On December 4, 2025, a Japanese police agency arrested a young man in Osaka under Japan's Unauthorized Access Prohibition Act. He was 17 years old at the time of his arrest. According to reports, he had used malicious code to obtain the private information of more than 7 million users of Kaikatsu Club, Japan's biggest internet café chain. When questioned, the young man stated that he ran the malicious code in order to purchase Pokémon cards.
In a way, this is a pretty typical story. Since the 1990s we've heard about a string of computing "prodigies," including Kevin Mitnick, whose technical skills surpassed their common sense and who became involved in well-known cybercrimes motivated by either fame, money, or thrill-seeking. However, there is something new in this story: the young man in question wasn't skilled enough to write the malicious code himself; he got someone else to do it for him.
How did we arrive here? The rise of AI-assisted attacks
In 2025, LLM-based chat and agent systems reached a tipping point, evolving from reasonably useful but error-prone coding assistants to full-fledged coding platforms. Over the course of 2025, numerous metrics related to cybercrime frequency and severity nearly doubled. Malicious packages discovered on public repositories increased by 75%, cloud breaches rose by 35%, and AI-generated phishing started performing better than humans alone in simulations. Perhaps more notably, there have been some qualitative differences in the types of people creating attacks.
In February 2025, three teenagers (ages 14, 15, and 16) with no prior experience writing code used ChatGPT to create a tool that launched approximately 220,000 attempts against Rakuten Mobile's system. Afterward, they spent their earnings on video game consoles and online betting. In July 2025, a single user of Claude Code, an advanced coding platform that uses AI agents to assist in the process of writing code, created an extortion campaign that affected seventeen organisations over the span of one month. Using AI agents, the individual wrote malicious code, arranged the stolen documents, and analysed financial records to determine how much each victim should pay to keep their information private. The individual also drafted email communications to send to each organisation requesting payment. In December 2025, a separate individual breached the Mexican government using Claude Code and ChatGPT and stole more than 195 million tax records from over ten federal agencies.
Although this type of attack was possible prior to 2025, we are beginning to see single-actor attacks that were previously associated with organised groups, and smaller-scale attacks that were typically attributed to hackers and engineers with significant talent and skill in the pre-AI era. With AI assistance now available, the bar has been significantly lowered for conducting highly complex attacks.
Bad numbers go up
Throughout 2025, a variety of metrics indicating bot behaviour, malware generation, targeted compromises, and phishing attempts demonstrated rapid growth. At the same time, LLM performance on various technical benchmarks grew exponentially.
As of 2022, there were 55,000 malicious packages posted on public repositories. By 2025, the number had risen to 454,600. Significant spikes occurred during 2023 (when GPT-4 was released) and again in 2025 (when agentic coding became prominent).
A separate metric illustrating an attacker's ability in the real world, time to exploit, is virtually unrecognisable compared to previous eras. Time to exploit refers to the period of time between when a vulnerability is publicly disclosed and when an exploit for that particular vulnerability has been identified in the wild.
Time to exploit has fallen dramatically since 2020, dropping from over 700 days in 2020 to only 44 days in 2025. In fact, according to Mandiant's 2026 M-Trends report, time to exploit is essentially zero. Exploits are appearing regularly before fixes are issued, with nearly 28.3% of CVEs being exploited within 24 hours of publication.
During 2024, 2025, and early 2026, the scores for front-line models such as ChatGPT, Claude, and Gemini on benchmarks such as SWE-bench (which evaluates software development capability) skyrocketed.
At the start of August 2024, top models were resolving approximately 33% of actual GitHub issues on the benchmark. By December 2025, that number had increased to just shy of 81%.
Late in 2024 and throughout most of 2025, AI-powered coding passed an inflection point. While AI is empowering coders in many ways, it is also empowering attackers in similar ways. Consequently, the cybersecurity landscape in 2026 has evolved, with attacks occurring more frequently, at higher levels of severity, and with more impactful results.
You can't patch your way out of this pain
AI is driving both attackers and defenders. Unfortunately for defenders, it appears as though attackers are currently winning the arms race. Based on data collected from both 2025 and 2026, the average time required for organisations to address a known high- or critical-severity CVE has risen from 37 days (in 2019) to 74 days (in 2025), per the Edgescan Vulnerability Statistics Report for 2025. Furthermore, 45% of vulnerabilities existing in systems managed by larger organisations (>1,000 employees) never receive remediation.
Additionally, many organisations have faced challenges due to the increasing prevalence of malware located within public package repositories. In September 2025, an attack referred to as the Shai-Hulud attack impacted over 500 packages located in the npm repository, resulting in over 487 organisations having secrets compromised and $8.5M stolen from Trust Wallet after attackers used exposed credentials to poison its Chrome extension. Following the attack, many organisations placed code freezes on development.
However, even with remediation efforts underway, detection becomes increasingly difficult. In 2025, malicious npm packages masquerading as widely used packages such as chalk and debug contained documentation, unit tests, and code designed to mimic legitimate telemetry modules. No static analysis or signature scanning technology could detect them because the code appeared as though it had been written by a legitimate developer using AI-assisted tooling.
According to Chainguard CEO Dan Lorenc, "Vulnerability management has become too complex and too large for most organisations to manage themselves."
Erasing categories of attack
The takeaway from events occurring during 2025 is that you cannot outrun these attacks. The gap between when a vulnerability is patched and when it is exploited continues to shrink faster than developers can implement patches. Moreover, AI-generated malware is consistently bypassing traditional detection technologies that organisations have employed for decades. The overlap between "willingness" to carry out attacks and "technical competency" to conduct attacks is expanding monthly. Organisations are producing software faster than ever before. If supply chain attacks continue to escalate at this rate, what will happen in 2027 when model capabilities reach level ten?
Rather than relying solely on speed and attempting to outrun threats, organisations need to begin eliminating categories of vulnerabilities altogether, allowing teams to concentrate on other areas. This concept forms the basis for Chainguard Libraries, which creates a completely trustworthy version of every open-source library from verifiable, attributable source code. Chainguard Libraries eliminates entire classes of attacks, rendering them structurally impossible, thereby preventing CI/CD takeovers, dependency confusion, long-lived token theft, and package distribution attacks. When tested against approximately 8,783 malicious npm packages, Chainguard Libraries prevented approximately 99.7%. Similarly, when tested against approximately 3,000 malicious Python packages, it successfully blocked approximately 98%.
454,600 malicious packages existed last year. Nearly 395,000 malicious packages existed during a single quarter. One teenage boy in Algeria developed ransomware that struck approximately 85 victims in his first month. A 17-year-old extracted over seven million records with the intention of purchasing Pokémon cards. Tools enabling these types of attacks are becoming increasingly cheaper, faster, and more accessible. Rather than frantically reacting whenever another Axios or Shai-Hulud event occurs, organisations can take a more proactive stance by deploying production systems, artifact managers, and developer workstations populated with Chainguard Libraries.