The Infrastructure is Rotting and Nobody's Paying Attention

---

We’re living in a strange moment where the flashiest security disasters get the least attention.

Iran-linked hackers just disrupted operations at US critical infrastructure sites. Russia’s military has thousands of consumer routers compromised. A zero-day in Adobe PDFs was actively exploited for months before anyone noticed. And somehow we’re still talking about whether Nvidia GPUs can be remotely owned via Rowhammer attacks like it’s an academic curiosity instead of a national problem.

The pattern isn’t hard to see if you look. But most of the tech industry is looking the wrong direction.

The Quiet Crisis Nobody’s Naming

Let’s start with what actually happened. Iran-linked actors disrupted US critical infrastructure. Not theoretically. Not in a simulation. In real infrastructure, right now. That’s the headline that should’ve stopped everything for 48 hours, but it landed between funding announcements and GPU architecture discussions and mostly disappeared.

Around the same time, thousands of consumer routers—the devices sitting in American homes and small offices—were compromised by Russia’s military. Not some Chinese APT group or random cybercriminals. The Russian state, weaponizing the cheapest attack surface in your network.

Then Adobe quietly patched a zero-day that’d been getting actively exploited since at least November 2025. A researcher had to tell us how long it’d been happening. Nobody caught it themselves.

This isn’t a series of isolated incidents. This is what happens when three conditions align: attackers have strong motivation, defenders are stretched thin, and the attack surface keeps expanding faster than anyone can defend it.

Photo by Maarten van den Heuvel / Pexels

The GPU Problem That Isn’t Going Away

Here’s where the Rowhammer story fits in, though probably not how you think.

New attacks give complete control of machines running Nvidia GPUs. Okay. Now imagine that capability sitting in a server farm that runs critical systems. Or in a cloud provider’s infrastructure. Or, let’s be honest, in the datacenter running some AI startup’s latest model.

The thing about hardware vulnerabilities is they don’t get patched like software. You can’t just ship an update. Rowhammer has existed since at least 2014, and we keep discovering new variants because the fundamental physics of DRAM hasn’t changed. Every new generation of GPU, every new density of memory, creates new angles of attack.

I think we’re going to see this used in the wild more aggressively over the next 18 months. Not as a headline-grabbing exploit, but as a quiet persistence mechanism. Get Rowhammer access to a GPU, establish yourself deep in the infrastructure, and you’re nearly impossible to evict. That’s the move.

The Enterprise Software Crisis Nobody Wants to Admit

Meanwhile, Broadcom’s acquisition of VMware created a different kind of disaster—one playing out in spreadsheets instead of exploit code.

Thousands of customers are actively migrating away from VMware because they don’t trust Broadcom’s direction. That’s not normal. Enterprise migrations take months or years. When companies start doing them in parallel, it signals genuine panic about the vendor’s future.

My read: this is worse than people think. VMware is the virtualization backbone for millions of corporate systems. If those migrations go wrong—if there’s data loss, incompatibility issues, or security gaps during the transition—the fallout will make the MOVEit vulnerability look quaint. We’re talking about potential weeks of downtime across financial services, healthcare, and government.

I’m genuinely uncertain whether Broadcom can recover from this. They’ve got the money and talent to fix the strategic missteps, but they’ve already lost customer trust. That’s the harder thing to rebuild.

Photo by UMA media / Pexels

Where the Money Still Flows Anyway

In the middle of all this, Pillar raised $20M seed funding led by a16z, with backing from Dara Khosrowshahi and other heavy hitters.

Pillar is building financial risk management platforms. In other words, they’re helping institutions model what happens when things go wrong. The investors bankrolling them clearly believe things are going to go wrong—or at least that the cost of preparing for it justifies $20M.

That’s a rational bet. Given everything above, any financial institution not modeling infrastructure failure scenarios aggressively right now is running blind. Pillar’s timing is almost suspiciously good.

The OpenClaw Thing

Then there’s OpenClaw, which apparently gives users “yet another reason to be freaked out about security.”

I can’t find detailed description of what OpenClaw actually does in the materials, which tells you something about the current state of security disclosure. The headline exists. The severity is implied. The fix is… unclear. This is how modern vulnerabilities work now—announced with enough alarm to scare people but not enough detail to actually understand the attack.

That’s not sustainable. Either we get more transparency about what’s actually vulnerable, or security theater continues to become more theatrical while the actual attacks get more sophisticated.

Tesla’s Gamification Play

Then there’s Tesla, which added “streaks” and stats tracking to Full Self-Driving subscriptions.

This is genuinely interesting because it’s a different kind of security concern. Tesla’s not being hacked here—they’re deliberately making the software more addictive, nudging users to enable autonomous features more often. The feature itself might be safe (or might not), but the behavioral design is creating more aggregate exposure to unproven technology.

When you weaponize gamification against your users’ risk assessment, you’re creating a vulnerability of a different type. Not in the code. In human judgment.

What I’m Actually Worried About

Here’s my honest take: we’re not prepared for the cascading failure this infrastructure is heading toward.

The defenses are good in places and nonexistent in others. The attackers are well-funded, well-motivated, and learning faster than defenders can adapt. And critically, we’ve outsourced huge portions of security to vendors we no longer trust—VMware, Adobe, various router manufacturers.

When those vendors have security incidents or strategic failures, the blast radius is enormous. It’s like having fire exits that randomly lock themselves.

I think 2025 is the year this becomes impossible to ignore. Not because one thing will be catastrophically bad, but because three or four things will fail simultaneously in ways that expose how connected everything is.

What I’m Watching

• VMware migration completion rates through Q2 2025 — Track how many enterprises finish their moves off Broadcom’s platform. If it’s >60% of announced migrations by June, that’s a signal the company’s enterprise business is genuinely broken, not just bruised.

• Critical infrastructure incident frequency — Watch whether Iran-linked attacks remain isolated or start showing coordinated campaigns. If we see three more disruptions in the next eight weeks, that’s a pattern, not luck.

• Rowhammer exploits in breach disclosures — The forensic evidence of what was actually used in real attacks. When researchers find Rowhammer as a persistence mechanism in a major breach, that’s the moment the threat stops being theoretical.

• a16z’s next three infrastructure security investments — If they’re betting big on financial risk management, they’re seeing something in the portfolio data. Watch where they deploy capital next. It’s a leading indicator of institutional concern.

The routers are compromised. The PDFs are being exploited. The enterprise is fleeing in panic. And we’re still shipping new features instead of stopping to ask if the foundation actually holds.