
This is an IT Support Group

Tuesday IT Roundup 🤠

NPM is on fire, SAP has emergency homework, and AI-powered attackers are becoming everybody’s problem.

GM IT pros!

Happy Tuesday. This was going to be a normal roundup, and then npm decided to become a live-fire supply-chain exercise.

Short version: if you or your devs pulled fresh packages today, especially around TanStack, OpenSearch, Mistral AI, Guardrails AI, UiPath, or similar AI/dev tooling, stop and inspect before you casually run another install. “Just uninstall it” is not the fix if the malware planted persistence in your dev environment.

-Stetson

Tech News TL;DR

Today’s IT and tech chaos in 5-minutes-ish or less

🔒 CYBER-SECURITY NIGHTMARES

Because sleep is overrated anyway...

🚨 NPM supply chain attack hits TanStack, Mistral, OpenSearch, and friends
A fresh “Mini Shai-Hulud” campaign compromised packages across npm and PyPI, with reporting naming TanStack, Mistral AI, Guardrails AI, OpenSearch, UiPath, and others. The ugly part: the payload reportedly targets developer tooling and can persist through Claude Code and VS Code config hooks, so uninstalling the package may not clean the machine. Read more

🧯 Checkmarx Jenkins plugin was compromised with an infostealer
Checkmarx says a rogue Jenkins AST plugin version landed in the Jenkins Marketplace. If your CI pipeline can pull secrets, build artifacts, or deploy tokens, this is exactly the kind of plugin compromise that turns “developer tool” into “keys to the kingdom.” Read more

🧱 SAP patches critical Commerce Cloud and S/4HANA flaws
SAP’s May security updates fix 15 vulnerabilities, including critical issues in Commerce Cloud and S/4HANA. Translation: if your business runs on SAP and your patch window is “eventually,” today is a good day to become annoying in the change-management meeting. Read more

🕳️ cPanel flaw is being actively exploited
Attackers are exploiting CVE-2026-41940 in cPanel/WHM to deploy a Filemanager backdoor, according to security reporting. Hosting panels are basically the snack drawer for attackers: one login surface, a pile of sites, and usually a scary amount of customer data. Read more

🐧 Linux gets another severe vulnerability warning
Ars reports Linux has been hit by its second severe vulnerability in two weeks, with production patches rolling out. Linux admins get the smug uptime jokes, but they also get the joy of emergency kernel patching. Balance in all things. Read more

☁️ CLOUD CHAOS

Where your data goes to party without you

🧊 Google Cloud launches faster object storage for AI and analytics
Google announced Cloud Storage Rapid, a high-performance zonal object storage family aimed at AI and analytics workloads. Cool if you need speed; less cool if your finance team discovers “AI experiment” now means “storage tier with a gym membership.” Read more

🗄️ Google’s Database Center gets Gemini-powered fleet intelligence
Google Cloud is adding Gemini-powered fleet intelligence to Database Center to help manage sprawling database estates. Every vendor is selling “AI will fix your ops pain,” which is great right up until the AI tells you your architecture is the problem. Read more

💸 AWS previews managed payments for AI agents
AWS highlighted Bedrock AgentCore payments, built with Coinbase and Stripe, so agents can pay for APIs, MCP servers, web content, and other services. Neat capability, terrifying expense report. Give those agents budgets before they discover SaaS subscriptions. Read more

🌐 Cloudflare explains a QUIC performance bug caused by Linux idle logic
Cloudflare dug into a QUIC issue where congestion windows could get pinned at the minimum floor, wrecking performance. It’s a good reminder that “the network is slow” can mean anything from app code to kernel behavior to one cursed timeout nobody wants to own. Read more

🏢 BUSINESS SHENANIGANS

Corporate chaos you need to know about

🎓 Canvas maker Instructure says it reached an “agreement” after ShinyHunters breach
Instructure says it reached an agreement with ShinyHunters to stop stolen Canvas-related data from leaking. “Agreement” is doing a lot of work there. Schools and universities now get to play the vendor-breach notification game, everyone’s favorite semester project. Read more

🚗 GM settles California driver-data case for $12.75M
GM agreed to a proposed California settlement over allegations it sold drivers’ data in violation of privacy law. Modern cars are computers with wheels, microphones, apps, and a legal department explaining why your commute is analytics. Read more

🧑‍💻 GM reportedly laid off IT workers to hire stronger AI skills
TechCrunch reports GM laid off hundreds of IT workers while hiring for AI-native development, data engineering, cloud engineering, agents, models, and prompt workflows. Nothing says “future of work” like telling the current work to pack a box. Read more

🦊 EU browser choice rules send more users to Firefox
Mozilla says the EU’s Digital Markets Act browser-choice rules brought millions more users Firefox’s way. Turns out when users are actually shown a choice, some of them choose something besides the default shoved into the OS. Wild concept. Read more

🤖 AI TAKING OVER

Our future robot overlords are getting smarter

🧠 Google says attackers used AI to build a zero-day exploit
Google Threat Intelligence says a threat actor likely used AI to develop a zero-day exploit for a web admin tool. The “AI helps defenders and attackers” talking point is no longer conference filler; it’s now an incident-response calendar invite. Read more

🛡️ OpenAI launches Daybreak for AI-powered vulnerability detection
OpenAI announced Daybreak, a cybersecurity initiative focused on finding and validating patches for vulnerabilities before attackers get there first. Good idea. Also, every security team now gets to answer, “So why can’t AI patch everything by Friday?” Read more

📎 Microsoft makes Copilot harder to ignore in Office
Microsoft is making Copilot easier to summon across Office, because apparently Clippy’s ghost demanded a cloud budget. Expect more user questions that begin with, “Why is this button here now?” Read more

🪙 Amazon employees are “tokenmaxxing” under AI pressure
Ars reports Amazon workers are using internal AI tools to automate non-essential tasks while feeling pressure to show AI usage. If your company measures “AI adoption” as a number instead of an outcome, congratulations: you invented token theater. Read more

🧪 Frontier AI safety tests may create some of the risk they’re meant to prevent
A think tank warned that outside access to powerful AI models for safety testing is governed by patchy controls. “Please test if this dangerous thing is dangerous” is reasonable; “please do it with vibes and a shared spreadsheet” is less ideal. Read more

🔧 MISC TECH MADNESS

The weird stuff that doesn't fit anywhere else

🔐 iPhone-to-Android RCS encryption is finally happening
Apple released iOS 26.5 with beta support for end-to-end encrypted RCS between iPhone and Android. Somewhere, a green bubble just got a security budget. Read more

🪟 A Windows update prompt trapped Post Office customers in line
The Register spotted the most IT-coded public-service failure possible: a Windows update prompt on a customer-facing screen with no keyboard, mouse, or hope. Somewhere an admin whispered, “I told them not to ignore maintenance windows.” Read more

🚙 FleetWave says attackers accessed customer data after outage
Chevin confirmed crooks accessed FleetWave customer data after a nasty outage, potentially including operational data, contact details, and payroll numbers. SaaS incident reports are never fun, but fleet-management data has a special “please don’t put that on the internet” flavor. Read more

Shameless plug, zero regrets: I’m building Shell Samurai, a hands-on way to learn Linux without pretending another 900-page book is going to fix your command-line anxiety. If you want practice that feels like actually doing the job, check it out.

That’s the roundup for today. If your dev team is touching npm today, maybe buy them coffee and ask very calmly what they installed.

Stay paranoid. Stay patched. See you next Friday 🤠
