Everything Everywhere All At Once
Why Spring 2026 Felt Like Everything Got Hacked at Once
If you’ve felt like every week brought a new “huge hack” headline this spring, you weren’t imagining it. Between March and May 2026, the technology world lived through one of the most relentless stretches of serious security failures in recent memory — and the people who watch this stuff for a living are openly using words like “armageddon.”
This post is for normal people. You don’t need to know what a kernel is, or what “npm” stands for, or what a zero-day looks like. The goal here is simpler: explain what just happened, why it’s different from past scares, and what you can reasonably do about it.
The short version
Three things changed at once:
- **AI tools made it dramatically easier to find security holes in software.** What used to take a small group of highly paid experts months can now be done by automated systems running around the clock.
- **AI also made it easier to *use* those holes.** When a software company quietly publishes a fix, AI can often look at the fix and figure out the attack from it — within hours.
- **The system we’ve used for thirty years to handle these problems was not built for this.** That system assumed defenders had time. They don’t anymore.
The result: a steady drumbeat of major incidents, several of which would have been the biggest story of the year in any other year.
Spring 2026’s biggest security scare
A quick tour, in plain English:
- **The Axios hijack.** Axios is a piece of software that essentially every modern website and app uses behind the scenes to talk to other services — picture a delivery driver who works for nearly every restaurant in town. Attackers slipped a malicious update into Axios that quietly stole login keys and credentials from anyone whose code pulled the update. (NetworkChuck called it the worst hack of the year; Fireship walked through it for developers.)
- **The GitHub takeover bug.** GitHub is the place where most of the world’s software is built and stored. A single misplaced semicolon in its code created a path that could have given an attacker access to enormous numbers of private projects with one command. The bug was found with the help of an AI assistant — Wiz researcher Sagi Tzadik tells the story.
- **CopyFail and Dirty Frag.** Two flaws in Linux, the operating system that quietly runs most of the internet’s servers, your home router, and a huge share of business infrastructure. Both let an unprivileged user become an all-powerful administrator. CopyFail had been hiding in plain sight for nine years. (Brodie Robertson breaks down CopyFail; SavvyNik covers Dirty Frag.)
- **Mini Shai-Hulud, the self-spreading worm.** Like the Axios attack, but worse: this malware infected one piece of popular developer software, then used that infection to break into and infect dozens more on its own, with a built-in feature that would wipe a victim’s files if they tried to clean it up. (Fireship covered it the day it broke.)
- **The WordPress plugin wave.** WordPress runs roughly 40% of all websites. Yet another round of compromised plugins meant millions of those sites were exposed to attackers. (Fireship summary here.)
- **Microsoft SharePoint zero-day.** A flaw in the software many companies use to share internal documents — already being actively exploited by the time Microsoft announced it. (Walkthrough by Motasem Hamdan.)
- **Chrome zero-day.** A flaw exploitable through ordinary web styling code. Visit the wrong page, and bad things happen. Patched, but exploited in the wild first.
- **Palo Alto firewall zero-day.** Palo Alto sells the firewalls protecting many large companies and government agencies. This bug let attackers walk straight through the front door without a password.
- **The Canvas breach.** Canvas is the software many schools and universities use to manage classes. A breach exposed personal data for students across many institutions.
Any one of these would have been a story. They all happened inside about ten weeks.
What actually changed: AI flipped the rules
The clearest explanation of *why* this is happening comes from a YouTube essay by developer Theo Browne called “Everything is pwn’d now,” which builds on an essay by researcher Jeff Kaufman titled “AI is breaking two vulnerability cultures.”
For three decades, the security world operated on three quiet assumptions. AI broke all three at roughly the same time.
Assumption #1: “Only a few experts can find these bugs.”
For most of computing history, finding a serious security flaw required years of training, deep knowledge of how a particular piece of software was built, and weeks or months of patient hunting. That naturally limited how many vulnerabilities got discovered, and by whom.
Today, an AI agent can scan code in a loop, day and night, for as long as someone is willing to pay for the computing time. The work that used to require a rare expert can now be rented by the hour. That means a lot more people — including hostile ones — can find serious flaws.
Assumption #2: “Ninety days is enough warning.”
When a security researcher finds a flaw, the long-standing tradition is to privately tell the company that makes the software, give them about ninety days to fix it, and then publish the details. The assumption baked into that timeline: no one else is likely to independently find the same bug in those ninety days.
That assumption is now visibly false. In one recent case in the Linux operating system, a second researcher independently reported the *same* serious flaw just nine hours after the first one. When many automated systems are hunting in parallel, the odds that you’re the only person who found something drop to nearly zero.
Assumption #3: “A fix is safe to publish because attackers can’t tell what it fixed.”
This is the most counterintuitive one, and the most dangerous. When a company quietly pushes a software fix to its public code repository, the change itself usually doesn’t say “this fixes a security bug.” For years, the assumption was that figuring out which fixes were *security* fixes — and how to turn them into attacks — was hard enough to give defenders a meaningful head start.
Theo points to recent experiments where security fixes were shown to three different AI systems. All three correctly recognized them as security-related, even with no context. In other words: as soon as a fix is published, AI can often work backward from the fix to a working attack — sometimes within hours.
The net effect of all three assumptions breaking at once: **defenders and attackers are now learning about the same vulnerability at roughly the same time.** The head start defenders used to count on is gone.
The system wasn’t built for this
It’s tempting to call this “more bugs than usual,” but the real story is that the *process* the industry uses to handle security problems is breaking down. A few examples of how:
- **The wrong people are in the room.** When a flaw is found in Linux, the warning typically goes to a small group of kernel developers — not to the companies (Ubuntu, Red Hat, etc.) that actually package Linux for everyday users. Those packagers often find out about a serious issue at the same moment as the attackers do. They’re told, in effect, “just keep up with updates” — but they’re racing the bad guys from a standing start.
- **“Quietly fix and move on” no longer works.** In the Linux world especially, there’s a culture of just fixing problems in public and hoping that obscurity plus update lead time protects users. With AI scanning every public code change, there is no more obscurity.
- **Total openness has new costs.** Open source — the practice of building software in public where anyone can see the code — has been a huge force for good for decades. But it was designed for an era when “anyone can read the code” meant “a few hundred humans, slowly.” It didn’t anticipate “AI agents read every change the moment it appears.”
Theo’s argument is not that open source is bad. It’s that we may need new options *within* open source: a vetted middle layer of trusted defenders who get a head start on patches, private staging areas for sensitive fixes, and a willingness to ship updates to users before the technical details are made public.
What this means for you
You don’t need to become a security professional. But the old advice — “use antivirus, don’t click weird links” — is no longer enough. The pros are starting to operate from a new mindset, and a watered-down version of it is reasonable for everyone.
**Assume something, somewhere, has already leaked.** This sounds bleak, but it’s actually freeing. Instead of trying to keep everything secret forever, you focus on what an attacker could *do* with your information and block those outcomes specifically.
**Back things up the way you’d back up irreplaceable photos in a fire.** If every device in your house stopped working today, what would you wish you had saved? Make a copy of that — onto an external drive — and keep at least one copy *unplugged* and somewhere safe. Modern ransomware will happily encrypt every drive it can reach, including your network backup. A drive in a drawer is invisible to it.
**Update your operating system promptly. Slow down on everything else.** When Apple, Microsoft, or your phone maker push a security update, install it within a day or two — attackers really are racing to exploit those flaws as soon as the patch ships. For smaller apps and plugins, it’s actually safer to wait a few days before installing brand-new versions; several of the worst attacks this spring were poisoned updates that got caught and pulled within hours of release.
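For readers who do manage their own developer dependencies, the “wait a few days” rule can be automated. The example below is added here and is not code from the original post: it takes a package’s version-to-publish-date map (the shape of the `time` field the npm registry returns; the sample data is constructed) and picks the newest release that has already been public for a minimum number of days, so a just-published, possibly poisoned version is skipped.

```python
"""Choose the newest package release that has had a cooling-off period.

Added example, not from the original post. Input mirrors the npm registry's
"time" object (version -> ISO-8601 publish timestamp); the data is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: 1.8.0 was published only hours before SAMPLE_NOW.
SAMPLE_TIMES = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2026-04-10T09:00:00.000Z",
    "1.6.0": "2025-11-03T12:00:00.000Z",
    "1.7.0": "2026-03-20T15:30:00.000Z",
    "1.8.0": "2026-04-10T09:00:00.000Z",
}
SAMPLE_NOW = datetime(2026, 4, 10, 18, 0, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    # Registry timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple:
    # Numeric ordering for plain major.minor.patch versions (no pre-release tags).
    return tuple(int(part) for part in version.split("."))


def pick_cooled_version(times: dict, now: datetime, min_age_days: int = 3) -> Optional[str]:
    """Return the highest version published at least min_age_days before now,
    or None when every release is still inside the cooling-off window."""
    cutoff = now - timedelta(days=min_age_days)
    candidates = [
        version for version, ts in times.items()
        if version not in ("created", "modified") and parse_ts(ts) <= cutoff
    ]
    if not candidates:
        return None
    return max(candidates, key=version_key)


if __name__ == "__main__":
    chosen = pick_cooled_version(SAMPLE_TIMES, SAMPLE_NOW)
    print(f"Newest release public for 3+ days: {chosen}")  # prints 1.7.0
```

npm itself offers the same idea built in: `npm install --before=<date>` only considers versions that were available on or before that date.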
**Have a “safe word” talk with your family.** This is the one new habit worth adopting in 2026. AI-generated voice fakes are good enough now that “I got a panicked call from my kid” is no longer reliable evidence that it was actually your kid. Agree on a short phrase your family can use to prove identity over the phone, and make sure older relatives know about SIM-swap scams (where someone takes over your phone number to bypass security codes).
**Keep paper copies of the things that matter.** Mortgage info, car titles, insurance policies, account numbers, and a list of which accounts use which email addresses. If you ever need to recover from a serious compromise, you’ll be grateful that not every important document lives inside the same compromised cloud account.
The honest takeaway
Spring 2026 was not the year cybersecurity got “more annoying.” It was the year the rulebook the industry has used since the 1990s stopped working. The companies and researchers responsible for keeping software safe are openly rethinking what they do and how they do it.
For the rest of us, the appropriate response isn’t panic — it’s an upgrade. A few small habits, practiced consistently, will put you well ahead of where most people are. The era when you could trust that “someone responsible is handling it” is ending. The era where each of us carries a small share of responsibility for our own digital safety is starting.
Five questions to ask your IT person this month
Whether you have an in-house tech, an outside MSP, or a nephew who “is good with computers,” these are the five questions worth asking before the next quarter starts. None of them are trick questions, and “I don’t know” is itself a useful answer.
- Are operating systems and core business software being patched within a week of release across every device that touches client data? (Not “is auto-update on.” Actually verified.)
- Where do our backups live — and is at least one copy kept offline, off-site, and tested? A backup nobody has ever restored from is a hope, not a backup.
- Who has administrator access to our website, email, accounting, and client systems — and when did we last review that list? Old vendor accounts and former employees are a top entry point.
- If one of our employees got compromised this week, how would we find out, and what would we do in the first 24 hours? If the answer is a shrug, that’s the project.
- Do we have a documented identity-verification protocol for phone calls and email requests involving money or credentials? This is the single best defense against AI-generated voice fakes and social engineering — and it costs nothing.
If two or more of those questions don’t have a confident answer, that’s not a failing grade — it’s a normal starting point in 2026. It is, however, a signal that this is the year to fix it.
A note from TechTargets
This is the kind of work we do every day. TechTargets provides fractional IT leadership, managed operations, and automation for small and mid-sized businesses — the steady hand that makes sure your systems are stabilized, secured, automated, and scaled the way a much larger company’s would be.
If reading this post raised more questions than it answered, we offer a free Spring 2026 Exposure Check — a focused 30-minute conversation walking through the five questions above against your actual setup, with a written summary afterward. No pitch, no obligation.
👉 Book a Spring 2026 Exposure Check or reply to this post.
*Primary sources and further viewing:*
- Theo Browne — “Everything is pwn’d now”
- Jeff Kaufman — “AI is breaking two vulnerability cultures”
- NetworkChuck — “the WORST hack of 2026”
- Fireship — “A single PR just hijacked the NPM registry”
- Brodie Robertson — “CopyFail Compromises the Last 9 Years of Linux Distros”