In a span of 50 days, OpenAI, Anthropic, and Meta were affected by four supply-chain incidents, comprising three attacks by adversaries and one internal packaging mishap. Remarkably, none of these incidents directly targeted the models themselves. Instead, they revealed vulnerabilities in release pipelines, dependency hooks, CI runners, and packaging gates—areas not previously assessed by any system card, AISI evaluation, or Gray Swan red-team exercise.
On May 11, 2026, a worm named Mini Shai-Hulud unleashed 84 malicious package versions across 42 @tanstack/* npm packages in a mere six minutes. This worm infiltrated via release.yml, exploiting a pull_request_target misconfiguration, GitHub Actions cache poisoning, and OIDC token retrieval from runner memory, thereby commandeering TanStack’s trusted release pipeline. The packages bore authentic SLSA Build Level 3 provenance because they were correctly published from the verified repository and workflow, with a valid OIDC token. Notably, no maintainer passwords were breached, nor were any 2FA prompts intercepted.
The security framework functioned as intended, yet still resulted in 84 malicious artifacts.
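The pwn-request pattern described above (a pull_request_target trigger that checks out the fork's head commit into the base-repo context, next to a cache key that is not tied to the commit) is cheap to audit mechanically. The script below is an added example written for this article, not TanStack's, StepSecurity's or any vendor's tooling; the workflow text it scans is constructed to resemble the misconfiguration and is not TanStack's real release.yml.

```python
"""Audit GitHub Actions workflow text for the pwn-request pattern: a
pull_request_target trigger combined with a checkout of the fork's head
commit, plus cache keys not pinned to a commit SHA.  Text-based on purpose
(no YAML library); a real audit would walk .github/workflows/ in every repo."""
import re

# Constructed sample resembling the misconfiguration (not TanStack's workflow).
RISKY_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ runner.os }}
      - run: pnpm install && pnpm build
"""
# Same file after the row-2 mitigations: plain pull_request trigger (fork PRs get
# no base-repo secrets) and a cache key that includes the commit SHA.
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target:", "pull_request:") \
    .replace("key: pnpm-${{ runner.os }}", "key: pnpm-${{ runner.os }}-${{ github.sha }}")

PRT_TRIGGER = re.compile(r"^on:.*\bpull_request_target\b|^\s*-?\s*pull_request_target:?\s*$", re.M)
FORK_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CACHE_KEY_LINE = re.compile(r"^\s*key:\s*(.+)$", re.M)

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means nothing flagged."""
    findings = []
    if PRT_TRIGGER.search(text):
        ref = FORK_HEAD_REF.search(text)
        if ref:
            findings.append(f"pull_request_target checks out fork head via {ref.group(0)}: "
                            "fork-controlled code runs with base-repo secrets and the OIDC token")
        else:
            findings.append("pull_request_target present: confirm no fork-controlled code executes")
    for key in CACHE_KEY_LINE.findall(text):
        if "github.sha" not in key:
            findings.append(f"cache key not pinned to commit SHA (poisonable): {key.strip()}")
    return findings

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```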
Two days later, OpenAI confirmed that two employee devices were compromised, leading to the extraction of credential material from internal code repositories. In response, OpenAI is revoking its macOS security certificates and mandating an update for all desktop users by June 12, 2026. The company noted that, while it had been strengthening its CI/CD pipeline following a previous supply-chain incident, the two affected devices had not yet been updated with the new configurations. This situation is indicative of a breach in the build pipeline, rather than a model safety issue.
Four Incidents, One Conclusion
Model red teams typically do not evaluate release pipelines. The incidents outlined below highlight a single architectural vulnerability that should be considered in any AI vendor questionnaire.
OpenAI Codex command injection (disclosed March 30, 2026). Researcher Tyler Jespersen from BeyondTrust Phantom Labs discovered that OpenAI Codex was passing GitHub branch names directly into shell commands without sanitization. This allowed attackers to inject semicolons and backtick subshells into branch names, causing the Codex container to execute them and expose the victim’s GitHub OAuth token in cleartext. The flaw affected multiple platforms, including the ChatGPT website, Codex CLI, SDK, and IDE Extension. OpenAI rated this flaw as Critical Priority 1 and addressed it by February 2026. The attack began with a single branch name, visually disguised as “main” in the Codex UI using Unicode characters.
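The fix for this class of flaw is two-fold: validate the branch name against a strict allowlist before it is used, and never hand it to a shell at all. The code below is an added example illustrating that pattern; it is not OpenAI's or Codex's code, and the allowlist is deliberately narrower than git's own check-ref-format rules.

```python
"""Branch-name handling for an agent that runs git on a user's behalf: a
vulnerable string-building form beside the hardened argv form."""
import re
import subprocess

# Strict allowlist: ASCII letters, digits, '.', '_', '-', '/', and the first
# character must be alphanumeric (so a leading '-' can never become a git
# option).  This alone rejects ';', backticks, '$(', whitespace and every
# non-ASCII confusable, e.g. a Cyrillic 'a' in "mаin" is not a Latin 'a'.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

def is_safe_branch_name(name: str) -> bool:
    if not _ALLOWED.fullmatch(name):
        return False
    # Remaining git refname rules the allowlist does not cover.
    if ".." in name or "//" in name or name.endswith((".lock", "/", ".")):
        return False
    return all(not part.startswith(".") for part in name.split("/"))

def vulnerable_checkout_command(branch: str) -> str:
    """The pattern the advisory describes: the untrusted name is interpolated
    into one command string that a shell will parse (do not do this)."""
    return f"git checkout {branch}"

def checkout_argv(branch: str) -> list[str]:
    """Hardened form: validated name, argv list, fully-qualified ref.  The
    refs/remotes/origin/ prefix also guarantees git never reads it as an option."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"refusing unsafe branch name: {branch!r}")
    return ["git", "checkout", "--detach", f"refs/remotes/origin/{branch}"]

def checkout(branch: str, repo_dir: str) -> None:
    """Run git with shell=False so no shell ever tokenizes the branch name."""
    subprocess.run(checkout_argv(branch), cwd=repo_dir, check=True, shell=False)

if __name__ == "__main__":
    for candidate in ("main", "feature/login-v2", "main; id", "m\u0430in", "--output=x"):
        print(f"{candidate!r:>22} -> {'ok' if is_safe_branch_name(candidate) else 'REJECT'}")
```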
LiteLLM supply-chain poisoning and Mercor breach (March 24–27, 2026). The threat group TeamPCP exploited credentials stolen during an earlier compromise of Aqua Security’s Trivy vulnerability scanner to release two contaminated versions of the LiteLLM Python package on PyPI. Widely used by major AI infrastructure teams, LiteLLM was downloaded nearly 47,000 times in just 40 minutes before PyPI quarantined the malicious versions.
This was sufficient to trigger a cascade effect impacting Mercor, a $10 billion AI data startup providing training data to Meta, OpenAI, and Anthropic. Four terabytes of data were exfiltrated, including proprietary training methodologies from Meta. As a result, Meta suspended their partnership indefinitely, leading to a class action within five days. A single compromised open-source dependency, active for just 40 minutes on PyPI, led to a widespread impact that no individual vendor’s model red team could have predicted.
Anthropic Claude Code source map leak (March 31, 2026). This incident was due to an internal error, not an attack. Anthropic’s release of Claude Code version 2.1.88 on npm unintentionally included a 59.8 MB source map file. It pointed to a zip archive on Anthropic’s Cloudflare R2 bucket containing 513,000 lines of unobfuscated TypeScript code, detailing agent orchestration, 44 feature flags, system prompts, and coordination architecture. This data was publicly accessible and downloadable without authentication. Security researcher Chaofan Shou identified and reported the leak within hours, prompting Anthropic to remove the package. Anthropic attributed the issue to a “human error” in release packaging. This was the second such leak in 13 months, caused by a missing line in .npmignore. No malicious actor was involved, but the gap in the release process was clear: there was no human review gate between the build artifact and registry publication.
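A missing .npmignore line is exactly the kind of mistake a mechanical gate between build and publish catches. The script below is an added example (not Anthropic's or npm's code) that reads the JSON printed by `npm pack --dry-run --json` (npm 7 or later) and refuses publication when a source map, an unexpected path, or an oversized unpacked tree appears; the sample JSON is constructed to resemble that output and is not captured from the Claude Code package.

```python
"""Pre-publish artifact gate: inspect the tarball contents npm is about to
publish and fail the build on source maps, unexpected paths or size blow-ups."""
import json

# Constructed sample shaped like `npm pack --dry-run --json` output, for a build
# that accidentally shipped a .map file and a local env file.
SAMPLE_PACK_JSON = json.dumps([{
    "name": "example-cli", "version": "1.0.0", "unpackedSize": 63_000_000,
    "files": [
        {"path": "package.json", "size": 1200},
        {"path": "dist/cli.js", "size": 2_900_000},
        {"path": "dist/cli.js.map", "size": 59_800_000},
        {"path": ".env.local", "size": 310},
    ],
}])

# Only these paths belong in a published artifact; everything else is a finding.
ALLOWED_PREFIXES = ("dist/", "package.json", "README.md", "LICENSE")
# File types that never belong in a registry artifact regardless of location.
BLOCKED_SUFFIXES = (".map", ".env", ".env.local", ".pem", ".key")

def gate_pack(pack_json: str, max_unpacked: int = 10_000_000) -> list[str]:
    """Return reasons to refuse publication; an empty list means the gate passes."""
    findings = []
    for pkg in json.loads(pack_json):
        # A 59.8 MB map next to a 2.9 MB bundle is a 20x jump; budget it explicitly.
        if pkg.get("unpackedSize", 0) > max_unpacked:
            findings.append(f"unpacked size {pkg['unpackedSize']} exceeds budget {max_unpacked}")
        for entry in pkg.get("files", []):
            path = entry["path"]
            if path.endswith(BLOCKED_SUFFIXES):
                findings.append(f"blocked file type in tarball: {path}")
            elif not path.startswith(ALLOWED_PREFIXES):
                findings.append(f"path outside publish allowlist: {path}")
    return findings

if __name__ == "__main__":
    # Real usage in CI: run npm in the package directory and gate on its output.
    import subprocess, sys
    out = subprocess.run(["npm", "pack", "--dry-run", "--json"],
                         capture_output=True, text=True, check=True).stdout
    problems = gate_pack(out)
    print("\n".join(problems) or "artifact OK")
    sys.exit(1 if problems else 0)
```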
TanStack worm and downstream spread (May 11–14, 2026). Wiz Research linked the Mini Shai-Hulud attack to TeamPCP with high certainty. StepSecurity detected the breach within 20 minutes. The worm rapidly spread beyond TanStack, affecting Mistral AI, UiPath, and over 160 packages. Mini Shai-Hulud even impersonated the Anthropic Claude GitHub App identity, authoring commits as “claude <claude@users.noreply.github.com>” to bypass code review.
These four incidents, spanning three frontier labs, all point to one conclusion: the red team’s scope ends at the model boundary, while the build pipeline resides beyond it.
Unexplained Timing by System Cards
On May 10, 2026, OpenAI introduced Daybreak, a cybersecurity initiative built on GPT-5.5 and a new model, GPT-5.5-Cyber, designed for authorized red teaming, penetration testing, and vulnerability identification. Daybreak collaborates with partners like Cisco, CrowdStrike, Akamai, Cloudflare, and Zscaler. OpenAI promoted the launch as evidence that advanced AI can favor defenders.
The very next day, the TanStack worm compromised two devices at OpenAI.
In its incident report, OpenAI acknowledged this gap. While the company had been enhancing its CI/CD pipeline after a prior Axios supply-chain attack, the two affected devices “had not received the updates needed to block the download.” Controls were in place, deployment was underway, but the worm struck first.
Security experts observed the same gap. Researcher @EnTr0pY_88 commented on X that the true indicator was the certificate rotation, not the stolen code: “Rotating certificates…is necessary when the breach extends to signing trust, beyond just source access.” @OpenMatter_ encapsulated the SLSA provenance issue succinctly: “If an attacker controls your CI runner, they control your attestations. Policy-based security is failing at scale.” @The_Calda highlighted the contradiction in the disclosure: “‘Limited impact’ yet the next sentence states ‘we’re rotating signing certs.’”
A company that launched a cybersecurity platform on a Sunday and disclosed a build-pipeline breach by Tuesday is not lacking in model safety. Instead, OpenAI is highlighting the precise gap this audit framework aims to address. The model and release-pipeline red teams operate in distinct fields; the four incidents within 50 days suggest that only one is consistently supported.
The VentureBeat Prescriptive Matrix
The matrix below identifies seven release-surface classes absent from AI vendor questionnaires, detailing the vendor affected, failure mechanism, detection gap, technical mitigation, and priority level for security teams to address before Q2 renewals.
For teams mapping these rows into existing GRC tools, rows 2, 3, and 5 align with NIST SSDF PS.1.1 (protecting code from unauthorized access and tampering). Row 4 corresponds to SSDF PS.2.1 (providing mechanisms to verify software release integrity). Row 6 partially aligns with SLSA Source Track requirements for verified contributor identity, although no current framework addresses upstream maintainer credential provenance. Row 7 remains unaddressed by any published framework, which is notable.
| Row | Release-surface class | Vendor hit | Failure mechanism | Detection gap | Technical mitigation | Priority |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Model capability evals (jailbreak, misuse, exfiltration) | All three (ongoing) | Covered. System cards, AISI Expert suite, Gray Swan currently assess this. | None. This row establishes the baseline. | Maintain the requirement for a system card at each renewal. | Baseline |
| 2 | CI runner trust boundary (pull_request_target) | TanStack; OpenAI downstream (May 11–14, 2026) | TanStack exposed by pwn-request using fork code in the base-repo context. Poisoned pnpm cache. Extracted OIDC token from runner memory. Two OpenAI employee devices compromised. | No system card addresses CI runner isolation. No AISI evaluation tests fork-to-base trust boundaries. | Audit all repositories for pull_request_target + fork SHA checkout. Prevent fork code from executing in base-repo context. Pin cache keys to commit SHA. | Immediate action |
| 3 | OIDC trusted-publisher + SLSA provenance | TanStack; OpenAI downstream (May 11, 2026) | TanStack generated valid SLSA Build Level 3 provenance for all 84 malicious packages. First npm worm with valid cryptographic attestation. | SLSA attestation verifies build origin, not intent. No vendor questionnaire differentiates the two. | Anchor trusted publisher to branch + workflow, not just repository. Implement behavioral analysis during installation. | Immediate action |
| 4 | Release packaging review (human gate before publish) | Anthropic (Mar 31, 2026) | Missing .npmignore resulted in 59.8 MB source map in Claude Code npm package. 513K lines disclosed, including agent logic, 44 feature flags, and system prompts. Second leak in 13 months. Self-inflicted, not adversary-driven. | No red-team exercise verifies artifact content before registry publication. | Implement human review between build and registry publication. Enforce .npmignore in CI. Halt build on unexpected artifact size. | Before renewal |
| 5 | Dependency lifecycle hooks (prepare, postinstall) | TanStack; OpenAI + downstream (May 11, 2026) | router_init.js executes upon import. tanstack_runner.js self-replicates using optionalDependencies prepare hook. Propagated to Mistral AI, UiPath, 160+ packages rapidly. | Lifecycle hooks operate before any scanner. Model evaluations do not assess package installation behavior. | Disable lifecycle scripts in CI by default. Implement explicit allowlist for production. Flag new optionalDependencies in PR reviews. Set minimumReleaseAge. | Immediate action |
| 6 | Vendor maintainer credential hygiene | Meta via Mercor (Mar 24–27, 2026) | TeamPCP acquired LiteLLM maintainer credential through previous Trivy compromise. Two tainted PyPI versions active for 40 minutes. Mercor cache contained Meta training methodology references. 4 TB exfiltrated. Meta paused the partnership. | Vendor questionnaires inquire about encryption and access control, not maintainer credential provenance for upstream dependencies. | Mandate hardware-key authentication for all maintainers pre-onboarding. Introduce package-manager cooldown. Conduct quarterly audits of the transitive dependency tree. | Include in vendor contract |
| 7 | Agent container input sanitization | OpenAI Codex (disclosed Mar 30, 2026) | BeyondTrust Phantom Labs injected shell commands via GitHub branch-name parameter. Obtained OAuth tokens from Codex container. Scalable across shared repositories. Rated Critical P1, patched Feb 2026. | Agent red teams assess prompt injection, not input-parameter injection at the container level. | Sanitize all external inputs prior to shell execution. Audit OAuth token scope and lifespan per agent session. Enforce least-privilege on every container. | Immediate action |
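Row 5 of the matrix asks reviewers to flag new optionalDependencies and to keep lifecycle scripts off in CI, the two channels the worm used to run on import and to self-replicate. The check below is an added example of that review step (not StepSecurity's or Snyk's tooling); the two package.json manifests and the .npmrc text are constructed samples.

```python
"""PR-review check for dependency lifecycle hooks: diff a pull request's
package.json against the base branch's and flag newly added or changed
lifecycle scripts and new dependency entries, with optionalDependencies
rated highest because they can pull in a prepare hook without failing the
install when absent."""
import json

LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall",
                     "prepare", "prepublish", "prepublishOnly"}

# Constructed manifests: the PR adds a prepare hook and an optional dependency.
BASE_MANIFEST = json.dumps({
    "name": "app", "version": "1.0.0",
    "scripts": {"build": "tsc", "test": "vitest"},
    "dependencies": {"@tanstack/react-query": "5.0.0"},
})
PR_MANIFEST = json.dumps({
    "name": "app", "version": "1.0.1",
    "scripts": {"build": "tsc", "test": "vitest", "prepare": "node scripts/setup.js"},
    "dependencies": {"@tanstack/react-query": "5.0.0"},
    "optionalDependencies": {"example-helper": "0.0.1"},
})

def review_manifest_diff(base_json: str, pr_json: str) -> list[str]:
    """Return review findings; an empty list means nothing hook-related changed."""
    base, pr = json.loads(base_json), json.loads(pr_json)
    findings = []
    base_scripts = base.get("scripts", {})
    for hook in sorted(LIFECYCLE_SCRIPTS & set(pr.get("scripts", {}))):
        if pr["scripts"][hook] != base_scripts.get(hook):
            findings.append(f"lifecycle script added/changed: {hook} -> {pr['scripts'][hook]!r}")
    for section in ("optionalDependencies", "dependencies", "devDependencies"):
        added = set(pr.get(section, {})) - set(base.get(section, {}))
        for dep in sorted(added):
            sev = "HIGH" if section == "optionalDependencies" else "INFO"
            findings.append(f"[{sev}] new {section} entry: {dep}@{pr[section][dep]}")
    return findings

def ci_npmrc_disables_scripts(npmrc: str) -> bool:
    """CI-side default from the matrix: lifecycle scripts off unless allowlisted."""
    settings = dict(line.split("=", 1) for line in npmrc.splitlines()
                    if "=" in line and not line.lstrip().startswith("#"))
    return settings.get("ignore-scripts", "").strip().lower() == "true"

if __name__ == "__main__":
    print("\n".join(review_manifest_diff(BASE_MANIFEST, PR_MANIFEST)))
    print("CI .npmrc ok:", ci_npmrc_disables_scripts("ignore-scripts=true\n"))
```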
Action Plan for Security Directors
The matrix outlines what needs fixing, while three actions guide security directors forward.
- Incorporate a new question in every AI vendor questionnaire. “Does your organization red-team its release pipeline, including CI runner trust boundaries, OIDC token scoping, dependency lifecycle hooks, and registry publish gates? Please provide the last assessment date and scope.” The absence of a date and scope document is a finding.
- Evaluate rows 2 through 7 against your own CI pipelines this week. StepSecurity and Snyk have both published detection and remediation strategies for the TanStack worm patterns. Development teams frequently pull OpenAI SDKs, Anthropic packages, and Llama weights through npm, PyPI, and HuggingFace. The vulnerabilities exploited are likely present in your CI right now.
- Inform the board about the provenance gap. The TanStack worm highlighted that valid cryptographic provenance can mask a malicious package. Attestation tells the board where a package was built, while behavioral analysis reveals what it does after installation. Q2 renewal requires both. Snyk’s analysis suggests pinning trusted publisher configurations to specific branches and workflows, not merely repositories. Use this language in board presentations.
The Worm Has Identified Where Your AI Credentials Reside
Mini Shai-Hulud extends beyond CI secrets. Datadog Security Labs reported that the payload reads ~/.claude.json and exfiltrates it. It scans for 1Password and Bitwarden vaults, Kubernetes service accounts, cloud provider tokens, and shell history files where developers store API keys. StepSecurity’s analysis confirmed that Mini Shai-Hulud extracts Claude and Kiro MCP server configurations, which store API keys and auth tokens for external services. Developers using AI coding agents should be aware that the worm already knows where their credentials are located.
OpenAI, Anthropic, and Meta will continue to issue system cards, fund red-team competitions, and pass model evaluations. However, these actions alone will not prevent the next worm from exploiting release.yml vulnerabilities.
The TanStack postmortem team clearly stated: modern supply-chain defenses are crucial but insufficient by themselves. Teams need to proactively identify and address workflow gaps rather than solely relying on the security features of their tools.