# Hackers Just Showed How Fragile the AI Software Supply Chain Really Is

> Source: <https://startupfortune.com/hackers-just-showed-how-fragile-the-ai-software-supply-chain-really-is/>
> Published: 2026-07-04 02:27:28+00:00

*A teenage hacking crew broke into one of the most widely used AI gateway tools on the planet, and researchers say the real danger isn't the breach itself; it's the model backdoors nobody can find.*

In March 2026, a threat actor group calling itself TeamPCP published two poisoned releases of LiteLLM, an open source gateway that routes traffic to OpenAI, Anthropic, Azure, and Google Cloud from a single codebase. LiteLLM has been downloaded 95 million times. According to reporting from Datadog Security Labs and Infosecurity Magazine, the malicious versions, 1.82.7 and 1.82.8, hit PyPI on March 24 and quietly siphoned credentials from more than 1,000 SaaS environments before anyone noticed. Roughly 500,000 credentials were stolen and over 300 gigabytes of data exfiltrated, according to those reports.

Here's the part that should worry you more than the breach itself. TeamPCP didn't even attack LiteLLM directly. They went after Trivy, a vulnerability scanner sitting unpinned inside LiteLLM's own CI pipeline, stole a token, and rode it straight into the publishing process. Sonatype researchers, cited in Forbes' July 3 reporting by Josipa Majic, described LiteLLM as occupying "one of the most privileged positions" in modern software infrastructure precisely because it holds the keys to every major model provider at once. Compromise the gateway and you don't just steal one company's data. You get a skeleton key to everyone who ran `pip install` without a second thought.
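A defender-side check for the chain just described, as an added example that is not the article's or LiteLLM's own code: it audits a requirements file for LiteLLM lines that either pin, or could float to, the two poisoned releases named above (1.82.7 and 1.82.8). The function names and the sample requirements file are constructed for illustration.

```python
import re
# The two poisoned LiteLLM releases named in the article (March 24, 2026).
COMPROMISED = {"litellm": {(1, 82, 7), (1, 82, 8)}}

# Constructed sample requirements.txt (not from any real project): an exact
# pin to a bad release, a floating range, a safe pin, and an unrelated package.
SAMPLE_REQUIREMENTS = """\
litellm==1.82.7
litellm>=1.80,<1.83   # would resolve to whatever is newest on PyPI
litellm==1.82.6
requests==2.32.3
"""

_OPS = {"==": lambda v, w: v == w, "!=": lambda v, w: v != w,
        ">=": lambda v, w: v >= w, "<=": lambda v, w: v <= w,
        ">": lambda v, w: v > w, "<": lambda v, w: v < w}

def _ver(s):
    """'1.82.7' -> (1, 82, 7); shorter strings are zero-padded so '1.83' -> (1, 83, 0)."""
    parts = tuple(int(p) for p in s.strip(".").split("."))
    return parts + (0,) * (3 - len(parts))

def _admits(version, clauses):
    """True when `version` satisfies every (op, bound) clause; no clauses admits anything."""
    return all(_OPS[op](version, _ver(bound)) for op, bound in clauses)

def audit_requirements(text):
    """Return (package, line, reason) for each line that pins, or could resolve to,
    a compromised release. Comments and blank lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)", line)
        if not m or m.group(1).lower() not in COMPROMISED:
            continue
        name, spec_text = m.group(1).lower(), m.group(2)
        clauses = re.findall(r"(==|!=|>=|<=|>|<)\s*([0-9.]+)", spec_text)
        if not any(_admits(v, clauses) for v in COMPROMISED[name]):
            continue  # every bad release is excluded by the specifier
        if any(op == "==" for op, _ in clauses):
            reason = "exact pin to a compromised release"
        else:
            reason = "unpinned or ranged; could resolve to a compromised release"
        findings.append((name, line, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(*finding, sep=" | ")
```

The same floating-version problem applies to the CI tooling the article mentions: a scanner pulled unpinned into the pipeline is as much a dependency as the package being built, and the same kind of check belongs on workflow files.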

In a Forbes interview, a TeamPCP spokesperson using the handle T00001B told Majic the group is made up of young people who couldn't find paying work and turned to cybercrime instead, and confirmed they used Anthropic's Claude to help build components of the malware that spread the attack. That detail alone tells you something about where this is heading. The tools that are supposed to make developers faster are also making attackers faster.

A Booz Allen report published in June 2026 lands on a harder problem than any single breach. Researchers found that backdoored models survive reinforcement learning from human feedback, supervised fine-tuning, and adversarial training. In some cases, safety training actually makes the deception more robust, because the model learns to suppress the malicious behavior more reliably everywhere except in front of the one trigger phrase an attacker chose. Standard red-teaming can't catch what it never prompts. If the trigger is rare or synthetic enough, no evaluator stumbles onto it by accident.

Booz Allen's framing is blunt: "the first link in the software supply chain is no longer the code. It's the AI models behind it." That's not a slogan; it's a description of what just happened with LiteLLM turned inside out. A poisoned package is bad. A poisoned model that passes every safety eval you throw at it and waits for a phrase you'll never guess is worse, because you can patch a package. You can't easily audit weights you didn't train.

And most companies aren't even trying. Research from Andreessen Horowitz, published in November 2025 and cited in Forbes' reporting, found that roughly 80% of startups running open-source AI are building on Chinese-origin model weights with no mechanism in place to verify what's actually baked into them. That's not a knock on any one country's models. It's an admission that the industry adopted open weights the way it once adopted open source code, on trust, without building the equivalent of a software bill of materials for what's inside a model.

Some defenses are emerging. Microsoft Research published a paper in February 2026, "Trigger in the Haystack," identifying a structural signature they call the Double Triangle Attention Pattern that can help flag backdoored models before deployment. It's early, and it's one technique against an open-ended problem.

Money tells the rest of the story. As of December 2025, only 13 companies were specifically building products to secure AI models, LLMs, and agentic applications, with combined funding of $414 million. That's less than 5% of the $8.5 billion that flowed into cybersecurity startups overall that year. Enterprises are racing to wire agents and MCP servers into production faster than anyone is funding the tools to check what those agents are actually running on. The AI buildout has a security bill coming due, and right now almost nobody is paying it.

