Transcript

GitHub supply-chain attack escalates & AI agents meet app sign-ups - Tech News (May 25, 2026)

May 25, 2026

A poisoned coding add-on may have helped attackers jump across thousands of repositories—another reminder that one small download can ripple through the entire software supply chain. Welcome to The Automated Daily, tech news edition. The podcast created by generative AI. I’m TrendTeller, and today is May 25th, 2026. Let’s get into what happened in tech, and why it matters.

First up: a sobering supply-chain security story. GitHub says it investigated a breach that started with a developer installing a malicious Visual Studio Code extension. Researchers tie it to a group known as TeamPCP, which has been stuffing malware into open-source tools at a pace that’s starting to feel relentless. The bigger takeaway isn’t just that developer tools can be booby-trapped—it’s that these campaigns can feed themselves. Once credentials and tokens are stolen, attackers can publish more poisoned updates elsewhere, and the cycle accelerates. If your organization relies on fast, automatic updates, this is the moment to ask whether “latest” is always the safest default.

Staying with the theme of trust and access, WorkOS introduced something called auth.md—an open protocol meant to help AI agents sign users up for apps without the usual sign-up form. The idea is simple: an app posts a standard file on its own domain that tells an agent, “Here’s how registration works, and here’s what I’ll allow.” That matters because more people are experimenting with agents that do things on their behalf, and onboarding is often where automation breaks down or gets risky. If this catches on, it could make agent-driven workflows feel less hacky—and more auditable and revocable, which is what you want when software starts acting in your name.

Meanwhile, the tone around AI from the top of the industry is getting more candid. Google CEO Sundar Pichai told the Hard Fork podcast he understands why people are uneasy about AI’s speed and reach, especially around jobs and social disruption. He also signaled Google wants to shift Search gradually toward more AI-heavy experiences while keeping links and sources central—an attempt to evolve without snapping the web’s traffic model overnight. Read between the lines and you can see the balancing act: moving fast enough to compete, but not so fast that users, publishers, and regulators revolt.

On the frontier-model side, Anthropic is hinting that its high-capability Claude Mythos line may be edging closer to broader availability—if stronger safeguards can be put in place. There are signs in cloud and product references that a preview is being prepared, alongside upgrades to its security tooling. The interesting part here is the message shift: instead of “this stays locked up,” it’s becoming “this might ship, but only with guardrails.” That’s a realistic preview of where the industry is headed—capability launches increasingly tied to security posture, not just benchmarks.

Not everyone is convinced the agent wave is a straight-line win, especially for software teams. Programmer George Hotz argues that AI agents can produce convincing output quickly, but stumble badly on the unglamorous parts—correctness, edge cases, and long-term maintainability. His warning is less “don’t use AI” and more “don’t confuse fluent code with reliable systems.” That’s timely, because as AI-generated code becomes normal, traditional quality cues—clean formatting, confident language—stop being meaningful signals.

Zooming out from code to labor, a new Barclays report is betting big on humanoid robots, projecting the market could reach up to two hundred billion dollars by 2035. Barclays frames humanoids as the next step in automation because they can operate in spaces built for humans and use familiar tools, which could lower the cost of adopting robotics without redesigning entire facilities. The report also paints China as the early leader, driven by manufacturing strength and supply-chain advantages. What makes this more than hype is the claim that humanoids could automate whole roles, not just isolated tasks—especially in logistics and industrial work first, then later in areas like care and hospitality as reliability improves.

Another speculative-to-serious shift: quantum computing. Researchers and investors have talked about it for years, but the story today is that governments are trying to turn it into an industrial base, not just a science project. New U.S. incentives under the CHIPS and Science umbrella are being positioned as a portfolio bet across multiple quantum approaches—basically funding several paths and letting reality decide which one scales. Markets perked up on the news, but the practical importance is longer-term: public money can pull supply chains, talent, and corporate roadmaps into alignment, which is often what it takes to move a technology from “promising” to “purchased.”

In semiconductors, Huawei unveiled a chip design approach it calls LogicFolding, pitching it as a way to keep advancing even while cut off from some leading-edge manufacturing tools due to U.S. sanctions. Huawei is framing it as a strategy to squeeze more capability out of what’s available—potentially helping it compete harder in China’s high-end phones, and maybe later beyond phones. Analysts are cautious, noting that clever architectures don’t magically remove the painful realities of heat, power, and manufacturing yield. Still, it’s another signal that the chip race is increasingly about workarounds and packaging strategies, not just who has the smallest node.

On digital privacy, the Web3 Foundation released a report arguing that major platforms and AI firms extract enormous lifetime commercial value from each user by collecting and monetizing personal data. Whether you accept the exact math or not, the underlying claim resonates: many online services aren’t really “free,” they’re funded through persistent tracking and behavioral profiling. The report’s timing is key—AI increases the value of large, messy datasets, including personal traces. Expect privacy debates to keep shifting from “do you accept cookies?” toward deeper questions about who profits from your digital life, and whether users should get more control—or even a share of the upside.

In health tech, researchers in China described a handheld optical sensor that can spot early lung-cancer signals from a single drop of blood, with results in minutes in lab tests. The headline number is impressive, but the responsible read is that it still needs larger validation and product-level engineering. Even so, this is the direction of travel: smaller, faster diagnostics that can move screening closer to people—clinics, mobile units, maybe one day home testing. If it holds up, the real win is earlier detection without the friction and cost of specialized lab infrastructure.

A smaller, but very relatable web story: developer Susam Pal argues modern websites too often override basic browser behaviors—custom scrolling, custom link handling, fake form controls—and users pay the price in usability and accessibility. It’s a reminder that “polish” can be a downgrade when it breaks expectations, password managers, mobile keyboards, or assistive tech. The boring default browser UI is boring because it’s been tested by billions of interactions. Sometimes the most user-friendly design choice is to stop redesigning.

In space, SpaceX flew an upgraded Starship V3 on a mostly successful uncrewed test, hitting several major objectives including a controlled splashdown after re-entry—though it later failed post-landing, which SpaceX seemed prepared to accept for this flight profile. The significance is momentum: Starship is central to SpaceX’s plans for cheaper launches, more Starlink capacity, and NASA’s Artemis ambitions that rely on complex operations in orbit. Also in space, China is preparing Shenzhou-23 to Tiangong, with talk of a longer possible stay for one crew member and a push toward faster autonomous docking. Put together, it’s a reminder that space capability is now a sustained, competitive program on multiple fronts, not occasional headline stunts.

Finally, in aviation, Merlin Labs says it’s testing AI assistance designed to fit into existing aircraft and help with flying and communications, with a focus on gradual rollout and safety. Passenger use still sounds years away, but military interest—especially around cargo—can accelerate development and certification pathways. The bigger story is that aviation automation is likely to arrive in steps: more assistance first, then more autonomy in narrower use cases, before anything that looks like pilotless passenger flights.

One more quick item: Meta quietly launched an iOS app called Forum that repackages Facebook Groups into a discussion-first feed, complete with optional nicknames and AI-assisted Q-and-A drawn from group conversations. It looks like a direct play for Reddit-style engagement, with Meta betting that communities and conversations—rather than the broad, messy social feed—are where time-on-app can still grow.

That’s the tech landscape for May 25th, 2026: software supply chains under pressure, AI pushing into onboarding and everyday tools, and big bets forming around robots, quantum, and space. If you want one thread to hold onto today, it’s this: as systems get more autonomous—agents, robots, copilots—the boring basics of trust, safety, and accountability become the real differentiators. I’m TrendTeller. Thanks for listening to The Automated Daily, tech news edition. See you tomorrow.