Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The dominant narrative around AI in security is one of emboldened defenders suppressing attackers. Yet, not everyone is convinced the future will be so rosy. In a recent Defender Fridays episode, Josh Neil, Co-founder and CTO of Alpha Level, made an argument that cuts against the celebratory mood: as AI makes known attack vectors harder to use, adversaries don't disappear. They adapt. For MSSPs and SOC teams, an adversary that looks like a user is a harder problem than one that looks like malware.

Ransomware is pivoting toward faster, more targeted data-extortion models, where encryption is no longer the primary objective. According to WatchGuard’s 2026 cybersecurity predictions, crypto-ransomware will lose ground to models driven by data exfiltration and reputational leverage, lowering the technical bar for threat actors while increasing their attack velocity. This shift has a direct consequence.

In the IT world, there is something quietly sinister about a bank holiday. It’s not the holiday itself – who doesn’t love a bank holiday – a long weekend, a reason to grill something in unpredictable weather, the particular pleasure of feeling like you’ve slipped a Monday… The sinister part is structural.

Ransomware has moved beyond simple malware attacks. It is now operating under a structured business model that disrupts operations, not just systems. Attackers are not depending on phishing or malicious files to deploy ransomware. They instead use compromised identities and existing tools present within environments to move undetected. By the time encryption starts, the attack has already progressed across systems.

On May 22 and May 23, 2026, an attacker republished hundreds of malicious versions under historical release tags for four community-maintained Laravel localization libraries that are published on Packagist under the laravel-lang namespace.

On 2026-05-22, an attacker rewrote every repository tag across four Composer packages in the Laravel-Lang ecosystem to point at malicious commits. The affected packages are laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions. The rewrite took place on 2026-05-22 into the early hours of 2026-05-23. Every malicious commit makes the same two-file change: one entry added to composer.json, and one new file at src/helpersphp.

On May 22, 2026, we detected an active supply chain attack against Laravel-Lang. We filed a report with the maintainers immediately. The attacker published malicious version tags across three widely used repositories, injecting credential-stealing code that loads automatically via composer’s autoloader feature. What makes this particularly sneaky is that the malicious code was never committed to the official repos at all.

For decades, finding a zero-day flaw followed a predictable script: a highly skilled human researcher spent weeks staring at source code, digging for edge cases, and manually stitching together an exploit. In April 2026, Anthropic flipped that script by announcing Claude Mythos. This frontier model didn’t just mark an incremental upgrade; it introduced autonomous, machine-speed vulnerability hunting.