The Tuesday Briefing — Apr 14, 2026

The Big Picture

This week marked a turning point in cybersecurity: AI can now find and exploit security flaws faster than humans can fix them. A new AI model from Anthropic discovered thousands of hidden vulnerabilities—including bugs that went undetected for 27 years—in just weeks. Meanwhile, hackers are already using AI to break into systems in under 30 minutes. For small businesses, this means the old approach of updating software once a month is officially obsolete.

This Week's Top 5

1. AI Discovers Thousands of Security Flaws Humans Missed for Decades

What happened: Anthropic, an AI company, released a new AI model called Claude Mythos that can automatically find security vulnerabilities in software. It discovered thousands of previously unknown flaws in every major operating system and web browser—including a bug in OpenBSD that had existed undetected for 27 years and a 16-year-old flaw in FFmpeg that 5 million automated scans had missed.

Why it matters to your business: The AI found these flaws in weeks, but it takes humans months or years to fix them all—meaning hackers who build similar AI tools will have a massive head start. Security experts estimate criminals will have this same AI capability within 12-18 months, turning what used to be rare "zero-day" vulnerabilities into everyday threats.

What to do: Stop relying on monthly or quarterly security updates. Talk to your IT provider about implementing automated patch management that updates your systems within 24-48 hours of security fixes being released, especially for internet-facing systems like your website, email server, or remote access tools.

2. Hackers Now Break Into Systems in 29 Minutes (Down from 100 Minutes in 2021)

What happened: New research shows that once hackers get initial access to a network, they can now move laterally to other systems and steal data in an average of just 29 minutes—down from 100 minutes in 2021. Some attacks happen in as little as 27 seconds. AI automation allows hackers to identify vulnerable systems, find security holes, and execute attacks without writing any custom code.

Why it matters to your business: Traditional security approaches assume you have hours or days to detect and respond to an attack. With breakout times under 30 minutes, human-only monitoring can't keep pace. By the time you notice something wrong on Monday morning, attackers completed their theft over the weekend.

What to do: Implement automated security monitoring that works 24/7 and can alert you to suspicious activity in real-time. At minimum, enable multi-factor authentication (MFA) on all business accounts—even with fast attacks, MFA blocks 99.9% of automated account takeover attempts.

3. Critical Flaw in Popular AI Coding Tools Lets Attackers Steal Your Code and Credentials

What happened: Security researchers discovered multiple critical vulnerabilities in AI coding assistants like Claude Code, Cursor, and GitHub Copilot that millions of developers use daily. The worst issue: these tools can be tricked into sending your code, API keys, passwords, and project files to attacker-controlled servers—sometimes before you even approve the AI's actions. In one case, an entire product's source code (512,000 lines) accidentally leaked online for three hours.

Why it matters to your business: If your developers use AI coding tools, they may be inadvertently sharing your proprietary code, customer data, database passwords, and cloud credentials with third parties. A separate attack campaign already stole over 10,000 credentials including AWS keys, database passwords, and payment processor secrets from 760+ companies in just 24 hours.

What to do: Create a written policy about which AI tools developers can use and require IT review before installing new AI coding assistants. Set up secret scanning in your code repositories to catch accidentally committed passwords or API keys. Tools like GitGuardian and GitHub's built-in secret scanning can do this automatically.

4. North Korean Hackers Poisoned a Software Package Downloaded 100 Million Times Per Week

What happened: North Korean government hackers compromised the npm package manager account of a developer who maintains "Axios"—a JavaScript library downloaded over 100 million times weekly by developers worldwide. They published malicious versions that installed remote access malware on developer computers within 89 seconds of installation. About 600,000 downloads occurred in the three hours before the attack was detected and stopped.

Why it matters to your business: Modern software is built from hundreds or thousands of these shared code libraries. A single compromised library can infect every application that uses it—including your company's website, mobile apps, or internal tools. This attack showed that nation-state hackers can move from compromise to widespread infection in under three hours.

What to do: If you have custom software or websites, ask your developers to implement a 48-hour delay before automatically accepting updates to code libraries (called "dependency pinning" or "install cooldowns"). This gives the security community time to catch poisoned packages before they reach your systems.

5. Major Endpoint Security Tool Has Critical Flaw Under Active Attack

What happened: Fortinet released an emergency security fix for FortiClient EMS, software that manages security on employee computers and mobile devices. The flaw (rated 9.8 out of 10 for severity) allows hackers to take complete control of the system without needing a username or password. The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) confirmed hackers are actively exploiting this vulnerability and added it to their "Known Exploited Vulnerabilities" list—the 10th Fortinet product added since early 2025.

Why it matters to your business: Endpoint management tools are supposed to protect your computers, but they're increasingly becoming the attack vector. With approximately 2,000 internet-accessible FortiClient EMS systems detected worldwide, businesses using this software face immediate risk of complete network compromise. This is part of a pattern: security tools themselves are becoming high-value targets.

What to do: If you use FortiClient EMS versions 7.4.5 or 7.4.6, apply Fortinet's emergency patch immediately. More broadly, subscribe to CISA's Known Exploited Vulnerabilities catalog alerts and treat any addition as a drop-everything emergency that requires patching within 48-72 hours, not your normal update schedule.

Quick Hits

• A critical flaw in Flowise AI (a tool for building AI agents) achieved a perfect 10.0 severity score and is being actively exploited against 12,000+ exposed systems worldwide.

• 92% of organizations lack adequate security controls for AI agents, with 47% delaying deployments due to security concerns—representing a massive unmet need for AI security expertise.

• AI-generated code vulnerabilities surged 211% in Q1 2026, with 35 new security flaws discovered in March alone from code written by tools like GitHub Copilot, Claude, and Gemini.

• Researchers demonstrated that a single person using AI assistants could breach 10 government agencies and steal 150GB of data without writing custom malware—just by giving the right prompts to tools like Claude.

• Hackers exploited a critical WordPress plugin flaw (Ninja Forms) affecting over 50,000 websites, enabling them to upload malicious files and take control of sites.

• A ransomware group called Storm-1175 now completes attacks—from first entry to data encryption—in under 24 hours by chaining together 16+ different vulnerabilities including zero-days they exploited a week before public disclosure.

• The Internet Bug Bounty program stopped paying security researchers for finding vulnerabilities because AI tools are now finding bugs faster than open-source developers can fix them.

• Gartner predicts over 40% of AI agent projects will be canceled by the end of 2027 due to costs, unclear value, or inadequate security and risk controls.

One Thing to Do This Week

Review what AI tools your team is using—especially developers, but also sales, marketing, and administrative staff using AI assistants. Create a simple spreadsheet listing each tool, who uses it, what business data it accesses, and whether it's a free consumer version or a business account with security controls. Many free AI tools explicitly state in their terms of service that they use your input data to train their models, meaning your confidential business information could end up in responses to other users. This 30-minute inventory will reveal shadow IT risks you didn't know you had and help you decide which tools need to be replaced with enterprise versions that have proper data protection guarantees.

Worth Reading

• Anthropic's Project Glasswing announcement — The company's explanation of why they're restricting access to their vulnerability-finding AI and partnering with major tech companies to use it defensively first.

• The Zero-Day Timeline Just Collapsed: Here's What Security Leaders Do Next — CSO Online's analysis of why "patch and pray" security strategies no longer work in an AI-accelerated threat landscape.

• The 29-Minute Breakout: Why Monthly Vulnerability Scanning No Longer Works — Detectify's explanation of why traditional security approaches can't counter automated attack speeds.

• What Is AI Security? — TrueFoundry's practical guide to understanding and implementing security for AI systems, including the OWASP Top 10 risks for AI applications.