On Tuesday, Meta's 8,000 layoffs took effect. The AI pod restructuring is live. Internal backlash has been reported. According to industry trackers, the tech sector has shed an estimated 95,000+ jobs in 2026. That story is important, and we cover it below.
But the story that should keep enterprise leaders awake this week is quieter and more dangerous.
In March 2026, a threat actor calling itself TeamPCP executed a cascading supply-chain campaign across security and AI infrastructure tooling. Researchers reported compromises of Trivy, the open-source vulnerability scanner; Checkmarx KICS; and LiteLLM, the AI gateway library that public reporting puts at roughly 95 million monthly PyPI downloads. The LiteLLM compromise was especially serious: malicious PyPI releases v1.82.7 and v1.82.8 were published on March 24 and carried a multi-stage payload designed to harvest credentials, move laterally in Kubernetes environments, and establish persistence. The malicious releases were removed within approximately 40 minutes, but the lesson is larger than the exposure window: any pipeline that installed an unpinned litellm during those minutes ran the payload.
The AI infrastructure stack is now a first-order attack surface, and the tools you use to secure it — your vulnerability scanners, your AI gateways, your CI/CD pipelines — are themselves the attack vector.
Last week, Google confirmed the first AI-generated zero-day exploit. This week, we examine a supply chain campaign that turned AI infrastructure dependencies into the entry point. The threat model for enterprise AI is no longer about what your AI systems do. It is about what the systems underneath them have already done.
TL;DR
TeamPCP compromised LiteLLM, Trivy, and Checkmarx in a cascading supply chain campaign. LiteLLM — roughly 95 million monthly PyPI downloads, widely used in enterprise AI stacks — carried a multi-stage payload for approximately 40 minutes in March. The attack started by compromising Trivy, an open-source vulnerability scanner. The tools meant to protect your pipeline were the entry point.
Meta's 8,000 layoffs took effect May 20. The AI pod restructuring is live. Approximately 7,000 employees transferred to AI initiatives. Internal backlash: hundreds to more than 1,000 employees (depending on reporting) signed a petition against mouse-tracking software used for AI model training. The tech industry has cut an estimated 95,000+ jobs in 2026.
NTT DATA's 2026 Global AI Report: infrastructure has become a core constraint on enterprise AI adoption. 95% of organisations consider private or sovereign AI important to their strategy. 35% of CAIOs say enabling sovereign AI is their biggest barrier. 98% of C-suite executives say protecting proprietary IP through AI models is imperative.
Google launched the Gemini Enterprise Agent Platform at Cloud Next 2026 — a full-stack workspace to build, govern, and scale agents. Reports indicate a $750M partner innovation fund and an Agent Marketplace. The platform provides access to Gemini 3.1 Pro, Anthropic Claude, and 200+ models.
PROMPTSPY is the first known Android malware abusing a commercial LLM (Gemini) in its execution flow. It sends the device's live UI layout to Gemini and receives tap coordinates back — malware that uses an LLM to interpret device UI and automate interactions without human instruction.
The Brief
1. TeamPCP Supply Chain Attack: LiteLLM, Trivy, Checkmarx Compromised
In March 2026, a threat actor known as TeamPCP executed a cascading supply chain campaign reported across multiple ecosystems including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. The attack began on March 19 by compromising Trivy, a widely used open-source vulnerability scanner: 76 of 77 version tags of its GitHub Action (aquasecurity/trivy-action) were overwritten to point at malicious code. From there, TeamPCP pivoted to Checkmarx KICS (March 23) and LiteLLM (March 24) using CI/CD publishing tokens stolen in the earlier stages. The malicious LiteLLM packages (v1.82.7 and v1.82.8) were live on PyPI for approximately 40 minutes before quarantine. The payload included a credential harvester targeting 50+ secret categories, a Kubernetes lateral movement toolkit, and a persistent backdoor. LiteLLM averages roughly 95 million monthly PyPI downloads and is widely used in enterprise AI stacks.
Why it matters: This is not a hypothetical software supply chain risk. Your AI gateway, the component that routes LLM calls across your organisation, carried a backdoor. Your vulnerability scanner, the tool that checks your dependencies, was compromised first. The attack surface is not the AI model. It is the infrastructure that delivers the model to your systems. Every enterprise running LiteLLM, Trivy, or Checkmarx in its CI/CD pipeline needs to audit whether any pipeline installed the compromised LiteLLM releases or executed the poisoned Trivy or KICS action tags during the exposure windows.
Source: Trend Micro — Inside the LiteLLM supply chain compromise · Kaspersky — Trojanization of Trivy, Checkmarx, and LiteLLM · Datadog Security Labs — LiteLLM compromised on PyPI
2. Meta Layoffs Take Effect May 20 — Employee Revolt Underway
Meta's 8,000 layoffs — 10% of the workforce — took effect on Tuesday, May 20. An additional 7,000 employees are being transferred to AI-focused initiatives, meaning approximately 20% of the company's workforce is affected. The restructuring into AI-focused "pods" is now operational, with new role categories (AI builder, AI pod lead, AI org lead) being staffed. Internal backlash has been significant: according to Reuters, more than 1,000 employees signed a petition protesting the installation of mouse-tracking software used to train Meta's AI models, and protest materials have been reported at company offices.
Why it matters: This is the first major tech restructuring where the AI pod model is live in production, not announced in a memo. The internal backlash is also a signal: when workers discover their on-the-job behaviour is being harvested to train AI systems, resistance follows. For every enterprise planning a similar transformation, Meta is the template — including the governance gaps. The mouse-tracking backlash is what happens when data collection for AI training lacks a transparency framework.
Source: Republic World — Meta's brutal AI reset · BusinessToday — Meta internal memo reveals AI restructuring
3. NTT DATA: 96% Say Infrastructure Is Slowing AI Adoption
NTT DATA's 2026 Global AI Report, published May 19, surveyed over 2,500 senior decision-makers across 35 countries. The report argues that infrastructure has become a core constraint on enterprise AI adoption. 95% of organisations consider private or sovereign AI important to their strategy. 35% of CAIOs identify enabling sovereign AI as their single biggest barrier. 98% of C-suite executives say protecting proprietary IP through GenAI models is imperative. 96% are contemplating relocating AI infrastructure to specific regions due to geopolitical and supply chain pressures. The report identifies three sovereignty models: mandated (legal/geopolitical), regulated privacy (auditable control), and strategic autonomy (IP and vendor independence).
Why it matters: The sovereignty demand is no longer a European policy preference — it is a global infrastructure constraint. When 95% of organisations say sovereign AI matters and 96% are considering regional infrastructure relocation, the Anthropic-SpaceX compute deal we covered two weeks ago looks less like a one-off and more like the beginning of a geographic arbitrage race for AI capacity. European enterprises have a structural advantage if they build sovereign infrastructure now — the AI Act already requires the governance the rest of the world is catching up to.
4. Google Cloud Next 2026: The Agent Platform and the $750M Fund
Google launched the Gemini Enterprise Agent Platform at Cloud Next '26 — an evolution of Vertex AI that combines model selection, agent building, DevOps, orchestration, governance, and security into a single workspace. The platform provides access to 200+ models including Gemini 3.1 Pro and Anthropic Claude. Agent Studio offers a low-code interface for building agents with natural language. Reports indicate Google announced a $750 million innovation fund for partners developing AI agents and an Agent Marketplace with pre-built agents — though these figures should be verified against Google's official announcements before citing.
Why it matters: Google is commoditising the agent stack. A low-code agent builder, a marketplace for pre-built agents, and a major partner fund to accelerate the ecosystem — this starts to look like a marketplace moment for enterprise agents. The governance question from our May 8 Deep Dive (who governs the autonomous agent?) now scales by two orders of magnitude. When any business user can deploy a pre-built agent from a marketplace, the governance model cannot depend on engineering teams. It must be platform-native and automatic — exactly what ServiceNow and IBM are building.
Watch: Agent Marketplace adoption rates. If enterprises start deploying marketplace agents without modifying governance frameworks, the Deloitte 85/21 gap (deployment vs. governance maturity) will widen faster.
Source: Google Cloud Blog — Introducing Gemini Enterprise Agent Platform · Bain — The Agentic Enterprise Control Plane
5. PROMPTSPY: First Android Malware Using Commercial LLM for Autonomous Control
ESET researchers discovered PROMPTSPY, an Android backdoor that sends the device's live UI layout to Google's Gemini API and receives precise tap coordinates and gesture commands in return. The malware can simulate clicks, swipes, and interactions without human involvement — using an LLM to interpret device UI and automate multi-step tasks, including responding to security prompts and capturing credential-like inputs such as PINs or lock patterns. The malware uses Gemini API calls to parse and categorise screen content before exfiltrating to a C2 server.
Why it matters: This is the intersection of agentic AI and malware. PROMPTSPY does not follow scripted attack patterns — it uses an LLM to understand what is on screen and decide what to do next. Traditional malware detection relies on known signatures and behaviour patterns. An LLM-driven agent generates novel behaviour at runtime. For CISOs: if your mobile threat detection assumes predictable malware behaviour, PROMPTSPY breaks that assumption. For governance teams: a commercial LLM API was weaponised as a malware runtime — a use case that current AI governance frameworks do not address.
Source: The Hacker News — PROMPTSPY abuses Gemini AI · SecurityWeek — PROMPTSPY abuses Gemini at runtime
6. Omnibus Heading to Formal Adoption — Parliament and Council Vote Expected June–July
The provisional agreement reached May 7 is now moving through legal-linguistic revision. Both the European Parliament and Council are expected to formally vote between June and July. Once adopted, the amendments will be published in the Official Journal and enter into force three days later — likely around end of July, just before the original August 2 deadline. The transparency obligations under Article 50 remain on the original August 2, 2026 schedule. The synthetic content marking obligation for existing systems shifts to December 2, 2026.
Why it matters: The timeline is now clear enough to plan against. Formal adoption by end of July means the Omnibus will be in force before the original August 2 deadline — barely. Enterprise compliance teams should not wait for formal adoption to begin Horizon 2 work (high-risk compliance, due December 2027). The 16-month runway starts when the planning starts, not when the regulation publishes.
7. Article 50 Transparency Consultation Closes June 3 — Two Weeks Left
The European Commission's draft guidelines on Article 50 transparency obligations are in consultation until June 3. These are the first formal interpretive guidelines under the AI Act. The obligations become applicable August 2, 2026 — the one major deadline that did not move. Key requirements: AI providers must inform users when they interact with an AI system, add machine-readable marks to AI-generated content, and deployers must disclose deep fakes, AI-generated publications on public interest matters, and the use of emotion recognition systems.
Why it matters: If you have not submitted your organisation's position on the transparency guidelines, you have two weeks. The final guidelines will shape enforcement expectations for the first AI Act compliance deadline. If your AI chatbots, content generation tools, or emotion recognition systems are in production, compliance is due in 10 weeks.
8. Tech Industry: An Estimated 95,000+ Jobs Cut in 2026
According to industry layoff trackers, the technology sector has shed an estimated 95,000+ jobs across roughly 250 layoff events in 2026. Meta's 8,000 (plus 7,000 transfers) and Microsoft's 8,750 voluntary retirements are the largest single events, but the pattern is sector-wide. The restructuring is structural, not cyclical: companies are simultaneously cutting human headcount and increasing AI infrastructure spending.
Why it matters: The AI Layoff Trap thesis we published in our May 1 Deep Dive is now running at sector scale. The Prisoner's Dilemma is not one firm's decision — it is hundreds of events across the industry. When we return to the demand-side modelling question (what happens to your customer base when your sector automates at this rate), the answer is no longer hypothetical. It is 95,000 data points and counting.
9. Bain on Google Cloud Next: "The Agentic Enterprise Control Plane Comes into View"
Bain & Company published an analysis of Google Cloud Next '26 arguing that the enterprise AI landscape is converging on a control plane model — a unified layer for building, governing, and operating AI agents across the enterprise. Bain positions Google's Agent Platform, ServiceNow's AI Control Tower, IBM's Sovereign Core, and Microsoft's Agent Governance Toolkit as competing implementations of the same architectural pattern. The argument: enterprises will standardise on one or two control planes, and the vendors who own that layer will control the enterprise AI stack for the next decade.
Why it matters: This is the platform war that matters for governance. If the agent control plane becomes the governance layer, then the vendor who controls the control plane controls the compliance surface. For European enterprises, the sovereignty question is not just "where is the data?" — it is "who governs the agent?" If your agent control plane is a US hyperscaler product, your governance infrastructure has a jurisdictional dependency. IBM Sovereign Core is the only current offering explicitly positioning against that risk.
Deep Dive
When Your Security Tools Become the Attack Vector
The AI supply chain attack that should change how every enterprise thinks about AI infrastructure security.
What Changed
In March 2026, TeamPCP — a cybercrime group — executed a cascading supply chain attack that compromised five ecosystems in six days. The sequence was methodical:
Day 1 (March 19): TeamPCP compromised Trivy, the most widely used open-source vulnerability scanner in the container ecosystem, by overwriting 76 of 77 version tags in aquasecurity/trivy-action so that they pointed at malicious code. Any CI/CD pipeline that referenced trivy-action by one of those mutable tags rather than by an immutable commit SHA, and ran while the tags were poisoned, executed attacker-controlled code with the pipeline's own credentials.
Day 4 (March 23): Using credentials harvested from the Trivy compromise, TeamPCP pivoted to Checkmarx KICS — another security scanning tool — and compromised its GitHub Actions and AST products.
Day 5 (March 24): The Trivy compromise had already exfiltrated LiteLLM's PyPI publishing tokens. TeamPCP published malicious versions of LiteLLM (v1.82.7 and v1.82.8) directly to PyPI. These were live for approximately 40 minutes before PyPI quarantined them.
The payload was three-stage: a credential harvester targeting over 50 categories of secrets (cloud credentials, SSH keys, Kubernetes configs), a lateral movement toolkit for Kubernetes clusters, and a persistent backdoor providing ongoing remote code execution.
LiteLLM averages roughly 95 million monthly PyPI downloads. It is the abstraction layer that lets enterprises route LLM calls across multiple providers — OpenAI, Anthropic, Google, Azure — from a single API. It is widely used in enterprise AI stacks.
Why It Matters
The architectural irony is precise: the tool you use to scan for vulnerabilities (Trivy) was the entry point. The tool you use to govern multi-model AI access (LiteLLM) was the payload delivery mechanism. The security tooling and the AI tooling were compromised in the same campaign, by the same actor, with each compromise supplying the credentials for the next.
This is not a novel attack pattern. Supply chain attacks have been a well-known threat at least since SolarWinds in 2020. What is novel is the target: the AI infrastructure stack specifically. TeamPCP did not attack a random npm package. They attacked the tools that sit at the intersection of AI deployment and security governance, the exact components that enterprise teams trust implicitly because they are "security tools" or "AI infrastructure."
What Enterprises Usually Miss
Three structural gaps the TeamPCP campaign exposes:
First, AI gateway libraries are critical infrastructure with open-source risk profiles. LiteLLM is a Python package maintained by a small team, downloaded roughly 95 million times a month, and embedded in the CI/CD pipelines of companies processing billions in transactions. The gap between its criticality and its security resourcing is the attack surface. If your organisation uses LiteLLM (or vLLM, or any open-source AI gateway), it needs the same supply chain security scrutiny you apply to your operating system and database.
Second, vulnerability scanners are a single point of trust, and therefore of compromise. Trivy is trusted precisely because it is a security tool. That trust means organisations do not scan the scanner. When the scanner itself is compromised, every dependency it validates becomes suspect. The correct security posture is to treat security tooling as critical infrastructure with its own verification layer: referenced by an immutable identifier, checked against a known-good digest, and alerted on when it changes. Not as a trusted root.
Third, the 40-minute window is a governance problem, not just a security one. PyPI quarantined the malicious LiteLLM packages in approximately 40 minutes. That is fast. But in 40 minutes, any CI/CD pipeline that ran pip install litellm during that window, automatically and without human review, pulled a compromised package into production. The governance questions: does your pipeline have a lockfile? Does it pin exact versions? Does it verify package hashes before installing? And if an internal mirror or proxy cached the malicious release, your organisation's exposure window is that cache's lifetime, not PyPI's 40 minutes. For most organisations using AI libraries, the answers are no, because AI infrastructure is still treated as "development tooling," not "production infrastructure."
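To make those three questions concrete, here is an added example (written for this edit; not code from the original page, from LiteLLM, or from any vendor named above) that audits a pip requirements file for exactly these gaps: specs with no exact pin, pins to the two LiteLLM releases the reporting calls malicious, and lines with no --hash option, and that also reports the litellm version installed in the running interpreter. The requirements text is constructed for illustration, the non-litellm package names are invented, and the hash values are placeholders, not real artifact digests.

```python
import re
from importlib import metadata

# Releases the reporting on the TeamPCP campaign identifies as malicious
# (taken from the text above). Extend this map as advisories are published.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

# Constructed sample requirements file. Package names other than litellm are
# invented, and the --hash values are placeholders, not real sha256 digests.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real lockfile
litellm
example-helper>=0.1
example-client==2.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
litellm==1.82.7
example-http==3.1.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(.*)$")


def _logical_lines(text):
    """Yield requirement lines with comments stripped and backslash
    continuations joined, the way pip reads a requirements file.
    (Simplification: a '#' inside a URL fragment is treated as a comment.)"""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text, require_hashes=True):
    """Return (package, kind, detail) findings for a requirements file.

    kind is one of:
      UNPINNED  - no '==' pin, so pip installs whatever the index offers
      KNOWN_BAD - pinned to a release reported as malicious
      NO_HASH   - no --hash option, so pip cannot verify the artifact
    """
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):          # pip options such as -r or --index-url
            continue
        tokens = line.split()
        spec = tokens[0]
        hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
        m = _SPEC_RE.match(spec)
        if not m:
            findings.append((spec, "UNPARSED", "could not parse requirement"))
            continue
        name = m.group(1).lower().replace("_", "-")   # PEP 503 style normalisation
        constraint = m.group(2).strip()
        if constraint.startswith("=="):
            version = constraint.lstrip("=").strip()
            if version in KNOWN_BAD.get(name, ()):
                findings.append((name, "KNOWN_BAD", f"{name}=={version} is a reported malicious release"))
        else:
            findings.append((name, "UNPINNED", f"'{spec}' lets pip choose any matching release"))
        if require_hashes and not hashes:
            findings.append((name, "NO_HASH", "no --hash=sha256:... so the artifact is unverified"))
    return findings


def check_installed(name="litellm"):
    """Return (installed_version, is_known_bad) for the current interpreter,
    or (None, False) when the package is not installed."""
    try:
        version = metadata.version(name)
    except metadata.PackageNotFoundError:
        return None, False
    return version, version in KNOWN_BAD.get(name, ())


if __name__ == "__main__":
    for package, kind, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind:<9} {package}: {detail}")
    print("installed litellm:", check_installed("litellm"))
```

Running this against the constructed file flags the bare litellm line and the >= spec as unpinned, the litellm==1.82.7 line as a known-bad pin, and every line without a --hash option. The same checker run in CI before pip install, with pip invoked as pip install --require-hashes -r requirements.txt, turns "did we pull the bad release?" from a forensic question into a build failure. A pinned, hash-verified lockfile also records what was actually installed, which is what the CISO audit in the playbook below needs.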
The Governance Implication
The AI Act's Article 15 requires high-risk AI systems to achieve "an appropriate level of cybersecurity." Article 15 is part of the high-risk AI system framework. Under the Omnibus planning baseline, those obligations move to December 2, 2027 for Annex III systems and August 2, 2028 for Annex I systems, if the provisional agreement is formally adopted.
But Article 15 was written for the AI system itself — its model, its data, its outputs. It was not written for the infrastructure supply chain that delivers the AI system to production. When your AI gateway is compromised, the AI system's cybersecurity posture is irrelevant — the attacker is already inside the pipeline that deploys it.
The enterprise response needs three layers that most AI governance frameworks do not currently include:
Supply chain verification for AI dependencies. Every AI library in your stack — LiteLLM, vLLM, LangChain, LlamaIndex, Hugging Face Transformers — needs the same Software Bill of Materials (SBOM) discipline you apply to operating systems. Pin exact versions in a lockfile, install with hash verification so the registry cannot silently substitute a different artifact, and alert on any version change you did not make.
Security tooling as a governed dependency, not a trusted root. Trivy, Checkmarx, Snyk, Dependabot — these tools should be in your risk register, not exempt from it. If a security tool is compromised, your entire assurance framework fails silently.
CI/CD pipeline governance for AI workloads. If your ML pipeline automatically pulls the latest version of any dependency without human review or integrity verification, you have an uncontrolled ingress point. The 40-minute window is not a margin of safety. It is a margin of exposure.
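The Trivy stage of the campaign worked because a GitHub Actions tag is a mutable pointer: whoever can move the tag controls what every workflow referencing it runs. The pin that survives a tag overwrite is the full 40-character commit SHA. Below is an added example (written for this edit; not code from Trivy, Aqua Security, GitHub, or the original page) that walks a workflow file and flags every third-party action referenced by tag or branch rather than by SHA, which is the "security tooling as a governed dependency" control above in executable form. The workflow is constructed for illustration; the SHA in it is a placeholder rather than a real commit, and the tag name 0.28.0 is likewise illustrative.

```python
import re

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Constructed sample workflow. The checkout SHA is a placeholder, not a real
# commit, and the trivy-action tag is illustrative.
SAMPLE_WORKFLOW = """\
# constructed sample workflow, not from any real repository
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

_BRANCH_NAMES = {"main", "master", "develop"}


def audit_workflow(text):
    """Return (line_number, action, problem) for each 'uses:' reference that
    is not pinned to a full commit SHA.

    problem is one of:
      NO_REF           - no '@' at all (GitHub rejects this, but lint it anyway)
      MUTABLE_BRANCH:x - a branch name, which moves with every push
      MUTABLE_TAG:x    - a tag, which the repository owner (or an attacker
                         holding its credentials) can repoint at any time
    Local actions (./path) and docker:// images are skipped: they need a
    different control (image digests) than this check covers.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append((lineno, target, "NO_REF"))
            continue
        action, ref = target.rsplit("@", 1)
        if _SHA_RE.match(ref):
            continue                      # immutable: a tag overwrite cannot move it
        kind = "BRANCH" if ref in _BRANCH_NAMES else "TAG"
        findings.append((lineno, action, f"MUTABLE_{kind}:{ref}"))
    return findings


def is_pinned(target):
    """True when an 'owner/repo@ref' target uses a full commit SHA."""
    return "@" in target and bool(_SHA_RE.match(target.rsplit("@", 1)[1]))


if __name__ == "__main__":
    for lineno, action, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} -> {problem}")
```

Two caveats a practitioner will want. Pinning the action's SHA pins the action's own code, not binaries the action downloads at runtime; those need their own checksum verification inside the step. And SHA pins go stale, so pair this check with an automated updater (Dependabot and Renovate both support SHA-pinned actions) rather than letting teams drift back to tags for convenience.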
What Leaders Should Do Next
The organisations that audit their AI supply chain now — before the next TeamPCP — will be able to demonstrate to regulators, auditors, and customers that their AI systems were deployed through a governed pipeline. The ones that don't will discover the gap during an incident.
Enterprise Playbook
For the CISO: Audit whether your organisation pulled LiteLLM v1.82.7 or v1.82.8 between March 24 10:39 UTC and approximately 11:19 UTC. Check CI job logs, pip install logs, lockfile history, container image layers and any internal mirror or proxy cache, not just what is installed today. If yes, treat it as a confirmed compromise: rotate every secret the affected pipeline could reach, audit Kubernetes clusters, and scan for the SANDCLOCK backdoor. Separately: add all AI infrastructure libraries (LiteLLM, vLLM, LangChain, etc.) to your critical dependency monitoring alongside OS and database packages.
For the CTO / Platform Engineering: Implement version pinning and integrity verification for all AI dependencies in your CI/CD pipeline. If your ML pipeline runs pip install litellm without a lockfile, you had an uncontrolled ingress point for 40 minutes in March. Fix it before the next incident.
For the AI Governance Lead: Add "AI supply chain security" as a standing item in your governance framework. The three layers from the Deep Dive — supply chain verification, security tooling as governed dependency, CI/CD pipeline governance — should each have a named owner and a documented control.
For the DPO / Legal: The Article 50 transparency consultation closes June 3. If your organisation has not submitted, you have two weeks. The transparency obligations hit August 2 — 10 weeks from now.
For the CHRO / People Lead: Meta's mouse-tracking backlash is a warning. If your organisation collects employee behavioural data for AI training purposes, verify that you have a lawful basis under GDPR, a transparent disclosure under Article 50, and an employee consultation process. The 1,000+ signature petition at Meta is what happens when you skip these steps.
What to Watch Next
June 3: Article 50 transparency consultation closes. Final guidelines will shape the first enforcement expectations under the AI Act.
June–July: Omnibus formal adoption vote. Parliament and Council expected to vote. Entry into force ~3 days after Official Journal publication, likely end of July.
H2 2026: Meta's second round of layoffs. Additional cuts planned beyond the May 20 wave. Watch for whether the AI pod model produces measurable results or further restructuring.
Google Agent Marketplace adoption. The 70+ pre-built agents are the canary for ungoverned agent deployment at scale. If enterprises deploy marketplace agents without governance modifications, the Deloitte 85/21 gap accelerates.
TeamPCP next move. The group executed a five-ecosystem attack in six days. They are not done. Monitor for supply chain compromises in AI-adjacent tooling — model registries, vector databases, agent orchestration frameworks.
Next Steps
What to read now?
Security / Risk
Trend Micro — Inside the LiteLLM supply chain compromise — The most detailed technical breakdown of the TeamPCP campaign. Read for the three-stage payload architecture and the credential harvester categories.
Datadog Security Labs — LiteLLM compromised on PyPI — Datadog's timeline and forensic analysis. Includes specific version numbers and IOCs for incident response teams.
SecurityWeek — PROMPTSPY abuses Gemini AI at runtime — Technical analysis of the first LLM-driven Android malware. Read for the Gemini API integration architecture.
Regulation
Latham & Watkins — AI Act update: EU resolves to change rules — Clear legal summary of the Omnibus changes, formal adoption timeline, and what remains unchanged.
European Commission — Transparency guidelines consultation — Closes June 3. Submit your position.
Enterprise AI
NTT DATA — 2026 Global AI Report — 2,500+ organisations surveyed. The 96% infrastructure bottleneck and the three sovereignty models are the headlines for board presentations.
Bain — The Agentic Enterprise Control Plane — Strategic analysis of how the agent platform war determines who controls enterprise AI governance for the next decade. Essential reading for CTO-level planning.
Market Signals
Google Cloud Blog — Gemini Enterprise Agent Platform — The $750M fund and Agent Marketplace with 70+ pre-built agents. Read for what Google is betting the enterprise agent market looks like in 12 months.
That’s it for this week.
The AI infrastructure your organisation depends on was built on open-source libraries maintained by small teams, distributed through public registries, and pulled into production by automated pipelines that trust everything they download. That trust model is broken. The organisations that govern their AI supply chain like critical infrastructure will survive the next TeamPCP. The ones that don't will find out about the compromise from their incident response team — or their regulator.
Until next Thursday, João
OnAbout.AI delivers strategic AI analysis to enterprise technology leaders. European governance lens. Vendor-agnostic. Actionable.
If this landed in your inbox from a forward — subscribe here to get the full picture every week.

