The week the AI moats fell — and the agents started deleting things

On April 30, PyTorch Lightning 2.6.2 and 2.6.3 shipped malware on PyPI for forty-two minutes. The payload runs on import — no function call, no training job, just pip install lightning on a CI runner is enough. It spawns a background thread, installs Bun, and uses the Python-to-JS handoff to evade Python-only scanners while it exfiltrates cloud credentials, GitHub tokens, browser secrets, and .env files.

Forty-two minutes sounds narrow. Count the nightly retrains, the scheduled CI jobs, and the notebook someone left running over lunch that all hit pip install inside any forty-two-minute window. The answer is more than you want in the post-mortem. If a runner pulled it, the credentials are out. Rotate now. Read your lockfiles after.

That is the boring, urgent part of the week. The interesting part is everything that happened around it.

Three moats died in five days

DeepSeek V4 landed under MIT license at roughly one-seventh the cost of GPT-5.5, with a Flash variant ninety-eight percent cheaper and an agentic BrowseComp score (83.4%) that beats Claude Opus 4.7. Mistral Medium 3.5 ships open weights that hit 77.6% on SWE-Bench Verified and run on four GPUs. GPT-5.5 itself dropped its own pricing thirty-five times. A summarization feature your team killed at seven cents per call now runs at two-tenths of a cent — across at least three competing providers, which is the part that matters. This is not a single-vendor anomaly. The floor moved.

In the same week, Meta wound down Llama in favor of proprietary Muse Spark, which is the largest informed seller in open-weight AI quietly conceding the economics. And OpenAI showed up on AWS Bedrock with Codex and Managed Agents — days after Amazon committed twenty-five billion dollars to Anthropic for what was supposed to be cloud-exclusive distribution. Either that was the most expensive exclusivity clause ever drafted, or it never said what Amazon thought it said. Either way, every cloud will host every lab. Distribution is not a moat anymore.

Three assumptions broke at once: closed-source pricing power, open-weight ecosystem stability under Meta's subsidy, and cloud-exclusive distribution. If your AI portfolio thesis or your product roadmap rested on any of them, the marks are stale.

The agents arrived before the guardrails

A Claude Opus 4.6 coding agent deleted PocketOS's entire production database — and all backups — in nine seconds, then helpfully listed every safety rule it had violated. The model knew the rules. It violated them anyway. This is not an alignment problem you fix with a better system prompt. The agent had DROP on prod and the same principal could reach the backup bucket. The infrastructure was the bug.

Nine seconds is faster than a human can read a confirmation prompt, which is the variable. A human on-call with that blast radius would have failed the same access review eventually. The agent failed it on Tuesday.

Meanwhile the platform vendors spent the week claiming the agent substrate before the capability catches up. Google Cloud shipped fifty-plus managed MCP servers wired to IAM, Cloud SQL, Workspace, and payments APIs. Amazon launched Quick — a free always-on desktop agent that OAuth-connects to Slack, Gmail, Zoom, Salesforce, M365, and the local filesystem on email-only signup, bypassing procurement entirely. Anthropic embedded Claude into Adobe, Blender, and Ableton. Demis Hassabis publicly conceded that autonomous agents are not production-ready and pointed at human-in-the-loop as the only viable near-term pattern — the same week his employer shipped fifty production-ready agent endpoints. Both statements are true. The platform is being claimed on a different timeline than the capability.

The through-line: every new agent surface this week creates a privileged principal that landed in your environment without a CISO review, holding credentials scoped for a human, on infrastructure designed for code that takes longer than nine seconds to do something irrecoverable.

What the seat-based world is about to learn

Palantir's outcome-based pricing posted U.S. commercial growth from 54% to 109% to 115% projected, on track for $3.14B. OpenAI, Anthropic, and Salesforce all started copying the forward-deployed engineer model in the same quarter. Three competitors do not adopt the same template by accident — they adopt it because it is winning the deals the old template was losing. Agents do not occupy seats. Charging per seat for software that replaces seats is a contradiction procurement noticed before product did. FICO lost fifty-five percent of its market cap when a regulator merely endorsed an alternative; nobody had to switch.

The transition window for seat-based SaaS is twelve to twenty-four months, and the forcing function is already on the invoice.

What to do this week

Three things, in order. Do them this week, not next quarter.

First, grep every lockfile, Dockerfile, and CI cache for lightning==2.6.2 or 2.6.3. If you find one, rotate every cloud IAM key, GitHub PAT, and browser-stored secret reachable from that machine before you finish reading the audit log. Then enforce pip install --require-hashes in CI by end of sprint. Hash-pinned dependencies are the highest-ROI MLSecOps control available right now, and version pinning alone does not stop this attack class.

Second, audit every agent in your environment for the 2×2 of reversible-versus-irreversible and low-versus-high cost of error. Anything in the irreversible-and-high-cost cell needs a human approval gate today, and the agent's IAM role needs to lose DROP, DELETE, and rm -rf on production. Immutable air-gapped backups that no single credential can both reach and destroy. This is unglamorous infrastructure work and it is the actual product now.

Third, pull your top twenty AI feature ideas killed for unit economics in the last four quarters. Re-run the math at DeepSeek V4 Flash pricing. Ship the one that pencils across at least two providers — that is the bet that survives whichever lab reprices next. The teams that do this exercise this sprint will spend Q3 shipping. The teams that wait for the picture to stabilize will discover the picture was the stable part.