#supply-chain
8 articles exploring supply-chain. Expert insights and analysis from our editorial team.
Articles
InstructLab CVE-2026-6859: Hardcoded trust_remote_code=True Turns Any HuggingFace Model Into RCE
InstructLab CVE-2026-6859 hardcodes trust_remote_code=True in transformers, enabling RCE from any HuggingFace repo. Existing supply-chain scanners cannot detect this vector.
Mercor Breach: 4TB of AI Trainer Voice Samples Stolen from 40,000 Contractors
The Mercor breach shows how AI vendors classify contractor voice recordings as work product rather than biometric data, leaving 40,000 people with no way to revoke stolen.
Mercor's 4TB Lapsus$ Breach Hands Voice-Clone Attackers 40,000 Pre-Verified Targets
Mercor's LiteLLM breach exposed interviews with IDs and 2-5 minute voice samples, collapsing the cost of voice-clone phishing by pairing clean audio with verified identities.
Bitwarden CLI Compromise Extends the Checkmarx Supply-Chain Campaign to Credential Tooling
A trojanized @bitwarden/cli release spent 93 minutes on npm on April 22. The Checkmarx-themed payload harvested credentials via a preinstall hook, exposing vault session tokens.
March-April MCP CVEs Expose the Local-Host Trust Model in AI Agent Frameworks
Three CVEs scoring up to 9.8 reveal a structural flaw: MCP's local-host trust model lacks authentication primitives for networked multi-tenant deployments.
Marimo's CVE-2026-39987: 9h41m From Disclosure to Exploitation, NKAbuse Staged on Hugging Face
Marimo CVE-2026-39987 was exploited 9h41m after disclosure, with 662 events and an NKAbuse backdoor staged on Hugging Face. Same-day patching is the new minimum for AI tooling.
TeamPCP Backdoored LiteLLM via a Poisoned CI Scanner: What It Means for Every AI Python Stack
TeamPCP stole LiteLLM's PyPI token through a compromised Trivy GitHub Action, shipping credential-stealing releases to 36% of monitored cloud environments.
The 2026 OSSRA Report: AI Coding Tools Are Behind a 107% Surge in Open-Source Vulnerabilities
Black Duck's 2026 OSSRA found a mean of 581 vulnerabilities per codebase — double last year. Here's what's driving it and how to audit your own repo.