Skip to main content
Graphic showing four AI-driven supply-chain attack incidents over 50 days, highlighting vulnerabilities in software release p

Editorial illustration for Four AI supply-chain attacks in 50 days expose release pipeline red‑team gaps

Four AI supply-chain attacks in 50 days expose release...

Updated: 4 min read

The software supply chain’s weakest link is no longer the code, it’s the pipeline that pushes it to production. In just 50 days, four separate AI supply-chain attacks demonstrated exactly where red teams consistently fail to look. One compromised dependency sat on PyPI for a mere 40 minutes, yet its blast radius cut across industries.

No single vendor’s model red team would have caught it. Then came Anthropic. On March 31, 2026, Claude Code version 2.1.88 shipped to npm with a 59.8 MB source map file that should never have been included.

The map pointed straight to a Cloudflare R2 bucket holding 513,000 lines of unobfuscated TypeScript across 1,906 files, a complete architectural blueprint. A researcher flagged it within hours. Anthropic called it a release packaging error, human-caused.

This was the second such leak in 13 months. The pattern is clear. Red teams are chasing model vulnerabilities while attackers open the back door in the build, the bundle, the registry.

The pipeline is unguarded, and it’s bleeding.

One compromised open-source dependency sitting 40 minutes on PyPI created a cross-industry blast radius that no single vendor's model red team would have caught.Anthropic Claude Code source map leak (March 31, 2026). Anthropic shipped Claude Code version 2.1.88 to the npm registry with a 59.8 MB source map file that should never have been included. The map file pointed to a zip archive on Anthropic's own Cloudflare R2 bucket containing 513,000 lines of unobfuscated TypeScript across 1,906 files.

Security researcher Chaofan Shou flagged the exposure within hours, and Anthropic pulled the package. Anthropic confirmed it was a "release packaging issue caused by human error." This was the second such leak in 13 months.

The pattern is undeniable. Four attacks in fifty days. Each one exploited a blind spot that no red team had been tasked to defend, the release pipeline itself.

The PyPI dependency sat for forty minutes. The Claude Code source map leaked for hours. These are not failures of model security or code quality.

They are failures of process, of packaging, of the mundane infrastructure that ships intelligence into production. Red teams have been trained to stress-test the algorithm, not the registry. But the blast radius does not discriminate.

A single misconfiguration in a build script can poison every downstream consumer. The threat landscape has shifted, and the defensive playbook has not kept pace. Until red teams are empowered to attack the pipeline with the same rigor they apply to the model, these windows of exposure will keep opening.

The question is not whether the next one will happen, but whether the industry will finally treat its release process as the attack surface it has become.

Common Questions Answered

What were the four AI supply-chain attacks that occurred within 50 days?

The article documents four separate AI supply-chain attacks that exposed critical vulnerabilities in release pipelines. One compromised dependency was hosted on PyPI for only 40 minutes before detection, while another incident involved Claude Code version 2.1.88 shipping to npm with a 59.8 MB source map leak that persisted for hours. These attacks collectively demonstrated systematic gaps in how red teams evaluate production release infrastructure.

Why did the PyPI dependency attack have such a wide blast radius despite being live for only 40 minutes?

The compromised PyPI dependency's impact cut across multiple industries because it was a widely-used package in the software supply chain. The brief 40-minute window was sufficient for the malicious code to be downloaded and integrated into numerous projects before detection, making the attack's reach extensive despite its short exposure time.

What is the main vulnerability that red teams failed to identify according to the article?

Red teams consistently failed to focus on the release pipeline itself as a security target, instead concentrating their efforts on model security and code quality. The article emphasizes that the vulnerabilities exploited in these four attacks were in the mundane infrastructure responsible for packaging and shipping AI models to production, not in the algorithms or code themselves.

How did the Claude Code source map leak represent a process failure rather than a code quality issue?

The Claude Code version 2.1.88 incident, where a 59.8 MB source map leaked to npm for hours, demonstrates a failure in packaging and deployment processes rather than flaws in the underlying code. This type of vulnerability exists in the infrastructure and procedures that manage how software is released to production, highlighting the need for red teams to stress-test registries and release mechanisms.

LIVE03:21OpenAI's Miles Wang in Talks for USD 2B AI Drug Discovery Startup