
r/AnthropicAi

An AI coding assistant installed malware into production environments. Nobody typed the command. AMA on what "supply chain attack" means now.
You probably remember the old supply chain attacks. SolarWinds. Log4j. Someone sneaks bad code into a trusted piece of software, and everyone who installed that software is suddenly in trouble. Here's what happened on March 24 of this year, and why it's different.
A popular open-source tool called LiteLLM — it's a connector that a lot of companies use to route requests to ChatGPT, Claude, and other AI models — got compromised. Someone slipped malicious code into it. That part's the old playbook.
The new part: a lot of the exposure didn't come from a person clicking install. It came from agent frameworks pulling the poisoned version in as part of doing normal work a developer had asked for. Anywhere pip install litellm ran without a pinned version during the window — CI jobs, build containers, agent frameworks with LiteLLM as a transitive dependency — was potentially exposed.
And here's the kicker: the attackers didn't break into LiteLLM directly. They first broke into Trivy, which is a security tool companies use to scan for this exact kind of threat. The compromised Trivy action ran inside LiteLLM's CI/CD pipeline and exfiltrated the PyPI publishing token, which the attackers then used to push the bad code. The tool you use to catch supply chain attacks became the way one got in.
Three big attacks in under three weeks — LiteLLM, then Axios (the JavaScript library that runs in a huge chunk of the internet, present in roughly 80% of cloud and code environments), then a roughly six-hour hijack of the CPUID website that pushed trojanized CPU-Z installers to anyone downloading from the official page. Different attackers, same pattern: the bad stuff came in through software you already trusted.
So when we say "supply chain attack" in 2026, we mean three things that used to be separate:
- The code your team installs — packages, libraries, signed apps
- The AI infrastructure your agents depend on — model gateways, connectors, MCP servers, fine-tuned models pulled from public repos
- The AI agents themselves — which are now installing things, making decisions, and running with permissions they probably shouldn't have
We're Itamar Golan (u/Itamar_PromptSec) and David Abutbul (u/David_PromptSec) from Prompt Security, the company inside SentinelOne securing enterprise AI usage. We spend our time on what happens at the agent layer specifically, the part that's newest and weirdest. We also maintain an open-source project called ClawSec, a security skill suite for OpenClaw and related agents (Hermes, PicoClaw, NanoClaw) that does drift detection, skill integrity verification, automated audits, and live advisory monitoring, so an agent's behavior and configuration can't quietly drift out from under you.
Ask us anything about:
- The March 24 LiteLLM attack — what actually happened, what the poisoned code tried to do, and why the fact that a lot of the exposure came through automated pipelines and agent frameworks (not humans clicking install) matters for how you defend against this going forward.
- Agents doing things you didn't explicitly ask them to — your coding assistant grabbing a library, your customer-service agent pulling from a data source, your internal chatbot chaining tools together. Where's the line between "helpful" and "this thing just ran a command with your permissions"?
- Shadow AI, but worse — last year it was employees pasting stuff into ChatGPT. This year it's agents your company officially deployed quietly connecting to tools and services nobody mapped. How do you even get visibility into that?
- Why "just add another approval step" isn't going to work — the whole point of agents is speed. If every action needs a human to click yes, you don't have an agent, you have a very slow chatbot. What actually works instead.
- ClawSec — why we made it free and open source, what it does differently from the usual "AI guardrails" pitch, and what we've learned from people actually using it.
- State-sponsored actors, ransomware crews, and who's really behind this — who profits from attacking trusted software, and why the economics point to a lot more of this coming, not less.
- What a normal company should actually do on Monday — not a 40-page framework. The two or three things that meaningfully reduce your exposure this quarter.
We'll be live Wednesday, May 20, and sticking around all day (Israel time). Bring the hard questions — the dumb ones too. Honestly, the "dumb" ones are usually the ones everyone else is afraid to ask out loud.
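The post's point about exposure is that any `pip install litellm` without a pinned version during the window resolved to whatever the index served, which was the poisoned release. As an added example (not code from the AMA authors, from ClawSec, or from the LiteLLM project), here is a small auditor for a pip requirements file that flags the three kinds of spec that leave the package index in charge: a bare name or version range, an exact pin without a `--hash`, and a direct git reference not locked to a full commit. The sample requirements, the package versions and the all-zero hash are constructed placeholders.

```python
"""Audit a pip requirements file for specs that let the next `pip install`
resolve to, or accept, bytes nobody reviewed (the LiteLLM exposure pattern).

Constructed example; not the AMA authors' or any project's tooling.
"""
import re
from dataclasses import dataclass

# A full git commit hash; anything shorter (branch, tag, short sha) can move.
_HEX40 = re.compile(r"^[0-9a-f]{40}$")
# pip treats '#' as a comment only at line start or after whitespace.
_COMMENT = re.compile(r"(^|\s)#.*$")

# Constructed sample; the versions and the hash are placeholders, not real releases.
SAMPLE_REQUIREMENTS = f"""\
# constructed sample for this example; versions and the hash are placeholders
--index-url https://pypi.org/simple
litellm                      # floating: resolves to whatever the index serves today
requests>=2.31               # range: still floats upward to a new release
openai==1.30.0               # pinned, but the downloaded bytes are not verified
numpy==1.26.4 \\
    --hash=sha256:{'0' * 64}
tooling @ git+https://github.com/example-org/tooling@main
"""


@dataclass(frozen=True)
class Finding:
    line_no: int        # first physical line of the requirement
    requirement: str    # the logical requirement after joining continuations
    problem: str


def _logical_lines(text):
    """Yield (line_no, requirement) with comments removed and backslash-
    continued lines joined, so a multi-line --hash block is one record."""
    buf, start = [], None
    for idx, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = idx
        stripped = _COMMENT.sub("", raw).rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        logical, first = " ".join(buf).strip(), start
        buf, start = [], None
        if logical:
            yield first, logical


def _direct_ref(url):
    """Return the @ref of a VCS/URL requirement ('' when there is none)."""
    path = url.split("://", 1)[-1]      # drop the scheme, e.g. git+https://
    tail = path.split("/", 1)[-1]       # drop the host (and any user@host)
    return tail.rsplit("@", 1)[1] if "@" in tail else ""


def audit_requirements(text):
    """Return a Finding for every requirement the index could silently change."""
    findings = []
    for line_no, req in _logical_lines(text):
        if req.startswith("-"):
            continue                    # -r, -c, --index-url, --require-hashes, ...
        if " @ " in req:                # PEP 508 direct reference: name @ url
            url = req.split(" @ ", 1)[1].split()[0]
            if not _HEX40.match(_direct_ref(url)):
                findings.append(Finding(line_no, req,
                    "direct reference not pinned to a full commit hash"))
            continue
        tokens = req.split()
        spec = tokens[0]
        hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
        if "==" not in spec:
            findings.append(Finding(line_no, req,
                "no exact version pin (==): the index decides what gets installed"))
        elif not hashes:
            findings.append(Finding(line_no, req,
                "pinned but no --hash: the index is still trusted for the bytes"))
    return findings


def is_fully_pinned(text):
    """True when every requirement is version+hash pinned or locked to a commit."""
    return not audit_requirements(text)


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.requirement!r}: {f.problem}")
```

Once every index-served requirement carries a hash, installing with pip's `--require-hashes` mode makes pip refuse anything not on the list, which closes the "CI job pulled the poisoned version" path the post describes. It does nothing for the other half of that chain, a CI action reading the PyPI publishing token: that is about what secrets the pipeline can see, not what it installs.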
Andrej Karpathy joins Anthropic. Not surprised at all.
Anthropic's Mythos sends US banks rushing to plug cyber holes
reuters.com
What Claude says vs What Claude thinks
Anthropic research: https://www.anthropic.com/research/natural-language-autoencoders
Anthropic: It is the sci-fi authors, not us, that are to blame for Claude blackmailing users
Claude Mythos literally broke the METR graph ("The most important chart in AI")
More info: https://metr.org/time-horizons/
Claude Mythos lands above the trendline for the AI 2027 scenario. The trendline has gone from exponential to superexponential.
Claude Code or Codex?
I'm thinking about getting Code for $100 USD, but I've read a lot of comments saying that Codex is more generous with its $20 USD plan and offers better quality. Have you tried it? Is it worth it?
The Idea That Claude Has Feelings Is Great for Anthropic
bloomberg.com
Anthropic is not killing itself.
Recently, I’ve seen a lot of people saying:
“Oh, Anthropic is so stupid.”
“They’re hiking up the usage limits.”
“They’re making it too expensive.”
“They’re killing their users.”
“They’re being ridiculous.”
But they’re not.
They’re actually kind of smarter than OpenAI in this specific way.
Here’s the thing.
A lot of people either weren’t paying attention, or they just didn’t hear Anthropic when they said this…
but Anthropic has said multiple times they’re trying to move more into the enterprise side of things.
So when Anthropic charges $200 for what doesn’t feel like a huge amount of tokens, everyone looks at those prices, then looks at ChatGPT, and goes:
“Why is Anthropic doing this?”
“Anthropic is stupid.”
No.
They’re charging according to their niche.
OpenAI, on the other hand, has a massive consumer user base.
They have way more mainstream usage.
They have more compute.
And it makes more sense for them to offer cheaper prices and more tokens because their audience needs that.
Well, whether they can actually afford that long-term is a different problem.
But the point is, OpenAI users are very different from Anthropic’s ideal users.
Most normal ChatGPT users are not going to pay $200 for a limited amount of tokens.
Obviously, I’m not saying OpenAI doesn’t have enterprise customers.
Of course they do.
They have developers.
They have businesses.
They have serious users.
But Anthropic is positioning itself differently.
Anthropic doesn’t have an image model.
It doesn’t have a video model.
And the reason they don’t have that is because most enterprise businesses don’t really need that as their main priority.
Sure, image and video can be useful for marketing.
But that’s not the most important thing for a lot of big enterprise companies.
The important stuff is:
Can it code?
Can it handle complex workflows?
Can it manage tasks across a small team?
Can it make decisions based on financial data?
Can it work through large amounts of business data?
Can it be trusted in serious environments?
That’s the kind of stuff big enterprise companies actually care about.
People were also surprised when Anthropic closed off Mythos to the public.
But that actually makes sense if you understand who they’re targeting.
They’re not building for little Timmy who wants to vibe code some random startup so he can finally escape his mum’s basement.
They’re building for big enterprise customers.
That’s their target.
So if you’re looking at what Anthropic is doing and thinking:
“Why would they do that?”
“That’s so stupid.”
You need to switch your frame.
Instead of looking at it like they’re trying to beat ChatGPT for normal consumers…
look at it like they’re trying to win enterprise.
Then a lot of their decisions make way more sense.
Some of you probably already knew this.
Good.
You’re smart.
But if you didn’t, look at Anthropic through that lens and then look at the OpenAI versus Anthropic rivalry again.
Because suddenly, the rivalry starts to make way more sense.
OpenAI is always laying little traps for Anthropic.
Anthropic rarely hits back.
They barely mention competitors.
They don’t really flex their customers publicly.
They come across as a much more professional, B2B company.
Meanwhile, Sam Altman is on X talking about goblin mode.
Now, to be fair…
it is funny.
And it’s good.
But it makes a lot more sense once you realise OpenAI and Anthropic are playing slightly different games.
So if you want to understand the Anthropic versus OpenAI rivalry properly, you need to watch what happens in the news.
Because there’s going to be a lot of AI news this week.
Especially on Thursday.
I’ve heard something is dropping from OpenAI.
And if you want more news on that, head to my newsletter below in the comments.
I talk about this stuff every week.
Last weekend, I dropped something about the AI safety sector that not many people are talking about, and it opened a lot of people’s eyes about the OpenAI and Anthropic situation.
So check it out.
Have a look.
Tell me what you think.
And wait till Monday.
We’ve got something great dropping.
Look out for that.