May 2026 read less like a string of separate incidents and more like a single trend arriving from several directions at once. Attackers are industrializing. Artificial intelligence is raising the autonomy of offensive operations, the speed of vulnerability discovery, and the volume of concurrent campaigns. Underneath all of it, the human element stayed central: people sold access, people trusted the wrong vendor, people approved the wrong prompt. Here are the stories that mattered, what happened, why the human angle matters, and what to do.
AI attack autonomy is accelerating
The doubling time for AI autonomous cyberattack capability fell from roughly eight months to under five. In the same news cycle, a frontier model solved a 32-step attack range in 6 of 10 attempts, and a single AI scan cycle surfaced 26 security flaws where a typical pass turns up fewer than five.
The human angle: this does not remove people from the loop, it changes their job. Defenders now compete against tooling that finds and chains weaknesses faster than manual review can keep up. What to do: shorten the gap between discovery and remediation, and assume that anything trivially findable by an automated scan has likely already been found.
The first AI-developed zero-day in a live operation
Google's threat intelligence team documented what it described as the first time it had identified a threat actor using an AI-developed zero-day exploit in a live criminal operation. The framing from the reporting was direct: adversaries are industrializing AI inside their attack workflows.
The human angle: the workflow change is the story. When attackers fold AI into routine operations, the people defending have to treat AI-assisted offense as a baseline, not an outlier. What to do: update threat models to assume AI-accelerated reconnaissance and exploit development, and prioritize fast patch cycles for internet-facing systems.
One in eight employees sold company logins
A survey found that one in eight employees at large enterprises had sold company credentials or knew a colleague who had. The attitudes behind it were just as notable: a sizable share of C-suite respondents, reported at 43 percent, considered selling access justifiable.
The human angle: this is insider risk by choice, not by accident. Least-privilege design alone cannot contain someone who decides to sell legitimate access. What to do: pair access controls with behavioral monitoring, make credential abuse easy to detect and trace, and treat the cultural signal, leadership rationalizing the sale of access, as its own risk.
Ransomware tactics shift as the payment rate falls
The ransom payment rate fell to 28 percent, yet attacks kept rising. The economics shifted rather than improved: groups leaned harder on extortion and disruption. Manufacturing was hit hardest, with reported losses topping 18 billion dollars across three quarters.
The human angle: fewer victims paying is progress, but the pressure simply moved to data theft, operational disruption, and the people who have to make the call under stress. What to do: build and rehearse a response plan that assumes you will not pay, and make sure backups and recovery are tested, not just documented.
A trusted vendor handed over 123 days of access
In one incident response case, a nation-state actor lurked undetected in a network for 123 days after a trusted third-party IT vendor was compromised. The intrusion relied on abusing trusted access rather than on exploits or malware-based delivery, which is part of why it stayed hidden so long.
The human angle: the failure was a trust boundary, not a missing patch. Patching alone would not have stopped this. What to do: extend monitoring to vendor and third-party access, scope that access tightly, and watch for legitimate-looking activity that simply should not be happening.
A self-propagating npm worm, in a crowded week
One seven-day stretch produced an Exchange zero-day, a Cisco exploit, a fake AI model repository, and a self-propagating npm supply-chain worm that poisoned 42 packages and spread toward 160 or more. Four active threats, running concurrently. As the placement cards put it: one week, four active threats, the new normal.
The human angle: supply-chain compromise turns developer trust into an attack path. A poisoned dependency executes with the trust the developer extended to it. What to do: pin and verify dependencies, monitor for unexpected package updates, and treat the build pipeline as production infrastructure.
Also this month
A few items rounded out the picture. More than 1,800 Model Context Protocol servers were found exposed online without authentication, a reminder that the AI agent buildout is creating new unguarded surfaces. Device-code phishing surged sharply over the year, with Microsoft 365 emerging as a primary credential battleground. And the measured AI capability gap between US and Chinese systems narrowed to a small margin, reported at 2.7 points, which matters for how quickly advanced offensive tooling proliferates.
What ties it together
The throughline is consistent. AI-as-attacker is no longer a scenario, it is an operating assumption. Microsoft 365 is now the primary credential battleground. And credential trust is collapsing from both directions at once: insiders selling access on one side, compromised vendors and supply chains on the other. The forecast everyone has been planning around has become the present.
None of these stories were purely technical. Each one turned on a human decision: a credential sold, a vendor trusted, a prompt approved, a dependency pulled in without a second look. That is the attack vector you cannot patch, and it is where attention pays off most.
If you want this kind of briefing every week, subscribe to the free weekly briefing at threatlevelhuman.substack.com. New subscribers also get the free Social Engineering Red Flags field guide, a short reference for spotting the human-targeted tactics behind most of these incidents.
<- back to the blog