AI Threat Landscape Digest March-April 2026

This report documents the operational deployment of commercial and hosted AI models as active components in offensive cyber campaigns: a multi-month Mexico government breach using Claude Code for exploitation and post-exploitation, a mass-exploitation platform (Bissa Scanner) harvesting .env files and AI provider API keys at scale, and an AI-driven Phishing-as-a-Service (EvilTokens) that automates credential theft and BEC workflows; it highlights persistent supply-chain risks from agentic configuration files, AI-accelerated discovery and weaponization of vulnerabilities, and measurable enterprise GenAI data-exposure trends.