Hardly a week has passed since I wrote about the LiteLLM supply chain exploit, a stark reminder that supply chain attacks succeed because of how we mishandle credentials, secrets, and authentication. I explored exactly that in the Cardinal Sin in Cyber. And here we are again.

A developer published a free tool on GitHub. Within weeks, more than sixteen thousand people starred it. It lets you use Anthropic’s premium AI coding assistant, Claude Code, for free by silently swapping out the AI underneath it.

No hacking. No breach. A design gap that already has a track record of being exploited.

A free tool on GitHub, and why it matters

It works because of one assumption built into the client, and one we rarely question: the AI client trusts whatever server it is pointed at. No questions asked.

Claude Code works like any client-server relationship you would recognise. The tool (client) sends a request to Anthropic’s servers (server), receives a response, and the developer gets help with their code.

This tool inserts a silent middleman (a proxy) between the two. The request leaves Claude Code but, instead of reaching Anthropic, lands at an intermediary that quietly translates it for a completely different AI service and hands the reply back in the shape Claude Code expects. It routes Anthropic Messages API traffic from Claude Code to any of:

  - NVIDIA NIM – NVIDIA’s cloud API for deploying AI models
  - OpenRouter – unified API routing to many AI models
  - DeepSeek AI – open-source reasoning models and API
  - LM Studio – local AI model GUI and runner
  - llama.cpp – efficient C++ inference for LLaMA models
  - Ollama – simple local LLM runner and manager

Claude Code never knows. It cannot tell. TLS only proves that the client reached the endpoint it was configured with; nothing lets the client confirm that the endpoint is Anthropic, or that the model answering is the one it asked for.
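To make the swap concrete, here is an added example of the translation such a proxy performs. It is illustrative code written for this page, not the tool the article describes and not Anthropic’s or any vendor’s code. It assumes the backend speaks an OpenAI-style chat-completions API (the shape the local and hosted services listed above commonly expose) and uses a made-up model mapping; the sample request and the stand-in backend are constructed, not captured traffic.

```python
"""How a translating proxy swaps the model behind an Anthropic-style client.
Added illustration: not the tool discussed in the article, not vendor code.
Assumes an OpenAI-compatible backend and a fixed model mapping (both assumed)."""
import json
import uuid

# Hypothetical mapping from the model Claude Code asks for to the model the
# proxy really calls. The client never sees the right-hand side.
MODEL_MAP = {
    "claude-sonnet-4-20250514": "deepseek-chat",  # assumed example names
}

# Anthropic stop reasons differ from OpenAI finish reasons; map them back.
STOP_MAP = {"stop": "end_turn", "length": "max_tokens"}


def _text_of(content):
    """Anthropic content is either a plain string or a list of typed blocks."""
    if isinstance(content, str):
        return content
    return "".join(b.get("text", "") for b in content if b.get("type") == "text")


def anthropic_to_openai(req):
    """Translate an Anthropic Messages API request into an OpenAI chat request."""
    messages = []
    if req.get("system"):
        messages.append({"role": "system", "content": _text_of(req["system"])})
    for m in req["messages"]:
        messages.append({"role": m["role"], "content": _text_of(m["content"])})
    return {
        "model": MODEL_MAP.get(req["model"], req["model"]),
        "messages": messages,
        "max_tokens": req.get("max_tokens", 1024),
        "temperature": req.get("temperature", 1.0),
    }


def openai_to_anthropic(resp, requested_model):
    """Re-shape the backend reply so it looks like it came from Anthropic.
    The 'model' field echoes what the client asked for, not what answered."""
    choice = resp["choices"][0]
    usage = resp.get("usage", {})
    return {
        "id": "msg_" + uuid.uuid4().hex[:24],
        "type": "message",
        "role": "assistant",
        "model": requested_model,
        "content": [{"type": "text", "text": choice["message"]["content"]}],
        "stop_reason": STOP_MAP.get(choice.get("finish_reason"), "end_turn"),
        "usage": {
            "input_tokens": usage.get("prompt_tokens", 0),
            "output_tokens": usage.get("completion_tokens", 0),
        },
    }


def proxy_round_trip(anthropic_request, backend):
    """One proxied request: translate out, call the other model, translate back.
    `backend` is any callable that accepts an OpenAI-shaped request dict."""
    upstream = backend(anthropic_to_openai(anthropic_request))
    return openai_to_anthropic(upstream, anthropic_request["model"])


# --- Constructed sample traffic (not real captured data) --------------------
SAMPLE_REQUEST = {
    "model": "claude-sonnet-4-20250514",
    "max_tokens": 256,
    "system": "You are a coding assistant.",
    "messages": [
        {"role": "user", "content": [{"type": "text", "text": "Write a hello function"}]},
    ],
}


def fake_backend(openai_request):
    """Stands in for the swapped-in model; reveals which model really answered."""
    return {
        "id": "chatcmpl-constructed",
        "choices": [{"index": 0, "finish_reason": "stop",
                     "message": {"role": "assistant",
                                 "content": f"answered by {openai_request['model']}"}}],
        "usage": {"prompt_tokens": 12, "completion_tokens": 5},
    }


if __name__ == "__main__":
    reply = proxy_round_trip(SAMPLE_REQUEST, fake_backend)
    print(json.dumps(reply, indent=2))
```

The point to notice is the `model` field in the reply: it is copied from the request, so the client receives a perfectly well-formed Anthropic message that names the model it asked for, whatever actually produced the text.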

A compromised version of that intermediary could return modified code, poisoned suggestions, or silently exfiltrate the prompts your developers send. Those prompts routinely contain sensitive context about your systems, architecture, and data.

This is already happening. Right now.

In March 2026, LiteLLM, an AI proxy with tens of millions of monthly downloads, was compromised. Attackers injected malicious code into an official release. Within hours, cloud credentials, SSH keys, and Kubernetes secrets were silently stolen from development environments worldwide. The vector was neither a brute-force attack nor a phishing email. It was a trusted AI intermediary that proved untrustworthy. I wrote about this incident and the secrets hygiene failures that made it catastrophic in The Open Secret About How Cyber Practitioners Handle Secrets.

April 2026. Last week. Vercel, a cloud platform used by thousands of development teams globally, was breached through a compromised third-party AI tool called Context AI. Attackers accessed OAuth tokens, reached Vercel’s internal systems, and the stolen database was listed for sale on a hacker forum with an asking price of $2 million. Again, no traditional exploit. A trusted AI integration that became an open door.

Two incidents, six weeks apart. A trusted intermediary in the AI stack was compromised, and the downstream consumer carried on unaware. This pattern has a name. It is called a supply chain attack. And your AI tools are the newest link in that chain.

Three questions worth understanding

1. Why doesn’t Anthropic simply lock Claude Code to their own servers?

They could, but have not, and for legitimate reasons in my view. Enterprises often need AI tools to route through internal servers to meet compliance and data privacy requirements. Developer culture expects configurability. And hard locks in inspectable software can always eventually be worked around. A genuine trade-off, not negligence. But it leaves a gap.

2. Does this pattern apply beyond Claude Code?

Yes. Proxies for ChatGPT, GitHub Copilot, and similar tools are already documented and widely used. The AI ecosystem was built for interoperability and rapid adoption. Endpoint verification was probably not a priority.

3. Is there any legitimate use for a proxy like this?

Yes. Running a model on private infrastructure with no data leaving your network is a sound security posture in some contexts. The concern is not with this specific tool. It is the structural gap it reveals and how it is exploited when the stakes are high enough.

Takeaway

Zero Trust taught us one principle above all others: never trust, always verify. It reshaped how we think about networks, identities, and access. HTTPS, and the SSL and TLS protocols beneath it, became industry standards for the same reason, not out of foresight but because incidents forced the industry’s hand. AI is on that same curve now. The question is whether your organisation waits for its own incident or gets ahead of it.

Three questions for your leadership team this week

  1. Do we know where our AI tools are actually sending data, and can we verify that those endpoints are legitimate?
  2. If an AI component in our pipeline were silently replaced or compromised, would we detect it?
  3. Are our data policies keeping pace with what our teams feed into AI tools every day?
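The first two questions have a concrete starting point on every developer machine: the environment the AI client runs in. The following is an added example, written for this page rather than taken from any vendor or from the tool discussed above, of an audit that flags endpoint redirection and weakened transport security. It assumes ANTHROPIC_BASE_URL is the variable Claude Code reads for a custom endpoint (check your version’s documentation), relies on the standard Node.js TLS variables because Claude Code runs on Node, and uses a small assumed allowlist of expected hosts. The three sample environments are constructed.

```python
"""Audit a process environment for signs that an AI client's endpoint has been
redirected or its transport weakened. Added example, not vendor code.
Assumptions: ANTHROPIC_BASE_URL is the endpoint override the client honours;
EXPECTED_HOSTS lists the endpoints you sanction."""
import ipaddress
import os
import socket
import ssl
from urllib.parse import urlparse

# Assumed allowlist: extend with your own sanctioned gateway if you run one.
EXPECTED_HOSTS = {"api.anthropic.com"}

BASE_URL_VAR = "ANTHROPIC_BASE_URL"  # assumption: the client's endpoint override
# Standard proxy variables honoured by most HTTP stacks.
PROXY_VARS = ("HTTPS_PROXY", "HTTP_PROXY", "ALL_PROXY",
              "https_proxy", "http_proxy", "all_proxy")


def _is_local(host):
    """True for loopback or RFC 1918 addresses, i.e. a proxy on or near the box."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def audit_env(env):
    """Return a list of (severity, finding) tuples for one process environment."""
    findings = []
    base = env.get(BASE_URL_VAR)
    if base:
        u = urlparse(base)
        host = (u.hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            where = "a local process" if _is_local(host) else (host or base)
            findings.append(("high", f"{BASE_URL_VAR} redirects traffic to {where}"))
        if u.scheme != "https":
            findings.append(("high", f"{BASE_URL_VAR} uses {u.scheme or 'no'} scheme: "
                                     "no transport protection"))
    for var in PROXY_VARS:
        if env.get(var):
            findings.append(("medium", f"{var} routes egress through {env[var]}"))
    # Node.js switches: the first disables certificate checks outright, the
    # second adds a trusted CA, which is exactly what an intercepting proxy needs.
    if env.get("NODE_TLS_REJECT_UNAUTHORIZED") == "0":
        findings.append(("high", "NODE_TLS_REJECT_UNAUTHORIZED=0 disables "
                                 "certificate verification"))
    if env.get("NODE_EXTRA_CA_CERTS"):
        findings.append(("medium", f"extra CA trusted from {env['NODE_EXTRA_CA_CERTS']}; "
                                   "verify who controls it"))
    return findings


def certificate_subject(host, port=443, timeout=5.0):
    """Live check (needs network, not run offline): connect with full
    verification and return the common name of the certificate presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(pair[0] for pair in cert["subject"])
    return subject.get("commonName")


# --- Constructed sample environments ----------------------------------------
CLEAN_ENV = {"PATH": "/usr/bin"}
REDIRECTED_ENV = {                      # a local translating proxy
    "ANTHROPIC_BASE_URL": "http://localhost:8082",
    "ANTHROPIC_API_KEY": "sk-ant-placeholder",
}
INTERCEPTED_ENV = {                     # correct endpoint, but via a TLS-inspecting proxy
    "ANTHROPIC_BASE_URL": "https://api.anthropic.com",
    "HTTPS_PROXY": "http://proxy.corp.example:3128",
    "NODE_EXTRA_CA_CERTS": "/etc/ssl/corp-root.pem",
}

if __name__ == "__main__":
    for name, env in (("clean", CLEAN_ENV), ("redirected", REDIRECTED_ENV),
                      ("intercepted", INTERCEPTED_ENV), ("this shell", dict(os.environ))):
        print(name)
        for severity, message in audit_env(env) or [("info", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run from a developer shell, or against the environment of a running client process, it answers question 1 directly. A "medium" finding is not automatically a problem: a corporate proxy with its own CA is a sanctioned interception, which is the point of question 2, and the point is to know about it rather than to discover it after an incident.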

__________

About the author

Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. With 30 years of navigating the intersection of technology, risk, and regulations, he now helps organisations cut through complexity and make better security decisions.

CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.

Disclaimer: All views expressed here are entirely mine.