For years, the cybersecurity conversation about AI was speculative. Researchers warned it could lower the barrier for attackers. Pen test firms demoed LLM-generated phishing emails. Thought pieces predicted AI-powered attacks were coming.

In 2026, they arrived. Real incidents from the first half of the year show AI reshaping how attacks work at nearly every stage — discovery, exploitation, and evasion.

This isn't a trend piece. It's a breakdown of what's actually documented so far, and what it means for the people running websites, shops, and online businesses.


From Prompt to Payload: What Actually Changed

The shift isn't that attackers discovered AI. It's that AI is compressing the time between learning an attack technique and deploying it in production — though, as the case below shows, not always as cleanly as the headlines suggest.

The EDR Evasion Toolkit — With a Catch

In June 2026, Sophos published an analysis of a ransomware-linked toolkit built with AI-assisted development. The threat actor used Cursor (an AI-native IDE) and Claude Opus agents to iterate on modules designed to evade endpoint detection and response (EDR) software — the security tools most businesses rely on to catch threats.

The workflow, roughly:

  1. Write an EDR evasion module.
  2. Test it in an isolated lab against Sophos, CrowdStrike, and Microsoft Defender.
  3. If it fails, feed the result back to the AI agents.
  4. The agents revise the module.
  5. Repeat — nearly 80 modules covering 70+ evasion techniques, with other agents mining public security research and mapping techniques to MITRE ATT&CK.

Here's the important nuance most coverage of this story skates past: the toolkit's own internal documentation claimed the modules became almost universally successful after enough iterations. Sophos checked that claim against the actual test data and found it wasn't supported — the researchers' working theory is that this was an LLM hallucination baked into the tooling's self-reporting, not a real result. Sophos was also explicit that this wasn't an autonomously reasoning model running the show; it was a structured, human-reviewed engineering cycle that AI made faster, not a hands-off AI operation.

The realistic takeaway isn't "AI now defeats every EDR product." It's narrower and still concerning: AI agents meaningfully speed up the build-test-refine loop that used to require a skilled malware developer's full attention, and they can search and apply published research at a pace no human team matches. That's a real drop in the skill and time barrier — it just isn't the same thing as a proven, universal bypass.

The First AI-Discovered Zero-Day

Google's Threat Intelligence Group (GTIG) confirmed the first known case of a zero-day exploit believed to be developed with AI assistance — disclosed on May 11, 2026.

The target was a popular open-source web administration tool. The vulnerability was a 2FA bypass rooted in a hardcoded trust assumption in the login logic — a semantic logic flaw, not a memory-corruption bug. These are exactly the kinds of flaws traditional scanners and fuzzers tend to miss, because catching them requires reasoning about what a developer intended rather than pattern-matching known vulnerability classes.

GTIG identified the likely AI authorship through telltale signs in the exploit code: excessive educational docstrings, a hallucinated CVSS score, and an unusually clean, textbook Python structure. The attack was disrupted before the planned mass-exploitation event, and the vendor patched the flaw through coordinated disclosure. The signal is still clear: AI isn't just helping attackers execute known exploits — it's starting to find new ones.

Autonomous Attack Chains

Google GTIG also documented PROMPTSPY, an Android backdoor (first identified by ESET) that calls the Gemini API in real time to read a device's UI layout and decide what action to take next — tapping, swiping, or navigating menus based on what it observes, rather than following hardcoded logic.

This is a meaningful shift from traditional malware, which follows predetermined scripts. PROMPTSPY reads the environment, reasons about what it finds, and picks its next move — including capturing and replaying biometric authentication gestures and resisting uninstallation via an invisible overlay. GTIG has since disabled the associated assets, and Google Play Protect covers known versions on Android.


The Scale of the Ecosystem

Security researchers have catalogued dozens of open-source AI penetration testing tools that emerged over roughly the past 18 months, spanning autonomous end-to-end agents, vulnerability discovery, exploit generation, and reverse-engineering platforms.

The key difference from a human pentester: these tools work in parallel across an entire attack surface at once. They don't context-switch, lose track of findings, or get distracted mid-engagement.

State-sponsored actors are industrializing the same approach. North Korea's APT45 has been observed sending large volumes of automated prompts to iteratively analyze CVEs and validate proof-of-concept exploits — building an exploit arsenal that would be impractical to manage by hand. Researchers have also found China-nexus and North Korea-linked actors experimenting with datasets of tens of thousands of real-world vulnerability cases to prime models for more expert-level code analysis.


Supply Chain Is the New Front Door

AI tools aren't just being used to attack you directly. They're being used to attack the software — and the AI coding tools — you depend on.

In early 2026, a supply chain campaign tracked as SANDWORM_MODE spread through typosquatted npm packages. Beyond standard credential theft, it included a module that installs a rogue MCP (Model Context Protocol) server into the configuration files of AI coding assistants — including Claude Code, Cursor, Windsurf, and Continue — and uses prompt injection to quietly instruct the AI to read and exfiltrate SSH keys, AWS credentials, and other secrets from the developer's machine. MCP itself is an open protocol for connecting AI assistants to external tools; this campaign weaponized that connection point rather than compromising any single vendor's infrastructure.

Around the same time, the financially motivated group TeamPCP compromised GitHub repositories tied to the LiteLLM AI gateway and the Trivy vulnerability scanner, embedding a credential stealer (SANDCLOCK) that extracted AWS keys and tokens from build environments. This is the same attack pattern that has plagued traditional software supply chains for years — just now reaching into the AI tooling developers use every day.

The lesson for website owners is direct: if the plugins, gateways, or third-party services your site depends on can be compromised upstream, you're exposed regardless of your own security posture. The Ghost CMS SQL injection (CVE-2026-26980) makes this concrete — it compromised 700+ sites, including major universities, in a campaign detected in May 2026. The patch had been available since February. Most affected sites simply hadn't applied it.


What This Means for Website and Shop Owners

If you're running an ecommerce store, a WordPress site, or a web application, the practical implications are concrete:

Exploit development is faster, but not magic. AI-assisted attackers can iterate through evasion techniques or vulnerability research far faster than a solo human — but the process is still largely human-directed, and AI-generated success claims (like the EDR case above) aren't automatically reliable, even for the attackers using them.

EDR isn't a silver bullet. Relying solely on endpoint detection was never a complete strategy, and AI-accelerated testing against major EDR products is one more reason defense needs to be layered.

Your supply chain is the attack surface. That now includes the AI coding tools and gateways your developers use, not just your CMS and plugins.

Social engineering got smarter. Platform-aware phishing campaigns can fingerprint a visitor's device and serve different payloads accordingly — credential-harvesting pages to one OS, malware to another, from the same infrastructure.


What to Do About It

None of this requires becoming a security expert. The fundamentals that protect against AI-powered attacks are the same fundamentals that have always worked — they just need to be applied consistently:

  1. Patch promptly. The Ghost CMS exploit had a patch available before the mass-exploitation campaign began. This pattern repeats across almost every major incident.

  2. Use MFA everywhere. MFA doesn't prevent server exploitation, but it makes stolen credentials — still the most common initial access vector — significantly less useful.

  3. Segment your network. If one system is compromised, segmentation limits how far an attacker can move, especially where WordPress, payment processing, and email share infrastructure.

  4. Audit your dependencies — including AI tooling. Know what software your site runs, who maintains it, and whether updates are available. That now extends to any MCP servers, AI coding assistants, or AI gateways your team has connected to real credentials.

  5. Monitor for anomalies. You don't need a full SOC to notice unusual outbound connections or a login from an unexpected location.


The Bottom Line

AI hasn't created an entirely new category of cyberattack. What it's done is compress the timeline between vulnerability and exploitation, lower the skill floor for attackers, and make some attack chains adaptive in ways they weren't before — while also, ironically, introducing new failure modes like hallucinated success reports inside the attackers' own tooling.

The defensive fundamentals still work. Patch, segment, authenticate, monitor. The organizations hardest to breach won't be the ones with the most expensive tooling — they'll be the ones applying these basics consistently.

If you want to understand where your specific exposure points are, a structured security review can surface the gaps that matter most for your environment.


Sources referenced: Google Threat Intelligence Group, Sophos, Socket, The Hacker News, SecurityWeek, BleepingComputer, Malwarebytes, QiAnXin XLab.