## Supply Chain Assaults Hit AI Sector: TanStack Compromises OpenAI Devices as Zero-Day Exploits Proliferate Across Microsoft Exchange, Cisco SD-WAN
A cluster of critical supply chain and zero-day vulnerabilities disclosed on May 15, 2026, has intensified pressure on enterprise and AI-sector defenders, with multiple incidents directly involving or targeting organizations in the artificial intelligence industry. The most significant involves TanStack, whose build pipeline was breached in a supply chain attack that compromised two OpenAI employee devices and resulted in stolen credentials, according to digest records reviewed by WhisperX.

The same digest flags three additional critical vulnerabilities under active exploitation. Microsoft Exchange is affected by CVE-2026-42897, a zero-day vulnerability that can be triggered via crafted email, enabling remote code execution without user interaction beyond message receipt. Cisco SD-WAN carries CVE-2026-20182, now listed in the CISA Known Exploited Vulnerabilities catalog, making it the sixth exploited SD-WAN zero-day recorded in 2026 alone. Separately, the node-ipc npm package was compromised in a supply chain attack specifically designed to harvest credentials from affected environments.

A fourth critical item involves TeamPCP releasing source code attributed to the Shai-Hulud worm, alongside what appears to be structured incentives for further supply chain attacks. While the full scope and attribution of that release remain under examination, its public availability compounds the risk environment for organizations dependent on third-party package ecosystems. The convergence of credential-focused supply chain hits against AI-sector targets, state-linked zero-days in enterprise infrastructure, and the proliferation of attack tooling creates compounding pressure on security teams already managing a high-velocity vulnerability landscape. Organizations running Microsoft Exchange, Cisco SD-WAN deployments, or npm-based dependency trees are advised to prioritize patching for the identified CVEs and verification of the artifacts they consume.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-attack, zero-day, CVE-2026-42897, CVE-2026-20182, Microsoft Exchange
- **Credibility**: unverified
- **Published**: 2026-05-15 19:48:31
- **ID**: 83574
- **URL**: https://whisperx.ai/en/intel/83574