
Two supply chain attacks in a single week that targeted widely used software showed how attackers can quietly work their way into corporate networks without ever directly breaking into a company’s systems.
On March 24, 2026, LiteLLM, an open-source Python library for serving models as a multi-model API gateway, with an estimated 95 million monthly downloads, was compromised after an actor obtained publishing credentials and pushed backdoored versions to PyPI.
From there, the malware harvested login credentials and sensitive access keys and attempted lateral movement across cloud environments. A week later, axios, one of the most popular JavaScript HTTP client libraries, with more than 100 million weekly downloads, was targeted by a state-sponsored APT group.
The attackers, known for targeting cybersecurity and critical infrastructure companies for espionage, manipulated a trusted maintainer into handing over access to their account, then used that access to publish malicious versions of the package that gave them remote control over victims' machines across operating systems.
C-Suite Framing
At the C-suite level, the critical point is that neither operation began with a break-in. Both abused trusted open-source workflows and routine update processes: a stolen publishing credential in one case, a socially engineered maintainer in the other. This represents a new kind of threat, in which AI adoption dramatically expands the number of entry points attackers can exploit.
For years, the enterprise risk model has been relatively stable: systems were deployed, vendors were vetted, and security teams worked to protect what they could see and control. The assumption: understand your architecture, and you understand the risk.
With AI, that thinking no longer holds.
AI is a force multiplier that expands and obfuscates the attack surface, leaving risk exposure for which executives are responsible but cannot fully see, measure, or govern.
The Rise of Invisible Dependencies
In today’s AI systems, the underlying pieces are assembled from a complex ecosystem of open-source libraries, model frameworks, APIs, and agentic workflows. Each introduces dependencies that are indirect, transitive, and often invisible to enterprise controls and oversight.
What the LiteLLM and axios attacks made painfully clear is that a single compromised package can propagate across millions of downstream environments within hours. The attack surface is no longer only what an organization builds or buys. It now extends to everything that its systems dynamically inherit.
When Trusted Actions Become Risk Events
Attackers are now weaponizing core update mechanisms: package updates, dependency installs, and automated builds. The danger lies in short exploitation windows paired with massive downstream impact.
In the axios incident, the malicious versions were live for approximately three hours before they were removed. In that window, any environment that resolved the dependency to the newest published version, rather than to a pinned version recorded in a lockfile, was exposed, and a CI job or container build could pull the backdoor without a human touching anything. AI-powered automation has fundamentally changed the speed at which attacks spread, and the manual review steps that once created natural friction have been replaced by automation that outpaces security visibility. Yet enterprise governance still largely operates on slow review cycles and static policies. That mismatch is a serious problem when a compromise can propagate globally in under an hour.
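One concrete check that follows from the pinning point above, written for this page as an added example (it is not code from the article, from LiteLLM, or from axios): a small Python audit that reads a requirements.txt and a package.json and flags every dependency whose version specifier would accept a release published after the audit ran. The two sample manifests are constructed for illustration, and the version numbers in them are placeholders, not the versions involved in either incident.

```python
import json
import re

# Constructed sample manifests for illustration only; versions are placeholders,
# not the versions involved in the LiteLLM or axios incidents.
REQUIREMENTS_TXT = """\
# constructed requirements.txt
litellm[proxy]==1.40.0
requests>=2.31
fastapi~=0.110
pyyaml==6.*
httpx
"""

PACKAGE_JSON = json.dumps({
    "name": "constructed-example",
    "dependencies": {"axios": "^1.6.0", "express": "4.18.2"},
    "devDependencies": {"jest": "~29.0.0", "lodash": "*", "eslint": ">=8.0.0"},
})

# pip: only "name==X.Y.Z" with a concrete version counts as pinned.
# Ranges (>=, ~=, <), bare names and "==6.*" wildcards all float to new releases.
PIP_EXACT = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.+!-]*)$")
# npm: an exact semver "X.Y.Z" (optionally written "=X.Y.Z" or "vX.Y.Z") counts as pinned.
# "^", "~", "*", "x", ">=", "latest" and url/git specs all float.
NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def audit_requirements(text):
    """Map each pip requirement (lower-cased name, extras dropped) to (spec, pinned)."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks, comments and pip options
            continue
        m = PIP_EXACT.match(line)
        if m:
            result[m.group(1).lower()] = (line, True)
        else:
            name = re.split(r"[<>=!~\s\[;@]", line, maxsplit=1)[0].lower()
            result[name] = (line, False)
    return result


def audit_package_json(text):
    """Map each npm dependency from every dependency section to (spec, pinned)."""
    data = json.loads(text)
    result = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        for name, spec in data.get(section, {}).items():
            normalized = spec.strip().lstrip("=v")
            result[name] = (spec, bool(NPM_EXACT.match(normalized)))
    return result


def floating(audit):
    """Sorted names whose specifier would accept a version published after the audit."""
    return sorted(name for name, (_, pinned) in audit.items() if not pinned)


def report(audit, label):
    """Print one line per dependency and return how many specs float."""
    for name, (spec, pinned) in sorted(audit.items()):
        print(f"{label:16} {name:12} {spec:22} {'pinned' if pinned else 'FLOATING'}")
    return len(floating(audit))


if __name__ == "__main__":
    total = report(audit_requirements(REQUIREMENTS_TXT), "requirements.txt")
    total += report(audit_package_json(PACKAGE_JSON), "package.json")
    print(f"{total} dependencies would pick up a newly published version on the next install")
```

To run it against real manifests, replace the constructed strings with the file contents. An exact pin only narrows which version of a direct dependency is fetched; pair it with a lockfile and hash verification (npm ci against package-lock.json, pip install --require-hashes) so that transitive dependencies are pinned too and the artifact actually installed is the one that was reviewed.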
This exposes a deeper issue: the belief that risk can be contained within a single system, vendor, or business unit.
These attacks make clear how dangerously wrong that assumption is. A compromised developer account may seem isolated, but it can cascade instantly across every application, pipeline, and environment drawing from that same software dependency.
In today’s environment, traditional containment is no longer a realistic response strategy.
The Edge is the New Frontline
Developer machines, local environments, and experimental AI workflows have become the primary entry points for supply chain attacks. This is where new tools are first pulled, dependencies are installed, and controls are weakest. By the time a supply chain threat reaches production, it has typically already executed on a developer laptop or build agent. Yet most enterprise security strategies remain focused primarily on production systems, guarding the wrong perimeter at the wrong time.
Accountability Without Visibility
The rules around accountability have not changed.
When a breach happens, when data is exposed, when regulators come knocking, responsibility still sits with the C-suite. Not with compromised maintainers, and not with individual developers.
Executives are now accountable for outcomes generated by systems they cannot fully see, audit, or control.
A Risk Model for the AI Era
What’s required is a fundamental shift in how organizations think about risk.
Security must move beyond systems to ecosystems.
It is no longer sufficient to secure what you deploy; you must continuously monitor dependencies.
What leaders must accept:
- Trust can no longer be assumed. Every dependency, update, and automated action must be treated as a potential risk event.
- Complete visibility is unrealistic. The goal is not to eliminate risk but to detect, contain, and recover from it quickly.
- AI is not just expanding the attack surface. It is breaking the link between risk and visibility, while accountability remains firmly at the top.
What leaders are now responsible for:
- Systems they cannot fully observe
- Dependencies they do not control
- Pipelines that operate outside traditional security boundaries
The mandate is clear: operate as if compromise is a matter of when, not if.
Treat your software supply chain as a frontline security priority and not an afterthought.
Close the gap between how fast threats move and how fast your organization responds.
The attackers are not waiting for your next quarterly review. Neither should you.
The threat landscape has shifted in ways that cannot be undone. AI has given attackers speed, scale, and sophistication that no perimeter defense was built to stop. The organizations that adapt by building resilience into their culture, their governance, and their technology decisions, will be the ones still standing when the next attack lands.
Zbyněk Sopuch is the CTO of Safetica, a global leader in data loss prevention and insider risk management, protecting close to 1 million devices in 120 countries. www.safetica.com


