Another week, another supply chain attack. Plus Google confirms what we all suspected about AI-powered hacking.

TanStack Got Compromised Through npm

The popular React Query library (TanStack) published a detailed postmortem after hackers compromised its npm packages. The attackers got in through a maintainer’s account and pushed malicious code to production packages.

The attack worked because modern JavaScript development relies on thousands of dependencies. One compromised package can infect entire applications. TanStack caught it quickly, but not before the malicious version was downloaded thousands of times.

This matters because your development pipeline is only as secure as its weakest dependency. Every package your AI coding tools pull in is a potential attack vector. Companies need dependency scanning that actually works, not just compliance theater.
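
One check that follows from a compromise like this is confirming whether a version named in an advisory ever landed in your dependency tree, including as a transitive dependency. The script below is an added example, not code from the original post or from TanStack; the package names, versions, advisory list and sample lockfile are constructed placeholders, and it assumes npm's lockfileVersion 2/3 "packages" layout.

```javascript
// Constructed package-lock.json (lockfileVersion 3); all names are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-query": {
      version: "5.0.1",
      resolved: "https://registry.npmjs.org/example-query/-/example-query-5.0.1.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/example-query/node_modules/example-core": {
      version: "2.3.0", // transitive dependency, never listed in package.json
      resolved: "https://registry.npmjs.org/example-core/-/example-core-2.3.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/@example/util": {
      version: "1.2.0",
      resolved: "https://tarballs.example.invalid/util-1.2.0.tgz",
    },
  },
};
// Hypothetical advisory: versions a postmortem reported as malicious.
const ADVISORY = { "example-core": ["2.3.0", "2.3.1"] };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i < 0 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, advisory, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip root project and workspace links
    const name = entry.name || packageName(path); // aliases record the real name
    const add = (issue) => findings.push({ path, name, version: entry.version, issue });
    const bad = Object.hasOwn(advisory, name) ? advisory[name] : [];
    if (bad.includes(entry.version)) add("advisory-version");
    if (entry.inBundle) continue; // bundled deps ship inside the parent tarball
    if (!entry.resolved || !entry.resolved.startsWith(registry)) add("non-registry-source");
    if (!entry.integrity) add("missing-integrity");
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK, ADVISORY)) {
  console.log(`${f.issue}: ${f.name}@${f.version} (${f.path})`);
}
```

Run against a real project by passing the parsed contents of package-lock.json, and fail the CI job when the returned list is non-empty.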

AI Found a Zero-Day Before Humans Did

Google’s Threat Analysis Group confirmed that criminal hackers used AI to discover a previously unknown software vulnerability. This is the first documented case of AI being used to find a zero-day in the wild.

The hackers didn’t just use AI to write exploit code for known bugs. They used it to actually discover new vulnerabilities that human researchers hadn’t found. Google didn’t specify which AI model or technique was used.

This changes the security game completely. If AI can find bugs faster than humans can patch them, we’re entering an era where defense needs to be AI-powered too. Manual security reviews won’t keep up.

For businesses, this means your security team needs AI assistance, not just your development team. The same AI that helps your engineers write code faster can help attackers find ways to break it faster.

What This Means for AI Teams

Both stories point to the same problem: traditional security approaches don’t scale when AI accelerates everything else.

At Kerios, our autonomous AI teams don’t just write code—they understand the security implications of what they’re building. When an AI agent deploys infrastructure or integrates with third-party services, it evaluates the security posture automatically. No human needs to manually review every dependency or scan every code change.

That’s not just faster development. It’s development that stays secure even when the threat landscape moves at AI speed.
