The year of AI-assisted attacks

May 4, 2026

On December 4, 2025, a 17-year-old boy was arrested in Osaka under Japan’s Unauthorized Access Prevention Act. The young man was running malicious code that extracted the personal data of more than 7 million users of Kaikatsu Club, Japan’s largest internet cafe chain. When asked, the young man explained his motivation for the hack: “Because I wanted to buy Pokemon cards.”

In some ways, this is a pretty commonplace story. Since the 1990s, we’ve been reading about computing geniuses like Kevin Mitnick. They became involved in high-profile cybercrimes where their technical abilities exceeded their judgment and they sought status, profit, or excitement. But something is different in this story. The young man in question was not an engineer.

The rise of AI-assisted attacks

In 2025, LLM-powered chat and agent systems crossed a threshold, transforming from useful but error-prone coding assistants into powerful tools for end-to-end coding. Over the year, several measures of the frequency and severity of cybercrime nearly doubled. Instances of malicious packages discovered in public repositories increased by 75%, cloud intrusions increased by 35%, and AI-generated phishing began to completely outperform human red teams. However, a more qualitative difference lies in the profile of those carrying out the attacks.

In February 2025, three teenagers (ages 14, 15, and 16) with no coding experience used ChatGPT to build a tool that generated approximately 220,000 accesses to Rakuten Mobile’s systems and spent the proceeds on gaming consoles and online gambling. In July 2025, a single attacker using Claude Code, a more sophisticated agentic coding platform, conducted a month-long extortion campaign targeting 17 organizations. The campaign used agentic AI to develop malicious code, organize stolen files, analyze financial records to tailor requests, and draft extortion emails. In December 2025, another individual used Claude Code and ChatGPT to infiltrate the Mexican government, targeting more than a dozen government agencies and stealing over 195 million tax records.

These attacks were possible before 2025, but we are now seeing single attackers carry out campaigns that used to be typical of organized teams, and non-technical people carry out small-scale attacks that, in the pre-AI era, were typical of talented hackers and engineers. In 2025, the barrier to entry for conducting technically advanced attacks became significantly lower.

Bad numbers go up

Throughout 2025, measurements of bot activity, malware, targeted compromises, and phishing showed dramatic increases. At the same time, measured LLM capabilities on technical benchmarks also advanced significantly.

According to Sonatype, there were 55,000 malicious packages in public repositories in 2022. By 2025, that number had increased to 454,600. We saw notable jumps in 2023 (the year GPT-4 was released) and 2025 (the key year for agentic coding).

Time-to-exploit, another practical measure of the capabilities of real-world attackers, was nearly imperceptible in the pre-AI era. It measures the time between the publication of a vulnerability and the discovery of an actual exploit for that vulnerability.

This number decreased from more than 700 days in 2020 to just 44 days in 2025. This means that attackers are developing exploits for known vulnerabilities in less than two months instead of almost two years. In fact, Mandiant’s M-Trends 2026 report found that time-to-exploit has become virtually negative. Exploits now regularly arrive before patches, with 28.3% of CVEs being exploited within 24 hours of publication.

From 2024 to 2025 and early 2026, the performance of frontier models such as ChatGPT, Claude, and Gemini on benchmarks such as SWE-bench, a test of software development prowess, improved dramatically. In August 2024, top models could solve 33% of the real-world GitHub issues in the benchmark. By December 2025, that number had risen to just under 81%.

In late 2024 and especially in 2025, AI-assisted coding reached an inflection point. However, improved coding also enhances attack capabilities, and the environment of 2026 will reflect these changes, with attacks occurring more frequently, more severely, and with greater impact.

Can’t take away the pain

AI is making both defenders and attackers faster. Unfortunately, based on data from 2025 and 2026, the arms race is favoring the attackers. According to the Edgescan 2025 Vulnerability Statistics Report, the average time to remediate a CVE of known severity or severity is now 74 days. Additionally, 45% of vulnerabilities in systems managed by large enterprises (1000+ employees) are never remediated.

Organizations are also feeling pressure from an increase in malware found in public package repositories. In September 2025, a Shai-Hulud attack targeting the npm ecosystem compromised over 500 packages. Over 487 organizations’ secrets were compromised and $8.5 million was stolen from Trust Wallet after attackers compromised Trust Wallet’s Chrome extension with exposed credentials. Many organizations have had their code frozen after being attacked.

Detection issues make this even worse. In 2025, malicious npm packages disguised as popular libraries like chalk and debug contained documentation, unit tests, and code structured to look like legitimate telemetry modules. Static analysis and signature scanners missed them completely, perhaps because the AI-generated code looked like real software. As Chainguard CEO Dan Lorenc states, “The complexity and scale of vulnerability management is beyond the ability of most organizations to manage it on their own.”

Delete attack category

The lesson for 2025 is that we cannot survive these attacks. Exploit windows are shrinking faster than patch cycles can compress them, and AI-generated malware is evading detection tools that organizations have relied on for decades. The overlap in the Venn diagram of “willing to conduct an attack” and “have the technical ability to conduct an attack” used to be small, but it is growing every month. At the same time, we’re building more software, faster. And if supply chain attacks are coming fast in 2026, what will happen in 2027 when the model is cranked up to 10?

The current environment can only get teams so far when it comes to speed and outmatching offense. A wiser move is to remove entire categories of vulnerabilities and allow the team to focus on the remaining areas. This is the approach behind Chainguard Libraries, which rebuilds all open source libraries from verified, attributable source code. The idea behind Chainguard Libraries is to make entire categories of attacks structurally impossible, protecting users from CI/CD hijacking, dependency confusion, long-term token theft, or package distribution attacks. When tested against 8,783 malicious npm packages, Chainguard Libraries blocked 99.7%. We blocked approximately 98% of approximately 3,000 malicious Python packages.

Last year there were 454,600 malicious packages. 394,877 in a single quarter. An Algerian amateur created ransomware that hit 85 targets in the first month. A 17-year-old boy stole 7 million records to buy Pokemon cards. The tools that made these attacks possible are cheaper, faster, and more accessible. Instead of panicking when the next Axios or Shai-Hulud is released next week or next month, you can simply read about it over a cup of coffee while your organization is ingesting data from Chainguard Libraries into your production systems, artifact managers, and developer workstations.

Note: This article was professionally written and contributed by Patrick Smyth, Principal Developer Relations Engineer at Chainguard.
