Four major AI companies faced supply-chain attacks within 50 days, exposing a critical blind spot in how the industry secures its release infrastructure.

Between May and June 2026, companies including OpenAI, Anthropic, and Meta each experienced breaches. Three involved external adversaries; one was self-inflicted. None targeted the models themselves. Every incident instead ran through the same class of weakness: release pipelines, dependency management, CI/CD runners, and packaging gates that nobody monitors as a security boundary and that fall outside the scope of standard AI safety practice.

The gap is stark. Red-team exercises, system cards, and regulatory evaluations such as those run by AISI assess model behavior and outputs. None of them covers the infrastructure that actually ships those models to users. That omission matters: a compromised package-registry account or a hijacked CI runner can push malicious code into millions of installations without triggering a single safety evaluation, because nothing about the model itself has changed.

The most notable incident was a self-propagating worm named Mini Shai-Hulud, which on May 11 published 84 malicious package versions across 42 npm packages in the @tanstack/* namespace. The malicious versions carried valid provenance attestations, so defenders could not spot them as fraudulent at a glance. That is not a failure of the signatures themselves: provenance attests that a package was built by a particular workflow from a particular repository, not that the code is benign, so whoever controls the publishing workflow or its credentials obtains a genuinely valid attestation for a malicious build. The worm spread through dependency chains and CI/CD automation, showing that signing and provenance on their own are necessary controls but not sufficient ones.

The pattern repeats. Attackers do not need to compromise model weights or inference code; they target the plumbing. A poisoned dependency version is pulled into a build, typically through a floating version range or an automated update, and the next release carries it downstream. By the time a human reviewer notices, it has spread across multiple products and organizations.
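The dependency-chain propagation described above can be checked mechanically from a lockfile. The script below is an added example, not code from the original article or from any project it names: it parses an npm package-lock.json (lockfileVersion 3), reproduces npm's nested-then-hoisted module resolution, and reports every chain from a direct dependency down to a known-bad name@version, plus any direct dependency declared with a floating range rather than an exact pin. The lockfile, the @example-scope/* package names, and the bad-version list are constructed for this example and do not correspond to real packages or real advisories.

```python
"""Blast-radius check for a poisoned npm dependency (added example)."""
import json
import re
from typing import Dict, List, Set, Tuple

# CONSTRUCTED sample lockfile (npm lockfileVersion 3). The @example-scope/*
# names and every version here are made up for the example.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": {
        "@example-scope/client": "^2.1.0",
        "leftpad-shim": "1.0.4"
      }
    },
    "node_modules/@example-scope/client": {
      "version": "2.1.3",
      "dependencies": { "@example-scope/core": "^2.1.0" }
    },
    "node_modules/@example-scope/core": {
      "version": "2.1.3",
      "dependencies": { "tiny-util": "^1.0.0" }
    },
    "node_modules/tiny-util": { "version": "1.0.2" },
    "node_modules/leftpad-shim": {
      "version": "1.0.4",
      "dependencies": { "tiny-util": "^0.9.0" }
    },
    "node_modules/leftpad-shim/node_modules/tiny-util": { "version": "0.9.9" }
  }
}
""")

# CONSTRUCTED indicator list: (name, version) pairs an advisory would give you.
BAD_VERSIONS: Set[Tuple[str, str]] = {("@example-scope/core", "2.1.3")}

# An exact semver pin: "1.2.3" or "1.2.3-beta.1", nothing with ^ ~ * > x.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names kept whole)."""
    return path.split("node_modules/")[-1]


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> str:
    """Mimic Node resolution inside the lockfile: look for the dependency nested
    under the requiring package first, then walk up one node_modules level at a
    time to the hoisted copy. Returns the lockfile key, or '' if not installed."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return ""  # e.g. an optional or peer dependency that was not installed
        # Drop the innermost "/node_modules/<name>" segment to move one level up.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def poisoned_chains(lock: dict, bad: Set[Tuple[str, str]]) -> List[List[str]]:
    """Every dependency chain, starting at a direct dependency of the root
    project, that ends in a known-bad name@version."""
    packages = lock["packages"]
    chains: List[List[str]] = []

    def walk(path: str, trail: List[str], seen: Set[str]) -> None:
        entry = packages[path]
        name, version = package_name(path), entry["version"]
        trail = trail + [f"{name}@{version}"]
        if (name, version) in bad:
            chains.append(trail)
        for dep in entry.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target and target not in seen:  # 'seen' guards against cycles
                walk(target, trail, seen | {target})

    for section in ("dependencies", "devDependencies"):
        for dep in packages[""].get(section, {}):
            target = resolve(packages, "", dep)
            if target:
                walk(target, [], {target})
    return chains


def floating_direct_deps(lock: dict) -> List[str]:
    """Direct dependencies declared with a range instead of an exact version.
    A range plus an automated update is how a freshly published malicious
    version walks into the next build without anyone choosing it."""
    root = lock["packages"][""]
    return [
        f"{name}: {spec}"
        for section in ("dependencies", "devDependencies")
        for name, spec in root.get(section, {}).items()
        if not EXACT_VERSION.match(spec)
    ]


if __name__ == "__main__":
    for chain in poisoned_chains(SAMPLE_LOCK, BAD_VERSIONS):
        print("poisoned chain:", " -> ".join(chain))
    for item in floating_direct_deps(SAMPLE_LOCK):
        print("floating range:", item)
```

To run it against a real project, replace SAMPLE_LOCK with the parsed package-lock.json and BAD_VERSIONS with the indicators from the advisory you are responding to. The nested resolution matters: in the sample, tiny-util@0.9.9 is only reachable through leftpad-shim, while the hoisted tiny-util@1.0.2 is what @example-scope/core sees, so a flat grep of the lockfile would misattribute which chain carries a bad version. This check complements rather than replaces `npm audit signatures`, which verifies registry signatures and provenance attestations: a malicious version shipped with a valid attestation passes that check and is caught here only because its name and version are already known to be bad.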

Current safety frameworks assume the model itself is the attack surface and miss that supply chains are asymmetric: one developer mistake or one stolen credential in the packaging pipeline reaches millions of downloads before anyone detects it. A model's behavior can be tested. A