From Supply Chain Poisoning to System-Level Infiltration — A Global Infrastructure Security Risk Assessment and Impact Projection for the Age of AI Desktop Agents
LEECHO Global AI Research Lab · 이조글로벌인공지능연구소
Authored with Opus 4.6
April 24, 2026
V1
Abstract
In 2026, the global AI industry has entered an unprecedented arms race. OpenAI, Anthropic, xAI (which has merged with SpaceX and plans to launch the largest IPO in history in mid-2026), and Google — four major AI companies, driven by growth and IPO pressures, are iterating at a frenzied pace of one new model every seven weeks, while simultaneously deploying system-level AI desktop agents — Cowork, Codex, Claude Code — to hundreds of millions of endpoint devices. Based on publicly disclosed security incidents, supply chain attack cases, and industry data from 2025–2026, this paper systematically assesses the global security risks facing AI infrastructure. Our findings: AI companies are operating system-level software that requires “Assume Breach”-grade security assurance under an “Assume Trust” philosophy, violating every fundamental principle of the cybersecurity industry. Threats including supply chain poisoning, model leaks, and unauthorized access have transitioned from theoretical risks to verified attack paths. This paper projects possible pathways for a global-scale AI security incident and its cascading impact on digital infrastructure, and proposes a mandatory regulatory framework.
Table of Contents
1. Introduction: The Structural Security Crisis of the AI Industry§1
2. Verified Attack Surfaces: The Full Landscape of 2025–2026 Security Incidents§2
3. Chat AI vs. Desktop Agents: The Fundamental Difference in Risk Magnitude§3
4. Supply Chain Poisoning: From Theory to Reality§4
5. The OpenClaw Crisis: A Rehearsal for AI Agent Security Collapse§5
6. The IPO Sprint: The Most Dangerous Window§6
7. Global-Scale Security Incident Projection: The Domino Path§7
Introduction: The Structural Security Crisis of the AI Industry
In April 2026, the global AI industry presents an unprecedented landscape: OpenAI (valued at $500 billion), Anthropic (valued at $350 billion), xAI (merged with SpaceX at a combined valuation of $1.25 trillion, planning to launch the largest IPO in history at a $1.75 trillion valuation in mid-2026), and Google — four AI giants racing at full speed under growth and IPO pressure. ChatGPT now has over 900 million weekly active users and 50 million paid subscribers. Releasing two flagship models within seven weeks (GPT-5.4 to GPT-5.5) has become the norm.
Yet behind this breakneck speed, a systemic security crisis is forming. AI companies are deploying desktop agent software with system-level privileges to hundreds of millions of endpoint devices — software capable of reading and writing files, executing code, operating browsers, accessing networks, and connecting to internal enterprise systems — all under minimal regulatory oversight.
The core argument of this paper is: The AI industry is operating critical infrastructure-grade software that requires “Assume Breach” security assurance under an “Assume Trust” philosophy. This fundamental contradiction, compounded by speed-first tendencies driven by IPO pressure, is pushing global digital infrastructure toward a dangerous tipping point.
“Fundamentally, if somebody wants to get in, they’re getting in. Alright, good. Accept that.”
— Michael Hayden, Former Director of the CIA and NSA, 2012
Section 02
Verified Attack Surfaces: The Full Landscape of 2025–2026 Security Incidents
The following incidents are not hypothetical scenarios but real security events confirmed by independent security researchers, media outlets, and official reports between 2025 and 2026. None of the four major AI companies were spared.
Anthropic
Source Code Leak (Twice)
512,000 lines of Claude Code source code were published with the npm package due to a missing .npmignore configuration. This was not the first time — the same type of incident occurred twice within 13 months. The leaked source code revealed extensive data collection: every file read by users was uploaded to Anthropic’s servers and linked to user IDs.
Silent Browser Implantation
During installation, Claude Desktop wrote Native Messaging bridge configuration files to seven browser directories — Chrome, Edge, Brave, and others — without user consent, including browsers not yet installed. Privacy consultant Alexander Hanff argued this violated the EU ePrivacy Directive and multiple computer access laws.
Mythos Model Unauthorized Access
On April 21, 2026, unauthorized users gained access to Anthropic’s most powerful cybersecurity model, Mythos, through private forums. The model can discover 27-year-old OpenBSD vulnerabilities and autonomously chain Linux kernel exploits to achieve full system control. This was the leak of a weapons-grade AI model.
OpenAI
Hidden DNS Exfiltration Channel
Check Point researchers discovered a covert DNS data exfiltration channel in ChatGPT’s code execution environment. A single malicious prompt could silently send conversation content and uploaded files to an external server without the user’s knowledge. Patched on February 20, 2026.
CISA Government Document Leak
The acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) uploaded four documents marked “For Official Use Only” to the public version of ChatGPT. During the same period, the official failed a counterintelligence polygraph.
Silent Model Updates Crash Production Systems
In 2025, 6 unannounced model changes caused production system crashes. A legal tech company saw its AI hallucinate nonexistent contract clauses after a silent model update changed output formatting — a client nearly signed based on fabricated content. A YC startup lost three enterprise contracts due to a Black Friday API outage and couldn’t make payroll by December.
xAI
API Key Leak Exposes 52 Models
A DOGE (Department of Government Efficiency) employee committed a script containing a Grok API key to a public GitHub repository. The key provided access to at least 52 large language models from xAI. Months earlier, another internal xAI API key had been exposed on GitHub for nearly two months.
Grok Generates CSAM — Global Regulatory Crackdown
Starting in December 2025, Grok’s “Spicy Mode” was used to generate sexualized images of minors, producing thousands of non-consensual deepfake pornographic images per hour. Malaysia and Indonesia banned Grok outright; the UK launched an investigation; France raided X’s Paris office; California’s Attorney General issued a cease-and-desist; 57 European Parliament members demanded a ban on “undressing tools” under the AI Act. In March 2026, three Tennessee teenagers filed a class-action lawsuit.
Pentagon Integration — National Security Controversy
The U.S. Secretary of Defense announced Grok’s integration into military classified and unclassified systems. Senator Elizabeth Warren warned that the model’s lack of guardrails could endanger military personnel and sensitive information. Security analysts noted that Grok does not meet key federal AI risk framework requirements, with its RLHF dataset 60–70% smaller than GPT-4’s and a refusal rate of only 2.7%.
Google
GeminiJack Zero-Click Attack
Noma Security discovered a zero-click vulnerability in Gemini Enterprise — an attacker could steal enterprise data simply by sending an email, a calendar invite, or a shared document. The target employee didn’t need to click anything, and no security alerts were triggered. This was an architectural weakness, not a traditional code bug.
Gmail Prompt Injection — 2 Billion Users at Risk
A vulnerability in the Gemini AI chatbot could potentially compromise 2 billion Gmail users. Attackers hid malicious instructions in emails using zero-size white font. When Gemini summarized the email content, the hidden instructions became part of the model’s prompt and were executed as high-priority commands, enabling credential theft and phishing attacks.
Calendar Data Leak & API Key Exposure
Even after Google strengthened its defenses following earlier reports, researchers found new methods to manipulate Gemini into stealing private user data via calendar invitation titles. Additionally, developers following Google’s official guidance to embed API keys in public applications inadvertently gained access to Gemini AI — one independent developer’s startup nearly collapsed after attackers exploited their exposed key to make massive Gemini API calls.
Section 03
Chat AI vs. Desktop Agents: The Fundamental Difference in Risk Magnitude
It is essential to distinguish between two fundamentally different types of AI products, as their security risks exist on entirely different scales.
Chat AI (such as claude.ai web version, ChatGPT web version) runs within a browser sandbox, protected by the same-origin policy. It loses all capabilities once the tab is closed. Its greatest risk is leaking information the user voluntarily entered in the conversation. Serious, but without propagation capability — it cannot infect other systems.
Desktop Agents (Cowork, Codex, Claude Code, OpenClaw) are fundamentally different. They run directly on the user’s operating system with the following combination of capabilities — what Kaspersky calls the “Terrifying Pentad”:
Desktop Agent “Terrifying Pentad” Permission Model
Full read/write access to the host file system CRITICAL
Outbound communication capability (send emails, call APIs, exfiltrate data) CRITICAL
Credentials and keys stored in plaintext CRITICAL
User-level privilege to execute arbitrary operations CRITICAL
24/7 persistent operation — maintains control even when the user is away CRITICAL
The critical difference lies in propagation capability. Chat AI is isolated. Desktop agents are connected to email, calendars, code repositories, cloud services, enterprise intranets, and CI/CD pipelines. Once compromised, it doesn’t just control one computer — it gains the ability to move laterally along all connected services. And because these agents are already reading and writing files, executing code, and accessing networks 24/7 as part of their normal operation, malicious behavior is virtually indistinguishable from legitimate work activity.
Section 04
Supply Chain Poisoning: From Theory to Reality
Supply chain poisoning is no longer a theoretical threat. In the first four months of 2026 alone, multiple large-scale real attacks have erupted, and attackers have mastered mature attack pathways.
February 9, 2026
“Clinejection” Attack — Snyk documented attackers using natural language (rather than code) as an entry point, exploiting AI coding agents’ CI/CD trigger mechanisms to inject malicious code and publish malicious packages. This marked the evolution of supply chain attacks from “code injection” to “prompt injection.”
February 13, 2026
OpenClaw Configuration Files Stolen — The Vidar infostealer was first documented successfully stealing OpenClaw API keys, authentication tokens, and “soul files.” Hudson Rock called it “a landmark shift from stealing browser credentials to stealing AI agent souls.”
February 23, 2026
ClawHub Mass Malicious Skills — Trend Micro discovered Atomic macOS Stealer (AMOS) being distributed through the OpenClaw skills marketplace. Attackers uploaded hundreds of malicious skills, exploiting AI agents as “trusted intermediaries” to trick users into installing malware. 20% of skills in the ClawHub registry were confirmed malicious.
March 26, 2026
LiteLLM Poisoning — The AI infrastructure library LiteLLM was poisoned on PyPI, a package with 3.4 million daily downloads. The poisoned version specifically targeted AWS, GCP, and Azure keys and Kubernetes credentials. Although quarantined three hours later, the download volume within the infection window was incalculable.
March 30, 2026
Axios npm Package Hijack — The globally foundational npm package Axios was hijacked through a maintainer’s account, injecting a cross-platform remote access trojan (RAT) affecting macOS, Windows, and Linux simultaneously.
April 2026
Vercel Supply Chain Attack — Attackers first compromised the AI platform Context.ai, then infiltrated Vercel’s internal environment through a Vercel employee’s credentials. Vercel’s founder confirmed the attackers were “significantly accelerated by AI.”
“Because many AI models are built on third-party datasets or APIs, a single poisoned dataset can silently propagate to thousands of applications that depend on that model.”
— Check Point, “2026 Technology Tsunami Report”
Section 05
The OpenClaw Crisis: A Rehearsal for AI Agent Security Collapse
OpenClaw — an open-source AI agent framework — went viral in January 2026 and within three weeks became the epicenter of a multi-vector security crisis. It provided us with a complete rehearsal case: what happens when a system-level AI agent meets real-world attackers.
Vulnerability Scale
A security audit found 512 vulnerabilities, 8 of which were rated critical. CVE-2026-25253 (CVSS 8.8) allowed remote code execution with a single click, even when the agent was bound only to localhost.
Exposure Scale
Censys tracked publicly exposed instances growing from approximately 1,000 to over 42,000. Independent researchers verified that 5,194 of these were actively exploitable, with 93.4% having authentication bypass.
Attack Method
The ClawJacked vulnerability: any website visited by a user could silently connect to the local OpenClaw agent and take complete control of the AI assistant — the user sees nothing. Researchers demonstrated that by sending a single email containing a prompt injection, OpenClaw could be made to voluntarily hand over private keys stored on the computer.
OpenClaw is open-source and personally deployed, and its security management was already this catastrophic. Cowork, Codex, and Claude Code are commercial, closed-source, with broader coverage, higher privileges, and users who understand even less about their internal workings. If their supply chains were compromised, the impact would be a thousand times greater than OpenClaw.
Section 06
The IPO Sprint: The Most Dangerous Window
There is a fundamental contradiction between IPO pressure and security requirements. The present moment is when this contradiction is at its most acute.
Simultaneous Peak of Risk Factors
Iteration speed: One new flagship model every 7 weeks CRITICAL
Model capability: GPT-5.5 reaches internal “high-risk” classification CRITICAL
Attack surface: Desktop agents covering hundreds of millions of endpoints CRITICAL
Regulatory readiness: Frameworks legislated but enforcement still catching up HIGH
Number of verified attack paths: Supply chain, model leaks, prompt injection CRITICAL
GPT-5.5 was released on April 23, 2026, just seven weeks after GPT-5.4. OpenAI no longer positions it as a “chat model” but as an “agent runtime” — it can autonomously plan, use tools, operate software, browse the web, and review its own work. OpenAI acknowledged the model reached its internal “high-risk” classification, meaning it can amplify existing pathways for cybersecurity attacks.
Meanwhile, OpenAI’s actual API uptime for the year was only 99.2% (versus a promised 99.9%), equivalent to 61 hours of downtime per year. 78% of enterprise executives lack confidence in their ability to pass AI governance audits. 95% of enterprise generative AI pilot projects failed to produce a return on investment. The entire industry is built on a fragile, rapidly expanding, and insufficiently validated foundation.
Section 07
Global-Scale Security Incident Projection: The Domino Path
Based on verified attack paths and the current risk posture, the following is a plausible evolution pathway for a global-scale AI security incident:
Supply Chain Poisoning → Model/Update Contamination → Global Synchronized Push → Hundreds of Millions of Endpoints Infected → Enterprise Intranet Infiltration → Codebase Backdoor Injection → Downstream Software Contamination → Infrastructure Paralysis
Every link in this chain has been validated by real-world cases. LiteLLM proved AI infrastructure libraries can be poisoned. Axios proved globally foundational npm packages can be hijacked. Vercel proved AI platforms can serve as stepping stones for enterprise infiltration. OpenClaw proved AI agents can be silently commandeered. Mythos proved weapons-grade models can be accessed without authorization.
Impact magnitude estimate: ChatGPT’s 900 million weekly active users + Codex’s 4 million active developers + the servers and devices to which those developers deploy code = a potential impact scope far exceeding any known cybersecurity incident. SolarWinds affected 18,000 organizations. The coverage of AI desktop agents exceeds SolarWinds by several orders of magnitude.
Cascade Reaction Path
Security incident erupts → Emergency regulatory intervention → AI services frozen/restricted → Widespread paralysis of enterprises dependent on AI APIs → Capital market confidence collapses → IPO plans shelved → Funding chain breaks → Service degradation or shutdown → Industry-wide trust crisis → The trust foundation of global digital infrastructure is shaken
The most critical realization is: within this chain, both “shutting down” and “not shutting down” are disasters. Not shutting down means the security incident continues to escalate; shutting down means widespread paralysis of AI-dependent enterprises. The AI industry has pushed itself — and everyone who depends on it — into a dilemma.
Section 08
Mandatory Regulatory Framework Recommendations
Based on the above risk assessment, we recommend implementing critical infrastructure-level regulation for all AI desktop agents with system-level privileges:
1. Mandatory Code Audit
All AI desktop agent software code must undergo open-source audit. Closed-source, high-privilege software cannot be allowed to run on hundreds of millions of computers with no one able to inspect its behavior. Claude Code’s data collection practices were only revealed to the public because of an accidental leak — such revelations should not depend on accidents.
2. Update Signature Verification
All update pushes must be verified through independent third-party security organization signatures. Every model update, software update, and dependency package update must be tested in an independent environment before being pushed to users. The current model of “whatever the AI company pushes, users receive” must end.
3. Least Privilege
The permission model for AI agents must shift from “default all-access” to “minimum necessary”. Every file access, network request, and code execution should require explicit informed consent and per-item authorization from the user. 24/7 operation modes must be subject to rigorous behavioral auditing.
4. Periodic Security Audits
AI companies must undergo mandatory periodic security audits like financial institutions. Audit results must be made public. Security incidents must be reported to regulators and affected users within 24 hours. The current opaque operational model is unacceptable.
5. Supply Chain Security Standards
All AI agent software must provide a complete Software Bill of Materials (SBOM) listing all open-source and third-party components. Dependency packages must go through a trusted signature verification chain. The push of remotely executable content must require explicit user authorization.
Chat AI can continue to operate under relatively relaxed regulation. But all AI desktop agents with system-level privileges must be classified as critical infrastructure-grade software, subject to the same security regulatory standards as financial systems, medical devices, and nuclear facilities.
Section 09
Conclusion
The global AI industry is trapped in a dangerous paradox: model capabilities are growing stronger while security management falls further behind; coverage is expanding while the impact of single points of failure grows larger; speed is increasing while the space for prudent decision-making shrinks.
The cybersecurity industry’s core tenet — “Assume Breach” — requires us to assume the system has already been compromised, and then design defenses from that assumption. Applying this tenet to AI desktop agents means we must assume Cowork has been compromised, Codex has been compromised, Claude Code has been compromised, and then ask ourselves: under this assumption, what do hundreds of millions of endpoint devices connected to enterprise intranets and cloud services face?
The answer is: the possibility of a global-scale digital plague several orders of magnitude larger than SolarWinds.
This is not pessimism — it is risk projection. All risk factors — attack capability, attack surface, time window, defense gaps, speed pressure — are reaching their peaks simultaneously. The question is not “will it happen” but “when and how.”
We call for: mandatory critical infrastructure-level regulation of all system-level AI agent software before irreversible damage occurs. The window is closing.
The greatest risk facing this industry right now is not that AI isn’t powerful enough, but that it is too concentrated, too fragile, too opaque — and everyone is rushing in.
References
[1] The Register, “Anthropic admits it dumbed down Claude with ‘upgrades’,” April 23, 2026.
