Python developer Roman Imankulov nearly took the bait. The fact that he didn't can be chalked up to human intuition and AI code vetting. A person claiming to be a recruiter from a small crypto startup got in touch through LinkedIn, looking for help with what she described as proof-of-concept code that didn't work. The company, she explained, needed a lead engineer. As Imankulov described the exchange in a blog post, the recruiter asked him to look into an issue with a deprecated Node module. Something about the request seemed off. "I'd heard, as probably all of us have, about those types of attacks," Imankulov explained in a phone interview. "And I was like, 'what if this could be I could be the target?' It was just based on the past experience that I had." So he took the unusual step of spinning up a VPS on Hetzner where he cloned the repo. He then used his Pi coding agent (running Codex) to conduct a read-only analysis of the code. "I ran an agent to test how it worked, and I was almost certain that it would return to me 'everything is clear, the code is ugly but in general it's safe to run and just go ahead and perform your review,'" he explained. "To my surprise, almost immediately the agent returned a response like, 'Don't run this code, just walk away because there's a trap.'" The AI model had flagged one of the files, app/test/index.js. The file contained a backdoor. It took the form of a server URL, fragmented to look like a test suite configuration, and a network request that will run anything the server sends in response to the request. Imankulov credited his AI agent with catching details that he had missed. "I opened this code myself and I skimmed through this code and it looked to me like just, you know, a regular sloppy file written by a sloppy developer," he said. "So I just scroll down, [thinking] 'Yeah, yeah, it's awful, but you know if they can pay me to fix this code, I don't mind.' But the agent in the very same file found the exact vulnerability that I overlooked." Just installing the repo using npm would have been sufficient to trigger the backdoor. The repo's package.json file contained a "prepare" post-installation hook designed to run the script following the installation process. The referenced malicious repo is no longer accessible – presumably GitHub removed it in response to Imankulov's complaint – but a clone can still be found. "What makes this attack insidious is how it hijacks standard developer workflows," explained Devashri Datta, independent open source and security architect, in an email to The Register. "The adversary didn't rely on the target executing a suspicious binary; they relied on the target running a routine command: npm install. "By burying the execution logic inside the prepare lifecycle hook within package.json, the malicious payload triggers automatically during dependency resolution. This isn't a novel technique, but it remains highly effective precisely because developers run npm install on autopilot. The string fragmentation used to assemble the malicious URL, piecing together a domain from small constants, was deliberate obfuscation designed to defeat static analysis tools that scan for hardcoded indicators of compromise." Imankulov said that the commits in the malicious repo appeared to be the work of a developer with an established web presence and body of work. But when he contacted the supposed author, the dev said he had been impersonated on GitHub more than once and didn't write that code. The recruiter's LinkedIn profile referenced a real arts journalist, though Imankulov believes the associated profile was faked. His online interactions with the recruiter suggested a level of technical knowledge not evident in her work history. LinkedIn likes to talk about the tens of millions of fake accounts it catches and removes before they interact with anyone. But hundreds of thousands of accounts still get created and interact with people before being detected and flagged. And that number keeps growing. In the period from January through June 2025, LinkedIn restricted 386,000 accounts after user reports. That figure was 266,000 in the prior six month period. And it was a mere 86,000 in the January through June 2021 period. These sorts of software supply chain social engineering attacks have become commonplace. Earlier this month, we noted how North Korean-linked scammers have been running various campaigns to compromise developer accounts using fake interviews and job offers. Other developers have reported nearly falling for these scams (and also being saved by their AI agent) and have posted code analyses. Datta said Imankulov's response highlights a shift in how security-conscious developers are approaching code review hygiene. "Historically, the guidance was to sandbox untrusted code or review it manually," she said. "Here, Roman deployed a local AI agent in a constrained, read-only environment to analyze the codebase before executing anything. This is a useful counterpoint to the dominant narrative around AI as an offensive threat vector. Used defensively at the developer endpoint, an AI agent isn't susceptible to fatigue or social pressure; it simply surfaces anomalous behavior, such as a test suite initiating an outbound network connection to retrieve unverified code, in seconds." npm 12 could change the game If it's any consolation, the relevant attack vector should be addressed next month. GitHub, which maintains npm, is preparing to release npm 12 which changes the behavior of the npm install command. The allowScripts setting will be defaulted to off. "npm install will no longer execute preinstall, install, or postinstall scripts from dependencies unless they are explicitly allowed in your project," GitHub explains. "Install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem," explained GitHub product manager Leo Balter in a community discussion post last week. "Every npm install runs scripts from every transitive dependency, so a single compromised package anywhere in your tree can execute arbitrary code on a developer machine or CI runner. Making script execution opt-in closes that path while keeping it one command away for the packages you trust." Imankulov said he doesn't have a strong opinion about that. "From my perspective, just for the sake of personal safety, I switched to pnpm just to make sure that I don't execute those scripts by default," he said. Datta said the incident underscores why enterprise software supply chain security had to extend beyond the perimeter of the corporate network. "Attackers are now shifting left all the way to individual engineering endpoints before a single line of code enters the corporate supply chain," she said. "When a developer's local workstation is compromised during what appears to be a routine job interview, that machine frequently holds active SSH keys, cloud provider tokens, and live access to internal repositories." Proper defense, Datta contends, requires enforcing technical guardrails such as isolated developer containers or secure cloud workstations for evaluating third-party or untrusted code. "Emerging frameworks are beginning to extend exploitability context down to the workstation layer itself, recognizing that VEX-style signal needs to travel further left than the enterprise SBOM inventory if it is to intercept threats at the point of introduction," she said. ®

Weeks after Salesforce boasted about the adoption of "headless CRM," the concept of "headless ERP" crops up. This notion, according to Seth Ravin, CEO of third-party support vendor Rimini Street, is coming to help beleaguered ERP customers escape the application upgrade treadmill driven by the dominant database vendors. For Salesforce, its Headless 360 allows customers to access all of their Salesforce data from developer tool Cursor, WhatsApp, ChatGPT, Claude, or a terminal. It has processed 4.5 million MCP calls and nearly a trillion API calls since launching in April, the CRM giant said. For ERP, a monolithic category of enterprise software that conducts financial planning in some of the world's largest companies, the idea is the same, Ravin told The Register. Build a UI layer on top of existing applications, with AI agents or workflow software, and swap them out when the business is ready. Eventually, the business data can be moved to an open source or source-available database such as PostgreSQL or MongoDB. "PostgreSQL is number one," Ravin said. "Anyone who's doing open source is leading with PostgreSQL. MongoDB is number two. You're watching this whole decoupling of [ERP] technology and use of open source. You're going to see more and more of this. It's going to change the whole way we think about these big packages that users have been buying in the past." He is not alone. Research conducted by Censuswide with 4,295 CFOs, CISOs, CIOs, and CEOs found 70 percent do not see traditional ERP as the future. The study, commissioned by Rimini Street, found 36 percent favored a "composable, modular, flexible, API-driven, best-of-breed model" while 33 percent would lean toward "agentic ERP [with] autonomous, AI-driven decision-making". Concepts like headless and agentic ERP may seem nebulous now, but SAP, which counts some of the world's largest manufacturers as its customers, had to U-turn on its decision to restrict AI agents on legacy and on-prem software. It had said such innovations would only be available in its latest suite of applications and data products in the cloud, but demand from users forced a rethink this year. Ravin said the impact of agentic AI was "scaring the hell out of everyone from SAP on down." "I guarantee you that they're in a panic because they just don't understand the customers are getting ahead of them, the technology is coming apart underneath them, and they're trying to keep up, but the reality is they've built a business off controlling a customer by having all of this software, and they tell them when to [upgrade] and what to move to, and threatening them, and that's just not going to work." SAP maintains that the combination of its agent platform, Joule, its cloud-based Business Technology Platform for integrating applications, S/4HANA ERP software, and Business Data Cloud data warehouse and data lake environment brings immense value to customers by providing a single semantic layer over their business data. Nonetheless, it has struggled to get customers off its legacy or on-prem systems. Gartner figures from the end of Q4 2024 showed only 39 percent of worldwide ECC customers – from a total of 35,000 – had bought or subscribed to licenses to start their transition to SAP S/4HANA. This year, The Register revealed the company was about €2 billion short of its target for converting on-prem support into cloud revenue. Ravin said customers will take the opportunity presented by maintaining legacy systems to consider their ERP stack. "They're starting to understand that [ERP] is breaking apart into smaller pieces, those pieces are further breaking into pieces that will be microservices." Business processes will be run by a set of APIs running between existing elements of the application portfolio, he said. "Those processes will then get over the top of them a custom [agentic] UX, which will become a truly headless ERP, and you've already seen Salesforce come out with headless CRM. This trend is happening." Rimini Street is a services company that specializes in maintaining legacy ERP systems without vendor support, until 2040 in the case of ECC. It has a vested interest in giving customers time to select a strategy for the future of ERP. As investors eye software in light of AI agents and AI coding, giants like Salesforce and SAP have seemingly been forced to respond. Whether the headless ERP concept takes off or not, the industry is moving fast. ®

When Spotify evaluated its cloud compute options, it needed more than incremental improvements. Its recommendation engine delivers real-time suggestions to millions of users around the clock, placing heavy demands on compute infrastructure while requiring tight control over energy use and costs. During its evaluation of next-generation cloud processors, Spotify found that workloads running on Google Cloud Axion processors built on Arm architecture delivered roughly 250 percent better performance. Axion is just a part of a broader shift toward Arm-based compute built on the Neoverse architecture, which has been adopted across all major hyperscale cloud platforms. AWS reports that its Arm-based Graviton processors have accounted for over half of new CPU capacity deployed over the past three years. Microsoft and Google have followed with their own Arm-based designs, including Azure Cobalt and Axion, while NVIDIA’s Grace and Vera signal that it sees Arm as central to the future of AI infrastructure. Now about half of the compute shipped to top hyperscalers are Arm-based platforms. Purpose-built for customers Hyperscalers are not only deploying Arm processors but also designing silicon and infrastructure together to reflect real usage patterns. Ninety-eight percent of top 1,000 Amazon EC2 customers running production workloads on Graviton and benefit from Graviton’s price–performance advantages compared to x86. The new Cobalt 200 processor, built on Arm Neoverse technology, was engineered using telemetry from real Azure workloads and an internal suite of benchmark variants to reflect production behavior. Google is pursuing its own strategy with Axion processors, with C4A instances delivering up to 65 percent better price-performance and up to 60 percent greater energy efficiency than comparable x86 systems. At the core of this shift is Arm’s Neoverse platform, a datacenter–focused architecture designed to enable high-performance, energy-efficient compute at hyperscale. Neoverse marks Arm’s evolution from a mobile-first architecture to a platform purpose-built for cloud and AI infrastructure. It provides the common foundation hyperscalers use to design custom silicon optimized for their own workloads, allowing providers to tailor performance, power, and system behavior to meet specific application demands. While this momentum is driven by hyperscaler adoption, it is rooted in a broader change in how compute infrastructure must operate to support AI workloads. Traditional enterprise workloads emphasized predictable CPU utilization and storage throughput. AI changes that equation. Modern workloads require simultaneous optimization across training, inference, networking, and storage performance while minimizing energy consumption and latency. Even minor inefficiencies can become costly at scale. Power consumption now represents a significant portion of datacenter operating costs, which means performance per watt has become a primary design metric. According to an IDC report AI-ready datacenters are seeing rapid increases in power density, with rack requirements rising from typical levels of 5–10 kW to 30 kW or more, and in some cases exceeding 100 kW per rack. These constraints are forcing organizations to rethink how compute, networking, storage, and cooling systems are designed and integrated at the rack-level These pressures are also collapsing traditional boundaries between compute, networking, storage, and acceleration, creating tightly integrated systems optimized for end-to-end performance. This is driving cloud providers to adopt purpose-built silicon and architectures designed specifically for modern workloads. Real-world efficiency gains drive adoption These design choices are translating into measurable improvements in production environments. Organizations migrating workloads to Arm-based infrastructure are reporting gains across performance, efficiency, and cost: Databricks is using Azure Cobalt 100 virtual machines, built on Microsoft’s Arm-based CPU architecture, which are designed to optimize data-intensive and AI workloads. and deliver up to 50 percent better price-performance compared to previous generations, along with improvements in query speed and latency for analytics applications. For organizations running large-scale data pipelines to power machine learning and business intelligence workloads, these gains translate directly into faster processing and lower infrastructure costs. Pinterest provides a clear example of how Arm adoption can improve both cost efficiency and sustainability at scale. As a platform serving more than half a billion monthly active users and running AI-driven discovery workloads, Pinterest relies heavily on large-scale cloud infrastructure. By migrating workloads to AWS Graviton–based instances, the company achieved 38 percent savings on compute resources and 47 percent cost savings for key workloads, while also reducing carbon emissions by 62 percent. These improvements support both performance and sustainability goals, showing how infrastructure decisions can directly impact operational efficiency and environmental footprint. Uber’s transition to a multi-architecture environment highlights the operational realities of adopting Arm at scale. The company migrated more than 2,800 services and shifted nearly 20 percent of its infrastructure capacity from x86 to Arm-based processors, requiring updates to codebases, dependencies, and deployment pipelines. Through phased rollout, benchmarking, and continuous monitoring, Uber demonstrated that Arm can coexist with other architectures while improving price-performance and supporting a more flexible, efficient infrastructure model. Atlassian’s migration of Jira and Confluence to AWS Graviton highlights how Arm adoption can improve performance and efficiency at enterprise scale. The company moved more than 3,000 instances to Graviton-based infrastructure, achieving the transition with minimal impact on users. In production, instance counts dropped by around 30 percent, while throughput improved by up to 30 percent and latency decreased across key metrics. These gains demonstrate how optimizing infrastructure for performance per watt can enhance both user experience and cost efficiency at scale. These improvements span media streaming, data platforms, and large-scale consumer services, where gains in latency, throughput, and compute efficiency translate directly into lower infrastructure costs and improved user experience. They are particularly significant for AI inference, real-time personalization, and continuously running workloads. The converged AI datacenter The rise of agentic AI is transforming the datacenter into an integrated system in which CPUs, accelerators, networking, and storage operate as a unified platform. In these environments, CPUs serve as the control plane, coordinating scheduling, data movement, memory access, and system services, while accelerators handle compute-intensive training and inference tasks. In this model, efficiency is measured across the entire rack and datacenter footprint. AI workloads demand higher compute density while operating within fixed power and cooling limits, making the ability to maximize compute output per unit of space increasingly important. Coordinating CPUs, accelerators, memory, and networking as a unified system reduces bottlenecks and minimizes wasted energy from unnecessary data movement. Arm’s architecture spans these layers, enabling providers to optimize the full stack while maintaining software compatibility and ecosystem consistency. This cohesion is driving the emergence of the converged AI datacenter, where CPUs and accelerators are central to the trend. NVIDIA’s Grace Blackwell and Vera Rubin platforms combine Arm CPUs with high-performance GPU accelerators in rack-level solutions reflecting a broader industry move toward tightly integrated AI systems. In an other example, AWS with Trainium3 UltraServers, pairs Arm-based Graviton CPUs with Trainium accelerators and Nitro networking components to support large-scale AI workloads. Similarly, Google’s latest TPU 8t and TPU 8i training and inference superpods are powered by Arm-based Axion CPUs, extending this trend toward purpose-built AI infrastructure optimized for scale, performance, and efficiency. In these architectures, Arm-based CPUs serve as the control layer, orchestrating data flow between accelerators, memory, and networking while simplifying development and driving optimization across software stacks and developer tooling. Migration realities: less friction than before Migration complexity has historically slowed adoption of new architectures. Today, improved tooling and ecosystem maturity are lowering that barrier. The Arm MCP Server integrates migration tools, compatibility checks, and performance analysis directly into AI-assisted workflows, helping developers analyze codebases, validate dependencies, and build multi-architecture environments. Programs such as the Arm Cloud Migration Program are also helping organizations accelerate this transition by providing guidance, validation, and tooling for production workloads. Arm adoption is supported by expanding software compatibility and platform support. Arm-based environments now support major Linux distributions, container platforms, and modern development frameworks. The ecosystem has matured significantly, enabling developers to focus less on compatibility and more on performance optimization. Arm’s ecosystem now spans more than 22 million developers worldwide. For developers, this shift means building and optimizing applications for multi-architecture environments, with greater emphasis on efficiency, concurrency, and performance tuning. Where cloud compute is heading Purpose-built compute is becoming the default model for AI era infrastructure. As performance improvements outpace increases in power consumption and cost, the economics of cloud computing are shifting toward efficiency-driven architectures. Looking ahead, this evolution is also extending to enterprise environments. Arm’s recently introduced Arm AGI CPU is designed specifically for the next generation of AI-driven workloads, combining high single-thread performance with scalable throughput, compute density and rack level efficiency. Built on the Neoverse platform, it reflects the shift toward Arm CPUs that are not only optimized for general-purpose compute, but also engineered to orchestrate increasingly complex, agentic AI systems across the datacenter. Enterprises are increasingly evaluating infrastructure based on cost per workload, energy consumption, and the ability to scale within power and cooling constraints. This is driving demand for architectures that deliver predictable performance and efficiency across diverse workloads. Arm Neoverse’s growing momentum across hyperscalers, silicon vendors, and ecosystem partners reflects a broader realignment around efficiency, scalability, and system-level optimization. As AI workloads expand, infrastructure decisions will be shaped less by raw compute capacity and more by how efficiently systems can deliver performance at scale. The organizations redesigning cloud infrastructure today are not simply choosing new processors; they are adopting a compute foundation built for the demands of the AI era. Sponsored by Arm.

Websites are being redesigned for consumption by AI models, and now a coalition wants to extend the trend to digital documents. The LF AI & Data Foundation, under the Linux Foundation, has formed a working group to steer the development of DocLang, an AI-friendly document format that aims to help enterprises feed their files to AI systems. The DocLang group, founded by IBM, NVIDIA, Red Hat, ABBYY, HumanSignal, and Forgis, contends that existing formats like PDF, Markdown, HTML, and LaTeX are ill-suited for AI document parsing. In late 2024, IBM developed an open source toolkit called Docling to facilitate AI document parsing, not unlike Microsoft's MarkItDown or the Marker project. Docling provides a way to convert various file formats into structured AI-ready data. DocLang expands upon that foundation with a standard for exchanging structured output across different systems. "DocLang is designed to solve one of the foundational problems in enterprise AI: documents were built for humans, not machines," said Maxime Vermeir, VP of AI Strategy at AI automation biz ABBYY in a statement. "By introducing a minimal, standardized, and AI-native representation of document structure, layout, meaning and governance, DocLang creates a far more deterministic foundation for modern AI systems." The new DocLang format is necessary, the spec authors argue, because existing formats were designed for rendering and lose semantic information, structural relationships, or geometric context when AI models turn them into tokens. The specification explains that Markdown lacks sufficient scope, that HTML is excessively verbose, and that LaTeX allows too much ambiguity. Essentially, DocLang is optimized for LLM tokenizers through markup that maps between DocLang elements and LLM tokens on a 1-to-1 basis. The spec relies on a limited XML vocabulary that aligns with LLM tokenizers to produce optimized prompts. It is lossless, so the AI conversion doesn't do away with valuable info. It's designed to support common graphical elements like tables, formulas, charts, and multimodal content. And it's an open standard. DocLang could also help keep costs under control. According to AI Cost Check, having an AI model conduct an OCR scan on a PDF requires about 1,200 input tokens and 150 output tokens as a baseline. That's inconsequential to corporate AI customers on a one-off basis but demands attention at scale. And because AI models have highly variable token costs, companies may find they are spending more than they anticipated to have their AI system ingest PDFs, particularly if the documents are long and complicated or an expensive frontier model is used. "PDFs were designed for rendering, not understanding," said Jon Knisley, AI Value and Enablement Lead at ABBYY, in an email to The Register. "Every time a PDF enters an AI pipeline, structure, meaning and layout get lost, so the model's accuracy ends up bottlenecked by document quality rather than model quality. Teams compensate by building custom parsers at every integration point, which results in brittle, one-off work, and a new engineering sprint for every new document type." According to Knisley, that has measurable cost. "Ambiguous structure forces the model into guesswork, which drives up hallucination risk and burns tokens deciphering layout instead of extracting meaning," he explained. "With DocLang, customers can expect better accuracy, lower costs, fewer tokens consumed, faster performance and more consistent outputs. The exact savings depend on the use case and document complexity, but our initial benchmarks show 4x to more than 30x lower cost depending on the model evaluated." Knisley also cited governance advantages, noting that document provenance data and metadata can get stripped when documents gets moved. DocLang, he said, keeps that information attached. ABBYY, which offers AI document processing, has created the DocLang Interactive Benchmark to illustrate the potential token savings of feeding DocLang documents to AI models. A PDF of IBM's 2025 annual report, for example, results 8,421 input tokens and 512 output tokens while a DocLang version requires only 5,310 input tokens and 498 output tokens. What's more, the DocLang version results in lower latency (2.7s vs 4.2s) and delivers better quality (the AI missed one subsection and mangled a table merger in the PDF). "It's still early, and we won't overstate adoption," said Knisley. "The standard is open and free to build on, and the group is actively inviting more technology providers and enterprises to join. The early response has been encouraging, and we're optimistic about where it goes from here." ®

Claude wants to know if you are who you say you are. Anthropic last week updated its privacy policy to say that it may subject consumer account holders to identity checks. The new legalese arrived one day before the company released its Fable 5 and Mythos 5 models, presently disabled to comply with a US government export control order that has elicited protest from more than 60 cybersecurity and technical experts. Anthropic last year said that it supported "policies like strong export controls" to keep AI away from authoritarian nations, whatever that means these days. The revised policy, which takes effect July 8, 2026, does not say what will trigger an identity check. The company says it may do so "to help keep our services safe and secure." "In certain circumstances, we may ask you to verify your age or identity," the company's latest privacy policy explains. "If you choose to do so, data we will collect includes, depending on the method: an image of your government-issued identity document and the information appearing on it (such as your ID number and date of birth); your image in photo or video form, facial geometry templates (which may be considered ‘biometric data’ in some jurisdictions); and the result of the verification (for example, whether your age meets the applicable threshold)." The revised policy substantially expands data collection to include biometrics and identity records. And it gives the company broader discretionary standards for sharing data with authorities. The policy, which does not apply to commercial customers (Team, Enterprise, API), suggests consumer account holders (Claude Free, Pro, and Max plans) will be able to choose whether to comply. The consequences of non-compliance are not spelled out. That omission may reflect the varying and evolving age and identity verification policies being debated, voted on, and implemented in different jurisdictions. Different laws may require different responses to non-compliance, ranging from the application of safety filters to denial of access. Anthropic did not immediately respond to a request for comment. Over the past few years, digital safety laws designed to protect children have proliferated. There are now more than two dozen such laws in US states. Some of the recent laws have targeted AI chatbots (e.g. California Companion AI Chatbot Safety Act) and some have focused on shifting the burden of age verification to operating systems and applications (e.g. California's Digital Age Assurance Act). Similar laws have been enacted or are pending in Australia, Brazil, the European Union, India, South Korea, and the United Kingdom among others. Limiting the ability of children to access AI services may only be part of the motivation for the policy change. Anthropic has also been vocal about the threat posted by foreign rivals that copy its models through a process called distillation. While the AI biz does not offer Claude family models in China (or other countries like Russia and Iran), developers in blocked countries may still be able to access Claude models using account sharing services and other workarounds – if Chinese models distilled from Claude models aren't sufficient. So identity checks may provide Anthropic with an additional policy enforcement mechanism. ®