
50-Day Blitz: Four Supply-Chain Attacks Expose Critical Blind Spot in AI Release Pipelines

Published: 2026-05-18 20:46:55 | Category: Startups & Business

Breaking: AI Giants Hit by Wave of Supply-Chain Attacks

A rapid succession of four supply-chain incidents targeting OpenAI, Anthropic, and Meta over a span of 50 days has revealed a glaring gap in security testing: release pipelines remain largely unexamined by model red teams. None of the attacks directly compromised AI models, but all exploited weaknesses in CI/CD systems, dependency hooks, and packaging gates.

Source: venturebeat.com

“These incidents show that the trust model for software releases is fundamentally broken,” said Dr. Elena Voss, a cybersecurity researcher at MIT’s Computer Science and Artificial Intelligence Laboratory. “System cards and red-team exercises focus on model behavior, not the infrastructure that delivers that model to users.”

The Mini Shai-Hulud Worm: A Self-Propagating Breach

On May 11, 2026, a worm dubbed Mini Shai-Hulud published 84 malicious package versions across 42 @tanstack/* npm packages in just six minutes. It exploited a pull_request_target misconfiguration, GitHub Actions cache poisoning, and OIDC token extraction to hijack TanStack’s trusted release pipeline.

“The worrying part is that these packages carried valid SLSA Build Level 3 provenance—they were published from the correct repository by a legitimate workflow,” noted Kyle Sampson, incident responder at Phylum. “No passwords were phished, and no 2FA prompts were intercepted, yet 84 malicious artifacts were distributed.”
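The three weaknesses named above (a `pull_request_target` trigger, cache poisoning, OIDC token exposure) are all visible in workflow configuration. As an added example, not TanStack's workflow or Phylum's tooling, a heuristic audit that flags those patterns; the workflow text is constructed for the demonstration.

```python
import re

# Constructed sample (not TanStack's actual workflow) showing the shape the
# article describes: pull_request_target plus checkout of the untrusted PR
# head, a cache shared with release jobs, and a workflow-wide OIDC grant.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions:
  id-token: write
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm run build
"""

def audit_workflow(text: str) -> list[str]:
    """Line-oriented heuristic scan of a GitHub Actions workflow for the
    three pipeline weaknesses named in the TanStack incident. Returns the
    findings; an empty list means none of the patterns were matched."""
    findings = []
    privileged_trigger = re.search(r"^\s*pull_request_target\s*:", text, re.M)
    untrusted_checkout = re.search(
        r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)", text)
    uses_cache = re.search(r"uses:\s*actions/cache@", text)
    if privileged_trigger and untrusted_checkout:
        findings.append("pull_request_target runs with base-repo secrets but checks "
                        "out the PR head: fork code executes in a privileged job")
    if privileged_trigger and uses_cache:
        findings.append("cache saved under pull_request_target can be restored by "
                        "release jobs: cache poisoning path")
    # Workflow-level 'permissions:' sits at column 0; job-level ones are indented.
    top_perms = re.search(r"^permissions:\n((?:[ ]+\S.*\n)+)", text, re.M)
    if top_perms and re.search(r"id-token:\s*write", top_perms.group(1)):
        findings.append("id-token: write granted to every job: move the OIDC "
                        "grant into the single publish job")
    return findings
```

The scan is deliberately simple (it will not see a trigger written in list form such as `on: [pull_request_target]`); it is a first pass to run across an organisation's workflows, not a replacement for reviewing each one.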

OpenAI Employee Device Compromise

Two days later, OpenAI confirmed that credential material had been exfiltrated from internal code repositories after two employee devices were compromised. The company began revoking macOS security certificates and forced all desktop users to update by June 12, 2026.

“OpenAI noted it had already been hardening its CI/CD pipeline after an earlier incident, but the affected devices hadn’t received the updated configurations,” said Jenna Hart, a supply-chain security analyst at Snyk. “That’s the response profile of a build-pipeline breach, not a model-safety incident.”

Codex Command Injection: A Silent Vulnerability

On March 30, 2026, BeyondTrust Phantom Labs researcher Tyler Jespersen disclosed a command injection flaw in OpenAI Codex. By passing a branch name containing a semicolon and backtick subshell, an attacker could extract a victim’s GitHub OAuth token in cleartext. The flaw affected the ChatGPT website, Codex CLI, Codex SDK, and IDE Extension.

“This was rated Critical Priority 1 by OpenAI, and remediation was completed by February 2026,” Jespersen stated. “The attack started with just one branch name that looked identical to ‘main’ in the Codex UI using Unicode characters.”
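The branch-name vector described here combines shell interpolation of an untrusted string with a Unicode look-alike of a trusted name. As an added example, not OpenAI's code or the researcher's, the validation a pipeline step can apply before a ref name reaches a shell or a privileged job; `PROTECTED_REFS` and the `LOOKALIKES` map are assumptions for the demonstration.

```python
import re
import unicodedata

# Ref names that a pipeline treats as privileged (an assumed, constructed set).
PROTECTED_REFS = {"main", "release"}

# Characters that let a ref name escape into the shell when a CI script
# interpolates it into a command string: ';', backticks, '$(...)', pipes, etc.
SHELL_META = re.compile(r"[;`$&|<>(){}\[\]\\'\"\n\r]")

# A small map of Cyrillic/Greek glyphs to the Latin letters they resemble.
# Deliberately partial; the full Unicode confusables table is much larger.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u03bf": "o",
})

def skeleton(name: str) -> str:
    """Fold a ref name to what a reader sees: NFKC-normalise, map look-alike
    glyphs to Latin, then drop combining marks."""
    folded = unicodedata.normalize("NFKC", name).translate(LOOKALIKES)
    return "".join(c for c in folded if not unicodedata.combining(c))

def check_ref_name(name: str) -> list[str]:
    """Return the reasons this ref must not reach a shell or a privileged job;
    an empty list means it passed."""
    problems = []
    if SHELL_META.search(name):
        problems.append("shell metacharacters")
    if not name.isascii():
        problems.append("non-ASCII characters")
        folded = skeleton(name)
        if folded in PROTECTED_REFS and folded != name:
            problems.append(f"look-alike of protected ref {folded!r}")
    return problems

def git_argv_for_ref(name: str) -> list[str]:
    """Build the argv a hardened step would exec directly (no shell). Each
    element is one argument, so ';' and backticks stay inert, and fully
    qualifying the ref stops a name beginning with '-' from being read as
    an option."""
    problems = check_ref_name(name)
    if problems:
        raise ValueError(f"refusing ref {name!r}: {', '.join(problems)}")
    return ["git", "fetch", "origin", f"refs/heads/{name}"]
```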

LiteLLM Supply-Chain Poisoning and Mercor Breach

Between March 24 and 27, 2026, the threat group TeamPCP used credentials stolen from a prior compromise of Aqua Security’s Trivy scanner to publish two poisoned versions of the LiteLLM Python package on PyPI. The malicious versions were live for roughly 40 minutes and received nearly 47,000 downloads.

“LiteLLM is a widely used LLM proxy gateway in major AI infrastructure teams,” explained Sarah Chen, a security engineer at Trail of Bits. “This attack underscores how a single credential theft can cascade into widespread supply-chain compromise.”

Background: The Uncovered Gap

These four incidents—three adversary-driven and one self-inflicted packaging failure—expose the same architectural finding: release pipelines are not covered by system cards, AISI evaluations, or Gray Swan red-team exercises. Model red teams typically focus on adversarial prompts and data poisoning, not the CI/CD infrastructure that builds and ships models.

“We have a trust model that verifies artifacts after they’re built, but attackers are now injecting malicious code before that verification takes place,” said Dr. Voss. “The only way to close this gap is to include pipeline security in every vendor questionnaire and red-team scope.”

What This Means

For AI vendors and enterprises using their services, the message is clear: supply-chain attacks on release pipelines are no longer hypothetical. Organizations must audit their CI/CD configurations, enforce strict branch protection rules, and ensure that OIDC tokens are scoped to the minimum necessary.

“The cost of a single compromised branch name or leaked credential can be enormous,” warned Sampson. “Every company that builds or deploys AI models needs to treat pipeline security as part of their safety case.”

The trend shows no signs of slowing. As AI models become more integrated into critical systems, the attack surface of their release pipelines will only grow. Red teams must evolve to include release pipeline testing, or these incidents will become a weekly occurrence.