Trust is the objective: the emerging supply-chain attacks in the AI era.
Hackers are no longer forcibly breaking in; they are simply walking through doors we leave open for them. Recent events have made this shift very clear. Two significant campaigns have demonstrated that the tools developers rely on the most—open-source code and AI tools—have now become the easiest avenues for attacks.
1,000 compromised packages
The first incident involves a group known as TeamPCP. In less than four months, they have infiltrated over 1,000 open-source software packages with malicious code, according to CyberScoop. What began with a single tool in February has continued with little slowdown.
The strategy is simple, and that’s the crucial point. Many companies automatically incorporate code and seldom verify its safety. TeamPCP exploits this blind trust. Collectively, these compromised packages accumulate about 500 million downloads each week.
The identified victims include notable names: Bitwarden, Red Hat, SAP, PyTorch Lightning, and even GitHub itself. Nonetheless, the group doesn’t appear to be motivated by financial gain, having only earned around $90,000 through extortion. One security firm currently estimates that there is about a 1-in-10 probability that any package an organization installs could activate an attack.
AI exacerbates the problem
AI is intensifying this issue. Developers traditionally reviewed their dependencies before adding them, if not always carefully. Now, coding agents autonomously install packages, often without human oversight. “In some cases, there’s virtually no human involvement,” said Socket’s Feross Aboukhadijeh to CyberScoop.
These same agents are also targets. Researchers have demonstrated that a fraudulent bug report could hijack an AI coding agent and compel it to execute an attacker’s commands. Self-replicating worms are already spreading through code repositories, and a compromised editor extension recently allowed attackers to extract thousands of GitHub repositories.
Even Claude has been weaponized
The second campaign is more insidious. Hackers have turned Anthropic’s Claude against its users, exploiting the “Shared Chats” feature that allows individuals to share public links to past conversations.
Here’s the method employed: The attackers created fake “Apple Support” chats on claude.ai, instructing macOS developers to run a command in their Terminal. They then purchased Google ads targeting searches like “Claude Code on Mac” to direct victims to these links. Because the URLs were on Claude’s trusted domain, they appeared secure.
Trend Micro identified over 2,000 victims, mostly from the Asia-Pacific region. Anthropic has since suspended the accounts associated with the activity and disabled the offending conversations.
The significance
The common thread connecting these incidents is trust. Attackers no longer require complex exploits; they merely need to leverage something that you already trust: a package registry, a coding agent, or a familiar domain. As one industry report expressed, “legitimate” does not equate to “safe.”
This presents a challenging reset for the industry. It necessitates vigilance not just regarding downloaded files, but also concerning the tools people rely on. It calls for treating a package installation as equivalent to executing code and considering an AI agent akin to a user account. The web did not break this week; it simply functioned exactly as intended, which could prove to be the more difficult issue to address.