
The Infrastructure Is Already Burning

While everyone debates AI safety, hackers just poisoned the code libraries your apps run on. And Google moved quantum doomsday up by a decade.

The call is coming from inside the house.

While tech executives testify before Congress about hypothetical AI risks and venture capitalists debate which chatbot will achieve sentience first, North Korean hackers just compromised Axios — a JavaScript library downloaded tens of millions of times per week. They’ve been living rent-free in the open source supply chain, planting malware like digital land mines.

This isn’t some theoretical attack vector from a Black Hat conference. This is happening right now, to the code running your apps.

The Quiet Apocalypse

The Axios hack should terrify anyone who understands how modern software gets built. Axios is a ubiquitous HTTP client library; compromising it is the digital equivalent of poisoning the water supply. Tens of millions of weekly downloads mean this malware potentially touched everything from your banking app to that food delivery service you used last night.

North Korean hackers didn’t break into some government database or steal cryptocurrency this time. They went after the fundamental building blocks of the internet itself. The open source libraries that every developer treats as digital Lego blocks, assuming someone else verified they’re safe.

They were wrong.

But the Axios attack isn’t alone. Security researchers discovered self-propagating malware that’s been systematically poisoning open source projects, with a particular appetite for wiping machines in Iran. The malware spreads itself, finds new repositories to infect, and executes its payload based on geographic targeting. It’s like watching a digital virus evolve in real time.

Even security tools aren’t safe. Trivy, a widely-used vulnerability scanner that’s supposed to protect us from exactly these kinds of attacks, got compromised in an ongoing supply-chain attack. The irony is so thick you could cut it with a knife.

My read on this: We’ve built a house of cards and convinced ourselves it’s a fortress.

The Microsoft Reality Check

Speaking of houses of cards, federal cyber experts reportedly called Microsoft’s cloud a “pile of shit” — then approved it anyway for government use.

Let that sink in. The people whose job is to protect national infrastructure looked at Microsoft’s security posture, concluded it was fundamentally broken, and gave it the green light because the alternatives were worse or the political pressure too intense.

This isn’t just bureaucratic dysfunction. It’s a perfect snapshot of where enterprise security stands in 2024. We’re not choosing between good and bad options anymore. We’re choosing between different flavors of compromised, hoping our particular pile of shit doesn’t catch fire on our watch.

The federal experts were probably right on both counts — Microsoft’s cloud security has more holes than a screen door, but migrating away would be such a massive undertaking that the cure might be worse than the disease.

Q Day Just Got a Lot Closer

Here’s the kicker: While our current infrastructure burns, Google just moved up their deadline for “Q Day” — the moment when quantum computers can break current encryption — to 2029.

Not 2040. Not 2035. 2029.

Five years.

That sound you hear is every CISO’s stomach dropping. Current RSA encryption, the foundation of internet security, becomes worthless the moment someone builds a quantum computer capable of running Shor’s algorithm at scale. Every HTTPS connection, every VPN tunnel, every encrypted database — all of it becomes readable as plaintext.

I’ve been covering quantum computing since Google’s first claims of quantum supremacy in 2019. Back then, the consensus was that cryptographically-relevant quantum computers were still decades away. We had time to migrate to post-quantum cryptography, to upgrade systems, to prepare.

2029 means we have the time it takes to plan and execute one major enterprise software migration. Maybe two if you’re fast and lucky.

Companies still running Windows Server 2012 (and there are more than you’d think) are about to discover what technical debt really costs.

The Automation Mirage

While digital infrastructure crumbles and quantum computers threaten to make encryption obsolete, Silicon Valley keeps selling automation dreams.

Amazon announced that Alexa+ now integrates with Uber Eats and Grubhub, promising an experience “similar to chatting with a waiter at a restaurant.” Because apparently what we needed was more ways to avoid human interaction while ordering food we’re too lazy to cook.

The timing feels almost perverse. Our core digital infrastructure is under sustained attack from nation-states, our encryption has an expiration date, and Amazon’s priority is making it easier to order DoorDash with voice commands.

Uber, meanwhile, just launched robotaxis without human safety operators in Dubai and increased their stake in WeRide. Because if there’s one place you want to beta test autonomous vehicles, it’s a city built on ambition and oil money with a casual relationship to safety regulations.

The pattern here isn’t hard to spot. Silicon Valley keeps pushing automation at the edges — voice assistants, self-driving cars, AI chatbots — while the foundational systems that make modern life possible rot from within.

It’s like renovating your kitchen while termites eat through the support beams.

The Valuation Reckoning

Even the money is getting weird. Whoop, the fitness tracker company, just tripled its valuation to $10 billion in a $575 million Series G round. LeBron James and Cristiano Ronaldo are investors now, because apparently what fitness tracking needed was more celebrity endorsements and a valuation that would make Tesla blush.

$10 billion. For a company that makes wristbands that track your sleep and heart rate.

Meanwhile, Rec Room — once valued at $3.5 billion for building virtual hangout spaces — is shutting down entirely. The social gaming platform will close on June 1st, joining the growing graveyard of companies that raised hundreds of millions of dollars to build virtual worlds nobody wanted to live in.

The contrast is striking. A fitness tracker gets a $10 billion valuation while a virtual reality platform with billions in investment just… dies.

My take: The market is finally starting to separate companies that solve real problems from those that solve problems venture capitalists imagined. Whoop tracks actual human behavior and sells subscriptions. Rec Room built expensive digital playgrounds for an audience that preferred TikTok.

But even Whoop’s valuation feels disconnected from reality. $10 billion means investors think this company will either IPO at an even higher valuation or get acquired by Apple for a price that would make the Beats deal look conservative.

Good luck with that.

What This All Means

Here’s what I think is really happening: We’re watching the collision between two different technology cycles, and it’s going to get messy.

The first cycle is the infrastructure we built over the past 20 years. Cloud services held together with duct tape and prayer. Open source libraries maintained by volunteers in their spare time. Encryption algorithms from the 1990s protecting trillion-dollar financial systems. It worked fine when the biggest threat was script kiddies and the occasional organized crime syndicate.

The second cycle is nation-states with quantum computers and AI-powered malware that can rewrite itself faster than human defenders can respond.

The collision between these cycles isn’t theoretical anymore. It’s happening right now, in the Axios compromise and the Trivy hack and the self-propagating malware that’s methodically poisoning the open source ecosystem.

The quantum threat makes it worse. Even if we perfectly secure our current systems against conventional attacks, we have maybe five years before quantum computers make all of that security irrelevant.

Companies aren’t prepared for this transition. Hell, most companies are still figuring out basic cloud security. The idea that they’ll successfully migrate to post-quantum cryptography while simultaneously defending against AI-powered nation-state attacks is optimistic to the point of delusion.

The Real AI Risk

Everyone’s worried about artificial general intelligence becoming conscious and turning humanity into paperclips. That’s science fiction.

The real AI risk is much simpler: AI-powered malware that can adapt faster than human defenders can respond, spreading through supply chains we can’t secure, attacking infrastructure we can’t replace, using vulnerabilities we haven’t discovered yet.

We don’t need superintelligent AI to cause chaos. We just need AI that’s slightly better at finding and exploiting vulnerabilities than we are at fixing them.

Based on the supply chain attacks we’re seeing, we might already be there.

The Irony of Innovation

The most frustrating part of all this is how predictable it was. Security researchers have been warning about supply chain attacks for years. The quantum threat has been on the horizon since the 1990s. Everyone knew our infrastructure was held together with digital duct tape.

But fixing infrastructure is boring. It doesn’t generate headlines or unicorn valuations. There’s no TED talk about properly securing your software supply chain. No one gets famous for implementing post-quantum cryptography ahead of schedule.

So instead we got $10 billion fitness trackers and voice-activated food ordering while North Korean hackers methodically compromised the foundations of the internet.

The market rewards innovation over maintenance, disruption over security, growth over sustainability. We built a digital civilization on those principles, and now we’re discovering what happens when the foundation gives way.

What Comes Next

I think we’re about to see a massive correction. Not just in valuations — though that’s coming too — but in priorities.

Companies that have been coasting on infrastructure built by someone else, sometime else, are about to discover that technical debt compounds with interest. The organizations that survive the next five years will be the ones that take security seriously now, before the quantum computers come online and the AI-powered malware gets smarter.

The ones that don’t will become cautionary tales.

We might also see the federal government step in more aggressively. When critical infrastructure starts failing because of supply chain attacks, Congress tends to notice. Expect regulations requiring security audits for open source libraries, mandatory incident reporting, and probably some kind of software liability framework that makes vendors responsible for the security of their code.

The free-for-all approach to software development is ending. The question is whether it ends because the industry grows up and self-regulates, or because governments impose regulations after the first major infrastructure collapse.

My money’s on the latter.

What I’m Watching

  • Any major enterprise reporting post-quantum cryptography migration timelines — The companies that start this transition in 2024 might finish by 2029. The ones that wait until 2027 are going to get caught naked when the quantum computers come online.

  • Supply chain attack disclosure requirements — Watch for new regulations requiring companies to disclose when their dependencies get compromised. The European Union is usually first to move on this kind of thing.

  • Microsoft’s federal cloud contract renewals — If federal cyber experts really called it a “pile of shit,” those contracts are going to face more scrutiny. Any delays or additional security requirements will signal how seriously the government takes the current threat environment.

  • Open source funding initiatives — The Linux Foundation and similar organizations are going to start getting serious money to secure critical libraries. When that funding comes with strings attached — mandatory security audits, professional maintenance requirements — you’ll know the industry has finally acknowledged the problem.

The infrastructure is burning. The question isn’t whether we can put out the fire — it’s whether we can build something better from the ashes.