AI Goes to War: Supply Chain Attacks, Zero-Day Disclosures, and the Battle for Compute Dominance
The Week That Redefined AI Infrastructure and Developer Security
If there was a unifying theme across the tech landscape this week, it was the convergence of two forces that have been building in parallel for months: the explosive growth of AI infrastructure and the corresponding explosion in AI-powered security threats. From Microsoft's bold declaration of independence with seven new proprietary AI models to supply chain attacks that compromised 32 Red Hat npm packages, the message is clear — the AI revolution isn't waiting for anyone to get ready.
Microsoft Goes All-In on In-House AI with Seven New MAI Models
At Build 2026, Microsoft unveiled seven models under the MAI (Microsoft AI) brand, marking what might be the most significant strategic pivot since the company's initial OpenAI partnership. The standout is MAI-Thinking-1, Microsoft's first reasoning model, which achieved a 97% score on the AIME 25 benchmark — putting it at the frontier of mathematical reasoning. But the real story isn't just about benchmark scores.
MAI-Code-1-Flash, a remarkably compact model at just 5 billion parameters, reached 51% on SWE-Bench Pro — a result that challenges the assumption that coding proficiency requires massive parameter counts. This model is already being integrated as the default in VS Code via GitHub Copilot, giving Microsoft a direct shot at the AI coding market that Anthropic's Claude has dominated. MAI-Image-2.5 also made waves, claiming the #2 spot on the Arena Image Edit leaderboard.
All models are optimized for Microsoft's Maia 200 custom chips, delivering 1.4x performance-per-watt over NVIDIA's GB200. This hardware co-optimization signals a future where the major cloud providers increasingly bypass NVIDIA — and each other — to build vertically integrated AI stacks.
The Red Hat Supply Chain Nightmare: Miasma Strikes 32 Packages
In what may be the most alarming supply chain attack of the year, more than 30 npm packages under Red Hat's @redhat-cloud-services namespace were compromised with Miasma, a new variant of the Shai-Hulud credential-stealing malware. The attack vector was as sophisticated as it was swift: attackers compromised a Red Hat employee's GitHub account and used GitHub Actions OIDC tokens to push malicious versions of 32 packages and 96 package versions within a 72-second window.
The payload — a 4.2 MB obfuscated JavaScript file — executed automatically during package installation via npm's preinstall hook. It targeted an extraordinarily broad range of credentials: GitHub Actions secrets, AWS credentials, Google Cloud and Azure tokens, SSH keys, Docker credentials, and .env files. Security firm OX Security identified over 210 GitHub repositories containing credentials exfiltrated by the malware.
What makes this particularly concerning is the lineage. Miasma is an evolution of Mini Shai-Hulud, whose source code was publicly released by the TeamPCP threat group in May. Previous Shai-Hulud attacks targeted Bitwarden, SAP, Mistral, TanStack, OpenAI, and GitHub itself. The malware's signature string — "Miasma: The Spreading Blight" — has been found across 309 compromised repositories. Red Hat stated that the affected packages were limited to internal development and not customer-facing, but the speed and breadth of the compromise underscores the fragility of even well-resourced software supply chains.
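The preinstall hook described above is ordinary npm behaviour: any package in the dependency tree may declare a lifecycle script that runs during install, with no opt-in from the person running `npm install`. A defender's first question after an incident like this is therefore "which packages in our tree run code at install time at all?" The script below is an added example, not code from the article, from Red Hat, or from any of the firms named; it inventories install-time hooks across a `node_modules` tree and applies a cheap static heuristic (very long lines, dense `\x` escapes) to flag scripts that look minified or obfuscated. The sample tree it builds is constructed for the demonstration, and the package name `@example/constructed-pkg` and the thresholds `LONG_LINE_CHARS` and `HEX_ESCAPE_RATIO` are assumptions to tune for your own environment.

```python
"""Inventory install-time lifecycle scripts in a node_modules tree.

Added example (not from the original article). The sample tree is constructed
here; package names and heuristic thresholds are assumptions, not npm's values.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# npm lifecycle scripts that run during `npm install` without any user opt-in
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic thresholds (assumptions; tune per environment)
LONG_LINE_CHARS = 500      # average line length above this suggests minification
HEX_ESCAPE_RATIO = 0.01    # share of '\x..' escapes above this suggests obfuscation


def looks_obfuscated(script: Path) -> bool:
    """Cheap static heuristic: very long lines or a high density of hex escapes."""
    try:
        text = script.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False
    if not text:
        return False
    lines = text.splitlines() or [text]
    avg_line = len(text) / len(lines)
    hex_escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}", text))
    return avg_line > LONG_LINE_CHARS or hex_escapes / len(text) > HEX_ESCAPE_RATIO


def _script_file(package_dir: Path, command: str) -> Optional[Path]:
    """If the hook command runs a local JS file ('node setup.js'), resolve it."""
    match = re.search(r"\bnode\s+([\w./-]+\.c?js)\b", command)
    if not match:
        return None
    candidate = package_dir / match.group(1)
    return candidate if candidate.is_file() else None


def find_install_hooks(node_modules: Path) -> list:
    """Return one finding per install-time lifecycle script found in the tree."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # not a readable manifest; nothing to inventory
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            script = _script_file(pkg_json.parent, str(command))
            findings.append({
                "name": data.get("name", pkg_json.parent.name),
                "version": data.get("version", "?"),
                "hook": hook,
                "command": command,
                "suspicious_script": bool(script and looks_obfuscated(script)),
            })
    return findings


def build_sample_tree() -> Path:
    """Construct a throwaway node_modules with one clean and one hooked package."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    clean = root / "node_modules" / "left-pad-ish"          # constructed, benign
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0", "scripts": {"test": "jest"}}))

    hooked = root / "node_modules" / "@example" / "constructed-pkg"  # hypothetical name
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps({
        "name": "@example/constructed-pkg", "version": "9.9.9",
        "scripts": {"preinstall": "node setup.js"}}))
    # constructed stand-in for an obfuscated blob: one long line of hex escapes
    (hooked / "setup.js").write_text('var s="' + "\\x41" * 400 + '";')
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in find_install_hooks(tree / "node_modules"):
        flag = "SUSPICIOUS" if f["suspicious_script"] else "review"
        print(f"[{flag}] {f['name']}@{f['version']} {f['hook']}: {f['command']}")
```

Point `find_install_hooks` at a real `node_modules` directory to get the inventory; every hit deserves a look, and a hit whose script trips the heuristic deserves one before the next install. The heuristic is deliberately crude and will not catch everything, so the stronger control is to stop lifecycle scripts running by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to allow-list the handful of packages that genuinely need a build step.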
VS Code Zero-Day: Your GitHub Token, Gone in One Click
Security researcher Ammar Askar dropped a bombshell with the public disclosure of an unpatched zero-day in Visual Studio Code that enables full GitHub account compromise through a single malicious link. The vulnerability exploits VS Code's sandboxed webview message-passing system to simulate keypresses and install a malicious extension — all without any user interaction beyond the initial click.
The stolen GitHub OAuth token isn't scoped to a single repository. It grants access to every private and public repository the victim can access. Askar chose immediate full public disclosure, releasing proof-of-concept exploit code just one hour after notifying GitHub, citing a history of dismissive responses from Microsoft's Security Response Center (MSRC).
This disclosure follows a broader pattern of researcher frustration with Microsoft. An anonymous researcher codenamed "Nightmare Eclipse" has been leaking multiple Microsoft zero-days — including privilege escalation vulnerabilities and a BitLocker bypass — after threats of legal action from Microsoft. The situation raises serious questions about whether the current vulnerability disclosure ecosystem is serving anyone's interests.
Until a patch arrives, the mitigation is simple but critical: clear all cookies and site data for github.dev in your browser. This forces a re-authentication flow that would alert you to unauthorized extension installation attempts.
Anthropic's $965 Billion Valuation and the SpaceX Compute Empire
Anthropic closed a $65 billion Series H at a $965 billion post-money valuation on May 28, making it the most valuable private AI company in the world — surpassing OpenAI. This valuation, up from roughly $380 billion just months ago, reflects not just confidence in Claude's capabilities but in Anthropic's growing infrastructure independence.
The infrastructure story is perhaps even more remarkable. Anthropic signed a multi-year deal giving it access to SpaceX's Colossus 1 supercomputer at approximately $1.25 billion per month through 2029 — providing access to over 300 megawatts of compute capacity. This single contract dwarfs most AI companies' entire annual compute budgets and represents a fundamental shift in where AI infrastructure power resides.
SpaceX also reportedly holds an option to acquire Cursor, the AI-powered code editor, for $60 billion — or alternatively, pay $10 billion for a strategic partnership. The pattern is unmistakable: the winners in AI may not be the companies with the most famous chatbots, but those that control the compute layer and developer workflow tools. As one analysis put it, "Compute is now a primary AI growth bottleneck — power, chips, cooling, data-centre space, and financing."
AI-Powered Ransomware: The Automation of Cyberattacks Enters a New Phase
Sophos disclosed a chilling development: a threat actor has been using AI agents — specifically Cursor and Claude Opus — to build and iteratively refine a ransomware toolkit. The system used a multi-agent architecture where a Claude Opus 4.5 agent coordinated the entire research and development process, delegating tasks to specialized sub-agents for testing, OPSEC hardening, and payload generation.
The toolkit generated close to 80 modules tested against 70+ EDR bypass techniques, targeting Sophos, CrowdStrike, and Microsoft Windows Defender. After several AI-assisted iterations, the modules reportedly bypassed almost all major EDR solutions. The attack framework combined Cobalt Strike profiles, Telegram bot API command-and-control infrastructure, Python shellcode injection, and Cloudflare Worker redirectors.
What's important to understand is that Sophos found no evidence of AI operating autonomously in victim environments. Instead, AI was used to accelerate the development, testing, and refinement workflow — shortening the gap between publication of offensive security research and its weaponization. Legitimate security research from Kaspersky, Palo Alto Networks, Bishop Fox, and SpecterOps was systematically ingested, mapped to MITRE ATT&CK, and operationalized into attack code.
This represents a qualitative shift in the cyber threat landscape. When AI can iteratively refine attack code faster than defenders can develop countermeasures, the traditional advantage of defense-in-depth strategies begins to erode. The takeaway isn't that AI-enabled attacks are unstoppable — it's that the asymmetric arms race between attackers and defenders just got a new accelerator.
What This Means for Developers and Security Teams
The convergence of these stories paints a picture of a tech ecosystem under simultaneous transformation and assault. For developers, the Microsoft MAI launch means more choices and potentially lower costs for AI coding assistance — but also a more fragmented landscape where choosing the right model becomes a strategic decision rather than a default.
For security teams, the Red Hat supply chain attack and VS Code zero-day are wake-up calls. Zero Trust architectures aren't optional anymore — they're the minimum viable defense. Supply chain integrity, credential rotation, and developer environment hygiene have moved from best practices to survival requirements.
And for the AI industry at large, the Anthropic-SpaceX deal and Microsoft's MAI launch signal that the battle for AI dominance has moved beyond model quality into infrastructure, compute access, and ecosystem control. The companies that own the compute layer and developer workflow are positioning themselves as the true power brokers of the AI age.
The tools are getting better, the threats are getting smarter, and the infrastructure is getting more concentrated. Whether you're building software or defending it, the pace of change isn't slowing down — it's accelerating.