Scoopfeeds — Intelligent news, curated.
Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering
ai

Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering

VentureBeat AI · May 18, 2026, 5:16 PM · Also reported by 2 other sources

Why this matters: a development in AI with implications for how people work, create, and decide.

Four supply-chain incidents hit Open AI, Anthropic and Meta in 50 days: three adversary-driven attacks and one self-inflicted packaging failure. None targeted the model, and all four exposed the same gap: release pipelines, dependency hooks, CI runners, and packaging gates that no system card, AISI evaluation, or Gray Swan red-team exercise has ever scoped.On May 11, 2026, a self-propagating worm called Mini Shai-Hulud published 84 malicious package versions across 42 @tanstack/* npm packages in six minutes flat. The worm rode in on release.yml, chaining a pull_request_target misconfiguration, GitHub Actions cache poisoning, and OIDC token extraction from runner memory to hijack TanStack’s own trusted release pipeline. The packages carried valid SLSA Build Level 3 provenance because they were published from the correct repository, by the correct workflow, using a legitimately minted OIDC token. No maintainer password was phished. No 2FA prompt was intercepted.The trust model worked exactly as designed and still produced 84 malicious artifacts.Two days later, OpenAI confirmed that two employee devices were compromised and credential material was exfiltrated from internal code repositories. OpenAI is now revoking its macOS security certificates and forcing all desktop users to update by June 12, 2026. OpenAI noted that it had already been hardening its CI/CD pipeline after an earlier supply-chain incident, but the two affected devices had not yet received the updated configurations. That is the response profile of a build-pipeline breach, not a model-safety incident.Four incidents, one findingModel red teams do not cover release pipelines. The four incidents below are evidence for a single architectural finding that belongs in every AI vendor questionnaire.OpenAI Codex command injection (disclosed March 30, 2026). BeyondTrust Phantom Labs researcher Tyler Jespersen found that OpenAI Codex passed GitHub branch names directly into shell commands with zero sanitization. A

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

Also covered by

Hacker News What "Amazon Supply Chain Services" Tells Us About What Amazon Is Yahoo Finance More than 5,100 freight-related layoffs hit US supply chain sector

More in ai

TechCrunch AI
Anthropic has acquired the dev tools startup used by OpenAI, Google, and Cloudflare
MIT Technology Review
Roundtables: Inside the Musk v. Altman Trial
Wired
These 11 Automatic Cat Feeders Were the Best We Tested in 2026
Wired
Elon Musk Loses Landmark Lawsuit Against OpenAI
MIT Technology Review
What to expect from Google this week

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop