Newsroom Test

June 6, 2026

AI coding tools become attack vectors; zero-days go cheap; US government eyes OpenAI stake

AI Coding Tools Are Now the Attack Surface

A self-replicating worm hit 73 Microsoft GitHub repositories by triggering automatically when developers open infected code in an AI coding assistant.

Why it matters: Teams that rely on Claude Code, Cursor, Gemini CLI, or VS Code to review and work with unfamiliar repositories now have a new exposure. The Miasma worm does not exploit a flaw in those tools. It exploits the habit of opening an unknown repo inside them. A developer who clones an affected project and opens it in an AI assistant hands the worm their credentials for AWS, Azure, GCP, Kubernetes, npm, and GitHub. Those credentials then spread the worm to every repo the developer can write to.

The GTM angle: If your sales or revenue team uses AI coding tools to stand up integrations, demo environments, or internal tooling, update your acceptable-use policy now to require source verification before any repo is opened inside an AI assistant.

  • The disabled repositories include azure-search-openai-demo and several Azure infrastructure packages that appear in thousands of downstream projects. Scope of affected users is still unknown.
  • Miasma is a variant of the Mini Shai-Hulud worm, which first appeared in the npm ecosystem in September 2025 and has since spread to npm, PyPI, and now direct source repositories. GitHub contained this wave in 105 seconds.

Go deeper: https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain

AI Agents Now Find 21 Security Holes for $1,000

A startup's autonomous AI agent found 21 previously unknown vulnerabilities in FFmpeg for roughly $1,000 in compute, some of them hiding in the codebase for over 20 years.

Why it matters: Finding software vulnerabilities used to require expensive specialists. The cost has dropped to the equivalent of a monthly software subscription. That cuts both ways: your security team can use the same tools to find problems before attackers do, but so can anyone with a credit card. The harder problem now is fixing bugs faster than they can be found. Google just patched a record 429 bugs in Chrome in a single release; Mozilla patched 271 Firefox vulnerabilities in a single AI-driven pass.

The GTM angle: Any vendor in your AI stack that has not published a recent security audit is now a meaningful risk question to raise in procurement. The cost of not looking is no longer excusable on budget grounds.

  • The startup depthfirst published proof-of-concept code for all 21 bugs. Nine have CVE identifiers (CVE-2026-39210 through CVE-2026-39218). One stack overflow dates to 2003.
  • For context: Anthropic's Mythos system found a similar set of FFmpeg bugs for about $10,000. Depthfirst claims comparable results at one-tenth the cost.

Go deeper: https://thenextweb.com/news/ai-agent-21-zero-days-ffmpeg-chrome-429

Trump and OpenAI Are Discussing a Government Equity Stake

The Trump administration and OpenAI are in early talks about the US government taking an equity stake in the company, potentially seeding a public wealth fund.

Why it matters: Government ownership of a leading AI company would be a structural shift in how AI development is governed and funded in the United States. OpenAI, Anthropic, and xAI are all expected to go public this year. A government stake in any of them creates a new set of political and regulatory relationships that would affect how those companies build products, who they serve, and what constraints they operate under.

The GTM angle: A revenue leader building a long-term AI deployment strategy should watch whether this creates new procurement channels or compliance requirements around government-adjacent AI tools. It may also accelerate IPO timelines, giving public market access to AI infrastructure plays.

  • Senator Bernie Sanders separately proposed a one-time 50% stock tax on OpenAI, Anthropic, and xAI as a different route to public ownership.
  • The Trump administration took a 10% stake in Intel last year; former AI czar David Sacks has warned a government-OpenAI deal could "accelerate the corporate-government fusion we're already sliding toward."

Go deeper: https://techcrunch.com/2026/06/06/the-trump-administration-might-take-an-equity-stake-in-openai/

The Power Grid Cannot Keep Up With AI Demand

Bank of England Governor Andrew Bailey warned that AI capabilities will soon outpace the available power supply, forcing governments to ration which applications actually get to run.

Why it matters: Every major AI deployment plan assumes that compute will be available when you need it. Bailey's warning, backed by concrete data, points to a coming constraint on that assumption. The EU already asked households to cut electricity use during peak hours because AI data centers are straining the grid. US utilities plan to spend $1.4 trillion on infrastructure by 2030 just to keep pace with data center demand.

The GTM angle: Companies building AI into their revenue operations should factor energy availability into vendor due diligence, particularly for compute-intensive workloads. Data center geography and power contracts are no longer just infrastructure details.

  • Bailey framed the problem as a trade-off between competing priorities: breakthroughs in healthcare versus military applications versus commercial AI. Governments, not companies, will likely make those calls.
  • UK infrastructure investment timelines are running behind current AI capability growth. Bailey has previously said productivity benefits from AI will take years to materialize.

Go deeper: https://thenextweb.com/news/bailey-bank-of-england-ai-rationing-energy
