A 17-year-old was arrested in Osaka on December 4, 2025, after running malicious code that exfiltrated the personal data of more than 7 million users of Kaikatsu Club — and, when asked, he said he wanted to buy Pokémon cards.
The new shape of attackers: nontechnical actors using LLMs
The Kaikatsu Club breach is emblematic of a broader shift documented across 2024–2026: large language models and agentic coding systems have turned from helpful but error-prone assistants into end-to-end coding powerhouses. The result is a changed attacker profile. In February 2025, three teenagers with no coding background used ChatGPT to build a tool that hit Rakuten Mobile’s system roughly 220,000 times. In July 2025, a single actor using Claude Code ran an organized extortion campaign against 17 organizations. In December 2025, another individual used Claude Code and ChatGPT to breach the Mexican government and steal over 195 million taxpayer records. The common thread: tools are amplifying capability so dramatically that individuals without traditional technical backgrounds can produce attacks once associated with skilled teams.
Exploit windows: shrinking, often faster than defenders can respond
Measured attacker capability has accelerated sharply. Time to exploit — the interval between public disclosure of a vulnerability and the appearance of an exploit in the wild — fell from over 700 days in 2020 to 44 days in 2025. Mandiant’s M-Trends 2026 report described this shift as effectively producing a negative exploit window: 28.3% of CVEs were exploited within 24 hours of disclosure. At the same time, model performance on software-development benchmarks has surged. On SWE-bench, top models resolved 33% of real GitHub issues in August 2024 and climbed to just under 81% by December 2025. The net effect: attackers are discovering and weaponizing vulnerabilities far faster than in the pre-AI era.
Supply chain and package ecosystem breakdowns
Public package repositories are a flashpoint. Sonatype recorded 55,000 malicious packages in public repositories in 2022; by 2025 that figure had risen to 454,600, with 394,877 malicious packages appearing in a single quarter. The September 2025 Shai-Hulud attack on the npm ecosystem compromised over 500 packages; more than 487 organizations had secrets exposed, and attackers stole $8.5 million from Trust Wallet after using exposed credentials to poison its Chrome extension. Attackers used apparently legitimate artifacts — documentation, unit tests, and structured code — to evade static analysis and signature scanners. As Chainguard CEO Dan Lorenc observed, “The complexity and scale of vulnerability management has outgrown the capabilities of most organizations to manage on their own.”
Patch cycles, remediation, and detection gaps
Defenders are racing but losing ground on remediation timelines. The Edgescan 2025 Vulnerability Statistics Report found the average time to remediate a known high- or critical-severity CVE to be 74 days, and 45% of vulnerabilities in systems maintained by large companies (1,000+ employees) never get remediated. Meanwhile, AI-generated malware and package poisoning are slipping past conventional detectors because the malicious artifacts look like legitimate software. The combination of a shrinking exploit window and persistent remediation backlogs creates a structural advantage for attackers.
Chainguard Libraries and deleting categories of attack
One response highlighted in the article is a structural approach: “hit delete on entire categories of vulnerability.” Chainguard Libraries rebuilds open-source libraries from verified, attributable source code to prevent classes of attacks such as CI/CD takeover, dependency confusion, long-lived token theft, and package distribution attacks. In testing, Chainguard Libraries blocked 99.7% of 8,783 malicious npm packages and roughly 98% of approximately 3,000 malicious Python packages. The article’s author, Patrick Smyth of Chainguard, presents these figures as evidence that making whole categories of attack structurally impossible frees defenders to focus on the remaining surface area.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams face faster exploit timelines and AI-generated code that evades static signatures; remediation backlogs (74-day average for high/critical CVEs; 45% of vulnerabilities unremediated in large firms) mean defenses must shift toward structural mitigations and supply-chain hardening.
- Procurement and enterprise buyers will see more attacks delivered through dependencies and third-party packages; the npm Shai-Hulud incident (500+ packages compromised, $8.5m Trust Wallet loss) argues for supply-chain provenance and verified artifact controls in procurement decisions.
- End users and the general public will see more incidents carried out by low-skill actors empowered by LLMs (examples include teenage attackers and single actors running multi-target extortion), widening the pool of potential offenders and increasing the volume of breaches that can affect everyday services.
The facts from 2025 point to a clear, uncomfortable conclusion: model-driven code generation has slashed the barrier to technically sophisticated attacks, and defenders who rely on chasing individual vulnerabilities will be perpetually behind. As the author puts it, if supply-chain attacks keep coming through 2026, “what will 2027 look like with model capabilities dialed up to 10?”
https://thehackernews.com/2026/05/2026-year-of-ai-assisted-attacks.html