Axios Future of Cybersecurity

April 07, 2026
Happy Tuesday! Welcome back to Future of Cybersecurity.
Today's newsletter is 1,269 words, a 5-minute read.
1 big thing: Hackers target AI IP
Hackers are increasingly targeting the systems that power AI tools, rather than simply exploiting the tech to enhance their own attacks.
Why it matters: The AI tools that can supercharge hacks also contain highly valuable intellectual property that is itself a juicy target for attackers.
Driving the news: Recent incidents highlight how exposed different parts of the AI ecosystem are to breaches.
- Anthropic last week accidentally leaked parts of the source code for its Claude Code tool, exposing internal components of a system used to generate and execute code.
- Meta last week paused work with AI data contractor Mercor, which helps major AI labs generate custom datasets used to train models, after a breach at the startup raised concerns about whether proprietary training data was exposed.
The big picture: AI firms are racing to ship powerful tools while managing complex internal codebases, supply chains and developer environments.
- That combination is drawing increased attention from both cybercriminals and nation-state actors seeking valuable intellectual property or new entry points.
Yes, but: Many of these risks are not new. Similar supply chain and developer tool vulnerabilities have existed for years.
- The risks are amplified in the global competition for AI dominance.
Threat level: The leaked Claude Code source code gives hackers a way to look for bugs that could help them exploit the software, and the enterprise customers who depend on it.
- Zscaler even found evidence of hackers shipping malware through their own GitHub repositories claiming to have copied versions of Claude Code.
Zoom in: Researchers at Symbiotic Security said they found multiple vulnerabilities in Claude Code, including flaws that could allow remote code execution.
- The issues stem in part from how the tool handles project-level configuration, which could allow a malicious repository to execute commands on a developer's machine when opened.
Reality check: Symbiotic Security CEO Jérôme Robert told Axios that the issues are not unique to Anthropic and that his team found similar patterns in other AI coding tools, including Google's Gemini.
- Many companies are prioritizing developer speed over stricter controls, Robert said.
- "Their main goal is to make developers extraordinarily productive," he said. "If you have to approve everything that your agent does, you're not going to like it."
- Researchers at Straiker last week disclosed a vulnerability chain in Cursor's AI code editor that could allow attackers to hijack a developer's machine.
What to watch: Forthcoming compliance regimes, such as the EU Artificial Intelligence Act, could require AI companies to beef up their internal security stacks.
The bottom line: The race to build AI may be outpacing efforts to secure the systems behind it.
2. Trump tries to slash CISA budget...again
The White House is asking Congress to cut the budget of the nation's top cyber agency by roughly a quarter, according to a budget proposal released Friday.
Why it matters: The proposal would further narrow the federal government's role in defensive cybersecurity missions, including parts of the Cybersecurity and Infrastructure Security Agency tied to school safety, misinformation and external engagement.
Driving the news: The White House is proposing a $707 million cut to CISA for fiscal 2027, saying the budget would "refocus CISA on its core mission."
- The proposal says it would remove offices the Trump administration views as "duplicative of existing and effective programs at the State and Federal level," including some targeted school safety programs.
- It also would eliminate programs focused on "so-called misinformation and propaganda," as well as external engagement offices such as council management, stakeholder engagement and international affairs.
Between the lines: President Trump has continued to target CISA since agency leaders rejected his false claims that the 2020 election was rigged.
Reality check: Congress would need to approve the cuts, and Republican lawmakers have pushed back on some of the administration's earlier proposed reductions.
The big picture: The administration is seeking a 10% cut in non-defense discretionary spending compared with 2026 levels.
Yes, but: CISA already faced a hefty budget cut last year and lost hundreds of employees to buyouts, layoffs and early retirements.
- Many of those cuts focused on international offices and stakeholder engagement.
3. AI deepfake likely behind Axios software hack
Suspected North Korean hackers used a phishing campaign involving AI deepfakes to infect a widely used open-source software package with malware, according to the project's maintainer.
Why it matters: The incident underscores how nation-state hackers are already using AI tools at scale to carry out highly convincing social engineering attacks.
Driving the news: Last week, a maintainer of the Axios npm package said his account was compromised, allowing attackers to publish two malicious updates.
- Google researchers assessed the activity as likely linked to UNC1069, a North Korean hacker group known for targeting cryptocurrency and decentralized finance firms using AI-driven impersonation techniques.
- Axios, a popular JavaScript library for making HTTP requests, is not affiliated with Axios Media.
Zoom in: Lead maintainer Jason Saayman said Thursday he was duped into believing he was working with a legitimate company to update the project.
- About two weeks before the attack, Saayman said, the hackers reached out to him using the likeness of the company's founder and branding for the company.
- They invited him into a Slack workspace that appeared authentic, including specific company channels, such as those for sharing social media posts about the company, and fake profiles impersonating employees and other open-source maintainers.
- The attackers then set up a Microsoft Teams call with what appeared to be multiple participants. During the meeting, Saayman was told his system was out of date and was prompted to install an update, which turned out to be malware.
The big picture: The suspected North Korean hackers are known to use live deepfake videos in calls and to stage technical issues in Microsoft Teams to manipulate victims.
- In similar cases, victims have been tricked into believing they were speaking with executives from partner companies, when in reality attackers were using AI to mimic real identities.
- Other victims have also been tricked into downloading a software update to fix audio and other technical issues on these calls.
What to watch: Axios is downloaded millions of times per week, and it remains unclear how widely the malicious updates were installed or whether they enabled further access into downstream organizations.
4. Catch up quick
@ D.C.
The FBI has declared a suspected China-linked hack of a U.S. surveillance system a "major incident." (Politico)
Researchers warned that the new White House mobile app is riddled with security concerns, including features that regularly share users' IP addresses and other data. (NOTUS)
@ Industry
Stryker is now back to normal operations three weeks after a cyberattack linked to Iranian hackers. (CyberScoop)
Embattled AI compliance startup Delve says it's "parted ways" with Y Combinator following a wave of social media posts claiming the startup misled customers into believing they were compliant with privacy and security regulations. (TechCrunch)
Apple pushed a rare update to iOS 18 users, rather than forcing them to update to iOS 26, as the DarkSword spyware spreads. (Wired)
@ Hackers and hacks
Fortinet released an emergency patch for a zero-day flaw in its endpoint management product, which hackers are already exploiting. (BleepingComputer)
Suspected North Korean hackers stole $280 million from decentralized platform Drift. (Fortune)
How a college student helped long-time security professionals find who was operating Kimwolf, the largest botnet in history. (Wall Street Journal)
5. 1 fun thing
Hilary Duff, our millennial queen, is not here for the rise of the robots.
See y'all next week!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.




