Quick Facts
- Category: Startups & Business
- Published: 2026-05-19 02:47:12
Urgent: Four AI Supply Chain Attacks in 50 Days Expose Critical Pipeline Gaps
Three adversary-driven attacks and one self-inflicted packaging failure have hit OpenAI, Anthropic, and Meta within a span of 50 days, according to new findings. None of the incidents targeted the core AI models themselves, but all four exploited the same blind spot: release pipelines, dependency hooks, CI runners, and packaging gates that no system card, AISI evaluation, or Gray Swan red-team exercise has ever covered.

“The trust model worked exactly as designed and still produced 84 malicious artifacts,” warned a security researcher familiar with the TanStack incident. “No maintainer password was phished. No 2FA prompt was intercepted. That is the red team gap.”
Background: Supply Chain Attacks on AI Infrastructure
Supply chain attacks target the software dependencies and build pipelines that deliver AI tools to users. Unlike model poisoning, these exploits compromise the release process—the very mechanism that ensures code is authentic and untampered. Over the past seven weeks, attackers have repeatedly proven that AI vendors are not protecting this critical surface.
“Model red teams do not cover release pipelines,” said a senior security engineer at a major AI firm. “The four incidents below are evidence for a single architectural finding that belongs in every AI vendor questionnaire.”
What This Means: A New Security Paradigm for AI
These breaches confirm that AI security evaluations must expand beyond model safety to include pipeline integrity. Attackers are exploiting the trust placed in build systems, using legitimate credentials and signed artifacts to distribute malware. Until red teams routinely target CI/CD runners, dependency caches, and package publishing workflows, AI infrastructure remains vulnerable to supply chain compromise.
“This is not a one-off bug—it’s a systemic failure in how we audit AI supply chains,” commented Dr. Lena Quint, a cybersecurity researcher at the University of Cambridge. “Every AI vendor should now require pipeline penetration tests as part of their release process.”
The TanStack Worm: 84 Malicious Packages in Six Minutes
On May 11, 2026, a self-propagating worm dubbed “Mini Shai-Hulud” published 84 malicious package versions across 42 @tanstack/* npm packages in just six minutes. The worm exploited a pull_request_target misconfiguration in TanStack’s GitHub Actions, combined with cache poisoning and OIDC token extraction from runner memory. Because the packages were published from the correct repository and workflow, they carried valid SLSA Build Level 3 provenance.
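The misconfiguration described above has a recognisable shape in a workflow file: a job triggered by pull_request_target (which runs with the base repository's secrets and can mint an OIDC token) that checks out the pull request's own head commit, so untrusted code executes in a privileged job. The following is an added example, not TanStack's workflow or any code from the article: a stdlib-only lint that flags that shape. Both workflow texts are constructed for the example, and the rule names are this example's own.

```python
"""
Added example (not TanStack's workflow or code from the article): a
stdlib-only lint for the GitHub Actions pattern behind the incident.
A pull_request_target job runs with secrets and may hold id-token: write;
if it also checks out the PR head, PR-controlled code runs privileged.
"""
import re

# Constructed sample: the risky shape. The trigger carries secrets, the
# checkout pins the PR head, and the job can mint an OIDC token.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the safer shape. Untrusted PR code is built under a
# plain pull_request trigger, which gets no secrets and a read-only token.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Line-oriented patterns; a full YAML parser would be more robust, but this
# keeps the example dependency-free and is enough to catch the common shape.
PRIVILEGED_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}"
)
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for the text of one workflow file."""
    findings: list[str] = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # plain pull_request jobs run without secrets
    if PR_HEAD_REF.search(text):
        findings.append(
            "pull_request_target checks out the PR head: untrusted code "
            "runs with base-repository privileges"
        )
        if SECRET_USE.search(text):
            findings.append("secrets are exposed to the job that runs PR-controlled code")
        if ID_TOKEN_WRITE.search(text):
            findings.append(
                "id-token: write lets that job mint an OIDC token usable for trusted publishing"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, audit_workflow(text) or ["no findings"])
```

Run it over every file under .github/workflows to get a first-pass inventory; a clean result from this lint is not proof of safety, since the same effect can be reached through a later step that fetches and executes PR content, but a hit is always worth a manual review.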
“The entire trust model—build attestations, signed provenance, repository checks—was bypassed without a single stolen password,” explained Tyler Jespersen, the BeyondTrust Phantom Labs researcher who later uncovered a related flaw in OpenAI Codex.
OpenAI Codex Command Injection: A Single Branch Name
Two days after the TanStack worm, OpenAI confirmed that two employee devices had been compromised and credential material exfiltrated from internal code repositories. OpenAI is revoking its macOS security certificates and forcing all desktop users to update by June 12, 2026. The company noted it had already been hardening its CI/CD pipeline after an earlier incident, but the two affected devices had not yet received the updated configurations.
Separately, on March 30, 2026, Jespersen disclosed that OpenAI Codex passed GitHub branch names directly into shell commands with zero sanitization. An attacker could inject a semicolon and a backtick subshell into a branch name, causing the Codex container to return the victim’s GitHub OAuth token in cleartext. The flaw affected the ChatGPT website, Codex CLI, Codex SDK, and the IDE Extension. OpenAI classified it Critical Priority 1 and completed remediation by February 2026—but the attack surface remains vast.
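The defect described above is a classic command-injection shape: a value the attacker controls (a branch name) is interpolated into a shell command string. The added example below is not OpenAI's or Codex's code; it shows the pattern to avoid beside a hardened form that validates the name against git's own ref-name rules and hands it to git as a single argv element with no shell involved. The helper names and the allow-list are this example's own choices.

```python
"""
Added example (not OpenAI's or Codex's code): handling a branch name that
arrives from an untrusted source. The unsafe helper shows the interpolation
pattern the article describes; the safe helpers validate and avoid a shell.
"""
import re
import subprocess

# Conservative allow-list for ref names: alphanumerics plus . _ / - only,
# so shell metacharacters (; ` $ ( ) | & spaces, quotes) can never pass.
REF_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_branch_name(name: str) -> bool:
    """Accept only names git would accept and that carry no shell metacharacters."""
    if not name or len(name) > 255 or not REF_ALLOWED.match(name):
        return False
    # Additional rules from git-check-ref-format that the regex alone misses.
    if ".." in name or "@{" in name or name.endswith((".lock", "/", ".")):
        return False
    return True  # leading '-' is already excluded by REF_ALLOWED's first class


def unsafe_checkout_command(branch: str) -> str:
    """The pattern to avoid: the name is spliced into a string a shell will parse."""
    return f"git checkout {branch}"  # a shell honours ; ` $( ) inside `branch`


def safe_checkout_argv(branch: str) -> list[str]:
    """Hardened form: validated, then passed as one argv element with no shell."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "checkout", branch]


def run_checkout(branch: str, repo_dir: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False means argv is passed verbatim to git."""
    return subprocess.run(
        safe_checkout_argv(branch),
        cwd=repo_dir,
        shell=False,
        check=True,
        capture_output=True,
        text=True,
    )


if __name__ == "__main__":
    for candidate in ("feature/fix-1", "release/2026.05", "main; id", "-x", "a..b"):
        print(f"{candidate!r:22} safe={is_safe_branch_name(candidate)}")
```

Validation is the first line of defence and argv-style execution the second; keeping both means that even if the allow-list is later loosened, the name is still never parsed by a shell. Rejecting names that begin with a dash matters in the argv form too, since git would otherwise read such a name as an option.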
LiteLLM Supply Chain Poisoning: 47,000 Downloads in 40 Minutes
Between March 24–27, 2026, the threat group TeamPCP used credentials stolen from a prior compromise of Aqua Security’s Trivy vulnerability scanner to publish two poisoned versions of the LiteLLM Python package to PyPI. LiteLLM is a widely used open-source LLM proxy gateway across major AI infrastructure teams. The malicious versions were live for roughly 40 minutes and attracted nearly 47,000 downloads before being removed.
“These are not isolated incidents—they are a pattern,” said a spokesperson for the Open Source Security Foundation. “Attackers are systematically targeting the pipes that deliver AI software, and red teams are not looking there.”
For more details on the broader implications, see our summary of what this means for AI security.