      Report · 2026-04-02
      · 63d
    

Supply Chain Security in the Age of AI: From Surgical Attacks to Automated Cascades

Supply chain attacks have evolved from patient, targeted exploits to fast, automated campaigns leveraging AI-driven dependency management and self-propagating malware. Recent incidents like the Axios and TeamPCP attacks demonstrate how compromised packages can cascade across entire ecosystems in days, while AI coding tools simultaneously increase both developer productivity and attack surface vulnerability.

12 metrics· Cited 0× in the knowledge base ·Open source ↗

Metrics in this report

AI vs Human Vulnerable Dependency Selection Rate

50%

higher for AI agents

117,000+ dependency changes analyzed

Attack Timeline Compression

2920days

reduction from years to

supply chain attack duration (2 years to 8 days)

Consistent Hallucinated Package Names

43%

of hallucinated packages

appearing repeatedly across queries

Developer Productivity Gain from AI Tools

2-4multiplier

range

code generation speed improvement

Downloads of Slopsquatting Honeypot Package

30,000downloads

in weeks

single commonly hallucinated package name

Ecosystems Compromised by Single Token

5platforms

cascading impact

TeamPCP campaign (GitHub, npm, PyPI, Docker, VS Code)

Hallucinated Package Rate in AI Recommendations

20%

proportion of recommendations

LLM package suggestions

Open Source Components per Application

1,100packages

average

typical production application

Packages Compromised by TeamPCP/CanisterWorm

66packages

minimum

npm ecosystem

Packages in Bare-Bones Next.js Project

282packages

before code development

minimal Next.js setup

Transitive Dependencies - JavaScript Projects

755packages

median

GitHub JavaScript projects

Weekly npm Downloads - Axios

100,000,000downloads

weekly average