
SUPPLY CHAIN

27 hacks.

SUPPLY CHAIN CRITICAL NEW

Bucket squatting in Vertex AI: the "Pickle in the Middle" cross-tenant RCE

Unit 42 disclosed a Vertex AI Python SDK flaw (June 16, 2026): a predictable default staging-bucket name plus a missing bucket-ownership check let an attacker pre-create the bucket, hijack a victim's model upload and gain cross-tenant code execution. Patched in v1.148.0.

2026-06-22//6 min
SUPPLY CHAIN CRITICAL NEW

Agent skills are a supply chain: malware and prompt injection in SKILL.md

A February 2026 audit of ~4,000 agent skills found 13.4% with critical issues and 76 live malicious payloads. SKILL.md is now a software supply chain — here's how to triage it.

2026-06-21//7 min
SUPPLY CHAIN CRITICAL NEW

Mastra npm scope takeover: a dormant maintainer account poisons an AI agent framework

On June 17, 2026, a forgotten contributor account republished the entire @mastra npm scope — ~142 packages — with one malicious dependency that drops a crypto stealer and RAT. A stale credential, not a zero-day.

2026-06-21//7 min
SUPPLY CHAIN CRITICAL NEW

Chat templates are code: Jinja2 SSTI in LLM inference servers

CERT/CC's VU#915947 (April 20, 2026) documents CVE-2026-5760, a CVSS 9.8 RCE in SGLang: a malicious GGUF model file carries a Jinja2 chat template that runs Python on the server. It is the same class as Llama Drama and a vLLM flaw before it.

2026-06-19//6 min
SUPPLY CHAIN MEDIUM NEW

MalTool: when an AI writes the malicious tool your agent installs

Researchers used a coding LLM to synthesize 6,487 working malicious agent tools. VirusTotal missed most of them. The lesson: signature scanning is the wrong control for agent tool supply chains.

2026-06-19//6 min
SUPPLY CHAIN MEDIUM NEW

Secret Stealing: backdoored model code exfiltrates fine-tuning data

A 30 April 2026 paper shows that tampered model code — not poisoned weights — can steal API keys and PII from local fine-tuning data, reaching >98% recovery while bypassing DP-SGD and audits.

2026-06-18//6 min
SUPPLY CHAIN CRITICAL NEW

LiteLLM backdoored: when a poisoned CI scanner takes over the LLM gateway

In March 2026, attackers stole LiteLLM's PyPI publishing token by compromising Trivy inside its CI pipeline, then shipped two backdoored releases. The chain shows why the LLM gateway is a high-value supply-chain target.

2026-06-17//7 min
SUPPLY CHAIN MEDIUM NEW

Semantic Compliance Hijacking: payload-less agent skills that scanners can't see

A May 14, 2026 arXiv paper shows a skill file with no code and no explicit harmful intent can steer a coding agent into writing its own malware at runtime — with a 0.00% detection rate against current scanners.

2026-06-17//6 min
SUPPLY CHAIN MEDIUM NEW

HAMLOCK: a backdoor split between the model and the chip

A USENIX Security 2026 paper, covered June 15, 2026, splits a neural-network backdoor across software and silicon — the model alone never misclassifies, so software-only scanners like Neural Cleanse and MNTD find nothing.

2026-06-16//6 min
SUPPLY CHAIN MEDIUM NEW

When #1 trending is malware: the Open-OSS/privacy-filter Hugging Face typosquat

On May 7, 2026 HiddenLayer found Open-OSS/privacy-filter, a typosquat of OpenAI's model that reached #1 trending on Hugging Face with ~244K downloads in 18 hours; its payload was a Rust infostealer.

2026-06-15//6 min
SUPPLY CHAIN MEDIUM NEW

MalSkillBench: we can't measure malicious-skill detectors because the test data is biased

A June 2026 paper builds the first runtime-verified benchmark of malicious agent skills — 3,944 samples across 108 attack cells — and shows a single detector's recall can swing 66 points depending on which dataset you test it on.

2026-06-15//7 min
SUPPLY CHAIN CRITICAL NEW

ktransformers: unauthenticated RCE via pickle over ZeroMQ (CVE-2026-26210)

A critical RCE in the ktransformers inference engine exposes a ZMQ socket on all interfaces and pickle-loads whatever it receives. It is the latest case of the 'ShadowMQ' pattern copied across AI serving stacks.

2026-06-15//6 min
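The ktransformers bug above is a listener that calls pickle.loads() on whatever arrives, and the same load-then-trust step is what makes pickled model artefacts dangerous in the Hugging Face entries on this page. Added example, not code from ktransformers or any other project: the check a handler needs (an allow-list in find_class) beside the naive call, plus a pickletools pre-scan that lists code-bearing opcodes without executing the stream. The sample payloads and the allow-list contents are constructed for this example.

```python
"""Added example: allow-list unpickling and a static pre-scan for pickle streams.

Deserialising a pickle runs the GLOBAL/REDUCE opcodes it contains, so the check
below moves the decision of which callables may be resolved into find_class(),
where the unpickler asks for them by name.
"""
import importlib
import io
import pickle
import pickletools

# Constructed sample payloads for this example; neither comes from any real project.
# A tensor-metadata dict of the kind an inference worker might legitimately exchange.
BENIGN = pickle.dumps({"layer": "attn.q_proj", "shape": [4096, 4096], "dtype": "bf16"})
# Hand-written protocol-0 stream: GLOBAL builtins.len, push ('abc',), REDUCE.
# It calls len('abc') on load; an attacker puts os.system or subprocess.Popen here.
MALICIOUS = b"cbuiltins\nlen\n(S'abc'\ntR."

# Every (module, name) the unpickler may resolve (example allow-list). Plain dicts,
# lists, str, int and bytes need no global at all, so a data-only protocol keeps this tiny.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

# Opcodes that instantiate objects or call callables; a data-only message has none.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def unsafe_loads(data: bytes):
    """What an exposed handler typically does: whatever the stream names, it runs."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; everything else is an UnpicklingError."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Deserialise with the allow-list; raises pickle.UnpicklingError on a forbidden global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted(data: bytes) -> tuple:
    """('ok', value) or ('rejected', reason), without raising."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def dangerous_opcodes(data: bytes) -> list:
    """Static pre-scan: names of code-bearing opcodes, in stream order, without executing anything.

    pickletools.genops() only disassembles the stream, so this is safe to run on an
    untrusted model file or network message before any load() is attempted.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_OPCODES]


if __name__ == "__main__":
    print("benign  pre-scan:", dangerous_opcodes(BENIGN))
    print("hostile pre-scan:", dangerous_opcodes(MALICIOUS))
    print("restricted benign :", try_restricted(BENIGN)[0])
    print("restricted hostile:", try_restricted(MALICIOUS))
    # unsafe_loads(MALICIOUS) returns 3: len('abc') ran because the stream asked for it.
```

The allow-list is only one half of the fix: a serving stack should also bind its IPC socket to loopback or a private interface and authenticate peers, and, where the messages are plain tensors or metadata, drop pickle for a data-only encoding so find_class() is never reached at all.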
SUPPLY CHAIN CRITICAL NEW

Malicious LLM API routers: the unguarded man-in-the-middle for agents

A UC Santa Barbara study (arXiv, April 9, 2026) measured 428 third-party LLM API routers and found dozens injecting code, stealing credentials and draining a crypto wallet — all from a trust boundary developers configure voluntarily.

2026-06-15//7 min
SUPPLY CHAIN MEDIUM NEW

Beyond tool poisoning: what a malicious remote MCP server can actually do

A May 21, 2026 study maps the full threat surface of malicious remote MCP servers across ChatGPT, Claude Desktop and Gemini CLI — finding host filtering swings from 95% to 50% on the same request, and successful attacks are almost never disclosed.

2026-06-12//7 min
SUPPLY CHAIN MEDIUM NEW

RTK (CVE-2026-45792): untrusted filter configs hide backdoors from AI review

Pillar Security disclosed on May 20, 2026 a flaw in RTK, a token-optimisation filter for Claude Code: a repo-supplied .rtk/filters.toml could silently strip a backdoor from command output before the model ever saw it. The target is the agent's perception, not its execution.

2026-06-12//6 min
SUPPLY CHAIN CRITICAL NEW

Hades worm: poisoned AI coding-tool config that runs on repo open

The Hades supply-chain worm commits config files for Claude Code, Gemini, Cursor, and VS Code that execute on session start or folder open — turning a cloned repo into a credential stealer with no install step.

2026-06-11//7 min
SUPPLY CHAIN CRITICAL NEW

Transformers config injection: silent RCE that walks past trust_remote_code

CVE-2026-4372, disclosed June 4, 2026, lets a single config.json field run attacker code on a routine from_pretrained() call — bypassing trust_remote_code=False in Hugging Face Transformers.

2026-06-10//7 min
SUPPLY CHAIN MEDIUM NEW

Sequential data poisoning: splitting a backdoor across post-training stages

A June 3, 2026 paper shows that poison spread across SFT and preference data — negligible at each stage alone — combines into a working backdoor. Per-stage audits create a 'single-attacker illusion'.

2026-06-08//6 min
SUPPLY CHAIN MEDIUM NEW

MetaBackdoor: a length-based backdoor trigger that leaves no trace in the input

A May 2026 paper from Microsoft and Institute of Science Tokyo plants a backdoor whose trigger is the input's length, not its text. The prompt looks clean, content filters see nothing, and 90 poisoned examples are enough.

2026-06-07//7 min
SUPPLY CHAIN MEDIUM NEW

Back-Reveal: data exfiltration through a backdoored agent's own tool calls

A finetuned agent carries a hidden trigger. On a benign cue it reads your session memory and ships it out disguised as an ordinary retrieval call — no prompt injection, no malicious tool. Paper dated April 7, 2026.

2026-06-07//7 min
SUPPLY CHAIN MEDIUM NEW

trust_remote_code=False isn't a boundary: vLLM's recurring model-load RCE

CVE-2026-27893 (disclosed March 27, 2026) is vLLM's third trust_remote_code bypass. Two of vLLM's own model files hardcode trust_remote_code=True, silently overriding the operator's opt-out and enabling RCE from a malicious model repo.

2026-06-05//6 min
SUPPLY CHAIN MEDIUM NEW

GGUF model files are untrusted input: llama.cpp's recurring parser RCEs

CVE-2026-33298 (March 2026) and a May 15, 2026 oss-sec disclosure show llama.cpp's GGUF parser keeps hitting integer-overflow heap corruption: loading a crafted model file can mean RCE.

2026-06-05//6 min
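The llama.cpp entry above comes down to one rule: every length and count in a GGUF file is attacker-controlled, and the parser must check it against the bytes it actually has before doing arithmetic with it. Added example, not llama.cpp's code: a bounds-checked reader for the GGUF header and metadata section (the real layout: magic 'GGUF', u32 version, u64 tensor_count, u64 kv_count, then key/type/value triples), fed a well-formed constructed file and two constructed files whose declared sizes would wrap 64-bit arithmetic in C. The caps and the sample files are this example's own choices.

```python
"""Added example: a bounds-checked reader for the GGUF header and metadata section."""
import struct

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = (2, 3)          # v2 and v3 both use u64 lengths and counts
MAX_KV_COUNT = 1 << 16               # caps chosen for this example, not from any spec
MAX_STRING_LEN = 1 << 20             # 1 MiB; real metadata strings are far smaller
MAX_ARRAY_LEN = 1 << 24

# GGUF value-type ids for fixed-size scalars -> struct format.
SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
              6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
T_STRING, T_ARRAY = 8, 9


class GGUFError(ValueError):
    """Raised for any malformed or oversized field; the caller must not load the file."""


class Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        # Compare the request against what is left rather than computing pos + n:
        # in C that addition is exactly where a huge n wraps back inside the buffer.
        if n > self.remaining():
            raise GGUFError(f"field wants {n} bytes at offset {self.pos}, {self.remaining()} remain")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def scalar(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def string(self) -> str:
        n = self.scalar("<Q")
        if n > MAX_STRING_LEN:
            raise GGUFError(f"string length {n} exceeds cap {MAX_STRING_LEN}")
        return self.take(n).decode("utf-8", errors="replace")

    def value(self, vtype: int, depth: int = 0):
        if vtype in SCALAR_FMT:
            return self.scalar(SCALAR_FMT[vtype])
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:
            if depth > 0:
                raise GGUFError("nested arrays are not accepted")
            etype = self.scalar("<I")
            count = self.scalar("<Q")
            # Cap the count before any size arithmetic uses it: count * elem_size is the
            # multiplication that wraps in a 64-bit C allocator and yields a tiny buffer.
            if count > MAX_ARRAY_LEN:
                raise GGUFError(f"array length {count} exceeds cap {MAX_ARRAY_LEN}")
            if etype in SCALAR_FMT and count * struct.calcsize(SCALAR_FMT[etype]) > self.remaining():
                raise GGUFError("array claims more elements than the file holds")
            return [self.value(etype, depth + 1) for _ in range(count)]
        raise GGUFError(f"unknown value type {vtype}")


def parse_gguf_header(data: bytes) -> dict:
    """Parse magic, version, counts and the metadata KV section; raise GGUFError on anything off."""
    r = Reader(data)
    if r.take(4) != GGUF_MAGIC:
        raise GGUFError("bad magic")
    version = r.scalar("<I")
    if version not in SUPPORTED_VERSIONS:
        raise GGUFError(f"unsupported version {version}")
    tensor_count = r.scalar("<Q")
    kv_count = r.scalar("<Q")
    if kv_count > MAX_KV_COUNT:
        raise GGUFError(f"kv_count {kv_count} exceeds cap {MAX_KV_COUNT}")
    metadata = {}
    for _ in range(kv_count):
        key = r.string()
        metadata[key] = r.value(r.scalar("<I"))
    return {"version": version, "tensor_count": tensor_count,
            "metadata": metadata, "tensor_info_offset": r.pos}


def validate(data: bytes) -> str:
    """'ok' if the header parses cleanly, otherwise 'rejected: <reason>'."""
    try:
        parse_gguf_header(data)
        return "ok"
    except GGUFError as exc:
        return f"rejected: {exc}"


def _s(text: str) -> bytes:  # GGUF string encoding: u64 length + UTF-8 bytes
    b = text.encode()
    return struct.pack("<Q", len(b)) + b

# Constructed sample files (header + metadata only, no tensor data), made for this example.
GOOD_FILE = (GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 2)
             + _s("general.architecture") + struct.pack("<I", T_STRING) + _s("llama")
             + _s("llama.context_length") + struct.pack("<I", 4) + struct.pack("<I", 4096))
# Key whose declared length is 2**64 - 16: pos + len wraps to a small value in C.
BAD_LENGTH = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1) + struct.pack("<Q", (1 << 64) - 16) + b"general.name"
# u32 array with count 2**62: count * 4 wraps to 0, a zero-byte allocation followed by writes.
BAD_ARRAY = (GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1) + _s("tokenizer.ggml.token_type")
             + struct.pack("<I", T_ARRAY) + struct.pack("<IQ", 4, 1 << 62))

if __name__ == "__main__":
    print(parse_gguf_header(GOOD_FILE)["metadata"])
    for name, blob in (("good", GOOD_FILE), ("bad length", BAD_LENGTH), ("bad array", BAD_ARRAY)):
        print(f"{name:10}: {validate(blob)}")
```

Python integers do not wrap, so the overflows themselves cannot reproduce here; what the example shows is the shape of the checks a C parser needs: compare a requested length against the remaining bytes by subtraction, cap every count before multiplying it by an element size, and refuse the file rather than clamp.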
SUPPLY CHAIN MEDIUM NEW

AGENTS.md injection: a poisoned dependency can silently rewrite your coding agent's orders

An April 20, 2026 NVIDIA AI Red Team report shows a malicious dependency can drop a crafted AGENTS.md at build time, override the developer's prompt, and instruct OpenAI Codex to hide the change from the pull request.

2026-06-04//6 min
SUPPLY CHAIN MEDIUM NEW

Slopsquatting in 2026: 127 package names that all five frontier LLMs hallucinate

A May 16, 2026 arXiv replication of the USENIX Security '25 slopsquatting study finds hallucination rates are down across frontier models — but identifies 127 phantom packages that every tested model invents identically, a model-agnostic supply-chain attack surface.

2026-05-29//6 min
SUPPLY CHAIN MEDIUM

pgAdmin 4 ships an LLM panel and a classic LFI+SSRF arrives with it (CVE-2026-7817)

pgAdmin 4 9.15 patches an authenticated LFI and SSRF in its new LLM API configuration endpoints. The bug class is decades old; the surface is brand new.

2026-05-28//6 min
SUPPLY CHAIN MEDIUM

Hidden triggers in SKILL.md: semantic supply-chain attacks on agent skill registries

A May 12, 2026 University of Maryland paper shows that 20-token additions to a SKILL.md file can make an agent discover and select an adversarial skill in 77–86% of trials, and bypass registry-side scans up to 100% of the time.

2026-05-26//7 min
SUPPLY CHAIN CRITICAL

Mini Shai-Hulud: the supply-chain worm that came for the AI tooling stack

Disclosed May 11–18, 2026, the Mini Shai-Hulud worm trojanised 170+ npm and PyPI packages — including Mistral AI, Guardrails AI and TanStack — and persists inside Claude Code and VS Code.

2026-05-22//7 min