Supply Chain Security Under Siege
Published on
Today's AI news: Supply Chain Security Under Siege, DeepSeek's Triple Play, The Local Model Rebellion, Abliteration Goes Industrial, The Geopolitics of Silicon, Edge AI and Distributed Training, AI Agents in the Wild. 22 sources curated from across the web.
Supply Chain Security Under Siege
The Vercel breach may be the most instructive platform compromise of 2026 so far — not because the techniques were novel, but because the blast radius was entirely predictable and entirely preventable. Trend Micro's detailed analysis traces the attack to a Lumma Stealer malware infection at Context.ai, a third-party AI analytics company, in approximately February 2026. The attacker exfiltrated Google Workspace OAuth tokens from Context.ai's AWS environment, used one to pivot into a Vercel employee's Workspace account, then escalated into Vercel's internal systems and enumerated customer environment variables. The critical design flaw: Vercel's environment variable sensitivity flag defaults to off. Every DATABASE_URL, STRIPE_SECRET_KEY, or AWS_SECRET_ACCESS_KEY that a developer added without explicitly toggling the sensitive flag was stored in a way that made it readable with internal access. CEO Guillermo Rauch confirmed the chain and notably attributed the attacker's speed to AI augmentation — one of the first on-record claims of AI-accelerated adversary tradecraft from the CEO of an affected platform. (more: https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html)
The timing is brutal. This breach slots into a three-week convergence with LiteLLM (stolen CI/CD credentials yielding malicious PyPI packages targeting 50+ credential types) and Axios (maintainer account hijacked, RAT deployed to an npm package with 70-100 million weekly downloads, attributed to North Korea's Sapphire Sleet). Three different vectors, one target: credentials developers store in their toolchains. A single Vercel project commonly contains 10-30 environment variables; at organizational scale, that is 500-1,500 potential pivot points. One public customer reported receiving an OpenAI leaked-key notification nine days before Vercel's disclosure — for an API key that existed only in Vercel — suggesting credentials were being exploited in the wild before anyone was told to rotate. Regulatory implications under GDPR's 72-hour clock, SOC 2 continuous monitoring, and SEC's 8-K rules are now live questions for affected organizations.
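A defender-side check for the default the Vercel write-up faults, offered as an added example rather than anything from Trend Micro's analysis or Vercel's tooling: it walks an exported inventory of environment variables (the `name`/`value`/`sensitive` record shape is a constructed stand-in, not a real platform API) and lists every credential-looking variable whose sensitive flag is still off.

```python
"""Audit an environment-variable inventory for secrets that are not marked
sensitive.  Added example, not Vercel's code: the record shape
(name, value, sensitive) is a constructed stand-in for whatever a
platform's API or export actually returns."""
import re

# Name fragments that almost always denote a credential.
# Assumption: tuned for common naming conventions; extend for your own.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|CREDENTIAL)",
    re.IGNORECASE,
)
# Value shapes: a handful of widely recognised key prefixes, or a URL that
# embeds a password (scheme://user:password@host).  Assumption: extend the
# prefix list for the providers you actually use.
SECRET_VALUE_RE = re.compile(
    r"^(sk-|sk_live_|AKIA|ghp_|xox[bp]-)|://[^/\s:]+:[^@\s]+@"
)


def looks_secret(name: str, value: str) -> bool:
    """Return True if either the name or the value suggests a credential."""
    if SECRET_NAME_RE.search(name):
        return True
    if SECRET_VALUE_RE.search(value):
        return True
    return False


def audit(env_vars):
    """Return names of variables that look like secrets but have the
    sensitive flag off, i.e. are stored readable to anyone with
    internal or project-level access."""
    findings = []
    for var in env_vars:
        if not var["sensitive"] and looks_secret(var["name"], var["value"]):
            findings.append(var["name"])
    return findings


# Constructed inventory resembling a typical deployment project; every
# value is a placeholder, not a real credential.
SAMPLE_ENV = [
    {"name": "DATABASE_URL", "value": "postgres://app:hunter2@db.internal:5432/app", "sensitive": False},
    {"name": "STRIPE_SECRET_KEY", "value": "sk_live_EXAMPLEPLACEHOLDER", "sensitive": False},
    {"name": "AWS_SECRET_ACCESS_KEY", "value": "EXAMPLEPLACEHOLDER", "sensitive": True},
    {"name": "NEXT_PUBLIC_SITE_NAME", "value": "Acme", "sensitive": False},
    {"name": "LOG_LEVEL", "value": "info", "sensitive": False},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_ENV):
        print(f"UNPROTECTED SECRET: {name}")
```

Run against a real export, the same loop gives the per-project count the text describes (10-30 variables) and, summed across an organisation, the number of values that would need rotation after an incident like this one.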
Meanwhile, the offensive side of the security equation took a leap. XBOW, an AI-driven penetration testing firm, reports that GPT-5.5 reduces their vulnerability miss rate to just 10% — down from Opus 4.6's 18% and GPT-5's 40%. More striking: GPT-5.5 running black-box (no source code) already outperforms GPT-5 running white-box. In white-box mode, performance jumped so dramatically it "effectively killed our benchmark." The model also fails faster when credentials are wrong or access is blocked, cutting wasted iteration time roughly in half. XBOW notes that GPT-5.5 persists on failing paths only half as often as previous models — a quietly important capability for autonomous agents that need to know when to give up. (more: https://xbow.com/blog/mythos-like-hacking-open-to-all)
On the data governance side, UK Biobank's health data keeps surfacing on GitHub, and the institution has resorted to an unusual tactic: copyright takedown notices. Across 110 DMCA requests since July 2025, researchers in at least 14 countries have inadvertently uploaded participant genotypes, phenotype records, and genomic data files alongside their analysis code. Nearly half the targeted files are Jupyter or R notebooks — a few rows of data embedded in a research workflow. The Guardian previously demonstrated that a single participant could be re-identified using only birth month/year and the date of one surgery. UK Biobank's CEO has reassured participants that no names or NHS numbers were exposed, but the structural problem — researchers sharing code without scrubbing embedded data — remains unsolved. (more: https://biobank.rocher.lc)
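For the notebook problem above, here is an added pre-commit style check (not UK Biobank's tooling; the heuristic, the cell layout and the placeholder participant rows are all constructed): it flags code cells whose saved outputs look like a printed data table and strips outputs before the file is committed, which is where the embedded rows actually live.

```python
"""Flag Jupyter notebook cells whose saved outputs embed tabular data, and
strip outputs before a notebook is committed.  Added example, not UK
Biobank's tooling; the heuristic and the sample notebook are constructed."""
import json
import re

MIN_ROWS = 3   # assumption: 3+ aligned rows is treated as a data table
MIN_COLS = 3   # assumption: 3+ columns per row


def _is_table_text(text: str) -> bool:
    """True if text looks like a printed DataFrame/array: several lines
    sharing the same non-trivial column count (pandas separates columns
    with two or more spaces; CSV-style commas and tabs are also accepted)."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    if len(rows) < MIN_ROWS:
        return False
    widths = [len(re.split(r"\s{2,}|\t|,", ln.strip())) for ln in rows]
    return min(widths) >= MIN_COLS and max(widths) - min(widths) <= 1


def _output_text(output: dict) -> str:
    """Collect the textual payload of one cell output (stream or data)."""
    if output.get("output_type") == "stream":
        return "".join(output.get("text", []))
    data = output.get("data", {})
    html = "".join(data.get("text/html", []))
    plain = "".join(data.get("text/plain", []))
    return html + "\n" + plain


def find_embedded_tables(notebook: dict):
    """Return indices of code cells whose outputs contain table-like data."""
    flagged = []
    for idx, cell in enumerate(notebook.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        for out in cell.get("outputs", []):
            text = _output_text(out)
            if "<table" in text or _is_table_text(text):
                flagged.append(idx)
                break
    return flagged


def strip_outputs(notebook: dict) -> dict:
    """Return a copy with every code cell's outputs and execution count cleared."""
    clean = json.loads(json.dumps(notebook))
    for cell in clean.get("cells", []):
        if cell.get("cell_type") == "code":
            cell["outputs"] = []
            cell["execution_count"] = None
    return clean


# Constructed notebook: one cell prints the head of a participant table,
# another prints only a scalar.  IDs and values are placeholders.
SAMPLE_NB = {
    "cells": [
        {"cell_type": "markdown", "source": ["# Analysis"]},
        {"cell_type": "code", "execution_count": 1, "source": ["df.head()"],
         "outputs": [{"output_type": "execute_result", "data": {"text/plain": [
             "   eid  birth_year  surgery_date\n",
             "0  1001  1961  2004-03-11\n",
             "1  1002  1958  2009-07-22\n",
             "2  1003  1970  2015-01-05\n"]}}]},
        {"cell_type": "code", "execution_count": 2, "source": ["len(df)"],
         "outputs": [{"output_type": "execute_result", "data": {"text/plain": ["502000"]}}]},
    ],
    "metadata": {}, "nbformat": 4, "nbformat_minor": 5,
}

if __name__ == "__main__":
    hits = find_embedded_tables(SAMPLE_NB)
    print("cells with embedded data:", hits)
    if hits:
        # A pre-commit hook would write this back over the original file.
        json.dumps(strip_outputs(SAMPLE_NB))
```

The scalar cell passes while the `head()` cell is caught, which mirrors the "a few rows of data" pattern in the takedowns; stripping outputs unconditionally is the simpler and safer policy for repositories that handle participant-level data.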
For security practitioners drowning in conference content, one practical tool worth noting: greptalks now indexes 500+ talks from Black Hat, DEF CON, RSA, and others, with two AI personas — a ruthless ex-TAO technical analyst and a CISO-perspective evaluator — scoring and summarizing every presentation. (more: https://www.linkedin.com/posts/sergejepp_best-thing-in-security-right-now-if-you-want-share-7453385189419941888-LgVv)
DeepSeek's Triple Play
DeepSeek is having a week that would make most startups dizzy. The company — spun out of a quantitative hedge fund, having never previously taken outside money, and releasing its models for free — reportedly saw its first funding round rocket from an initial $10 billion valuation target to above $20 billion in days, with Tencent and Alibaba both circling. Tencent reportedly pushed for 20% of the company; DeepSeek pushed back. The traditional valuation metrics simply do not apply to a company built like this — no revenue model, no prior outside capital, just engineering output that keeps embarrassing organizations with hundred-billion-dollar budgets. (more: https://www.reddit.com/r/AINewsMinute/comments/1sties6/chinas_deepseek_valuation_rockets_above_20b/)
What earns that valuation in practice showed up this week when DeepSeek open-sourced their Tile Kernels — the actual GPU kernels used in their production training and inference pipelines. These are not research prototypes or reference implementations. As one developer put it: "We wrote GPU kernels so optimized they flirt with the hardware's physical limits." TileLang, the domain-specific language underlying the kernels, provides an abstraction layer that community developers are already targeting for local hardware like NVIDIA's GB10. This follows DeepSeek's quiet DeepGEMM repository update last week with mega FP4 quantization and distributed communication optimizations — a pattern that points toward infrastructure preparation for whatever model generation comes next. Open-sourcing production kernels is the closest thing to handing out cheat codes, and the local AI community is not being subtle about what it plans to do with them. (more: https://www.linkedin.com/posts/ownyourai_deepseek-just-open-sourced-their-tile-kernels-activity-7453122487325773824-BPjS)
The v4 model itself is now live, with an API format compatible with both OpenAI and Anthropic SDKs — a deliberate interoperability play that makes switching trivially easy. The older model names are deprecated as of July 2026, consolidating the lineup around v4's thinking and non-thinking modes. (more: https://api-docs.deepseek.com/)
The Local Model Rebellion
Anthropic published a transparency post this week that landed like a confession. Three separate changes degraded Claude Code's quality over the past two months, and all three prioritized infrastructure concerns over user experience. On March 4, reasoning effort was quietly dropped from high to medium to reduce latency — "the wrong tradeoff," Anthropic now admits. On March 26, a bug in session thinking management caused Claude to seem "forgetful and repetitive" for two weeks before being fixed. On April 16, a verbosity-reducing system prompt "hurt coding quality" and was reverted four days later. Each change was made without informing paying customers. As one commenter noted with precision: "If a hosted model has been quantized or in some way had its capabilities reduced, I should get a discount. The price should be per quant." (more: https://www.reddit.com/r/LocalLLaMA/comments/1suef7t/anthropic_admits_to_have_made_hosted_models_more/)
The timing could not be better for the local model movement. Users are actively migrating coding workflows from Opus 4.7 to Qwen3.6-35B-A3B, a mixture-of-experts model with 35 billion total parameters and only 3 billion active per token. On dual 3090s at Q6 quantization, it runs at approximately 120 tokens per second with full context and prompt caching. The practical workflow that is emerging: use a frontier model (Opus, GPT-5) for planning, then feed that plan into Qwen for implementation. One developer running this setup reports it replaced 95% of cloud API calls. The speed differential is dramatic — "it's really hard to go back to Opus after that... no more alt tabbing for 20 minutes." The tradeoff is real: Qwen lacks knowledge of niche frameworks and sometimes needs hand-holding, but the iteration velocity compensates. (more: https://www.reddit.com/r/LocalLLaMA/comments/1spz0ck/switching_from_opus_47_to_qwen35ba3b/)
This raises a question that keeps surfacing in the local LLM community: how can a 27B dense model outperform a 397B MoE model on benchmarks? The technical answer involves the difference between memorized knowledge and learned generative functions. Larger models can afford to "lazily interpolate over their memories" while smaller models must develop more generalizable problem-solving capabilities — essentially, they are forced to be smarter because they lack the parameter budget to be lazy. As chain-of-thought and agentic training progresses, models learn increasingly better "figure it out" functions, and those functions fit efficiently into smaller parameter counts. Current benchmarks, however, do not capture the larger model's advantages in world knowledge and long-context logical coherence. (more: https://www.reddit.com/r/LocalLLaMA/comments/1st11lp/forgive_my_ignorance_but_how_is_a_27b_model/)
Abliteration Goes Industrial
The tooling for removing safety training from language models has matured from research curiosity to industrial-grade automation. Abliterix, an open-source tool built on Heretic, uses Optuna TPE optimization to find the optimal abliteration parameters for any transformer architecture. It co-minimizes refusals and KL divergence — meaning it strips safety behavior while preserving as much of the model's intelligence as possible. The tool ships with 150+ pre-built configs covering dense, MoE, SSM/hybrid, and vision-language architectures. More significantly, it has end-to-end broken three of the strongest published anti-abliteration defenses: DeepRefusal (EMNLP 2025) and Circuit Breakers / Representation Rerouting (NeurIPS 2024). The recipe is minimal: diagnose the LoRA delta via SVD, lerp it away to recover base weights, then run single-direction abliteration. No fine-tuning, no manual prompt engineering. The Gemma 4 E4B model achieved a 7% refusal rate with KL divergence of just 0.0006 — the model barely changed on harmless prompts. (more: https://github.com/wuwangzhang1216/abliterix)
A concrete demonstration of Abliterix's capabilities arrived this week in the form of a Qwen3.6-35B-A3B abliterated model using Expert-Granular Abliteration (EGA) — a technique that applies the refusal direction removal simultaneously across all 256 routed experts in each MoE layer via vectorized einsum. The configuration tournament searched over hyperparameters including per-layer alpha values, decay kernels, and winsorization settings, then evaluated the Pareto-optimal point using three independent judges (GPT-4o-mini, Gemini 3 Flash Preview, and a local HarmBench classifier) across 512 prompts. The result: 10.5% refusal rate under the strictest ensemble, with KL divergence of 0.1153 — low enough that the model's general capabilities remain intact. The vision pathway remains unmodified, so image-based harmful requests may still be refused even when equivalent text requests are not. (more: https://huggingface.co/jenerallee78/Qwen3.6-35B-A3B-Abliterix-EGA-abliterated)
The foundational research enabling models of this scale — billions of parameters trained across hundreds of GPUs using intra-layer model parallelism — was laid out in NVIDIA's Megatron-LM work, which demonstrated 76% scaling efficiency across 512 GPUs for an 8.3B parameter model. That infrastructure lineage is what makes both the models and their subsequent abliteration possible. (more: https://arxiv.org/pdf/1909.08053)
The Geopolitics of Silicon
Jensen Huang told the Dwarkesh Podcast this week that US chip export controls might be creating the problem they are trying to solve. His argument is not that China is not a threat, but that "victimising them and turning them into an enemy likely is not the best answer." The context is Huawei targeting 750,000 AI chip shipments this year — nowhere near NVIDIA's compute capacity, but the trajectory is clear. If DeepSeek optimizes its next model for Huawei's Ascend chips rather than NVIDIA hardware, the entire export control strategy starts to look counterproductive. Reddit's response was characteristically blunt: "guy who makes money selling chips wants to sell more chips." Fair, but the underlying data is real — Stanford's HAI report confirmed the China gap has "effectively closed," and a Supermicro co-founder was arrested in March for allegedly running a $2 billion GPU smuggling ring. The controls are being circumvented at industrial scale. (more: https://www.reddit.com/r/Anthropic/comments/1stjbyn/jensen_huang_basically_said_us_chip_export/)
A WSJ opinion piece by a16z partners argues the US should embrace open-source AI to maintain its competitive edge. The community reaction is split: some note that "most of the good ones are Chinese" researchers regardless of where they work, while others point out that US AI majors already build on Chinese open-source releases — Microsoft's recent audio transformer is based on Qwen 3.5, NVIDIA's Lyra 2.0 is based on Wan Video. The open-source genie left the bottle years ago; the policy debate is mostly catching up. (more: https://www.reddit.com/r/LocalLLaMA/comments/1sqa40j/to_beat_china_embrace_opensource_ai_wsj/)
Meanwhile, Meta is reportedly planning to capture employee mouse movements and keystrokes for AI training data. The company's internal data collection ambitions are not new — a Swedish investigation earlier this year exposed how Meta's smart glasses training pipeline had Sama subcontractors in Nairobi annotating video footage including bathroom visits and bank card details — but turning the surveillance apparatus on its own workforce represents a distinct escalation. (more: https://www.reuters.com/sustainability/boards-policy-regulation/meta-start-capturing-employee-mouse-movements-keystrokes-ai-training-data-2026-04-21/)
Edge AI and Distributed Training
AirTrain is an open-source project that asks a simple question: what if you could train ML models by pooling MacBooks over Wi-Fi? The answer hinges on the DiLoCo algorithm (Distributed Low-Communication), which reduces network synchronization requirements by 500x compared to traditional distributed data parallelism. Instead of syncing gradients after every step (requiring ~50 GB/s sustained bandwidth for a 124M model), each Mac trains independently for 500 steps, then exchanges only the pseudo-gradient difference — a ~2 second sync over standard Wi-Fi. Seven friends with M4 MacBooks collectively match an A100's 19.5 TFLOPS for zero compute cost. The project includes "Sleep Swarms," where Macs train automatically during configured nighttime windows and hand off checkpoints across timezones for 24/7 coverage, and "Dream Training," where idle Macs generate synthetic training data scored for quality and mixed into subsequent batches. The gradient marketplace scores each worker's contribution by alignment, magnitude, history, and improvement — automatically downweighting bad workers without ejecting them. (more: https://github.com/alexandercodes4/AirTrain)
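To make the DiLoCo mechanism concrete, the following added example (not AirTrain's code) runs the loop the paragraph describes on a two-parameter linear regression in pure Python: each worker takes a fixed number of local SGD steps, only the pseudo-gradient (local minus global parameters) is exchanged, and the aggregator weights workers by alignment with the consensus direction smoothed by their score history. The outer optimizer is plain SGD rather than the Nesterov step DiLoCo uses, the magnitude and improvement terms of the scoring rule are omitted, and the misbehaving worker that sends the opposite direction is constructed for the demonstration.

```python
"""Toy DiLoCo-style training loop with alignment-weighted aggregation.
Added example, not AirTrain's code.  Simplifications: plain SGD as the outer
optimizer (DiLoCo uses Nesterov), and a scoring rule with only the
alignment and history terms."""
import math
import random


def local_sgd(theta, shard, steps, lr, rng):
    """Run `steps` plain SGD steps on one worker's shard for the model
    y = w*x + b with squared-error loss; return the new parameters."""
    w, b = theta
    for _ in range(steps):
        x, y = rng.choice(shard)
        err = w * x + b - y
        w -= lr * 2 * err * x
        b -= lr * 2 * err
    return [w, b]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(a * a for a in v))
    return dot / (nu * nv) if nu and nv else 0.0


def aggregate(pseudo_grads, history, decay=0.5):
    """Weight each worker's pseudo-gradient by its alignment with the mean
    direction, smoothed with the worker's previous score (the 'history'
    term).  Misaligned workers are downweighted, never ejected.
    Returns (combined update, new per-worker scores)."""
    n = len(pseudo_grads[0])
    mean = [sum(g[j] for g in pseudo_grads) / len(pseudo_grads) for j in range(n)]
    scores = []
    for i, g in enumerate(pseudo_grads):
        align = max(cosine(g, mean), 0.0)
        scores.append(decay * history[i] + (1 - decay) * align)
    total = sum(scores) or 1.0
    update = [sum(s * g[j] for s, g in zip(scores, pseudo_grads)) / total for j in range(n)]
    return update, scores


def train(shards, rounds=20, local_steps=50, lr=0.01, outer_lr=1.0,
          bad_workers=(), seed=0):
    """Return final (w, b) and the per-round list of worker scores."""
    rng = random.Random(seed)
    theta = [0.0, 0.0]
    history = [1.0] * len(shards)
    score_log = []
    for _ in range(rounds):
        pgs = []
        for i, shard in enumerate(shards):
            local = local_sgd(list(theta), shard, local_steps, lr, rng)
            # The pseudo-gradient is the only thing that crosses the network.
            pg = [l - t for l, t in zip(local, theta)]
            if i in bad_workers:
                pg = [-p for p in pg]  # constructed misbehaving worker
            pgs.append(pg)
        update, history = aggregate(pgs, history)
        score_log.append(list(history))
        theta = [t + outer_lr * u for t, u in zip(theta, update)]
    return theta, score_log


def make_shards(n_workers, n_points, seed=0):
    """Constructed data: y = 2x + 1 plus noise, split into per-worker shards."""
    rng = random.Random(seed)
    shards = []
    for _ in range(n_workers):
        xs = [rng.uniform(-1, 1) for _ in range(n_points)]
        shards.append([(x, 2 * x + 1 + rng.gauss(0, 0.1)) for x in xs])
    return shards


if __name__ == "__main__":
    theta, log = train(make_shards(4, 100), bad_workers=(3,), seed=1)
    print("recovered w, b:", theta)
    print("worker scores after round 5:", log[4])
```

Each round sends one two-element vector per worker instead of fifty gradient updates, which is the communication reduction the paragraph quantifies; the bad worker's score decays towards zero while the three honest workers keep their weight.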
On the browser inference side, Hugging Face published a detailed guide to running Transformers.js inside a Chrome extension under Manifest V3. The architecture splits a background service worker (hosting models and orchestrating agent loops) from a side panel UI and content script. Gemma 4 handles reasoning and tool decisions while MiniLM generates embeddings for semantic search — all running locally in the extension runtime with models cached under the extension origin. The practical design rule: background owns orchestration and inference, UI surfaces stay thin, content scripts handle DOM access. (more: https://huggingface.co/blog/transformersjs-chrome-extension)
A deceptively simple idea surfaced on LocalLLaMA this week: why do we sample reasoning tokens and output tokens with the same parameters? One developer implemented separate sampler overrides in llama.cpp — high temperature for thinking (exploration) and low temperature for output (precision). On Gemma 4, using temp 1.0 for thinking and 0.0 for output produced the best Ukrainian grammar seen so far while maintaining non-deterministic variation. The intuition maps cleanly: during reasoning, you want entropy so the model can search and branch; during output, you want the surface form locked down, especially in languages where the model is less confident. Several commenters noted they would not be surprised if major cloud providers already do something similar as part of their "Secret Sauce." (more: https://www.reddit.com/r/LocalLLaMA/comments/1stoiu3/why_are_we_actually_sampling_reasoning_and_output/)
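The split sampler is small enough to show end to end. The block below is an added illustration in plain Python rather than llama.cpp's sampler code: temperature is chosen per phase, phase is tracked from `<think>`/`</think>` marker tokens (an assumption about the chat template), and a constructed toy logits function plays the role of the model so the behaviour is observable offline. The temperature-0 greedy and temperature-1 softmax machinery applies to any token distribution, not only the Gemma 4 setup in the post.

```python
"""Phase-aware sampler: one temperature while the model is inside its
thinking block, another once it emits the final answer.  Added example in
plain Python; it is not llama.cpp's sampler code, and the marker tokens
below are an assumption about the chat template."""
import math
import random

THINK_OPEN, THINK_CLOSE = "<think>", "</think>"


def softmax_with_temperature(logits, temperature):
    """Temperature 0 means greedy: a one-hot distribution on the argmax."""
    if temperature <= 0.0:
        best = max(range(len(logits)), key=logits.__getitem__)
        return [1.0 if i == best else 0.0 for i in range(len(logits))]
    scaled = [l / temperature for l in logits]
    m = max(scaled)
    exps = [math.exp(s - m) for s in scaled]
    z = sum(exps)
    return [e / z for e in exps]


class PhaseSampler:
    def __init__(self, think_temp=1.0, answer_temp=0.0, seed=0):
        self.think_temp = think_temp
        self.answer_temp = answer_temp
        self.in_thinking = False
        self.rng = random.Random(seed)

    def current_temperature(self):
        return self.think_temp if self.in_thinking else self.answer_temp

    def sample(self, logits):
        """Draw one token id using the temperature for the current phase."""
        probs = softmax_with_temperature(logits, self.current_temperature())
        r = self.rng.random()
        acc = 0.0
        for i, p in enumerate(probs):
            acc += p
            if r < acc:
                return i
        return len(probs) - 1

    def observe(self, token_text):
        """Update the phase from the token the model just emitted."""
        if token_text == THINK_OPEN:
            self.in_thinking = True
        elif token_text == THINK_CLOSE:
            self.in_thinking = False


def generate(sampler, steps, vocab, logits_for):
    """Generation loop against a caller-supplied logits function."""
    out = []
    for step in range(steps):
        tok = sampler.sample(logits_for(step))
        out.append(vocab[tok])
        sampler.observe(vocab[tok])
    return out


def demo_run(seed):
    """Constructed toy 'model': opens a thinking block, has three equally
    plausible reasoning tokens, closes the block, then an answer where
    'yes' is only slightly preferred over 'no'."""
    vocab = [THINK_OPEN, "a", "b", "c", THINK_CLOSE, "yes", "no"]
    low = -30.0
    def logits_for(step):
        l = [low] * len(vocab)
        if step == 0:
            l[0] = 0.0
        elif step < 4:
            l[1] = l[2] = l[3] = 0.0
        elif step == 4:
            l[4] = 0.0
        else:
            l[5], l[6] = 1.2, 1.0
        return l
    return generate(PhaseSampler(seed=seed), 6, vocab, logits_for)


if __name__ == "__main__":
    for seed in range(3):
        print(demo_run(seed))
```

Across seeds the reasoning tokens vary (temperature 1.0 lets the model branch) while the final token is always the greedy choice; at temperature 1.0 the same answer logits would pick "no" about 45% of the time, which is exactly the surface-form wobble the post wants locked down.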
AI Agents in the Wild
South Korean police arrested a 40-year-old man for sharing an AI-generated image of Neukgu, a two-year-old wolf that escaped from a zoo in Daejeon on April 8. The fabricated photo prompted the city government to issue an emergency text alert, relocate their entire search operation, and present the AI image during an official press briefing — sending authorities on what can only be described as a wild wolf chase. The man told police he did it "for fun." He faces charges of disrupting government work by deception, carrying up to five years in prison. The wolf was eventually captured nine days after its escape near an expressway, becoming a national sensation — a local bakery now sells wolf-face pastries, and the city is considering naming Neukgu an official mascot. The case is one of the first criminal prosecutions specifically targeting AI-generated misinformation that directly diverted government resources. (more: https://www.bbc.com/news/articles/c4gx1n0dl9no)
On more constructive applications, Rainmaker is an autonomous weather prediction agent claiming a 73% win rate on Polymarket — turning LLM-driven analysis into real-money forecasting with measurable accountability. (more: https://github.com/jkeatn/Rainmaker) And Agent Sprite Forge offers a Codex-first pipeline for generating game-ready 2D sprite sheets from natural language prompts, handling the full loop from asset planning through image generation to deterministic post-processing for chroma-key cleanup, frame extraction, and transparent PNG/GIF export. (more: https://github.com/0x0funky/agent-sprite-forge)
Sources (22 articles)
- The Vercel breach: OAuth attack exposes risk in platform environment variables (trendmicro.com)
- [Editorial] Mythos-Like Hacking Open to All (xbow.com)
- UK Biobank health data keeps ending up on GitHub (biobank.rocher.lc)
- [Editorial] Security Best Practices (linkedin.com)
- China's DeepSeek valuation rockets above $20B!! (reddit.com)
- [Editorial] DeepSeek Open-Sources Tile Kernels (linkedin.com)
- DeepSeek v4 (api-docs.deepseek.com)
- Anthropic admits to have made hosted models more stupid, proving the importance of open weight, local models (reddit.com)
- Switching from Opus 4.7 to Qwen-35B-A3B (reddit.com)
- Forgive my ignorance but how is a 27B model better than 397B? (reddit.com)
- [Editorial] Abliterix — Model Abliteration Tool (github.com)
- [Editorial] Qwen3.6-35B-A3B Abliterix EGA Abliterated (huggingface.co)
- [Editorial] Abliteration Research Paper (arxiv.org)
- Jensen Huang: US chip export controls might be creating the problem they're trying to solve (reddit.com)
- To Beat China, Embrace Open-Source AI (WSJ) (reddit.com)
- Meta to start capturing employee mouse movements, keystrokes for AI training (reuters.com)
- alexandercodes4/AirTrain — Distributed ML Training Across Apple Silicon Macs (github.com)
- How to Use Transformers.js in a Chrome Extension (huggingface.co)
- Why are we actually sampling reasoning and output the same way? (reddit.com)
- S. Korea police arrest man over AI image of runaway wolf that misled authorities (bbc.com)
- jkeatn/Rainmaker — Autonomous Weather Prediction Agent (73% Win Rate on Polymarket) (github.com)
- 0x0funky/agent-sprite-forge — AI Agent Skill for 2D Sprite Sheet Generation (github.com)