At 02:17 GMT on Tuesday, a modest data center in Tallinn flickered red, its alarms screaming that a routine software update had turned into a ransomware explosion. Within minutes, the outage rippled across three European banks, halting millions of transactions and prompting frantic calls to emergency response teams.
Here's the thing: the incident was not a random act of vandalism. It was the first confirmed case of a malicious code bundle that used a custom‑trained language model to rewrite its own payload on the fly, slipping past every signature‑based scanner in the network. The same code appeared later in a logistics firm in Singapore, then in a biotech startup in Boston.
But look at the timing. On May 23, 2026, Kaspersky Lab and Mandiant issued a joint report titled Artificial Intelligence in the Supply Chain: The New Attack Vector. The document, released at a press conference in Zurich, details 27 confirmed incidents of AI‑enhanced supply‑chain compromise over the past 12 months—a 340% jump from the previous year.
Let's be honest: the numbers alone are enough to make any CISO sit up straight. The report cites a total of 4.2 billion compromised devices, an estimated $9.7 billion in direct losses, and a projected 12 months of remediation effort that could cost enterprises an average of $1.3 million each.
What's interesting is how the attackers are using generative models not just to obfuscate code, but to dynamically adapt to the environment they infiltrate. In technical terms, they embed a lightweight transformer—about 12 MB in size—inside an innocuous installer. Once the installer runs, the model queries a remote inference API, receives a tailored payload, and rewrites key binaries before the OS even finishes booting.
The report breaks the methodology into four stages:
- Harvest: Threat actors scrape open‑source repositories for popular build scripts.
- Inject: A malicious GitHub Action injects a compressed model into the CI pipeline.
- Generate: The model queries a hidden endpoint, receiving a payload that matches the target's compiler version and OS.
- Deploy: The final binary is signed with a stolen certificate, slipping past most integrity checks.
One of the most unsettling findings is the use of “prompt‑tuning” to evade sandbox environments. By feeding the model a short string that describes the sandbox’s detection heuristics, the generated code deliberately disables logging calls, making forensic analysis a nightmare.
In the impact section, the report paints a clear picture of winners and losers. Large enterprises with mature DevSecOps pipelines are better positioned to spot anomalies, but even they suffered an average of three incidents each. Mid‑size firms, especially those relying on third‑party SaaS tools, saw breach rates double compared to 2025.
Meanwhile, the attackers themselves have become more organized. The joint analysis links the campaigns to a loosely affiliated group the researchers call “Silicon Serpent,” which appears to operate out of multiple time zones, using encrypted Telegram channels and a shared Git server hosted in a jurisdiction with lax data‑retention laws.
“We’re seeing a shift from opportunistic malware to purpose‑built AI agents that can rewrite themselves in real time,” said Dr. Lena Kovacs, senior threat analyst at Kaspersky Lab. “Traditional signatures are blind to this kind of fluid threat.”
“The supply‑chain angle is especially dangerous because it gives the attacker a trusted path into the target’s environment,” added Raj Patel, director of threat intelligence at Mandiant. “If you’re pulling a library from an open source registry, you may be pulling a backdoor as well.”
So, what should organizations do now? The report recommends three immediate actions:
- Adopt model‑based anomaly detection that can flag unusual binary modifications during CI builds.
- Enforce strict provenance checks on all third‑party components, including reproducible builds and signed attestations.
- Isolate inference endpoints for any on‑premise AI services, ensuring they cannot be reached from the internet without multi‑factor authentication.
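The second recommendation, provenance checks backed by signed attestations, can be reduced to a small CI gate. The following is an added illustration, not code from the report or from either vendor: it signs a digest manifest for a build's artifacts, then verifies the signature before comparing a later build against it and flags any file that was added, dropped or rewritten. The artifact contents and key are constructed sample values, and HMAC stands in for the asymmetric signature a real attestation scheme would use.

```python
import hashlib
import hmac
import json

# Constructed sample: the contents of three artifacts a CI build produced.
ARTIFACTS = {
    "bin/app": b"\x7fELF...legit-build-v1",
    "lib/helper.so": b"\x7fELF...helper-v1",
    "config/default.toml": b"[app]\nname = 'demo'\n",
}

# Constructed: key held by a trusted signing service. HMAC is a stand-in for a
# real asymmetric attestation signature; the verify-then-compare flow is the same.
SIGNING_KEY = b"demo-attestation-key-not-for-production"


def digest_artifacts(artifacts):
    """Return {path: sha256 hex} for every artifact in the build output."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in sorted(artifacts.items())}


def sign_attestation(digests, key):
    """Produce an attestation: canonical JSON of the digests plus a signature tag."""
    payload = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": tag}


def verify_attestation(attestation, key):
    """Check the signature before trusting any digest inside; None if it fails."""
    expected = hmac.new(key, attestation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return None
    return json.loads(attestation["payload"])


def check_build(artifacts, attestation, key):
    """Compare actual build output to the attested digests; return a list of findings.

    An empty list means every artifact matches its attestation byte for byte.
    """
    attested = verify_attestation(attestation, key)
    if attested is None:
        return ["attestation signature invalid: refusing to trust any digest"]
    actual = digest_artifacts(artifacts)
    findings = []
    for path in sorted(set(attested) | set(actual)):
        if path not in attested:
            findings.append(f"unattested artifact: {path}")
        elif path not in actual:
            findings.append(f"missing artifact: {path}")
        elif attested[path] != actual[path]:
            findings.append(f"modified artifact: {path}")
    return findings
```

Run `check_build` as a required CI step and fail the pipeline on any non-empty result, so a binary rewritten after the attested build cannot reach the deploy stage.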
My take? This is the moment the industry stops treating AI as a nice‑to‑have tool and starts defending against AI as an attack surface. If vendors continue to ship pre‑trained models without transparent supply‑chain documentation, we’ll see a cascade of breaches that dwarf the SolarWinds incident of 2020.
Looking ahead, I predict three trends will dominate the next 18 months:
- Security‑focused AI marketplaces that certify models for integrity and provenance.
- Regulatory mandates in the EU and US requiring “model attestations” for any software that includes generative components.
- A rise in “AI‑red‑team” services that simulate the very techniques described in the report, giving defenders a chance to practice before the next wave hits.
In the end, the Kaspersky‑Mandiant partnership is more than a joint press release; it’s a warning bell that rings loudly across boardrooms, dev teams, and policy circles alike. The question isn’t whether AI will be used in attacks—it already is. The question is whether we’ll build the defenses fast enough to stay ahead of it.