Jordan: For the first time ever, a threat actor used AI to develop a working zero-day exploit and deploy it in the wild. That's not a prediction. That's not a research paper. That happened. Welcome to a different threat landscape.

Alex: This is Cleartext for Tuesday, May 12, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering the AI-developed zero-day that just changed attacker capability assumptions, a supply chain worm hitting AI and dev tool packages you're probably running right now, Instructure paying ransom to ShinyHunters while Congress opens an investigation, GM's record-breaking CCPA penalty that every data monetization program should be reading carefully, major layoffs at Cloudflare and Arctic Wolf, a nearly two-year dwell time inside a UK water utility, a second severe Linux kernel privilege escalation in two weeks, and a new industry coalition trying to fill the federal cybersecurity vacuum. A lot of ground. Let's get into it.

Alex: Start with the big one. Google's Threat Intelligence Group confirmed the first known instance of AI being used in the wild to develop a zero-day exploit — specifically a 2FA bypass targeting a popular open-source web administration tool. This wasn't a nation-state. It was financially motivated cybercrime actors. And Google caught it before mass exploitation occurred. Jordan, you've been sitting with this one overnight. What's the actual significance here?

Jordan: The significance is capability compression. The conventional wisdom has been that developing a working zero-day requires deep expertise, time, and resources — which effectively limited that capability to well-funded threat actors. Nation-states, sophisticated APTs. What this confirms is that AI is collapsing that barrier for financially motivated criminals. We've been saying AI would democratize offensive capability for two years. Now we have the evidence.

Alex: And the board-level translation is this: your threat model has been built on assumptions about attacker timelines and resources that are no longer valid. The gap between a sophisticated adversary and a competent criminal group just got a lot smaller. Google caught this one. You may not catch the next one before mass exploitation.

Jordan: The 2FA component is worth sitting with too. Organizations that have been treating MFA as a near-complete control for account compromise need to revisit that assumption. If attackers are using AI to find novel bypasses in authentication infrastructure, the risk calculus on identity security just shifted.

Alex: The honest ask for CISOs right now is to go back to your threat model assumptions and explicitly ask: which of these are predicated on attacker capability timelines that AI may have already invalidated? That's the exercise.

Jordan: Pivot to supply chain, because Mini Shai-Hulud is the other story demanding immediate attention. The TeamPCP threat actor — same group behind the Checkmarx Jenkins plugin compromise — has now compromised hundreds of npm and PyPI packages from TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The malicious packages contain obfuscated JavaScript that profiles the execution environment and steals credentials.

Alex: If you have development teams, and you do, this requires an immediate check. Software composition analysis controls, package integrity verification — if you don't have those in place, you're essentially trusting that everything in your dependency tree is clean. This campaign demonstrates it isn't. The TeamPCP pattern is also telling. This is the same actor, methodical, targeting the tooling developers trust most.

Jordan: The AI package targeting is deliberate. Mistral AI, Guardrails AI — these are tools organizations are actively integrating right now as part of AI adoption. Attackers go where the new deployments are. Your AI build pipelines are a fresh attack surface and not everyone has caught up on securing them.

Alex: Moving to Instructure and the Canvas breach. This one has multiple dimensions. ShinyHunters stole 3.65 terabytes of data from 8,800-plus school systems across two separate incidents. Instructure paid ransom and reached an agreement involving so-called return and destruction of the data. Congress has now announced a formal investigation.

Jordan: Let's be direct about the data destruction claim. There is no reliable mechanism to verify that stolen data has been destroyed. Every ransom payment made on the basis of that assurance is a bet, not a guarantee. The fact that Instructure is now framing this as an agreement doesn't change the underlying reality.

Alex: From a board discussion standpoint, this is a case study to bring into your next tabletop. The congressional investigation is significant because it signals that ransom payment decisions are becoming a matter of legislative scrutiny, not just regulatory reporting. CISOs and general counsel need to be aligned now on what your organization's payment posture is, under what legal framework, and who has authority to make that call.

Jordan: If you're using Canvas across your organization for learning management or any third-party dependency, this is also a supply chain due diligence question. 8,800 affected institutions means downstream exposure across a very wide ecosystem.

Alex: The GM settlement deserves attention because it's the largest CCPA penalty in the law's history — $12.75 million. The allegation is straightforward: GM sold driver location and behavioral data to brokers without meaningful consent while publicly claiming otherwise. They made approximately $20 million on the data sales. The economics of that trade-off are now visible.

Jordan: Revenue minus settlement equals eight million dollars, and that's before legal costs, reputational damage, and the regulatory scrutiny that follows. The enforcement signal here is important. California is willing to go to the largest fine in CCPA history. That posture will influence other state AGs.

Alex: Any CISO whose organization monetizes telemetry data — connected vehicles, IoT devices, wearables, smart infrastructure — needs to conduct a full audit of what's being collected, how it's being shared, whether consent flows are actually defensible, and whether the revenue justification survives the regulatory risk calculus. This is a business conversation, not just a compliance checkbox.

Jordan: On the vendor landscape. Cloudflare cut 1,100 people — roughly 20 percent of staff. Arctic Wolf cut 250. Both framed it as AI-driven restructuring. CISOs who depend on either of these vendors should be asking two specific questions: what service tiers or support functions were cut, and does your contract guarantee service levels regardless of internal headcount decisions?

Alex: Vendor concentration risk is real. When a security vendor cuts a fifth of its workforce and calls it an efficiency play, you need to pressure-test that narrative against your actual service experience over the next quarter. Put it in your vendor review calendar.

Jordan: South Staffordshire Water. Cl0p maintained persistence inside that network for nearly two years. ICO fined them £963,900 and cited missing MFA, unpatched systems, and inadequate monitoring. For any CISO managing critical infrastructure, read the ICO's findings as a regulatory checklist, because that is exactly how your regulator will evaluate you after an incident.

Alex: The dwell time is the number that should keep you up at night. Not the breach itself — the nearly two years of undetected access. That's a detection and monitoring failure, and regulators in the UK and increasingly in the US are treating detection capability as a compliance expectation, not just a best practice.

Jordan: Dirty Frag. Second severe Linux kernel privilege escalation vulnerability in two weeks, found in the same code area as Copy Fail. Local privilege escalation to full administrative control. May be under limited exploitation now. Production patches are rolling out.

Alex: The pattern here matters as much as the individual vulnerability. Two serious bugs in the same kernel subsystem in two weeks suggests a code quality problem in that area, not random bad luck. Prioritize patching across your Linux server estate, cloud workloads, and container infrastructure. If you're running anything with untrusted local users — shared systems, developer environments — treat this as urgent.

Jordan: And finally, the Alliance for Critical Infrastructure — a new industry coalition aimed at reshaping how the US plans for major cybersecurity crises. Formed explicitly in response to reduced federal engagement on cybersecurity.

Alex: The honest read is that industry is attempting to institutionalize coordination that used to live in federal agencies. Whether that produces real crisis planning capability or becomes a lobbying vehicle depends entirely on its governance structure and operational commitments. CISOs in energy, water, finance, and healthcare should watch whether this coalition produces substantive crisis planning frameworks or press releases.

Alex: The week's theme is acceleration across every axis. AI accelerating attacker capability. AI reshaping vendor workforces. Regulatory enforcement accelerating on data privacy. Threat actors accelerating their exploitation of new attack surfaces like AI packages. The comfortable assumption that defenders have adequate time to respond to any of these shifts is the assumption most in need of scrutiny right now.

Jordan: The AI zero-day story is the one I'll be watching develop. Google stopped this instance. The vulnerability was disclosed responsibly. But the underlying dynamic — criminals using AI to find and weaponize vulnerabilities at scale — doesn't go away. The next one may not be caught pre-exploitation. Your detection and response capabilities need to be calibrated for that possibility.

Alex: That's Cleartext for Tuesday, May 12. Show notes and links to every story we covered today are at cleartext.fm. We'll be back tomorrow. Stay sharp.