Check Point Research's threat digest for March–April 2026 documents a significant escalation in AI-assisted offensive cyber operations. Key cases include a single operator using Claude Code and GPT-4.1 in a dual-AI workflow to breach nine Mexican government agencies, and Bissa Scanner, a mass-exploitation platform targeting AI provider credentials at scale. The EvilTokens PhaaS platform embeds LLM pipelines (Llama 3.1, Llama 3.3, GPT-4o-mini) to automate BEC fraud, with jailbreaks baked in at the platform level. On the defensive side, Anthropic's Claude Mythos found 181 Firefox exploits versus 2 for its predecessor, and OpenAI's Codex Security has already been credited with 14 CVEs. Meanwhile, attackers are weaponizing newly disclosed vulnerabilities within hours of publication. The report also covers CVEs in Claude Code's agentic configuration files (CLAUDE.md, .mcp.json) that enable supply chain attacks on developer machines, and notes that enterprise GenAI data exposure risk is rising proportionally with usage volume.
Table of contents
Executive Summary
AI as Live Attack Operator
Agentic Configuration Files: A Persistent Attack Surface
AI-Powered Fraud at Scale: EvilTokens
The Vulnerability Race: AI on Both Sides of the Patch Window
Enterprise Adoption and Exposure
Conclusion