Jordan: This week, AI stopped being a thing we worry about in the abstract. It became the actual threat. The actual weapon. And the actual attack surface — all in the same seven days.

Alex: Welcome to Cleartext. I'm Alex Chen. It's Saturday, May 16th, and this is your Week in Review — the episode for every CISO who was heads-down all week and needs to know what actually mattered before Monday morning. If you missed the daily episodes, we've got you. Here's what we're covering today: the week that AI offense went operational, a supply chain attack that hit AI toolchains at scale, critical infrastructure vulnerabilities that demand immediate action, and the governance frameworks trying to keep pace with all of it. A lot happened. Let's make sense of it.

Jordan: Let's start where we have to start, which is the AI capability story, because it sets the context for almost everything else this week. On Tuesday, two independent research teams published findings showing that Anthropic's Claude Mythos Preview and OpenAI's GPT-5.5 didn't just improve on autonomous cyber capability benchmarks — they broke them. Blew past every trend line researchers were tracking. And the uncomfortable part isn't just the number. It's that the researchers themselves don't know if this is a one-time jump or the new baseline. The House Homeland Security Committee pulled Anthropic in for a closed briefing. When Congress goes closed-door on a model's cyber risks, that tells you something.

Alex: And here's the thing that should land for every CISO in our audience: this isn't a research problem anymore. The same week those studies dropped, Google confirmed the first known instance of threat actors — not nation-states, cybercriminals — using AI to discover and weaponize a zero-day in the wild. A 2FA bypass. Deployed for mass exploitation. That's the moment everyone in this industry has been both predicting and quietly hoping wouldn't arrive so soon. It arrived.

Jordan: What makes that Google disclosure so significant isn't just the technical fact of it. It's the democratization signal. Nation-state actors having advanced capabilities — that's been true for years. We build around that. But when cybercrime groups can use AI to find and weaponize a zero-day against authentication infrastructure? Your threat model just changed. The timeline between vulnerability existence and weaponized exploit just compressed dramatically, and your vulnerability management SLAs were written for a different world.

Alex: Which connects directly to Patch Tuesday this week, because Microsoft patched 138 vulnerabilities — including 30 critical — and notably, 16 of those Windows flaws were found by Microsoft's own MDASH AI system. Let that sink in: AI is now finding bugs at a rate that's pushing patch volumes to near-record levels industry-wide. Apple, Google, Mozilla, Oracle — all near-record updates this month. The AI finding vulnerabilities story cuts both ways. Defenders are using it too. But the velocity problem is real. Your teams are being asked to triage and patch faster than the human capacity to do it.

Jordan: And then there's the BitLocker zero-day that came out of Pwn2Own Berlin this week. A bypass of default Windows 11 BitLocker encryption. Microsoft says it's investigating, and we don't have the mechanism yet. But default BitLocker is the data-at-rest story that most enterprises are telling their boards. If you're relying on that as your primary control for device theft or physical access scenarios, you need compensating controls now. Don't wait for the patch.

Alex: Let's move to the supply chain theme, because this week was genuinely alarming on that front, and the stories connect in ways that matter. The headline is the Mini Shai-Hulud worm — a campaign by a threat actor called TeamPCP that compromised 172 npm and PyPI packages. We're talking TanStack, Mistral AI, OpenSearch, Guardrails AI. The worm steals AWS keys, SSH keys, GitHub personal access tokens, password manager data — and here's the detail that should keep you up at night — it specifically targets AI agent MCP server auth tokens. And it persists after you remove the package. It installs hooks in Claude Code and other AI agent configurations. Removing the package doesn't clean the infection.

Jordan: And then node-ipc got hit separately this week. Same vector, different campaign. A widely-used inter-process communication package, credential-stealing malware injected into three versions. RubyGems suspended new account sign-ups because of a parallel malicious package campaign running at the same time. This wasn't a coincidence of timing. The attacker community has concluded that developer toolchains are the highest-yield target in the enterprise right now.

Alex: The confirmation of that is the OpenAI disclosure. Two of their own employees had devices compromised through the TanStack supply chain attack. OpenAI — an AI-native organization with presumably strong security culture — still had developer endpoints fall to this. They rotated code-signing certificates, they say no user data or production systems were affected. But the point for our audience is: if it happened to them, your developer population is not immune. Package provenance lockdown, dependency pinning, automated scanning — these aren't nice-to-haves anymore.

Jordan: While we're on breaches, Foxconn confirmed that Nitrogen ransomware hit their North American factories this week. Eight terabytes of data, eleven million files, disrupted manufacturing operations. The twist for CISOs at companies that use Foxconn — and that's Apple, Google, Nvidia, a significant portion of the tech industry — is that the group claims the stolen data belongs to Foxconn's top customers. That's your IP, your designs, your supply chain documentation. You didn't get breached directly. But your data did.

Alex: Six hundred ransomware attacks on manufacturers so far in 2026. That's not a Foxconn story. That's an operational technology and third-party risk story. The question your board is going to ask is: what would we know, and how fast, if one of our top ten contract manufacturers got hit? If you don't have a crisp answer to that, now is the time to build one.

Jordan: Turla is also worth flagging this week, even though it may feel like a nation-state problem for someone else. The Russian FSB-linked group has evolved its Kazuar backdoor into a modular peer-to-peer botnet — designed specifically for stealth and persistence. CISA is attributing this to Center 16 of the FSB. If you're in government contracting, defense, critical infrastructure, or any sector adjacent to those — your threat model for this actor just got updated. Modular and P2P means it's harder to detect, harder to eradicate, and designed to stay.

Alex: Let's hit the governance layer, because there were meaningful developments there too. The Cisco SVP story from RSAC was blunt in a way that's useful. Anthony Grieco said flat out: rogue AI agent incidents are happening regularly across their customer base. And the failure pattern is specific — authentication passes, but agents access data they were never scoped to touch. The authorization problem in agentic AI is real and it's happening now. Eighty-five percent of enterprises are running agent pilots. Five percent are in production. That eighty-point trust gap exists because the IAM architecture for non-human identities at machine speed doesn't exist yet in most organizations.

Jordan: The G7 released an SBOM for AI framework this week, seven key data clusters for AI supply chain transparency. Timely, given everything we just described. It's not binding. But G7 guidance has a way of becoming regulatory baseline faster than most CISOs expect. If you're not already thinking about AI SBOM requirements in your procurement contracts, start now. This week gave you a very concrete reason why.

Alex: And the Instructure story is the cautionary tale of the week. Canvas — the learning management platform used by thousands of schools — paid ShinyHunters a ransom after a breach exposed children's educational data. The House Homeland Security Committee sent a formal inquiry letter the same day. Security experts are pointing out the obvious: ransomware groups routinely break their data destruction promises. You pay, you get a receipt, and the data is still on their infrastructure. Instructure now has the breach, the ransom payment, the Congressional attention, and the liability exposure — all simultaneously. The ransom didn't buy them out of any of it.

Jordan: Brief word on the market, because the dollars this week tell you something. OpenAI launched Daybreak — a cybersecurity initiative partnering with Cloudflare, Cisco, and CrowdStrike to use frontier models for vulnerability detection and patch validation. The AI companies are now entering the security market directly, not just as tools but as vendors. Akamai paid two hundred and five million for LayerX to extend zero trust into the browser, specifically to govern ungoverned GenAI usage. Exaforce raised a hundred and twenty-five million Series B at a seven hundred and twenty-five million valuation — three years old. Investment in security startups is outpacing M&A by over a billion dollars in Q1 alone. Capital is chasing the AI-speed threat problem. Whether the products are ready to solve it is the question CISOs have to answer for themselves.

Alex: Two urgent action items before we go to the summary. Cisco SD-WAN: CVE-2026-20182, CVSS ten point zero, authentication bypass, actively exploited, CISA KEV, two-day remediation deadline. This is the second maximum-severity Cisco SD-WAN zero-day exploited this year. If you run Cisco Catalyst SD-WAN on-prem or in cloud, you patch this weekend. Full stop. Exchange Server: CVE-2026-42897, actively exploited, no permanent patch available. Microsoft has temporary mitigations. Exchange Online is not affected. On-prem Exchange 2016, 2019, and Subscription Edition are. Apply the mitigations now.

Jordan: So what was this week? If you had to name it. I'd say this was the week the AI threat model became empirical. We've had theoretical concerns about AI-enabled attacks for years. This week we got: benchmark-breaking autonomous capability confirmed by two independent studies, the first confirmed AI-developed zero-day exploit deployed in the wild, a supply chain worm that specifically targets AI agent auth tokens, and a Congressional briefing on a model's cyber risks. That's not theoretical anymore. That's the threat landscape as it actually exists.

Alex: From a CISO standpoint, the defining characteristic of this week is the compression of every timeline you've built your program around. Patch windows, detection windows, response windows — AI on offense compresses all of them. And AI on defense is the answer, but only if you're investing in it deliberately. The CISOs who walk into their board meetings next week with a clear-eyed view of that asymmetry — and a plan to address it — are going to be ahead of this. The ones who are still treating AI as a future-state concern are behind it.

Jordan: Going into next week, watch for follow-on attribution on the 2FA zero-day exploit. Watch for Congressional action following the Anthropic briefing — that could move fast. And watch your developer endpoints. The supply chain attack wave is not over.

Alex: That's the week. The daily show returns Monday. If you want show notes, links to every story we discussed, and our full archive, head to cleartext.fm. We'll see you Monday morning.