The same trust model that makes open-source package ecosystems productive has made them a reliable attack surface — and recently that surface expanded to include the AI/ML toolchain itself.