Google Calendar event titles, and commercial VPS servers. One second of execution; months of preparation. Simultaneity was the whole game: Glassworm's operators had built deliberately redundant, takedown-resistant infrastructure (C2 addresses encoded in immutable Solana transaction memo fields, configuration data keyed to the BitTorrent DHT), so hitting one channel would simply let them rebuild from the others. All four had to fall at once.

What the takedown revealed is the thesis. Glassworm had been operating since at least early 2025, systematically compromising developers through every channel they use to distribute software — malicious VS Code and OpenVSX extensions that stole crypto wallets and developer credentials, then poisoned GitHub repositories and npm packages, turning infected machines into criminal proxy nodes. Throughout May the security community had been writing up individual supply-chain incidents as if each were a discrete event. The takedown showed that a meaningful share of them were limbs of one sustained, months-long operation that nobody had connected in real time.

That is the lesson worth carrying forward: the software supply chain in 2026 is not an attack vector, it is criminal infrastructure. Discrete incidents that look unrelated this month routinely turn out, a month later, to have shared a common operator. Treat clusters of supply-chain compromises as probably connected until proven otherwise — that is now the correct prior, not paranoia.

TeamPCP: From Campaign to Operating Model

The clearest illustration of supply-chain-as-infrastructure is TeamPCP, the threat actor behind the Mini Shai-Hulud worm campaign (the name, like the rest of its infrastructure, drawn from the sandworms of Dune). Across late April and May, TeamPCP moved through the dependency layers of modern software like someone walking through unlocked rooms. A 48-hour window on 29–30 April reached roughly 1,800 developer repositories across npm, PyPI, and Packagist/Composer simultaneously — the first time both major registries were hit in a single coordinated operation. An 11 May wave compromised TanStack, publishing 84 malicious versions across 42 packages, and — a genuine first — those malicious packages carried valid SLSA Build Level 3 provenance attestations. The integrity control meant to certify a package was trustworthy certified the malware instead. The same chain reached OpenAI and Mistral AI. It culminated in a GitHub breach via a poisoned Nx Console extension that was live on the marketplace for minutes and ended with thousands of internal repositories exfiltrated.

The mechanism is the thesis. Endor Labs summarized it in one line: each attack yielded credentials that unlocked the next target. TeamPCP is not a hacking group in the traditional sense — it is an operating model: automated generation of access, monetization through partnerships and extortion, decentralized infrastructure, and, in mid-May, a deliberate decision to publish the worm's full source code publicly with a bounty for whoever could run the largest attack with it. A model like that survives any attempt to neutralize it, because it depends on neither specific people nor specific infrastructure. You cannot arrest an operating model. The defensive implication is that provenance and attestation, the controls the industry spent years building toward, are necessary but no longer sufficient — a valid signature now tells you a build pipeline ran, not that the result is safe.

Vulnpocalypse: Discovery Has Detached From Remediation

The word the industry coined for May is vulnpocalypse, and it names a structural asymmetry, not a single bad month. Palo Alto Networks, one of the few organizations with early access to frontier cyber models, scanned more than 130 of its own products and found 75 legitimate vulnerabilities in roughly five weeks — against a normal baseline of about five per month, a sevenfold jump, with none previously exploited. Microsoft's agentic bug-hunting system MDASH found 16 of the vulnerabilities in a single record-setting Patch Tuesday. Mozilla shipped 423 Firefox fixes in one cycle, nearly twenty times its monthly average, with one frontier model alone accounting for 271 of them. Klarich's framing was blunt: they are re-scanning everything from scratch because the models are better than they realized — and they estimate a three-to-five-month window before the same capability reaches attackers.

Here is why this is structural and not transient. AI accelerates discovery dramatically and almost for free. Remediation remains bound by humans, processes, and organizational inertia — the same constraints it has always had. NIST has already acknowledged it cannot keep pace with the National Vulnerability Database backlog. Mandiant's M-Trends 2026 documented a negative median time-to-exploit — attackers arriving before the patch ships. CERT-In responded with a regulatory 12-hour patching window. IBM and Red Hat announced a multi-billion-dollar program to industrialize patching at scale. All of these are responses to the same gap, and the gap widens every time discovery gets cheaper while fixing stays expensive. Vulnpocalypse is not the name of a month. It is the name of a curve.

AI Infrastructure Is Now the Front Line, Not Just the Weapon

The final thread reframes where the risk lives. Through May, the tools and platforms that run AI became targets in their own right — not infrastructure that supports attacks, but the objective itself. The local AI inference stack drew sustained fire: llama.cpp, the foundation under Ollama, LM Studio, and dozens of other tools, accumulated five CVEs in five months, including an unauthenticated critical-severity flaw. A widely deployed AI bot framework racked up 34 CVEs in half a year across hundreds of thousands of exposed instances. Browser extensions, profile-photo upload paths, and token-rotation assumptions all turned out to be exploitable entry points into AI tooling.

The month closed on the sharpest signal of the shift: the first known npm package designed specifically to steal files from an AI assistant's working directory — malware that targets not the user of an AI but the data the AI manages. That is the thesis in one artifact. The attack surface is moving up the stack, from the human operator to the autonomous agent and the workspace it controls. As AI systems take on more agency — reading files, executing tasks, holding credentials and context — they become the highest-value target precisely because of what they can reach. Defenders who still model AI tools as productivity software rather than as privileged infrastructure are defending the wrong perimeter.

What to Carry Out of May

Three observations will stay true through the rest of 2026 regardless of what any given month brings.

AI finds the flaws scanners never could. It is not inventing new attack techniques — it is seeing the logic and semantic errors, the gaps between intent and implementation, that structural tools are blind to by design. That class of vulnerability has been sitting in production code for decades. It is findable now, by both sides.

The supply chain is infrastructure, not a vector. Treat clusters of seemingly separate supply-chain incidents as probably connected. Glassworm proved that the discrete events of one month can be the visible surface of a single operation that began far earlier. Provenance proves a pipeline ran, not that the output is safe.

The window is weeks, not months. Mythos went from "too dangerous to release" to "available to all customers" in seven weeks. The AI zero-day is already in the wild. The distance between capabilities held by a vetted few and capabilities available to everyone collapsed in May faster than anyone forecast — and there is no structural reason to expect it to reopen. Plan for the gap between offensive capability and broad availability to be measured in weeks. Every defensive timeline built on the assumption of months is already behind.

Sources

The AI zero-day (GTIG) and NGINX Rift

Glassworm takedown

TeamPCP / Mini Shai-Hulud

Vulnpocalypse

The seven-week window (Claude Mythos rollout) — and its 9 June resolution
