Supply-chain incidents have been plaguing OpenAI, Anthropic, and Meta, with four notable incidents occurring within a span of 50 days: three adversary-driven attacks and one self-inflicted packaging failure. Notably, none of them targeted the models themselves. Instead, they exposed weaknesses in release pipelines, dependency hooks, CI runners, and packaging gates, none of which are covered by model-level safety measures such as system cards, AISI evaluations, or Gray Swan red-team exercises.
One of the most significant incidents occurred on May 11, 2026, when a self-propagating worm named Mini Shai-Hulud unleashed 84 malicious package versions across 42 npm packages within a mere six minutes. The worm combined GitHub Actions cache poisoning with OIDC token extraction to hijack TanStack’s trusted release pipeline. Alarmingly, the malicious packages carried valid SLSA Build Level 3 provenance: they were published from the correct repository using legitimate credentials, so provenance attestation alone could not distinguish them from genuine releases, a significant gap in existing security protocols.
Following this incident, OpenAI confirmed that two employee devices were compromised, leading to the exfiltration of credential material from internal repositories. In response, OpenAI revoked its macOS security certificates and required all desktop users to update their systems by a specified deadline. This breach underscored the importance of securing the entire build pipeline rather than focusing on model safety alone.
The series of incidents revealed a critical architectural flaw that is often overlooked in AI security assessments: the lack of emphasis on securing release pipelines. The incidents ranged from a command injection vulnerability in OpenAI’s Codex to a supply-chain poisoning attack on LiteLLM that cascaded into a breach at Mercor, impacting various industry players.
To address these vulnerabilities, security experts proposed a matrix outlining key areas of concern in AI supply-chain security, including CI runner trust boundaries, OIDC token scoping, dependency lifecycle hooks, and registry publish gates. By implementing technical mitigations such as auditing repositories for these weaknesses, enforcing secure publishing practices, and improving maintainer credential hygiene, organizations can bolster their defenses against supply-chain attacks.
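As an added example (not from the original article or from any of the projects named), the following Python audits the dependency lifecycle hook area from the matrix above: it flags npm manifests that declare install-time hooks, checks whether a project-level .npmrc disables them with ignore-scripts=true, and lists lockfile entries that lack an integrity hash. All manifests, the lockfile and the .npmrc content are constructed samples.

```python
"""Audit npm manifests for install-time lifecycle hooks and check the .npmrc
and lockfile settings that limit what a poisoned dependency can do."""
import json

# Scripts npm runs automatically during `npm install` / `npm ci`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests (not real packages): one benign, one with a hook
SAMPLE_MANIFESTS = {
    "good-lib": json.dumps({"name": "good-lib", "version": "1.4.2",
                            "scripts": {"test": "node test.js"}}),
    "hooked-lib": json.dumps({"name": "hooked-lib", "version": "2.0.1",
                              "scripts": {"postinstall": "node setup.js",
                                          "build": "tsc"}}),
}

# Constructed package-lock.json (lockfileVersion 3 layout); one entry lacks integrity
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "sample-app", "version": "0.1.0"},
    "node_modules/good-lib": {"version": "1.4.2",
        "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-1.4.2.tgz",
        "integrity": "sha512-PLACEHOLDER"},
    "node_modules/hooked-lib": {"version": "2.0.1",
        "resolved": "https://registry.npmjs.org/hooked-lib/-/hooked-lib-2.0.1.tgz"},
}})

def find_install_hooks(manifest_json: str) -> dict:
    """Return {hook: command} for every install-time hook a package.json declares."""
    scripts = json.loads(manifest_json).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def audit_manifests(manifests: dict) -> list:
    """One finding per package that would execute code during dependency install."""
    findings = []
    for name, raw in manifests.items():
        hooks = find_install_hooks(raw)
        if hooks:
            findings.append({"package": name, "hooks": hooks})
    return findings

def npmrc_blocks_scripts(npmrc_text: str) -> bool:
    """True if .npmrc sets ignore-scripts=true, so lifecycle hooks never run."""
    for line in npmrc_text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")  # drop comments
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False

def lockfile_entries_without_integrity(lock_json: str) -> list:
    """Entries with no integrity hash cannot be verified against the tarball at install."""
    packages = json.loads(lock_json).get("packages", {})
    return sorted(p for p, meta in packages.items() if p and "integrity" not in meta)
```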
In conclusion, the recent spate of supply-chain incidents highlights the need for a holistic approach to AI security that encompasses not only model evaluations but also robust security measures in release pipelines. By proactively identifying and addressing workflow gaps, organizations can mitigate the risk of future attacks and safeguard their AI systems effectively.
