The Supply Chain Is the Product Now

Fredrik Brunnberg, CEO & Writer
9 May 2026, 7 min read

Two separate attackers poisoned popular open source packages this week. North Korean state hackers hijacked Axios. Another group industrialized supply chain compromise against widely-used tools. Meanwhile, your AI coding agent just pulled those same dependencies into your production stack without blinking. If you are a CTO or founder reading this, that sentence should make your stomach drop.

Everyone is celebrating that AI writes 80% of the code now. Conferences. Keynotes. LinkedIn thought leaders clapping like seals. But here is the thing nobody wants to say out loud: AI-generated code inherits trust from open source dependencies it cannot vet. And this week, right now in May 2026, we have proof that attackers already understand this better than most engineering leaders do.

The Attack Surface Just Changed Shape

Let me be concrete. The Register reports today that two different groups successfully compromised popular open source tooling. Not with zero-days. Not with exotic exploits. With supply chain poisoning. They changed the code upstream, where everyone trusts it, and let the downstream consumption do the rest.

Separately, Yahoo Tech reports that North Korean state hackers specifically targeted the Axios library. Axios. The thing that basically every JavaScript project on earth uses for HTTP requests. The thing your AI coding agent reaches for by default when it needs to make an API call.

This is not a new attack vector. Supply chain attacks have existed for years. What is new is the amplifier. When a human developer pulls in a dependency, there is at least a theoretical moment of consideration. Maybe they check the package. Maybe they look at the maintainer. Maybe they do nothing, but the possibility exists. When an AI agent writes code, it pulls from training data and pattern matching. It does not evaluate trust. It does not check if a maintainer account was recently compromised. It optimizes for function, not provenance.

The supply chain is the product now. If you are building software in 2026, your dependency tree is not a support structure. It is the main attack surface. And AI is making it wider every day.

What AI Coding Agents Actually Do (And Don't Do)

I run a tech company in Jönköping. We build AI agents for clients. We use AI tools internally. I am not anti-AI. I am building my company on this technology. But I refuse to pretend the tooling is something it is not.

Look at what is trending on GitHub right now. Repos like everything-claude-code (176k stars) and opencode (157k stars) are blowing up. People are building agent harnesses, optimization systems, coding agents that write full applications. The tooling is getting better fast. That is real.

But these agents share a blind spot. They are trained on patterns of what works. "Working" means functionally correct code. It does not mean supply-chain-verified code. When an AI agent decides to use a package, it is making a functional decision, not a security decision. It does not know that the maintainer of a popular npm package had their credentials phished last Tuesday. It does not know that a typosquatted package with a similar name was uploaded yesterday.

The automation tools like n8n (187k stars) that connect AI agents to deployment pipelines make this faster and more efficient. That is the point. But speed without verification is just faster failure.

Here is my take: the industry has built an incredible engine for generating code and a basically nonexistent engine for validating the trust chain of that code. We are shipping faster than ever into a minefield we are not mapping.

The Swedish Angle: Are We Better Off or Just Quieter?

From Jönköping, the view is different than from San Francisco. Sweden has a strong open source culture. We have a high baseline of engineering competence. Our companies tend to be smaller, leaner, more careful by temperament. That is an advantage right now.

But we also have problems. Swedish software development has embraced AI coding tools at roughly the same pace as the US. The difference is that Swedish and Nordic companies tend to have smaller security teams. Sometimes no dedicated security team at all. A Swedish startup doing MVP development moves fast because it has to. That speed, combined with AI-generated code and thin security resources, creates real exposure.

The EU AI Act is in effect but it says almost nothing about supply chain integrity for AI-generated code. It is focused on model risk, bias, transparency. Those things matter, but they are not the thing that will get your company breached this quarter. Swedish regulators at MSB (the Civil Contingencies Agency) have been talking about supply chain security for critical infrastructure, but the guidance does not extend to how AI agents select and integrate open source dependencies. There is a gap the size of a barn door.

Compare this to the US. CISA has been pushing Software Bill of Materials (SBOM) requirements since 2023. Progress is slow, but at least the framework exists. In the EU, CRA (Cyber Resilience Act) will eventually require better software composition tracking, but "eventually" is a dangerous word when attacks are happening today.

Sweden gets a lot right. Our engineering culture values quality. Our companies tend not to ship garbage just to hit a funding milestone. But on this specific issue, we are not ahead. We are in the same boat as everyone else, and the boat has a hole in it.

Oracle, OpenAI, and the Timeline Problem

Here is the other piece of context that matters right now. Oracle's stock is dropping because OpenAI's infrastructure buildout is slipping to 2028. The grand AI scaling story that every tech company has been building against is arriving on a different timeline than promised.

Think about what this means. Companies have been making architectural decisions, building dependency stacks, choosing tooling, hiring, all based on an assumption about where AI capabilities would be by 2027. If that timeline stretches, those decisions do not unwind cleanly. You are stuck with the choices you made.

And those choices increasingly include deep dependency on AI-generated code that nobody fully audited. You built fast. You shipped. Your AI agent pulled in 400 packages across 12 microservices. Now the scaling assumptions shift, the business model needs to pivot, and you need to trust that codebase. Can you?

This is where software development in Sweden and everywhere else needs to get honest. Speed is not free. AI-generated code is not free. The cost is deferred, and it shows up as security debt.

Where This Goes: 2027-2030

Let me lay out what I think happens next.

Short term (2026-2027): We will see a major incident. Not a library compromise that gets caught in a few days. A supply chain attack specifically engineered to exploit AI coding patterns. Attackers will publish packages that are optimized to be suggested by AI agents. Typosquatting will evolve into what I would call "pattern squatting," where packages are designed to match the patterns AI models have learned. This is coming. It is probably already happening.

Medium term (2027-2028): The market will demand a new layer. Call it dependency attestation, supply chain verification, provenance scoring, whatever. It will become as standard as CI/CD is today. Companies that build this infrastructure will be acquired fast. If you are a founder looking for a real problem to solve, this is it.

Longer term (2028-2030): As we move closer to something resembling AGI, the irony is that more capable AI could solve this problem. An AI that can actually reason about trust chains, evaluate maintainer behavior, detect anomalous commits. That is a real application of advanced AI. But until we get there, we are in the danger zone. AI capable enough to generate enormous amounts of code, not capable enough to verify the safety of what it generates.

The regulatory picture will lag, as it always does. The EU will update CRA. Sweden will issue new guidance. It will arrive two years after the worst incidents. Builders cannot wait for regulators. They never could.

What to Look At

If you are making decisions today, here is where I would focus attention:

1. OpenSSF Scorecard: The Open Source Security Foundation's tooling for evaluating the security posture of open source projects. It is not perfect, but it is the best automated trust signal we have. If your CI pipeline does not run this, fix that this week.

2. SBOM generation in every build: Tools like Syft and Grype from Anchore. Generate a Software Bill of Materials for every deployment. When the next Axios-level compromise happens, you need to know in minutes, not days, whether you are affected.

3. Pin your dependencies and audit your lockfiles: This sounds basic because it is. But I guarantee that most teams using AI coding agents are not reviewing what those agents add to package.json or requirements.txt. Start reviewing. Treat dependency changes like you treat database migrations. With attention.

4. opencode: Worth watching as an open source coding agent that you can self-host and inspect. The trend toward open, auditable AI tooling matters more when the alternative is a black box that picks your dependencies for you.
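
An added example (not from the original post or from HEIMLANDR) of the lockfile review in item 3: it compares two parsed npm package-lock.json files (v2/v3 `packages` map) and flags each added or changed package that lacks an integrity hash, resolves from outside the public registry, runs an install script, or is missing from a human approval list. The approval set, the package names and the flag labels are assumptions made for illustration.

```javascript
// Added example: review gate for npm lockfile changes (package-lock.json v2/v3).
// The approval set and both sample lockfiles are constructed for illustration.
const REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function pkgName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Report every added or changed package in `after`, with the provenance
// signals a reviewer should check before the change is merged.
function auditLockfileChange(before, after, approved = new Set()) {
  const findings = [];
  for (const [path, entry] of Object.entries(after.packages || {})) {
    if (!path.includes("node_modules/") || entry.link) continue; // root, workspaces
    const old = (before.packages || {})[path];
    if (old && old.version === entry.version && old.integrity === entry.integrity) continue;
    const id = `${pkgName(path)}@${entry.version}`;
    const flags = [];
    if (!entry.integrity) flags.push("no-integrity-hash");
    if (!String(entry.resolved || "").startsWith(REGISTRY)) flags.push("non-registry-source");
    if (entry.hasInstallScript) flags.push("install-script");
    if (old && old.version === entry.version) flags.push("same-version-new-hash");
    if (!approved.has(id)) flags.push("not-human-approved");
    findings.push({ id, change: old ? `was ${old.version}` : "added", flags });
  }
  return findings;
}

// The gate passes only when every changed package is approved and unflagged.
const gatePasses = (findings) => findings.every((f) => f.flags.length === 0);

// Constructed sample: one reviewed version bump, one unreviewed look-alike package.
const SAMPLE_BEFORE = { packages: {
  "": { name: "app" },
  "node_modules/example-http": { version: "1.0.0",
    resolved: REGISTRY + "example-http/-/example-http-1.0.0.tgz", integrity: "sha512-AAAA" },
} };
const SAMPLE_AFTER = { packages: {
  "": { name: "app" },
  "node_modules/example-http": { version: "1.0.1",
    resolved: REGISTRY + "example-http/-/example-http-1.0.1.tgz", integrity: "sha512-BBBB" },
  "node_modules/exampel-http": { version: "0.0.1",
    resolved: "https://files.example.invalid/exampel-http.tgz", hasInstallScript: true },
} };

const findings = auditLockfileChange(SAMPLE_BEFORE, SAMPLE_AFTER, new Set(["example-http@1.0.1"]));
console.log(JSON.stringify(findings, null, 2), "gate passes:", gatePasses(findings));
```

In CI, the two inputs would be the lockfile on the base branch and the one in the pull request, with a failing gate blocking the merge until a reviewer extends the approval list.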

What We Are Doing at HEIMLANDR

At HEIMLANDR, we build AI solutions and fullstack applications for companies that need to move fast. We use AI tools. We are not Luddites. But every project we ship now includes dependency auditing as a first-class concern, not an afterthought. We treat the supply chain as part of the product, because it is.

When we do AI agent development for clients, we build in constraints around dependency selection. The agent can suggest packages. A human reviews the trust chain. It adds a small amount of friction. That friction is the difference between shipping software and shipping a backdoor.

A Challenge

If you are a CEO or CTO reading this, I have a simple ask. Go ask your engineering lead right now: how many dependencies did we add in the last 30 days that were suggested by an AI tool? How many of those did a human explicitly approve? If nobody can answer that question, you have a problem. Not a theoretical future problem. A right-now problem. This week's attacks prove it.

The celebration around AI-generated code is real. The productivity gains are real. But productivity without supply chain integrity is just building faster on sand. We can do better. We have to.

Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing. If you found this valuable, share it with someone who builds things.

#supply-chain-security #ai-generated-code #open-source-security #software-development-sweden #ai-agents
Fredrik Brunnberg

CEO & Writer

CEO of HEIMLANDR.IO. Punk rock tech from Jönköping, Sweden. Builds AI systems and blockchain infrastructure, and writes about where the industry is actually heading: no echo chamber, no hype.