A Booz Allen Hamilton study found that three of four Chinese AI coding models produced more vulnerable code when prompts identified the user as a U.S. government developer, with Qwen3-Coder showing a 130% increase in vulnerabilities. The report raises urgent questions about AI supply chain security.
The Shai-Hulud supply-chain campaign compromised 19 scientific PyPI packages (Dynamo, Spateo, CoolBox, U-FISH, and more) with malware that steals developer secrets — cloud keys, publishing tokens, SSH keys, and AI tool configs. The payload triggers on any Python invocation.
China-linked APT VerdantBamboo deployed a BSD variant of BRICKSTORM and two other malware families across firewalls, storage appliances, and NAS devices — compromising victims through their MSP for at least 18 months.
