A 17-year-old boy in Osaka exfiltrated personal data from 7 million users of Japan’s largest internet cafe chain. His motivation: to buy Pokémon cards. He had no technical background.
That story — which would have been impossible five years ago — today surprises no one. It’s just another Tuesday in 2026.
The numbers that should alarm you
Chainguard’s April 2026 analysis puts hard data behind what security teams have been feeling for months. The headline number: 28.3% of CVEs are exploited within 24 hours of public disclosure. To put it in context: that number was around 2% in 2023.
Read that again. In 2023, there were weeks — sometimes months — between a vulnerability going public and someone weaponizing it. Today, nearly one in three CVEs is being actively exploited before most security teams finish their morning standup.
The trajectory of time-to-exploit tells the complete story:
- 2020: Average time to exploitation — over 700 days
- 2025: 44 days
- 2026: Effectively negative. Exploits arrive routinely before patches
That last data point deserves explanation. “Negative time-to-exploit” means attackers are weaponizing vulnerabilities faster than vendors can publish fixes. The disclosure-patch window — the entire premise of the patch-and-pray defense model — no longer exists as a real buffer.
Meanwhile, the attack surface expands at the same pace. Malicious packages in public repositories went from 55,000 in 2022 to 454,600 in 2025. A single quarter of 2025 produced 394,877. The Shai-Hulud attack on the npm ecosystem compromised over 500 packages, exposed secrets in 487 organizations, and resulted in the theft of $8.5 million from Trust Wallet through a poisoned Chrome extension.
The same tools, opposite direction
This is the structural problem, and it’s one that no CISO budget can simply outspend.
The AI capabilities that developers use to solve GitHub issues — frontier models today solve approximately 81% of real issues in SWE-bench — are the same capabilities attackers are deploying. There’s no moat. The model that writes your feature also writes the exploit.
Incidents are no longer theoretical:
- February 2025: Three teenagers aged 14 to 16 used ChatGPT to hit the Rakuten Mobile system 220,000 times. No coding background. The proceeds went to gaming consoles and online betting.
- July 2025: A single actor using Claude Code conducted an extortion campaign against 17 organizations over a month — developing malicious code, organizing exfiltrated data, calibrating ransom amounts based on financial records analysis, and drafting extortion emails. All with agentic AI.
- December 2025: Another individual used Claude Code and ChatGPT to breach over 10 Mexican government agencies, stealing over 195 million taxpayer records.
The Venn diagram between “willing to attack” and “technically capable of attacking” was once a thin line. Today it’s a circle.
Why patching faster isn’t the answer
The reflexive response from most security teams is: move faster. Adjust SLAs. Automate vulnerability scanning. Deploy more tooling.
The data says that approach has structural limits. The average remediation time for a known high or critical severity CVE is currently 74 days, according to the Edgescan 2025 Vulnerability Statistics Report. And 45% of CVEs in large organizations — companies with more than 1,000 employees — are never remediated.
You can’t compress a 74-day remediation cycle to under 24 hours through process optimization alone. The gap is architectural, not operational.
The detection problem is equally difficult to solve. The malicious npm packages that flooded repositories in 2025 included documentation, unit tests, and well-structured code — because the code was AI-generated and modeled on legitimate libraries. Static analyzers and signature scanners didn’t detect them. The malware looked like real software.
As Dan Lorenc, CEO of Chainguard, noted: the complexity and scale of vulnerability management have exceeded most organizations’ capacity to manage it independently.
The strategic shift: eliminate attack categories
Security teams gaining ground in this environment aren’t the ones running faster on the same treadmill. They’re the ones asking a different question: what can we make structurally impossible to attack?
This reframing matters. Instead of compressing reaction time — which AI-enabled attackers will always be able to overcome — the defensible position is eliminating entire categories of vulnerability. Reducing the attack surface to the point where speed ceases to be the determining factor.
For Ibero-American organizations operating with smaller security teams and tighter budgets than their North American counterparts, this framing is especially relevant. You can’t outresource a threat actor using the same frontier models you use. But you can make entire classes of attacks structurally irrelevant to your infrastructure.
The question for your team isn’t “how do we patch faster?”. It’s “what attack categories can we make impossible?”.
What this means for your security posture in 2026
Chainguard’s analysis is a good conversation starter for the discussion most security and engineering leaders need to have with their organizations. Some concrete takeaways:
1. Treat the 24-hour exploitation window as the new baseline. Any vulnerability management process that doesn’t account for near-immediate exploitation is operating on outdated assumptions.
2. AI-generated malware defeats signature-based detection. If your detection posture relies primarily on pattern matching and known signatures, you have a structural gap. AI-generated code is designed to look like legitimate software.
3. The supply chain is the attack surface of 2026. With 454,600 malicious packages in public repos last year, trust in dependencies cannot be taken for granted. Every package entering your build pipeline is a potential vector.
4. The attacker profile has changed fundamentally. Security models built around “sophisticated state-nation actors” or “organized criminal groups” underestimate the real threat. Non-technical actors with access to frontier models are conducting attacks that once required engineering teams.
The tools are accessible. The barrier has disappeared. The question is whether your organization’s defense model was designed for the world that exists in 2026, or for the one that existed in 2022.
Source: 2026: The Year of AI-Assisted Attacks — Chainguard · The Hacker News