How GitHub and Grafana were hit by supply chain attacks
Today: GitHub and Grafana share more details on how hackers stole their code, Google Cloud booted Railway off its infrastructure for no clear reason, and the latest enterprise moves.
Welcome to Runtime! Today: GitHub and Grafana share more details on how hackers stole their code, Google Cloud booted Railway off its infrastructure for no clear reason, and the latest enterprise moves.
The relentless pace of attacks targeting open-source software package managers in the first half of 2026 is taxing some of the most careful, well-resourced security organizations in enterprise tech. GitHub and Grafana Labs released more details this week on how their code bases were compromised through two separate incidents that can be traced back to the TanStack npm attack from last week, and the eventual fallout of that attack could be much wider than we currently understand.
The reports underscore two truths about defending high-profile targets in the current environment: even well-planned incident-response strategies can fail in the heat of the moment, and all it takes is one bad machine to compromise an entire code base. In Grafana's case, it took nearly a week to realize that its source code was being held for ransom.
The last thing GitHub needed after a horrendous start to 2026 was a major security incident, but that's what it got after one of its developers downloaded one compromised VS Code extension, and 3,800 internal GitHub repositories flew out the window. And that extension was poisoned after just one of the developers working on the Nx open-source project downloaded a bad TanStack package.
Grafana has raised $1.1 billion in funding, and GitHub is, well, GitHub, which makes it really scary to consider how developers working with far fewer resources will be able to detect and respond to these attacks. This could be just the start: "I think we will continue to see these techniques. Threat actors know they work, and they’re running with it," Palo Alto Networks' Nathaniel Quist told Wired.
Every business operating on cloud infrastructure knows that outages will happen from time to time, and the ones that are particularly concerned with uptime know they need to have a backup plan to ensure they can continue to provide their services. But it seems fair to say that most of those companies haven't considered the possibility that their cloud provider would lock them out of their servers with no warning, and that's exactly what Google Cloud did to Railway on Tuesday evening.
"Railway experienced a platform-wide service disruption due to Google Cloud incorrectly placing our account in a suspended status," the company said in a blog post Wednesday. Railway, which operates a software development and deployment platform, said it had designed its architecture with outages in mind, but "there was still a hard dependency on workload discoverability being tied to the network control plane API that was hosted on the machines running in Google Cloud."
Google Cloud has yet to release any details on how exactly this happened, but has not disputed Railway's account of the events. At least it's not as bad as deleting a huge pension fund's entire account.
Andrej Karpathy is the new … something at Anthropic, joining the frontier model company's research arm after a legendary engineering career.
Raviv Levi is the new chief product and technology officer at CData, joining the data management company after engineering leadership roles at Sift and Cisco.
The Trump administration announced plans to give quantum computing companies $2 billion with funds from the CHIPS Act in exchange for equity stakes, with IBM set to receive $1 billion to create a foundry for quantum chips.
Workday beat Wall Street estimates for revenue and profit and raised its guidance, sending its stock up 14% in after-hours trading and perhaps putting an end to the SaaSpocalypse.
Zoom pulled off the same trifecta, reporting that paying customers for its Zoom AI product tripled compared to last year, according to Bloomberg.
S. "Soma" Somasegar — partner at Madrona Ventures, longtime Microsoft executive, and one of the nicest people in enterprise tech — died Tuesday at the age of 59.
Thanks for reading — Runtime is off for the holiday weekend, see you Tuesday!