AI Developer Toolchain Attack | AI Field Notes #33

AnalysisA cybercrime group called TeamPCP (UNC6780) trojanized the Nx Console VS Code extension on May 18 and kept the malicious version live on the marketplace for 18 minutes. That window was enough. The extension had 2.2 million installs; the payload silently harvested 1Password vaults, Anthropic Claude Code configurations, AWS keys, and GitHub tokens from anyone who launched it during that window. GitHub confirmed roughly 3,800 internal repositories were accessed. The broader campaign, codenamed Mini Shai-Hulud, started May 11 with a worm spreading through TanStack's router ecosystem across 170 npm packages, eventually reaching OpenAI, Mistral AI, and Grafana Labs as additional confirmed victims.

AnalysisGoogle's Gemini Interactions API (v1beta) forces a breaking schema change this week. Starting May 26, the API defaults to a new steps array that replaces the existing outputs array; on June 8, the legacy schema disappears entirely. The change also removes response_mime_type in favor of a polymorphic response_format object. Developers who have not migrated are already behind: any Gemini feature released after May 7 only appears in the new steps format. A temporary escape hatch, the Api-Revision: 2026-05-07 header, works until June 8. After that, unmigrated code breaks completely with no fallback.

AnalysisAnthropic shipped two new features for Claude Managed Agents at its London developer event on May 19. Self-hosted sandboxes, now in public beta, move tool execution from Anthropic's servers to the customer's own environment or to managed providers including Cloudflare, Daytona, Modal, and Vercel. The agent orchestration loop stays with Anthropic. MCP tunnels (Model Context Protocol tunnels, encrypted connections to private services), in research preview, let agents reach internal databases, private APIs, knowledge bases, and ticketing systems through an outbound-only encrypted gateway with no inbound firewall rules and no public endpoints required. The combination addresses the two main enterprise blockers for deploying Claude agents: data residency and private system access.

AnalysisAn OpenAI reasoning model disproved the planar unit distance problem on May 20, an open question in discrete geometry that Paul Erdős first posed in 1946. The problem asks how many pairs of points placed in a plane can be exactly distance 1 apart; mathematicians had long believed square grids were near-optimal. The model produced a 125-page proof using algebraic number theory, demonstrating that configurations can grow faster than previously thought. Princeton mathematician Will Sawin independently verified and refined the result. External reviewers including Noga Alon and Thomas Bloom, who maintains the Erdős Problems site, confirmed the proof. OpenAI describes it as the first time an AI autonomously solved a prominent open problem in a subfield of mathematics.

AnalysisAn executive order on AI and cybersecurity that Trump was scheduled to sign on May 21 was killed hours before the ceremony. The order would have created a voluntary AI model testing program and given the Treasury Department a role in identifying AI security vulnerabilities. It collapsed after separate phone calls from Elon Musk and Mark Zuckerberg to Trump between Wednesday night and Thursday morning. Trump told reporters he worried it could undermine American AI leadership against China, adding he did not want regulations that would get in the way of that lead. AI adviser David Sacks had also opposed the order. No revised version has been announced.

AnalysisAnthropic co-founder Jack Clark, speaking at Oxford's Institute for Ethics in AI, put 60%+ probability on recursive self-improvement (where an AI model autonomously designs a better version of itself) by end of 2028. He also predicted an AI-assisted Nobel Prize within 12 months. The Anthropic Institute published a research agenda in parallel describing current AI as already contributing to speeding up AI research and development itself, which it frames as early-stage recursive acceleration. Clark did not hedge: he said we have not ever encountered a technology with this property. He added a non-zero extinction risk caveat and forecast more disruption in the next few years than in any living memory.

AnalysisA recording from an April 30 Meta all-hands meeting, published May 19 (the same day roughly 8,000 layoff notices went out), revealed that the company's Model Capability Initiative (MCI) logs real-time mouse movements, click coordinates, window transitions, and periodic screenshots across VS Code, Google Workspace, Microsoft apps, and Metamate. Meta CTO Andrew Bosworth told employees there was no opt-out on company laptops. Mark Zuckerberg defended the program as collecting examples of really smart people doing complex digital tasks so autonomous AI agents could learn to replicate those workflows. Employees organized protests, pasted flyers in meeting rooms, and filed a formal petition under the National Labor Relations Act.

AnalysisSpotify released a beta of its ElevenLabs-powered audiobook creation tool on May 21, embedded in Spotify for Authors. Authors pay no narration fees, record nothing, and retain the right to distribute on any platform, since Spotify requires no exclusivity. The tool supports English only at launch and is invite-only. ElevenLabs separately licensed 200,000 human-narrated audiobooks from major publishers to improve voice quality, and is competing with Audible for the self-publishing market. Professional audiobook narrators, who typically earn $100 to $400 per finished hour, are the most direct group to feel the cost pressure.

AnalysisOpenAI will revoke the code-signing certificate for its macOS ChatGPT application on June 12, 2026, following TeamPCP's supply chain campaign, which compromised two OpenAI employee machines. A revoked certificate means macOS Gatekeeper (Apple's app verification system) will flag the current app as untrusted. Users who do not reinstall from a freshly signed build will see security warnings or, depending on their macOS settings, find the app refuses to launch. OpenAI confirmed no customer data was accessed in the breach.

AnalysisGoogle set Gemini 3.5 Flash as the default model for Search's AI Mode globally during I/O week and shipped a new capability alongside it: Search can now build custom interface components on demand. Ask about a nutritional comparison and it may render a side-by-side table; query an investment concept and it might build an interactive chart. Google describes this as the system generating the right interface for the question rather than returning a ranked list. The feature runs entirely within a single query response. Usage of Gemini across Google properties crossed 3.2 quadrillion tokens in the quarter.

AnalysisGoogle announced partnerships with Adobe, Canva, and CapCut at I/O 2026, letting users generate content in Gemini and edit it directly inside those tools without copying across tabs. Canva's Magic Layers integration, now in early rollout, delivers Gemini output as an editable layer in Canva's editor. Adobe and CapCut integrations are expected in the coming weeks. The move follows similar patterns from OpenAI, which built Figma and Canva plugins earlier this year, and frames Gemini as an intelligence layer that generates content where it is consumed. The partnerships are announced but not yet generally available.