
Trust is the target: the new AI-era supply-chain attacks

Jun 20, 2026  Twila Rosenbaum

The latest tactic in the cat-and-mouse game of cybersecurity demands almost no technical wizardry. Attackers are no longer forced to break through fortified walls; they walk through doors left open by the very tools developers rely on. Two separate campaigns in the past week illustrated the shift: trust, in open-source code and in AI-driven platforms, has become the attack vector of choice.

The rise of supply-chain attacks

Supply-chain attacks are not new, but they have reached a critical inflection point. Instead of targeting a single organization’s perimeter, attackers inject malicious code into widely used software components. Once these components are adopted downstream, the taint spreads to thousands of unsuspecting users. Historically, such attacks required sophisticated exploits or insider access. Now, they leverage the blind trust that developers place in package registries, code repositories, and automated tools.

The concept is simple: if you can compromise the building blocks that everyone uses, you control the entire ecosystem. This approach has become increasingly effective as software development accelerates and reliance on third-party libraries grows. A single malicious package can ripple through supply chains, affecting everything from cloud applications to IoT devices.

TeamPCP: A thousand poisoned packages

The first campaign involves a group known as TeamPCP. According to cybersecurity researchers, this group has injected malicious code into more than 1,000 open-source software packages in under four months. What began with a single tool in February has snowballed into a sprawling operation. The group’s methods are not particularly clever, and that is precisely the point. They exploit a fundamental weakness: most organisations pull in code automatically from public registries such as npm, PyPI, and RubyGems, and rarely perform any security check on what arrives.

TeamPCP’s poisoned packages collectively rack up an estimated 500 million downloads per week. The named victims read like a who’s-who of the tech industry: Bitwarden, Red Hat, SAP, PyTorch Lightning, and even GitHub itself. Yet researchers note that the group appears to be motivated by chaos and notoriety rather than financial gain, having pocketed only about $90,000 in extortion payments. One security firm now estimates that there is roughly a 1-in-10 chance that any package an organisation installs could trigger an active attack—a staggering statistic that underscores the urgency of the problem.

To understand the scale, consider that open-source software powers the majority of modern applications. From operating systems to web frameworks, developers depend on free, community-maintained packages. The implicit trust these packages enjoy is their greatest strength but also a profound vulnerability. TeamPCP's campaign highlights how easily that trust can be weaponised.

AI coding agents: The new soft target

A parallel development adds a dangerous twist: the rise of AI coding agents. Tools like GitHub Copilot, Amazon CodeWhisperer, and Anthropic’s Claude are now integrated directly into developers’ workflows. These agents can automatically install packages, write code, and even debug issues, often with minimal human oversight. As Feross Aboukhadijeh of Socket noted, “There’s in some cases virtually no human in the loop.”

This automation accelerates development but also creates new channels for attack. Researchers have demonstrated that a fake bug report can hijack an AI coding agent, causing it to execute attacker commands: the agent reads the report as input and follows the instructions embedded in it, so any text it ingests, whether an issue, a README, or a package description, is a potential command channel. Self-spreading worms are already tearing through code registries, and a poisoned editor extension recently allowed attackers to steal thousands of GitHub repositories. The problem is that AI agents treat package registries as trusted sources, much like human developers do, but they act far faster and with less skepticism.

Moreover, these agents are themselves becoming targets. Attackers realise that if they can manipulate the training data or the recommendation algorithms of AI tools, they can steer entire developer communities toward malicious libraries. The same trust that makes AI assistants helpful makes them susceptible to subtle manipulation.

Claude as a weapon: The shared-chat exploit

The second recent campaign is arguably sneakier. Hackers turned Anthropic’s Claude—a reputable AI assistant—against its own users. They abused a feature called “Shared Chats,” which allows users to publish public links to past conversations. The attackers staged fake “Apple Support” chats on claude.ai, instructing macOS developers to paste a command into their Terminal. Then they purchased Google ads for searches like “Claude Code on Mac” to direct victims to these fraudulent chats. Because the links resided on Claude’s trusted domain, they appeared legitimate and safe.

Trend Micro counted more than 2,000 victims, primarily in the Asia-Pacific region. The attack demonstrates how even trusted AI platforms can be hijacked. Anthropic has since banned the accounts involved and disabled the malicious conversations, but the vulnerability remains: any platform that allows user-generated content can be weaponised for social engineering.

This incident is particularly concerning because it exploits the trust users place in the AI platform itself. Victims believed they were in an official support channel, when in fact they were pasting attacker-supplied commands hosted on a domain they had every reason to trust. The paid Google ads show the attackers were willing to spend money to put those instructions in front of exactly the people searching for them.

Why traditional defenses fail

Most cybersecurity strategies focus on preventing intrusion through network perimeters, endpoint protection, and vulnerability patching. But supply-chain attacks bypass these defenses entirely. They don’t exploit a bug in the code—they exploit the process by which code is obtained. Trust is the target, not a technical flaw.

Traditional security tools like antivirus or firewalls are largely ineffective against packages that appear benign but contain hidden logic. Even static code analysis may fail if the malicious code is obfuscated or only activates under specific conditions. Additionally, the sheer volume of packages—millions in public registries—makes thorough vetting impractical for most organisations.

The situation is exacerbated by the speed of modern development. Continuous integration/continuous deployment (CI/CD) pipelines automatically fetch the latest package versions. A malicious update can be deployed to production within minutes, long before any security review takes place.

The shifting threat landscape

The TeamPCP and Claude shared-chat campaigns are not isolated incidents. They are part of a broader trend in which attackers target the software supply chain rather than individual companies. According to industry reports, supply-chain attacks have increased by over 600% in recent years. Nation-state actors, ransomware gangs, and hacktivists have all adopted this approach because it offers a high return on investment.

One notable historical precedent is the SolarWinds attack of 2020, where hackers inserted backdoor code into a widely used IT management platform. That attack compromised thousands of organizations, including multiple US government agencies. However, SolarWinds required a sophisticated breach of the vendor’s build environment. Today’s attacks are simpler: they only need to upload a malicious package to a public registry.

Moreover, the rise of large language models (LLMs) has introduced new attack vectors. Researchers have shown that it is possible to poison the training data used by AI coding agents, causing them to suggest dangerous code. This “data poisoning” is hard to detect because it can be subtle—for example, inserting a non-obvious security flaw that an AI agent would copy into generated code.

Another emerging threat is “dependency confusion,” a technique where attackers upload packages to a public registry with the same name as internal dependencies used by private organisations. If the package manager is configured to consult both the private and the public index, it merges the candidates from both and installs the highest version number it finds, so an attacker who publishes the internal name with an inflated version wins the resolution. This method has been demonstrated against several large technology companies.
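The resolution rule described above, as an added example that is not part of the original article: a small model of how pip picks a version when both an index-url and an extra-index-url are configured, run against constructed index contents. The package names, versions, and the `PRIVATE_INDEX`/`PUBLIC_INDEX` snapshots are assumptions standing in for a company’s private index and the public PyPI.

```python
# Added example (not from the article): a model of the dependency-confusion
# resolution rule, with constructed index contents standing in for a private
# index and the public PyPI. Package names and versions are assumptions.
import re
from dataclasses import dataclass, field

# Constructed snapshots: name -> versions each index serves.
PRIVATE_INDEX = {
    "acme-billing": ["1.4.0", "1.5.2"],   # internal package, never published publicly
    "acme-auth": ["0.9.1"],               # internal package
    "requests": ["2.31.0"],               # approved mirrored copy of a public package
}
PUBLIC_INDEX = {
    "requests": ["2.31.0", "2.32.3"],
    "acme-billing": ["99.0.0"],           # attacker upload squatting the internal name
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def parse_version(v: str) -> tuple:
    """Numeric tuple for ordering; sufficient for the dotted versions used here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class PipConfig:
    """The two pip settings that matter: index-url and any extra-index-url.
    pip treats them as one merged pool of candidates, not as a priority order."""
    index_url: str = "public"
    extra_index_urls: list = field(default_factory=list)

    def indexes(self) -> list:
        return [self.index_url, *self.extra_index_urls]


def resolve(name: str, cfg: PipConfig) -> tuple:
    """Return (version, index) the way pip would: every configured index is
    searched and the highest version wins, whichever index served it."""
    candidates = [
        (parse_version(v), v, idx)
        for idx in cfg.indexes()
        for v in INDEXES[idx].get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name}: not found on any configured index")
    _, version, source = max(candidates)
    return version, source


def confusion_risks(internal_names, cfg: PipConfig) -> list:
    """Internal packages that cfg would fetch from the public index."""
    risks = []
    for name in internal_names:
        version, source = resolve(name, cfg)
        if source == "public":
            risks.append((name, version))
    return risks


if __name__ == "__main__":
    # Weak: private index plus the public index as an extra; the 99.0.0 squat wins.
    weak = PipConfig(index_url="private", extra_index_urls=["public"])
    # Corrected: only the private index, which proxies the approved public packages.
    safe = PipConfig(index_url="private")
    for label, cfg in (("weak", weak), ("safe", safe)):
        print(label, resolve("acme-billing", cfg),
              confusion_risks(["acme-billing", "acme-auth"], cfg))
```

Two things the model makes visible: swapping which index is the primary and which is the extra changes nothing, because pip pools the candidates; and the fix is either a single private index that proxies approved public packages, or registering placeholder packages for every internal name on the public registry so nobody else can.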

What organisations can do

To defend against these attacks, organisations must rethink their approach to trust. It is no longer enough to assume that packages from public registries are safe. Several measures can mitigate risk:

  • Implement software composition analysis (SCA): Tools that scan dependencies for known vulnerabilities and malicious patterns.
  • Use private registries: Maintain curated mirrors of approved packages to reduce exposure to newly uploaded malicious versions.
  • Enforce code signing: Require that all packages come with a verified digital signature from their publisher.
  • Isolate build environments: Run CI/CD pipelines in sandboxed containers with restricted network access.
  • Human oversight of AI agents: Review all code and package installs suggested by AI tools before deployment.
  • Monitor for behavioral anomalies: Detect unusual outbound network connections or file modifications that may indicate a compromise.
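One concrete form of the “don’t let CI fetch whatever is newest” advice from the list above and from the earlier point about pipelines pulling the latest versions, as an added example that is not code from the article or from any vendor it names: a lockfile gate that refuses to install anything unpinned, unhashed, or whose fetched bytes do not match the recorded hash. The requirements text, the internal index URL, and the artifact bytes are constructed samples.

```python
# Added example (not from the article): a lockfile integrity gate that refuses
# to install anything unpinned, unhashed, or mismatching its recorded hash.
# The requirements text and artifact bytes below are constructed samples.
import hashlib
import re

# name, optional [extras], then whatever version specifier follows
REQ = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(?P<spec>.*)$")
HASH_OPT = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


def parse_requirements(text: str) -> list:
    """Return (name, specifier, hashes) per logical line, joining the
    backslash continuations that pip-compile --generate-hashes emits."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        tokens = (buf + line).split()
        buf = ""
        if tokens[0].startswith("-"):
            continue  # option line such as -r or --index-url, not a requirement
        m = REQ.match(tokens[0])
        if not m:  # a path or URL requirement; recorded so audit() can flag it
            entries.append((tokens[0], "", frozenset()))
            continue
        hashes = frozenset(h.group(1) for h in map(HASH_OPT.match, tokens[1:]) if h)
        entries.append((m.group("name"), m.group("spec"), hashes))
    return entries


def audit(text: str) -> list:
    """Problems that make the file non-reproducible; empty means fully pinned."""
    problems = []
    for name, spec, hashes in parse_requirements(text):
        if not spec.startswith("=="):
            problems.append(f"{name}: not pinned with == (specifier '{spec or 'any'}')")
        if not hashes:
            problems.append(f"{name}: no --hash, fetched artifact cannot be verified")
    return problems


def gate(text: str, fetched: dict) -> list:
    """audit() plus a hash check of each fetched artifact (name -> bytes) against
    the lockfile; any non-empty result should fail the CI step."""
    problems = audit(text)
    for name, _, hashes in parse_requirements(text):
        data = fetched.get(name)
        if data is not None and hashes and hashlib.sha256(data).hexdigest() not in hashes:
            problems.append(f"{name}: fetched artifact does not match any recorded hash")
    return problems


# Constructed sample artifact and a lockfile in pip-compile's format.
SAMPLE_ARTIFACT = b"constructed bytes standing in for requests-2.32.3-py3-none-any.whl"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
PINNED = (
    "# constructed lockfile in the format of pip-compile --generate-hashes\n"
    "--index-url https://pypi.internal.example/simple\n"   # assumed private index
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{SAMPLE_SHA256}\n"
)
UNPINNED = "requests>=2.0\nflask==3.0.0\n"   # what a floating CI build typically uses

if __name__ == "__main__":
    print(audit(UNPINNED))                                      # three problems
    print(gate(PINNED, {"requests": SAMPLE_ARTIFACT}))          # []
    print(gate(PINNED, {"requests": SAMPLE_ARTIFACT + b"\x00"}))  # hash mismatch
```

Run as a CI step before `pip install --require-hashes`, the gate turns a silently upgraded dependency into a failed build, which is the review opportunity the article says pipelines currently skip. The same hashes also let a curated private mirror verify what it caches.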

Furthermore, the industry as a whole needs to shift its mindset. As one security bulletin observed, “legitimate” is not the same as “safe.” Platforms like npm, PyPI, and even AI chat services must implement proactive measures such as automated malware scanning, reputation scoring, and rapid takedown procedures. Users, in turn, must adopt a default posture of skepticism, treating every package installation as a potential security event.

The recent campaigns underscore that the weakest link in the security chain is often human nature: our tendency to trust what is familiar and widely used. Attackers are exploiting that trust systematically. Until the software ecosystem adapts, these attacks will only grow in frequency and sophistication.


Source: TNW | Artificial-Intelligence News

