Security researchers and industry experts are raising alarms about the growing use of artificial intelligence (AI) in both offensive and defensive cybersecurity operations. Attackers are leveraging AI to bypass advanced security controls, as demonstrated by a researcher who used AI to defeat an "AI-powered" web application firewall, and by the emergence of new malware that exploits AI model files and browser vulnerabilities to evade detection and exfiltrate credentials. Meanwhile, defenders are grappling with the proliferation of unsanctioned AI tools in the workplace, the challenge of auditing AI decision-making, and the surge in AI-powered bug hunting, which has led to a dramatic increase in vulnerability discoveries and bug bounty payouts. The risks are compounded by the lack of clear AI usage policies, the potential for data leaks through generative AI tools, and the difficulty in monitoring or controlling how sensitive information is processed and stored by these systems.
Industry reports highlight that a significant portion of employees use unauthorized AI applications, often exposing sensitive data without IT oversight, and that prompt injection and model manipulation are now common vulnerability types. The security community is also debating the extent to which ransomware and other attacks are truly "AI-driven," with some reports criticized for overstating the role of AI in current threat activity. As organizations rush to adopt AI for efficiency and innovation, experts urge the implementation of robust governance, continuous monitoring, and red-teaming to anticipate and mitigate the evolving risks posed by both sanctioned and shadow AI systems. The rapid evolution of AI in cybersecurity is forcing a reevaluation of traditional defense models, emphasizing the need for transparency, operational oversight, and adaptive security strategies.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
12 events from the most recent confirmed update back to the earliest known activity.
Researcher hxr1 disclosed a proof-of-concept living-off-the-land attack that hides malware in ONNX model files used by Windows' native AI stack. The PoC showed how trusted Microsoft-signed components could load malicious content from AI files while evading traditional EDR scrutiny.
Mozilla announced a new policy requiring clearer disclosure of data collection practices for Firefox extensions. The move was intended to improve transparency around extension behavior and user privacy.
The Counter Ransomware Initiative released new guidance focused on supply chain security. The publication represented a policy and defensive response aimed at improving resilience against ransomware-related supply chain risks.
A major AWS outage was attributed to a DNS defect. The incident was noted as a significant cloud-service disruption affecting availability.
Russia proposed legislation that would require all vulnerability disclosures to be reported to the FSB. The proposal prompted concern that vulnerability reporting could be redirected toward state misuse rather than coordinated disclosure.
The surveillance vendor formerly known as Hacking Team, now operating as Memento Labs, was reported to have resurfaced with new spyware. The development marked the re-emergence of a historically controversial spyware supplier.
Apple's iOS 26 update was reported to overwrite shutdown logs, removing forensic evidence that could reveal Pegasus and Predator spyware infections. The finding raised concerns about the impact of the update on mobile forensic investigations.
The Everest ransomware gang claimed responsibility for the Svenska Kraftnät incident and said it exfiltrated 280 GB of data. This added an attacker attribution and a reported scale of data theft to the breach narrative.
Sweden's power grid operator, Svenska Kraftnät, confirmed that it suffered a data breach related to a ransomware incident. The disclosure established the organization as a victim in a significant critical-infrastructure cyber event.
Threat actors targeted critical vulnerabilities in the WordPress plugins GutenKit and Hunk Companion in millions of exploitation attempts. The activity underscored the continued security risk posed by widely deployed plugin ecosystems.
Following reports of active exploitation of CVE-2025-59287 in Microsoft WSUS, CISA issued a warning urging attention to the vulnerability. The warning elevated the significance of the flaw beyond Microsoft's patch release.
Microsoft released an urgent patch for CVE-2025-59287, a major remote code execution flaw in Windows Server Update Services (WSUS) that was reported as being under active exploitation. The issue was highlighted as one of the week's most critical vulnerability developments.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
infosecwriteups.com
Open sourcecsoonline.com
Open sourcehelpnetsecurity.com
Open sourcehelpnetsecurity.com
Open sourcedarkreading.com
Open sourcesecuritysenses.com
Open sourcesocket.dev
Open sourcesecuritysenses.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.