When supply-chain attacks meet coding agents, look out

Welcome to Runtime! Today: A sophisticated supply-chain attack on a widely used open-source package could have compromised a huge number of systems, Anthropic inadvertently leaks Claude Code's source code, and the latest funding rounds in enterprise tech.


Everything everywhere, all at once

Attacks on software supply chains continue to offer criminals and nation-state adversaries the best bang for their hacking buck, because they only have to compromise one code base in order to infect thousands, if not millions, of developers who rely on that code. And as more companies experiment with coding agents that will happily download whatever they need to accomplish a task, a successful supply-chain attack could really take off.

Late Monday evening, hackers obtained the GitHub credentials of one of the maintainers of Axios and used those credentials to publish two updates to the open-source project that contained sneaky links to malware. Axios (not the smart-brevity merchant) is one of the most popular packages on the npm registry, downloaded around 100 million times a week by developers who want to connect JavaScript applications to the internet without having to write that code themselves.

  • "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package," StepSecurity wrote in a detailed explanation of how the attack unfolded.
  • npm flagged the malicious package, and GitHub helped the Axios maintainers regain control of the project's GitHub account, but the compromised version was available for download for about three hours.
  • Google's Threat Intelligence Group attributed the attack to North Korean hackers most likely bent on stealing cryptocurrency or other sensitive credentials from developers that downloaded the package, according to Bloomberg.

This attack was particularly tricky because no malicious code was ever inserted into the new Axios versions themselves. Instead, the attackers added a new dependency to the package; that dependency downloaded a remote-access trojan onto developer machines and then removed itself from those systems, covering the attackers' tracks.

  • "Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies," StepSecurity wrote.
  • StepSecurity said one of its products "detected the compromised axios package making anomalous outbound connections to the attacker's C2 domain across multiple open source projects," suggesting that the fallout from the attack spread very quickly.
  • Huntress, another security company, wrote that "within our partner base, Huntress observed at least 135 endpoints across all operating systems contacting the attacker's command-and-control infrastructure during the exposure window."
  • Several security companies published instructions for developers worried they may have been compromised, which basically involve downgrading any Axios packages used in their software to the previous version.

It will probably take a few days to get a better picture of how many systems and companies were affected by this incident, but it arrived right as coding agents are becoming much more widely used in the software-development process. Some developers experimenting with coding agents and desktop apps like OpenClaw like to give them projects to run overnight, which, given the hour of this attack, could have had devastating results.

  • Aikido suggested "pinning" verified versions of open-source packages, that is, instructing software that depends on packages like Axios to install only a specific, vetted version rather than grabbing the latest one when building an update.
  • Companies can also work with vendors like Chainguard or Docker to make sure their developers and coding agents are only using verified packages in their software builds, but that can get expensive.
  • And as coding agents become more widespread, package registries are going to have to adjust, according to Andrej Karpathy: "I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies," he wrote on X.
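Pinning only works if every dependency specifier in the manifest is an exact version rather than a range that lets the installer pick up whatever was published most recently. As an added example (not code from the newsletter, Aikido, StepSecurity or npm), here is a small Node.js audit that reads a package.json and reports the dependencies that would float to a newer release on a fresh install. The sample manifest, the project name and every package name other than axios are constructed placeholders.

```javascript
// Added example: flag dependency specifiers that are not pinned to an
// exact version. Run with a path to a package.json, or with no argument
// to audit the constructed sample below.

// A specifier is pinned only if it is a single exact semver version such
// as 1.2.3 or 1.2.3-beta.1. Ranges (^, ~, *, >=), dist-tags like "latest",
// git URLs and aliases all let npm choose a version at install time, so
// they are treated as unpinned.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return typeof spec === "string" && EXACT_SEMVER.test(spec.trim());
}

// Walk the dependency sections of a parsed package.json and return every
// entry whose specifier is not an exact version.
function findUnpinned(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Convenience wrapper for auditing a manifest on disk.
function auditFile(path) {
  const fs = require("fs");
  return findUnpinned(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample manifest (placeholder names except axios).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    axios: "^1.6.0",                 // caret range: a new 1.x publish is picked up
    "left-pad-placeholder": "1.3.0", // exact version: pinned
  },
  devDependencies: {
    "lint-placeholder": "*",         // wildcard: always the newest release
    "test-placeholder": "~2.1.0",    // tilde range: any 2.1.x
  },
};

const findings = findUnpinned(SAMPLE_PACKAGE_JSON);
for (const f of findings) {
  console.log(`${f.section}: ${f.name} "${f.spec}" is not pinned`);
}
console.log(`${findings.length} unpinned dependency specifier(s) found`);
```

The check is deliberately strict: an alias such as `npm:axios@1.6.0` is reported as unpinned even though it names a single version, because anything other than a bare exact version takes more scrutiny than a regex should be trusted with. A lockfile still matters alongside this: the manifest says what you intend to install, the lockfile records what was actually resolved, and an audit like this is only a first pass over the former.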

Whoops

Somebody at Anthropic is really annoyed that the North Koreans didn't target its code base last night, because at least they would have a better excuse for leaking its crown jewels onto the internet. The company confirmed Tuesday that an employee mistakenly included the source code for the popular coding agent in a release of Claude Code published to npm early Tuesday morning.

"No sensitive customer data or credentials were involved or exposed," the company said in a statement to VentureBeat, adding that the leak was caused by "human error, not a security breach." Either way, it allowed pretty much every AI developer on the internet to examine the code for clues as to how Anthropic built Claude Code into the leading coding agent of the current moment.

It also shed light on Anthropic's model roadmap — although a lot of those details were exposed in a separate leak last week — and could give hackers several opportunities to poke holes in Claude Code. VentureBeat also noted that Anthropic appears to have built an "undercover" mode into a future release of Claude Code, which "provides a technical framework for any organization wishing to use AI agents for public-facing work without disclosure."


Enterprise funding

OpenAI raised $122 billion in new funding that values the frontier model maker at $852 billion post-money — just astonishing figures for a deeply unprofitable company — ahead of an expected IPO later this year that will be a real doozy.

Rebellions landed $400 million in new funding for its AI data center hardware, which includes servers as well as rack and cluster infrastructure.

Starcloud scored $170 million in Series A funding to build data centers in space, which a lot of experts think will be impractical at scale, but, a counterpoint: data centers in spaaaaaaace…

Granola raised $125 million in Series C funding for its AI notetaking app, which it hopes to expand across the enterprise with new features that allow teams to collaborate and set boundaries around sensitive information.

Depthfirst landed $80 million in Series B funding for its application security platform, which uses AI to find problems in applications under development before they ship.

Qodo scored $70 million in Series B funding for its code review software, which looks to help companies solve the review bottleneck created by coding agents.


The Runtime roundup

Oracle's massive layoffs hit Tuesday morning, part of cuts that Bloomberg reported earlier this month would number in the "thousands" as it struggles to keep up with its larger cloud provider rivals during the AI buildout.

Microsoft's stock fell 23% during the first quarter of 2026, in what CNBC said was the worst quarter for its stock since 2008.

Meanwhile, U.K. regulators said they'd take another look at Microsoft's cloud software licensing practices, even after both Microsoft and Amazon said they'd make changes to satisfy earlier concerns.

AWS will waive all charges for customers using its UAE and Bahrain regions after a month's worth of disruption following attacks on those facilities during the war with Iran.


Thanks for reading — see you Thursday!