How the AI Industry’s Software Supply Chain Was Compromised in May 2026
Three weeks ago, between May 11 and May 18, 2026, the software supply chain that sustains the artificial intelligence industry was compromised. The compromise unfolded across three discrete events, each one short, each one technically banal, each one tracing the same chain. The cumulative window in which an attacker had direct hands on the code that powers a significant fraction of the Western technology economy was, by the most generous reading, less than half an hour.
This article reconstructs the chain in chronological order, explains why each event was technically unremarkable and strategically catastrophic, and proposes what the cumulative incident says about the trust model that, in 2026, governs the software supply chain of the AI stack.
May 11, 2026, at 19:20 UTC: the TanStack release pipeline becomes the attacker
TanStack is a family of open-source software packages, widely used by developers across the JavaScript and TypeScript ecosystem, and distributed through the npm public registry. The library family is, in 2026, a foundational dependency in the development workflows of OpenAI, Mistral AI, Grafana, UiPath, and many other organisations of strategic relevance.
At 19:20 UTC on May 11, attackers hijacked the runner of the TanStack release pipeline. The hijacking did not involve stolen credentials. It involved attacker-controlled code, injected mid-workflow, that took advantage of the trusted OpenID Connect identity (commonly abbreviated OIDC) that the pipeline used to authenticate itself to npm. Between 19:20 and 19:26, in six minutes, the pipeline published eighty-four malicious package artifacts across forty-two packages in the @tanstack namespace. The artifacts were signed by the pipeline’s own legitimate identity. To the consumer, they were indistinguishable from any other release.
The malicious versions propagated immediately to the development workflows of every organisation that consumed TanStack packages. Within hours, the same code had reached Mistral AI, UiPath, and dozens of other maintainers. It is, the security firm StepSecurity later assessed, the first documented case of a malicious npm package carrying a valid SLSA provenance attestation, where SLSA refers to the industry standard for verifying that software artifacts were built in a reproducible, attestable way. The standard, in this incident, did exactly what it was designed to do. The standard had been quietly subverted.
May 18, 2026, at 12:30 UTC: the Nx Console extension is live for eighteen minutes
Nx Console is a popular Visual Studio Code extension, used by developers to manage projects built with the Nx development framework. It depends on TanStack packages. When the malicious TanStack versions of May 11 propagated, the next release of Nx Console inherited them. At 12:30 UTC on May 18, a trojanized version of Nx Console was published to the Visual Studio Code marketplace.
Eighteen minutes later, at 12:48 UTC, the trojanized version was detected and pulled. In those eighteen minutes, automated update mechanisms on developer machines around the world fetched the extension. The extension activated. It enumerated local credentials, GitHub workflow tokens, and access tokens to internal repositories. It exfiltrated what it found to attacker-controlled infrastructure.
The principal documented victim of this window is GitHub itself. Approximately three thousand eight hundred internal GitHub repositories were exfiltrated. The repositories were the property of GitHub, the company, and contained the source code, configuration, and credentials of the platform on which the Western open-source ecosystem largely depends. The attacker group, calling itself TeamPCP, subsequently listed the repositories for sale on a cybercrime forum.
Eighteen minutes is, in operational terms, a normal automated-update cycle. The defenders, in this window, did not fail. There was no window in which they could have succeeded. The extension was, for those eighteen minutes, legitimate from the marketplace’s point of view.
May 19, 2026: Grafana traces its own breach to a missed token rotation
On the morning of May 19, Grafana Labs detected unusual activity on its internal GitHub repositories. The forensic investigation, which the company shared publicly within forty-eight hours, traced the breach to a single GitHub workflow token that had not been rotated after the TanStack incident of May 11. One token, in a rotation program of presumably hundreds, had been missed. The attacker used that token to access Grafana’s private repositories.
The Grafana case is, in many ways, the cleanest articulation of what happened in May. Grafana was an indirect victim of TanStack. It had no compromised pipeline of its own. It had detected the TanStack incident, initiated a token rotation across its workflows, and missed one token. That one token, in the eight days between May 11 and May 19, was sufficient to expose the entire private repository set of one of the most widely deployed observability platforms in the European cloud market.
The defender that did the right thing, immediately, and missed by one item in a list of hundreds, lost the same exposure surface as the defender that did nothing at all.
OpenAI and Mistral AI confirm parallel compromises
Over the same period, two of the most strategically prominent AI organisations in the world confirmed parallel compromises. OpenAI confirmed that two employee devices had been compromised through the trojanized Nx Console extension, and that a limited subset of internal source code repositories had had credential material exfiltrated. Mistral AI confirmed that its npm and PyPI software development kits (SDKs) had been trojanized during the TanStack window, and that TeamPCP was advertising Mistral AI source code repositories for sale on a cybercrime forum.
Neither confirmation was unusual in its language. Both were measured, accurate, and properly contextualised. Both describe, in summary, an industry in which the leading institutions of artificial intelligence development discovered, within the same week, that their internal source code and credential material had been extracted by a criminal group via a six-minute window in a npm publishing pipeline.
What the chain says about the trust model of the AI stack
The technical responses to this incident, where they have been deployed, have been the responses that the cybersecurity industry has been recommending for a decade. Rotate the tokens after a supply chain event. Audit the build pipelines. Maintain a software bill of materials (SBOM) that lists every component in every artifact. Verify provenance with SLSA attestations. Limit the privileges of build pipelines to the minimum necessary. Each of these measures is sound. None of them is new.
The question that the chain of May 11 to May 19 raises is the strategic one. The artificial intelligence industry, by mid-2026, has reached a market capitalisation, and a strategic significance, that places it among the most consequential industries of the global economy. The defence of the assets of this industry, however, continues to rely on a software supply chain whose trust model is, in operational substance, an honor system. Maintainers of open-source packages, often working unpaid in personal time, hold the keys that publish code to millions of downstream consumers. Build pipelines authenticate themselves with trusted identities that, when compromised mid-workflow, produce indistinguishable malicious releases. Marketplaces of editor extensions, like the Visual Studio Code one, perform automated reviews that do not catch malware shipped in eighteen-minute windows.
The strategic asymmetry is the one that the incident makes visible. The attacker, in May 2026, did not require nation-state resources, did not require a zero-day vulnerability in a hardened operating system, and did not require months of preparation. The attacker required access to one pipeline, a window of six minutes, and a downstream propagation path that the open-source ecosystem provided for free. The most strategic technology industry of the Western economy was reached through the cheapest available vector.
What boards should ask in the next governance cycle
The next time the board of an organisation whose business depends on the AI stack reviews its cyber risk posture, three questions deserve to be asked explicitly, and answered with concrete operational data rather than framework references.
The first question is whether the organisation maintains a verified inventory of every open-source package on which its production stack depends, and how that inventory is updated when an upstream incident occurs. The answer is operational, not documentary.
The second question is whether the build pipelines of the organisation, and the build pipelines of its critical software vendors, have been audited for the kind of mid-workflow injection that the TanStack incident exemplifies. The audit is technically specific. The audit either has been done, recently, or has not.
The third question is the strategic one. The board should ask the CISO directly whether the organisation has accepted, as foundational, a software supply chain whose compromise window is, in 2026, measured in minutes. The answer, in the median European organisation, is yes, that acceptance has occurred, and it occurred implicitly, through the cumulative procurement of open-source dependencies over a decade, without an explicit decision being recorded in any board minutes.
The strategic fix to the incident of May 2026 is not technical. The technical fixes are necessary and known. The strategic fix is the acknowledgment, at the level of governance, that the software supply chain of the AI stack is a strategic asset of the institution that depends on it, and that its security posture must be governed, funded, and audited as such.
Eighteen minutes is, in operational terms, a normal automated-update cycle. The TanStack window of six minutes, on May 11, is shorter than a coffee break. The cumulative interval in which the entire chain was active, between May 11 and May 18, contains windows totalling less than half an hour in which an attacker had direct, unmediated access to the publishing infrastructure of a foundational component of the AI stack.
The next attack of comparable scale will arrive on a different vector. It will exploit a different package, a different marketplace, a different mid-workflow injection point. It will not arrive on a different question. The question, in May 2026, is the same: which industry has decided to defend its most strategic technology assets through a trust model that, twenty years after the founding of npm, remains essentially honor-based.
The institution that begins to answer the question, now, will be the institution that, in the next supply chain incident, is the one to confirm a few exfiltrated tokens rather than the one to confirm a few thousand exfiltrated repositories.
All my books on cybersecurity and governance are here 👉 https://www.amazon.it/stores/author/B0FB47T6Q4/allbooks
Sources: Snyk, The Hacker News, The Hacker News (Grafana), BleepingComputer (GitHub), BleepingComputer (Grafana), Phoenix Security, Notebookcheck, Orca Security, Cybertechnology Insights.
