SUPPLY CHAIN
(43)43 hack(s).
Poisoned chat templates: inference-time backdoors in GGUF models
Early-2026 research shows a poisoned Jinja2 chat template inside a GGUF model can silently inject hidden instructions at inference time — passing standard model-hub scans while the weights stay clean.
Skill scanners bypassed: why static checks miss malicious skills
Trail of Bits slipped four malicious skills past ClawHub, Cisco's scanner, and skills.sh in under an hour each. The lesson: a static scanner can't be the trust boundary for agent skills.
Phantom squatting: registering the web domains that LLMs hallucinate
Palo Alto's Unit 42 named 'phantom squatting' in late June 2026: attackers register the non-existent domains that models reliably invent, inheriting the trust users place in AI-suggested links.
The open-source AI patch gap: discovery is outrunning remediation
AI is now finding open-source vulnerabilities far faster than maintainers can fix them. A July 2026 analysis put the discovery-to-repair ratio at about 16.5 to one — widening the window defenders have to manage.
HalluSquatting: weaponizing hallucinated names to seed agentic botnets
Attackers can pre-register the repository and skill names that coding agents predictably hallucinate, turning a routine 'clone this' prompt into remote code execution at scale.
One in three MCP servers is an SSRF gateway to your cloud metadata
Two 2026 ecosystem scans found server-side request forgery in a large share of public MCP servers — and that stars, commit activity and 'verified' badges do not predict which ones are safe.
PhantomSkill: hiding a malicious payload as an ordinary-looking bug
A June 2026 paper shows attackers can disguise a malicious agent-skill payload as a plain, triggerable vulnerability in a helper script — passing SKILL.md review and reducing malware-level detection while keeping the skill fully functional.
ShareLock: threshold poisoning hides MCP payloads across many tools
A June 2026 paper splits a malicious MCP instruction into benign-looking secret shares spread over several tool descriptions, defeating per-tool scanners while keeping attack success above 90%.
Agent skills carry hidden dependencies: transitive risk in skill supply chains
A July 2026 study of 1.43 million agent skills finds most security-relevant risk hides in transitive dependencies a reviewer never sees by reading the skill file alone.
Static scanners miss repacked agent-skill malware — runtime auditing catches it
A July 2026 study shows adaptive repacking bypasses over 90% of agent-skill scanners, and argues behavioral runtime auditing, not appearance checks, is what actually detects the malware.
Claude Code Action: a bot-actor trust flaw opened a supply-chain path
A researcher showed Claude Code GitHub Action trusted any actor ending in [bot], letting a self-registered GitHub App trigger agent-mode workflows on public repos and chain prompt injection to OIDC-token theft. Fixed in v1.0.94.
LLMO abuse: poisoning package docs to fool AI coding agents
ReversingLabs' June 2026 PromptMink report shows a North Korean group writing npm package documentation to read as authoritative to LLM coding agents, so the agent recommends and installs a malicious dependency.
When a poisoned agent skill hides in the false alarms
New research shows a position-aware skill-poisoning attack that blends malicious instructions into ordinary skill prose, slipping past LLM scanners that already cry wolf on most clean skills.
SkillMutator: attacks that hide between an agent skill's prose and its code
A June 2026 benchmark shows agent skills can be malicious in the interaction between their natural-language instructions and their scripts — passing both prompt-injection and code review while steering the agent to exfiltrate files.
A fake Perplexity extension turned an AI brand into a search wiretap
Microsoft found a Chromium extension impersonating Perplexity that rerouted every address-bar keystroke through an attacker's server before showing real results — no browser bug, just abused trust and Manifest V3 permissions.
The tool you approved isn't the tool you're running: MCP description rug-pulls
Microsoft's June 30, 2026 research shows an approved MCP tool can be silently re-described after review. Because agents pick up description changes on the fly, a clean tool turns into a data-exfiltration channel with no alarm.
Bucket squatting in Vertex AI: the "Pickle in the Middle" cross-tenant RCE
Unit 42 disclosed a Vertex AI Python SDK flaw (June 16, 2026): a predictable default staging bucket plus a missing ownership check let an attacker hijack a victim's model upload and gain cross-tenant code execution. Patched in v1.148.0.
Agent skills are a supply chain: malware and prompt injection in SKILL.md
A February 2026 audit of ~4,000 agent skills found 13.4% with critical issues and 76 live malicious payloads. SKILL.md is now a software supply chain — here's how to triage it.
Mastra npm scope takeover: a dormant maintainer account poisons an AI agent framework
On June 17, 2026, a forgotten contributor account republished the entire @mastra npm scope — ~142 packages — with one malicious dependency that drops a crypto stealer and RAT. A stale credential, not a zero-day.
Chat templates are code: Jinja2 SSTI in LLM inference servers
CERT/CC's VU#915947 (April 20, 2026) documents CVE-2026-5760, a CVSS 9.8 RCE in SGLang: a malicious GGUF model file carries a Jinja2 chat template that runs Python on the server. It is the same class as Llama Drama and a vLLM flaw before it.
MalTool: when an AI writes the malicious tool your agent installs
Researchers used a coding LLM to synthesize 6,487 working malicious agent tools. VirusTotal missed most of them. The lesson: signature scanning is the wrong control for agent tool supply chains.
Secret Stealing: backdoored model code exfiltrates fine-tuning data
A 30 April 2026 paper shows that tampered model code — not poisoned weights — can steal API keys and PII from local fine-tuning data, reaching >98% recovery while bypassing DP-SGD and audits.
LiteLLM backdoored: when a poisoned CI scanner takes over the LLM gateway
In March 2026, attackers stole LiteLLM's PyPI publishing token by compromising Trivy inside its CI pipeline, then shipped two backdoored releases. The chain shows why the LLM gateway is a high-value supply-chain target.
Semantic Compliance Hijacking: payload-less agent skills that scanners can't see
A May 14, 2026 arXiv paper shows a skill file with no code and no explicit harmful intent can steer a coding agent into writing its own malware at runtime — with a 0.00% detection rate against current scanners.
HAMLOCK: a backdoor split between the model and the chip
A USENIX Security 2026 paper, covered June 15, 2026, splits a neural-network backdoor across software and silicon — the model alone never misclassifies, so software-only scanners like Neural Cleanse and MNTD find nothing.
ktransformers: unauthenticated RCE via pickle over ZeroMQ (CVE-2026-26210)
A critical RCE in the ktransformers inference engine exposes a ZMQ socket on all interfaces and pickle-loads whatever it receives. It is the latest case of the 'ShadowMQ' pattern copied across AI serving stacks.
Malicious LLM API routers: the unguarded man-in-the-middle for agents
A UC Santa Barbara study (arXiv, April 9, 2026) measured 428 third-party LLM API routers and found dozens injecting code, stealing credentials and draining a crypto wallet — all from a trust boundary developers configure voluntarily.
MalSkillBench: we can't measure malicious-skill detectors because the test data is biased
A June 2026 paper builds the first runtime-verified benchmark of malicious agent skills — 3,944 samples across 108 attack cells — and shows a single detector's recall can swing 66 points depending on which dataset you test it on.
When #1 trending is malware: the Open-OSS/privacy-filter Hugging Face typosquat
On May 7, 2026 HiddenLayer found Open-OSS/privacy-filter, a typosquat of OpenAI's model that reached #1 trending on Hugging Face with ~244K downloads in 18 hours before shipping a Rust infostealer.
Beyond tool poisoning: what a malicious remote MCP server can actually do
A May 21, 2026 study maps the full threat surface of malicious remote MCP servers across ChatGPT, Claude Desktop and Gemini CLI — finding host filtering swings from 95% to 50% on the same request, and successful attacks are almost never disclosed.
RTK (CVE-2026-45792): untrusted filter configs hide backdoors from AI review
Pillar Security disclosed on May 20, 2026 a flaw in RTK, a token-optimisation filter for Claude Code: a repo-supplied .rtk/filters.toml could silently strip a backdoor from command output before the model ever saw it. The target is the agent's perception, not its execution.
Hades worm: poisoned AI coding-tool config that runs on repo open
The Hades supply-chain worm commits config files for Claude Code, Gemini, Cursor, and VS Code that execute on session start or folder open — turning a cloned repo into a credential stealer with no install step.
Transformers config injection: silent RCE that walks past trust_remote_code
CVE-2026-4372, disclosed June 4, 2026, lets a single config.json field run attacker code on a routine from_pretrained() call — bypassing trust_remote_code=False in Hugging Face Transformers.
Sequential data poisoning: splitting a backdoor across post-training stages
A June 3, 2026 paper shows that poison spread across SFT and preference data — negligible at each stage alone — combines into a working backdoor. Per-stage audits create a 'single-attacker illusion'.
Back-Reveal: data exfiltration through a backdoored agent's own tool calls
A finetuned agent carries a hidden trigger. On a benign cue it reads your session memory and ships it out disguised as an ordinary retrieval call — no prompt injection, no malicious tool. Paper dated April 7, 2026.
MetaBackdoor: a length-based backdoor trigger that leaves no trace in the input
A May 2026 paper from Microsoft and Institute of Science Tokyo plants a backdoor whose trigger is the input's length, not its text. The prompt looks clean, content filters see nothing, and 90 poisoned examples are enough.
GGUF model files are untrusted input: llama.cpp's recurring parser RCEs
CVE-2026-33298 (March 2026) and a May 15, 2026 oss-sec disclosure show llama.cpp's GGUF parser keeps hitting integer-overflow heap corruption: loading a crafted model file can mean RCE.
trust_remote_code=False isn't a boundary: vLLM's recurring model-load RCE
CVE-2026-27893 (disclosed March 27, 2026) is vLLM's third trust_remote_code bypass. Two model files hardcode trust_remote_code=True, silently overriding an operator's opt-out and enabling RCE from a malicious model repo.
AGENTS.md injection: a poisoned dependency can silently rewrite your coding agent's orders
An April 20, 2026 NVIDIA AI Red Team report shows a malicious dependency can drop a crafted AGENTS.md at build time, override the developer's prompt, and instruct OpenAI Codex to hide the change from the pull request.
Slopsquatting in 2026: 127 package names that all five frontier LLMs hallucinate
A May 16, 2026 arXiv replication of the USENIX Security '25 slopsquatting study finds hallucination rates are down across frontier models — but identifies 127 phantom packages that every tested model invents identically, a model-agnostic supply-chain attack surface.
pgAdmin 4 ships an LLM panel and a classic LFI+SSRF arrives with it (CVE-2026-7817)
pgAdmin 4 9.15 patches an authenticated LFI and SSRF in its new LLM API configuration endpoints. The bug class is decades old; the surface is brand new.
Hidden triggers in SKILL.md: semantic supply-chain attacks on agent skill registries
A May 12, 2026 University of Maryland paper shows that 20-token additions to a SKILL.md file can make an agent discover and select an adversarial skill in 77–86% of trials, and bypass registry-side scans up to 100% of the time.
Mini Shai-Hulud: the supply-chain worm that came for the AI tooling stack
Disclosed May 11–18, 2026, the Mini Shai-Hulud worm trojanised 170+ npm and PyPI packages — including Mistral AI, Guardrails AI and TanStack — and persists inside Claude Code and VS Code.