By Ayusha Oli, Cybersecurity Operations, Jutsu
This week, five of the world’s most powerful spy agencies (the US, UK, Canada, Australia, and New Zealand), collectively known as the Five Eyes issued a rare joint statement. Not about a specific attack, but about AI.
Their words were that frontier AI models are advancing fast enough to “exceed current industry expectations” and “fundamentally transform both offensive and defensive cyber capabilities.” They urged governments and businesses to act now. Now.
When the Five Eyes agree on something and say it publicly, it is usually because the thing is already happening and they have run out of patience for subtlety.
So here is what is actually happening!
A new attack class was disclosed this week called Agentjacking. If you use Claude Code, Cursor, or any AI coding agent, this one is worth understanding. Attackers craft fake Sentry error reports: the kind your coding agent reads automatically when debugging and inject instructions into them. The agent reads the report, interprets the injected instructions as legitimate guidance, and executes malicious commands. It achieved an 85% exploitation rate across 2,388 organizations.
The reason this works is not a technical flaw. It is a trust flaw. Developers have trained themselves to do what their AI coding agent tells them to do. That trust is the attack surface. The agent says run this command, you run it. Except the agent was told to say that by someone who crafted a fake error report three steps upstream.
The mitigation, for now, is treating all error-tracking platform output as untrusted before passing it to an AI agent. Which is a sentence that would have made no sense to write two years ago.
Meanwhile ShinyHunters — the same group behind the University of Nottingham breach, the Canvas breach that hit 9,000 universities, and about a dozen other incidents this year alone has been running multiple parallel extortion campaigns simultaneously this month. In parallel.
They hit Oracle PeopleSoft servers at over 100 organizations. They listed Eastman Kodak on their leak site and gave them a deadline. They dropped a 45 GB archive of Madison Square Garden Sports data with customer records, ticketing data, internal files classifying high-profile individuals with fields including “cost of talent” and “risk rating” just days after the Knicks won the NBA Finals.
The timing on that last one felt deliberate. It probably was.
What is notable about ShinyHunters in 2026 is not just the scale. It is the operational tempo. Running multiple extortion tracks in parallel, against targets in completely different industries, simultaneously, is a level of coordination that used to require a large organized group. The tools have made it manageable for a much smaller one.
The government noticed too, though the government’s response has been its own kind of drama.
Earlier in June, the Trump administration used export control authorities to pull Anthropic’s most advanced models offline : a finished commercial product before any formal regulatory framework existed for doing that. The Five Eyes warning came a few days after that. The White House and Anthropic are now apparently drafting a joint risk framework together.
Security researchers have been pointing out, politely but repeatedly, that traditional cybersecurity frameworks were built for predictable systems and that AI changes the operational rules in ways those frameworks were not designed to handle. Nobody has fully figured out the new rules yet. The government is trying to write them while the thing they are trying to regulate keeps moving.
There is something genuinely strange about this moment that I find hard to articulate cleanly.
The tools being used to attack and the tools being used to defend are the same tools. Claude, GPT, Gemini : they are in the pipeline of the person trying to breach your network and in the pipeline of the team trying to stop them. Google DeepMind introduced new guardrails for AI agents this week : access restrictions, monitoring, emergency shutdown capabilities. OpenAI launched Patch the Planet, partnering with security firms to help open-source maintainers find vulnerabilities using AI-driven analysis. The defensive applications are real and they are working.
At the same time, a 17-year-old exfiltrated 7 million records to buy Pokémon cards. An amateur in Algeria built ransomware that hit 85 targets in his first month. The barrier to entry has not just dropped. It has essentially disappeared for a certain category of attack.
The thing you thought was true about your threat model in February might not be true in August.
I work at Jutsu building AgentSOC, which means I think about the defensive side of this every day. And the honest answer to “now what” is that the speed advantage attackers have built is real, and the only way to close it is with systems that operate at the same speed : detecting, enriching, correlating, and responding without waiting for a human to pick up the ticket.
Not because humans are the problem. They aren’t. Because the volume and the pace have simply outrun what human-speed workflows can handle. The queue is too long.
I feel like Authorities were not being dramatic. They were describing the arithmetic.
Ayu works in Cybersecurity Operations and Compliance at Jutsu, where the team is building AgentSOC – an AI-powered Security Operations Center. If your SOC team is drowning in alerts, you know where to find us.