Week 23 · 2026

Microsoft has announced a major milestone in quantum computing with the unveiling of its Majorana 2 topological quantum chip. The company claims this new chip is 1,000 times more reliable than the previous Majorana 1 generation, achieving average qubit lifetimes of 20 seconds, with some instances lasting up to one minute. A key technical innovation in the Majorana 2 is the replacement of an aluminum-based topological superconductor with a lead-based design, which significantly improves the protection of qubits from environmental interference. The development process was heavily accelerated by the integration of agentic AI and the Microsoft Discovery platform, which allowed researchers to automate complex measurements, optimize fabrication processes, and analyze decades of quantum research far more efficiently than traditional linear human methods. Microsoft expects this trajectory to lead to the realization of scalable quantum computing by 2029. However, this technological progress intensifies the looming threat of 'Q-Day,' the moment when quantum computers become powerful enough to break the public-key cryptography that secures the modern internet and cryptocurrencies like Bitcoin. Experts warn that such a breakthrough could allow attackers to forge digital signatures and derive private keys from exposed public keys, potentially putting hundreds of billions of dollars in Bitcoin at risk. As other players like Google also report progress with chips like Willow, the race to develop quantum-resistant cryptographic solutions becomes increasingly critical.

A significant supply-chain attack has been identified involving the compromise of over 30 npm packages under Red Hat's '@redhat-cloud-services' namespace. Security researchers from Aikido and OX Security discovered that the attack distributed a new variant of the Shai-Hulud malware, dubbed 'Miasma,' which is specifically designed to harvest developer credentials and sensitive cloud secrets. The breach originated from the compromise of a Red Hat employee's GitHub account, which allowed attackers to push malicious commits and implement a GitHub Actions workflow. This workflow leveraged npm's publishing mechanism and OIDC tokens to release backdoored package versions. The malicious payload, an obfuscated 'index.js' file, executes during the npm preinstall stage to steal a wide array of data, including AWS, Google Cloud, and Azure credentials, as well as SSH keys, Kubernetes service account tokens, and Docker credentials. While the scale of the attack is significant, with approximately 117,000 weekly downloads for the affected packages, Red Hat has stated that the compromise was limited to internal development tooling and that no customer or production systems were impacted. This incident follows a series of similar supply-chain attacks involving the Shai-Hulud malware family targeting prominent organizations like Bitwarden, SAP, and OpenAI. Organizations that may have installed the affected versions are advised to rotate all credentials and secrets immediately.

Mastercard is expanding its settlement network to support regulated stablecoins, a strategic move designed to integrate blockchain-based payments into the core of the global financial system. The company's new framework will offer issuers and acquirers enhanced settlement options, including intraday, weekend, and holiday capabilities, alongside existing fiat processes. This transition is intended to move the payment network toward an 'always-on' model, allowing value to be transferred and settled regardless of traditional banking schedules. Mastercard will initially support several prominent stablecoins, including Circle's USDC, Paxos-issued PYUSD, USDG, USDP, Ripple's RLUSD, and SoFiUSD. These assets will be available across multiple blockchain networks, including Ethereum, Solana, Polygon, Base, Arbitrum, and the XRP Ledger (XRPL). This shift highlights the evolving role of stablecoins from mere trading instruments to critical settlement assets for banks, payment firms, and asset managers seeking efficient cross-border transfers. The rollout is expected to include several financial institutions, such as Cross River, Lead Bank, CBW Bank, ARQ, and Nuvei, particularly within the U.S. and Latin American markets. By leveraging these digital assets, Mastercard aims to provide financial institutions with greater flexibility in managing liquidity and navigating the complexities of modern, high-speed global finance.

A significant security vulnerability was recently exploited using Meta's AI-powered customer support assistant, leading to the hijacking of high-profile Instagram accounts, including those of the Obama White House and the U.S. Space Force. The exploit, documented on Telegram, involved attackers using a VPN to mimic a target's usual location and then interacting with the conversational AI bot. By instructing the bot to link a new email address to the target account, the attackers were able to trigger the standard password reset flow, effectively gaining unauthorized access. The breach resulted in the defacement of several accounts with pro-Iranian messages and images. While Meta has since deployed an emergency patch and confirmed that no backend database breach occurred, the incident highlights a new and dangerous attack surface created by integrating AI into sensitive account recovery workflows. Security researchers warn that AI bots are susceptible to the same social engineering tactics as human agents. However, the exploit was notably ineffective against accounts protected by strong multi-factor authentication (MFA) methods, such as passkeys or security keys, underscoring the importance of robust authentication in an era of AI-driven threats.

Researchers have identified and developed an exploit for a pre-authentication remote code execution (RCE) vulnerability within IBM i Management Central (MGTC). The vulnerability targets the custom binary protocol operating on port 5555, which utilizes a proprietary serialization engine called McBuffer. By decompiling the MGTC Java classes, the researchers were able to reconstruct the undocumented protocol, including the binary handshake and packet structure. The exploit enables an unauthenticated attacker to bypass authentication mechanisms and execute arbitrary CL commands under the QSECOFR profile, which possesses root-equivalent permissions on the IBM i operating system. While IBM has begun deprecating Management Central in newer releases like V7R5, the continued use of V7R4 and earlier versions in production environments poses a significant security risk.

The article examines the 'system over model' hypothesis in the context of automated vulnerability research. Following the discovery of CVE-2026-4747—a 17-year-old RCE in FreeBSD’s RPCSEC_GSS authentication—by frontier models like Claude Mythos, the author sought to determine if local, open-weight models could achieve similar results using AISLE's nano-analyzer pipeline. The experiment involved testing two models, openai/gpt-oss-20b and google/gemma-4-31b-it, across a larger subsystem scope of approximately 50 files. Initially, the models appeared to fail at detecting the vulnerability when the scan was scaled up, a phenomenon the author attributed to the high volume of false positives generated by the pipeline's initial stages. By refining the system's architecture—specifically by introducing an extra reachability stage to filter out noise—the author was able to successfully trigger the detection of the stack overflow bug in both models. This result underscores the importance of the 'scaffolding'—the prompts, triage rounds, and verification steps—over the inherent intelligence of the LLM itself, suggesting that effective automated exploit discovery is a product of well-engineered pipelines.

The article introduces WasmForge, a specialized build wrapper designed to enhance the stealth of established offensive security tools such as Sliver, Chisel, and Mythic. The primary challenge addressed is the high rate of detection by Endpoint Detection and Response (EDR) vendors through YARA rules and static analysis. WasmForge solves this by compiling Go-based tools into WebAssembly (WASM) modules. Because the instruction set and binary format of WASM are relatively unfamiliar to many defensive heuristic engines, the resulting binaries are more likely to bypass traditional security scanners. The architecture of WasmForge consists of a three-stage pipeline: first, it prepares a patched Go standard library that supports the wasip1 target; second, it compiles the tool into a .wasm module; and third, it generates an outer Go binary containing a custom Wazero runtime. This runtime includes a fork of the Wazero engine, modified to randomize opcode tables and rename internal paths to further evade detection. To ensure the original tool functions correctly, WasmForge implements approximately eighty host shim functions that bridge the gap between the WASM sandbox and the host operating system's APIs, including Win32 and macOS frameworks. This allows the guest program to perform tasks like network communication and process execution as if it were running natively. A critical component of the implementation is the management of WASM linear memory, where the loader must translate 32-bit WASM offsets into valid host-side memory addresses to prevent access violations when calling native APIs. By automating the hardening process, WasmForge allows security practitioners to deploy known-good tools in highly monitored environments with minimal manual effort.

The Bitcoin Optech Newsletter #408 provides a comprehensive overview of ongoing technical discussions and developments within the Bitcoin ecosystem. A significant portion of the newsletter is dedicated to post-quantum security, specifically examining ways to upgrade BIP324 transport encryption using Module-Lattice-based KEM (ML-KEM) and discussing the necessary cryptographic primitives for a post-quantum Lightning Network. The newsletter also addresses the standardization of data payloads for QR-based signing in miniscript wallets to improve interoperability between air-gapped devices and coordinators. Regarding consensus-level changes, the newsletter highlights the MCCV (More Complicated CTV Vault) project, which demonstrates how complex vaults can be implemented using existing CTV (BIP119) primitives without the need for newer, more complex opcodes. Other notable topics include the game theory of potential quantum attacks, the potential utility of 64-byte transactions despite consensus cleanup efforts (BIP54), and the release of Core Lightning version 26.06, which introduces new RPC capabilities and experimental support for BOLT12 payment proofs.

Atom Computing has announced a landmark achievement in quantum computing: the first complete demonstration of quantum error correction (QEC) using neutral atom qubits. By utilizing the toric code, the company leveraged the unique all-to-all connectivity provided by neutral atom architectures, a feature not easily implemented in fixed-topology superconducting qubit systems. A critical hurdle in neutral-atom and trapped-on platforms is the occurrence of erasure errors, where qubits are lost due to environmental interactions or operational side effects. To combat this, Atom Computing integrated mid-circuit measurement to identify lost qubits in real-time and developed a method to replenish the qubit supply continuously. The researchers demonstrated up to 90 rounds of error correction, maintaining the integrity of the quantum memory. In the early stages, specifically fewer than 10 rounds, the system exhibited sub-threshold performance, where increasing the code distance led to lower logical error rates. As the process extended beyond 10 rounds and required atom reloading, the error rates stabilized near the error correction threshold. This milestone places Atom Computing's technology on a similar footing to Google's superconducting qubit demonstrations for deep quantum memory and validates neutral atoms as a leading platform for achieving utility-scale, fault-tolerant quantum computing.

IBM has unveiled an aggressive $10 billion investment strategy intended to secure leadership in the quantum computing sector over the next five years. According to recent SEC disclosures, the company's primary technical milestone is the delivery of a large-scale, fault-tolerant quantum computer by 2029. This investment will be directed toward research and development, manufacturing expansion, capital expenditures, and mergers and acquisitions. A cornerstone of this initiative is the establishment of Anderon, a new standalone American quantum chip foundry located in Albany, New Found. This venture is a collaborative effort with the U.S. Department of Commerce, leveraging $1 billion in CHIPS Act incentives alongside $1 billion in funding and infrastructure support from IBM. The foundry will specialize in manufacturing 300-millimeter quantum wafers, a critical component for building the processors that drive quantum computation. By creating a dedicated domestic manufacturing site, IBM aims to address the industry-wide bottlenecks in specialized fabrication and supply chain constraints. IBM's current quantum footprint is already significant, with over 90 systems deployed globally and a network of more than 325 partners spanning academia, startups, and the Fortune 500. As quantum technology emerges as a critical frontier for both economic growth and national security—with the potential to disrupt modern encryption and revolutionize materials science—IBM's massive capital commitment underscores the intensifying global competition for quantum supremacy.

The AI coding landscape is undergoing a fundamental shift from predictable, flat-rate subscriptions to consumption-based 'tokenomics.' This transition is exemplified by GitHub Copilot's move to token-based billing, which has caused significant cost spikes and user backlash. To address the industry-wide lack of standards for measuring AI usage, the Linux Foundation has announced the Tokenomics Foundation, a new body backed by industry giants like Google, Microsoft, and Salesforce, aimed at creating vendor-based frameworks for AI token management. In response to these economic pressures, Cursor has restructured its pricing and introduced advanced enterprise governance features. These updates include a new Premium tier, spend alerts via Slack or email, and an 'organizations' structure that allows IT teams to manage budgets and model access at the departmental level. Cursor is also leveraging its first-party Composer model to provide a more cost-effective alternative to high-priced third-party models from providers like Anthropic and OpenAI, effectively protecting its margins while offering users a cheaper usage pool. This trend toward cost management and infrastructure independence is also visible in the open-source space, with JetBrains releasing Mellum2, a model designed for the coordination tasks within agentic systems. As the 'wrapper squeeze' forces companies to find more efficient ways to manage inference costs, the focus for enterprise AI adoption is increasingly shifting toward visibility, control, and the ability to implement granular chargebacks across business units.

OQC, JPMorganChase, and AMD have announced a strategic research collaboration centered on the creation of a dedicated Quantum-AI Data Centre in London. The project aims to explore the intersection of quantum computing, artificial intelligence, and high-performance computing (HPC) to address complex challenges within the financial services industry. The platform will physically integrate OQC’s GENESIS quantum system with AMD-supported AI and classical compute infrastructure, all housed within a secure enterprise environment. JPMorganChase will serve as the first dedicated user of the platform, which is expected to be fully operational within 12 months. The research scope includes investigating hybrid quantum-classical use cases such as portfolio optimization and quantum machine learning, as well as developing specialized AI models to improve quantum circuit performance. Additionally, the partners plan to explore how quantum-enhanced AI can accelerate the discovery of novel algorithms for finance and determine the role of classical computing in supporting scalable, fault-tolerant quantum algorithms. By placing quantum hardware inside a secure enterprise environment, the collaboration seeks to test hybrid workflows for performance, scalability, and reproducibility against the rigorous operational standards required by the financial sector. This initiative represents a significant shift from experimental quantum access toward integrated, secure infrastructure designed for real-world enterprise workflows.

Major US financial institutions, including JPMorgan, Citi, and Bank of America, are collaborating to create a shared, tokenized deposit network intended to launch by the first half of 2027. Operated by The Clearing House, this system will convert traditional bank deposits into digital tokens on a blockchain to facilitate rapid, efficient transfers. The primary driver behind this initiative is the rising competition from stablecoins, which offer fast and cheap payment capabilities outside the traditional banking infrastructure. If large-scale adoption of stablecoins occurs, banks risk losing the deposits essential for extending credit to the economy. To prevent this, the new network will provide programmable treasury options, real-time liquidity management, and streamlined cross-border payments. By adopting blockchain-based tokenization, these banks hope to retain customers by offering the same technological advantages as crypto-assets while maintaining the security and regulation of the traditional banking sector.

A recent research report from Bernstein highlights a significant shift in the role of Bitcoin mining companies, which are increasingly acting as 'power landlords' for the artificial intelligence sector. As AI development faces critical bottlenecks in accessing large-scale, ready-to-use power, miners are uniquely positioned to provide the necessary infrastructure. Over the last two years, these mining operators have signed 17 deals worth more than $110 billion, contracting roughly 6 gigawatts of power to major hyperscalers such as Google, Amazon, Microsoft, Nvidia, and CoreWeave. These facilities, referred to as 'warm powered shells,' feature electricity that is already flowing and ready for the deployment of computing hardware. Bernstein projects that the aggregate AI revenue for the covered companies will grow from $1.2 billion this year to $10.7 billion by 2030. Companies like TeraWulf and Cipher Digital are at the forefront of this transition, with high projected EBITDA margins driven by long-term, take-or-pay colocation contracts. This trend underscores the growing importance of securing reliable, large-scale electricity as a strategic asset in the global AI arms race.