The Infrastructure is Rotting and Nobody's Home
Linux threats, supply-chain attacks, and companies betting on AI while their foundations crack. This is what happens when you stop maintaining the boring stuff.
The servers are on fire and everyone’s talking about ChatGPT plugins.
Let me connect some dots that should terrify you if you’ve actually worked in tech. Ubuntu infrastructure went down for over a day. A critical Linux vulnerability, described as “the most severe threat to surface in years,” caught the world flat-footed. Checkmarx and Bitwarden were specifically targeted in a supply-chain attack. Hackers, attributed by Kaspersky to Chinese state actors, planted a backdoor in Daemon Tools and compromised at least a dozen systems. Students had their data stolen from Instructure. And while all this was happening? PayPal announced it’s “becoming a technology company again” by embracing AI to cut $1.5 billion in costs. Etsy launched a shopping app inside ChatGPT. Meta is rolling out AI systems that analyze bone structure and height in photos.
This isn’t coincidence. This is the shape of things to come.
The Foundation Is Cracking
Here’s what I think is actually happening: we’ve collectively decided that maintenance is boring and therefore optional.
The Ubuntu outage didn’t happen because Linux is inherently fragile. It happened because infrastructure—the boring, unsexy, “already works so why touch it” infrastructure—doesn’t attract venture capital or executive bonuses. Nobody gets promoted for keeping systems running. You get promoted for launching new features.
The “most severe Linux threat in years” is more interesting. By every account, this isn’t a new bug in some cutting-edge component. It’s a foundational issue, and it apparently caught security teams globally off-guard. When you’ve got thousands of engineers shipping new code every day but only a handful actually thinking about core security architecture, this is what you get: a blind spot the size of a data center.
The Daemon Tools attack is the real tell. This is a piece of software that’s been around since the late 1990s. Millions of Windows users have it installed. It’s the definition of legacy: not in the “abandoned code” sense, but in the “so embedded in workflows that nobody questions it” sense. The attackers exploited exactly that assumption. They knew thousands of people would just… run the installer without thinking. A trojanized installer arriving through the channel people already trust defeats the usual habit of checking where a download came from; only checking the binary itself (its hash against a value published somewhere other than the download page, its signer identity) catches the swap, and even that fails if the build pipeline or signing key was what got compromised. At least a dozen organizations were fully compromised. The thousands of other infection attempts? Those are probably still sitting dormant.
My read: attackers are now specifically hunting for the gap between “things people trust” and “things people actually monitor.”
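As an added example (not code from this post or from any vendor named in it), here is the kind of pre-execution check that closes the “run the installer without thinking” gap: verify the file against a pinned size and SHA-256 taken from a manifest obtained separately from the download. The manifest, file names and installer bytes below are constructed for illustration. The check catches a swapped or truncated installer; it does not catch a compromised build pipeline that produced the pinned hash in the first place.

```python
"""Verify a downloaded installer against a pinned manifest before running it.

Added example, not code from the page or from any vendor. The manifest,
file names and installer bytes are constructed; in practice the expected
hash comes from a source independent of the download itself (a release
page fetched over a separate channel, a signed package index, or an
internal allowlist maintained by the security team).
"""
import hashlib
import hmac
import io
from enum import Enum


class Verdict(Enum):
    OK = "ok"                        # size and hash match the pinned entry: safe to run
    UNKNOWN = "not in manifest"      # nobody pinned this file: refuse, but it is a process gap
    SIZE_MISMATCH = "size differs"   # cheap pre-check; also catches truncated downloads
    HASH_MISMATCH = "hash differs"   # pinned file changed under us: treat as an incident


CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-hundred-MB installers stay out of RAM


def digest_and_size(fp) -> tuple[int, str]:
    """One streaming pass over a file-like object: (byte count, hex SHA-256)."""
    h = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fp.read(CHUNK), b""):
        h.update(chunk)
        size += len(chunk)
    return size, h.hexdigest()


def pin(data: bytes) -> tuple[int, str]:
    """Produce a manifest entry for a known-good artefact (done once, out of band)."""
    return digest_and_size(io.BytesIO(data))


def verify(name: str, fp, manifest: dict[str, tuple[int, str]]) -> Verdict:
    entry = manifest.get(name)
    if entry is None:
        return Verdict.UNKNOWN
    expected_size, expected_hash = entry
    size, digest = digest_and_size(fp)
    if size != expected_size:
        return Verdict.SIZE_MISMATCH
    # Constant-time comparison; cheap insurance when hashes arrive from an untrusted source.
    if not hmac.compare_digest(digest, expected_hash):
        return Verdict.HASH_MISMATCH
    return Verdict.OK


# Constructed sample: a known-good build and a same-length tampered copy of it.
GOOD = b"MZ\x90\x00" + b"legitimate installer bytes " * 40
TAMPERED = GOOD[:-9] + b"backdoor!"          # same size, one block changed
MANIFEST = {"tool-setup.exe": pin(GOOD)}     # hypothetical file name


def demo() -> dict[str, Verdict]:
    return {
        "good": verify("tool-setup.exe", io.BytesIO(GOOD), MANIFEST),
        "tampered": verify("tool-setup.exe", io.BytesIO(TAMPERED), MANIFEST),
        "truncated": verify("tool-setup.exe", io.BytesIO(GOOD[:100]), MANIFEST),
        "unpinned": verify("other-setup.exe", io.BytesIO(GOOD), MANIFEST),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict.value}")
```

The two refusal verdicts are deliberately different: an unpinned file is a gap in the allowlist process, while a changed hash for a file that was pinned is exactly the signal a backdoored installer produces and should page someone.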
The AI Distraction Is Real
PayPal’s announcement that it’s “becoming a technology company again” through AI is exactly backwards. It’s becoming a company that’s abandoning being a technology company in favor of being an AI company. There’s a difference.
Cutting $1.5 billion through automation and restructuring sounds efficient until you realize it often means cutting the teams that actually maintain systems. It means fewer engineers per critical service. It means the boring work—patching, monitoring, auditing—gets slower. Exactly when threats are accelerating.
Etsy’s ChatGPT app? Clever product move. But I’d bet dollars to donuts that the team shipping that feature is far better resourced than the team auditing their API security. That’s not a criticism of Etsy specifically; it’s how incentives work across the entire tech industry right now.
Everyone’s racing to deploy LLMs because the business upside is obvious and immediate. Maintaining Linux security? Monitoring supply-chain risks? Keeping infrastructure stable? The business case is “things don’t fall apart,” which is invisible until they do.
The Supply-Chain Time Bomb
Here’s what genuinely worries me: Checkmarx and Bitwarden were both targeted because they’re security infrastructure. They’re the tools that other companies rely on to stay safe.
This is like discovering the fire department’s equipment is sabotaged while you’re in the middle of a fire. When a security vendor gets compromised, the blast radius is every downstream customer at once. Every customer of Checkmarx now has to ask whether the code-scanning pipeline that reads all of their source could have been turned against them. Every Bitwarden user has to ask whether a tampered client build could have leaked what the vault’s client-side encryption is supposed to keep private; the server never sees plaintext, so the client is exactly where an attacker would have to go.
The attackers knew exactly what they were doing. Targeting security firms is high-difficulty, high-reward. It’s the opposite of spray-and-pray malware. This was surgical.
And Meta’s bone-analysis AI system? That’s launching while we’re still discovering the scope of the Instructure breach, where student data, potentially including minors’ data, got stolen. Meta’s pitch is that they can use visual analysis to identify underage users. Maybe they can. But I’d be shocked if there aren’t seventeen different ways to spoof that system. The fact that they’re even trying to solve this with AI instead of just… enforcement and moderation… tells you something about how much they’re willing to invest in the actually-hard problem.
What The Headlines Aren’t Saying
I think we’re in a weird moment where companies are simultaneously over-confident about AI and deeply under-confident about basic operations.
You’ve got firms shipping conversational shopping and bone-structure detection while their authentication layers are held together with hope and automation. You’ve got infrastructure providers experiencing extended outages. You’ve got supply-chain attacks that are specifically targeting the infrastructure of other companies’ security.
The thing that gets me: Reddit blocked my daily visit to its mobile website. That was apparently interesting enough to make headlines. Reddit—a company with billions in valuation—couldn’t keep a mobile web experience stable enough for regular users. GameStop offered $56 billion for eBay and couldn’t immediately explain how it’d fund the deal. These aren’t unrelated. Both suggest companies operating in a state of organized chaos.
I think the next 18 months are going to be ugly. Some companies will get hit with breaches they didn’t see coming. Others will have AI systems that confidently make decisions on poisoned data. A few will have infrastructure failures that cascade because they cut too deep into maintenance teams.
The winners won’t be the ones with the best AI. They’ll be the ones who kept their foundations boring and boring-expensive.
What I’m Watching
- Linux vulnerability disclosure and patch adoption timeline. If major infrastructure providers take more than 30 days to patch the “most severe threat in years,” we’re looking at a window where attacks will be easy. Watch for CVE assignments over the next two weeks and monitor how many Fortune 500 companies confirm patches by mid-quarter. Count a host as patched only when its inventory shows the fixed package version, not when a ticket is closed. If adoption is <60% by 90 days, we’ve got a problem that extends way beyond Linux nerds.
- Kaspersky’s Daemon Tools attribution confidence. They’re claiming Chinese state actors. Watch whether other firms (CrowdStrike, Mandiant, Microsoft) independently verify this or push back. Disagreement on attribution means one of two things, and both are bad: either the operation was built to resist attribution, or the tooling is no longer confined to one state’s operators. Either way, defenders have to assume the capability is more widely held than a single-actor story suggests.
- PayPal’s infrastructure incidents quarter-over-quarter. They’re cutting deep. Track their incident reports, status pages, and any security disclosures from Q2 2024 forward. If outages or breaches spike, we’ll have real-time evidence that the AI-efficiency play destroyed operational resilience. This is the easiest metric to monitor and the hardest truth for executives to admit.
- Meta’s bone-analysis system false positive rate. Once the system goes broadly live, track reports of adults being flagged as underage or vice versa. Not only because accuracy matters for safety (it does) but because it shows whether companies deploying these systems actually understand their failure modes. If we see reports of the system being routinely wrong, that’s evidence they shipped without sufficient testing.
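The first item above asks for a patch-adoption number. Here is an added example (not from this post) of how to compute it honestly for a Debian/Ubuntu fleet: a dpkg-style version comparison so that epochs, `~` pre-release tags and distro revisions compare the way the package manager compares them, plus a stale-inventory rule so a host that stopped reporting is not silently counted as patched. The package name, versions, host names and dates are constructed; the 30-day SLA is the threshold from the list.

```python
"""Fleet patch-adoption tracker for a Debian/Ubuntu package (added example).

Not code from the page or from any vendor. Package, versions, host names and
dates are constructed. Version comparison follows the dpkg rules: epoch, then
upstream, then revision; '~' sorts before anything (even end of string),
letters sort before non-letters, digit runs compare numerically.
"""
import re
from dataclasses import dataclass
from datetime import date


def _char_order(c: str) -> int:
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c == "":
        return 0           # end of run
    if c.isalpha():
        return ord(c)      # letters before non-letters
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a: str, b: str) -> int:
    # Alternate non-digit runs (dpkg lexical rules) and digit runs (numeric).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        na = re.match(r"[^0-9]*", a[ia:]).group()
        nb = re.match(r"[^0-9]*", b[ib:]).group()
        if (r := _cmp_nondigit(na, nb)):
            return r
        ia, ib = ia + len(na), ib + len(nb)
        da = re.match(r"[0-9]*", a[ia:]).group()
        db = re.match(r"[0-9]*", b[ib:]).group()
        ia, ib = ia + len(da), ib + len(db)
        va, vb = int(da or "0"), int(db or "0")
        if va != vb:
            return -1 if va < vb else 1
    return 0


def _split(v: str):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


@dataclass
class Host:
    name: str
    package: str
    version: str
    seen: date       # when this host last reported its package inventory


def classify(h: Host, fixed: str, today: date, stale_after: int = 7) -> str:
    # A stale inventory record proves nothing; counting it as patched inflates adoption.
    if (today - h.seen).days > stale_after:
        return "stale"
    return "patched" if compare_versions(h.version, fixed) >= 0 else "unpatched"


def adoption_report(hosts, package, fixed, disclosed, today, sla_days=30):
    in_scope = [h for h in hosts if h.package == package]
    status = {h.name: classify(h, fixed, today) for h in in_scope}
    patched = [n for n, s in status.items() if s == "patched"]
    unpatched = [n for n, s in status.items() if s == "unpatched"]
    days = (today - disclosed).days
    return {
        "in_scope": len(in_scope),
        "patched": len(patched),
        # Stale hosts stay in the denominator: the honest number, not the flattering one.
        "adoption": round(len(patched) / len(in_scope), 3) if in_scope else None,
        "days_since_disclosure": days,
        "overdue_hosts": unpatched if days > sla_days else [],
        "stale": [n for n, s in status.items() if s == "stale"],
    }


# Constructed inventory, fixed version and dates (all hypothetical).
FIXED = "1:2.4.7-1ubuntu2.1"
DISCLOSED, TODAY = date(2024, 4, 1), date(2024, 5, 15)
FLEET = [
    Host("web-01", "libfoundation", "1:2.4.7-1ubuntu2.1", date(2024, 5, 14)),
    Host("web-02", "libfoundation", "1:2.4.7-1ubuntu2", date(2024, 5, 14)),         # one revision behind
    Host("db-01", "libfoundation", "1:2.4.8-1", date(2024, 5, 15)),                  # newer upstream
    Host("bastion", "libfoundation", "1:2.4.7-1ubuntu2.1", date(2024, 4, 20)),       # stopped reporting
    Host("build-01", "libfoundation", "1:2.4.7-1ubuntu2.1~rc1", date(2024, 5, 15)),  # '~rc1' sorts below the fix
    Host("lb-01", "haproxy", "2.8.5-1", date(2024, 5, 15)),                           # different package
]

if __name__ == "__main__":
    print(adoption_report(FLEET, "libfoundation", FIXED, DISCLOSED, TODAY))
```

Two of the constructed hosts show why naive string comparison is not good enough: `build-01` carries a `~rc1` pre-release tag that is lexically “greater” than the fixed version but sorts below it under dpkg rules, and `bastion` has the right version on record but has not reported in 25 days, so it lands in the stale bucket rather than the patched count.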
The boring stuff. Keep watching the boring stuff. That’s where the real failures are happening.