This Week’s Pattern: AI Is Now Both the Weapon and the Target.
Two things happened this week that have never happened at scale in the same week before. A state-aligned threat actor was confirmed to be using commercial AI platforms — ChatGPT, Gemini — as active operational infrastructure for cyberattacks. And a malicious npm package was discovered engineered specifically to steal files from the Claude AI user directory — targeting the developers most likely to have AI platform credentials worth stealing.
The attack surface has split in two. AI is the weapon: GreyVibe is using LLMs to generate lures, adapt malware, and accelerate their kill chain in real time. AI is also the target: attackers are now hunting AI platform credentials the way they once hunted AWS keys and GitHub tokens. Enterprises deploying AI agents are caught in the middle — their developers are the attack surface for both vectors simultaneously.
Behind those headlines: GitHub confirmed 4,000 internal repos stolen. ShinyHunters claimed 48 million records across Carnival and Charter via social engineering. Multi-turn attacks broke every tested frontier model. And Verizon’s DBIR confirmed exploitation now accounts for 31% of initial access — up from 20% — as AI-assisted tooling compresses the exploitation window to hours. Here are the ten incidents that matter.
AI-Powered Offense
1 — GreyVibe: Russia-Linked Hackers Weaponize ChatGPT and Gemini at Operational Scale
A Russia-linked threat cluster tracked as GreyVibe has been systematically targeting Ukrainian entities using AI-generated lures and custom malware tooling. Researchers confirmed the group uses ChatGPT and Gemini as active operational infrastructure — not occasional aids, but structured components of their kill chain. GreyVibe generates convincing spear-phishing lures tailored to each target’s role, produces obfuscated malware variants at scale, and adapts tooling in real time as defenders update signatures. The group’s infrastructure shows evidence of automated prompt workflows: a systematic AI-augmented attack pipeline.
The phrase “AI democratizes attack capability” has been a prediction for three years. GreyVibe makes it a confirmed operational reality. When a state-aligned group generates bespoke phishing lures and fresh malware variants per target — updating them as EDR signatures catch the previous version — the assumption that your detection tooling “has signatures for this” fails by design. The offense is generative. Static signatures cannot pace an adversary that regenerates its toolkit continuously.
The commercial AI angle is significant. GreyVibe is using the same ChatGPT and Gemini accounts available to your developers. Content filtering at the model layer has demonstrably not prevented this. The constraint on AI-assisted attacks is now operational skill and targeting intelligence, not platform access.
How RuntimeAI Stops This
Signature-based detection loses to generative attacks. Behaviour-based enforcement does not — because attacker actions remain constrained regardless of how novel the tool:
- Discovery — behavioural baseline, not signature catalog: RuntimeAI’s Flow Enforcer builds per-workload behavioural baselines — what processes run, what networks they reach, what credentials they use. A novel AI-generated malware variant still deviates from workload baseline when it executes. The signature doesn’t matter; the behaviour does.
- Behavioural enforcement — execution context restrictions: KYA and Flow Enforcer constrain what any process — known or unknown — can execute, call, and access. An AI-generated payload cannot reach production credentials or pivot to adjacent systems without presenting a valid KYA identity for each step.
- Flow / egress control — AI inference endpoint gating: Outbound calls to AI inference endpoints not on the enterprise allowlist are blocked. A GreyVibe-style attacker attempting to run prompt workflows from inside victim infrastructure against a public AI API hits the egress policy — the generative loop is severed.
- Immutable audit trail — novel attack sequence detection: Audit Black Box records every action across the environment. AI-generated attacks produce novel execution sequences that stand out against behavioural history even without a matching signature, giving analysts the full sequence for containment and forensics.
The offense is generative. The defense has to be structural — RuntimeAI builds structure at the control plane level, not the tool level.
Supply Chain
2 — Malicious npm Package Engineered to Steal Files From Claude AI User Directory
Cybersecurity researchers discovered a malicious npm package engineered to exfiltrate files specifically from the Claude AI user configuration directory — targeting developer machines running Claude-based tools. Published as a plausible AI development utility, it was a credible install for the exact developers most likely to hold Claude API credentials. Once installed, it silently harvested Claude session files, API key configurations, and local memory artifacts, then exfiltrated them to an attacker-controlled endpoint. This is a new targeting pattern: supply chain attacks designed to harvest AI platform credentials, not generic developer secrets.
A stolen Claude API key provides access not just to inference — it provides access to agents, memory stores, connected tools, and every workflow those agents have been authorized to process. An AI platform credential is a skeleton key for every workflow the platform has been granted access to. The attacker who harvests Claude credentials inherits the agents’ full access scope and any enterprise data they can reach.
The targeting specificity is the tell: this package was written to look for the Claude directory specifically. This is the beginning of AI credential targeting as a deliberate attack category, separate from cloud key theft and browser credential harvesting.
Zero Trust · Defence in Depth
- Discovery — package provenance inventory: RuntimeAI’s NHI Security tracks every package pulled into developer environments with source, hash, and publisher signature. A new npm package not in the enterprise-approved registry is flagged before the first developer runs it — not after credentials are exfiltrated.
- Behavioural enforcement — developer workload sandboxing: KYA-issued developer identities constrain what npm postinstall hooks can access. AI platform credential stores, session files, and memory artifacts are protected from package installer processes — the payload has nothing useful to exfiltrate from inside the sandbox.
- Flow / egress control — credential file access restrictions: Flow Enforcer prevents processes spawned by package installers from reading AI platform configuration directories or calling non-allowlisted exfiltration endpoints. The stolen session token never reaches the attacker’s server.
- Immutable audit trail — package-install-time logging: Every package installation, postinstall hook execution, and resulting file access is recorded in the Audit Black Box. When the malicious package is identified, “which developers installed it and what did it touch” is answered in minutes.
AI platform credentials are now high-value targets. RuntimeAI ensures that even if a malicious package reaches a developer machine, the credentials it was built to steal are not accessible to it.
3 — AI Software Supply Chain Threats Escalate: JFrog Warns Pace Exceeds Enterprise Security Readiness
JFrog’s research warns that AI-driven development is accelerating software supply chain threats faster than organizations can secure them. AI coding assistants generate dependency pulls and build scripts with no security review visibility — creating what JFrog calls a “shadow dependency layer.” One in 12 AI-generated code suggestions references packages that either don’t exist (creating typosquatting targets for attackers) or carry known vulnerabilities disclosed after the model’s training cutoff. The gap between “what got installed” and “what was reviewed” is widening faster than any manual process can close.
AI coding assistants are not just autocomplete tools. They are de facto dependency managers operating without the governance controls that human dependency management has accumulated over a decade of supply chain incidents. The AI-generated shadow dependency layer is the new shadow IT — untracked, unreviewed, and expanding with every AI coding session.
Zero Trust · Defence in Depth
- Discovery — AI-generated dependency scanning: RuntimeAI’s NHI Security inventories every dependency in the codebase — including those introduced via AI code suggestions — against the enterprise-approved registry. The shadow dependency layer becomes visible before it becomes a vulnerability.
- Behavioural enforcement — CI/CD dependency gate: Flow Enforcer enforces a policy gate at the CI/CD pipeline: packages not in the last approved dependency manifest require explicit security review before build completion. AI-suggested packages that slip through local review hit the policy gate in the pipeline.
- Flow / egress control — package install destination restriction: Developer workstation egress policy restricts package installations to allowlisted registry mirrors that have been scanned. Typosquatted packages that don’t exist in the approved mirror cannot be pulled regardless of what an AI coding assistant suggested.
- Immutable audit trail — dependency provenance logging: Every dependency installed, every build artifact produced, and the full dependency tree at each build is recorded in the Audit Black Box. When a compromised package is discovered, the blast radius assessment — which builds included it, which deployments carry it — is immediate.
AI writes code faster than humans review it. RuntimeAI ensures supply chain controls operate at AI speed, not human review speed.
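A defender-side audit covering both items above (install hooks that reach for AI credential directories, and dependencies outside the approved registry), written here as an added example rather than RuntimeAI's or JFrog's own code; the packages, the script bodies and the allowlist are all constructed.

```python
"""Audit an npm package for the two supply-chain risks discussed above:
install-time lifecycle scripts that read AI-platform credential directories
or reach the network, and declared dependencies that are not in the
enterprise-approved registry (the "shadow dependency layer").
Added example: the packages, script bodies and allowlist are all constructed."""
import re

# Constructed approved-registry allowlist: package name -> approved versions.
APPROVED_REGISTRY = {
    "express": {"4.19.2", "4.18.2"},
    "lodash": {"4.17.21"},
}

# Credential locations an installer has no reason to read (constructed list;
# extend it with the directories your own AI tooling actually uses).
SENSITIVE_PATHS = [
    r"\.claude", r"Application Support/Claude", r"\.config/claude",
    r"\.openai", r"\.gemini", r"\.aws/credentials", r"\.npmrc", r"\.ssh",
]
NETWORK_CALLS = [r"https?://", r"\bcurl\b", r"\bwget\b", r"\bfetch\(",
                 r"\bhttps?\.request\(", r"child_process"]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def _hook_bodies(package):
    """Yield (hook, text) per lifecycle hook, inlining the body of `node <file>` targets."""
    for hook, cmd in package.get("manifest", {}).get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        text = cmd
        target = re.match(r"^\s*node\s+(\S+)", cmd)
        if target:
            text += "\n" + package.get("files", {}).get(target.group(1), "")
        yield hook, text


def audit_install_scripts(package):
    """Flag lifecycle hooks that touch sensitive paths and/or reach the network."""
    findings = []
    for hook, text in _hook_bodies(package):
        paths = sorted(p for p in SENSITIVE_PATHS if re.search(p, text))
        net = sorted(n for n in NETWORK_CALLS if re.search(n, text))
        if paths or net:
            # Reading a credential directory AND calling out is the exfiltration shape.
            severity = "high" if paths and net else "medium"
            findings.append({"hook": hook, "severity": severity, "paths": paths, "network": net})
    return findings


def audit_dependencies(package, approved=APPROVED_REGISTRY):
    """Flag dependencies outside the approved registry or pinned to unapproved versions."""
    findings = []
    for name, spec in package.get("manifest", {}).get("dependencies", {}).items():
        version = spec.lstrip("^~=")
        if name not in approved:
            findings.append((name, version, "not in approved registry"))
        elif version not in approved[name]:
            findings.append((name, version, "version not approved"))
    return findings


# Constructed package shaped like the one described above: a plausible
# "AI dev utility" whose postinstall script names the Claude user directory
# and a remote URL. The body is illustrative, not a working payload.
MALICIOUS_PACKAGE = {
    "manifest": {
        "name": "ai-dev-helper", "version": "1.0.3",
        "scripts": {"postinstall": "node setup.js"},
        "dependencies": {"express": "^4.19.2", "ai-prompt-cache-utils": "^2.1.0"},
    },
    "files": {"setup.js": "const dir = path.join(os.homedir(), '.claude');\n"
                          "fetch('https://collector.invalid/');"},
}

# Constructed benign package: an install hook that only prints, approved deps only.
BENIGN_PACKAGE = {
    "manifest": {
        "name": "express-app", "version": "0.1.0",
        "scripts": {"postinstall": "node -e \"console.log('ok')\"", "test": "jest"},
        "dependencies": {"express": "^4.19.2", "lodash": "~4.17.21"},
    },
    "files": {},
}

if __name__ == "__main__":
    for pkg in (MALICIOUS_PACKAGE, BENIGN_PACKAGE):
        print(pkg["manifest"]["name"], audit_install_scripts(pkg), audit_dependencies(pkg))
```

Pairing a check like this with npm's `ignore-scripts` setting stops lifecycle hooks from running during install at all, so the audit becomes a review gate rather than the last line of defence.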
Code Integrity
4 — GitHub Confirms Breach: 4,000 Internal Repositories Stolen by TeamPCP
GitHub confirmed that threat actor TeamPCP exfiltrated approximately 4,000 internal repositories. Internal repos at the platform hosting the world’s software supply chain represent categorically different risk than an ordinary corporate breach. Any secrets, tokens, signing keys, or vulnerability disclosures in those repos are now in attacker hands. GitHub Actions runner configurations in the stolen repos could enable downstream CI/CD attacks against millions of dependent projects — compounding this week’s supply chain theme: the delivery pipeline for global software just had 4,000 of its own internal repos taken.
When GitHub’s own internal repos leak, the question is not “what did attackers get.” The question is “what was in those repos that attackers can now use to compromise downstream targets.” Secrets. Undisclosed vulnerabilities. CI/CD runner configurations. Service account tokens. Any of these, extracted from 4,000 repos, could fuel a multi-year downstream attack campaign that looks like normal CI activity.
TeamPCP’s known targeting pattern prioritizes repos with downstream distribution value — where a single compromised signing key or Actions secret yields access to thousands of dependent projects. This is not opportunistic.
Why RuntimeAI Customers Are Protected
- Discovery — continuous secrets scanning across all repos: RuntimeAI’s NHI Security continuously scans every code repository for embedded secrets, tokens, and credentials. A GitHub breach yields the repo contents but not live credentials — because none are present to find. Secrets are detected and rotated before they can be exfiltrated.
- Behavioural enforcement — CI/CD identity pinning: Every CI/CD runner, GitHub Actions workflow, and automated pipeline is issued a KYA scoped credential with a declared purpose and expiry. Stolen runner tokens cannot escalate beyond the original declared scope — no lateral movement from “CI runner” to “production database.”
- Flow / egress control — Actions exfiltration prevention: Flow Enforcer monitors outbound traffic from CI/CD pipelines and blocks calls to non-allowlisted external destinations. Attacker-inserted Actions steps attempting to exfiltrate build artifacts are stopped at the network boundary.
- Immutable audit trail — repo-access and build provenance log: Every repository access, clone, API call, and build artifact is logged with the requesting identity and timestamp. When GitHub confirms a breach, RuntimeAI customers immediately determine whether any of their repos were among the 4,000, without waiting for GitHub’s disclosure timeline.
Your code repository is not just your IP. It is the key to your entire delivery pipeline. Govern what it can reach.
AI Model Vulnerability
5 — Multi-Turn Attacks Expose Ongoing Weaknesses Across Every Tested Frontier AI Model
A Cisco study found frontier AI models remain systematically vulnerable to multi-turn adversarial attacks — structured conversations probing for policy gaps across multiple exchanges rather than single-shot jailbreaks. Models that reject a direct harmful prompt in turn one will often comply when the same request is embedded in a plausible six-turn context-building conversation. Every tested frontier model showed measurable susceptibility at some point in the multi-turn attack sequence. The attack surface is the model’s contextual memory across a session, which can be manipulated to shift what it considers acceptable output over seemingly innocuous exchanges.
Multi-turn attacks are the adversarial technique that model alignment has consistently underweighted because they are expensive to simulate at training time. Building a realistic multi-turn attack requires profiling a specific model’s response patterns across many exchanges — something now automatable with the same AI tooling GreyVibe is using offensively. Every enterprise AI agent that processes user inputs across a session is a potential multi-turn attack surface.
Model-level content filtering is insufficient as a sole control. An agent that passes every red-team test in isolation may still be exploitable through a patient multi-turn conversation that any motivated user can construct.
How RuntimeAI Stops This
- Discovery — session-level anomaly profiling: RuntimeAI’s KYA module builds behavioural profiles for every agent interaction pattern, including multi-turn conversation sequences. Conversations exhibiting the context-building pattern characteristic of multi-turn attacks are flagged for review before the final turn extracts harmful output.
- Behavioural enforcement — output-independent policy enforcement: Flow Enforcer enforces what an agent is permitted to do regardless of what the model says it should do. Even if a multi-turn attack convinces the model to comply, the resulting tool call is validated against the agent’s declared scope before execution — the model’s output is not the final control boundary.
- Flow / egress control — session context limits: Policy enforces maximum conversation depth for agents with sensitive access scope. Sessions exhibiting extended context-building patterns with escalating specificity are automatically terminated — removing the conversational runway multi-turn attacks require.
- Immutable audit trail — full conversation provenance: Every conversation turn, including all inputs and model outputs, is recorded in the Audit Black Box. When a multi-turn attack is suspected, the complete sequence is available for forensic reconstruction, demonstrating exactly how the attack unfolded.
Model alignment is the first line of defense. Runtime enforcement is what keeps you safe when it fails — and the Cisco research confirms it will fail.
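The output-independent enforcement and session-depth limits described above, as an added example that is not RuntimeAI's code: every proposed tool call is validated against the agent's declared scope and a turn budget, whatever the model's text says. The scope, the tools and the six-turn conversation are constructed.

```python
"""Output-independent policy gate for an AI agent: every proposed tool call is
checked against the agent's declared scope and the session's turn budget before
execution, so a model talked into complying over several turns still cannot act
outside that scope. Added example; scope, tools and conversation are constructed."""
from dataclasses import dataclass, field
import re


@dataclass
class AgentScope:
    """Declared scope: allowed tools, each with a regex constraint per argument."""
    allowed_tools: dict               # tool name -> {arg name: pattern the value must fully match}
    max_turns: int                    # hard cap on conversation depth for this agent
    max_consecutive_denials: int = 2  # escalation threshold before the session is ended


@dataclass
class Session:
    scope: AgentScope
    turns: int = 0
    consecutive_denials: int = 0
    terminated: bool = False
    log: list = field(default_factory=list)   # every decision, for the audit trail

    def next_turn(self) -> bool:
        """Admit the next conversation turn, or terminate once the budget is spent."""
        if self.terminated:
            return False
        self.turns += 1
        if self.turns > self.scope.max_turns:
            self._terminate("turn budget exhausted")
            return False
        return True

    def check_tool_call(self, tool: str, args: dict) -> tuple:
        """Return (allowed, reason). The model's prose is never consulted, only the call."""
        if self.terminated:
            return False, "session terminated"
        constraints = self.scope.allowed_tools.get(tool)
        if constraints is None:
            return self._deny(tool, args, f"tool {tool!r} outside declared scope")
        for arg, pattern in constraints.items():
            value = str(args.get(arg, ""))
            if not re.fullmatch(pattern, value):
                return self._deny(tool, args, f"argument {arg}={value!r} violates constraint")
        self.consecutive_denials = 0
        self.log.append(("allow", self.turns, tool, args))
        return True, "within scope"

    def _deny(self, tool, args, reason):
        self.consecutive_denials += 1
        self.log.append(("deny", self.turns, tool, args, reason))
        if self.consecutive_denials >= self.scope.max_consecutive_denials:
            self._terminate("escalation pattern: repeated out-of-scope calls")
        return False, reason

    def _terminate(self, reason):
        self.terminated = True
        self.log.append(("terminate", self.turns, reason))


# Constructed scope for a support agent: single-order and product lookups and
# ticket replies only; never table exports, never customer PII.
SUPPORT_SCOPE = AgentScope(
    allowed_tools={
        "db.query": {"table": r"orders|products", "limit": r"[1-9]|[1-9][0-9]|100"},
        "ticket.reply": {"ticket_id": r"T-[0-9]{6}"},
    },
    max_turns=8,
)

# Constructed six-turn conversation: benign context-building, then the request
# the context was built for. Each entry is the tool call the model proposed
# after that turn (None when it only replied in text).
CONVERSATION = [
    None,
    ("db.query", {"table": "orders", "limit": 5}),
    None,
    ("ticket.reply", {"ticket_id": "T-004512"}),
    None,
    ("db.export", {"table": "customers", "format": "csv"}),  # out of scope at turn 6
]


def run_conversation(scope=SUPPORT_SCOPE, conversation=CONVERSATION):
    """Drive the gate over a conversation; return the per-call decisions and the session."""
    session = Session(scope)
    decisions = []
    for proposed in conversation:
        if not session.next_turn():
            break
        if proposed is not None:
            decisions.append(session.check_tool_call(*proposed))
    return decisions, session
```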
Data Breaches
6 — Carnival Cruise Data Breach: 6 Million Customers’ PII Exposed by ShinyHunters
Carnival Corporation, the world’s largest cruise operator, confirmed a data breach affecting nearly 6 million customers, claimed by ShinyHunters. Exposed data includes full names, addresses, passport numbers, booking histories, and financial account information. ShinyHunters used credential theft and API abuse against customer-facing systems to access the passenger database. The breach exposes Carnival to GDPR liability for European passengers, CCPA obligations for US residents, and the expected wave of booking-themed phishing campaigns targeting the 6 million affected individuals.
ShinyHunters’ operational pattern this week is instructive: Carnival (6M) and Charter (42M, incident #7) were both accessed via the human layer — credential theft and social engineering — rather than technical vulnerability exploitation. The most effective attack vector against large consumer data holders is not their technology stack. It is the governance of every identity with access to it.
Why RuntimeAI Customers Are Protected
- Discovery — customer data access inventory: RuntimeAI’s NHI Security and KYA maintain a continuous map of every identity — human and non-human — with access to customer PII databases, including the API services ShinyHunters exploited. Every access path is known before it is abused.
- Behavioural enforcement — anomalous bulk access detection: Flow Enforcer monitors access patterns to customer data stores. Bulk extraction of 6 million records via a legitimately authenticated API caller deviates sharply from baseline access patterns and triggers automatic suspension pending investigation.
- Flow / egress control — PII export restrictions: PII Shield enforces that customer data fields (passport numbers, financial data) cannot be exported in bulk through any API endpoint without explicit policy authorization. API abuse that extracts PII at scale is blocked at the data layer, not logged after the fact.
- Immutable audit trail — regulatory evidence chain: Every access to customer PII is recorded with full identity, timestamp, and data scope in the Audit Black Box. For GDPR and CCPA notification obligations, the breach scope is cryptographically provable, not reconstructed from log fragments.
Consumer PII databases are permanently on ShinyHunters’ target list. RuntimeAI ensures access to that data is governed, monitored, and documented at a level that makes bulk extraction both detectable and preventable.
7 — ShinyHunters Claims 42 Million Records Stolen from Charter Communications via Vishing
ShinyHunters alleged the theft of 42 million customer records from Charter Communications through a vishing attack that compromised an employee with privileged database access. Charter confirmed a cybersecurity incident. The vishing vector bypassed Charter’s technical controls entirely by targeting the human layer: an employee was socially engineered into providing their credentials over the phone. The same group claimed both this and the Carnival incident this week — suggesting a coordinated campaign against major consumer data holders using social engineering as the consistent initial access vector.
Vishing bypasses every technical control simultaneously: MFA, network segmentation, endpoint detection, and DLP all become irrelevant once a legitimate credential holder provides credentials voluntarily. The only compensating control that survives a vishing attack is one enforced at the data layer, independent of the credential used to access it.
Zero Trust, Layer by Layer
- Discovery — privileged access scope mapping: RuntimeAI’s KYA module continuously maps which identities hold privileged access to customer data stores, with minimum required scope documented. An employee whose role requires reading 1,000 records at a time does not hold credentials that can extract 42 million.
- Behavioural enforcement — anomalous session detection: A vishing attack produces a session legitimate at the authentication layer but anomalous behaviourally — the compromised employee suddenly accessing record volumes far outside their baseline. KYA detects the deviation and triggers step-up verification before the extraction completes.
- Flow / egress control — bulk export restrictions: PII Shield enforces hard limits on per-session record extraction volume, even for authenticated privileged users. 42 million records cannot be exported in a single session without separately authenticated, explicit policy authorization.
- Immutable audit trail — session behaviour reconstruction: Every query, export, and data access during the compromised session is recorded with full context in the Audit Black Box. The forensic reconstruction of a vishing-enabled breach is immediate and complete, not dependent on surviving log fragments.
Vishing will continue to work against enterprises that rely on perimeter and credential controls as their primary data protection. RuntimeAI enforces at the data layer, where the credential the attacker obtained becomes irrelevant.
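The data-layer control that the Carnival and Charter items both point to, as an added example rather than RuntimeAI's PII Shield: record reads are counted per session and checked against a role baseline and a hard cap, independent of how the session authenticated. The role policy, the sessions and the query log are constructed.

```python
"""Data-layer export guard: customer-record reads are counted per session and
checked against a role baseline (step-up verification) and a hard cap (suspend),
regardless of the credential used, so a valid credential handed over by phone
still cannot pull millions of rows. Added example; policy and log are constructed."""
from collections import defaultdict

# Constructed per-role policy: typical per-session volume and an absolute cap
# that only a separately authenticated bulk-export approval can lift.
ROLE_POLICY = {
    "support_agent":   {"baseline_p95": 1_000,  "hard_cap": 5_000},
    "billing_analyst": {"baseline_p95": 20_000, "hard_cap": 100_000},
}


class ExportGuard:
    def __init__(self, role_policy=ROLE_POLICY, deviation_factor=3.0):
        self.role_policy = role_policy
        self.deviation_factor = deviation_factor
        self.counts = defaultdict(int)   # records already returned per session
        self.verified = set()            # sessions that passed step-up verification
        self.bulk_approved = {}          # session -> approver who authorised bulk export
        self.suspended = set()
        self.events = []                 # decision log for the audit trail

    def approve_bulk(self, session_id, approver):
        """Record a separately authenticated bulk-export authorisation."""
        self.bulk_approved[session_id] = approver

    def confirm_step_up(self, session_id):
        """Mark a session as having passed step-up (re-)verification."""
        self.verified.add(session_id)

    def evaluate(self, session_id, role, rows):
        """Decide on a query that would return `rows` customer records: allow, step_up or deny."""
        policy = self.role_policy.get(role)
        if policy is None:
            return self._log(session_id, "deny", f"no policy for role {role!r}")  # fail closed
        if session_id in self.suspended:
            return self._log(session_id, "deny", "session suspended")
        projected = self.counts[session_id] + rows
        if projected > policy["hard_cap"] and session_id not in self.bulk_approved:
            self.suspended.add(session_id)
            return self._log(session_id, "deny", f"hard cap {policy['hard_cap']} exceeded; session suspended")
        if projected > self.deviation_factor * policy["baseline_p95"] and session_id not in self.verified:
            return self._log(session_id, "step_up", f"{projected} records vs baseline {policy['baseline_p95']}")
        self.counts[session_id] = projected
        return self._log(session_id, "allow", f"{projected} records this session")

    def _log(self, session_id, decision, reason):
        self.events.append((session_id, decision, reason))
        return decision


# Constructed query log: "session role rows". S-1 is a normal support session;
# S-2 has the shape of a compromised one, pulling 4,000 rows per query.
QUERY_LOG = """\
S-1 support_agent 40
S-1 support_agent 120
S-2 support_agent 4000
S-2 support_agent 4000
S-2 support_agent 4000
"""


def replay(log_text, guard=None, step_up_passes=True):
    """Replay log lines through the guard; return every decision taken and the guard."""
    guard = guard or ExportGuard()
    decisions = []
    for line in log_text.splitlines():
        session_id, role, rows = line.split()
        decision = guard.evaluate(session_id, role, int(rows))
        decisions.append(decision)
        if decision == "step_up" and step_up_passes:
            # The attacker holds the credential, so assume step-up is passed as well:
            # the hard cap is what actually stops the extraction.
            guard.confirm_step_up(session_id)
            decisions.append(guard.evaluate(session_id, role, int(rows)))
    return decisions, guard
```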
AI Agent Governance
8 — AI Agents Are Shifting Identity Security Budget Dynamics — New Omdia Research
New Omdia research confirms AI agents are the fastest-growing category of non-human identity in enterprise environments — and the category with the least governance coverage. AI assistants, IDE plugins, and agentic workflows quietly accumulate OAuth grants, service account bindings, and API credentials as they are deployed. Security teams with mature controls for human identities are discovering those controls don’t extend to agents that impersonate their humans, inherit their access, and operate at machine speed. Budget is beginning to shift toward AI-specific identity controls, but the governance gap is already years wide.
The Carnival and Charter breaches show what happens when human credentials are compromised — agent credential compromise has a wider blast radius because agents operate continuously, at machine speed, across every integration they have been granted. The Omdia finding that budget is “beginning to shift” means the industry is catching up to a problem accumulating for two years. Enterprises waiting for the budget cycle are already carrying years of ungoverned agent access exploitable today.
Why RuntimeAI Customers Are Protected
- Discovery — continuous agent identity enumeration: NHI Security and KYA continuously enumerate every AI agent — by team, tool, access scope, and the human whose credentials it inherited. Shadow agents that were never formally registered appear as the highest-priority items in the governance queue.
- Behavioural enforcement — scoped credentials, not inherited ones: RuntimeAI issues each agent a KYA credential with the minimum scope required for its declared purpose. Agents receive narrow, time-bounded, purpose-specific credentials — not broad human permissions that can be exploited if the agent is compromised.
- Flow / egress control — agent-to-resource policy enforcement: Flow Enforcer governs which agent can talk to which resource, with which payload, at what rate. A compromised or rogue agent cannot reach outside its declared scope regardless of what credentials it presents.
- Immutable audit trail — every agent action attributable: Audit Black Box records every decision, tool call, and API request made by every agent — attributed to the agent’s identity and its human authorizer. “We know exactly what the agent did and on whose authority” is the answer, not an estimate.
The identity perimeter of the enterprise now includes every AI agent it runs. RuntimeAI is the control plane for that perimeter — available today, not after the next budget cycle.
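The scoped-credential idea above, as an added example and not RuntimeAI's KYA implementation: an agent is issued a credential carrying its declared purpose, the minimum scope for that purpose, an expiry and the human who authorised it, and each resource access is checked against that credential rather than the human's permissions. The purpose catalogue, key and agents are constructed, and HMAC-SHA256 over canonical JSON stands in for whatever token format a real control plane would issue.

```python
"""Narrow, time-bounded, purpose-specific agent credentials in place of inherited
human permissions. Added example: purpose catalogue, key and agents are constructed;
HMAC-SHA256 over canonical JSON stands in for a real control plane's token format."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-control-plane-key"   # in practice held in a KMS/HSM

# Constructed purpose catalogue: declared purpose -> minimum scope it needs.
PURPOSE_SCOPES = {
    "triage-support-tickets": {"read:helpdesk.tickets", "write:helpdesk.replies"},
    "summarise-release-notes": {"read:github.releases"},
}

# The human the agent acts for may hold far more; the agent never inherits it.
HUMAN_GRANTS = {"alice": {"read:helpdesk.tickets", "write:helpdesk.replies",
                          "read:crm.customers", "admin:billing"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_credential(agent_id, purpose, authorizer, ttl_seconds, now=None, key=SIGNING_KEY):
    """Issue a credential scoped to the purpose, not to the authorising human."""
    now = int(time.time()) if now is None else now
    # Intersect with what the human may delegate so scope never exceeds either side.
    scope = PURPOSE_SCOPES[purpose] & HUMAN_GRANTS[authorizer]
    claims = {"agent": agent_id, "purpose": purpose, "scope": sorted(scope),
              "authorizer": authorizer, "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_access(token, action, resource, now=None, key=SIGNING_KEY):
    """Return (allowed, reason, claims); claims is None when the token is not trusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:                      # binascii.Error is a ValueError
        return False, "malformed token", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "credential expired", claims
    needed = f"{action}:{resource}"
    if needed not in claims["scope"]:
        return False, f"{needed} outside declared scope for purpose {claims['purpose']!r}", claims
    return True, f"allowed for {claims['agent']} on behalf of {claims['authorizer']}", claims
```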
Competitor Watch
9 — Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development
Microsoft open-sourced RAMPART — a red-teaming framework for testing AI agent security — and Clarity, a design-time tool for evaluating AI agent architecture against security properties. Both operate exclusively pre-deployment: RAMPART enables adversarial testing of agent tool-call sequences before production release; Clarity provides a framework for reasoning about agent permission scope at design time. The release is Microsoft’s first major public acknowledgment that AI agent security requires dedicated tooling beyond existing security products. Neither tool addresses runtime governance or behavioral enforcement in production environments.
Microsoft open-sourcing agent security tooling is a market signal: the world’s largest enterprise software vendor is publicly conceding that AI agent security is a distinct problem space. Their prior posture treated AI safety as primarily a model-alignment concern. The open-source release acknowledges that framing was insufficient.
Both tools are pre-deployment only. An agent that passes every RAMPART test before launch is still unprotected once deployed into a dynamic production environment where permission scopes drift, integrations are added, and adversaries conduct the multi-turn attacks documented this week. Design-time security properties do not remain valid at runtime.
Why RuntimeAI Customers Are Protected
- Discovery — continuous runtime inventory vs. pre-deployment snapshot: RAMPART tests what you know about the agent at build time. RuntimeAI discovers what the agent actually does in production — including new tool combinations and access paths that appear after deployment and after any testing cycle has concluded.
- Behavioural enforcement — live policy vs. static test: Clarity helps design agents with better security properties. RuntimeAI enforces those properties at every execution — catching the multi-turn attack that arrived after the last design review, not before.
- Flow / egress control — production traffic enforcement: RAMPART cannot model every adversarial input a deployed agent will receive. Flow Enforcer operates on every real input in real time, constraining what any input can cause the agent to do regardless of how it bypasses the model’s content filters.
- Immutable audit trail — production evidence vs. test reports: RAMPART produces pre-deployment test reports. Audit Black Box produces production evidence — cryptographically signed records of every agent action admissible in regulatory proceedings and available for continuous improvement beyond what any pre-deployment test can cover.
Pre-deployment testing is where AI agent security begins. Runtime enforcement is where it operates — and where enterprise security buyers are now budgeting.
Industry
10 — Verizon DBIR 2026: Exploit Volume Hits 31% of Initial Access — CERT-In Mandates 12-Hour Patching
The Verizon 2026 DBIR reports that vulnerability exploitation now accounts for 31% of initial access vectors in breaches — up from 20% the prior year. Median time to exploit after CVE publication continues to compress. CERT-In issued emergency guidance requiring 12-hour patching for internet-facing critical vulnerabilities, citing AI-assisted attack automation as the primary driver behind shrinking exploitation windows. Enterprises that fared best had compensating controls: zero-trust architecture and behavioral detection that caught attackers who arrived through unpatched vulnerabilities.
CERT-In’s 12-hour patching mandate reflects political pressure to respond — but most enterprise teams cannot achieve 12-hour patching for internet-facing systems without unacceptable operational disruption. The only sustainable response is to change what “unpatched” means — ensuring an unpatched vulnerability cannot reach the data and systems that actually matter. That is a zero-trust architecture problem, not a patch velocity problem.
Zero Trust · Defence in Depth
- Discovery — exploitability context per CVE: RuntimeAI’s Cloud Security module enriches every CVE with exploitability context — is the vulnerable service reachable externally, and what data can it access? An unpatched CVE in an isolated internal service carries different risk from the same CVE in an internet-facing service with database credentials. Patch prioritization reflects actual risk, not just CVSS score.
- Behavioural enforcement — assume-breach containment: KYA-issued credentials for every workload mean exploiting a vulnerability grants access to a contained execution environment, not the full enterprise. The blast radius is bounded to the compromised workload’s KYA credential scope.
- Flow / egress control — lateral movement prevention: Flow Enforcer’s per-workload egress policy means an attacker exploiting a public-facing vulnerability cannot pivot to internal services without presenting a valid KYA identity for each hop. Stolen scoped credentials cannot be used for lateral movement beyond their declared scope.
- Immutable audit trail — exploitation detection in real time: Audit Black Box records anomalous access patterns the moment exploitation occurs — before an attacker can cover their tracks. Behavioral anomalies from exploitation are detected without requiring a known CVE signature.
The vulnerability glut is structural and will not be resolved by mandate. RuntimeAI makes it operationally manageable by changing what successful exploitation actually yields for an attacker.
GreyVibe is using ChatGPT and Gemini to generate attacks. A malicious npm package was written specifically to steal Claude AI credentials. GitHub lost 4,000 repos that could fuel AI-assisted downstream attacks. Multi-turn attacks broke every tested frontier model. ShinyHunters hit 48 million records via credential theft and social engineering — the exact vectors that enterprise AI agents amplify when they inherit human credentials without governance.
The common thread: AI has entered both sides of the attack-defense equation simultaneously, and enterprises that treat AI security as a model-safety problem are missing the operational security problem already being actively exploited. GreyVibe doesn’t need to jailbreak a model to use AI offensively. The npm attacker doesn’t need to compromise a model to steal AI credentials. ShinyHunters doesn’t need AI at all — they just need the ungoverned access that AI agent deployments are creating.
RuntimeAI’s approach: continuous inventory of every AI agent and its access scope, behavioral enforcement at the control plane level regardless of what model output says, and immutable forensic records that make every agent action attributable. AI security is not a model problem. It is a governance problem — and it is being exploited right now.