Weekly Musings Top 10 AI Security Wrapup: Issue 39 May 15-May 21, 2026
The week Washington blinked, Anthropic blinked back, and the AI supply chain caught fire
The executive branch stalled. The supply chain bled. Frontier model builders started negotiating with central bankers. Trump tore up his own AI executive order hours before signing. Anthropic agreed to brief the Financial Stability Board on what its Mythos model can produce. A worm called Mini Shai-Hulud chewed through npm, the Nx Console extension, GitHub’s internal repositories, Grafana’s source code, and a slice of OpenAI’s developer laptops.
The throughline has nothing to do with the technology. The story is the widening gap between capability and control. Washington wants speed and won’t write rules. The labs show off their offensive capabilities, then ask regulators to contain them. The supply chain runs on trust that nobody verifies. Identity systems pretend to have been built for AI agents. Here are ten to track, plus one you missed.
1. Trump Pulls AI Executive Order Hours Before Signing
On May 21, 2026, President Trump scrapped the signing ceremony for an AI executive order that would have created a voluntary review process for frontier models before public release (Axios). Trump told reporters the order “gets in the way” (CNBC). The draft covered a voluntary cybersecurity clearinghouse with Treasury and pre-deployment evaluation, giving federal agencies up to 90 days to test new models (Bloomberg). The Washington Post reported that infighting between economic and security advisers killed the timing.
Why it matters
The voluntary framework was the lightest federal touch on frontier model safety. Killing it signals zero appetite for mandatory pre-deployment review.
The 90-day evaluation window was already a compromise. Some labs wanted 14 days.
The vacuum pulls states forward. Colorado’s SB 26-189 takes effect January 1, 2027.
What to do about it
Build your governance program assuming federal silence and state activity.
Inventory which AI vendors signed the prior CAISI agreements. Commitments still hold for OpenAI, Anthropic, Google, Microsoft, and xAI.
Document model-evaluation evidence from vendors. You’ll need it for state filings and customer audits.
Rock’s Musings
Washington cannot govern faster than the labs ship. The voluntary EO was the security community’s best near-term win, killed in 24 hours over speed-versus-China optics. I’m not surprised. I’m tired. Treat federal AI governance as imaginary infrastructure. My longer take sits at rockcybermusings.com.
2. Anthropic Agrees to Brief the Financial Stability Board on Mythos Findings
On May 18, 2026, the Financial Times reported that Anthropic agreed to meet the Financial Stability Board (FSB) to discuss cyber vulnerability findings from its Claude Mythos Preview model (PYMNTS). The request came from Bank of England Governor Andrew Bailey. The G20 watchdog has worried that Mythos and similar models will expose weak spots in banks’ cyber defenses (The Decoder). Anthropic says Mythos has identified thousands of high-severity vulnerabilities across every major operating system and web browser, with fallout that will be “severe” for economies and national security (TechRadar).
Why it matters
Frontier labs are now in the room with central bank regulators on cyber risk. A structural change in who governs offensive AI capability.
The FSB shapes the Basel framework. Expect cyber-resilience requirements to grow teeth.
The financial sector is the canary. Whatever the FSB demands rolls downhill to every regulated industry.
What to do about it
Map your critical software stack against Anthropic’s flagged categories. Plan for compressed patch cycles.
Watch your home regulator for follow-on guidance. Bailey’s FSB brief will reverberate.
Build vulnerability backlog metrics into board reporting. The question has shifted from “are we vulnerable” to “how fast can we close known exposure.”
Rock’s Musings
The lab that built the dangerous capability is now negotiating with the regulators expected to contain it. A weird posture, half whistleblower, half hostage-taker. The FSB doesn’t normally touch software, so their interest signals cyber risk has crossed the systemic-threat line. I’ve spent thirty years in this field and never seen central bankers convene on a single AI vendor’s product. Model what happens when your regulator decides “model-discovered zero-days” is a category of systemic risk.
3. Microsoft Open-Sources RAMPART and Clarity for Agent Safety
On May 20, 2026, Microsoft released two open-source tools that push agent safety into the development pipeline (Microsoft Security Blog). RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a Pytest-native framework built on Microsoft’s PyRIT toolkit. It lets teams write CI-runnable adversarial tests against agents covering prompt injection, data exfiltration, and behavioral regressions (The Register). Clarity walks teams through assumptions and failure modes before they write agent code (The Hacker News).
Why it matters
The first credible attempt by a hyperscaler to operationalize agent red-teaming inside the CI pipeline. Most “agent safety” tooling sits outside the SDLC.
Pytest integration matters. Agent safety tests look like every other test, which means engineers run them.
PyRIT was already the reference toolkit. RAMPART extending it makes Microsoft the de facto standard for agent adversarial testing.
What to do about it
Pilot RAMPART against your highest-risk agent. Pick the one with the broadest tool permissions.
Use Clarity in design reviews. Catching bad scope at the whiteboard is cheaper than catching it in production.
Add agent-safety test coverage to your AppSec metrics.
Rock’s Musings
Microsoft did the right thing. They built the tools, open-sourced them, and put them where developers work. Most security tools fail because they sit outside the developer workflow. RAMPART has no such excuse. The question is whether your AppSec team has the political capital to make these tests blocking in CI. I cover the adoption muscle at rockcyber.com.
4. GitHub Confirms 3,800 Internal Repos Breached via Nx Console
On May 21, 2026, GitHub disclosed that 3,800 of its internal repositories were accessed through a developer’s compromised Nx Console VS Code extension, a casualty of the May 11 TanStack npm supply chain attack (BleepingComputer). Help Net Security traced the chain from the Mini Shai-Hulud worm through the GitHub and Grafana breaches. TechCrunch confirmed on May 20 that the attacker exfiltrated material from the affected employee’s repositories. The same campaign hit OpenAI, Mistral AI, UiPath, and dozens of downstream maintainers.
Why it matters
GitHub’s own internal repos got popped through a VS Code extension. An IDE compromise now spans your entire engineering footprint.
The Nx Console extension lives on hundreds of thousands of developer machines. Every install is a potential entry point.
Second supply chain worm in 60 days chaining GitHub Actions misconfiguration with OIDC token theft. The pattern is the playbook.
What to do about it
Inventory IDE extensions across your engineering teams. Treat them like browser extensions, with allowlisting and version pinning.
Rotate every GitHub and npm credential that has touched a developer machine in the past 60 days, long-lived personal access tokens and publish tokens first, and review the trust policies behind any OIDC-federated workflow those machines can trigger. Audit workflow files for pull_request_target patterns.
Revisit endpoint posture for developer laptops. The IDE is now an attack surface equivalent to a browser.
Rock’s Musings
The supply chain conversation has changed shape. The attacker walks through a VS Code extension to reach repository tokens, then pivots to the corporate GitHub org. If your developer laptops live in an “engineering exception” bubble outside EDR, MDM, and identity controls, you’re the next Grafana. Put developer endpoint hygiene on par with finance.
5. Grafana Labs Refuses Ransom After Codebase Theft
On May 18, 2026, Grafana Labs confirmed an unauthorized party obtained a GitHub token and downloaded its codebase (TechCrunch). The intrusion traced back to the TanStack supply chain attack from May 11. Grafana received a ransom demand on May 16 and refused to pay (The Register), citing no guarantee the stolen data would be deleted. The company rotated tokens, audited every commit since May 11, and hardened GitHub posture (Grafana blog). No customer data was exposed.
Why it matters
Refusing the ransom publicly is defensible. FBI guidance and peer disclosure make it the default for open-source vendors.
Grafana’s codebase is public anyway. The ransom value was reputational, and the company called the bluff.
The hardened posture published in the blog is a teaching artifact. Use it.
What to do about it
If your codebase is open-source, write the ransom-refusal playbook before you need it. Brief your board.
Mirror Grafana’s recovery checklist. Rotate tokens, audit commits, harden GitHub config, increase monitoring.
Add commit-signing enforcement and require attestations on release artifacts.
Rock’s Musings
I respect what Grafana did. They confirmed quickly, refused the ransom, and published a postmortem with operational specifics. That’s how you turn a breach into a credibility win. Compare it with the usual vague disclosure six weeks late from a forensics firm hiding behind privilege. If your IR plan still treats ransom payment as a live option, you’re behind.
6. Mini Shai-Hulud Worm Expands Across the npm Ecosystem
On May 19, 2026, TechCrunch reported the Mini Shai-Hulud campaign had spread to dozens of additional open-source packages beyond the original TanStack hit. Wiz and Snyk traced the worm’s propagation through @squawk/* and @mistralai/* packages, on top of the 84 malicious versions across 42 @tanstack/* packages from May 11 (Wiz). StepSecurity attribution ties the same TeamPCP threat group to the March Trivy scanner compromise and April’s Bitwarden CLI package hit (Snyk). The campaign chains pull_request_target misconfiguration with GitHub Actions cache poisoning and OIDC token extraction.
Why it matters
A self-propagating worm. It exfiltrates maintainer credentials and uses them to publish further malicious versions. Containment lags.
The same threat actor keeps finding new targets with the same attack pattern. The pattern is the problem.
Every downstream consumer of an affected package has a credential rotation event ahead.
What to do about it
Build a list of every npm package your org consumes, including transitive dependencies. Cross-reference against IOC lists from StepSecurity and Wiz.
Move CI secrets out of GitHub Actions environment variables. Use ephemeral, scoped tokens.
Block pull_request_target on any repository whose CI touches secrets. The only safe use of that trigger never checks out or executes anything the pull request author controls, and almost no workflow needs it.
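The first item in that list, cross-referencing every package you consume against the published IOCs, is the step most teams do by grepping package.json, which misses the transitive installs where a worm usually lands. The script below is an added example, not code from this article or from Wiz, Snyk or StepSecurity: it walks an npm lockfile (lockfileVersion 1, 2 or 3), enumerates every installed package including nested transitive copies, and reports exact package@version matches against an IOC map. The IOC entries and the lockfile are constructed placeholders; the real compromised versions are in the vendor advisories cited above.

```python
"""Cross-reference an npm lockfile against a supply-chain IOC list.

Added example; not code from the article or from Wiz, Snyk or StepSecurity.
The IOC entries and the lockfile below are constructed for illustration. The
real compromised versions are in the vendor advisories the article cites.
"""
import json

# Constructed IOC set: package -> malicious versions. Replace with the
# package@version pairs from the Wiz / StepSecurity / Snyk advisories.
IOC_VERSIONS = {
    "@tanstack/example-pkg": {"1.2.3", "1.2.4"},
    "@squawk/example-pkg": {"0.9.1"},
}

# Constructed lockfile in the lockfileVersion 3 layout: a flat "packages" map
# keyed by install path. Transitive dependencies appear as nested node_modules
# paths, which is exactly where a manifest-only check misses them.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"@tanstack/example-pkg": "^1.2.0", "left-pad": "^1.3.0"}},
        "node_modules/@tanstack/example-pkg": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # Transitive: a different version of the same package nested under left-pad.
        "node_modules/left-pad/node_modules/@squawk/example-pkg": {"version": "0.9.1"},
        "node_modules/@squawk/example-pkg": {"version": "0.8.0"},
    },
})


def installed_packages(lock_text):
    """Yield (name, version, install_path) for every installed package,
    transitive ones included. Supports lockfileVersion 2/3 ("packages") and
    falls back to the nested lockfileVersion 1 "dependencies" tree."""
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path == "" or "version" not in meta:
                continue  # root project entry or a workspace link
            # The package name is everything after the last "node_modules/",
            # which keeps the @scope/name form for scoped packages.
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta["version"], path
        return

    def walk(deps, parent):
        for name, meta in deps.items():
            path = f"{parent}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock_text, iocs=IOC_VERSIONS):
    """Return a sorted list of (name, version, path) tuples that match an IOC.
    Matching is exact on version: a clean version of a listed package is not a hit."""
    return sorted(
        (name, version, path)
        for name, version, path in installed_packages(lock_text)
        if version in iocs.get(name, ())
    )


if __name__ == "__main__":
    hits = find_compromised(SAMPLE_LOCK)
    for name, version, path in hits:
        print(f"COMPROMISED {name}@{version} at {path}")
    raise SystemExit(1 if hits else 0)
```

Run it against each repository's package-lock.json (or npm-shrinkwrap.json) in CI with the vendor IOC list loaded in place of IOC_VERSIONS; a non-zero exit is your rotation trigger. Note the sample deliberately includes a clean 0.8.0 of the same package next to the bad 0.9.1 so the check demonstrates exact-version matching rather than name matching.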
Rock’s Musings
The worm pattern is the story. A compromised maintainer’s token pushes malicious versions that compromise more maintainers, and the campaign scales without human work. A structural problem for any ecosystem built on maintainer trust. We’ve known pull_request_target was dangerous since 2021. Its presence at major projects in 2026 tells you how the open-source world treats its security debt.
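Items 4 and 6 both tell you to audit workflow files for pull_request_target. What that audit actually looks for is the combination, not the trigger alone: the privileged trigger plus a checkout of the pull request head (or fork-controlled text expanded into a run: step). The script below is an added example, not code from this article, GitHub, or the advisories it cites. It is a line-oriented heuristic over workflow text rather than a YAML parser, so it over-reports on purpose; the three sample workflows are constructed, not taken from any real repository.

```python
"""Triage GitHub Actions workflows for the pull_request_target pattern the
article describes: a privileged trigger combined with execution of code or
input that a fork author controls.

Added example; not code from the article, GitHub, or the advisories it cites.
It is a line-oriented heuristic, not a YAML parser: it will over-report
(any mention of the trigger counts) and should be followed by a human read.
"""
import re

# The privileged trigger itself. Searched anywhere in the file on purpose;
# a commented-out trigger still deserves a look.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")

# A checkout step pinned to the pull request head (or the PR merge ref):
# after this, any script in the repo is attacker-controlled.
PR_HEAD_CHECKOUT_RE = re.compile(
    r"^\s*ref:\s*(\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}|refs/pull/)",
    re.MULTILINE,
)

# Fork-controlled text expanded straight into a shell step (script injection).
SCRIPT_INJECTION_RE = re.compile(
    r"^\s*(-\s*)?run:.*\$\{\{\s*github\.event\.(pull_request|issue|comment)\."
    r"(title|body|head\.ref|head\.label)",
    re.MULTILINE,
)

# Named repository secrets referenced anywhere in the workflow.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def audit_workflow(text):
    """Classify one workflow file. Returns a dict with the evidence found and a
    verdict: 'ok' (no privileged trigger), 'review' (privileged trigger but no
    fork-controlled execution detected) or 'critical' (privileged trigger plus
    PR-head checkout or script injection)."""
    uses_prt = bool(TRIGGER_RE.search(text))
    pr_head_checkout = bool(PR_HEAD_CHECKOUT_RE.search(text))
    script_injection = bool(SCRIPT_INJECTION_RE.search(text))
    secrets = sorted({m.group(1) for m in SECRET_RE.finditer(text)})

    if not uses_prt:
        verdict = "ok"
    elif pr_head_checkout or script_injection:
        # GITHUB_TOKEN is available under this trigger even with no named
        # secrets, so fork-controlled execution is critical regardless.
        verdict = "critical"
    else:
        verdict = "review"
    return {
        "pull_request_target": uses_prt,
        "pr_head_checkout": pr_head_checkout,
        "script_injection": script_injection,
        "secrets": secrets,
        "verdict": verdict,
    }


# Constructed sample workflows (not taken from any real repository).
VULN_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

LABEL_ONLY_WORKFLOW = """\
name: label
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in [("vuln", VULN_WORKFLOW), ("safe", SAFE_WORKFLOW),
                     ("label-only", LABEL_ONLY_WORKFLOW)]:
        print(name, audit_workflow(wf))
```

The vulnerable sample is the textbook case: npm ci runs the fork's install scripts with the base repository's NPM_TOKEN in the environment. The label-only sample shows why the trigger exists at all, and why the verdict there is "review" rather than "critical": nothing from the fork is executed, so it is tolerable, but it still deserves a human read every time someone edits the file.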
7. EU Commission Opens Consultation on AI Act Transparency Guideline
On May 19, 2026, the European Commission opened a public consultation on the draft guideline for the AI Act’s transparency obligations, due in August 2026 (Council of the EU). The consultation follows the May 7 AI Omnibus agreement, which shortened the grace period for transparency solutions on AI-generated content from six months to three. The new deadline lands December 2, 2026. The Commission’s enforcement powers against general-purpose AI model providers go live August 2, 2026, including authority to request documentation and impose fines.
Why it matters
Transparency rules apply to every model output touching an EU resident, regardless of training or hosting location.
The shortened grace period gives GPAI providers 90 days to ship watermarking, content labeling, and disclosure mechanisms.
August’s enforcement powers give the AI Office real teeth for the first time.
What to do about it
Map your AI-generated content workflows. Tag every production path that needs disclosure.
Implement provenance labeling now using C2PA or equivalent.
Brief legal and product on the December 2 deadline. Earlier guidance assumed June 2027.
Rock’s Musings
The Brussels Effect is doing its work. Whatever the AI Act forces on GPAI providers becomes the de facto global standard for transparency disclosure. American companies pretending the Act doesn’t apply will learn otherwise. Regulators wanting a quick enforcement win start with content labeling, not algorithmic auditing. If your product surfaces AI-generated content to any EU user, December 2 turned real this week.
8. CISA Weighs Three-Day Patching Deadline as AI Compresses Exploit Cycles
On May 20, 2026, Federal News Network reported CISA is considering a three-day patching deadline on Known Exploited Vulnerabilities, replacing the current 15-day default. The Insurance Journal covered the debate, citing AI compressing the time between disclosure and exploitation. Sysdig research found CVE-2026-44338 in the PraisonAI framework was probed by scanners 3 hours, 44 minutes, and 39 seconds after disclosure. Palo Alto Networks reports 28.3% of CVEs are now exploited within 24 hours.
Why it matters
A three-day federal mandate would be the most aggressive remediation deadline CISA has ever proposed.
The same compression hits private defenders. Patch SLAs run 5-10x slower than the attack timeline.
AI-assisted exploit development operates at scale. The 3-hour PraisonAI scan window is the leading edge, not the outlier.
What to do about it
Pull your last 12 months of KEV-listed CVEs. Measure actual time-to-patch against the 15-day baseline. Be honest.
Build runbooks for emergency patching of internet-exposed assets. The three-day clock starts at disclosure, not your next change window.
Plan compensating controls when 72-hour patching is impossible. Virtual patches and WAF rules buy time.
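The first item above, measuring real time-to-patch against the 15-day baseline, is where most programs discover they cannot answer honestly because open CVEs get left out of the average. The script below is an added example, not code from this article, CISA, Sysdig or Palo Alto Networks. It uses the field names CISA's KEV catalog JSON actually carries (cveID, dateAdded, dueDate), joins them to an internal patch log, and scores every entry against both the current 15-day clock and the proposed 3-day one, counting still-open CVEs as misses once the window has passed. The CVE identifiers, dates and patch records are constructed placeholders.

```python
"""Measure actual time-to-patch for KEV-listed CVEs against the current 15-day
default and the proposed 3-day deadline.

Added example; not code from the article, CISA, Sysdig or Palo Alto Networks.
It reads the field names CISA's KEV catalog JSON actually uses (cveID,
dateAdded, dueDate) but the CVE identifiers, dates and patch records below are
constructed for illustration.
"""
import json
from datetime import date
from statistics import median

# Constructed KEV extract: shaped like CISA's catalog, with placeholder IDs.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2026-05-18", "dueDate": "2026-06-08"},
]})

# Constructed internal patch log: cveID -> date the fix was fully deployed.
# A CVE absent from this map is still open.
SAMPLE_PATCHES = {
    "CVE-0000-0001": "2026-01-07",
    "CVE-0000-0002": "2026-02-20",
    "CVE-0000-0003": "2026-04-15",
}


def _d(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def sla_report(kev_text, patch_dates, as_of, sla_days=(3, 15)):
    """Score every KEV entry against each SLA, measured from CISA's dateAdded.

    Per SLA: 'met' = patched within the window, 'missed' = patched late or
    still open past the window, 'pending' = open but inside the window.
    Open CVEs are never counted as met: an unpatched CVE inside the 15-day
    window is already a miss under a 3-day clock, which is why both are
    measured side by side."""
    as_of = _d(as_of)
    entries = json.loads(kev_text)["vulnerabilities"]
    per_sla = {s: {"met": 0, "missed": 0, "pending": 0} for s in sla_days}
    days_when_patched, missed_cisa_due = [], []

    for entry in entries:
        cve = entry["cveID"]
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        patched = patch_dates.get(cve)
        patched = _d(patched) if patched else None
        elapsed = ((patched or as_of) - added).days
        if patched:
            days_when_patched.append(elapsed)
        # CISA's own deadline: late patch, or still open after the due date.
        if (patched or as_of) > due:
            missed_cisa_due.append(cve)
        for s in sla_days:
            if patched and elapsed <= s:
                per_sla[s]["met"] += 1
            elif elapsed > s:
                per_sla[s]["missed"] += 1
            else:
                per_sla[s]["pending"] += 1

    for stats in per_sla.values():
        decided = stats["met"] + stats["missed"]
        stats["pct_met"] = round(stats["met"] / decided, 3) if decided else None
    return {
        "per_sla": per_sla,
        "median_days_to_patch": median(days_when_patched) if days_when_patched else None,
        "missed_cisa_due": missed_cisa_due,
    }


if __name__ == "__main__":
    print(json.dumps(sla_report(SAMPLE_KEV, SAMPLE_PATCHES, "2026-05-22"), indent=2))
```

On the sample data the same four CVEs score 67% met under the 15-day clock and 25% under the 3-day one, which is the gap the article's "be honest" is pointing at. Feed it the real KEV JSON and your ticketing export, and report both percentages to the board, not just the one you currently pass.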
Rock’s Musings
The math is brutal. Attackers weaponize a CVE in hours. Defenders take weeks to deploy a patch through change management. A three-day mandate forces a conversation every CISO has avoided. Redesign the process or accept being late by default.
9. Anthropic Opens Mythos Partner Sharing After Initial Lockdown
On May 18, 2026, Anthropic reversed its earlier position and now allows Project Glasswing partners to share Mythos vulnerability findings with outside parties (Reuters via KFGO). The new policy permits disclosure to security teams, industry bodies, regulators, open-source maintainers, the media, and the public, subject to responsible disclosure. The original Glasswing structure had limited information to launch partners only. About 40 organizations have Mythos.
Why it matters
The first time a frontier lab has walked back an information-sharing restriction on a program of this kind. Centralized control of cyber findings did not work in practice.
Open-source maintainers now have a path to receive Mythos-discovered vulnerabilities. That changes the patch dependency calculus.
The reversal suggests Anthropic underestimated the volume of findings and the scaling problem of single-vendor coordination.
What to do about it
Partners should designate a single coordinated-disclosure contact. Volume will overwhelm informal channels.
Non-partners should register with ISACs and CERTs as receiving organizations.
Pre-write your triage process for AI-discovered vulnerabilities. The format won’t match your CVE workflow.
Rock’s Musings
A governance lesson in real time. You cannot bottle frontier capability and call it safe. Glasswing tried, and within six weeks the math broke. Voluntary coordination is fragile when capability outruns headcount.
10. Trump Pivots Toward AI Regulation Amid Backlash and China Safety Talks
On May 19, 2026, Fortune reported the Trump administration is shifting its public stance on AI regulation in response to mounting voter backlash over job displacement, deepfakes, and AI-enabled crime. The shift comes alongside reported US-China safety talks on frontier AI capability. The administration’s December 2025 EO 14365 sought to preempt state AI regulation. The May 21 EO postponement suggests the political calculation has changed. Fortune cited senior officials describing the sentiment shift as “faster than anyone expected.”
Why it matters
Public backlash on AI is influential enough to move executive policy. A new political force.
US-China safety dialogue, even if informal, sets the stage for future bilateral commitments on frontier capability.
An administration that was preempting state regulation is now hesitating. State AGs read this as license to push harder.
What to do about it
Track AI ballot initiatives in your operating states. The 2026 midterms will surface enforceable propositions.
Audit public-facing AI claims for accuracy. The SEC has flagged AI-washing as an enforcement priority.
Brief government affairs on the bilateral angle. China engagement changes the calculus for export controls and model access.
Rock’s Musings
The political dynamic shifts faster than the technology. Six months ago, the White House was suing California to block AI rules. This week, they were drafting their own voluntary review. Plan around the volatility. The companies that thrive have built controls higher than any jurisdiction requires. You don’t have to guess which regulator strikes next. You have to be ready for any of them.
And then there is musing #1…
The One Thing You Won’t Hear About But You Need To: Identity Dark Matter Is Eating Your AI Agent Program
On May 19, 2026, Orchid Security released its Identity Gap: 2026 Snapshot report (Tech Startups, GlobeNewswire). Invisible identity, what Orchid calls “identity dark matter,” now outweighs visible identity in enterprise environments 57% to 43%. 67% of non-human accounts are created directly within applications, unseen and unmanaged by IAM programs. 70% of enterprise applications carry excessive privileged accounts. The data comes from anonymized telemetry across financial services, healthcare, retail, and energy from April 2025 through March 2026.
Why it matters
AI agents inherit credentials at runtime. If most of your non-human identity is invisible, your agents operate in the blind spot.
Traditional IAM was built for humans. An AI agent using a stale service account has a larger blast radius than the equivalent human error.
The 70% over-privilege finding means that most enterprise apps cannot survive a single agent-misuse event without exposing other systems.
What to do about it
Run non-human identity discovery against your top 10 enterprise applications. Expect a delta against your IAM inventory.
Implement time-bound, on-demand credentials for AI agents. Standing access is the failure mode.
Treat every AI agent identity as privileged. Apply PAM controls, session recording, and behavioral monitoring.
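"Time-bound, on-demand credentials" is easy to say and easy to fake with a long-lived token that merely has an expiry field. The block below is an added example, not code from this article or from Orchid Security, showing the minimum shape of the pattern: a broker that refuses to mint anything longer than a short TTL or with no scope, and a verifier that checks signature, expiry and scope in that order. The HMAC-signed JSON token is an illustrative stand-in for whatever your IdP or workload-identity system issues; the key, agent name and scope strings are constructed.

```python
"""Time-bound, scope-bound credentials for AI agents, with standing access
refused at mint time and expiry, scope and signature enforced at use time.

Added example; not code from the article or from Orchid Security. The token
format (HMAC-SHA256 over JSON claims) is an illustrative stand-in for whatever
your IdP or workload-identity system issues; the key, agent names and scopes
are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

MAX_TTL_SECONDS = 900  # 15 minutes; anything longer is standing access and is refused


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AgentCredentialIssuer:
    """Mints and verifies short-lived bearer tokens for a named agent.

    Assumes a single issuer key held by the broker, never by the agent."""

    def __init__(self, key):
        self._key = key

    def _sign(self, body):
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def mint(self, agent_id, scopes, ttl_seconds, now=None):
        """Issue a token bound to one agent, an explicit scope list and a short TTL.
        Refuses TTLs over MAX_TTL_SECONDS so standing access cannot be minted, and
        refuses empty scope lists so no token carries ambient authority."""
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError(f"ttl must be 1..{MAX_TTL_SECONDS} seconds, got {ttl_seconds}")
        if not scopes:
            raise ValueError("a token with no scopes is ambient authority; refuse it")
        now = int(time.time()) if now is None else now
        claims = {"sub": agent_id, "scp": sorted(set(scopes)), "iat": now, "exp": now + ttl_seconds}
        body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def verify(self, token, required_scope, now=None):
        """Return (True, claims) if the token is authentic, unexpired and carries
        required_scope; otherwise (False, reason). The signature is checked before
        the claims are parsed, so a tampered body is never trusted."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, sig = parts
        if not hmac.compare_digest(sig, self._sign(body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            return False, "expired"
        if required_scope not in claims["scp"]:
            return False, f"scope {required_scope!r} not granted"
        return True, claims


if __name__ == "__main__":
    issuer = AgentCredentialIssuer(b"constructed-demo-key-do-not-reuse")
    t0 = 1_700_000_000
    tok = issuer.mint("ticket-triage-agent", ["tickets:read"], 300, now=t0)
    print(issuer.verify(tok, "tickets:read", now=t0 + 60))    # accepted
    print(issuer.verify(tok, "tickets:write", now=t0 + 60))   # scope refused
    print(issuer.verify(tok, "tickets:read", now=t0 + 301))   # expired
```

The design point is where the refusals live. Expiry and scope are enforced by the verifier, but the ceiling on TTL and the ban on empty scopes are enforced at mint time, so a misconfigured agent cannot request standing access and an operator cannot grant it by accident. In production the broker is your IdP or workload-identity layer and the token is whatever it issues; keep the same two refusals there and log every mint with the agent identity, so the PAM controls and session recording in the list above have something to attach to.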
Rock’s Musings
The story under the story. Every AI security headline this week depends on identity being right. The TanStack worm spread through OIDC tokens. The GitHub breach used a developer’s repository access. Your AI agent governance program is only as good as your non-human identity hygiene. If two-thirds of your service accounts are invisible, you cannot govern the agents using them. Read the report and bring it to your board. Don’t let “we have IAM” be the answer.
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.
References
Axios. (2026, May 21). Scoop: White House postpones AI EO signing ceremony. https://www.axios.com/2026/05/21/white-house-postpones-ai-eo-signing
BleepingComputer. (2026, May 21). GitHub links repo breach to TanStack npm supply-chain attack. https://www.bleepingcomputer.com/news/security/github-links-repo-breach-to-tanstack-npm-supply-chain-attack/
Bloomberg. (2026, May 21). White House postpones AI cybersecurity order signing by Trump. https://www.bloomberg.com/news/articles/2026-05-21/white-house-postpones-ai-cybersecurity-order-signing-by-trump
CNBC. (2026, May 21). Trump postpones AI executive order signing: ‘I didn’t like certain aspects’. https://www.cnbc.com/2026/05/21/trump-ai-executive-order-postponed.html
CNN Business. (2026, May 20). White House postpones executive order on AI. https://www.cnn.com/2026/05/20/tech/ai-executive-order-trump-white-house
Council of the European Union. (2026, May 7). Artificial intelligence: Council and Parliament agree to simplify and streamline rules. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
CSO Online. (2026, May). Microsoft releases open-source tools to operationalize AI agent safety. https://www.csoonline.com/article/4175592/microsoft-releases-open-source-tools-to-operationalize-ai-agent-safety-2.html
Federal News Network. (2026, May 20). AI drives new debate around CISA software patching deadlines. https://federalnewsnetwork.com/cybersecurity/2026/05/ai-drives-new-debate-around-cisa-software-patching-deadlines/
Fortune. (2026, May 19). The times they are a-changin’: Trump pivots towards AI regulation in the face of a mounting public backlash. https://fortune.com/2026/05/19/trump-pivots-towards-ai-regulation-in-face-mounting-ai-backlash-china-ai-safety-talks/
GlobeNewswire. (2026, May 19). Two-thirds of nonhuman accounts are unseen and unmanaged, according to new Identity Gap Report. https://www.globenewswire.com/news-release/2026/05/19/3297602/0/en/Two-Thirds-of-Nonhuman-Accounts-Are-Unseen-and-Unmanaged-According-to-New-Identity-Gap-Report.html
Grafana Labs. (2026, May 16). Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident. https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/
Help Net Security. (2026, May 21). GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise. https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/
Insurance Journal. (2026, May 4). CISA weighs cutting deadlines to fix digital flaws amid worries over AI. https://www.insurancejournal.com/news/national/2026/05/04/868205.htm
KFGO. (2026, May 18). Anthropic to let partners share Mythos cybersecurity findings with others. https://kfgo.com/2026/05/18/anthropic-to-let-partners-share-mythos-cybersecurity-findings-with-others/
Microsoft Security Blog. (2026, May 20). Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow. https://www.microsoft.com/en-us/security/blog/2026/05/20/introducing-rampart-and-clarity-open-source-tools-to-bring-safety-into-agent-development-workflow/
NBC News. (2026, May 21). Trump abruptly scraps signing of landmark executive order regulating AI. https://www.nbcnews.com/tech/tech-news/trump-scraps-signing-landmark-executive-order-regulating-ai-rcna346288
PYMNTS. (2026, May 18). Anthropic will update regulators on Mythos’ cyber vulnerability findings. https://www.pymnts.com/cybersecurity/2026/anthropic-will-update-regulators-mythos-cyber-vulnerability-findings/
Snyk. (2026, May). TanStack npm packages hit by Mini Shai-Hulud. https://snyk.io/blog/tanstack-npm-packages-compromised/
Tech Startups. (2026, May 19). Two-thirds of nonhuman accounts are unseen and unmanaged, according to Orchid Security’s Identity Gap Report. https://techstartups.com/2026/05/19/two-thirds-of-nonhuman-accounts-are-unseen-and-unmanaged-according-to-orchid-securitys-identity-gap-report/
TechCrunch. (2026, May 18). Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom. https://techcrunch.com/2026/05/18/open-source-tool-maker-grafana-labs-says-hackers-stole-its-code-refuses-to-pay-ransom/
TechCrunch. (2026, May 19). Hackers have compromised dozens of popular open source packages in an ongoing supply-chain attack. https://techcrunch.com/2026/05/19/hackers-have-compromised-dozens-of-popular-open-source-packages-in-an-ongoing-supply-chain-attack/
TechCrunch. (2026, May 20). GitHub says hackers stole data from thousands of internal repositories. https://techcrunch.com/2026/05/20/github-says-hackers-stole-data-from-thousands-of-internal-repositories/
TechRadar. (2026, May 18). Anthropic to present exposed Mythos flaws to global watchdog. https://www.techradar.com/pro/security/anthropic-to-present-exposed-mythos-flaws-to-global-watchdog-claims-critical-vulnerabilities-found-in-every-major-operating-system-and-web-browser
The Decoder. (2026, May 18). Anthropic to brief global financial regulators on cyber flaws found by Claude Mythos. https://the-decoder.com/anthropic-to-brief-global-financial-regulators-on-cyber-flaws-found-by-claude-mythos/
The Hacker News. (2026, May 20). Microsoft open-sources RAMPART and Clarity to secure AI agents during development. https://thehackernews.com/2026/05/microsoft-open-sources-rampart-and.html
The Register. (2026, May 18). Grafana Labs admits all its codebase are belong to someone who popped its GitHub account. https://www.theregister.com/cyber-crime/2026/05/18/grafana-labs-admits-attackers-downloaded-its-codebase-from-github/5241686
The Register. (2026, May 21). Microsoft storms RAMPART, adds Clarity to agentic AI safety. https://www.theregister.com/security/2026/05/21/microsoft-open-sources-agentic-ai-safety-tools/5243822
The Washington Post. (2026, May 21). Trump delays executive order on AI oversight hours before planned signing. https://www.washingtonpost.com/technology/2026/05/21/white-house-tore-down-ai-rules-now-its-building-new-defenses/
Wiz. (2026, May). Mini Shai-Hulud strikes again: TanStack + more npm packages compromised. https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised