Two breaches landed this week with very different vibes but identical implications. Hasbro, a 100-year-old toymaker whose brand equity lives in childhood nostalgia, admitted hackers may have been inside its systems for weeks. Meanwhile, Mercor, an AI recruiting startup, was hit via a compromised open-source dependency, LiteLLM, a reminder that the supply chain is the attack surface now. And trending in the background: Iran-linked hackers breaching Kash Patel's personal email. The adversary is not specializing. Everyone is a target.

Open Source as Infrastructure Risk

The Mercor hack is the more structurally interesting story. LiteLLM is a routing layer used by hundreds of AI companies to abstract across model providers. Its compromise is a supply-chain attack in the classic sense, the kind that has become the dominant threat vector since SolarWinds. The uncomfortable truth: the AI stack is being built fast, on open-source dependencies that receive irregular security auditing. A 2023 paper in IEEE Security and Privacy by Ladisa et al. found that open-source supply chain attacks increased 742% year-over-year between 2019 and 2022, a curve that has only steepened. The lesson the Mercor breach teaches is that your threat model has to extend to every library your LLM wrapper touches. That is a genuinely new and underappreciated attack surface.

Legacy Brands and the Cost of Recovery Time

Hasbro's admission that recovery could take "several weeks" is the more culturally resonant data point. Toymakers are not tech companies. Their operational technology, supply chain systems, and licensing backends are often legacy infrastructure running on decades-old architecture, bolted together across acquisitions. The Raspberry Pi price hike story, a $100 jump on the Pi 5 driven by tariff and supply pressure, lands here as a cousin: hardware dependency creates fragility at every level, from maker hobbyists to enterprise toymakers. Founders building in this space should note the increased investor interest being tracked in cybersecurity infrastructure tooling, specifically the layer between AI apps and their open-source dependencies. The breach cycle is creating a funding cycle.