Weekly AI Dev News Digest: April 25 - May 1, 2026

OpenAI spent the week defending itself in two separate cases in the Northern District of California, before two different judges, on charges that share almost nothing except the venue. In Oakland, jury selection wrapped Monday on Musk v. Altman, with Musk seeking around $130B in damages, the removal of Altman and Brockman from the OpenAI board, and a rollback of the for-profit conversion. Microsoft sits as co-defendant on an aiding-and-abetting claim. The jury's verdict will be advisory; Judge Yvonne Gonzalez Rogers makes the call. Musk testified for nearly two hours Tuesday, told the court he "was a fool" for funding what became a startup, said founding OpenAI was a reaction to Larry Page calling him a "speciesist," and warned the jury about a "Terminator outcome." (CNN) (CNBC)

Day three got messy. OpenAI counsel William Savitt walked Musk through 2017-era exhibits showing he had explored a for-profit OpenAI where he would hold majority equity and control, contradicting his "stole a charity" framing. Musk admitted Tesla is not currently pursuing AGI, contradicting a recent post on X. Texts surfaced from Mark Zuckerberg, who in February 2025 told Musk that Meta could help "take down content doxxing or threatening the people on your team" at DOGE. By Thursday Microsoft attorney Russell Cohen had used a 2020 Musk X post calling OpenAI "captured by Microsoft" to argue Musk was outside the three-year statute of limitations, and Musk closed his testimony with "I don't know everything they've done. I don't know what's going on at OpenAI." Jared Birchall, who runs Musk's family office Excession LLC, took the stand next. (CNBC Day 3) (CNBC Day 4) (TechCrunch)

The Wednesday filing in the same courthouse was harder to read. Seven families of Tumbler Ridge shooting victims sued OpenAI and Sam Altman personally, alleging that automated systems flagged the shooter's account in June 2025 for "gun violence activity and planning," that the safety team urged management to notify Canadian authorities, and that leadership chose to deactivate the account instead. The shooter, 18-year-old Jesse Van Rootselaar, killed her mother, half-brother, five students, and a teacher in February before killing herself, wounding around 24 others. Lead attorney Jay Edelson argues Altman "did the math and decided that the safety of the children of Tumbler Ridge was an acceptable risk." Altman published an apology in Tumbler RidgeLines on April 23: "I am deeply sorry that we did not alert law enforcement to the account that was banned in June." One complaint argues the account was only deactivated, not banned, and that the shooter immediately created a second account. (CNN) (NPR)

Judge Rogers told both sides Thursday morning that scandals like Tumbler Ridge are not coming into the Musk trial. "This is not a trial about the safety risks of artificial intelligence. We are not going to get sidetracked." She left a narrow opening for testimony comparing OpenAI's and xAI's safety approaches. Trial paused Friday and resumes Monday with Brockman on deck, plus Altman, Nadella, and AI-safety expert Stuart Russell still expected to testify. (Courthouse News)

The Microsoft and OpenAI amendment is the biggest commercial AI deal change since Microsoft's original $10B in 2022. Monday morning it killed the AGI clause that would have changed business terms once OpenAI declared artificial general intelligence, ended Microsoft's cloud exclusivity, and stopped the revenue-share payments to OpenAI. Microsoft retains a non-exclusive license to OpenAI IP through 2032 and roughly 27% of the for-profit. OpenAI keeps paying Microsoft a capped revenue share through 2030 and still ships first on Azure. (OpenAI) (Microsoft)

Less than 24 hours later, GPT-5.4 was live on Amazon Bedrock in limited preview, with GPT-5.5 coming within weeks. AWS bundled it with Codex on Bedrock and a new Bedrock Managed Agents product, sitting on top of Amazon's $50B investment and roughly $38B compute deal. Codex usage now counts toward AWS commits. Ben Thompson's Stratechery interview with Altman and Garman, conducted the previous Friday and published Tuesday, captures how Bedrock Managed Agents fits into AWS's "we'll host every lab" strategy. (OpenAI on AWS) (Stratechery) (The Register)

Codex picked the same week to redefine itself. Thursday's update redesigned the onboarding flow around a role picker (Engineering, Product, Finance, Marketing, Sales, Operations, Data Science, Design, Student, "Something else") and reframed the product as "for everyone, for any task done with a computer." Ninety-plus plugins shipped (Atlassian Rovo, JIRA, CircleCI, GitLab Issues, Microsoft Suite, Neon, Render), 20% faster computer use, an SSH option for remote devboxes in alpha, and rich previews for PDFs, slides, and spreadsheets. Codex now has 4M weekly users, with usage in ChatGPT Business and Enterprise up 6x between January and April. EU users have browser and computer-use functionality disabled without explanation. Greg Brockman: "Codex is for everyone." (OpenAI) (TestingCatalog)

The compute story has two versions. OpenAI published an Apr 29 update saying Stargate was ahead of schedule, with more than 3GW added in the last 90 days alone and the company "surpassing" its original 10GW commitment. The Financial Times reported the same day, via Tom's Hardware, that OpenAI has "effectively abandoned" first-party Stargate ownership in favor of leasing capacity from third parties, treating Stargate as an "umbrella term" rather than a joint venture. Both can be true, and the operational read is the same as the Microsoft amendment: lock in fewer exclusives, contract for more compute everywhere. (OpenAI) (Tom's Hardware)

Anthropic ran a parallel pivot in the model layer. Effective Thursday, the context-1m-2025-08-07 beta header has no effect on claude-sonnet-4-20250514 or claude-sonnet-4-5-20250929. Requests over 200K tokens against those models now return a 400 error. The 1M window is GA on Sonnet 4.6 and Opus 4.6 at standard pricing with no header required. The base Sonnet 4 / Opus 4 strings retire entirely on June 15. Long-context production pipelines on the old beta need to swap model strings now. (Anthropic API Docs)

China's hardware bifurcation got concrete. Reuters reported Tuesday that ByteDance, Tencent, and Alibaba have all reopened procurement conversations with Huawei for Ascend 950 chips after DeepSeek V4 launched optimized for Huawei silicon. Huawei is targeting 750K Ascend 950PR units this year, with mass production started in April and full shipments expected in H2 2026. The 950PR beats Nvidia's H20 (the most powerful chip Nvidia could legally sell in China before Beijing blocked imports) but trails the H200. A day later, Reuters scooped that Nvidia B300 servers in China have nearly doubled to about 7M yuan (roughly $1M each) versus around $550K in the US, with the cause traced to a US crackdown on chip smuggling and Chinese hyperscalers paying scarcity premiums. (Reuters) (Reuters)

A campaign branded "Mini Shai-Hulud" by Wiz crossed five package ecosystems in 48 hours starting Wednesday morning. TeamPCP began at 09:55–12:14 UTC by compromising four official SAP CAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt, around 570K weekly downloads combined) via a malicious commit to the release workflow. The injected preinstall hooks bootstrapped a Bun runtime to launch an 11.6MB obfuscated payload. SAP shipped clean versions by 13:46 UTC the same day via OIDC trusted publisher, but the worm had already moved. (Socket SAP) (Wiz)

By Thursday it had hit Intercom's npm SDK (intercom-client@7.0.4 and 7.0.5, around 360K weekly), PyTorch Lightning on PyPI (lightning@2.6.2 and 2.6.3, which Socket flagged within 18 minutes of publication), Packagist via intercom/intercom-php@5.0.2 as a malicious Composer plugin, and then RubyGems and Go modules via the BufferZoneCorp GitHub account. Combined Lightning + Intercom monthly downloads: about 10M. The payload encrypts exfiltrated data with AES-256-GCM and RSA-4096, exits on Russian-locale systems, and harvests SSH keys, AWS/Azure/GCP credentials, Kubernetes secrets, GitHub/npm tokens, Stripe/Slack/Twilio API keys, and crypto wallets. (Socket Lightning) (Socket Intercom) (Socket Packagist) (Socket Ruby/Go)

The new tradecraft is what makes this campaign different from previous worms. Mini Shai-Hulud commits a .claude/settings.json SessionStart hook and a .vscode/tasks.json runOn: folderOpen task into every accessible repo, so opening the infected repo in Claude Code or VS Code re-fires the malware. This is the first documented case of supply-chain malware specifically targeting AI coding agent configuration files as a persistence vector. Over 1,800 exfiltration repos with the description "A Mini Shai-Hulud has Appeared" had been created by Thursday evening. (Wiz)

Three smaller compromises rounded out the week. Late Friday Apr 24, right at the edge of the window, elementary-data@0.23.3 shipped to PyPI containing a malicious .pth file that runs on Python interpreter startup, the same persistence trick used in the LiteLLM compromise earlier this year. The attacker exploited a script-injection vulnerability in a GitHub Actions workflow that processed PR comments, captured the temp GITHUB_TOKEN with contents: write, forged a signed release commit, and dispatched the legitimate publish pipeline. Around 1.1M monthly downloads, infostealer targeting dbt profiles. Same pull_request_target injection pattern as the Ultralytics (Dec 2024) and LiteLLM (early 2026) compromises. (Elementary)

On Apr 29 the maintainer of an unscoped tanstack package (no relation to the legitimate @tanstack/* scope) published versions 2.0.4-2.0.7 in a 27-minute window, all with postinstall scripts that POST .env files to a Svix dead-drop. The package had been sitting benign on npm for over a month before going hot. Tanner Linsley confirmed to Socket the maintainer (sh20raj) once demanded $10K from him; TanStack has filed a trademark infringement claim. Socket also disclosed Sunday that the GlassWorm campaign now has 73 cloned/impersonating extensions on Open VSX, six already activated, with new tradecraft using thin loader extensions that fetch VSIX payloads from GitHub at runtime via --install-extension. Cross-IDE infection across VS Code, Cursor, Windsurf, and VSCodium. Total artifacts since December 2025: 320+. (Socket) (Socket)

The infrastructure layer was not quiet either. Wiz disclosed CVE-2026-3854, a command-injection RCE on github.com via git push. Cross-tenant exposure on GitHub.com meant a compromised storage node could read repos belonging to other orgs. GitHub patched the cloud in two hours back in March, but about 88% of GitHub Enterprise Server instances were still unpatched at the public disclosure on April 28. Upgrade GHES to 3.19.3 immediately. Hugging Face's LeRobot has its own RCE: CVE-2026-25874 (CVSS 9.3) is an unsafe pickle.loads() deserialization in the async inference pipeline over unauthenticated, unencrypted gRPC, so anyone who can reach the policy server or robot client can run code. And Mercor disclosed a 4TB voice-data breach affecting roughly 40,000 AI contractors. (Wiz) (The Hacker News) (The Hacker News) (TLDL)

The other side of the supply-chain story is what the defenders shipped. Anthropic put Claude Security into public beta Monday, powered by Opus 4.7. The tool scans an enterprise codebase for high-severity issues like memory corruption, injection flaws, authentication bypasses, and complex logic errors that pattern-matching tools miss. It runs each finding through an adversarial verification pass to filter false positives and hands off to Claude Code for the fix. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, TrendAI, and Wiz are integrating Opus 4.7 into their existing platforms. Available now to Claude Enterprise; Team and Max coming soon. (Anthropic)

Cisco AI Defense released the Model Provenance Kit Thursday, a Python toolkit and CLI that fingerprints transformer models at the weight level (comparing architecture metadata, tokenizer structure, and learned weights) to determine whether two models share a common origin. The initial database covers around 150 base models across 45 families. Hugging Face hosts over 2 million models with mostly self-reported metadata, so this is a real auditing tool, especially with OWASP and MITRE ATLAS now flagging weak model provenance as a supply-chain risk. The same team published a "Model Provenance Constitution" the same day: a normative taxonomy with five conditions for provenance, nine concrete derivation mechanisms, and eight exclusions that look like provenance but are not (independent reproductions like Llama-2 vs OpenLLaMA, same-family different-size, shared seeds, architectural convergence). (Cisco) (Cisco Constitution)

Google shipped the operational counterpart on Tuesday. The Activation-based Model Scanner (AMS), released on the Open Source Blog, detects whether a model has intact safety training in 10 to 40 seconds without sending a single prompt. Two-tier design: Tier 1 measures whether safety-relevant activation structure exists at all, Tier 2 compares an unknown model's activation fingerprint against a verified baseline to catch supply-chain substitution. Instruction-tuned models show 3.8 to 8.4σ separation; uncensored variants like Dolphin and Lexi collapse to 1.1 to 1.3σ and get flagged CRITICAL; quantized INT4/INT8 models show under 5% drift. The framing cites a 2025 study finding 8,000+ safety-modified Hugging Face repos with a 74% unsafe-compliance rate. pip install "ams-scanner[cli]". (Google Open Source)

OpenAI, Cloudflare, and Dataiku addressed identity, network, and data-privacy edges in parallel. OpenAI launched Advanced Account Security Thursday for ChatGPT and Codex accounts, requiring passkeys or physical security keys, killing password login, and removing email/SMS recovery in favor of backup passkeys, security keys, and recovery keys. Co-branded Yubico C NFC and C Nano keys at preferred pricing. OpenAI Support cannot recover lost accounts; that is the trade. Trusted Access for Cyber members are required to enable it by June 1 or attest to phishing-resistant SSO. Cloudflare brought post-quantum IPsec to GA Thursday using IETF hybrid ML-KEM (FIPS 203) for IKEv2, with confirmed interoperability with Cisco and Fortinet branch connectors and the post-quantum target moved up to 2029. Dataiku open-sourced Kiji Privacy Proxy the same day: it sits between your application and external AI APIs, runs requests through an ML-powered detector for 16+ PII types, substitutes realistic dummies, sends the masked request, then re-associates originals in the response. (OpenAI) (TechCrunch) (Cloudflare) (Dataiku)

The week also produced a real CVE on a popular agentic IDE. Novee disclosed CVE-2026-26268 Tuesday, an RCE in Cursor patched back in February. The attack: embed a bare repository inside a legitimate-looking repo with a malicious pre-commit hook; the Cursor agent's git checkout triggers the hook silently. No prompt, no warning, RCE. CWE-862 (Missing Authorization), because Cursor's sandbox didn't restrict writes to .git/hooks/. Update to Cursor 2.5+, and audit AI coding assistants for how they touch untrusted code. (Novee)

Anthropic's Mythos model, the autonomous zero-day discoverer Anthropic restricted to around 50 organizations under Project Glasswing in early April, became a geopolitical asset. Wednesday's WSJ scoop: administration officials told Anthropic they oppose the company's plan to grant access to Mythos to roughly 70 additional organizations, which would have brought the total from around 50 to about 120. Stated reasons: misuse risk, and concerns Anthropic does not have enough compute to serve a wider user base without degrading government access. The NSA is among current Mythos users. A small group of unauthorized users reportedly accessed Mythos in a private forum the same day Anthropic announced the limited release. (WSJ) (Bloomberg)

Across the Atlantic, the Bundesbank publicly demanded EU access. Reuters interviewed Michael Theurer, chief supervisor at Germany's Bundesbank, on Wednesday: European banks need access to Mythos to defend themselves, since attackers will use similar models regardless. Bundesbank President Joachim Nagel was more direct. "All relevant institutions should have access to such technology to avoid competitive distortions." Eurozone finance ministers were scheduled to discuss Mythos with banking supervisors Monday. Australia's APRA had already issued a similar warning to its own banks. Anthropic has reportedly told regulators privately that it intends to expand access to non-US banks soon, though as of the WSJ report, the White House is the one holding it up. (Reuters)

Google took the Pentagon deal Anthropic would not. Monday at 4pm, Google signed a contract giving the DoD access to its AI for "any lawful government purpose," reported by The Information Tuesday and confirmed by Reuters and Bloomberg. The contract includes language that the AI System "is not intended for, and should not be used for, domestic mass surveillance or autonomous weapons (including target selection) without appropriate human oversight," but explicitly does not give Google authority to veto operational decisions. That last part is a direct response to Anthropic's stand: the DoD designated Anthropic a "supply-chain risk" earlier this year after the company refused to remove guardrails for autonomous weapons and domestic surveillance, and a judge granted Anthropic an injunction against the designation last month. The Pentagon signed $200M agreements each with Anthropic, OpenAI, and Google in 2025; Google's Monday signing closes a circle the others had been pushing on. (Reuters) (TechCrunch)

GitHub Copilot moved to usage-based billing on Monday. Every Copilot plan transitions June 1 to GitHub AI Credits at 1 credit = $0.01. The old premium request units (PRUs) get replaced; usage is calculated from input, output, and cached tokens at published API rates per model. Code completions and Next Edit suggestions stay unlimited and free. Plan prices are unchanged, but allotments now match seat price: Pro $10/$10, Pro+ $39/$39, Business $19/$19, Enterprise $39/$39. The brutal part is for users who stay on annual plans past June 1: model multipliers jump on the legacy PRU system. Opus 4.7 goes from 7.5x to 27x. GPT-5.4 goes from 1x to 6x. Mario Rodriguez framed it directly: "the current premium request model is no longer sustainable." Copilot code review will also start consuming GitHub Actions minutes. (EveryDev.ai)

VS Code 1.118 shipped Wednesday and leaned into the new economics with improved cache reuse across system prompts, tools, conversation history, and summarization without changing agent behavior; deduplicated MCP servers (only the most-specific server with a given name is enabled by default); and a dedicated subagent context for skills so multi-step skill calls do not pollute the main chat. Other notable additions: remote control of Copilot CLI sessions from GitHub.com or mobile via /remote, semantic codebase search across any workspace, an Agents app web client at insiders.vscode.dev/agents, Claude Agent in the Agents app, Git AI co-authoring on by default, and an opt-in for TypeScript 7.0 nightlies. Microsoft is now on a weekly release cadence. The Copilot CLI side shipped two back-to-back releases of its own: v1.0.37 (Apr 27) added location-based permission persistence and shell completion scripts, and v1.0.39 (Apr 28) added /compact, /context, /usage, /env slash commands plus an ACP toggle for allow-all permission mode. (VS Code) (Visual Studio Magazine) (GitHub Copilot CLI)

Zed hit 1.0 Tuesday after five years and more than 1M lines of Rust on a custom GPU-driven UI framework called GPUI. Nathan Sobo: "1.0 doesn't mean 'done.' It also doesn't mean 'perfect.' It means we've reached a tipping point where most developers can quickly feel at home in Zed." Zed positions itself explicitly as AI-native: parallel agents in a single editor, Agent Client Protocol (ACP) support so you can run Claude Agent, Codex, or Cursor from the same UI, and the option to disable all AI features for developers who want a code editor that is only a code editor. Zed for Business launched alongside, with centralized billing, RBAC, and team management. (Zed) (Phoronix)

JetBrains laid out an IDE-first AI doctrine in a Tuesday post that is distinct from VS Code's "AI as default" framing: classic and AI-assisted workflows should coexist without one compromising the other, agents are vendor-replaceable (the post explicitly highlights Cursor running in JetBrains IDEs via ACP), and "a human is responsible for the code that ships." The IDE remains the place to read, understand, and own that code, regardless of how it got generated. The release of Air (JetBrains' agent-orchestration tool) the previous month and JetBrains Central (their agent ops layer) sit underneath this. (JetBrains)

Claude Code 2.1.126 landed Friday with a /model picker that lists models from your gateway's /v1/models endpoint when ANTHROPIC_BASE_URL is set, plus a new claude project purge [path] command that wipes all Claude Code state for a project. Real security fix: allowManagedDomainsOnly and allowManagedReadPathsOnly were being ignored when a higher-priority managed-settings source lacked a sandbox block, worth patching if you run on Bedrock, Vertex, or Foundry behind a gateway. Simon Willison shipped LLM 0.32a0 the same week, modeling inputs as a sequence of typed messages and outputs as a stream of typed parts (text, reasoning, tool-call name, tool-call args, image, audio). Backwards-compatible with the old prompt= API but unlocks emulating the OpenAI chat completions API natively, replying to a previous response, and properly streaming mixed-modality output from frontier models. (Claude Code Changelog) (Simon Willison)