AI Weakly #02 — AI moved decisively into the attacker's toolkit

AI Weakly is the weekly newsletter for those who make decisions on AI and security without time to waste. Every Tuesday: the facts that matter without the noise.

Issue #2

Top Story —

This week, AI moved decisively into the attacker's toolkit. Google confirmed the first 2FA bypass zero-day developed using AI for mass exploitation in the wild. At the same time, attackers compromised Mistral AI source code, OpenAI employee devices, and impersonated OpenAI's privacy filter to push malware to 244,000 users. The defensive narrative ("AI will help us find more bugs") and the offensive reality ("AI is finding bugs faster than you can patch") are now happening in parallel — and the offensive side has fewer regulatory and ethical brakes. The asymmetric advantage that AI was supposed to give defenders is being neutralized in real time.

Weakly Digest —

01 — First AI-generated 2FA bypass zero-day exploited in the wild
🔴 Threat intel — paradigm shift
Google disclosed that unknown threat actors used AI to develop a zero-day 2FA bypass for mass exploitation. This is the first confirmed wild use of AI for malicious vulnerability discovery and exploit generation reaching scale.
Editor's note: This is the moment a lot of us were warning about. Not "AI might help attackers someday" — it just did, against 2FA, the control we've been telling everyone to enable. Two consequences: time-to-exploit for new CVEs is going to compress dramatically, and 2FA implementations need a serious review for non-standard bypass paths. The cat-and-mouse just got faster on both sides.
Read on The Hacker News

02 — Cisco SD-WAN CVE-2026-20182 — CVSS 10.0, CISA KEV, active exploitation
🔴 Critical patch
A maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller is being actively exploited to gain administrative access. CISA added it to KEV with a May 17 deadline for federal agencies. The flaw affects peering authentication in both Controller and Manager components.
Editor's note: SD-WAN controllers are the new perimeter for most enterprises. An unauthenticated CVSS 10 on something this central means lateral movement to anything the SD-WAN touches — which in a distributed BPO or retail org is essentially everything. If your federal agency timeline is May 17, treat that as a generous benchmark for the private sector too.
Read on The Hacker News

03 — Mistral AI source code allegedly stolen, on sale on the dark web
🟣 AI supply chain
TeamPCP claims to have stolen Mistral AI source code and is attempting to sell it. The same week, malicious packages impersonating Mistral AI, Guardrails AI, and TanStack hit npm and PyPI as part of the Mini Shai-Hulud worm campaign.
Editor's note: When the IP of the model itself becomes the prize, the security posture of AI vendors becomes part of your supply chain risk profile. If your enterprise is using Mistral via API, this doesn't immediately affect you — but if you've been planning to self-host an open Mistral, your threat model just got more interesting. Also: model weights aren't just IP, they're potentially trojan-able.
Read on BleepingComputer

04 — Fake OpenAI Privacy Filter on Hugging Face — 244,000 downloads before detection
🟣 AI supply chain
A typosquatting repository impersonating OpenAI's Privacy Filter trended to #1 on Hugging Face and was downloaded 244,000 times before being identified as a Rust-based info-stealer targeting Windows. The attack used HF's trending feature to amplify reach.
Editor's note: Hugging Face has become the npm of AI models, which means it inherits npm's problems. The "244k downloads before detection" number is the headline, but the real lesson is that ML model procurement has the same supply chain risk as any open-source dependency — and most enterprise security teams aren't reviewing model repositories the way they review code packages. Time to add HF repos to your SBOM and dependency review process.
Read on The Hacker News

05 — OpenAI confirms breach in TanStack supply chain attack
🟢 Incident response done right
OpenAI disclosed that two employee devices were compromised in the broader TanStack supply chain attack affecting hundreds of npm and PyPI packages. The company rotated code-signing certificates for its applications as a preventive measure.
Editor's note: The positive story of the week — not the breach itself, but how OpenAI handled it. Public disclosure, certificate rotation, no spin. This is what mature incident response looks like, and it matters because attackers are increasingly going after AI vendor employees as a path to high-value targets. If your security team hasn't done a tabletop exercise for "what happens when our LLM provider gets breached," now is the moment.
Read on BleepingComputer

Also worth reading —

18-year-old NGINX RCE (CVE-2026-42945) actively exploited — patch even if you think you're not running it.
Tycoon2FA evolves to abuse Microsoft 365 device-code flows — bypasses traditional 2FA controls.
"Dirty Frag" Linux kernel privilege escalation showing limited exploitation across major distros.
Pwn2Own Berlin 2026 demonstrated 15 zero-days on Windows 11, Exchange, and RHEL — patches coming, plan compensating controls.