The Year of AI-Assisted Attacks

On December 4, 2025, a 17-year-old was arrested in Osaka under Japan's Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million customers of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards.

In a way, this is a fairly typical story. Since the 1990s, we've read about computing wunderkinds such as Kevin Mitnick, whose technical ability exceeded their judgment and who were drawn into high-profile cybercrimes in pursuit of status, profit, or thrills. But something is different in this story: the young man in question wasn't technical.

The rise of AI-assisted attacks

In 2025, LLM-backed chat and agent systems crossed a threshold, going from useful but error-prone coding assistants to end-to-end coding powerhouses. Over the course of the year, several measures of cybercrime frequency and severity roughly doubled. Instances of malicious packages discovered on public repositories increased by 75%, cloud intrusions increased by 35%, and AI-generated phishing began outperforming human red teams entirely. A more qualitative difference, however, has been in the profiles of those conducting attacks.

In February 2025, three teenagers (ages 14, 15, and 16) with no coding background used ChatGPT to build a tool that hit Rakuten Mobile's system ~220,000 times, spending their proceeds on gaming consoles and online gambling. In July 2025, a single actor using Claude Code, a more sophisticated agentic coding platform, carried out an extortion campaign targeting 17 organizations over the course of one month, using agentic AI to develop malicious code, organize stolen data, analyze financial data to calibrate demands, and draft extortion emails. In December 2025, another individual used Claude Code and ChatGPT to breach the Mexican government, targeting more than 10 agencies and stealing over 195 million taxpayer records.

While these attacks were possible before 2025, we are now seeing single-actor attacks that would have been characteristic of organized teams, and smaller-scale attacks by nontechnical individuals that would have been more characteristic of attacks carried out by a talented hacker or engineer in the pre-AI era. In 2025, the barrier to entry for conducting a technically sophisticated attack has been significantly lowered.

Bad numbers go up

Throughout 2025, measures of bot activity, malware, targeted compromise, and phishing exhibited dramatic increases. At the same time, measures of LLM capability on technical benchmarks leaped forward.

In 2022, there were 55,000 malicious packages in public repositories, according to Sonatype. By 2025, that number had grown to 454,600. Notable leaps occurred in 2023 (the year GPT-4 was released) and 2025 (a marquee year for agentic coding).

Another practical measure of real-world attacker capability, time to exploit, is almost unrecognizable from the pre-AI era. Time to exploit measures the time from when a vulnerability is publicized until an exploit for that vulnerability has been discovered in the wild.

This number has come down from over 700 days in 2020 to only 44 days in 2025. This means attackers are developing exploits for known vulnerabilities in less than 2 months, rather than in almost 2 years. In fact, Mandiant's M-Trends 2026 report found that time-to-exploit has effectively gone negative: exploits are now routinely arriving before patches, with 28.3% of CVEs exploited within 24 hours of disclosure.

Throughout 2024, 2025, and early 2026, the performance of frontier models such as ChatGPT, Claude, and Gemini on benchmarks such as SWE-bench, a test of software development capability, went through the roof. In August 2024, top models could solve 33% of real GitHub issues on the bench. By December 2025, that number had climbed to just under 81%.

In late 2024 and especially 2025, AI-assisted coding hit an inflection point. Supercharging coding, however, has also supercharged offensive capabilities, and the environment in 2026 reflects these changes, with attacks occurring more frequently, with greater severity, and with greater impact.

Can't patch the pain away

AI is speeding up both defenders and attackers. Unfortunately, based on data from 2025 and 2026, the arms race is favoring attackers. The average time to remediate a known high- or critical-severity CVE is now 74 days, according to the Edgescan 2025 Vulnerability Statistics Report. In addition, 45% of vulnerabilities in systems maintained by large companies (1000+ employees) never get remediated.

Organizations have also been feeling pressure from the increased malware found in public package repositories. In September 2025, the Shai-Hulud attack targeting the npm ecosystem compromised over 500 packages. Over 487 organizations had secrets compromised, and $8.5m was stolen from Trust Wallet after attackers used exposed credentials to poison its Chrome extension. Many organizations instituted code freezes following the attack.

The detection problem compounds this. In 2025, malicious npm packages posing as popular libraries like chalk and debug included documentation, unit tests, and code structured to look like legitimate telemetry modules. Static analysis and signature scanners missed them entirely, because the code, likely AI-generated, looked like real software. As Chainguard CEO Dan Lorenc has observed, "The complexity and scale of vulnerability management has outgrown the capabilities of most organizations to manage on their own."

Deleting classes of attack

The lesson of 2025 is that you can't outrun these attacks. The exploit window is shrinking faster than patch cycles can compress, and AI-generated malware is slipping past the detection tools that organizations have relied on for decades. The Venn diagram of "willing to do attacks" and "has technical ability to do attacks" was a sliver, but it's growing every month. At the same time, we're building more software, faster. And if the supply chain attacks are coming fast in 2026, what will 2027 look like with model capabilities dialed up to 10?

Thinking in terms of speed and outrunning attacks will only get teams so far in the current environment. Rather, the smart move is to hit delete on entire classes of vulnerability, freeing up teams to deal with the remaining areas. That is the approach behind Chainguard Libraries, which rebuilds every open source library from verified, attributable source code. The idea behind Libraries is to render entire classes of attacks structurally impossible, protecting users from CI/CD takeover, dependency confusion, long-lived token theft, or package distribution attacks. When tested against 8,783 malicious npm packages, Chainguard Libraries blocked 99.7%. Against roughly 3,000 malicious Python packages, it blocked roughly 98%.
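Two of the risks named above, packages that pose as popular libraries and dependency confusion, can be checked mechanically on the consuming side before anything is installed. The script below is an added example written for this article; it is not Chainguard's code and does not describe how Chainguard Libraries works. It audits an npm lockfile (the lockfileVersion 3 "packages" layout) for three signals: a package resolved from a registry host outside an allowlist, a missing or non-sha512 integrity pin, and a bare package name one edit away from a well-known library. The allowlisted host, the reference set of popular names, and the lockfile contents are all assumptions constructed for the example.

```python
"""Audit an npm package-lock.json for supply-chain warning signs.

Added example for this article (not Chainguard's code). The registry
allowlist, the well-known package set and the lockfile are constructed.
"""
import json
from urllib.parse import urlparse

# Assumption: the only registry this project is expected to fetch from.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Assumption: a small reference set of popular libraries; a real deployment
# would use a much larger list (e.g. the top downloaded packages).
WELL_KNOWN = {"chalk", "debug", "lodash", "express", "axios"}

# Constructed sample lockfile. It contains one clean entry (chalk), one
# lookalike name (chalks), one private-scope package resolved from a host
# that is not on the allowlist, and one entry with no integrity pin.
CONSTRUCTED_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {
            "version": "5.3.0",
            "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/chalks": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/chalks/-/chalks-1.0.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/@acme/internal-utils": {
            "version": "9.9.9",
            "resolved": "https://mirror.example.net/@acme/internal-utils/-/internal-utils-9.9.9.tgz",
            "integrity": "sha512-CCCC",
        },
        "node_modules/debug": {
            "version": "4.3.4",
            "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
        },
    },
})


def edit_distance(a, b):
    """Levenshtein distance; used to spot names one typo away from a known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text):
    """Return a list of (package, finding_code, detail) tuples."""
    lock = json.loads(text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself
            continue
        name = package_name(path)

        # 1. Dependency confusion / unexpected source: registry host not allowlisted.
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in ALLOWED_REGISTRY_HOSTS:
            findings.append((name, "unexpected-registry", host or "<none>"))

        # 2. Integrity pin missing or weaker than sha512.
        integrity = entry.get("integrity", "")
        if not integrity.startswith("sha512-"):
            findings.append((name, "weak-or-missing-integrity", integrity or "<none>"))

        # 3. Lookalike name: within one edit of a well-known library (scope stripped).
        bare = name.split("/")[-1]
        if bare not in WELL_KNOWN:
            for known in sorted(WELL_KNOWN):
                if edit_distance(bare, known) == 1:
                    findings.append((name, "lookalike-name", f"resembles {known}"))
    return findings


if __name__ == "__main__":
    for pkg, code, detail in audit_lockfile(CONSTRUCTED_LOCKFILE):
        print(f"{code:28} {pkg:24} {detail}")
```

Run against a real project, the script would read `package-lock.json` from disk instead of the embedded sample; the three checks are cheap enough to run on every pull request, and each finding is a human-reviewable fact about the lockfile rather than a verdict on the package contents, which is precisely where the static scanners described above fell short.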

454,600 malicious packages last year. 394,877 in a single quarter. An amateur in Algeria built ransomware that hit 85 targets in his first month. A 17-year-old exfiltrated 7 million records to buy Pokémon cards. The tools that enabled these attacks are getting cheaper, faster, and more accessible. Instead of scrambling when the next Axios or Shai-Hulud hits next week or next month, you could simply read about it over your cup of coffee while your team populates production systems, artifact managers, and developer workstations from Chainguard Libraries.

Note: This article was expertly written and contributed by Patrick Smyth, Principal Developer Relations Engineer, Chainguard.
