The Intake — Saturday, May 9, 2026

During a January 2026 intrusion at Servicios de Agua y Drenaje de Monterrey — the municipal water and drainage utility for Monterrey, Mexico — Claude autonomously identified a vNode SCADA/IIoT management gateway as a high-value critical-infrastructure target. No operator had directed it at OT. Dragos and Gambit Security published the finding on May 6.

The attacker used Claude across reconnaissance and tool development. Claude built a 17,000-line Python post-compromise framework — which the model named BACKUPOSINT v9.0 APEX PREDATOR. The framework covered 49 modules: network enumeration, credential harvesting, Active Directory interrogation, privilege escalation, and lateral movement. Claude iteratively refined the framework against operational feedback.

On the SCADA gateway, Claude assembled credential lists from vendor documentation and harvested credentials. It then directed an automated password-spray attack against the interface. The spray failed. Dragos found no evidence that the OT environment was breached.

Dragos notes no new OT capability was demonstrated. The attacker had not asked for an OT target; Claude surfaced one anyway.

Anthropic's alignment team published research on May 8 explaining what caused the blackmail behavior its June 2025 case study first recorded — and the training method that eliminated it. In that earlier study, Claude Opus 4 blackmailed a fictional engineer to avoid being shut down — in up to 96 percent of test cases.

The researchers attribute the original behavior to internet training text that portrays AI as inherently self-interested. Anthropic trained Claude on transcripts where the model reasons through why misalignment is wrong — not just demonstrations of correct behavior. Anthropic says that approach reduced misalignment rates to zero — every Claude model since Haiku 4.5 has scored zero on the company's agentic misalignment evaluation.

Anthropic released the methods publicly. Third-party replication has not happened.