
Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering

Four supply-chain incidents hit OpenAI, Anthropic, and Meta within a span of just 50 days: three adversary-driven attacks and one self-inflicted packaging failure. Together they expose a gap in how AI vendors assess risk: release pipelines, dependency hooks, CI runners, and packaging gates are not covered by system cards, AISI evaluations, or Gray Swan red-team exercises, all of which target the model rather than the path by which its software ships.

The first incident occurred on May 11, 2026, when a self-propagating worm known as Mini Shai-Hulud infiltrated TanStack's trusted release pipeline and published 84 malicious package versions across 42 @tanstack/* npm packages in a matter of minutes. The packages carried valid SLSA Build Level 3 provenance, and that is the uncomfortable part: provenance attests that a package was built by the named workflow on the named builder, and these packages were. It cannot say whether the workflow itself had already been subverted. Here the attacker got into the pipeline through a pull_request_target misconfiguration and GitHub Actions cache poisoning, so the legitimate release workflow built and signed the attacker's output.
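The chain named above, pull_request_target plus cache poisoning, is a known GitHub Actions pattern, and the fix is a workflow change rather than a new signing scheme. The following is an added illustration, not TanStack's actual workflows: a CI workflow that runs fork pull requests in the base repository's context and saves a dependency cache, a release workflow that restores that cache before publishing, and hardened versions of both. Workflow names, cache keys, paths and the `npm-release` environment are placeholders I chose for the example.

```yaml
# .github/workflows/ci.yml (BEFORE)
# pull_request_target runs with the BASE repository's secrets and token, and
# its github.ref is the base branch, so any cache it saves is scoped to that
# branch and readable by later runs on it (including the release run below).
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # checks out FORK code into the trusted context
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}  # same key the release job computes
      - run: npm ci && npm test   # lifecycle hooks from the PR run here; on a cache miss,
                                   # whatever they leave in node_modules is saved under that key
---
# .github/workflows/release.yml (BEFORE)
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4        # restores the base-branch cache the CI job may have seeded
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm run build            # builds against untrusted node_modules...
      - run: npm publish --provenance # ...and attaches valid SLSA provenance to the result
---
# .github/workflows/ci.yml (AFTER)
# pull_request runs in the fork's context: no secrets, read-only token, and
# caches scoped to the PR ref, which the base branch cannot restore.
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # in practice pin to a full commit SHA, not a tag
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts     # no dependency lifecycle hooks for untrusted PRs
      - run: npm test
---
# .github/workflows/release.yml (AFTER)
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write                        # needed for npm --provenance
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release             # placeholder: a protected environment gating the publish step
    steps:
      - uses: actions/checkout@v4        # pin to a full commit SHA in practice
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts     # fresh, hook-free install; no cache restore in the release job
      - run: npm run build
      - run: npm publish --provenance
```

Two caveats. `actions/cache` only saves on a miss for the exact key, so seeding a key the release job will compute depends on the attacker influencing that key or waiting for the existing entry to expire; treating any cache restored into a release job as untrusted removes the question entirely. And `--ignore-scripts` will break dependencies that rely on install-time builds; if you need them, run those specific builds explicitly rather than reopening all hooks.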

Two days later, OpenAI confirmed that two employee devices had been compromised and that credential material had been exfiltrated from internal code repositories. In response, OpenAI announced it would revoke its macOS security certificates and require all desktop users to update by June 12, 2026.

Taken together, the incidents at OpenAI, Anthropic, and Meta point to one architectural finding: model red teams do not cover release pipelines. A program that evaluates only the model leaves the build, packaging, and publishing path, which is where every one of these incidents happened, unexamined.

Each incident exposed a different weakness. From a command injection vulnerability in OpenAI Codex to a supply-chain poisoning attack on LiteLLM that led to a breach at Mercor, the failures spanned the range of threats AI companies now face, and none of them involved the model's weights or behaviour.

In response to these incidents, OpenAI launched Daybreak, a cybersecurity initiative built on GPT-5.5 and GPT-5.5-Cyber and aimed at red teaming, penetration testing, and vulnerability discovery. The subsequent attack on OpenAI by the TanStack worm, however, showed that model-driven security tooling does not by itself close the gaps in release pipelines and CI/CD processes.

The security community and experts have emphasized the need for a more holistic approach to security that covers not only the AI models but also the entire release pipeline. The incidents serve as a stark reminder that modern supply-chain defenses are essential but not sufficient on their own. Proactive identification and closure of workflow gaps are crucial in mitigating the risks posed by sophisticated cyber threats like the Mini Shai-Hulud worm.

In conclusion, the recent supply-chain incidents at OpenAI, Anthropic, and Meta have shed light on the critical need for AI vendors to strengthen their release pipelines and security measures to protect against evolving cyber threats. By addressing the gaps in their security infrastructure and adopting a more comprehensive approach to security, AI companies can better safeguard their systems and data from malicious attacks.
