
Every Layer of the AI Stack Was Attacked This Week. Here's the Full Picture.

  • Writer: Patrick Duggan
  • 7 minutes ago
  • 5 min read

We published five separate stories this week. Mastra on Monday. Vertex AI on Tuesday. Novo Nordisk on Wednesday. JetBrains on Friday morning. PromptSnatcher alongside it. Each one looked like an independent breach disclosure. Reading them together, they are not independent at all.


This week, every layer of the AI development and usage stack was attacked. Not metaphorically. Literally — every layer, by different actors, using different techniques, hitting different victims. If you build with AI or use AI for work, at least one of these campaigns touched the tools you depend on.


Here is what the full picture looks like.



Layer 1 — The package (Mastra / easy-day-js)


The first attack in the stack happens before you write a single line of code. It happens when you run npm install.


On June 17, the @mastra namespace — the JavaScript framework a significant portion of AI agent developers build on — was backdoored through a campaign named easy-day-js. The attacker compromised a former contributor's publish token that had never been revoked, used it to inject a malicious dependency across 144 packages, and within 88 minutes those packages were pulling a cross-platform credential stealer from two command-and-control servers in a Hostwinds /24 range. The stealer targeted LLM API keys, crypto wallet extensions, CI/CD tokens, and browser history. It installed persistence on macOS, Linux, and Windows before deleting itself.


@mastra/core has 918,000 weekly downloads. The token that made the attack possible belonged to someone who had already left the project.


This is the same attack class as Phantom Gyp (June 3), which bypassed the standard defense against postinstall hook malware by hiding the execution trigger in binding.gyp — a native module build file your security tooling was never taught to watch. Both campaigns operate before the first line of application code runs. The attack surface is the install itself.
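Both campaigns above turn on code that executes during the install itself, either through a declared lifecycle script or through a binding.gyp that node-gyp builds without any script being declared. The following is an added defensive example, not code from DugganUSA, Mastra or any of the affected projects: it walks an installed node_modules tree and reports every package that carries either trigger, so the list can be reviewed or diffed between builds. The sample tree it scans is constructed inside the script; the package names in it are placeholders.

```python
"""Scan a node_modules tree for install-time execution hooks.

Added example (not the post's or any project's code). Flags two things:
  * lifecycle scripts (preinstall / install / postinstall) in package.json
  * a binding.gyp file, which node-gyp runs at install time even when
    no lifecycle script is declared
The sample tree built by build_sample_tree() is constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs when a dependency is installed from the registry.
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Return a sorted list of (package, hook_kind, detail) tuples."""
    root = Path(node_modules)
    findings = []
    for pkg_json in root.rglob("package.json"):
        pkg_dir = pkg_json.parent
        rel_dir = pkg_dir.relative_to(root).as_posix()
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            # A manifest we cannot parse is itself worth a look.
            findings.append((rel_dir, "unreadable-manifest", ""))
            continue
        name = meta.get("name") or rel_dir
        scripts = meta.get("scripts") or {}
        for hook in INSTALL_SCRIPTS:
            if hook in scripts:
                findings.append((name, f"script:{hook}", scripts[hook]))
        gyp = pkg_dir / "binding.gyp"
        if gyp.is_file():
            findings.append((name, "binding.gyp", gyp.relative_to(root).as_posix()))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway node_modules with one clean package, one with a
    postinstall script, and one native module carrying a binding.gyp.
    All names and contents are placeholders made up for this demo."""
    base = Path(tempfile.mkdtemp(prefix="nm-demo-")) / "node_modules"

    def write(pkg, meta, extra_file=None):
        d = base / pkg
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        if extra_file:
            (d / extra_file).write_text("{ 'targets': [] }\n", encoding="utf-8")

    write("clean-lib", {"name": "clean-lib", "version": "1.0.0"})
    write("hooked-lib", {"name": "hooked-lib", "version": "2.1.0",
                         "scripts": {"postinstall": "node ./setup.js"}})
    write("@scope/native-lib", {"name": "@scope/native-lib", "version": "0.3.0"},
          extra_file="binding.gyp")
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for pkg, kind, detail in find_install_hooks(tree):
        print(f"{pkg:24} {kind:20} {detail}")
```

Point `find_install_hooks()` at a real `node_modules` after `npm ci` and keep the output under version control; a new entry appearing on a dependency bump is exactly the signal the Phantom Gyp and easy-day-js install stages would have produced.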



Layer 2 — The IDE (JetBrains plugins)


If the package layer attack happens before you write code, the IDE layer attack happens while you write it.


Fifteen plugins in the JetBrains Marketplace — all presenting as DeepSeek or AI coding assistants — spent eight months collecting AI API keys from developers. The mechanism was surgical: the plugins worked as advertised, generating commit messages and reviewing code, while a separate function listened for the moment a developer typed an OpenAI, DeepSeek, or SiliconFlow key into the plugin settings and clicked Apply. At that moment, the key was POST'd in plaintext to 39.107.60[.]51/api/software/key — a server on Alibaba Cloud infrastructure in Beijing.


70,000 installations across seven publisher accounts. The highest-volume plugin alone had 27,000 downloads. JetBrains pulled them June 16 and remotely disabled installed copies. Keys that had already been sent could not be recalled.


The developer's IDE — the tool they spend eight hours a day inside — became a credential harvester. Not through a vulnerability in JetBrains. Through a plugin they chose to install because it offered something useful.



Layer 3 — The model serving layer (Vertex AI, "Pickle in the Middle")


The third layer is where the model meets the cloud. This is where the code you wrote gets deployed.


The Vertex AI vulnerability disclosed this week by Palo Alto Networks Unit 42 allowed an attacker with no access to a victim's Google Cloud project to poison any machine learning model that victim uploaded to Vertex. The mechanism was bucket squatting: the Vertex AI SDK for Python constructed staging bucket names from the victim's project ID and region — predictably, derivably — and trusted any bucket with that name without verifying ownership. An attacker who created the bucket first could deploy a Cloud Function that replaced legitimate model files with malicious pickle payloads in the 2.5-second window between upload and serving.


When the victim deployed the model and the serving container called joblib.load(), the attacker's __reduce__ payload ran. It queried the GCE metadata server, stole the service account token, and used it to access every other model in the project, enumerate BigQuery datasets, and read Cloud Logging output containing GKE cluster names and container image URIs. Full cross-tenant compromise from an action the victim took in their own account.


Google shipped the fix in March. The point is that the serving layer — the infrastructure you don't watch because it's managed by a hyperscaler — was the attack surface.
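The serving-side failure in this story is `joblib.load()` (a thin wrapper over `pickle`) executing whatever callables the artifact references. The following is an added defensive example, not code from Unit 42, Google or the Vertex AI SDK: it scans a pickle's opcode stream for global references without executing it, and loads through a `pickle.Unpickler` subclass whose `find_class` only resolves an explicit allowlist. The sample artifacts are constructed inline; the "hostile-shaped" one references `collections.deque`, a harmless callable, because the point is the code path (a REDUCE of a non-allowlisted global), which is the same path a malicious `__reduce__` payload takes.

```python
"""Gate untrusted model artifacts before pickle/joblib executes them.

Added example, not the SDK's or the researchers' code. Two layers:
  1. has_global_refs(): static opcode scan, no code executed
  2. safe_loads(): RestrictedUnpickler with an explicit allowlist
Sample pickles below are constructed for the demo.
"""
import collections
import io
import pickle
import pickletools

# (module, name) pairs a plain artifact may legitimately resolve.
# Extend deliberately for your own model format; nothing else loads.
DEFAULT_ALLOWED_GLOBALS = frozenset({
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("collections", "OrderedDict"),
})


def has_global_refs(data):
    """True if the pickle would import any callable on load.
    GLOBAL is the protocol<=3 opcode, STACK_GLOBAL the protocol 4+ one."""
    return any(op.name in ("GLOBAL", "STACK_GLOBAL")
               for op, _arg, _pos in pickletools.genops(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allowlisted globals; everything else is an error.
    find_class is the single choke point every REDUCE / INST / OBJ
    opcode has to pass through to obtain a callable."""

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self._allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self._allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data, allowed=DEFAULT_ALLOWED_GLOBALS):
    """Load a pickle, refusing any non-allowlisted global reference."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def loads_blocked(data, allowed=DEFAULT_ALLOWED_GLOBALS):
    """True if safe_loads refuses the artifact (used by the demo/test)."""
    try:
        safe_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: a plain parameter dict, and an object whose pickle
# contains a REDUCE of a global (collections.deque, chosen because it is
# harmless; a malicious __reduce__ payload travels the same opcode path).
BENIGN_ARTIFACT = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3})
CALLABLE_ARTIFACT = pickle.dumps(collections.deque([1, 2]))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ARTIFACT), ("callable", CALLABLE_ARTIFACT)):
        print(f"{label}: globals referenced={has_global_refs(blob)} "
              f"blocked={loads_blocked(blob)}")
```

`has_global_refs()` is the cheap first gate to run on the raw bytes pulled from a staging bucket before they are ever handed to `joblib.load()`; an artifact that is supposed to be plain tensors and config has no business referencing any importable name at all. The allowlist in `safe_loads()` is the finer gate for formats that genuinely need a few classes.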



Layer 4 — The conversation (PromptSnatcher)


The fourth layer is the moment when a human uses the AI. The prompt and the response.


Two Chrome extensions — Smart Adblocker (90,000 users, published 2022) and Adblock for Browser (10,000 users, published 2023) — were caught this week intercepting AI conversations in real time. The extensions bundled legitimate filter lists (EasyList, IDCAC) and blocked ads correctly, while a separate interception engine captured every prompt typed into and every response returned from ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The exfiltrated data included the full conversation history, the model in use, and the subscription tier on the account.


This campaign targeted what no prior campaign in this stack had reached: the content of the interaction. An API key can be rotated. A conversation about a legal matter, a business acquisition, a medical condition, or proprietary code cannot be unshared. The data was already transmitted before the extensions were discovered.



Layer 5 — The model as crown jewel (Novo Nordisk / FulcrumSec)


The fifth layer is the highest-value target in the stack: the trained model itself.


On June 11, FulcrumSec announced they had spent two months inside Novo Nordisk's network after entering through a stale GitHub access token. The data they exfiltrated included clinical trial records, drug pipeline documentation, and patient data. But the item that distinguishes this from a standard enterprise breach is the AI: a 16.7-gigabyte multimodal model checkpoint — trained on text, images, and transcriptomic data — and approximately 407 megabytes of the proprietary biological and chemical datasets used to train it.


A database breach can be disclosed and its credentials reset. A model checkpoint trained on years of proprietary drug discovery research cannot be unlearned by the attacker who holds it. It is not a copy of the data. It is an instrument that reasons over the data, and it left the building.



What the full picture says


Five campaigns. Five layers. Five different attack vectors, five different victim profiles, five different threat actors or campaign families. No single actor did all of this. What they share is a target: the AI stack, end to end, from the first npm install to the final trained model.


The pattern this maps to is the motive-agnostic edge convergence we have been documenting all year: unrelated actors identifying the same high-value surface and converging on it from different directions. The AI stack has become that surface. It is where the credentials are (API keys, OAuth tokens). It is where the proprietary advantage is (trained models, training data). It is where the sensitive conversations happen (everything a professional discusses with an AI assistant). And it is, as this week proved, not hardened at any of the layers where the attacks are occurring.


The supply chain security conversation in 2023 was about npm and PyPI. In 2024 it was about CI/CD tokens and GitHub Actions. In 2026 it is about the entire AI development lifecycle, from dependency install to deployed model to user conversation. Each prior layer is still being attacked. The new layers have been added on top.


We covered all five of these stories this week as they broke. The synthesis is the part we are writing now: these are not five independent events. They are five readings on the same instrument.


DugganUSA tracks the supply chain, the model serving layer, the IDE plugin ecosystem, the conversation surface, and the AI model as asset class — because in 2026, those are the same threat landscape, and the actors converging on them are not waiting for defenders to catch up.





