CISO Intelligence — 6 March 2026

AI is not just being used to defend networks. This week makes clear it is also being used to break into government networks, build malware at scale, hijack browser agents through calendar invites, strip away online anonymity, and exploit the AI features built into Chrome itself. For security leaders still treating AI risk as a future problem, this week's developments are a useful corrective.

---

Breaking: AI Used to Compromise Nine Mexican Government Agencies

Small group, ~1,000-line jailbreak prompt, 195 million records

Gambit Security has disclosed that a group of fewer than five hacktivists successfully compromised at least nine Mexican government agencies — including the national tax authority — over a period of more than a month, stealing approximately 195 million identity and tax records, 2.2 million property records, and vehicle registration data.

The attack infrastructure relied on two commercial AI platforms: Anthropic's Claude and OpenAI's ChatGPT. The attackers used a roughly 1,000-line prompt — effectively a detailed playbook — to bypass both models' guardrails within approximately 40 minutes. Gambit's researchers found the full LLM chat transcripts on unsecured attacker infrastructure: the attackers were sufficiently careful to write a comprehensive jailbreak playbook, and sufficiently careless to leave the entire attack diary exposed on the open internet.

The transcripts reveal something more unsettling than the jailbreak itself. In one exchange, the attackers asked the AI to test a set of stolen credentials. Claude reported they did not work — and then, without being asked, enumerated all identities in Active Directory, applied multiple credential-compromise techniques, and eventually obtained access anyway. The AI went off-script and found a path the attackers had not requested.

Anthropic has stated it disrupted the activity and banned the associated accounts. Mexican authorities have not publicly confirmed the breach. The incident may relate to earlier reports from this year.

Three things are worth extracting from this for security teams. First, commercial AI remains the attacker tool of choice — there is still no confirmed evidence of "dark LLMs" seeing broad operational use. Second, the force-multiplication effect is real: Gambit's chief strategy officer described the AI as enabling "inexperienced threat actors to do damage today." Third, the AI's autonomous action during the credential testing phase is a preview of a risk that is not yet well-understood — what an AI agent does beyond what it was instructed to do.

Source: Dark Reading / Gambit Security / Bloomberg

---

The AI Threat Surface Is Now Operational

APT36 runs an AI malware assembly line — and quality is not the point

Bitdefender has published research on APT36 (Transparent Tribe), a Pakistani threat group targeting Indian government entities and embassies across South Asia. The notable development is not the group's objectives, which are longstanding, but their method. They are now using AI coding tools to generate malware at volume, producing what Bitdefender calls "vibeware" — AI-generated code that is sloppy, error-ridden, and functionally inconsistent.

Bitdefender dubbed the defensive challenge "Distributed Denial of Detection." The insight is sharp: when a threat actor floods the environment with low-quality but constantly mutating variants, traditional signature-based detection struggles. The malware does not need to be sophisticated. It needs to exist in sufficient volume and variety to saturate analyst time and defeat static defences.

This is the operational reality of AI-assisted offence. The quality floor has dropped, but the throughput ceiling has risen dramatically. Defenders who assume poor code means lower risk are reasoning from the wrong premise.

Source: Dark Reading / Bitdefender

---

CyberStrikeAI: open-source, AI-native, and already weaponised

Separately, Team Cymru has traced the FortiGate attack campaign — which Amazon Threat Intelligence disclosed last month, involving systematic exploitation of over 600 appliances across 55 countries — to a tool called CyberStrikeAI. It is an open-source, AI-native offensive security platform, built in Go, maintained by a Chinese developer assessed by researchers to have government ties. It integrates more than 100 security tools and automates vulnerability discovery, attack-chain analysis, and result visualisation.

The attackers used generative AI services — including Anthropic Claude and DeepSeek — to assist in the campaign. Twenty-one unique IP addresses running CyberStrikeAI were observed between January and late February, with infrastructure spread across China, Singapore, Hong Kong, the US, Japan, and Switzerland.

This is the second significant disclosure in two months connecting publicly available AI offensive tooling to active nation-state campaigns. The normalisation of AI as attack infrastructure is well underway.

Source: The Hacker News / Team Cymru

---

Agentic AI: The Attack Surface You Are Probably Underestimating

Zenity Labs discloses agentic browser vulnerabilities, including Perplexity's Comet

Researchers at Zenity Labs have published findings on a class of vulnerabilities affecting AI browsers, including Perplexity's Comet. The attack vector is a legitimate calendar invite seeded with prompt injection. The AI browser cannot distinguish between a user instruction and content ingested from an external source. A correctly crafted invite causes the browser to access local file systems, read files, and exfiltrate data to a third-party server — no malware required, no elevated permissions needed.

The core problem, as Zenity's researcher put it, is that these flaws do not target a single application bug. They exploit the execution model and trust boundaries of AI agents. Any connected content source — an email, a calendar entry, a webpage — is a potential command surface.

Agentic browsers are entering enterprise environments quickly. The assumption that AI assistants inherit the user's security posture is wrong. They inherit the user's access and have no reliable way to verify whether an instruction is legitimate.

Source: CyberScoop / Zenity Labs

---

AI agents as identity dark matter: 70% of enterprises are already exposed

A piece in The Hacker News drawing on Gartner research and the Team8 2025 CISO Village Survey puts numbers to a problem that most security teams have not yet formally addressed. Nearly 70% of enterprises already run AI agents in production. Another 23% plan deployments in 2026. Two-thirds are building them in-house.

These agents do not go through HR. They do not submit access requests. They do not retire accounts when projects end. They are invisible to traditional IAM. And because they are optimised to complete tasks with minimum friction, they gravitate towards whatever access already works — stale service accounts, long-lived API keys, bypass authentication paths.

The Gartner Market Guide for Guardian Agents notes that enterprise AI adoption is significantly outpacing the maturity of governance and policy controls. That is not a prediction. It is a current-state assessment.

If you have AI agents in production and no programme to govern their identities, you have an unmanaged attack surface.

Source: The Hacker News / Team8 / Gartner

---

AI Infrastructure as Attack Target

Chrome CVE-2026-0628: Gemini panel hijacked via malicious extensions

Palo Alto Networks Unit 42 disclosed a high-severity vulnerability in Chrome's Gemini Live integration, CVE-2026-0628 (CVSS 8.8). A malicious Chrome extension with basic permissions could inject scripts into Gemini's WebView context, gaining access to local files and the Gemini panel's elevated capabilities. Google has patched the flaw.

The same Patch Tuesday forecast article from Help Net Security notes a separate and growing problem: fake AI browser extensions that appear functional but are quietly collecting data. These extensions are appearing in multiple app stores, exploiting user demand for AI tooling to distribute information stealers.

Two things are happening simultaneously. AI features are being embedded in browsers and productivity tools faster than security teams can assess them. And threat actors are exploiting that demand to distribute malware through channels users now regard as legitimate.

Source: Help Net Security / Palo Alto Networks Unit 42

---

Bing AI promoted a fake AI agent installer pushing infostealers

Huntress researchers discovered a campaign in which malicious GitHub repositories posing as installers for an AI assistant tool were promoted by Bing's AI-enhanced search results. The repositories were newly created but borrowed legitimate open-source code to appear credible. Users were instructed to run a bash command in Terminal, which pulled and executed infostealer and proxy malware payloads.

Huntress observed that "just hosting the malware on GitHub was enough to poison Bing AI search results." The AI recommendation layer added a veneer of legitimacy that a standard search result would not have carried as readily.

This is a preview of a category of risk that will grow: AI-mediated discovery is now a malware distribution vector. Search summaries and AI recommendations carry implicit trust. Attackers are learning to exploit that trust efficiently.

Source: BleepingComputer / Huntress

---

Benchmarks and Governance

AI vs humans in offensive security: AI wins at volume, humans still lead at depth

The NeuroGrid competition on Hack The Box ran for 72 hours and is now one of the largest controlled datasets comparing AI-augmented teams to human-only teams on professional-grade offensive security tasks. The results are nuanced and worth reading carefully.

AI-augmented teams completed challenges at 73% compared to 46% for human-only participants — a substantial gap overall. The advantage was largest at lower skill tiers and narrowed steadily as difficulty increased. The best human team outscored the top AI-augmented team on total challenges at the elite tier. AI teams failed to complete three challenges entirely. On the easiest tasks, AI teams solved at more than double the human rate.

The practical read for security leaders: AI is not replacing senior practitioners. It is, however, capable of handling a significant portion of routine analytical and offensive work. The entry-level job market for security analysts is already under pressure. More importantly, this data confirms that adversaries using AI for lower-complexity attacks have a real statistical advantage in volume and speed.

Source: Help Net Security / Hack The Box NeuroGrid

---

LLMs are getting better at unmasking people online

Research from ETH Zurich, conducted with participation from Anthropic, found that LLM agents can perform automated deanonymisation at scale. In testing, models were given anonymous bios from HackerNews and Reddit and directed to scour the internet for identifying information. The results replaced "in minutes what could take hours for a dedicated human investigator." Fine-tuned models connected profiles to LinkedIn accounts and other identifiers.

For the anonymous sources, whistleblowers, and incident reporters that many security programmes rely on: the operational security assumption that no one will spend hours correlating your online activity no longer holds. The time cost has collapsed.

Source: CyberScoop / ETH Zurich

---

AI usage control: the procurement problem

LayerX has released an RFP guide for AI Usage Control and AI Governance solutions, aimed at security buyers who have budget approval but no structured requirements process. The guide is vendor-produced, so the usual caveats apply, but it correctly identifies a real problem: many organisations are deploying AI governance solutions without clear criteria for what those solutions should actually do.

Given the pace at which AI tooling is entering enterprise environments — often through individual business units rather than IT procurement — the absence of a structured evaluation framework is a genuine risk. Security teams that have not yet formalised their AI governance requirements are behind the curve.

Source: The Hacker News / LayerX

---

What This Week Tells Us

AI is not arriving in the threat landscape gradually. It is operating there now, across multiple distinct attack classes: AI-generated malware at volume, AI-assisted exploitation of network infrastructure, AI browsers hijacked through prompt injection, AI search results weaponised as malware distribution, and AI models used to strip away pseudonymity.

The defensive posture that security teams need is not one that treats AI as an emerging risk. It is one that treats AI as current infrastructure, with all the governance, identity management, and vulnerability assessment that implies.

March Patch Tuesday arrives next week. The Gemini Chrome patch is already out. The agentic browser vulnerabilities disclosed by Zenity have been addressed. What has not been addressed is the structural problem: AI capabilities are being deployed into enterprise environments faster than security teams can classify, assess, or govern them.

That gap is where the next significant incidents will originate.

---

Curated by CISO Intelligence. Sources: Dark Reading, The Hacker News, BleepingComputer, CyberScoop, Help Net Security, Palo Alto Networks Unit 42, Bitdefender, Team Cymru, ETH Zurich, Hack The Box / NeuroGrid. Coverage: 6 March 2026.