The AI stack is moving in a circle, and the perimeter is on fire
A trillion dollars of cloud spend loops between four buyers, a PAN-OS zero-day has no patch until late May, and your coding agent's hallucination rate is now a supply-chain metric. Pick what to fix this week.
Three things landed this week that are unrelated on the surface and load-bearing together. Anthropic committed $200B to Google Cloud while Google was putting up to $40B of equity back into Anthropic. OpenAI's stack of cloud commitments now totals $688B against the same hyperscalers holding $88B+ of its equity. CVE-2026-0300 in PAN-OS is being exploited in the wild with no vendor patch until mid-to-late May. And North Korean APT crews are now registering the package names that coding agents hallucinate — a technique cute enough to be called slopsquatting and serious enough that the registration is already paying.
If you only have an hour this week, the hour goes to the firewall. Everything else is strategy. PAN-OS is a fire.
The fire: PAN-OS, DAEMON Tools, and a trust model that keeps failing
The management plane is the entry point on CVE-2026-0300. Active exploitation, no patch, two more weeks on the long end. The mitigation is not subtle — ACL the User-ID Authentication Portal to named source ranges, pull management interfaces off the public internet, rotate any credential that terminates on the appliance, and pull device logs for admin sessions and outbound connections originating from the firewall itself. If the firewall is the foothold, downstream telemetry is suspect from the moment of compromise. Apache HTTP/2 CVE-2026-23918 is the parallel emergency in the same maintenance window.
DAEMON Tools is the other half of the same lesson. Signed installers, real AVB Disc Soft certificate, backdoored since April 8, with a QUIC RAT pushed selectively to about a dozen high-value targets after thousands of stage-1 infections profiled the field. This is the third iteration of the same Chinese supply-chain playbook in nine years — CCleaner, then Notepad++, now this — and the control that failed each time is publisher-based allowlisting. Code signing proves provenance, not intent. If your trust model treats a valid certificate chain as a green light, it is the same trust model that just failed again.
Query EDR for DAEMON Tools across the estate. Quarantine installers dated after April 8. Search NDR for QUIC outbound — most monitoring still treats it as "UDP/443, probably Chrome." Treat any hit as a credential-reset event.
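One way to run the QUIC search described above, as an added example that is not from the original piece: classify the first datagram of each UDP flow by its QUIC long header rather than by port, then flag flows whose originating process is not an expected browser. The flow record fields, the browser list and the sample records are assumptions constructed for illustration; the header layout follows RFC 9000 and RFC 9369.

```python
QUIC_V1, QUIC_V2 = 0x00000001, 0x6B3343CF
INITIAL_TYPE = {QUIC_V1: 0b00, QUIC_V2: 0b01}   # long-packet type bits, RFC 9000 / RFC 9369
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed list of expected QUIC clients

def is_quic_client_initial(payload: bytes) -> bool:
    """Header heuristic: does this datagram look like a QUIC v1/v2 client Initial?"""
    if len(payload) < 1200:        # RFC 9000 section 14.1: client Initials are padded to >= 1200 bytes
        return False
    first = payload[0]
    if first & 0xC0 != 0xC0:       # long-header form bit and fixed bit must both be set
        return False
    version = int.from_bytes(payload[1:5], "big")
    return INITIAL_TYPE.get(version) == (first >> 4) & 0x03

def hunt(flows):
    """Return (host, process, dst) for QUIC flows not opened by an expected browser."""
    hits = []
    for f in flows:
        if f["proto"] != "udp":
            continue
        payload = bytes.fromhex(f["first_payload_hex"])
        if is_quic_client_initial(payload) and f["process"].lower() not in BROWSERS:
            hits.append((f["host"], f["process"], f["dst"]))
    return hits

def _datagram(first_byte, version=0):
    """Build a constructed 1200-byte sample datagram as hex."""
    head = bytes([first_byte]) + version.to_bytes(4, "big")
    return (head + bytes(1200 - len(head))).hex()

# Constructed sample records; host names, process names and addresses are made up.
SAMPLE_FLOWS = [
    {"host": "ws-014", "process": "chrome.exe", "proto": "udp",
     "dst": "203.0.113.10:443", "first_payload_hex": _datagram(0xC0, QUIC_V1)},
    {"host": "ws-022", "process": "updater.exe", "proto": "udp",
     "dst": "198.51.100.7:443", "first_payload_hex": _datagram(0xC0, QUIC_V1)},
    {"host": "ws-022", "process": "updater.exe", "proto": "udp",
     "dst": "198.51.100.7:8443", "first_payload_hex": _datagram(0xD0, QUIC_V2)},
    {"host": "ws-031", "process": "vpnclient.exe", "proto": "udp",
     "dst": "203.0.113.44:443", "first_payload_hex": _datagram(0x16)},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print("review:", *hit)
```

Because the check keys on the header and not the port, the QUIC flow to UDP/8443 is caught while the non-QUIC UDP/443 flow is left alone.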
The new attack surface: your coding agent
Slopsquatting is the cleanest example of a pattern that's going to define the next year. An LLM emits import requests-auth-helper at some non-zero rate across millions of users. The package doesn't exist. An attacker registers it. The next agent run installs it. The developer never typed the name. Registration is free; detection requires noticing a dependency you never intended to depend on.
Hallucination rate was a quality metric last quarter. This week it became a security metric.
The fix is three controls and none of them are default. A pre-commit hook that fails on any new dependency not in the lockfile, with AI-generated additions specifically gated. A registry allowlist at the network layer for any agent that can install. Install-time sandboxing so a malicious setup.py can't reach ~/.aws/credentials on first run. The same week, OX Security published an RCE-by-design finding in MCP STDIO across 150M+ downloads, ten-plus CVEs from one root cause. The protocol pipes untrusted bytes to a local shell before any model code runs. Every Claude Code, Cursor, and IDE plugin in the building inherited the design, not a bug.
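A sketch of the first control, the lockfile gate, as an added example that is not from the original piece. It assumes a pip project with `requirements.txt` as the manifest and `requirements.lock` as the reviewed lockfile (both names are assumptions), and it compares the staged manifest against the lockfile at HEAD, so any new name is blocked regardless of whether a person or an agent added it.

```python
import re
import subprocess
import sys

# Assumed file names; adjust to the repository's layout.
MANIFEST, LOCKFILE = "requirements.txt", "requirements.lock"

def normalize(name):
    """PEP 503 normalization: Requests_Auth.Helper -> requests-auth-helper."""
    return re.sub(r"[-_.]+", "-", name).lower()

def package_names(text):
    """Extract normalized project names from requirements-style text."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option (-r, --hash)
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.add(normalize(match.group(0)))
    return names

def unlocked_dependencies(staged_manifest, base_lock):
    """Names declared in the staged manifest that the reviewed lockfile lacks."""
    return sorted(package_names(staged_manifest) - package_names(base_lock))

def git_show(spec):
    """Return a blob's text from git, or an empty string if it does not exist."""
    out = subprocess.run(["git", "show", spec], capture_output=True, text=True)
    return out.stdout if out.returncode == 0 else ""

def main():
    # ":path" is the staged copy; "HEAD:path" is the last committed lockfile, so a
    # change that regenerates the lock alongside the new name still trips the gate.
    staged = git_show(f":{MANIFEST}")
    missing = unlocked_dependencies(staged, git_show(f"HEAD:{LOCKFILE}"))
    for name in missing:
        print(f"blocked: '{name}' is not in {LOCKFILE} at HEAD; needs human review",
              file=sys.stderr)
    return 1 if missing else 0

if __name__ == "__main__":
    sys.exit(main())
```

Name normalization matters here: `Typing_Extensions` in the lockfile and `typing-extensions` in the manifest are the same project to the index, and the gate treats them as such.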
The strategy: a trillion dollars in a circle, and a model layer that just got squeezed
The loop is now actually quantifiable. About half of the $2T+ disclosed cloud backlog at the four hyperscalers is OpenAI and Anthropic spending money the same hyperscalers gave them. Anthropic's $330B of compute commitments runs at roughly 10x its current revenue. Oracle's backlog is up 438% YoY on essentially one customer. The bull case is that revenue catches up. The empirical problem is that capability scaled hard over 18 months and reliability barely moved — Opus-4.5 with web search still produces ~30% ungrounded claims in multi-turn, and that compounds every turn after the first.
The labs noticed. OpenAI launched a $4B Deployment Company and is already at $100M in ad ARR six weeks in, projecting $100B by 2030, building a 30M-unit phone with MediaTek silicon. Anthropic launched a $1.5B JV with Goldman, Blackstone, and H&F, named finance as its number-two segment, and committed to staying ad-free. They picked opposite futures in the same week and both admitted that API revenue alone won't service the cloud commitments. Apple, having paid $250M to settle the Siri suit, opened iOS 27 to third-party AI providers — a billion users will pick a default once and never revisit the screen.
If your product's value is "we use the good model," that value now lives in someone else's settings menu. The only durable layers are the ones the platform shifts don't intermediate: vertical workflow, owned data, the orchestration logic, and the reliability infrastructure that turns a 30%-ungrounded model into a shippable feature.
What to do this week
In order: lock down PAN-OS management today and assume compromise on anything that's been internet-reachable. Hunt DAEMON Tools across endpoints and treat any hit as credential rotation. Add a lockfile gate to CI that fails on AI-introduced dependencies — this is a same-day pre-commit hook, not a quarter of work. Inventory MCP servers and pin versions. Then, separately and on a longer clock, decide whether your AI workload sits on the OpenAI trajectory or the Anthropic one, because the answer determines who your vendor competes with in 18 months.
Multi-token prediction shipped production-ready across vLLM, SGLang, llama.cpp, and Ollama this week. A 78M-parameter draft head, ~75% acceptance, 1.3-1.5x real throughput on loaded servers — not the 2-3x headline, but real. It's the cheapest inference win available and it takes hours to integrate. Do that after the firewall.