May 2026 highlighted how cyber threats are expanding beyond isolated breaches into attacks on software ecosystems, AI platforms, operational technology, and trusted infrastructure. Over the past month, threat actors targeted open-source supply chains, manufacturing operations, and industrial systems while governments accelerated efforts to strengthen cyber resilience and Zero Trust adoption across critical infrastructure sectors.
Several of the month’s largest stories reinforced a growing shift in cyber operations. Attackers are increasingly abusing trusted identities, developer environments, and software distribution channels, while AI is rapidly accelerating vulnerability discovery, exploit development, and attack customization across the software ecosystem.
Supply Chain Attacks Continue to Escalate
One of the most significant stories this month involved the Shai-Hulud supply chain campaign, which compromised hundreds of npm packages connected to the TanStack ecosystem. The attack impacted organizations including OpenAI, Mistral, and UiPath after attackers targeted GitHub credentials and CI/CD environments.
The situation escalated further when actors linked to the campaign publicly released the worm’s source code online and encouraged copycat attacks. Researchers warned the release could trigger a wave of new software supply chain compromises across open-source ecosystems.
The campaign reinforced that software supply chain security is increasingly an identity and access control problem. Zero Trust controls such as continuous verification, least-privilege access, short-lived credentials, and segmentation between developer and production environments can help limit the spread of attacks once developer accounts or CI/CD systems are compromised.
AI Is Scaling Cyber Operations
AI is rapidly becoming an operational tool for cybercriminals. Google researchers warned that threat actors are building infrastructure designed to bypass AI platform safeguards and automate malicious activity at scale.
Researchers observed attackers using automated account creation, proxy systems, and middleware to maintain anonymous access to premium AI models. Security teams also reported threat actors using AI systems to accelerate phishing, malware development, and vulnerability research.
Separate reporting found attackers using AI coding assistants from OpenAI and Anthropic to adapt publicly available offensive tools during campaigns targeting Mexican government organizations and a regional water utility. The incidents demonstrate how AI can accelerate attack customization and lower the barrier to entry for cyber operations.
At the same time, adoption of AI-driven vulnerability discovery continues to grow. Mozilla reported using Anthropic’s Mythos AI model to identify hundreds of vulnerabilities in Firefox, including bugs that had remained undiscovered for more than two decades. Mozilla said the AI-assisted effort helped accelerate more than 270 security fixes in a single month, highlighting how quickly AI-driven vulnerability discovery is advancing and how dramatically it could compress patching and exploit timelines across the software ecosystem. OpenAI also launched initiatives focused on AI-driven vulnerability discovery and patching, similar to Anthropic’s Mythos.
Researchers also disclosed four “Claw Chain” vulnerabilities in the OpenClaw AI agent framework that could be chained together to steal credentials, escalate privileges, escape sandbox protections, and establish persistent backdoor access on compromised systems. The flaws highlighted growing security concerns around autonomous AI agents that connect large language models to local files, SaaS applications, developer tools, and enterprise environments with broad permissions and limited isolation controls.
The Verizon DBIR Highlights the Rise of AI-Driven Insider Risk
Verizon’s 2026 Data Breach Investigations Report highlighted how quickly AI usage is reshaping enterprise security risk. The report found that 45% of employees are now regular users of AI services on corporate devices, up from just 15% last year. At the same time, 67% of users accessing AI tools on corporate systems are doing so through non-corporate accounts, significantly increasing visibility and governance challenges.
The report also found that “shadow AI” has rapidly emerged as a major insider risk issue. Shadow AI is now the third most common non-malicious insider action observed in Verizon’s DLP dataset, while AI-related policy violations increased fourfold over the past year. Researchers noted that 3.2% of all DLP policy violations involved research and technical documentation being uploaded into unauthorized AI systems.
The DBIR also reinforced the growing speed of modern cyber operations. Vulnerability exploitation is now the most common initial access vector for breaches at 31%, reflecting how quickly attackers are moving from vulnerability discovery to active exploitation. Combined with rapidly expanding AI adoption, the findings highlight the growing need for stronger identity controls, visibility, and Zero Trust enforcement across enterprise and operational environments.
Critical Infrastructure Still Faces Basic Security Failures
Several incidents this month reinforced a long-running OT security problem. Many critical infrastructure systems remain exposed through weak credentials, insecure remote access, and internet-facing services.
Suspected Iranian actors reportedly breached automatic tank gauges at US gas stations after the systems were found online without password protection. Attackers manipulated fuel level readings, though no physical disruption was reported.
The same operational risks appeared in manufacturing. Jaguar Land Rover reported that annual profits fell more than 99%, dropping from £2.5 billion to just £14 million, after a cyberattack disrupted factories and internal systems for weeks. The company said revenues fell more than 20% to £22.9 billion as production shutdowns, supply chain disruption, and reduced vehicle availability continued to affect operations through the autumn. Foxconn also reportedly experienced ransomware-related disruption at several North American facilities, with attackers claiming to have stolen sensitive manufacturing and customer data tied to major technology companies.
Governments Expand Focus on AI and Infrastructure Security
Governments are increasingly treating AI systems and digital infrastructure as national security priorities.
Recent reporting revealed growing debate within the US government over how AI models should be evaluated and regulated, including proposals involving intelligence community oversight of AI systems.
Government agencies are also shifting from breach prevention toward operational resilience planning. CISA’s CI Fortify initiative urged infrastructure operators to prepare for disconnected operations, degraded communications, compromised OT environments, and third-party outages during geopolitical conflict scenarios. The guidance assumes organizations may need to continue operating safely even when internet connectivity, vendors, or external systems are unavailable.
The broader 2026 interagency Zero Trust for OT guidance from CISA, DOE, DoW, FBI, and DOS reinforces the same shift. The agencies specifically emphasized continuous identity verification, secure supply chains, asset visibility, segmentation, and resilient access controls designed for legacy and safety-critical OT environments. The guidance reflects a growing consensus that Zero Trust is no longer optional for critical infrastructure operators and that security architectures must continue enforcing policy even during outages or disconnected operations.


