The attacks this week came through the things you trust: your supply chain, your AI tools, your law firm, your car, your water utility, your backup drives, and the financial system underneath all of it. The common thread is not a technical vulnerability. It is the gap between what you rely on and how well you have verified it still works the way you assume.

Your Supply Chain Runs Through a Summit

China controls roughly 60 percent of global rare earth mining, 90 percent of processing, and a significant share of the base chemicals other countries need to do their own processing. The materials go into motors, batteries, medical devices, defense systems, and the electronics on every desk in your office. Diversifying away from Chinese rare earths runs into a Chinese dependency one layer down. On Wednesday, President Trump meets President Xi in Beijing for a two-day summit where rare earth supply commitments and semiconductor export controls are both on the table.

The administration eased semiconductor export controls ahead of the visit and, according to Foreign Policy, shelved additional sanctions it had planned against China over Salt Typhoon (the Chinese intelligence operation that compromised major US telecommunications providers last year). The original US response to Salt Typhoon was already minimal: sanctions on one individual and one small Sichuan-based cybersecurity company, plus a $10 million FBI bounty. Salt Typhoon kept operating. Recorded Future documented five additional telecom breaches in the weeks after those sanctions landed. The planned follow-up was the stronger response. That is what was traded.

OFAC designated 10 China and Hong Kong-based entities this week for supplying drone components and missile parts to Iran. The administration is pressing Beijing to use its leverage on Tehran to reopen the Strait of Hormuz. If that works, energy costs come down. The price of asking is reduced pressure on the same government whose intelligence services are operating inside American networks. Trend Micro disclosed this week that Chinese hackers are running simultaneous espionage campaigns across Southeast Asian governments and targeting Uyghur, Tibetan, Taiwanese, and Hong Kong communities living in NATO-member European countries. Those operations did not pause for the summit.

The Takeaway: The summit outcome directly affects two things on your board's radar: the cost and availability of components your technology depends on, and the intensity of the cyber threat against your network. If the deal produces rare earth commitments, your procurement lead should know by Friday. If it produces only concessions without supply guarantees, the leverage changed and the supply didn't. Either way, the adversary operating inside US telecom infrastructure faced almost no consequence before the summit and may face less after it.

Sources: Foreign Policy — Admin scrapped Salt Typhoon sanctions pre-summit · Treasury — Salt Typhoon sanctions, January 2025 · TechCrunch — Salt Typhoon continues breaching telecoms despite sanctions · CNBC — Iran focus at Trump-Xi summit may delay tariff progress · Trend Micro — SHADOW-EARTH-053 campaign disclosure

The Prompt Is the Exploit

On May 4, someone stole $150,000 from an AI-powered crypto wallet using Morse code. The attacker posted a reply on X asking Grok to translate a Morse code message. The decoded text contained hidden instructions to transfer funds. Grok translated it faithfully. Bankrbot, an AI agent connected to the wallet, treated the translation as a legitimate command and wired the money. No password was stolen. No system was hacked. The attacker just talked to the AI in a language it understood and the safety filters didn't.

The same week, Microsoft disclosed two critical vulnerabilities in Semantic Kernel, the framework underneath Copilot and most enterprise AI agent deployments. Both allowed a crafted input to escalate from a conversation to full control of the host server. Microsoft patched them. But the same class of flaw turned up in four other major AI frameworks in April and May: Flowise (the most popular open-source AI agent builder, with 12,000 to 15,000 instances exposed online), CrewAI, and LangChain all had critical vulnerabilities that let an attacker go from prompt to system access.

The common thread: AI agents that can take actions, execute code, move files, call APIs, or send money, can be manipulated into doing those things for the wrong person. Traditional security testing doesn't cover this boundary because the attack surface is the conversation itself. OWASP (the Open Worldwide Application Security Project) published a dedicated Top 10 for AI agent risks in late 2025. Gartner estimates 40 percent of enterprise applications will embed AI agents by the end of this year.

The Takeaway: Every AI agent your organization deploys with the ability to execute code, access files, or call APIs has a security boundary your application security program was not designed to test. Your CISO should be able to answer one question this week: which AI tools in our environment can take actions, and what happens when someone feeds them a hostile input? If the inventory doesn't exist, the exposure does.

Sources: Microsoft Security Blog — Prompts become shells: RCE in AI agent frameworks · NVD — CVE-2026-26030 · NVD — CVE-2026-25592 · The Hacker News — Flowise under active exploitation · Giskard — How Grok got prompt-injected · OWASP — Top 10 for Agentic Applications · Gartner — 40% of enterprise apps will feature AI agents by 2026

What Your Law Firm Knows About You

Your outside counsel knows your acquisition targets, your deal timing, and your pricing strategy. Your incident response firm knows your insurance limits, your negotiating position, and your network architecture. Your compliance auditor knows where your security controls are weakest. You handed all of it over voluntarily because the relationship required it.

On May 6, the SEC charged 21 individuals civilly in a decade-long insider trading ring that operated inside major law firms including Wachtell Lipton, Latham & Watkins, and Goodwin Procter. The DOJ indicted 30 in a parallel criminal case. Nobody hacked anything. The stolen information, deal timelines, target identities, pricing, came from people with access to client files and no one auditing what they did with them. Three weeks ago, this newsletter reported that a ransomware negotiator named Angelo Martino shared five victims' insurance policy limits and internal negotiating positions directly with the BlackCat attackers while he was hired to negotiate on the victims' behalf. Those five companies paid a combined $75 million in ransoms calibrated to the exact limits Martino handed over.

The common thread is not that these vendors were malicious from the start. It is that the information you gave them made them a target, and made the information valuable enough for someone inside to sell. Your third-party risk program may not measure the value of what you handed over or who inside the vendor has access to it. Most companies run data loss prevention and data classification internally. Those controls stop at the perimeter. The data on the other side of it, sitting in your law firm's file system or your IR firm's case management tool, carries no classification, no access logging, and no DLP.

The Takeaway: Before your next outside counsel engagement or IR retainer renewal, your General Counsel should inventory what privileged information each firm holds about your company, who inside that firm can access it, and what logging exists on that access. Data classification is no longer just a government practice. If the information would be labeled confidential inside your network, it should carry the same controls wherever it sits.

Sources: SEC — Press Release 2026-44: 21 charged in insider trading scheme · DOJ — Two Americans sentenced for ALPHV/BlackCat ransomware

The Data You Didn't Know You Gave Away Just Raised Your Expenses

General Motors agreed on May 8 to pay $12.75 million to settle allegations that it sold the names, geolocation data, and driving behavior of hundreds of thousands of California drivers to data brokers Verisk Analytics and LexisNexis Risk Solutions through OnStar from 2020 to 2024. It is the largest fine in the California Consumer Privacy Act's (CCPA) history. GM made approximately $20 million from the data sales nationwide. The fine consumed nearly two-thirds of the revenue. GM is now banned from selling driving data to consumer reporting agencies for five years.

The data came from OnStar, a system most drivers associate with roadside assistance and turn-by-turn directions. It was also recording speed, braking habits, location, and trip timing, then packaging it and selling it to companies that build insurance pricing models. Verisk and LexisNexis used the data to generate risk scores. Insurers used those risk scores to set premiums. Drivers saw their rates go up without knowing that the car they bought was reporting on them to the company that insures them.

Driving data is one category. The pattern is broader. Wellness apps feed group health insurance pricing. Building sensors feed property insurance models. Shipping patterns feed freight rate calculations. Payment behavior feeds supplier credit terms. In each case, data about you or your company is being collected by a product you use, sold to a third party you have no relationship with, and used to set a price you pay. The GM settlement makes driving data visible. The rest of the pipeline has not been tested in court yet.

The Takeaway: GM's drivers didn't know OnStar was selling their habits to their insurers. The question for your board is what data about your company, your fleet, your facilities, or your employees is being collected by the products you use and sold to the companies that set your costs. Your risk manager should be asking every vendor that prices a relationship with you: your insurer, your lender, your freight carrier, your landlord. What third-party data sources are you using to price us, and where did that data come from?

Sources: California AG — GM privacy settlement · CalMatters — GM record California penalty · The Record — GM to pay $12 million in California privacy settlement

Two Adversaries, One Water System

Poland's internal security agency warned in early May that Russian-linked hackers breached the control systems at five municipal water treatment facilities and gained the ability to change how the equipment operates. In April, Sweden attributed a cyberattack against a thermal power plant to actors connected to Russian intelligence. Two NATO members, two types of critical infrastructure, the same adversary, within weeks of each other.

On the other side of the Atlantic, a joint advisory from CISA, the FBI, NSA, EPA, DOE, and US Cyber Command confirmed in April that an Iranian military-linked hacking group called CyberAv3ngers is actively tampering with control systems at US water, energy, and government facilities. The advisory does not describe espionage. It describes attackers changing how physical systems behave.

Russia in European water systems. Iran in American ones. Neither is coordinating with the other. Both arrived at the same conclusion independently: municipal utilities run the same equipment, the same outdated software, and the same underfunded IT operations everywhere. Your company depends on those systems for water and power. You have no contract with the municipality, no SLA, no guaranteed response time, and no alternative supplier if service stops.

The Takeaway: Your business continuity plan probably has backup power covered: redundant feeds, generator contracts, diesel from multiple vendors. Ask the same questions about water. Where does it come from? Is there a second source? How many days of on-site storage do you have? Two adversarial governments are now inside the municipal systems that supply it. If your BCP has three pages on electricity and nothing on water, that gap may stop you in your tracks down the road.

Sources: The Record — Polish intelligence warns hackers attacked water treatment · CISA — AA26-097A: Iran-affiliated CyberAv3ngers targeting water and energy

The AI Boom Ate Your Backup Drives

Western Digital's CEO told investors on the company's Q2 earnings call that it is "pretty much sold out for calendar 2026." Seagate's CEO confirmed the same week that nearline capacity is "fully allocated through calendar year 2026," with contracts extending into 2028. Together, the two companies form a duopoly that controls virtually the entire global hard drive market. Enterprise drives in the 30 to 36 terabyte range are backordered two years. Prices are up 46 percent on average since September 2025, with some models nearly doubling. The Internet Archive, which preserves one of the largest collections of web history in the world, told 404 Media the shortage is "a very real issue costing us time and money."

The buyers are the same five companies spending a combined $725 billion on AI infrastructure this year: Amazon, Google, Microsoft, Meta, and OpenAI. Western Digital generates the vast majority of its hard drive revenue from hyperscaler AI cloud customers. Everyone else competes for what remains. The cost pressure doesn't stop at physical drives. AWS, Azure, and Google Cloud run on the same hardware. If their input costs rise 46 percent, that eventually reaches your cloud storage bill. Years of declining storage pricing may be over.

The Takeaway: If your backup, disaster recovery, or compliance archival infrastructure runs on spinning disk, your next hardware refresh will cost more and arrive later than your current budget assumes. Your cloud storage bills are headed the same direction because the providers run on the same hardware. For archival and cold backup, tape (LTO cartridges) is available and cheap. For production servers and active storage, there is no alternative supply. Your IT lead should confirm current drive inventory and supplier lead times this month, and your CFO should expect storage line items to rise across the board.

Sources: 404 Media — The AI hard drive shortage is making it harder to archive the internet · Tom's Hardware — Western Digital sold out for all of 2026 · Tom's Hardware — Big Tech AI spending reaches $725 billion · Benzinga — Seagate sold out through 2026

The Dot-Com Bubble Popped in Public. This One Won't.

The dot-com crash played out on a ticker. NASDAQ dropped 78 percent. The AI boom is being funded differently. A significant share of the money flowing into AI companies is coming through private credit, loans made by funds outside the traditional banking system that now hold between $1.5 and $2 trillion in assets. The Financial Stability Board (FSB, the international body that coordinates financial regulators across the G20) published its first dedicated report on the sector on May 6 and found opaque valuations, zero stress-test history, and a new wave of wealthy retail investors being invited in through semi-liquid funds.

The borrowers are concentrated in technology, healthcare, and business services. The same sectors driving AI spending. The same $725 billion in AI infrastructure investment that bought every available hard drive this year is being financed in part through credit instruments that have never been tested in a downturn. If AI investments don't generate the returns the models assume, the losses don't show up on CNBC. They show up when your bank tightens your credit line because its $220 to $500 billion in exposure to private credit funds is underwater. They show up when your insurer raises your premium because 10 percent of its investment reserves are in the same sector. They show up when your PE investor stops returning calls.

The same week the FSB published its warning, FS KKR Capital Corp, a publicly traded business development company managed by KKR's credit arm, was hit with a shareholder class action alleging misleading net asset value and dividend disclosures. The stock dropped 15 percent. One fund, one week. The FSB is warning about a $2 trillion market.

The Takeaway: Your bank, your insurer, and your investors all have exposure to private credit. A significant share of that private credit is funding the AI boom. If AI corrects, the losses won't start with you. They'll reach you through tighter lending terms, higher premiums, and investors who go quiet. The last time everyone assumed a sector was too big to fail, it was housing. The question is being asked about AI. It just hasn't been answered yet.

Sources: FSB — Vulnerabilities in Private Credit · D&O Diary — FS KKR Capital shareholder class action

Read the full brief with sources and specific actions at https://stateofthethreat.com/weekly/2026-05-10

Know someone who should read this? Forward this email. They can subscribe at stateofthethreat.com/subscribe.

Read more at stateofthethreat.com