The Big Picture
Power is consolidating at every layer of the stack — in the servers, in the money, in the air we breathe — while the systems meant to protect working people are being patched too slowly, regulated too softly, or captured entirely. This week: a 12-year-old security hole sat in plain sight on nearly every Linux machine while corporations did nothing; a Fed chair announced he's staying precisely because a sitting president tried to illegally remove him; and an AI company showed it can find critical vulnerabilities in every major operating system and browser for roughly fifty dollars of compute per find, then handed early access to the same corporations that built the vulnerable systems in the first place. The gap between who bears the risk and who holds the power has never been wider.
Today's Stories
A 12-Year-Old Security Hole Sat in Your Linux Server. Nobody Told You.
A privilege-escalation vulnerability dubbed "Pack2TheRoot" has lived in PackageKit — software installed by default on virtually every major Linux distribution — for over 12 years. Any unprivileged local user can claim full root access in seconds. Affected systems include Ubuntu Desktop and Server, Debian, Rocky Linux, and Fedora. The fix, upstream version 1.3.5, has been available since April 22. One caveat for anyone checking their own machines: distributions often ship security fixes as backports under an older upstream version number, so the distribution's own advisory, not the bare version string, is what tells you whether a host is patched. The question nobody in the corporate press is asking: who knew, and when? PackageKit is not obscure software. It ships on the machines running hospitals, universities, and the public infrastructure working-class communities depend on. A separate Linux kernel bug, "Copy Fail," disclosed within 24 hours by an unrelated research team, is equally severe: a 732-byte Python script achieves root on every major Linux distribution shipped since 2017. Because containers share the host's kernel, a kernel bug like this does not stop at the container boundary; code running inside a container can use it to take root on the host, which is why cloud infrastructure is exposed. Two critical, cross-distro root bugs in 24 hours. Both found with AI tools. Both affecting systems that have been in production for years. This is not bad luck. This is what systematic underinvestment in public-interest security research looks like.
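For anyone responsible for a fleet, the first practical question is which hosts still run a PackageKit older than the fixed release. The script below is an added triage example, not part of this newsletter or of the PackageKit project. It takes an inventory of package versions as an administrator might collect them with `dpkg-query -W -f='${Version}\n' packagekit` on Debian and Ubuntu or `rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit` on Fedora and Rocky, strips the Debian epoch and the distro revision, and flags upstream versions below 1.3.5. The hostnames and version strings are constructed sample data. The caveat from the text is built in: distributions routinely backport fixes without bumping the upstream version, so a hit means "check the distro advisory", not "confirmed vulnerable".

```python
"""Rough fleet triage for the PackageKit fix named above.

Added example, not code from the newsletter or from PackageKit. Assumes an
inventory of lines "<host> <distro> <package-version>" collected with
dpkg-query (Debian/Ubuntu) or rpm -q (Fedora/Rocky). All sample data below
is constructed.
"""
import re

# Upstream release the article names as carrying the fix.
FIXED_UPSTREAM = (1, 3, 5)

# Constructed sample inventory. Version strings mimic dpkg output
# ("1:1.3.5-0ubuntu1", with an epoch) and rpm output ("1.3.5-1.fc42"),
# but every host and version here is invented.
SAMPLE_INVENTORY = """\
web01     ubuntu  1.2.8-2ubuntu1
db01      debian  1.2.6-5
build01   fedora  1.3.5-1.fc42
k8s-node3 rocky   1.2.6-3.el9
ci02      ubuntu  1:1.3.5-0ubuntu1
"""


def upstream_version(pkg_version: str) -> tuple:
    """Return the upstream version as a tuple of ints.

    Drops a Debian epoch ("1:" prefix) and everything from the first "-"
    onward, which is the distro revision/release, so "1:1.3.5-0ubuntu1"
    and "1.3.5-1.fc42" both map to (1, 3, 5).
    """
    without_epoch = pkg_version.split(":", 1)[-1]
    upstream = without_epoch.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def is_below_fix(pkg_version: str, fixed: tuple = FIXED_UPSTREAM) -> bool:
    """True when the upstream version is older than the fixed release."""
    return upstream_version(pkg_version) < fixed


def triage(inventory: str) -> list:
    """Return (host, distro, version) for hosts whose upstream PackageKit
    predates the fix.

    CAVEAT: distributions often backport security fixes under the old
    upstream version number. A hit here means "verify against the distro
    advisory", not "confirmed vulnerable".
    """
    hits = []
    for line in inventory.strip().splitlines():
        host, distro, version = line.split()
        if is_below_fix(version):
            hits.append((host, distro, version))
    return hits


if __name__ == "__main__":
    for host, distro, version in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {distro:8} {version:18} "
              "upstream older than 1.3.5; check the distro advisory")
```

The comparison is on the upstream version tuple only, so a distro revision bump ("-2ubuntu1" versus "-0ubuntu1") never changes the result; that is deliberate, because the revision is exactly where a backported fix would show up, and deciding whether a given revision carries the fix requires reading the advisory, not parsing the string.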
Anthropic Found Thousands of Critical Bugs — Then Gave the Keys to Apple, Google, and JPMorgan
Anthropic built an internal AI model it calls "Claude Mythos" that can autonomously read codebases, form exploit hypotheses, run debuggers, and chain vulnerabilities into working exploits. The company says it found thousands of high-severity vulnerabilities across every major operating system and browser — including a 27-year-old flaw in OpenBSD — for roughly $50 in compute per successful run. Here is what Anthropic did with that capability: it created a "defender-only" program called Project Glasswing and handed founding access to AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, and Palo Alto Networks. The same corporations whose products contain the vulnerabilities. The same corporations whose shareholders profit from the security industry built around those vulnerabilities. Anthropic says fewer than 1% of the disclosed bugs have been patched as of April 30. Independent researcher Heidi Khlaaf of the AI Now Institute warned against accepting Anthropic's results at face value without false-positive data. The public — whose infrastructure runs on this software — gets no seat at the table. The corporations get a head start.
The Fed Chair Is Staying Because the President Tried to Illegally Remove Him
Jerome Powell held what was supposed to be his final press conference as Federal Reserve chair on Wednesday and announced he is not leaving. Powell stated he intends to remain on the Board of Governors after his chair term ends May 15, citing what he called "a series of illegal attacks on the Fed" from the Trump administration — the first outgoing Fed chair to stay on the Board since 1948. The FOMC vote to hold rates at 3.5%–3.75% was its most divided in 34 years, with four members dissenting. The practical consequence for working people: buy-now-pay-later platforms, personal loan originators, and neobank credit products all calibrate their unit economics to rate expectations. A harder-to-move Fed board is a direct headwind for any relief on consumer borrowing costs in 2026. Meanwhile, Kevin Warsh — whose nomination cleared the Senate Banking Committee 13–11 — now steps into a board where Powell remains, complicating whatever rate agenda the White House had planned. The president tried to capture the central bank. The chair said no. That is the story.
Biometric Data You Can Never Change Was Stolen. The Company Was Worth $10 Billion.
Mercor, an AI staffing platform valued at $10 billion that connects contractors with OpenAI, Google DeepMind, and Meta, suffered a breach in which the hacker group Lapsus$ stole 4 terabytes of data — including studio-quality voice recordings and verified government ID documents from approximately 40,000 contractors. Modern voice-cloning tools need as little as roughly 15 seconds of clean audio; Mercor's stolen recordings run two to five minutes each. These contractors cannot rotate their voices the way they can rotate a password. The intrusion began March 24 with the compromise of a third-party software supply-chain pipeline; malicious packages were live and spreading within 13 minutes. Five federal lawsuits have been filed as of April 30. The workers whose biometric data was harvested — contractors doing piece-rate AI training work for the largest technology corporations on Earth — are now permanently exposed. The corporations whose products were built on that labor face, at most, civil litigation. This is what the gig economy's data extraction model looks like when it fails: the workers carry the permanent cost; the platforms carry the legal fees.
Maryland Banned Algorithmic Grocery Surge Pricing. The Loopholes Are Bigger Than the Law.
Governor Wes Moore signed the Protection From Predatory Pricing Act, making Maryland the first state to ban dynamic pricing and the use of personal data to raise grocery prices. Prices must remain fixed for at least one business day. Violations carry civil penalties up to $25,000 for repeat offenses. Consumer advocates and legal analysts immediately identified the structural problems: the ban applies only to using personal data to raise prices for individuals, not for "hyper-specific consumer segments." Loyalty and membership programs — the primary mechanism through which grocery chains already collect behavioral data and offer differential pricing — are entirely exempt. There is no private right of action; only the Maryland Attorney General can sue, and must give companies 45 days to cure violations before further action. The corporations that spent years lobbying against any pricing regulation got a law that bans the version of algorithmic pricing they weren't using anyway, while protecting the version they are. California, Colorado, Illinois, New Jersey, and New York are reportedly drafting copycat bills. If they copy the loopholes too, this is regulatory theater dressed as consumer protection.
What to Watch
- [CONFIRMED] If the "Copy Fail" Linux kernel bug is chained with any public remote-code-execution exploit against an internet-facing service in the next 48–72 hours — a scenario operator forums are already discussing — defenders face a clean internet-to-root path on a vast installed base of servers running public infrastructure, and, because the bug also crosses container boundaries, a path to the host on shared-kernel container platforms. (Confirmed: PoC is public, chaining potential documented in source reporting)
- [ASSESSED] If the Maryland algorithmic pricing law is replicated in larger states without closing the loyalty-program exemption and without adding a private right of action, corporations will shift surveillance pricing operations entirely into loyalty program infrastructure, rendering the regulatory wave functionally meaningless. (Assessed: structural loopholes identified by Consumer Reports)
- [ASSESSED] If the product-liability theory in AI chatbot suicide cases survives a motion to dismiss, discovery would expose training datasets, internal red-team findings, and safety-team communications at every major frontier AI lab — creating the first real accountability mechanism for design decisions that have so far been made entirely in private. (Assessed: legal theory is novel but grounded in established product-liability doctrine)
- [SPECULATIVE] If the Trump family's World Liberty Financial stablecoin, USD1, reaches sufficient circulation while Congress debates crypto legislation, the conflict-of-interest pressure on that legislation becomes structurally impossible to separate from the family's direct financial interest in the outcome — a corruption dynamic with no modern precedent in U.S. financial regulation. (Speculative: USD1 at $4.6B circulation; legislative timeline uncertain)
The Closer
The through-line this week is not technology. It is accountability deferred. Bugs sit for 12 years. Biometric data gets stolen from gig workers who had no say in how it was stored. A president tries to capture the central bank and is stopped only because one man decided to stay in a building. The systems that are supposed to protect people — regulators, courts, security researchers, democratic institutions — are all running on patches, workarounds, and the individual courage of people who were never supposed to be the last line of defense. That's not a technical problem. That's a power problem. And power problems have political solutions.