Paranoid By Default

AI - Supply Chain Attack - Attack Surface

read this article also in:

"The survival of cuckoo chicks depends on the ignorance of other species." - Clifford Stoll, The Cuckoo's Egg

You warned them the stack wasn't checked. They sent you to a conference instead. On May 11th, over 170 packages got checked - by someone else.

There is a specific kind of violence in being ignored correctly - in documenting the surface, naming the vectors, timestamping the concern, and watching the organization route around the warning like water finding the path of least resistance.

The attack didn't break anything to get in. It walked through the distance between documentation and action, which turned out to be large enough to drive a bus through.

By the following evening, 84 malicious versions of TanStack packages were live on npm. Mistral AI, UiPath, OpenSearch, and Guardrails AI.

The blast radius kept expanding: Over 170 packages, 518 million cumulative downloads, and a payload that didn't steal credentials and disappear like a thief with manners.

It installed itself into Claude Code's settings file, planted a dead-man's switch: Revoke the stolen token and it attempts to wipe your home directory, and waited - surviving uninstall, surviving reboots, surviving the incident response call where someone said the words probably fine.

There is a particular kind of dread that comes not from being wrong, but from being right too early - from writing the explainer, sourcing the claims, documenting the surface, and watching the room nod and move on.

The warning existed. The attack confirmed it.

The only question left is why those two facts keep living in separate conversations.

Clifford Stoll found a 75-cent accounting error in 1986 and spent ten months proving it was the KGB.

The FBI told him the loss was too small to matter. He was right. Everyone else was wrong.

The threat was already inside the system, learning it, moving below every threshold anyone had thought to set, and it had been there for months before a single institution took him seriously.

Some things don't change. Only the stack does.

They didn't need to believe you. The attacker already did, so who exactly was the warning for?

Credit: Cyber Canon, Ox Security, Socket, The Hacker News, Wiz, SpyScape, Trend Micro, Akto, Cisco, snyk, International Cyber Digest, StepSecurity, ReversingLabs, Warfare History Network, Gravitee, DEV, OpenAI

In the autumn of 1986, at the Lawrence Berkeley National Laboratory in California, an astronomer named Clifford Stoll was handed a job nobody else wanted - trace a 75-cent discrepancy in the computer billing system, nine seconds of unauthorized compute time that had slipped through the cracks of two accounting programs that didn't quite agree.

The kind of error that gets shrugged off on a Friday afternoon, that gets quietly buried beneath the weight of more important things, that becomes a footnote nobody writes.

Stoll couldn't leave it alone. He slept under his desk instead.

He commandeered fifty printers from his colleagues' cubicles, wired them to his workstation, rolled out a sleeping bag on the lab floor, and waited.

When the anomaly repeated, it printed itself across twenty feet of paper - a trail that told him everything.

Someone had crawled through a hole in the Unix operating system, elevated themselves to superuser, moved laterally through the only router in northeastern California, and used Berkeley's machines as a quiet launchpad into U.S. military computers in Alabama.

They were searching for keywords like "nuclear." They were searching for "SDI." And they were logging off within minutes - long enough to harvest, never long enough to be traced by systems that weren't looking.

He called the FBI. The FBI wanted to know the dollar value of the loss. He told them 75 cents.

The conversation ended shortly after. He tried the NSA. The CIA. The Air Force.

For ten months, he slept in his office, chased a ghost through satellite uplinks, followed the signal across the Atlantic to an apartment in Hanover, Germany - and found Markus Hess, a hacker who had quietly broken into 400 military computers and was selling the contents on floppy disks to a KGB handler for $54,000.

"People paid more attention to locking their cars than securing their data." - Clifford Stoll, The Cuckoo's Egg

The cuckoo doesn't build a nest. It finds one that already exists, slips its egg inside while the host is gone, and disappears - leaving its offspring to be raised by a bird that never questions why this particular egg looks so familiar.

The host isn't foolish. It isn't careless. It simply isn't built to imagine that something belonging to its own nest could be trying to destroy it from the inside.

That structural innocence is the entire attack.

Hess hadn't targeted Berkeley because Berkeley held secrets worth stealing. Berkeley was an astronomy lab.

What it held was access - a trusted node inside a trusted network, connected to machines that did hold secrets, and connected without anyone having thought to ask whether it should be.

The egg didn't look wrong. It was sitting in the right nest. Nobody looked twice.

Hess and his collaborators received suspended sentences. They smiled when the verdicts were read aloud.

The Berlin Wall had just fallen, the world was rearranging itself, and a German judge decided the damage to Germany was too minimal to warrant prison.

Everyone moved on to the next thing.

Stoll was right. The institutions were wrong.

The threat had been living inside the system for months - learning its rhythms, reading its directories, moving in the gaps between every alert threshold anyone had bothered to imagine - and it had been there long before a single agency took the warning seriously enough to act.

Thirty-nine years later, the architecture of that failure is indistinguishable from the present. Only the stack is different.

If the same pattern keeps printing - anomaly dismissed, threat undetected, damage done - at what point does "we didn't know" stop being an explanation and start being a confession?

The Conference

Imagine a document that circulated across the industry in early 2026.

It had a clean layout, a credible logo, and a title that could have been written by anyone trying to appear responsible about AI.

It recommended connecting your legal department, your deal flow, your communications infrastructure.

They called this transformation. It included a maturity matrix.

It did not include a disclosure that the protocol it was recommending had already been actively compromised for a year before the document went to print.

Executives received it. Teams read it. Conference sessions were built around it.

Somewhere in the spring of 2026, in any number of hotel ballrooms with good lighting and bad coffee, a slide deck advanced through its paces - AI Skills Adoption: A Practical Roadmap.

The breakout rooms were full. The keynote had a waiting list.

Attendees took notes on how to connect more things to more of the organization, faster, because the pitch was productivity and productivity was the only metric being tracked.

Trend Micro had published a different kind of document.

It named AI skills as a critical emerging attack surface - not theoretical, not future-tense, but operational and present.

It was specific: Attackers who gain access to AI skills don't just steal credentials.

They learn an organization's decision-making logic, its operational thresholds, its automation workflows.

That intelligence doesn't expire when the session ends. It persists.

Agentic AI CVEs had jumped 255% from 2024 to 2025.

MCP servers had gone from zero documented vulnerabilities to 95 in a single year.

The Akto State of Agentic AI Security report found that 79% of enterprises had blind spots where agents invoked tools or touched data that security teams could not observe.

Only 21% of executives had complete visibility into agent permissions, tool usage, or data access patterns.

A conference on scaling AI skills adoption answers how to do more - not whether what's already in place is safe. It is the conference version of the maturity matrix.

Stoll slept on his office floor because the anomaly wouldn't let him rest. The conference attendees slept fine.

That gap - between the person who cannot stop seeing the problem and the institution that has organized itself around not seeing it - is not a failure of intelligence.

It is a structural feature of systems that reward connection and never measure exposure.

83% of organizations planned to deploy agentic AI in 2025.

Only 29% felt truly ready to do it securely.

The maturity matrix doesn't measure what you can't see. It just tells you to connect more.

By the time the conference ended, someone had already stopped mapping and started building.

When the institution sends you to learn how to connect more things, and the attacker already knows what connecting more things costs - who exactly is being educated?

The Step-Change

For a long time, the question every security team knew how to ask was a simple one.

What did you install?

It was the right question for the world that existed - a world where the package was the threat, where the infection lived in what you downloaded, where running npm uninstall was a reasonable beginning to an incident response.

That world ended on May 11.

It ended quietly, in six minutes, without anyone in a position to stop it.

The perimeter moved.

Shai-Hulud didn't infect packages and waited for someone to install them. It infected the repository, and then it waited for someone to open it.

The persistence hook written into .claude/settings.json fires every time Claude Code opens a repo, on any machine, for any developer who clones it downstream.

The infection doesn't live in what you installed. It lives in what you work in. The tooling you use to build has become the delivery mechanism.

The question is no longer what did you install - it is what repos do you open, and with what tools, and whether anything that was ever in that dependency graph left something behind that npm never touched and uninstall never reached.

The old threat model assumed the attack surface ended at the boundary of what you chose to run. Shai-Hulud demonstrated that the boundary now includes everything that runs you.

This is what a step-change actually looks like - not a larger version of the previous threat, but a different shape entirely.

The previous threat was a package that did something malicious on install.

The new threat is a persistent behavioral modification of the environment itself, one that survives the package, survives the uninstall, survives the rotation of the credentials that were taken - and sits quietly inside the settings file of the tool you use every day, re-executing on every open, waiting for the next secret to pass through.

Trend Micro had named this shift before it arrived.

AI skills - the configuration files, the settings, the behavioral instructions that tell AI tools how to operate - were identified as an emerging attack surface not because of what they contain but because of what they encode.

An attacker who compromises an AI skill doesn't just steal what's currently in your environment. They learn how your environment behaves.

They understand the thresholds, the automation logic, the decision patterns.

Shai-Hulud confirmed that operationally: .claude/settings.json and .vscode/tasks.json were targeted not because they held credentials but because they govern how the developer environment responds to everything that comes next. That governance persists. The package is gone. The hook remains.

There is a particular coldness to this that deserves to sit with you for a moment. The developer who ran npm uninstall, who rotated their tokens, who filed the incident report and marked the ticket closed - they may still be running the hook.

Every repository they open in Claude Code is a fresh execution. Every collaborator who clones that repository inherits it.

The infection spreads not through installation but through the ordinary, unremarkable act of doing the work. Opening a file. Starting a session. Reaching for the tool that was supposed to help.

The conference taught people how to integrate more AI tooling into more of their workflow.

Shai-Hulud demonstrated that the workflow itself is now the attack surface.

Those two facts belong in the same sentence.

They haven't been yet, in most organizations.

That gap, between the conference's answer and the threat's question, is where the next incident is already being prepared.

If the infection survives uninstall, outlasts the incident response, and re-executes every time you open your tools, at what point does "remediated" stop meaning anything at all?

The Egg in the Nest

Markus Hess didn't announce himself.

He arrived through a hole that already existed, wearing credentials that looked like they belonged, moving through systems that had no reason to suspect a trusted node of carrying anything hostile.

He was patient. He was quiet. He connected for minutes at a time, never long enough to trigger the thresholds nobody had set anyway, and he left each time without a trace that anyone thought to look for until one astronomer couldn't let a 75-cent discrepancy rest.

The account that seeded Shai-Hulud was created on March 19, 2026.

It waited almost eight weeks. Then it pushed a single commit to a fork of TanStack's router repository - not to the main branch, not visibly, not loudly.

An orphaned commit. A 2.3 megabyte payload inside a file with a name that looked like it belonged in the project.

The attacker didn't need to break into TanStack's pipeline. They needed TanStack's pipeline to run their code in a context that carried TanStack's secrets.

It did.

The published packages carried valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly-attested malicious packages.

They looked like TanStack's eggs. They were sitting in TanStack's nest. Nobody looked twice.

The cuckoo's survival has always depended on the host's structural inability to imagine that something familiar could be trying to hollow it out from the inside.

The campaign named itself after Dune's sandworm, Shai-Hulud, the creature that moves beneath the surface of the desert, immense and invisible until the moment it isn't.

The branch names in the exfiltration repositories followed the same mythology: atreides, fremen, harkonnen, sandworm, sardaukar, stillsuit, melange - drawn from a full Dune wordlist, formatted to mimic Dependabot's branch naming convention so malicious commits looked like routine automated security updates.

There is something almost literary about an attacker who names their infrastructure after a creature that survives by remaining underground, that cannot be detected until it has already arrived, that the inhabitants of the ecosystem have learned to read the signs of - and still cannot stop. The naming was deliberate. The naming was accurate.

This is not the first time TeamPCP ran this play.

The same campaign line had touched Aqua Security's Trivy in March 2026, and Bitwarden's CLI in April.

Each time, the same patience. Each time, the same method of borrowing trusted infrastructure rather than breaking it. Each time, the same widening blast radius as stolen publishing credentials turned each victim into the next vector.

The blast radius didn't stop at developer machines. OpenAI confirmed that two employee devices in its corporate environment were impacted, and that the compromised source code repositories included signing certificates for its products across iOS, macOS, and Windows.

As a result, every macOS user of ChatGPT, Codex, and Atlas now has a hard deadline: Update by June 12, 2026, or the app stops working. The infection moved from a developer's dependency graph to a consumer's dock. Nobody who clicked "update" on their ChatGPT app installed a TanStack package. They didn't need to.

OpenAI later confirmed something else: "This incident occurred during our phased deployment and rollout of these controls, and the two impacted employee devices did not have the updated configurations that would have prevented the download."

The fix existed. The rollout was in progress. The window between knowing and implementing is exactly where the attack landed.

Shai-Hulud didn't emerge fully formed on May 11. It had been growing in the ecosystem for months, learning it, mapping it, operating below every threshold that might have triggered a response.

The pattern is indistinguishable from 1986. Only the network is different.

Stoll named his adversary a cuckoo bird - an entity that laid its egg in another bird's nest and let the host raise its offspring, exploiting not a technical flaw but a behavioral one.

The host bird doesn't fail because it's careless.

It fails because it is not built to suspect the eggs in its own nest.

That innocence is architectural. It cannot be patched. It can only be replaced with something harder and colder, a posture that treats familiarity as a reason for scrutiny rather than a reason for trust.

The account that seeded this attack was almost two months old. The packages it poisoned had 518 million downloads between them.

Almost two months of patience against years of accumulated trust.

That ratio, the asymmetry between how long it takes to build trust and how little time it takes to weaponize it, is the operating environment now.

It was the operating environment in 1986. The institutions didn't learn it then.

The question is whether the industry learns it now, or waits for the next printout to stretch twenty feet across the floor before anyone believes what it says.

If the attacker only needs just under eight weeks of patience against years of accumulated trust, what exactly is the defense that patience can't defeat?

Ignorant or Ignoring

There are only two ways to arrive at the same place.

The first is not knowing. The team hasn't read the reports.

They don't know what AI skills encode, don't know what a persistence hook is or why it survives uninstall, don't know that 79% of enterprises have blind spots where agents touch data that security can't observe.

They attended the conference in good faith. They connected the stack in good faith. They are following the instructions of people they have every reason to trust, moving in a direction that looks, from every angle they have access to, like progress.

This describes most of the industry. It is not a moral failure. It is an information failure dressed in the language of transformation.

The second way is harder to name without sounding accusatory, so it will be named precisely instead.

The warning was written. It was specific, sourced, and timestamped.

The explainer landed in the right inbox. The concerns were heard in the right meeting. The room nodded - that particular nod that means understood but not actioned, that means the threat has been acknowledged and filed somewhere between the Q3 review and the next sprint planning, and then the conference registration went through.

Not because the decision-makers were reckless. Because the productivity case was visible and the risk case was abstract, and in every organization that has ever existed, the visible defeats the abstract until the abstract arrives in a form that can no longer be argued with.

Ignorant and ignoring produce identical post-mortems.

The only difference is what the paper trail looks like, and who gets to write the part about what was known and when.

France built the Maginot Line with genuine sophistication. Concrete fortifications, interlocking fields of fire, engineers who understood exactly how the last war had been fought and were determined not to lose it the same way again.

It was technically impressive. It was strategically outflanked.

The attack came from Belgium, through the Ardennes forest, through terrain the planners had decided was too difficult to traverse and therefore not worth defending.

The Line held perfectly. The country fell anyway.

Crypto built its own Maginot Line. Formal verification. Multi-sig. Timelocks. Bug bounties with seven-figure payouts.

An entire immune system, elaborately constructed, for one class of threat, and left openly exposed to everything that didn't come from that direction.

Smart contract audits don't touch the package manager.

The bug bounty doesn't cover the CI/CD pipeline. The multi-sig doesn't protect the settings file that tells your AI agent how to behave.

The fortification is real. The gap it leaves is just as real, and an attacker with patience enough to wait for the right fork doesn't need to go through the Line at all.

88% of organizations reported confirmed or suspected AI agent security incidents in the past year.

82% of executives reported confidence that existing policies protected against unauthorized agent actions.

Those two numbers belong together. They are not in tension. They are a portrait of an industry that has confused the sophistication of its defenses with the completeness of them, that has built something genuinely impressive and mistaken impressiveness for coverage.

The FBI told Stoll his loss was too small to matter. They weren't wrong about the 75 cents. They were wrong about what the 75 cents meant.

The anomaly was not the threat. The anomaly was the signature of a threat that had already been inside the system for months, that would remain inside it for ten more, that was patient in a way that institutional processes are structurally incapable of matching.

The Maginot Line was built for the war France understood. The Germans fought a different one.

The gap between the defense and the threat is not a design flaw. It is the design.

When the defenses are real but the threat has already walked around them - what does it mean to say the organization takes security seriously?

Paranoid by Default

Paranoid by default is not a personality type.

It is not the disposition of the person in the corner of the conference room who won't stop asking uncomfortable questions about attack surfaces nobody else wants to think about. It is not anxiety dressed in technical language.

It is a professional posture, the thing you develop when you have spent long enough reading post-mortems to understand that the pattern they describe is not a series of isolated failures but a single failure, repeating, wearing different clothes each time, arriving on a schedule that the industry keeps mistaking for surprise.

The tools do not assume betrayal. That is not a criticism, it is a design observation, and the design has reasons.

npm installs without verification because verification at scale is an unsolved problem and the ecosystem was built on the assumption that most packages, most of the time, are what they claim to be.

GitHub Actions' pull_request_target workflow runs fork code in a context that carries base repository secrets because the productivity gains of that architecture are real and the attack surface it creates was, for a long time, theoretical.

SLSA Build Level 3 provenance attestation was designed to tell you that an artifact came from the expected pipeline - not to guarantee that the pipeline hadn't been turned against itself, because that attack hadn't been documented yet.

Every one of these decisions made sense in the context in which it was made.

None of them assumed betrayal. Shai-Hulud did.

The architecture of the modern developer stack is built on the assumption of good faith.

Paranoid by default is simply the decision to supply what the architecture omits.

Stoll was paranoid by default. Not because he was constitutionally suspicious, he was an astronomer who thought mostly about gravitational waves, but because a 75-cent discrepancy wouldn't leave him alone, and he followed it somewhere the institutions around him had decided wasn't worth going.

He slept under his desk. He stole fifty printers. He called the FBI, the NSA, the CIA, and the Air Force, and when none of them were interested he kept going anyway, because the anomaly was real and the anomaly had a source and the source was operating inside a system that everyone else had decided was fine.

That is paranoid by default. Not disorder, but rather a discipline.

The industry has developed a specific immunity to this posture. It is called the productivity argument, and it is not wrong - AI tooling does accelerate work, the integrations do reduce friction, the conference sessions are teaching real skills that produce real output.

None of that is in dispute.

What is in dispute is the sequencing. You cannot secure what you haven't mapped. You cannot detect anomalies without a baseline. You cannot govern workflows you don't know exist.

The audit needs to happen before the next deployment, before the next skill gets connected to a wallet or a Slack channel or a private key - not because connection is dangerous, but because unaudited connection in an ecosystem where the verification systems have already been demonstrated to be defeatable is something closer to an open invitation than a calculated risk.

Paranoid by default means asking what this package does before running it, not after the incident report.

It means treating a persistence hook in a settings file with the same suspicion you would treat an unsigned transaction. It means understanding that provenance attestation tells you where something was built, not whether the build was clean, and acting accordingly.

It means knowing that the attacker who is patient enough to wait almost eight weeks for the right moment to push a single commit is not going to be deterred by an organization that reviews its AI tooling posture once a quarter at a meeting where the agenda item comes after the roadmap update.

There is always someone in the room who sees it first. They write the explainer. They document the red flags. They make the argument with sourced claims and specific timestamps and the kind of precision that should, in a rational institution, be sufficient.

The room nods. The conference registration goes through.

And then, at 19:20 UTC on some future Monday, the anomaly repeats, and it prints itself across the floor in a format that is finally impossible to file away.

The paranoid person was not the problem. The paranoid person was just early.

Nobody built this attack surface by accident. The accident was trusting it without checking.

The keys keep leaking and we still don't know exactly how.

The stack kept getting deeper - more packages, more integrations, more skills wired into more of the organization - and none of it may have been audited before the next layer went on top.

The private key losses that have haunted this industry for years, the origins that remain genuinely unresolved across dozens of incidents - all of it accumulating in the same unexamined gap that Shai-Hulud walked through on a Monday evening in six minutes.

Somewhere in that gap, between what was connected and what was checked, between the warning that was written and the conference that was booked, the next incident is already being prepared by someone with almost two months of patience and a very clear understanding of what the verification systems cannot see.

Stoll spent ten months proving what a 75-cent error meant. The institutions around him spent ten months finding reasons not to look.

Both things happened simultaneously, in the same system, and only one of them turned out to matter.

The industry is running the same experiment right now, with a larger stack and a shorter window and an attacker who has already demonstrated that the tools built to confirm trust can be made to confirm betrayal instead.

The survival of cuckoo chicks depends on the ignorance of other species.

We know better. The question is whether we act like it, or whether we keep filing the anomaly under next quarter, keep sending the paranoid person to the conference, keep watching the stack get deeper and the keys keep leaking, until the printout is too long to ignore and the damage is too done to reverse.

The conference is still on the calendar. You already know what's on the other side of that room.

The question, the only question that's ever mattered, is whether anyone in it is listening this time?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.