
Hackers are not really breaking in any more. They are walking through doors we hold open for them.
This past week made the shift plain. Two campaigns showed that the things developers trust most, open-source code and AI tools, have become the easiest way to attack them.
1,000 poisoned packages
The first is a group called TeamPCP. In under four months, it has injected malicious code into more than 1,000 open-source software packages, according to CyberScoop. It started with a single tool in February and has barely slowed since.
The method is not clever, and that is the point. Most companies pull in code automatically and rarely check that it is safe. TeamPCP simply abuses that blind faith. Together, the poisoned packages rack up roughly 500 million downloads a week.
The named victims are a who’s-who: Bitwarden, Red Hat, SAP, PyTorch Lightning, even GitHub itself. Yet the group does not seem to be chasing money. Researchers say it is after chaos and notoriety, having pocketed only about $90,000 in extortion. One security firm now estimates a roughly 1-in-10 chance that any package an organisation installs could trigger an active attack.
AI makes it worse
AI is pouring fuel on this. Developers used to vet their dependencies, however loosely. Now coding agents install packages on their own, often with no human checking. “There’s in some cases virtually no human in the loop,” Socket’s Feross Aboukhadijeh told CyberScoop.
Those same agents are targets, too. Researchers have shown that a fake bug report can hijack an AI coding agent and make it run an attacker’s commands. Self-spreading worms are already tearing through code registries, and a poisoned editor extension recently let attackers steal thousands of GitHub repositories.
Even Claude became a weapon
The second campaign is sneakier. Hackers turned Anthropic’s Claude against its own users. They abused “Shared Chats”, a feature that lets people post public links to past conversations.
Here is how it worked. The attackers staged fake “Apple Support” chats on claude.ai, telling macOS developers to paste a command into their Terminal. Then they bought Google ads for searches like “Claude Code on Mac” to send victims there. Because the links sat on Claude’s own trusted domain, they looked safe.
Trend Micro counted more than 2,000 victims, most in the Asia-Pacific region. Anthropic has since banned the accounts and disabled the conversations.
Why it matters
The thread tying these together is trust. Attackers no longer need a clever exploit. They just need something you already believe in: a package registry, a coding agent, a familiar domain. As one industry bulletin put it, “legitimate” is not the same as “safe”.
For the industry, that is an uncomfortable reset. It means watching the tools people trust, not just the files they download. It means treating a package install as what it is, code execution on the developer's machine (install hooks run with the developer's privileges), and treating an AI agent as a user account with its own permissions and audit trail rather than as a borrowed pair of hands. The web did not break this week. It just got used exactly as designed, which may be the harder problem to fix.
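One concrete form of "treating a package install like running code", which also serves as a gate in front of an agent's unattended installs (the no-human-in-the-loop problem described earlier), is to refuse any requirements file that is not fully pinned and hash-verified before pip ever runs. The script below is an added example written for this page, not code from The Next Web, CyberScoop, Socket or any project named in the article. It parses pip's real requirements syntax, but the package set, the sample file and the digests (placeholders, not real checksums) are constructed for illustration.

```python
"""Pre-install audit for a pip requirements file (added example).

Treats "pip install -r" as code execution: every requirement must be
pinned to an exact version and carry a --hash so pip's hash-checking
mode can verify the artifact before any install hook runs. The sample
file, the package set and the digests below are constructed for this
example; the digests are placeholders, not real checksums.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;]+")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}  # hex length per algorithm


@dataclass
class Finding:
    line_no: int   # line in the requirements file where the requirement starts
    package: str
    problem: str


def _logical_lines(text: str):
    """Yield (first_line_no, joined_text) with comments stripped and
    backslash continuations joined, the way pip reads the file."""
    buf: list[str] = []
    start = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(p for p in buf if p)
        if joined:
            yield start, joined
        buf, start = [], None
    if buf:  # file ended inside a continuation
        joined = " ".join(p for p in buf if p)
        if joined:
            yield start, joined


def audit_requirements(text: str, allowed_algos=("sha256", "sha384", "sha512")) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means the file is clean."""
    findings: list[Finding] = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):
            continue  # pip options (-r, --index-url, ...) are outside this check
        m = NAME_RE.match(line)
        if not m:
            findings.append(Finding(no, line, "unparseable requirement"))
            continue
        name = m.group(0)
        if not PIN_RE.match(line):
            findings.append(Finding(no, name, "not pinned to an exact version with =="))
            continue
        hashes = HASH_RE.findall(line)
        if not hashes:
            findings.append(Finding(no, name, "no --hash, so pip cannot verify the artifact"))
            continue
        for algo, digest in hashes:
            expected = DIGEST_LEN.get(algo)
            if algo not in allowed_algos:
                findings.append(Finding(no, name, f"hash algorithm {algo} not allowed"))
            elif expected and len(digest) != expected:
                findings.append(Finding(no, name, f"{algo} digest has wrong length {len(digest)}"))
    return findings


def install_allowed(text: str) -> bool:
    """Gate for a wrapper around pip (or an agent's install tool): True only if clean."""
    return not audit_requirements(text)


# Constructed sample: one compliant requirement, then three policy violations.
SAMPLE = """\
# constructed requirements file for this example
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3>=1.26
certifi==2023.7.22
idna==3.4 --hash=md5:0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit_requirements(source)
    for f in problems:
        print(f"line {f.line_no}: {f.package}: {f.problem}")
    sys.exit(1 if problems else 0)
```

Run it as a pre-install hook, or have an agent's install tool call install_allowed() before it is permitted to shell out to pip. The audit only enforces the policy on the file; once the file passes, pip install --require-hashes -r requirements.txt makes pip itself refuse any download whose digest does not match, so a poisoned re-upload of a pinned version fails at fetch time rather than at the install hook.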
View original source: The Next Web