Security Supply Chain AI
The Part of Your AI Stack You Trust Most and Check Least Every engineer now builds with AI they've never audited. One compromise reaches your customer data — and you answer for it, not the engineer.
TL;DR — The Gist
Your engineers carry production keys, and now they all use AI — AI tooling has spread from a specialist few to every engineering laptop, including the SREs and platform engineers who already hold the widest production access. One compromised package, model, or plug-in reaches as far as those keys reach: production cloud, customer data, code in flight to live systems.

Three Python supply chain attacks in three months, same criminal group — LiteLLM in March 2026, PyTorch Lightning in April, Mini Shai-Hulud in May.

Any incident that reaches customer personal information triggers Notifiable Data Breach obligations within 30 days under the Privacy Act, regardless of whether the attacker came in through your code or someone else's. A serious or repeated breach now carries penalties of up to AUD 50 million, or 30% of company turnover.
Jun 16, 2026 21 min read