Reports
Check Point Research AI Security Report 2026: AI Moves From Cybersecurity Assistant to Active Operator

The Check Point Research AI Security Report 2026, published by Check Point Software Technologies (CHKP ), describes a cybersecurity landscape in which artificial intelligence is no longer merely helping attackers research targets, write phishing emails, or generate fragments of malicious code. AI is increasingly operating inside live attack chains, executing commands, analyzing stolen information, developing production-grade malware, and coordinating attacks across multiple systems. At the same time, enterprise adoption is exposing sensitive data, expanding software supply-chain risks, and weakening many of the signals traditionally used to verify identity.
AI Is Entering the Live Attack Chain
The report’s most important finding is not that AI has invented entirely new forms of cybercrime. Instead, it has dramatically reduced the time, expertise, and cost required to conduct established attacks.
AI now plays a role in social engineering, malware development, vulnerability research, reconnaissance, credential harvesting, lateral movement, and data analysis. The highest-risk operators are not necessarily those using the most advanced models, but those who have learned how to connect several AI tools and automate multiple stages of an intrusion.
One reported Chinese-linked espionage campaign used Claude Code to perform an estimated 80% to 90% of the tactical work across roughly 30 targeted organizations. The AI reportedly handled reconnaissance, exploitation, credential harvesting, lateral movement, and data triage, leaving the human operator to provide broader strategic direction.
An even clearer example involved the compromise of nine Mexican government agencies between late December 2025 and mid-February 2026. The operation exposed approximately 400 million records covering tax, civil registry, vehicle, patient, and electoral data. Researchers reconstructed the attack from the operator’s own infrastructure and found that 1,088 human-written instructions generated 5,317 AI-executed commands across 34 sessions.
The attacker used Claude Code to explore and compromise systems, while GPT-4.1 analyzed stolen data and generated instructions for later sessions. When Claude initially refused to assist, the operator inserted penetration-testing instructions into a trusted CLAUDE.md configuration file. Every subsequent session automatically inherited the altered behavior, removing the need to repeat the jailbreak.
This points to a broader problem. Many AI agents automatically trust project files and system configurations. A poisoned file can influence future sessions, turning what was once a temporary prompt-manipulation technique into a persistent compromise.
Mainstream AI Tools Remain the Preferred Option
Attackers generally access AI through commercial services, self-hosted open-source models, or purpose-built criminal platforms. Despite growing discussion around unrestricted local models, mainstream commercial tools remain the most practical choice.
Attackers use legitimate or stolen accounts for services such as ChatGPT, Gemini, Claude, DeepSeek, Kimi, and Qwen. They often divide malicious requests into smaller tasks that appear harmless when viewed individually, gradually guiding the model toward a prohibited result.
AI credentials have therefore become valuable targets. The Bissa Scanner campaign reportedly stole login details for Anthropic, OpenAI, Google, and other providers from more than 30,000 exposed developer environment files. AI accounts were the most common type of credential collected.
Stolen accounts can be resold through a practice known as LLMjacking. Buyers gain access to another organization’s AI resources, avoid usage costs, potentially reach stored information, and make their activity appear to originate from a legitimate user. In one case, a stolen Google Gemini application programming interface key generated approximately $82,000 in charges in only two days.
Self-hosted models offer fewer restrictions and less provider monitoring, but attackers frequently report that they require expensive hardware, technical expertise, and extensive fine-tuning. Criminal services such as WormGPT have also lost credibility because of poor performance. WormGPT itself was reportedly breached, exposing payment details belonging to more than 19,000 customers.
The ransomware-as-a-service group known as The Gentlemen illustrates how ordinary criminal groups are approaching AI. The operation had more than 330 published victims by May 2026, yet its members admitted they did not know how to run their own models. Instead, they compared commercial AI platforms based on which had the weakest protections. The group’s administrator reportedly used AI to create a management tool in only three days.
AI-Built Malware Reaches Professional Quality
AI-assisted malware development has moved beyond rough prototypes. In many cases, the completed malware contains no AI at all. The model is used during development to write, test, debug, and refine the code, leaving little visible evidence of its involvement once the malware is deployed.
VoidLink is the report’s strongest example. The modular Linux command-and-control framework included stealth and persistence capabilities, along with more than 30 post-exploitation plugins. Its quality initially suggested that a team of developers had spent several months building it.
The developer’s own operational mistake revealed that VoidLink had been created by one person using the commercial TRAE SOLO AI coding environment. Through detailed specifications and repeated AI-assisted testing, the developer produced approximately 88,000 lines of functional code in under one week.
Other groups have adopted similar methods. Transparent Tribe, also known as APT36, reportedly used an AI-driven assembly line to produce disposable malware targeting Indian government systems. The Russian-linked GREYVIBE group used ChatGPT and Gemini to create custom malware for operations against Ukraine, while the North Korean-linked KONNI group used AI to generate a PowerShell backdoor.
Malware that communicates with an AI model while actively running remains less common. LAMEHUG used Qwen through the Hugging Face API to generate commands on demand, while PromptLock applied a similar concept to ransomware. These examples remain limited, but they demonstrate that dynamically generated malicious behavior is technically possible.
The Time Available to Patch Is Shrinking
AI is accelerating vulnerability discovery for both defenders and attackers. This is reducing the window between public disclosure, exploitation, and remediation.
The report describes Anthropic’s Project Glasswing, which used an unreleased model called Claude Mythos Preview to identify more than 10,000 high- and critical-severity zero-day vulnerabilities across major operating systems and browsers during its first month. The model reportedly produced a working exploit on its first attempt in approximately 83% of cases.
Anthropic withheld the model from public release because of concerns that it could be misused, but committed $100 million in usage credits for selected organizations. The case demonstrates how vulnerability discovery is becoming cheaper and increasingly automated.
Government guidance already reflects this faster environment. The US Cybersecurity and Infrastructure Security Agency has required federal civilian agencies to remediate certain high-risk vulnerabilities within three days. India’s CERT-In has advised organizations to address some critical internet-facing weaknesses within 12 hours.
The technical discovery of vulnerabilities may no longer be the main bottleneck. Human review, testing, approval, and deployment could become the slower and more vulnerable parts of the process.
AI Applications Are Becoming Targets
As organizations embed AI into browsers, email platforms, documents, coding environments, and business workflows, the technology gains access to sensitive data and the ability to act using existing user permissions.
Prompt injection remains one of the most important threats. Direct prompt injection occurs when an attacker communicates with a model and attempts to override its rules. Indirect prompt injection hides malicious instructions inside content the AI later processes, such as a webpage, email, calendar invitation, document, or metadata field.
One study cited in the report scanned 1.2 billion URLs and identified approximately 15,300 indirect prompt-injection payloads. About 70% were hidden in non-rendered HTML, including comments, headers, and metadata that human visitors would not normally see.
Check Point telemetry recorded a sharp increase in longer malicious payloads. Between March and May 2026, detections rose approximately fivefold and approached 1% of observed prompts in May. Longer payloads are especially relevant to agents that process full webpages, documents, and outputs from connected tools.
AI-powered browsers create additional risk because they operate inside authenticated sessions. In one controlled test, a malicious calendar invitation caused Perplexity’s Comet browser to reveal saved passwords. In another experiment, an AI browser completed an entire phishing flow in less than four minutes without human involvement.
The Agentic Supply Chain Is Expanding the Attack Surface
AI agents gain capabilities through Model Context Protocol servers, extensions, configuration files, model hubs, and downloadable skills. These components are often trusted automatically and installed with limited human review.
Check Point Research identified vulnerabilities in Claude Code project files that could execute attacker-controlled commands when a developer opened a poisoned repository. Similar issues have appeared in Gemini CLI, Cursor, Windsurf, and other coding environments, suggesting a broader architectural weakness rather than an isolated vendor problem.
The GlassWorm malware reportedly spread through Model Context Protocol packages across more than 150 repositories. Researchers also examined approximately 46,500 published software packages and found that 428 accidentally contained a local Claude Code settings file. About one in 13 of those files included live credentials such as NPM tokens, GitHub keys, or Hugging Face keys.
A separate review of 10,000 Model Context Protocol servers found security weaknesses in 40% of them. Of 221 OpenClaw agent skills examined, 70% requested more credentials than necessary and 43% contained command-injection patterns.
The ClawHavoc campaign placed 44 malicious skills in a marketplace, where they were downloaded more than 12,500 times. Elsewhere, Trojanized coding extensions reportedly harvested code from approximately 1.5 million developers, while a malicious Hugging Face model disguised as an OpenAI privacy filter received 244,000 downloads before detection.
Synthetic Identity Is Undermining Digital Trust
Generative AI has made voices, faces, documents, and online personas easier to fabricate and harder to verify. A familiar voice, live video call, or government identity document can no longer serve as independent proof that someone is genuine.
The ATHR platform reportedly uses autonomous voice agents to conduct account-recovery calls and steal one-time passcodes. One operator can manage several conversations simultaneously without employing human callers.
Real-time face swapping is also appearing in cryptocurrency theft, romance scams, investment fraud, and state-linked operations. European authorities dismantled one network that allegedly used deepfake videos of celebrities and news organizations to promote fake investments and launder more than €700 million.
Researchers also identified more than 23,000 domains directing victims into messaging groups where AI chatbots impersonated financial advisers. The OnlyFake service sold more than 10,000 AI-generated identity documents covering the United States and approximately 56 other countries, allowing customers to bypass verification at banks and cryptocurrency exchanges.
North Korean-linked remote-worker schemes have gone further by using fabricated resumes, altered identity documents, generated photographs, and tailored personas to gain legitimate employment inside Western companies. US authorities linked one network to close to $800 million in revenue for North Korea’s weapons programs.
Humans are not especially reliable at detecting these fakes. In one controlled study, trained super-recognizers correctly identified only 41% of AI-generated faces. Ordinary viewers detected approximately 30%.
Enterprise AI Use Is Creating Persistent Data Exposure
The average organization now uses 10 different AI applications each month. The average number of prompts per employee increased from 56 in December 2025 to 70 in May 2026, representing growth of 25%.
Between 87% and 93% of organizations experienced at least one high-risk generative AI interaction every month. The share of prompts containing sensitive corporate, personal, or regulated information doubled from 2% to 4%, shifting from approximately one risky prompt in every 50 interactions to one in every 25.
Europe recorded the highest regional rate at 3.95%, followed by Latin America at 3.76%, North America at 3.33%, and Asia-Pacific at 2.88%. Business Services had the highest industry rate at 5.91%, or approximately one risky interaction in every 17 prompts. By May, its monthly rate had climbed to 6.98%, close to one in every 14 prompts.
Many leaks result from ordinary use rather than malicious activity. In one demonstration, a legitimate connection between ChatGPT and Google Drive retrieved more than 400 sensitive internal files in under one second following a single question.
Third-party providers introduce additional exposure. A consumer app called Chat & Ask AI reportedly exposed approximately 300 million messages belonging to more than 25 million users. A customer-support chatbot used by Sears Home Services exposed 3.7 million records, including call recordings, transcripts, and personal information.
Future Implications
The Check Point Research AI Security Report 2026 presents a security environment in which AI strengthens attackers, creates new software supply-chain weaknesses, undermines remote identity verification, and increases the everyday risk of confidential data exposure. Its central warning is that organizations cannot manage AI security through policies and annual reviews alone. They need continuous visibility into AI applications, agents, infrastructure, permissions, third-party providers, and the data employees share. As AI begins operating at machine speed, security teams will need to detect, verify, and respond at a comparable pace.












