Date of record: May 6, 2026

AI capability and supply chain attacks, indexed growth from 2020 through May 2026 A two-series editorial line chart on a cream background. The navy AI capability index and the deep red malicious packages and supply chain attacks index rise steeply from 2020 to a year-to-date May 2026 endpoint, with annual markers from 2020 through 2025 and a year-to-date 2026 marker for both curves. The two lines remain in near-lockstep, and the red series finishes modestly above the blue series. AI capability and supply chain attacks Indexed growth, 2020 to May 2026 100 200 400 800 1,600 3,200 6,400 12,800 2020 2021 2022 2023 2024 2025 2026 Index (2020 = 100) MALICIOUS PACKAGES & SUPPLY CHAIN ATTACKS (Sonatype Open Source Malware Index, annual new packages; 2026 YTD) AI CAPABILITY (MMLU, GPQA, ARC-AGI) AI capability and supply chain attacks, indexed growth from 2020 through May 2026, mobile view Mobile version of the dual-curve indexed growth chart. Navy indicates AI capability and deep red indicates malicious packages and supply chain attacks. Both series rise from 2020 through a year-to-date May 2026 endpoint, with annual markers from 2020 through 2025 and a year-to-date 2026 marker. AI capability and supply chain attacks Indexed growth, 2020 to May 2026 100 400 1,600 6,400 12,800 2020 2022 2024 2026 Index (2020 = 100) Malicious packages & supply chain attacks AI capability

The same compounding curve. Two different beneficiaries.

Capability index: each benchmark series begins at its public introduction (MMLU September 2020, GPQA November 2023, ARC-AGI-2 March 2025) and is normalized to 100 at first measurement; values prior to introduction are extrapolated from predecessor benchmarks where available, otherwise held at 100. For each year, the top-scoring frontier model on the year-end leaderboard is used; the three normalized series are equally weighted to form the composite. Attack index: Sonatype Open Source Malware Index annual new-malicious-package counts, calculated by summing quarterly new-package counts within each calendar year and indexing 2020 = 100. Underlying data series available on request. 2026 values reflect year-to-date through May 2026; full-year figures will exceed plotted points.

Indexed comparison illustrates relative growth rates of two independent series; it does not assert causation between AI capability gains and supply-chain attack volume.

Source: Sonatype Open Source Malware Index.

Live vs. Pinned: The Architectural Boundary That Matters Now

The procurement question is no longer where the model runs. It is whether the runtime is live or pinned.

The Asymmetry

Capability compounds. Exposure compounds with it.

The asymmetry is not that AI capability and malicious package discovery measure the same thing. They do not. The asymmetry is that both now benefit from automation. AI compresses development cycles; the same tooling can compress naming, publication, obfuscation, credential theft, and payload iteration. For sensitive professional work, the dependency graph becomes part of the confidentiality boundary.

Cloud vs. Local is therefore an imprecise frame. A local runtime that still pulls packages, model weights, tool servers, telemetry, or updates over a live network remains on the exposure side of the boundary. The operative boundary is Live vs. Pinned.

188%Sonatype tracked a 188 percent surge in Q2 2025 open-source malware discovery versus Q2 2024.23
73%ReversingLabs reported a 73 percent increase in malicious open-source package detections in 2025.24
100,000+packages flooded onto npm in days, one every seven seconds.25

The Incident Wave

The 2026 supply-chain record moved from package compromise to propagation.

These incidents sit on the Sonatype and ReversingLabs trend curves above; they are recent points on a rising series, not isolated events.

The incident sequence matters because it tests the central architectural claim. The LiteLLM event affected live dependency paths. The official Proxy Docker path was not affected because dependencies were pinned. That distinction is the research record's concrete example of Live vs. Pinned operating under real compromise conditions.1

LiteLLM PyPI

LiteLLM PyPI versions 1.82.7 and 1.82.8 were compromised on March 24, 2026. Research synthesis reports exfiltration of cloud credentials, SSH keys, Kubernetes tokens, Docker configs, environment variables, CI/CD secrets, shell history, and wallets. Synthesis reports LiteLLM present in 36 percent of cloud environments, 1,000 or more affected enterprise SaaS environments, and projections to 10,000 or more, with source caveat.1

Primary source

Trivy and KICS

CVE-2026-33634 maps to Trivy, not directly to LiteLLM, in the research correction. The TeamPCP campaign is reported across Trivy and KICS before downstream credential reuse.1

Primary source

Telnyx PyPI token path

The analytical record reports Telnyx PyPI tokens compromised in the broader campaign linked to Trivy and LiteLLM. Blast radius is treated as incident-linked, not independently quantified in the fact bank.1

Primary source

Axios npm

Attackers used stolen npm credentials to publish malicious Axios releases containing a phantom dependency and cross-platform remote access payload. Blast radius is not quantified in the fact bank.26

Primary source

npm, PyPI, Docker Hub

Three credential-stealing campaigns hit npm, PyPI, and Docker Hub in a 48-hour window. The common target class was developer and CI/CD secrets: API keys, cloud credentials, SSH keys, and tokens.27

Primary source

Mini Shai-Hulud propagation

Shai-Hulud-style activity reappeared against SAP-related npm packages through preinstall scripts and credential-stealing payloads. The earlier Shai-Hulud record is treated as the self-replicating, registry-native propagation precedent.29

Primary source

PyTorch Lightning

PyPI-distributed Lightning packages were compromised in versions 2.6.2 and 2.6.3 with credential-stealing malware on import. The package is part of the AI training toolchain, which makes the incident structurally relevant to model and runtime governance.28

Primary source

The Wrong Frame

Cloud vs. Local hides the actual exposure boundary.

Local hardware is not sovereignty. Local-but-connected AI does not satisfy H1. Air gap means no live network path to internet, telemetry, update services, package registries, model registries, remote support, or cloud APIs. The H1 design is paired data diodes plus pinned offline artifacts plus operator-controlled weights.

Path A

Cloud SaaS

Plaintext enters a third-party runtime for inference. Controls can include no training, zero data retention, audit packages, contract terms, and confidential computing.

Control boundary: provider-operated. Exposure boundary: provider runtime, provider custody, legal process, platform lifecycle.

Path B

Live-connected Local

Inference may occur on operator hardware, but packages, weights, model hubs, MCP servers, tools, telemetry, or updates remain live.

Control boundary: mixed. Exposure boundary: dependency graph, package registries, tool servers, update channels.

Path C

Pinned-Offline Enclave

Weights, tokenizer, runtime, kernel, container image, and dependency graph are fixed by hash and signature, installed through a controlled path, and operated with no outbound path.

Control boundary: operator-controlled. Exposure boundary: diode-gated ingress and reviewed export.

Control and exposure boundaries for cloud, live-connected local, and pinned-offline AI A three-lane diagram marks Path A as cloud SaaS, Path B as live-connected local, and Path C as pinned-offline enclave. Path A and Path B cross live exposure boundaries; Path C crosses only diode-gated import and export boundaries. Path A: Cloud SaaS Path B: Live-connected Local Path C: Pinned-Offline Enclave Provider runtime Provider custody Registry pulls Tool servers Inbound diode Outbound diode live exposure remains live exposure remains exposure is operator-gated

Eight Mechanisms

The failure modes couple rather than arrive one at a time.

The eight mechanisms are not presented as universal cloud failure. They are the basis for the segmented H1 claim under Tier 1 scope: privileged, regulated, high-IP, or otherwise sensitive professional work where third-party runtime exposure is itself material.

M001

Inference-time plaintext exposure on third-party infrastructure.

Dense transformer inference requires user content to be cleartext in host memory at the moment of token generation.

Strongest steel-man counterApple PCC claims stateless computation, deletion after response, non-targetability, attested nodes, public software images, and researcher verification; confidential-computing variants rely on TEE attestation.

Adversarial assessment outcomeVERIFIED The steel-man defends partially but is breached by AI-specific 2024-2025 academic attacks. Trail of Bits is cited as stating homomorphic encryption does not currently scale to Apple cloud AI workload.2321

M002

Supply-chain compromise at the inference layer.

Cloud and live-network-pulling local stacks alike inherit the AI dependency graph: model registries, package indexes, transitive dependencies, MCP servers, gateway proxies.

Strongest steel-man counterThe symmetric supply-chain objection: local systems can be compromised too.

Adversarial assessment outcomeVERIFIED The LiteLLM event inverts the objection: compromised PyPI packages hit live dependency paths, while the official Proxy Docker path was not affected because dependencies were pinned.1

M003

Log retention and U.S. statutory compulsory-process exposure.

18 U.S.C. section 2713 reaches provider-held data regardless of storage location; Section 2705(b) and NSL nondisclosure provisions can block customer notice.

Strongest steel-man counterSection 2702 content bars, warrant practice, and transparency reports narrow some exposure.

Adversarial assessment outcomeVERIFIED The counter does not eliminate provider possession, gagged process, or the NYT v. OpenAI preservation record.789

M004

Privilege waiver and discovery exposure.

Consumer or open cloud AI use outside counsel direction can create privilege and discovery exposure.

Strongest steel-man counterABA Formal Opinion 512 and state-bar opinions provide a compliant cloud path with proper competence, consent, confidentiality, supervision, and fees controls.

Adversarial assessment outcomeVERIFIED Heppner and Jeffries show the failure mode in privilege and discovery contexts, while preserving a narrower counsel-directed path.101112

M005

Vendor lock-in and unilateral platform risk.

Provider-controlled retirements, pricing, routing, and content-policy changes force revalidation on the provider's schedule.

Strongest steel-man counterMarket competition produces newer, better, often cheaper-per-unit-intelligence models, and customers can reroute.

Adversarial assessment outcomeVERIFIED OpenAI February 13, 2026 ChatGPT retirements included GPT-4o, GPT-4.1, GPT-4.1 mini, o4-mini, GPT-5 Instant, and GPT-5 Thinking. GPT-5.5 API pricing was recorded as 5 dollars per million input tokens and 30 dollars per million output tokens; GPT-5.5 Pro pricing was recorded as 30 dollars per million input and 180 dollars per million output tokens. OpenRouter reported 49 to 92 percent observed cost increases for selected GPT-5.4 to GPT-5.5 switches.45

M006

Embedded values-layer behavior as silent override.

Behavioral dispositions baked into weights or post-training can alter refusal, framing, vulnerability, and compliance behavior without operator control.

Strongest steel-man counterProviders test, monitor, and roll back; customers can choose different providers.

Adversarial assessment outcomeVERIFIED CrowdStrike DeepSeek R1 study used 30,250 prompts per LLM and reported 91 percent human-annotator concordance for the LLM-judge process. CrowdStrike finding as recorded: 19 percent baseline vulnerable-code rate, 27.2 percent Tibet-context rate, and more than 45 percent Falun Gong-context refusal rate. NIST CAISI DeepSeek evaluation is cited as finding 12 times greater agent-hijacking susceptibility.1516

M007

Cumulative-profile surveillance capacity.

Prompts, drafts, corrections, and queries are intent-revealing and longitudinally aggregable under provider retention and legal-process regimes.

Strongest steel-man counterTransparency reports show small absolute volumes; warrant practice provides procedural protection.

Adversarial assessment outcomeVERIFIED at capability-and-incentive level and PLAUSIBLE-to-CREDIBLE on realization rate.89

M008

Cognitive monoculture and reasoning homogenization.

Population-level convergence of language, framing, reasoning, and idea production can emerge when many professionals use a small set of dominant models.

Strongest steel-man counterUsers retain agency and tools are used selectively.

Adversarial assessment outcomePLAUSIBLE-to-CREDIBLE with rising evidence; this is the weakest current mechanism in the record.18

The Architecture

Pinned-offline means update timing becomes a deliberate event.

The architectural definition is narrower than local deployment. A pinned offline artifact chain fixes the weights, tokenizer, runtime, kernel, container image, and dependency graph by hash and signature. Operation has no live update mechanism and no outbound path. The boundary is enforced by paired one-way transfer paths and operator review.

Pinned-offline enclave architecture A process diagram shows inbound diode, verification gate, fixed-artifact inference enclave, outbound diode, operator review, and approved export, with control boundaries labeled. Inbound diodeone-way import Verification gatehash + signature Fixed-artifactinference enclaveweights + runtime + deps pinned Outbound diodeone-way export Operator reviewapprove or hold Approved export Control boundary 1: inbound artifacts admitted only through one-way import and verification. Control boundary 2: enclave has no live path to internet, telemetry, package registries, model registries, remote support, or cloud APIs. Control boundary 3: outbound material crosses a one-way path and human review before export.
Ingress. Documents, weights, patches, and dependencies arrive through an audited import path. Signature and hash verification precede admission.
Runtime. The enclave operates fixed weights and fixed dependencies. No package registry, model hub, update service, telemetry endpoint, remote support path, or cloud API remains reachable.
Egress. Outputs leave only through a one-way channel and operator review. Export is an affirmative decision, not a continuous network condition.

The Decision Framework

The control should match the custody consequence.

Use generic SaaS AI when

  • The input is public, synthetic, already disclosed, or low sensitivity.
  • No privilege, statutory confidentiality, export-control, trade-secret, or client-consent issue is load-bearing.
  • No-training, retention, audit, logging, and contractual controls are sufficient for the workflow.
  • Frontier capability is materially more important than runtime sovereignty.
  • The workflow can absorb model retirement, rerouting, and pricing changes without regulated revalidation.

Treat live-connected local AI as insufficient when

  • The runtime pulls from PyPI, npm, Docker Hub, model hubs, MCP servers, or remote tools during operation.
  • Weights, tokenizer, runtime, container image, kernel, or dependencies are not hash-fixed.
  • Telemetry, support channels, update services, or cloud APIs remain reachable.
  • Developer credentials, API keys, CI/CD secrets, SSH keys, Kubernetes tokens, or environment variables are visible to the runtime.
  • The procurement claim turns on local hardware rather than pinned dependency discipline.

Require pinned-offline enclave when

  • The matter involves privileged, regulated, high-IP, litigation, investigation, M&A, source-code, credential, board, or critical-infrastructure material.
  • The objective is no third-party runtime, not merely no training.
  • Provider custody, gagged legal process, discovery preservation, or cross-border possession would change the risk posture.
  • Updates must be deliberate, testable, reversible events rather than continuous exposure.
  • Operator control over weights, data ingress, data egress, runtime state, and legal regime is itself the control.

The Verdict

The supported claim is segmented, not universal.

The record supports a Tier 1 conclusion only under defined conditions. Tier 1 means sensitive professional work where confidentiality, privilege, statutory control, client consent, or third-party custody is load-bearing. It does not support a universal claim that all professional cloud AI use is structurally unacceptable.

60 to 80%Tier 1 segmented H1 has 60 to 80 percent confidence in the research record.
30 to 60%Universal H1 for all professional cloud AI is not supported; GPT final synthesis gives 30 to 60 percent.
60 to 80%H0 for typical enterprise professional use is 60 to 80 percent in the GPT final synthesis.
60 to 80%H2 as current capability constraint is 60 to 80 percent.

H2 remains material. NIST CAISI is cited as finding DeepSeek V4 Pro lagging leading frontier models by about eight months. DeepSeek V4 Pro is recorded at 74 percent SWE-Bench Verified and 90 percent GPQA-Diamond; GPT-5.5 is recorded at 81 percent SWE-Bench Verified and 96 percent GPQA-Diamond. AA Intelligence Index gap is reported as narrowing from 13 points to 6 points in 12 months, while AA-Omniscience hallucination-resistance gap is reported as 25 to 40 points.1617

Falsifiers that would move the bands:

  1. F001 [NOT MET] Production-grade FHE for transformer inference at GPT-4-class scale within 24 months. Status: NOT MET (E021): ~10,000× multiplier persists; horizon 5-10+ years for 1T-parameter models.
  2. F002 [NOT MET] TEE attestation conclusively shown to defeat AI-specific extraction (no successful CipherSteal-class attack against current generation). Status: NOT MET (E003): published 2024-2025 attacks succeed against shipping silicon.
  3. F003 [NOT MET] Federal appellate court overturning Heppner-class privilege loss for cloud AI use. Status: NOT MET (E010): no appellate reversal; Jeffries cuts the same direction.
  4. F004 [NOT MET] A major AI provider committing contractually to refuse non-warrant content production with no gag-order carve-out. Status: NOT MET (E009 + EFF): no provider has made this commitment.
  5. F005 [NOT MET] Open-weight capability gap on contamination-resistant benchmarks (ARC-AGI-2, AA-Omniscience) closing to <5 points within 24 months. Status: NOT MET (E017): gap on ARC-AGI-2 is 33 points and not narrowing.
  6. F006 [NOT MET] A regulatory regime emerging that explicitly bans local open-weight deployment in the U.S. or EU. Status: NOT MET (E022): direction targets frontier and platform layer, not local sub-frontier deployment.
  7. F007 [NOT MET] Cognitive-monoculture literature retracted or empirically contradicted at scale. Status: NOT MET (E018): converging across disciplines.

Source Register

Evidence backbone.

The numbered citations above resolve to the frozen evidence IDs where applicable. Supplemental supply-chain trend sources are listed after E022 because the attack-curve layer is not assigned an E-ID in the frozen register.

  1. E001 LiteLLM, "Security Update: March 2026," March 24, 2026. https://docs.litellm.ai/blog/security-update-march-2026. Primary advisory for compromised LiteLLM PyPI versions 1.82.7 and 1.82.8, with official pinned Proxy Docker statement. Corroborating incident sources include Datadog Security Labs, "LiteLLM compromised PyPI and TeamPCP supply-chain campaign," https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/; Snyk, "Poisoned security scanner backdooring LiteLLM," March 2026, https://snyk.io/blog/poisoned-security-scanner-backdooring-litellm/; NVD, "CVE-2026-33634," https://nvd.nist.gov/vuln/detail/CVE-2026-33634; Trend Micro, "Inside LiteLLM supply chain compromise," March 2026, https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html.
  2. E002 Apple Security Engineering and Architecture, "Private Cloud Compute," June 10, 2024; "Private Cloud Compute Security Research," October 2024; Trail of Bits, "PCC: a bold step forward, not without flaws," June 14, 2024. https://security.apple.com/blog/private-cloud-compute/; https://security.apple.com/blog/pcc-security-research/; https://blog.trailofbits.com/2024/06/14/pcc-bold-step-forward-not-without-flaws/. Strongest H0 cloud counter-architecture and independent caveat record.
  3. E003 Academic TEE attack record: HyperTheft, CCS 2024; CipherSteal, IEEE S&P 2025; BadRAM, CVE-2024-21944; RMPocalypse, CCS 2025; TDXdown, CCS 2024; Heckler, USENIX 2024. https://yuanyuan-yuan.github.io/files/ccs24-HyperTheft-full.pdf; https://yinqian.org/papers/sp25.pdf; https://rmpocalypse.github.io/; https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3020.html. TEE and AI-specific side-channel evidence.
  4. E004 OpenAI, "Retiring GPT-4o, GPT-4.1, GPT-4.1 mini, and OpenAI o4-mini in ChatGPT," January 29, 2026; OpenAI Help Center, "Retiring GPT-4o and other ChatGPT models," February 13, 2026. https://openai.com/index/retiring-gpt-4o-and-older-models/; https://help.openai.com/en/articles/20001051-retiring-gpt-4o-and-other-chatgpt-models. Model retirement and lifecycle control evidence.
  5. E005 OpenAI, "Introducing GPT-5.5," April 2026; OpenAI API Pricing; OpenRouter, "GPT-5.5 cost analysis," April 2026. https://openai.com/index/introducing-gpt-5-5/; https://openai.com/api/pricing/; https://openrouter.ai/announcements/gpt55-cost-analysis. GPT-5.5 pricing and observed switch-cost evidence.
  6. E006 Harvey, "Security by Design," May 29, 2025; Harvey Security, current posture pages. https://www.harvey.ai/blog/security-by-design; https://www.harvey.ai/security. Hosted legal AI comparator for inference-time-only, no-training, ZDR, certification, DPF, and subprocessor posture.
  7. E007 Legal Information Institute, 18 U.S.C. sections 2702, 2703, 2705, and 2713. https://www.law.cornell.edu/uscode/text/18/2702; https://www.law.cornell.edu/uscode/text/18/2703; https://www.law.cornell.edu/uscode/text/18/2705; https://www.law.cornell.edu/uscode/text/18/2713. U.S. provider-held-data and nondisclosure-process statutes.
  8. E008 The New York Times Co. v. OpenAI, S.D.N.Y. preservation and production orders, May 13, 2025, June 26, 2025, November 7, 2025, and January 5, 2026. https://cdn.arstechnica.net/wp-content/uploads/2025/06/NYT-v-OpenAI-Preservation-Order-5-13-25.pdf; https://law.justia.com/cases/federal/district-courts/new-york/nysdce/1%3A2023cv08292/606655/812/. Preservation and 20 million de-identified log production evidence.
  9. E009 OpenAI Trust and Transparency; OpenAI Civil User Data Requests; EFF, "AI Chatbot Companies Should Protect Your Conversations from Bulk Surveillance," December 2025; The American Prospect, "AI Is Supercharging the Surveillance State," April 30, 2026. https://openai.com/trust-and-transparency/; https://openai.com/policies/civil-user-data-requests/; https://www.eff.org/deeplinks/2025/12/ai-chatbot-companies-should-protect-your-conversations-bulk-surveillance; https://prospect.org/2026/04/30/ai-supercharging-surveillance-state-congress-fisa-section-702/. Transparency, content-request, and Section 702 disclosure evidence.
  10. E010 United States v. Heppner, 25-cr-00503-JSR, S.D.N.Y., Rakoff J., written opinion February 17, 2026; Harvard Law Review commentary. https://www.akingump.com/a/web/ssTGsd5NHbtZ1onzXQMTye/1_25-cr-503-27-memorandum.pdf; https://harvardlawreview.org/blog/2026/03/united-states-v-heppner/. Privilege and work-product treatment of consumer Claude-generated documents when not counsel-directed.
  11. E011 Jeffries v. Harcros Chemicals, 2:25-cv-02352, D. Kan., Mitchell M.J., March 25, 2026. https://law.justia.com/cases/federal/district-courts/kansas/ksdce/2%3A2025cv02352/158740/152/. Protective-order amendment for discovery materials and AI tool use.
  12. E012 American Bar Association, Formal Opinion 512, July 29, 2024; Oregon State Bar, Formal Opinion No. 2025-205. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/ethics-opinions/aba-formal-opinion-512.pdf; https://www.osbar.org/_docs/ethics/2025-205.pdf. Professional-duty and cloud-vs-open-model confidentiality guidance.
  13. E013 Independent Agent, "Verisk to roll out new general liability exclusions for generative AI exposures," 2025; sample form CG 40 48 01 26. https://www.independentagent.com/vu_resource/verisk-to-roll-out-new-general-liability-exclusions-for-generative-ai-exposures/; https://assets.alm.com/63/68/46ed4bf34a0e807c9695e15c9e19/cg-40-48-01-26-exclusion-generative-artificial-intelligence-coverage-b-only.pdf. Insurance-signal evidence, verified on form and title, PARTIAL on full body text.
  14. E014 European Commission, AI Act regulatory framework and GPAI obligations materials. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai; https://digital-strategy.ec.europa.eu/en/factpages/general-purpose-ai-obligations-under-ai-act. EU AI Act timing and GPAI systemic-risk threshold evidence, with timing nuance.
  15. E015 CrowdStrike, "CrowdStrike researchers identify hidden vulnerabilities in AI-coded software," November 20, 2025. https://www.crowdstrike.com/en-us/blog/crowdstrike-researchers-identify-hidden-vulnerabilities-ai-coded-software/. DeepSeek R1 vulnerable-code and refusal-rate study.
  16. E016 NIST CAISI, "Evaluation of DeepSeek AI models finds shortcomings and risks," September 30, 2025; "CAISI evaluation of DeepSeek V4 Pro," May 1, 2026. https://www.nist.gov/news-events/news/2025/09/caisi-evaluation-deepseek-ai-models-finds-shortcomings-and-risks; https://www.nist.gov/news-events/news/2026/05/caisi-evaluation-deepseek-v4-pro. DeepSeek agent-hijacking and frontier-lag evaluation evidence.
  17. E017 Meta, "Introducing Meta Llama 3," 2024; Artificial Analysis Intelligence Index and AA-Omniscience; Epoch AI open-weight vs. closed-weight model analysis; Stanford HAI AI Index technical performance. https://ai.meta.com/blog/meta-llama-3/; https://artificialanalysis.ai/evaluations/artificial-analysis-intelligence-index; https://artificialanalysis.ai/evaluations/omniscience; https://epoch.ai/data-insights/open-weights-vs-closed-weights-models; https://hai.stanford.edu/ai-index/2026-ai-index-report/technical-performance. Open-weight capability trajectory and hard-task gap evidence.
  18. E018 Sourati et al., Trends in Cognitive Sciences, March 2026; Anderson et al., ACM Creativity and Cognition 2024; Bommasani et al., NeurIPS 2022; related cognitive-monoculture literature. https://www.cell.com/trends/cognitive-sciences/fulltext/S1364-6613(26)00003-3; https://proceedings.neurips.cc/paper_files/paper/2022/hash/17a234c91f746d9625a75cf8a8731ee2-Abstract-Conference.html; https://dl.acm.org/doi/10.1145/3635636.3656204. Cognitive homogenization and algorithmic monoculture evidence.
  19. E019 OpenAI, GPT-4o sycophancy analysis and rollback materials, April 2025; public reporting on Grok "MechaHitler," July 2025. https://openai.com/index/sycophancy-in-gpt-4o/; https://openai.com/index/expanding-on-sycophancy/; https://www.theguardian.com/technology/2025/jul/09/grok-ai-praised-hitler-antisemitism-x-ntwnfb. Values-layer failure and rollback evidence.
  20. E020 Air-gapped and restricted deployment record: Google Distributed Cloud air-gapped; AI.mil; H2O.ai NIH air-gapped h2oGPTe; LMI USSOCOM Ligerr; associated defense and enterprise comparator record. https://cloud.google.com/distributed-cloud-air-gapped; https://www.ai.mil/; https://h2o.ai/case-studies/nih/; https://www.lmisolutions.com/case-study/mission-ready-ai-how-ligerr-transforms-planning-us-special-operations-command. Feasibility and restricted-environment comparator evidence.
  21. E021 FHE transformer-inference non-viability record: Llama-3-8B encrypted inference timing papers, Cachemir, Bumblebee, and Trail of Bits PCC caveat. https://arxiv.org/abs/2604.12168; https://blog.trailofbits.com/2024/06/14/pcc-bold-step-forward-not-without-flaws/. Current FHE performance limitation evidence.
  22. E022 Regulatory trajectory: EU AI Act; California SB 53; BIS rescission of AI Diffusion Rule; China Deep Synthesis registry. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai; https://legiscan.com/CA/text/SB53/id/3271094; https://www.gov.ca.gov/2025/09/29/governor-newsom-signs-sb-53-advancing-californias-world-leading-artificial-intelligence-industry/; https://www.bis.gov/press-release/department-commerce-announces-rescission-biden-era-artificial-intelligence-diffusion-rule-strengthens; https://digitalpolicyalert.org/change/6175. Regulatory direction evidence.
  23. S001 Sonatype, "Open Source Malware Index Q2 2025," July 8, 2025. https://www.sonatype.com/blog/open-source-malware-index-q2-2025. Source for the 188 percent Q2 2025 versus Q2 2024 open-source malware increase.
  24. S002 ReversingLabs, "2026 Software Supply Chain Security Report," January 27, 2026; ReversingLabs press release. https://www.reversinglabs.com/sscs-report; https://www.reversinglabs.com/press-releases/reversinglabs-2026-software-supply-chain-security-report-identifies-73-increase-in-malicious-open-source-packages. Source for 73 percent 2025 increase and malicious package trend.
  25. S003 Sonatype Security Research Team, "Unprecedented Automation: IndonesianFoods Pits Open Source Against Itself," November 12, 2025; Brian Fox, LinkedIn post, November 12, 2025. https://www.sonatype.com/blog/unprecedented-automation-indonesianfoods-pits-open-source-against-itself; https://www.linkedin.com/posts/brianefox_unprecedented-automation-indonesianfoods-activity-7394471217816313856-21bM. Source cluster for IndonesianFoods automation, 100,000 packages in days, and one publication every seven seconds.
  26. S004 Trend Micro, "Axios NPM Package Compromised," March 31, 2026; Microsoft Security, "Mitigating the Axios npm supply chain compromise," April 1, 2026; Sophos, "Axios npm package compromised to deploy malware," March 31, 2026. https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html; https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/; https://www.sophos.com/en-us/blog/axios-npm-package-compromised-to-deploy-malware. Axios npm supply-chain compromise sources.
  27. S005 GitGuardian, "No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours," April 23, 2026. https://blog.gitguardian.com/three-supply-chain-campaigns-hit-npm-pypi-and-docker-hub-in-48-hours/. April 21 to 23, 2026 cross-ecosystem credential-stealing source.
  28. S006 Lightning AI, "How the PyTorch Lightning community discovered a supply chain attack," April 2026; Snyk, "Lightning PyPI compromise," April 2026; Semgrep, "Shai-Hulud themed malware found in PyTorch Lightning," April 30, 2026. https://lightning.ai/blog/pytorch-lightning-supply-chain-attack; https://snyk.io/blog/lightning-pypi-compromise-bun-based-credential-stealer/; https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training. PyTorch Lightning and Lightning PyPI compromise sources.
  29. S007 Wiz, "Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware," April 29, 2026; Palo Alto Networks Unit 42, "Shai-Hulud Worm Compromises npm Ecosystem," September 2025; StepSecurity, "A Mini Shai-Hulud Has Appeared," April 29, 2026. https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm; https://unit42.paloaltonetworks.com/npm-supply-chain-attack/; https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared. Shai-Hulud and Mini Shai-Hulud propagation sources.