PCPJack, polyfill CDN and Bright Data SDK show supply chain attacks moving into runtime weaponisation
Supply chain compromise is shifting from static package poisoning towards runtime weaponisation, where trusted code becomes a credential harvester, traffic broker or covert infrastructure node after deployment.
PCPJack, polyfill CDN compromises and the Bright Data SDK are useful markers for a change in supply chain tradecraft: the dependency is no longer only a delivery vehicle for malware. It is becoming a runtime instrument. The target is not just the developer who installs a poisoned package. It is the browser session that later loads a script, the application process that later imports an SDK, the CI runner that later exposes credentials, the agent workflow that later calls a tool and the customer environment that later becomes useful infrastructure.
That distinction matters because much of supply chain defence is still built around static inspection. We scan archives. We compare hashes. We review diffs. We pin versions. Those controls are necessary, but they assume that the main security question is whether the artefact is bad when it arrives. Runtime weaponisation changes the question. A dependency can look inert during installation, pass a repository scan, behave normally under casual testing and still become dangerous when it receives a remote configuration, observes a valuable environment or runs inside a browser context with access to secrets and user traffic.
This is not a replacement for package poisoning. It is a higher layer on top of it. The older model asked attackers to place malicious code into a supply chain. The newer model asks them to place control into a supply chain.
The old model was easier to see
The first generation of modern supply chain compromise was not simple, but it was legible. A trusted software channel delivered a compromised artefact. The artefact contained malware. Downstream users executed it because trust had been delegated to the vendor, package maintainer, extension publisher or build pipeline.
Krebs' reporting on 3CX captured that model well. The 2023 incident was described as a double supply chain attack, where North Korean operators used a prior compromise to seed malware into software used by other organisations. The same research summary points backwards to earlier cases, including APT41 campaigns against high-tech and gaming companies and a 2019 Android vendor compromise where malicious software was pre-installed on budget devices.
Those incidents were serious because they exploited distribution trust. A vendor or package channel carried malicious code into places the attacker could not reach directly. Once the tainted artefact arrived, endpoint controls had to recognise it as malicious. Sometimes they did. Often they did not. But the conceptual model remained familiar: malicious code crossed a boundary.
That model shaped the defensive response. Software composition analysis looked for known vulnerable packages. Package registries built takedown workflows. CI systems added secret scanning. Enterprises asked vendors for software bills of materials. Release pipelines adopted signing, provenance and reproducible-build techniques. These measures improved the situation, particularly for known vulnerabilities and crude malware injection.
They did not solve the deeper trust problem. They mostly improved our ability to inspect the thing that was delivered. The newer attacks exploit what the thing is allowed to do after delivery.
Runtime weaponisation changes the target
Runtime weaponisation treats a supply chain foothold as a decision point, not merely a dropper. The compromised dependency does not need to reveal itself immediately. It can wait for a specific host, browser origin, cloud credential, developer token, network range, geolocation, customer identifier or execution mode. It can alter behaviour based on remote configuration. It can avoid noisy systems. It can turn itself on only when the return is worth the risk.
That is why PCPJack, polyfill CDN compromises and the Bright Data SDK belong in the same discussion even though they sit in different parts of the stack. PCPJack represents the developer and package ecosystem problem: trusted code can be positioned to collect credentials or influence execution when the right project context appears. Polyfill CDN compromise represents the web delivery problem: a script served through a trusted inclusion path can run inside countless browser sessions after the publisher relationship has already been accepted. The Bright Data SDK represents the infrastructure abuse problem: a component embedded for one purpose can participate in traffic relay, proxying or other network behaviour that belongs to the vendor's runtime business model rather than the application owner's threat model.
The common element is delegated execution. In each case, the victim grants a third party code execution in an environment that contains something useful: credentials, session state, network position, user traffic, production data or access to another service. Once that permission exists, the attacker does not need to break the perimeter again. The perimeter was crossed by design.
A compromised library that only executes during installation has one shot. A runtime-capable dependency has recurring access.
The browser made this pattern normal
The web has always been a permissive runtime supply chain. A page can include a third-party script. That script can execute in the user's browser. It can observe the page, alter the DOM, interact with forms and send network requests. Content Security Policy can restrict some of this behaviour, but the basic bargain remains: if a site includes a script from a supplier, that supplier's code runs in the user's session.
Polyfill-style CDN compromises are therefore not an exotic corner case. They expose a design pattern that is already accepted as normal. Sites load a compatibility script because it solves a practical problem. The dependency is remote because centralised delivery is convenient. The script is trusted because the inclusion path is trusted. If that path changes ownership, serves conditional payloads or becomes hostile, the user is not asked to approve a new trust decision. The page already made it for them.
This is a sharper problem than a malicious package sitting in a repository. Repository compromise usually affects the next install, upgrade or build. A CDN compromise affects live sessions. The attacker gets a runtime vantage point across visitors, not just developers. That makes targeting easier. The payload can select specific browsers, geographies, referrers, paths or authenticated views. The most valuable victim may never install anything. They only have to visit a site that already trusted the wrong script source.
Static controls struggle here. A hash can pin a script if the site uses subresource integrity and if the script is not expected to change. Many third-party scripts are expected to change. Analytics, ads, chat widgets, fraud detection and compatibility shims are often integrated precisely because the supplier wants to update behaviour without the site owner redeploying code. That feature is also the attack surface.
The uncomfortable part is that the attacker is not abusing a forgotten edge case. They are abusing the reason the service exists.
SDKs blur product and infrastructure
SDKs make the runtime problem less visible because they arrive dressed as normal application architecture. A developer imports a package to add functionality. The SDK may collect telemetry, manage retries, call external APIs, update configuration or open network connections. None of that is automatically malicious. Much of it is expected.
The Bright Data SDK sits in this ambiguity. Bright Data is associated with proxy and scraping infrastructure, which means network position is not incidental to the business model. When an SDK connected to that ecosystem appears inside applications, the security question is not limited to whether it contains obviously malicious code. The question is whether the application owner understands the runtime network behaviour they have embedded and whether that behaviour can turn customer environments into infrastructure for someone else's purposes.
This is a different risk from credential theft, but it is part of the same shift. The dependency becomes operational capacity. It may provide reach, reputation, residential or mobile network egress, telemetry, traffic shaping or some other form of runtime leverage. A software supply chain foothold is no longer only a way to steal from the host. It can also be a way to use the host.
That distinction matters for defenders because abuse may not look like compromise. Outbound traffic from an approved application, generated by an approved library, using documented SDK behaviour, may pass through monitoring as normal. The fact that it creates risk for users, customers or third parties can be obscured by the contractual language around the SDK and the absence of an obvious exploit.
Traditional malware thinking asks whether code is authorised. Runtime supply chain thinking asks whether the authorised code is acting in the organisation's interest.
Credential harvesting has become environmental
Credential theft in supply chain attacks used to be noisy. A malicious package would search the filesystem for tokens, environment variables, SSH keys, cloud credentials or package registry secrets. That still happens because it works. The existing posts on this site have covered npm worms, PyPI packages, Docker images and CI compromises that do exactly that.
Runtime weaponisation makes credential harvesting more selective. The payload can inspect context first. Is it running in CI. Is the repository interesting. Are cloud metadata services reachable. Are Kubernetes service account tokens mounted. Is the browser on an authenticated route. Is the application handling payment data. Is the user inside a corporate SSO flow. Is the host a developer workstation or a production container.
This is where package poisoning and runtime abuse converge. The initial supply chain compromise provides execution. The runtime environment provides targeting data. The payload can then choose whether to harvest, persist, proxy, sabotage or do nothing.
Krebs' 3CX summary shows the previous strategic logic: compromise a trusted supplier to reach downstream organisations. The same logic now operates at finer granularity. Rather than treating every downstream install as equal, the attacker can make decisions inside each downstream environment. That reduces exposure. It also makes incident response harder because two victims of the same compromised dependency may see different behaviours.
The defender's evidence becomes uneven. One organisation finds credential access. Another sees suspicious outbound connections. A third sees no payload because the activation conditions were not met. Static indicators will undercount the campaign because the campaign is not static.
AI agents inherit the same failure mode
The academic brief on runtime governance for production AI agents is not about PCPJack, polyfill or Bright Data directly. Its argument is still relevant. It says enterprise security was built to govern data boundaries, while production agents move risk inside workflows: an agent reads context, calls tools, invokes connectors and modifies systems of record through sequences of individually permitted actions.
That is the supply chain runtime problem in a newer vocabulary. Each action may be allowed. The unsafe behaviour emerges from the sequence, the context and the external tool's behaviour at the moment of use.
This does not mean supply chain defence should borrow robotics terminology. It means static inspection is mismatched to systems whose risk emerges during action. AI agents make this explicit because they call tools dynamically. But the same pattern already exists in web scripts, SDKs, package post-install hooks, CI actions and remote configuration frameworks.
The supply chain is no longer just a chain of artefacts. It is a chain of runtime permissions.
What defenders should measure instead
Static assurance remains necessary. Hash pinning, lockfiles, reproducible builds, signed releases and provenance metadata reduce entire classes of attack. They make it harder to replace an artefact silently. They help incident responders identify exactly which version ran where. They force attackers to compromise stronger trust anchors.
They do not answer every runtime question. A signed package can contain a remote configuration client. A pinned script can load additional logic from an approved endpoint. A legitimate SDK can change behaviour after a server-side flag changes. A tool can be safe under test and unsafe when it sees production secrets. A dependency can be non-malicious from the supplier's perspective and still violate the consuming organisation's security assumptions.
The useful defensive shift is from dependency inventory to permission inventory. Knowing that a package is present is table stakes. The harder question is what that package can do when it runs.
For browser-side dependencies, that means tracking third-party scripts, their owners, their integrity controls, the pages they execute on and the data they can observe. Scripts on authenticated pages deserve different scrutiny from scripts on a public marketing page. Remote scripts that can change without deployment should be treated as live supply chain relationships.
For SDKs, it means documenting outbound destinations, update mechanisms, telemetry fields, proxy behaviour, runtime configuration channels and privilege boundaries. An SDK that can open arbitrary network connections is not the same risk as a pure local parser. An SDK that can change behaviour through a vendor-controlled control plane is not the same risk as a vendored library pinned in source.
For packages and CI components, it means continuing to pin, verify and minimise secrets, but also monitoring execution context. A CI job should not expose production tokens to every third-party action. A build container should not mount broad cloud credentials by default. A dependency install step should not have access to secrets that are only needed at deploy time.
For agents, it means treating tools and connectors as runtime dependencies. Approval should not be a one-time prompt. Tool descriptions, scopes, endpoints and behaviour need change detection. An agent that can read documents, call a browser, update tickets and access cloud consoles is not using four harmless tools. It is operating inside a composite authority boundary.
The aim is not to ban dependencies. That is not serious advice. The aim is to stop pretending that the dependency graph ends at installation.
The next supply chain boundary
Attackers follow leverage. Poisoning an obscure package may compromise a few machines. Compromising a popular package reaches more. Compromising a build system reaches every downstream artefact. Compromising a CDN or runtime SDK can reach live users and production systems without waiting for the next install. Compromising an agent tool can influence actions across connected systems.
This is why runtime weaponisation is attractive. It gives the attacker selection, persistence and deniability. Selection, because the payload can wait for valuable context. Persistence, because the trust relationship often remains active. Deniability, because behaviour can be explained as configuration, telemetry, compatibility logic or documented SDK functionality until someone proves otherwise.
Supply chain security spent years learning to ask where code came from. That question still matters. It is just no longer sufficient. The more important question for 2026 is what the code can become after it is trusted.
PCPJack, polyfill CDN compromises and the Bright Data SDK sit on that boundary. They point to a world where compromise can be delayed, conditional, remotely shaped and operationally useful beyond the original host. The artefact is only the admission ticket. The runtime is where the attack decides what it wants to be.
The industry prefers controls that can be expressed as inventory fields: package name, version, hash, licence, CVE count. Runtime weaponisation is less tidy. It asks whether a dependency has authority, whether that authority changes, whether anyone is watching the change and whether the supplier's incentives match the user's security assumptions. That is harder to put in a spreadsheet. It is also closer to the way the attacks now work.
Newsletter
One email a week. Security research, engineering deep-dives and AI security insights - written for practitioners. No noise.