Severity: MEDIUM | Category: Vulnerabilities | Source: Reddit r/netsec

LangDrained: Path traversal, SQL injection, and Deserialization of untrusted data in LangChain

  • What: Security flaws found in LangChain including path traversal and SQL injection
  • Impact: Potential data exposure and code execution risks for enterprise AI systems

When we think about AI security, our minds often jump to futuristic threats: rogue autonomous agents, complex model jailbreaks, or clever prompt injections. We imagine attackers outsmarting the AI itself. But over the past few months, our research team has discovered that the biggest threat to your enterprise AI data might not be as complex as you think. In fact, it hides in the invisible, foundational plumbing that connects your AI to your business. This layer is vulnerable to some of the oldest tricks in the hacker playbook.

In March 2026, the Trivy supply chain compromise set a new benchmark for open-source security incidents. Understanding how it happened is key to seeing its impact on AI security. The incident began in late February when an automated agent exploited a misconfigured GitHub Actions workflow in Aqua Security’s Trivy repository. The weakness was a pull_request_target trigger, which let attacker-controlled code from a fork run with the base repository’s secrets and write permissions. This led to stolen credentials and a full repository takeover. Aqua Security rotated some credentials but missed others. This incomplete response allowed the incident to escalate.

On March 19, a threat group known as TeamPCP used the remaining tokens to update about 75 GitHub Action version tags to malicious commits and released trojanized Trivy binaries. The malicious code acted as a silent infostealer inside CI/CD pipelines, collecting GitHub tokens, cloud credentials, and SSH keys while running normal vulnerability scans. This made detection difficult.

Then the stolen credentials snowballed. TeamPCP used them to backdoor LiteLLM on PyPI (an AI middleware present in 36% of all cloud environments, according to Wiz), injecting a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. They compromised Checkmarx’s GitHub Actions and OpenVSX extensions using the same stolen tokens. Malicious Docker images followed. Self-propagating npm worms followed. Mandiant reported 1,000+ SaaS environments already compromised, with expectations of 10,000+. TeamPCP is now collaborating with LAPSUS$. Five ecosystems hit: GitHub Actions, Docker Hub, npm, Open VSX, PyPI. One misconfigured CI workflow started it all. As Wiz put it: “The open source supply chain is collapsing in on itself.”

Our research tells a complementary story. Months before the Trivy compromise (starting in late 2025), we began auditing the frameworks that power enterprise AI applications. What we found suggests the problem runs deeper than any single supply chain incident. The same categories of vulnerabilities that enabled this cascade (credential exposure, trust boundary confusion, missing input validation) are embedded in the most popular AI framework on the planet. We found three independent paths an attacker can use to drain sensitive data from any enterprise LangChain deployment.

If your organization has built an AI chatbot, a document Q&A system, or an autonomous agent in the last two years, there’s a good chance LangChain is somewhere in the stack. You might not even know it’s there. It could be a transitive dependency, pulled in quietly by another library your team chose. But it’s there, and everything your AI touches flows through it.

Think of LangChain as the plumbing behind modern AI applications. It handles the entire lifecycle: accepting user prompts, routing them to language models, managing conversation memory, retrieving documents from knowledge bases, calling external tools, and orchestrating multi-step agent workflows. It’s the middleware layer between your users and your AI models. And like any middleware, it touches all the data passing through. The scale is hard to overstate. As of late 2025, LangChain’s Python packages have accumulated roughly 847 million total downloads from PyPI. Fortune 500 companies, startups, government agencies, and academic institutions all use it.

Why Should You Care?

Your AI framework is not just a library. It's a data pipeline. Every prompt your users submit, every document your RAG system retrieves, every conversation your agent remembers, every API key your application uses to call a language model: all of it flows through LangChain's code. And as we’ll show, that code had three independent holes through which that data could be extracted. Files from the filesystem. Secrets from the environment. Conversations from the checkpoint database. Three paths. Three types of data. Three ways it walks out the door.

Most organizations don't even know LangChain is in their stack, let alone what data flows through it. The frameworks powering enterprise AI have become critical data infrastructure, but they're invisible to the tools and processes organizations use to track and protect sensitive data. If you can't answer where your AI frameworks are deployed, what versions are running, and what data passes through them, you're flying blind. This is precisely the problem Cyera was built to solve. Cyer...
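As an added illustration (constructed for this page, not the Trivy repository's actual workflow or any code from the article), the shape of the pull_request_target misconfiguration described above, beside a hardened equivalent; the workflow names, the secret name and the commit-SHA placeholder are assumed.

```yaml
# Constructed illustration; not the Trivy repository's real workflow.
# WEAK: pull_request_target runs in the base repository's context, so the job
# receives repository secrets and a write-capable GITHUB_TOKEN. Checking out the
# pull request's head commit and then executing its build scripts lets code
# from a fork run with those privileges.
name: ci-weak
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: make test                                     # executes that code
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}        # assumed secret name
---
# HARDENED: untrusted fork code runs under plain pull_request, which gets a
# read-only token and no repository secrets for pull requests from forks.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read        # least privilege for the job's GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA rather than a mutable tag,
      # so a retargeted version tag (as in the incident above) cannot swap in
      # a different commit. <40-hex-commit-sha> is a placeholder.
      - uses: actions/checkout@<40-hex-commit-sha>
      - run: make test
# If pull_request_target is genuinely required (for example to label PRs), keep
# it to steps that never check out or execute fork code, and grant only the
# permissions those steps need, e.g. `pull-requests: write` alone.
```

Reviewing every workflow for `pull_request_target` combined with a checkout of `github.event.pull_request.head.sha` (or `head.ref`) is a quick way to find this pattern in your own repositories.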
