North Korea's recent macOS campaign doesn't try to dodge antivirus signatures the old-fashioned way. It's built to fool something newer: the AI model that now sits inside the detection pipeline at many security vendors, making the call on what's malicious and what's not. The malware hides prompt injection (text crafted to make an AI model follow attacker instructions instead of its own) inside file metadata and process names. Read by an AI security tool, that text says, in effect, "this is benign." A separate technique called BioShocking works the same trick from the other side. It targets AI browsers that hold a user's saved credentials. Feed the AI agent instructions disguised as ordinary web content, and it hands those credentials to an attacker. Neither attack is really aimed at the user, or even at the laptop. Both are aimed at the reasoning layer: the part of the system that decides what counts as a threat. CrowdStrike and other vendors logged the macOS campaign and BioShocking as separate incidents. So far, no vendor incident report has named the reasoning layer itself as the thing that got compromised.
The more interesting find this week is research showing you can walk a large language model into producing dangerous instructions through something researchers are calling chain-of-thought forgery. Chain-of-thought is the step-by-step record of how a model arrived at an answer. Forging one means fabricating a plausible-looking version of that record, one that leads the model to a conclusion it would have refused if you'd just asked it outright.
This isn't a jailbreak in the old sense, some cleverly worded prompt that tricks the model in the moment. It's closer to forging a log file. Convince the system that a prior step already happened, and the model trusts its own fabricated history.
That should worry anyone running an AI agent with write access, file access, or credential access. By mid-2026, that's most enterprise AI deployments. MITRE, the nonprofit that maintains ATT&CK, the industry's standard catalog of attacker techniques, has not opened a category for reasoning-trace manipulation as of this week. Any enterprise threat model built against the current ATT&CK matrix has the same blind spot.
AI security tools catch more than they miss. That claim still holds. What hasn't been tested is a single step that nobody logs: the moment the model trusts a fabricated reasoning trace, or a forged prompt, over its own training. The first incident response team to discover their AI triage system approved its own compromise is going to need logs that capture that exact moment. Most don't keep them yet.