CYB_022 · prediction · AI · LiteLLM-supply-chain-vulnerability

Supply-chain attacks targeting widely utilized open-source AI packages — exemplified by documented attacks on the LiteLLM framework — represent extreme systemic risk: a single compromised foundational code repository instantly and autonomously infects ...

Predictor: Alex Wissner-Gross

Prior probability: 78.0%
Current probability: 75.9% (evolves via intake + LBP)
Conviction: 5/5
Signal quality: B
Resolution: in_progress
Window: 2026-01-01 – 2028-11-30
Edges in / out: 2 / 0
Tickers exposed: 13

Prediction text

Supply-chain attacks targeting widely utilized open-source AI packages — exemplified by documented attacks on the LiteLLM framework — represent extreme systemic risk: a single compromised foundational code repository instantly and autonomously infects thousands of downstream enterprise agent networks at machine speed, bypassing traditional firewall perimeters entirely. | Next major AI-package supply chain CVE

Key catalyst: Next major AI-package supply chain CVE

Watch events: PyPI/npm AI-package attack incidents; enterprise SBOM mandates

Resolution evidence

Status: in_progress

LiteLLM CVE-2024/2025 disclosures documented; PyPI / npm AI-package supply-chain attacks increasing 2024-2026. Snyk, Socket.dev reporting sharp rises.

Predictor: Alex Wissner-Gross

κ + Brier as of 2026-05-22
κ (discount): 0.844
Brier: 0.0341 (excellent)
Hits / Misses: 6 / 1 of 11 resolved
Hit rate: 54.5%
Calibration plot (stated vs observed)

Evidence about this node from Alex Wissner-Gross is multiplied by κ in /api/intake. Lower κ = less weight; floors at 0.10 (effectively silenced) and caps at 1.00 (full weight).

Reference class: ai_catastrophic_misuse_1y

Linked

Frontier AI used in successful catastrophic-class (bio/cyber/chem) attack within 1y of capability claim

Base rate: 1/20 historical
Inside weight
Outside weight
no pull
inside 75.9% → blend 75.9% (0.0pp)

Tetlock-style outside view: at TRF=1 (just predicted), outside view dominates (w_in=0.3). At TRF=0 (deadline), inside view dominates (w_in=1.0). The blend regularizes overconfident inside views toward the historical base rate.

Probability over time

4 prob_history rows
[Chart: probability over time. Y-axis 0% to 100%; dates 2026-04-30, 2026-05-21, 2026-05-24; prior 78%; current = 75.9%. Legend: intake v2, milestone miss sweep, lbp propagation, reference class assigned, legacy v1, prior_prob (analyst seed).]

Milestone chain

Pre-event signals (upstream prereqs + window checkpoints) → resolution event → downstream cascades. Status/dates update from linked nodes; re-derive nightly via scripts/ops/derive_milestones.py.
Leading chain: 3 fired ✓ · 5 pending
  1. 2026-03-01 · hit · CVE-2026-33634 issued for upstream Trivy / TeamPCP campaign
    How: MITRE/NVD assigns CVE with CVSS ≥9.0 for AI-toolchain supply-chain attack with documented downstream cascade
    Source: https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/ (conf 95%)
    Notes: HIT — CVE-2026-33634 with CVSS 9.4. Trivy → LiteLLM cascade was attack mechanism.
  2. 2026-03-24 · hit · LiteLLM PyPI supply-chain compromise (versions 1.82.7, 1.82.8)
    How: Documented compromise of widely-used AI package on PyPI/npm with confirmed downstream propagation
    Source: https://docs.litellm.ai/blog/security-update-march-2026 — LiteLLM 1.82.7/1.82.8 compromised March 24 2026 (conf 99%)
    Notes: HIT — exactly the event Wissner-Gross referenced. LiteLLM downloaded 3.4M times/day, ≥20K downstream repos potentially exposed.
  3. 2026-03-24 · hit · Three-stage payload hits credential / Kubernetes / backdoor at scale
    How: Compromised package shown to deploy credential harvester targeting ≥50 secret types + lateral-movement toolkit + persistent backdoor
    Source: https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/ (conf 99%)
  4. 2026-07-21 · pending · Q1 window check-in (25%)
  5. 2026-06-01 → 2026-12-31 · pending · Second wave of AI-package supply-chain CVE during 2026
    How: ≥1 additional widely-deployed AI/agent package compromised at PyPI/npm scale during 2026, after LiteLLM
    Source: TeamPCP campaign tracked as 'Phase 09' — implies further phases pending; Wiz/Snyk/Kaspersky monitoring (conf 75%)
  6. 2027-02-07 · pending · Q2 window check-in (50%)
  7. 2026-09-01 → 2027-12-31 · pending · Enterprise breach attributable to AI-package compromise reported in SEC 8-K
    How: Public-company 8-K filing discloses material breach attributable to compromised open-source AI package
    Source: SEC EDGAR, security-incident filings (conf 55%)
    Notes: Cascade — operationalizes Wissner-Gross's 'systemic risk' framing as a measurable enterprise impact event.
  8. 2027-08-27 · pending · Q3 window check-in (75%)

No downstream cascades — this prediction is a leaf in the dependency graph.

What if this resolves?

Clamp this prediction TRUE or FALSE and run a counterfactual Gibbs sample. Surfaces the predictions whose marginals shift most under that assumption.
(live posterior: 76%)


Evidence chain

Every probability update with full Bayesian provenance — chronological, latest first
LBP · 2026-05-24T02:00:02Z · 75.9% · -3.5pp
Network propagation: 79.4% → 75.9%
4-iter LBP, residual 0.01000 · damping 0.5, w_intrinsic 0.5 · method lbp_v3 · run 806b02f8
intake_event_update · 2026-05-21T23:15:16Z · 79.4% · +6.1pp
intake:7afeeb9a-f217-4dd2-b910-24ff14bdfc39 bayesian_v2 inside=0.794 blend=0.794 LLR=0.342 κ=0.84 no_blend
Raw metadata
{
  "trf": 0.8675103990988756,
  "kappa": 0.8438,
  "base_rate": null,
  "predictor": "Alex Wissner-Gross",
  "total_llr": 0.4054651081081644,
  "bayesian_v2": true,
  "prior_logit": 1.009422591843683,
  "bayes_factor": "1.4:1 favoring",
  "blend_reason": "no reference_class linked",
  "inside_prior": 0.7329071343302511,
  "kappa_source": "predictor_table",
  "blend_applied": false,
  "contributions": [
    {
      "llr": 0.4054651081081644,
      "kappa": 0.8438,
      "label": "Industry concern about AI supply-chain / packaging attacks now mainstream enough to motivate dedicated cyber-AI initiati",
      "adjusted_llr": 0.3421314582216691
    }
  ],
  "evidence_kind": "intake_event_update",
  "inside_source": "history_v2",
  "inside_weight": 1,
  "outside_weight": 0,
  "posterior_prob": 0.7943835802353901,
  "evidence_origin": "daily_intake",
  "llm_suggestions": [
    {
      "polarity": "corroborates",
      "status_change": "unchanged",
      "evidence_strength": "weak",
      "delta_prob_suggestion": 0.03
    }
  ],
  "posterior_logit": 1.351554050065352,
  "predictor_brier": 0.03413,
  "evidence_doc_ids": [],
  "inside_posterior": 0.7943835802353901,
  "blended_posterior": 0.7943835802353901,
  "reference_class_id": null,
  "total_adjusted_llr": 0.3421314582216691,
  "predictor_n_resolved": 11
}
LBP · 2026-04-30T16:39:51Z · 73.3% · -1.7pp
Network propagation: 75.0% → 73.3%
5-iter LBP, residual 0.00825 · damping 0.5, w_intrinsic 0.5 · method lbp_v2 · run 0c8a4ea3
LBP · 2026-04-30T02:18:57Z · 75.0% · -3.0pp
Network propagation: 78.0% → 75.0%
5-iter LBP, residual 0.00825 · damping 0.5, w_intrinsic 0.5 · method lbp_v1 · run 592311ef

Network propagation neighbors

Top edges sorted by latest LBP cross-impact

Top incoming (parents)

Edges that influence THIS node's belief

| Kind | Node | Their prob | P(c|s=T) | P(c|s=F) | Δ implied |
|---|---|---|---|---|---|
| killer | TK11 Autonomous Regulatory Block (Level 4 Halt) | 10.0% | 0.050 | 0.780 | -0.052 |
| killer | TK06 China-Taiwan Military Conflict | 8.0% | 0.050 | 0.780 | -0.037 |

Top outgoing (children)

Predictions THIS node influences

No outgoing edges.

Ticker exposure

13 ticker(s) linked

Beneficiaries (13)

AI, BBAI, GTLB, NVDA, SOUN, IBM, META, MSFT, SHOP, AMZN, ORCL, GOOGL, PLTR

Prerequisites (2)

Predictions that must hit first
| Type | Pred | Title | Domain | Lag |
|---|---|---|---|---|
| killer | TK11 | Autonomous Regulatory Block (Level 4 Halt) | | |
| killer | TK06 | China-Taiwan Military Conflict | | |

Dependents (0)

Predictions enabled by this
No dependents

Validations (1)

Resolution events
| Observed at | Status | By | Notes |
|---|---|---|---|
| 2026-04-29 | partial | thesis_timeline_v1.0_import | LiteLLM CVE-2024/2025 disclosures documented; PyPI / npm AI-package supply-chain attacks increasing 2024-2026. Snyk, Socket.dev reporting sharp rises. |

Linked documents (10)

Auto-generated by cosine similarity from Polymarket / Manifold / EDGAR / GDELT

Raw metadata

From Thesis_Timeline_v1.0_FINAL workbook
{
  "nia": false,
  "mode": "FORECAST",
  "role": "Cited-Other",
  "context": "Specific vector extending 231_017 (Wissner-Gross: major supply chain attack from untrusted open-weight models is expected). LiteLLM is named vulnerable component.",
  "to_year": 2028,
  "conv_cues": "specific named framework vulnerability; severe framing",
  "direction": "HAPPEN",
  "from_year": 2026,
  "timeframe": "2026-2028",
  "conv_level": "HIGH",
  "milestones": [
    {
      "kind": "llm_pre_event",
      "label": "CVE-2026-33634 issued for upstream Trivy / TeamPCP campaign",
      "notes": "HIT — CVE-2026-33634 with CVSS 9.4. Trivy → LiteLLM cascade was attack mechanism.",
      "source": "https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/",
      "status": "hit",
      "weight": 0.4,
      "ordinal": -8,
      "source_id": null,
      "confidence": 0.95,
      "source_url": "https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/",
      "expected_date": "2026-03-01",
      "observed_date": "2026-03-01",
      "research_origin": "deep_research",
      "measurement_criterion": "MITRE/NVD assigns CVE with CVSS ≥9.0 for AI-toolchain supply-chain attack with documented downstream cascade"
    },
    {
      "kind": "llm_pre_event",
      "label": "LiteLLM PyPI supply-chain compromise (versions 1.82.7, 1.82.8)",
      "notes": "HIT — exactly the event Wissner-Gross referenced. LiteLLM downloaded 3.4M times/day, ≥20K downstream repos potentially exposed.",
      "source": "https://docs.litellm.ai/blog/security-update-march-2026 — LiteLLM 1.82.7/1.82.8 compromised March 24 2026",
      "status": "hit",
      "weight": 0.4,
      "ordinal": -7,
      "source_id": null,
      "confidence": 0.99,
      "source_url": "https://docs.litellm.ai/blog/security-update-march-2026",
      "expected_date": "2026-03-24",
      "observed_date": "2026-03-24",
      "research_origin": "deep_research",
      "measurement_criterion": "Documented compromise of widely-used AI package on PyPI/npm with confirmed downstream propagation"
    },
    {
      "kind": "llm_pre_event",
      "label": "Three-stage payload hits credential / Kubernetes / backdoor at scale",
      "source": "https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/",
      "status": "hit",
      "weight": 0.4,
      "ordinal": -6,
      "source_id": null,
      "confidence": 0.99,
      "source_url": "https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/",
      "expected_date": "2026-03-24",
      "observed_date": "2026-03-24",
      "research_origin": "deep_research",
      "measurement_criterion": "Compromised package shown to deploy credential harvester targeting ≥50 secret types + lateral-movement toolkit + persistent backdoor"
    },
    {
      "kind": "quartile_checkpoint",
      "label": "Q1 window check-in (25%)",
      "status": "pending",
      "weight": 0.05,
      "ordinal": -5,
      "source_id": null,
      "expected_date": "2026-07-21",
      "observed_date": null
    },
    {
      "kind": "llm_pre_event",
      "label": "Second wave of AI-package supply-chain CVE during 2026",
      "source": "TeamPCP campaign tracked as 'Phase 09' — implies further phases pending; Wiz/Snyk/Kaspersky monitoring",
      "status": "pending",
      "weight": 0.4,
      "ordinal": -4,
      "source_id": null,
      "confidence": 0.75,
      "source_url": "https://snyk.io/blog/poisoned-security-scanner-backdooring-litellm/",
      "expected_date": "2026-09-15",
      "research_origin": "deep_research",
      "expected_date_range": {
        "to": "2026-12-31",
        "from": "2026-06-01"
      },
      "measurement_criterion": "≥1 additional widely-deployed AI/agent package compromised at PyPI/npm scale during 2026, after LiteLLM"
    },
    {
      "kind": "quartile_checkpoint",
      "label": "Q2 window check-in (50%)",
      "status": "pending",
      "weight": 0.05,
      
... (truncated)