# The Vulnerability Wasn't Hidden. It Was the Point. - Date: 2026-04-02 - Category: Agentics The Mercor breach was a symptom. A backdoored PyPI package, harvested CI/CD credentials, and 1,000+ affected SaaS environments later, the real problem is that AI industry infrastructure runs on a GitHub Actions design that security researchers have warned about for years. ---