Cybersecurity · Monday, 13 July 2026
01 · Briefing · what happened
An AI found a serious flaw in the code that locks the internet
OpenSSL, the encryption behind much of the web, patched a high-severity bug that an AI helped uncover. The same fortnight, researchers documented an AI that ran a ransomware attack almost start to finish. The same machine that reads code to protect it can read code to break it.
Key takeaways
- OpenSSL, the encryption behind much of the web, patched a serious flaw an AI helped find — no known attacks, and the fix is a simple software update.
- Researchers documented an AI agent running most of a ransomware attack itself, though a human still chose the victim, built the infrastructure, and supplied the first stolen passwords.
- The same machine speed now points both ways; the way in was still a known unpatched bug and stolen credentials, so patching and two-step login matter more than ever.
Two stories this fortnight look separate and are really one. In the first, an AI helped find a serious flaw in the software that secures a large slice of the internet. It was patched before anyone was known to abuse it. In the second, an AI ran nearly the whole of a real ransomware attack by itself. The common thread is a machine that can now read code and networks faster than any human, on either side of the line.
The lock on the internet had a hidden crack
OpenSSL is the plumbing behind the padlock in your browser. It’s free, open-source code that scrambles traffic so a stranger on the same Wi-Fi can’t read your password or your bank session. A huge share of the web’s encrypted connections run through it or something like it.
This month OpenSSL’s maintainers shipped fixes for a batch of flaws, led by one rated high-severity: CVE-2026-45447
There is no sign it was used in an attack, and the fix is out — update to the patched OpenSSL versions and the crack closes
The same skill, pointed the other way
While one AI was reading code to protect it, another was reading a network to rob it. Researchers at Sysdig, a security firm, described what they call the first ransomware attack run almost entirely by an AI agent — they named it JADEPUFFER
Treat “first fully autonomous attack” as a claim, not gospel — and the careful reporting bears that out. A human still set the whole thing up. They picked the victim, built the servers behind the operation, and handed the AI the first stolen passwords from an earlier break-in
What it means for you
Nothing here demands panic, and no product will save you. The OpenSSL fix is your software vendors’ job. Your part is the dull, reliable one: install updates when your phone, browser, and apps offer them
The attack story carries the plainer lesson. For all the talk of a self-driving attack, the AI still needed a door left open: a known unpatched bug, and passwords stolen in an earlier breach
02 · Lesson · why it matters
Safe until someone bothered to look
For decades the safety of most systems rested not on how sound they were, but on how expensive it was to check them — and that cost just fell.
Two machines, one skill
This fortnight, one AI helped find a serious flaw buried in OpenSSL, the code that locks a huge share of the internet. Another AI ran nearly a whole ransomware attack on its own. They read as opposite stories — a rescue and a robbery.
They are the same story. Notice the strange fact about the OpenSSL flaw: it was already there. Nobody wrote a new bug this month. The code had carried that crack for a long time. Nothing about it changed. What changed is that something finally read it closely enough to see.
The real lock was attention
We tell ourselves a system is secure because it is well built. Sometimes it is. But most of the time, most systems are safe for a duller reason: reading them carefully is slow, boring, expensive work, and almost nobody bothers.
A million lines of code sit in the software you use. Auditing them line by line is thankless. So it mostly doesn’t happen. The flaw in your bank’s login, your car’s software, the library behind the padlock — it may be sitting there right now. It waits the same way OpenSSL’s did, for the first careful reader.
That reader was scarce. Skilled people are few, their hours are costly, and the work is tedious. Scarcity of attention was doing the job we credited to strong code. The lock on the door was really the fact that few people could be bothered to test the handle.
”No known problems” was about us
Look again at the phrase we lean on: no known vulnerabilities. It sounds like a fact about the code. It is a fact about us — about how hard anyone has looked.
The list of a system’s known flaws is a map of human effort. We keep mistaking it for a map of danger. The danger was always the whole of the code, every path through it. We only ever charted the paths someone happened to walk. The blank spaces on the map were never proven empty. They were just unvisited.
OpenSSL had one high-severity flaw found in all of 2025. That was easy to read as reassurance. It really measured how few people were reading — not how little there was to find.
The cost of looking just fell
Now the scarce thing is getting cheap. A machine that reads code does not get bored, does not skip the tedious middle, does not knock off at five. Point it at OpenSSL and it finds what was there. Point it at a network and it does the grinding, patient work of an attack — the reconnaissance, the trying again, the reading of its own errors.
That is why the two stories are one. The same falling cost lifts the blank spaces off the map, and it does so for whoever runs the reader first. A defender who reads their own code first closes the crack. An attacker who reads it first walks through. The advantage goes not to the more virtuous side, but to the faster one.
You are on this map
It is tempting to file this under “the security world” and step back. But the map is yours too. Every service you trust — your bank, your email, the app that holds your photos — is secure up to a budget. Someone decided how much checking to buy, and then it stopped. That limit was invisible to you. It looked like “it’s fine.”
The budget was not villainy. When looking was expensive, spending less on it was reasonable, and the systems held anyway, because attackers faced the same high cost. Both sides were priced out of reading carefully, and that shared limit kept an uneasy peace. What is changing is that the price is dropping for everyone at once — the auditor and the intruder both.
The whole, held loosely
The unsettling part is not that a machine can find a flaw. It is what that reveals about the confidence we already carried. For years, “secure” mostly meant “unexamined.” We could not tell the difference from the inside — because the thing that would have told us was the very reading nobody had done.
No single person ever saw the whole of these systems. That was always true; the code is too large for any one mind. We managed by trusting that the unread parts were probably fine. Now something can read more of it than any of us, and it works for whoever asks. That should not make us feel clever. It should make us hold our certainty a little more loosely — about our own systems, and the ones that hold our money and our secrets.
03 · Lab · your turn
The Audit Budget
Rehearse spending scarce checking across systems, sign them off as secure, then see what "unexamined" was hiding — and what changes when the cost of looking collapses for both sides.
04 · Hope · carry this
The patient, thankless work that security always needed and could never afford — reading every line — is finally getting cheap enough to actually do. And the first thing that cheaper attention did this fortnight was quietly close a hole in the internet's lock, before anyone was known to walk through it.
More from Cybersecurity