More than 10 million documents spanning 8 terabytes of data were reportedly stolen from Foxconn’s network. Confidential AMD, Google, and Intel projects are at risk of exposure, but Apple’s tech appears to be safe.

Even with Apple’s extensive security measures for pre-production designs, the company’s supply chain partners often fall victim to cyberattacks. In December 2025, an Apple assembler in China was targeted by attackers, with the same thing happening to Luxshare in January 2026.

Now, Foxconn has become the latest Apple supply chain and assembly partner to suffer a cyberattack. On Tuesday, the company confirmed its facility in Mount Pleasant, Wisconsin, had been impacted by the attack in May 2026.

Ransomware group Nitrogen claims to have taken 8TB of data, or over 11 million files. “These include files such as confidential instructions, projects, and drawings from Intel, Apple, Google, Dell, Nvidia, and many other projects,” reads the group’s announcement.

Nitrogen also posted a collection of sample files, meant to serve as proof of the alleged attack. While AppleInsider won’t share links to the allegedly stolen files, we did analyze the sample provided by the group to gain a better understanding of the scope of the attack.

The attackers seemingly stole financial documents related to Foxconn’s Houston, Texas, facility. Also stolen was documentation related to Foxconn temperature sensors, integrated circuits, board layouts, and more.

Additionally, the files appear to contain network topology documentation related to AMD, Intel, and Google projects, including files related to server processors, sockets, and other components. The sample set seems to contain files related to Foxconn’s electrical engineering team more than anything else.

It’s not clear if there are any files directly related to existing or future Apple projects. This ultimately doesn’t serve as much of a surprise, given that Foxconn’s Mount Pleasant facility primarily produces televisions and data servers rather than Apple devices.

Based on the sample provided, it does not look like Nitrogen obtained any Apple schematics, documentation related to Foxconn’s Apple product development teams, or Apple quality control data.

Foxconn’s manufacturing facilities, be they in China, India, or elsewhere, are typically protected via an internal VPN. While the facility network typically encompasses on-site computers, Foxconn plants do communicate with one another and with Apple via email.

As the group has documents related to Foxconn’s Houston, Texas, facility, they may have acquired additional data from facilities beyond the one in Wisconsin. In other words, Nitrogen might have obtained Apple designs from a separate Foxconn factory, maybe through emails or file-sharing servers.

While it’s difficult to ascertain exactly what was taken, given the group allegedly stole 8TB worth of files, it does not look like Apple has much to worry about.

How the Foxconn cyberattack allegedly happened

As noted by the Wisconsin publication TMJ4, Foxconn’s Mount Pleasant facility experienced a network outage in early May 2026 because of a cyberattack. Production was allegedly interrupted for around a week, but has since resumed.

Foxconn’s Wisconsin plant in 2020.

Per The Cybersec Guru, the facility’s network began experiencing issues on May 1, with Wi-Fi being cut off at 7 AM ET, and disruptions to the core plant infrastructure occurring by 11 AM ET. Manufacturing seemingly remained affected until May 12, 2026.

“We were told to turn off our computers and not log back in under any circumstances,” allegedly said an unnamed worker. “The timecard terminals were dead. We were filling out paper timesheets just to track our hours.”

Analyst Mark Henderson claims that “the topology specs for Google and Intel are the real concern.” He explains that these are “architectural maps of live infrastructure,” and that attackers could use the data to identify vulnerabilities in data centers across the world.

The ransomware group behind the attack, Nitrogen, has been around since 2023. The group seems to have ties to the BlackHat/ALPHV ransomware and is known for utilizing a double-extortion model. This means it resorts to encrypting data and later threatening to leak it.

However, according to Coveware, Nitrogen’s ESXi encryptor has a critical flaw. During encryption, the files’ public key gets corrupted, meaning that victims are unable to receive decrypted files even if the ransom is paid.

The full scope of the cyberattack targeting Foxconn’s Wisconsin facility remains to be seen. Judging by the available information, however, it’s unlikely we’ll see Apple’s product designs surface as a result of the hackers’ efforts.

In the frame, NASA’s six-wheeled Perseverance rover is securely planted on a stretch of dirt far to the west of Jezero Crater. You can see its mast dipping down towards Arethusa, the rocky protrusion we’ve all become familiar with, before swinging back around to face the camera full on. Years of driving have created a fine layer of dust on the rover and its wheels, catching the light and creating a beautiful warm glow. Meanwhile, a new circular mark on Arethusa indicates where the rover dug in with its biters and removed a portion of the surface to examine what was hidden beneath. The robotic arm in front, with the WATSON camera attached to its end, is the one that took it all in.

Sixty-one separate exposures went into the final composite. The arm performed sixty-two precise shifts across roughly one hour on March 11, 2026, the 1,797th Martian day of the mission. Each small adjustment let the camera capture another slice of the rover and its surroundings until the pieces fit together into one complete portrait.

Sale

LEGO Technic NASA Mars Rover Perseverance Building Toys – STEM Model Kit for Boys & Girls, Ages 10+ Years…

• Feed a passion for science and technology – Kids can learn more about the challenges of space exploration with this LEGO Technic NASA Mars Rover…
• Conduct a test flight – This advanced building kit for kids ages 10 and up includes a buildable toy version of NASA’s Ingenuity helicopter, which…
• AR brings the mission to life – The accompanying augmented reality app experience lets kids dive into the details of the rover and its mission

Beyond the rover, the landscape stretches in all directions. The western rim of Jezero Crater is made up of all these ancient rock layers that continue on for as far as the eye can see beneath that pale, pale sky. The land around the rover is covered with boulders and strange ridges that have formed over billions of years. We name that area Lac de Charmes, and it’s all the way out on the western side, the farthest Perseverance has gotten since it landed five years ago.

The rock named Arethusa drew the rover here for good reason. After the abrasion the team studied the freshly exposed material and found it consists of igneous minerals with large crystals that formed deep underground long before Jezero Crater itself existed. Those crystals point back to some of the earliest chapters in Mars history, when molten rock cooled slowly far beneath the surface.

Moments like this one are a big part of what keeps the mission going, as Perseverance is currently in the middle of its fifth science campaign on the northern rim, collecting data that helps connect the younger sedimentary layers inside the crater to the much older stuff that’s exposed outside. So far, the rover has cut a piece out of 62 rocks, filled 25 sample tubes, and explored about 26 miles of terrain, which is just a couple of miles shy of a full marathon.

cyber-crime

Affected factories back up and running, we’re told

Foxconn, a critical supplier for major hardware companies like Apple and Nvidia, on Tuesday confirmed a cyberattack affecting its North American operations after the Nitrogen ransomware gang listed the electronics manufacturer on its data leak site.

“Some of Foxconn’s factories in North America suffered a cyberattack,” a Foxconn spokesperson told The Register. “The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.”

Nitrogen ransomware criminals on Monday claimed to have breached the Taiwan-based company and stolen 8 TB of data comprising more than 11 million files. The miscreants say the leaks include confidential instructions, internal project documentation, and technical drawings related to projects at Intel, Apple, Google, Dell, and Nvidia, among others.

Foxconn declined to confirm that these – or any – customers’ information was hoovered up in the digital intrusion.

Nitrogen, which has been around since 2023, is believed to be one of the various ransomware offshoots that borrowed code from the leaked Conti 2 builder.

And, in what may be very bad news for its latest victim, even paying the ransom demand may not guarantee recovery of encrypted files.

In February, Coveware researchers warned that a programming error prevents the gang’s decryptor from recovering victims’ files, so paying up is futile. The finding specifically concerns the group’s malware that targets VMware ESXi.

This isn’t the first time Foxconn has been targeted by ransomware gangs. In 2024, LockBit claimed to have infected Foxsemicon Integrated Technology, a semiconductor equipment manufacturer within the Foxconn Technology Group. The same criminal crew also hit a Foxconn subsidiary in Mexico in 2022. ®

Networks

Quietly extends waivers to 2029 after realizing it was about to leave millions of devices unpatched

America’s telco regulator has seen some sense over its ban
on foreign-made routers, deciding that existing devices should continue receiving software and firmware updates after all.

The Federal Communications Commission (FCC) has extended waivers covering certain foreign-made routers (and drones) already operating in the US, pushing the update deadline to at least January 1, 2029. Without the extension, updates would have been blocked as early as 2027.

Back in March, the FCC updated its Covered List to include all
foreign-made consumer routers, prohibiting the approval of any new models.
This effectively banned any new kit made in other countries from being sold,
but did not prevent the import, sale, or use of existing models that had previously
been authorized.

The policy stems from fears that foreign-made router pose a security threat. Because they handle network traffic, they could introduce
vulnerabilities exploitable against critical infrastructure, and in
the words of the FCC represent “a severe cybersecurity risk that could harm
Americans.”

Miscreants have exploited security flaws in routers to
disrupt networks or steal intellectual property, and routers are implicated in
the Volt, Flax, and Salt Typhoon cyberattacks.

The policy was widely regarded as flawed, not just because the
vast majority of consumer router kit is made outside the US or built from components
sourced abroad, but because vulnerabilities and security flaws are not limited
to any particular geography, and appear in products from all brands and
countries of origin, as noted
by the Global Electronics Association (GEA).

Blocking firmware updates, which typically deliver security patches for newly discovered flaws, also seemed a peculiar own goal for a regulator whose stated motivation is reducing network vulnerability. 

The FCC has belatedly recognized this, stating that its
policies would have “had the effect of prohibiting permissive changes to the
UAS, UAS critical components, and routers added to the Covered List in December
and March.

“This prohibition would be in effect even for Class I and Class II
permissive changes – such as software and firmware security updates that
mitigate harm to US consumers – because previously authorized UAS, UAS critical
components, and routers are now covered equipment.”

The waivers now run until at least until January 1, 2029, falling into the final month of the Trump administration, when there is a chance this may be overlooked in the preparations for Trump’s successor.

The FCC extension was met with some approval. Doc McConnell, head
of policy and compliance at security biz Finite State said in a supplied
remark: 

“I strongly support the FCC’s decision to allow firmware and software
updates for already-authorized routers, including covered devices already
deployed in the United States.”

“The biggest practical security risk with routers is not
only who made them, but whether they remain patched. When they stop receiving
updates, known vulnerabilities remain exposed, attackers gain durable
footholds, and consumers are left with equipment they cannot realistically
secure on their own.

“The original restriction risked creating exactly that
problem: millions of deployed routers frozen in time, unable to receive
security fixes. I appreciate the FCC recognizing that preventing updates could
unintentionally make Americans less safe,” he added.

However, as previously reported by The Register, the FCC’s
Conditional Approval framework explicitly requires vendors seeking approval for
new routers to submit plans to establish or expand manufacturing in America, with quarterly progress updates.

As stated by the GEA, “The policy’s logic assumes that
manufacturers can and will move production to the United States.” That might be
an assumption too far. 
®

A cyberattack against one of the world’s largest digital education platforms has forced attention onto the vulnerability of U.S. schools’ data.

Instructure, the company behind Canvas, a learning management system used by thousands of schools which has 30 million active users, had its service interrupted late last week. According to a company statement, hackers breached Instructure’s “free for teacher” account, or those specifically offered to give teachers access to Canvas courses.

The criminal hacking group ShinyHunters claims to have stolen 275 million records from roughly 9,000 educational institutions around the world, per reporting from Security Week.

In the latest, at the beginning of this week, Instructure published a note saying that it had reached a deal with the hackers to return the stolen data and had received digital confirmation of data destruction, along with assurance that none of its customers would be extorted. The note did not mention what Instructure gave in return. But the note announced a webinar with “Instructure leadership” scheduled for Wednesday.

According to Instructure, this is the second data breach within the year. The latest included a breach of customer — including teacher and students’ — email addresses, usernames, enrollment information and course names.

The attacks happened around finals for many colleges. Canvas was back online as of Saturday, according to a note about the incident on Instructure’s website. But at least six universities and school districts in a dozen states sent out alerts noting they had been impacted by the attack, according to reporting from CNN. Prior to Instructure’s deal, CNN noted that ShinyHunters had set a Tuesday deadline for schools to “negotiate a settlement.”

The education sector is an attractive target for hackers, with experts describing it as “target rich, resource poor.”

The breach comes amid immense frustration and legislative pushback against the extent schools have become reliant on edtech since pandemic closures forced schools to rush to embrace digital instruction and tools. Some wonder whether the attacks raise thorny questions about trust and the ability of schools to respond when outside vendors are targeted.

While this latest incident has renewed attention, cyber attacks against schools are not a new concern. Cybersecurity was even identified as a top concern in EdSurge’s 2025 trends forecast.

Indeed, the frequency of attacks has increased dramatically in recent years against both higher ed and K-12 schools, and some experts worry that AI is making attacks more sophisticated.

The figures are startling. For example, 82 percent of K-12 organizations reported a cyber security incident, according to a 2025 report from the Center for Internet Security, which noted 9,300 confirmed incidents.

Schools have struggled to figure out how to respond to new cybersecurity threats. Here are some notable highlights from the past few years:

• 2022: A cyberattack against Illuminate Education made the rounds. In 2018, the European Union passed the General Data Protection Regulation, or GDPR, providing clarity into what data protection parents, teachers and students should get. But a few years later, during the Illuminate attack, experts noted that the U.S. lacked a national consensus, though states were beginning to pass legislation.
• 2022: Later that year, after a major attack against Los Angeles Unified School District, one of the largest in the country, experts warned EdSurge that schools represent “honey pots of highly sensitive information.” In that attack, a ransomware gang dumped 500 GB of files, including sensitive student and teacher information, on the dark web when the district refused to pay.
• 2025: Early into the Trump administration’s second term, experts noted that coordinated federal attacks had been impacted by cuts, weakening federal support for schools. At the time, districts noted that they were operating “in the dark” with an uncertain future around cybersecurity issues.
• 2025: In a two-part EdSurge series, “Under Siege: How Schools Are Fighting Back Against Rising Cyber Threats,” reporter Ellen Ullman tracked how districts around the country are responding to AI’s rise in cyber incidents. Ullman’s reporting found that many schools remain weak on the fundamentals of cybersecurity, with small schools becoming attractive targets for cyber criminals. Schools are having to learn that the first line of defense against scams is humans, Ullman notes.

Some argue that the latest attacks are a sign that institutions need more meaningful expectations around cybersecurity, since the audits and certifications they currently rely on are failing to safeguard student data.

“Too often they serve as compliance theater and as weak shields against liability,” wrote Douglas Levin, national director of K12 Security Exchange Information, on social media.

Over the years, cybersecurity experts have shared a range of tips for schools to stay secure — from educating staff and students to seeking outside help to deal with the mounting threat.

With increasingly sophisticated attacks, there’s more than ever pressure for schools to secure student data despite all the challenges.

Bristol Myers Squibb has signed a deal worth up to 15.2 billion dollars with Jiangsu Hengrui Medicine, China’s largest pharmaceutical company by market capitalisation. The agreement covers 13 early-stage drug programmes across oncology, haematology, and immunology. None of the drugs have entered human clinical trials. The deal was announced on the same day that President Trump flew to Beijing for his first state visit to China in his second term.

The timing is coincidence. The economics are not. Bristol Myers Squibb is staring at a patent cliff that will strip roughly 300 billion dollars in revenue from the global pharmaceutical industry by 2030. Its own blockbusters, Opdivo and Eliquis, together generating more than 22 billion dollars in annual sales, face loss of exclusivity around 2028. The company needs new molecules. It cannot discover them fast enough on its own. China can.

The deal

BMS will pay Hengrui 600 million dollars at closing, 175 million on the first anniversary, and a contingent 175 million in 2028, totalling 950 million dollars in structured payments through the near term. The remaining 14.25 billion is in development, regulatory, and commercial milestones. BMS gets exclusive worldwide rights to Hengrui’s four oncology and haematology assets outside mainland China, Hong Kong, and Macau. Hengrui gets exclusive rights to four BMS immunology assets inside those territories. The two companies will jointly discover and develop five additional programmes using Hengrui’s discovery engine.

The structure tells the story. BMS is not acquiring Hengrui. It is licensing Hengrui’s research output. The American company with the patent cliff is paying the Chinese company with the pipeline. The transaction is expected to close in the third quarter of 2026, subject to antitrust review. Hengrui’s share price rose on the announcement. BMS’s did not fall.

The pipeline

Hengrui is not the Chinese pharmaceutical company that American executives imagined a decade ago. It is not a generics manufacturer. It operates more than 90 in-house therapies in clinical development across 400 clinical trials, including over 20 international studies. It is the only Chinese pharmaceutical company to rank among Citeline’s global top 10 pharma pipelines, alongside Pfizer, Roche, and AstraZeneca. Its R&D spending exceeded 2.22 billion yuan in the first quarter of 2026 alone, representing 27 per cent of revenue. It has 30 commercialised drugs in China and 20 approved in the EU, the US, and Japan.

The company’s market capitalisation is roughly 54.6 billion dollars. It reported first-quarter profit growth of 21.8 per cent. Its pipeline spans oncology, cardiometabolic diseases, immunology, respiratory conditions, and neuroscience. The deal with BMS is not Hengrui’s first major international licensing agreement. It is the largest. And it comes after a year in which Chinese drug companies collectively struck 137.7 billion dollars in out-licensing deals, a figure that was nearly tenfold the total recorded in 2021.

The cliff

The pharmaceutical industry’s patent cliff is not a future event. It is underway. BMS reported full-year 2025 revenues of 48.2 billion dollars, down from 48.3 billion the year before, and guided 2026 revenues between 46 billion and 47.5 billion dollars. Legacy product revenue fell 15 per cent to 21.8 billion in 2025. Pomalyst sales declined from 3.55 billion to 2.73 billion as generic competition arrived. The company’s growth portfolio, led by Opdivo, Breyanzi, Reblozyl, and Camzyos, is generating 16 per cent year-over-year increases, but the growth must outrun the erosion.

BMS is not alone. The industry faces more than 300 billion dollars in revenue losing patent protection between 2025 and 2030. Merck’s Keytruda, the world’s best-selling drug at 29.5 billion dollars in 2024, hits its own cliff. Pfizer is racing to launch obesity drugs by 2028 to offset expiring franchises. The entire sector is searching for the same thing: molecules. The companies that have them are increasingly Chinese.

The pattern

AstraZeneca signed an 18.5 billion dollar deal with China’s CSPC Pharmaceutical in January for eight obesity and diabetes drug candidates. AbbVie agreed to a 5.6 billion dollar cancer deal with RemeGen. Chinese companies accounted for roughly one third of all global licensing spending in 2025, up from a fraction of that five years earlier. The average upfront payment for a licensing deal with a Chinese company rose from 52 million dollars in 2022 to 172 million in early 2026. The bargain era is over. Chinese biotechs know the value of what they have built.

Stanford’s 2026 AI Index found that China has narrowed the performance gap with the US to 2.7 per cent while spending 23 times less on AI investment. The same dynamic is playing out in pharmaceutical R&D. Chinese clinical trial output surpassed the US for the first time in 2025. Chinese biotechs now account for nearly 70 per cent of global AI-driven drug discovery patent filings. The country is producing more drug candidates, faster, at lower cost, than the Western pharmaceutical companies that need them most.

The contradiction

The BIOSECURE Act became law in December 2025. It restricts federal agencies from contracting with designated Chinese biotechnology companies. The law was designed to reduce American dependence on Chinese biotech infrastructure, particularly contract research and manufacturing organisations like WuXi AppTec and WuXi Biologics. The intention was to decouple the US pharmaceutical supply chain from China.

BMS’s 15.2 billion dollar deal with Hengrui is not covered by the BIOSECURE Act. The law targets government contracts, not private licensing agreements. But the contradiction is structural. Congress passed legislation to restrict Chinese biotech access on national security grounds while the largest American pharmaceutical companies are signing record-breaking deals with Chinese drug developers because they cannot fill their pipelines without them. The decoupling strategy that works in semiconductors and AI chips does not work in drug discovery, because the molecules that Chinese scientists are finding are the molecules that American patients need.

Foreign automakers have been forced to partner with Chinese technology companies because they cannot develop competitive software fast enough on their own. The same logic now applies to pharmaceuticals. BMS is not signing a 15.2 billion dollar deal because it wants to. It is signing it because the patent cliff has made Chinese innovation the fastest path to commercial survival.

The timing

The deal was announced as Trump’s delegation, including Elon Musk, Tim Cook, and Larry Fink, prepared to land in Beijing for three days of talks on trade, technology, and the Iran war. Semiconductor export controls, rare earth restrictions, and tariff extensions dominate the summit agenda. Pharmaceuticals are not on the official programme. But the BMS-Hengrui deal illustrates a reality that the trade negotiators on both sides already understand: American companies are dependent on Chinese innovation in ways that export controls cannot reach.

China’s manufacturing supply chain is pivoting from smartphones to humanoid robots, from consumer electronics to autonomous systems, from generics to novel drug candidates. The pattern is the same across industries. Chinese companies that were once low-cost manufacturers are now high-value innovators, and the Western companies that once outsourced production to them are now licensing intellectual property from them. The power dynamic has inverted.

American capital is flowing into R&D at industrial scale, with billions pouring into AI laboratories, biotech platforms, and drug discovery engines. But the capital is increasingly being deployed to access Chinese research rather than replace it. BMS’s structured payments to Hengrui, 950 million dollars through 2028 before a single drug reaches clinical trials, represent the price of admission to a pipeline that took decades of Chinese R&D investment to build.

China’s regulatory environment is maturing alongside its innovation capacity, with governance frameworks for AI, biotech, and pharmaceutical research developing in parallel with the scientific output. The Chinese pharmaceutical industry that American companies are now licensing from is not the unregulated manufacturing sector of the early 2000s. It is a state-supported, globally competitive, scientifically rigorous ecosystem that produces drug candidates that meet FDA standards, which is why BMS is paying 15.2 billion dollars for access to 13 of them.

The deal will close this summer. The drugs will take years to reach patients, if they work at all. Thirteen early-stage programmes with no human clinical data carry enormous risk. But Bristol Myers Squibb calculated that the risk of not signing was greater than the risk of signing. The patent cliff does not wait for geopolitics. The largest pharmaceutical deal with a Chinese company in history was announced on the same day the American president arrived in Beijing to discuss decoupling. One conversation is about separating the two economies. The other is about why that is no longer possible.

Google has identified the first zero-day exploit it believes was developed with artificial intelligence. The criminal threat actor that built it planned to use it in a mass exploitation event. Google’s Threat Intelligence Group discovered the vulnerability before it was deployed, worked with the affected vendor to patch it, and disrupted the operation. The exploit, a Python script that bypasses two-factor authentication on a popular open-source system administration tool, contained hallucinated CVSS scores, educational docstrings, and the structured textbook formatting characteristic of large language model output. Google has high confidence that an AI model was used to find and weaponise the flaw.

The disclosure comes in a report published on Monday by the Google Threat Intelligence Group that documents a maturing transition from experimental AI-enabled hacking to what GTIG calls the “industrial-scale application of generative models within adversarial workflows.” State-sponsored actors from China and North Korea are using AI for vulnerability research. Russia-nexus threat actors are deploying AI-generated decoy code against Ukrainian targets. An Android malware called PROMPTSPY uses Google’s own Gemini API to autonomously navigate victim devices, capture biometric data, and block its own uninstallation. The AI cybersecurity arms race that experts warned about is no longer theoretical. It is in Google’s incident response logs.

The zero-day

The exploit targeted a semantic logic flaw, not a memory corruption bug or an input sanitisation error, but a high-level design mistake where the developer hardcoded a trust assumption into the two-factor authentication logic. Traditional vulnerability scanners and fuzzers are optimised to detect crashes and data-flow sinks. They miss this category of flaw. Large language models do not. Frontier models can perform contextual reasoning, reading the developer’s intent and correlating the authentication enforcement logic with hardcoded exceptions that contradict it. The model surfaced a dormant logic error that appeared functionally correct to every traditional scanner but was strategically broken from a security perspective.

GTIG worked with the impacted vendor to responsibly disclose the vulnerability. It does not believe Gemini was used. The criminal group behind the exploit has, according to Google, “a strong record of high-profile incidents and mass exploitation.” The planned mass exploitation event was prevented by proactive counter-discovery. The implication is that AI has crossed a threshold. It can now find vulnerabilities that humans and traditional tools miss, and it is being used by criminal actors to do so at scale.

The autonomous malware

PROMPTSPY is an Android backdoor first identified by ESET in February 2026. Initial reporting focused on its use of the Gemini API to maintain persistence by navigating the Android user interface to pin the malicious application in the recent apps list. Google’s analysis revealed capabilities that go significantly further.

The malware contains an autonomous agent module called GeminiAutomationAgent. It serialises the device’s visible user interface hierarchy into an XML-like format via the Accessibility API and sends it to the gemini-2.5-flash-lite model. The model returns structured JSON responses containing action types and spatial coordinates, which PROMPTSPY parses to simulate physical gestures: clicks, swipes, and navigation. The AI interprets the device’s state and generates commands in real time without human supervision.

PROMPTSPY can capture victim biometric data to replay authentication gestures and regain access to compromised devices. If a victim tries to uninstall it, the malware identifies the on-screen coordinates of the uninstall button and renders an invisible overlay that intercepts touch events, making the button appear unresponsive. Its command and control infrastructure, including Gemini API keys and VNC relay servers, can be updated dynamically at runtime, meaning that blocking specific endpoints does not disable the backdoor. Google has disabled the assets associated with this activity and confirmed that no apps containing PROMPTSPY are found on Google Play.

The state actors

Chinese and North Korean state-sponsored threat actors are using AI for vulnerability research with increasing sophistication. GTIG observed UNC2814, a Chinese-linked group, directing Gemini to act as a “senior security auditor” and “C/C++ binary security expert” to support vulnerability research into TP-Link firmware and file transfer protocol implementations. North Korea’s APT45 sent thousands of repetitive prompts that recursively analysed different CVEs and validated proof-of-concept exploits, building an arsenal of exploit capabilities that would be impractical to manage without AI assistance.

Chinese threat actors experimented with a specialised vulnerability repository called wooyun-legacy, a Claude code skill plugin containing a distilled knowledge base of more than 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016. By priming an AI model with this vulnerability data, the actors enabled in-context learning that steered the model to approach code analysis like an experienced researcher and identify logic flaws the base model would otherwise miss.

Russia-nexus actors targeting Ukrainian organisations are deploying malware families called CANFAIL and LONGSTREAM, both of which use AI-generated decoy code to obfuscate their malicious functionality. CANFAIL’s source code contains developer comments that explicitly identify unused blocks as filler content designed to disguise malicious activity. LONGSTREAM contains 32 instances of code querying the system’s daylight saving status, a repetitive benign-looking operation that exists solely to camouflage the downloader’s real purpose. APT27, a Chinese-linked group, used Gemini to accelerate development of an operational relay box network management tool with multi-hop proxy configurations designed to obfuscate intrusion origins.

The supply chain

A cyber crime group called TeamPCP claimed responsibility for multiple supply chain compromises of popular GitHub repositories and associated GitHub Actions in late March 2026, including Trivy, Checkmarx, LiteLLM, and BerriAI. The attackers gained initial access through compromised PyPI packages and malicious pull requests, then embedded credential-stealing malware to extract AWS keys and GitHub tokens from affected build environments. The stolen credentials were monetised through partnerships with ransomware and data theft extortion groups.

The compromise of LiteLLM, an AI gateway utility used to integrate multiple large language model providers, is particularly significant. Because the package is widely deployed, the breach could expose AI API secrets across the software supply chain. GTIG notes that attackers who gain access to an organisation’s AI systems through compromised dependencies could leverage internal models to identify, collect, and exfiltrate sensitive information at scale, or perform reconnaissance to move deeper within the network. The AI software ecosystem has become both a tool for attackers and a target.

Google announced its agent infrastructure at Cloud Next 2026, positioning Gemini as the reasoning backbone for autonomous AI workflows across enterprise. The same company is now documenting how adversaries are using agentic workflows to orchestrate attacks. The GTIG report describes threat actors deploying tools called Hexstrike and Strix against a Japanese technology firm and an East Asian cybersecurity platform, with Hexstrike using a temporal knowledge graph to maintain persistent state of the attack surface and autonomously pivot between reconnaissance tools. The agents that Google is selling to enterprises are being mirrored by agents that adversaries are deploying against them.

The defence

Google’s response includes Big Sleep, an AI agent developed by Google DeepMind and Google Project Zero that searches for unknown security vulnerabilities in software. Big Sleep found the vulnerability that the criminal group planned to exploit before the attack was launched. Google also introduced CodeMender, an AI-powered agent that uses Gemini’s reasoning capabilities to automatically fix critical code vulnerabilities. The defensive AI found the flaw. The offensive AI created the exploit. Google’s proactive discovery arrived first.

Google has repositioned Chrome as an enterprise security platform with real-time data loss prevention and AI governance controls, reporting a 50 per cent reduction in unauthorised AI data transfers. The investment in defensive infrastructure reflects the scale of the threat GTIG is documenting: 308 petabytes of industry telemetry in 2025 across more than four million identities, endpoints, and cloud assets, producing nearly 30 million investigative leads. No human team can process that volume. The defensive AI is not optional. It is the only way to match the speed of the offensive AI.

The policy gap

The Trump administration blocked the expansion of Anthropic’s Mythos, the most powerful vulnerability-discovery AI ever built, even as the GTIG report documents criminal and state-sponsored actors using AI to find and exploit the same types of flaws that Mythos was designed to detect. The policy contradiction is that the US government is simultaneously restricting access to defensive AI and facing an adversary landscape in which offensive AI is being deployed at industrial scale.

UK banks received their Mythos briefing within days of the European access crisis, illustrating the scramble among governments and financial institutions to gain access to AI security tools that can match the capabilities GTIG describes. Euro-area finance ministers convened to discuss the fact that no EU government had access to the most advanced vulnerability-discovery AI while the adversaries documented in the GTIG report, state-sponsored actors from China, North Korea, and Russia, were already using AI to find zero-days, generate autonomous malware, and attack the AI software supply chain.

The GTIG report is 33 pages of evidence that the AI cybersecurity arms race has moved from hypothesis to operational reality. Criminal actors are using AI to discover zero-day vulnerabilities and plan mass exploitation events. State-sponsored groups are building AI-augmented exploit arsenals. Autonomous malware is using commercial AI APIs to navigate victim devices without human supervision. The supply chain that connects AI models to enterprise systems is under active attack. Google’s defensive AI found the zero-day before the attackers could deploy it. The question the report does not answer is how many zero-days have been found by actors whose work Google has not yet detected.