Build American AI Hits TikTok, cPanel Exposes the Long Tail
7 stories · ~7 min read

If You Only Read One Thing
The AI race is moving from policy memos into ordinary feeds, while old web infrastructure is reminding everyone how much of the internet still runs on neglected control panels. Build American AI's influencer campaign and cPanel's emergency security patch look unrelated. Both show the same structural fact: hidden intermediaries become powerful when everyone else treats them as background.
Build American AI Turns the China Race Into Paid Distribution
The important part of the Build American AI story is not that tech money wants lighter AI regulation. That was already obvious. The new part is that the industry's China argument is being converted into lifestyle content.
Wired reported that Build American AI, a nonprofit tied to the pro-AI super PAC network Leading the Future, is funding an influencer campaign that first used lifestyle creators to praise American AI and is now recruiting creators to frame Chinese AI as a threat. One marketing-agency pitch offered roughly $5,000 per TikTok video. Wired identified posts from family and lifestyle influencers that were labeled as ads but did not clearly disclose Build American AI as the sponsor. Build American AI's own site says its mission is to advance pro-innovation AI policy, competitiveness, and U.S. leadership, while Axios reported that Leading the Future had raised more than $125 million from backers including OpenAI president Greg Brockman, Joe Lonsdale, Andreessen Horowitz, Ron Conway, and Perplexity. NOTUS reported that the network entered 2026 with $70 million in cash on hand and that Build American AI is harder to trace because nonprofits do not disclose donors the way super PACs do.
Why it matters: AI politics is becoming a demand-generation problem. The industry does not merely need to persuade lawmakers that federal preemption is better than state-by-state AI rules. It needs voters to hear that argument as common sense before regulation becomes a kitchen-table issue around jobs, data centers, children, utility bills, and China. Influencers solve a distribution problem that white papers and Hill meetings cannot: they put the national-security frame inside family, lifestyle, and local identity content.
That matters because the legislative prize is not an abstract "pro-AI" mood. It is a national regulatory framework that limits the ability of states to write stricter rules. The China-race frame is well suited to that goal. If the question is "how should AI systems be tested, licensed, taxed, or constrained," state lawmakers have room to act. If the question is "how do we beat China," delays become unpatriotic and preemption becomes the responsible center.
The more important shift is from lobbying to ambient politics. Crypto's Fairshake model was direct: spend heavily in races, scare candidates, reward allies. The AI version adds a softer layer. Paid creators can make the desired worldview feel socially native before a voter ever sees an ad naming a candidate. That is not a side tactic. It is regulatory capture adapted to the algorithmic feed.
Room for disagreement: There is a legitimate national-security argument here. China is not an invented competitor, and U.S. policymakers are genuinely split over export controls, model diffusion, and whether state AI laws would weaken American firms. It is also possible that disclosures such as "paid partnership" satisfy the legal minimum even when the sponsor is obscure.
What to watch: The test is whether Build American AI or Leading the Future becomes a disclosure fight rather than just a messaging story. A letter from Congress, an FTC inquiry, or state attorney-general scrutiny would mean the political-risk surface has shifted from campaign spending to influencer provenance.
cPanel Shows the Internet's Forgotten Control Plane
There are modern cloud outages, and then there are old-web outages. cPanel's problem is in the second category, which is why it matters more than a normal critical CVE.
On April 28, cPanel issued emergency fixes for CVE-2026-41940, an authentication-bypass vulnerability affecting cPanel & WHM, DNSOnly, and WP Squared versions after 11.40. Rapid7 says the bug carries a 9.8 CVSS score and allows unauthenticated remote attackers to gain administrative access, and that a basic Shodan query shows roughly 1.5 million exposed cPanel instances. It also says KnownHost reported active exploitation, with speculation of targeted zero-day use as early as February 23. watchTowr's technical analysis put the scale in plainer terms: cPanel and WHM run somewhere north of 70 million domains, with WHM acting as the root-level administration layer for servers and cPanel as the account-level interface.
Why it matters: cPanel is not glamorous infrastructure. That is the point. It is the control panel for shared hosting, small-business sites, local agencies, hobby projects, email boxes, WordPress installs, and the long tail of the web that never moved to managed cloud. In a cloud account, identity and permissions are explicit products. In the shared-hosting world, a control panel often bundles server administration, website files, databases, mail, SSL, backups, and user accounts behind one login. If that login layer fails, the blast radius is not one website. It can be every site and account on the host.
This is the forgotten control-plane problem. The visible internet has been remade by hyperscalers, CDNs, app platforms, and SaaS. The administrative internet underneath it is much older. The economics explain why. Shared hosting is cheap because many customers sit on common infrastructure, and many of those customers do not have security teams, patch windows, or incident-response retainers. Centralization lowers cost until the central interface becomes the attack path.
The cPanel advisory also shows why long-tail security is harder than enterprise security. cPanel can publish fixed versions, detection scripts, and mitigations such as blocking ports 2083, 2087, 2095, and 2096. Large providers can force updates or temporarily disable access. The weak link is the population of pinned, unsupported, self-managed, or abandoned systems. That long tail is where an authentication bypass becomes a mass-compromise campaign rather than a patch-management exercise.
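For operators of self-managed hosts, the port-blocking mitigation only helps if someone checks which of those four ports are actually reachable. The sketch below is an added example, not code from cPanel or from any of the firms cited; it assumes a Linux host where the output of `ss -H -ltn` is available, and the function names and sample lines are constructed for illustration.

```python
import ipaddress

# The four ports the advisory's mitigation names, per the text above.
MGMT_PORTS = frozenset({2083, 2087, 2095, 2096})

# Constructed sample of `ss -H -ltn` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:2083 0.0.0.0:*
LISTEN 0 511 127.0.0.1:2087 0.0.0.0:*
LISTEN 0 511 [::]:2096 [::]:*
LISTEN 0 511 *:2095 *:*
LISTEN 0 128 10.0.0.5:3306 0.0.0.0:*
"""

def split_local(addr):
    """Split ss's 'host:port' form, handling [v6] brackets and %scope."""
    host, _, port = addr.rpartition(":")
    return host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or unparseable: treat as exposed (fail closed)

def exposed_mgmt_listeners(ss_output, ports=MGMT_PORTS):
    """Return sorted (port, host) pairs for listed ports bound off-loopback."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        try:
            host, port = split_local(fields[3])  # 4th column: local address
        except ValueError:
            continue  # malformed address column
        if port in ports and not is_loopback(host):
            found.add((port, host))
    return sorted(found)

if __name__ == "__main__":
    for port, host in exposed_mgmt_listeners(SAMPLE_SS):
        print(f"listening off-loopback: {host}:{port}")
```

A listener on a wildcard or routable address is only a candidate: a firewall in front of the host may already block it, so confirm from outside the network before treating the mitigation as done.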
Room for disagreement: The exposed-instance number is not the same as confirmed compromise, and managed hosts moved quickly. Namecheap, KnownHost, and other providers treated the issue as critical, while cPanel has shipped patched versions across supported release tiers. It is possible the worst-case internet-wide language overstates the realized damage.
What to watch: The signal is post-exploitation evidence. If security firms begin publishing ransomware, web-shell, credential-theft, or mass-defacement campaigns tied to CVE-2026-41940, this becomes a web-hosting systemic-risk story rather than a severe vulnerability story.
The Contrarian Take
Everyone says: The AI influence story is about dark money, and the cPanel story is about patching.
Here's why that's incomplete: Money and patches are the surface. The deeper issue is control over low-attention interfaces. Build American AI is trying to own the interpretive interface between voters and AI policy before the midterms. cPanel owns the administrative interface for a large part of the unglamorous web. In both cases, the intermediary was easy to ignore precisely because it sat between the real actors and the visible outcome.
Under the Radar
- Apple already gave yesterday's memory-tax thesis a SKU-level test — Apple has stopped selling the $599 256GB Mac mini, so the line now starts at $799 with 512GB of storage. Tim Cook said this week that Mac mini and Mac Studio are constrained because they are strong platforms for AI and agentic tools, while Apple expects significantly higher memory costs. This is not a list-price hike on an existing SKU; it is a floor-raising move through configuration.
- AI data centers are getting project-financed like infrastructure — Hut 8 closed $3.25 billion of senior secured notes for its River Bend AI data center in Louisiana, with a 6.192% coupon, BBB- ratings from S&P and Fitch, a 16.5-year amortizing tenor, and contracted cash flows tied to a 15-year Fluidstack lease backed by Google obligations. The notable thing is not another data center. It is capital markets treating contracted AI compute capacity more like a toll road than a speculative crypto-miner pivot.
Quick Takes
- Meta bought a robot-brain team, not a robot company — Meta acquired Assured Robot Intelligence, whose cofounders Lerrel Pinto and Xiaolong Wang will join Superintelligence Labs and work with Meta's robotics effort. The strategic read is that Meta is buying physical-world model expertise before humanoid hardware economics are settled; if the next interface is embodied, model control may matter more than owning the first consumer robot.
- Congress is taking the AI export fight to Silicon Valley — House Foreign Affairs members plan to meet companies including Google, Anthropic, Meta, Tesla, Intel, Applied Materials, and Nvidia next week about AI and export controls. The meeting matters because the Hill is trying to build its own industry map while the White House and Congress diverge over how much advanced-chip access China should get.
- The Pentagon broadened classified AI access without Anthropic — The Defense Department now has deals with Google, Microsoft, AWS, Nvidia, OpenAI, Reflection, and SpaceX for AI use on classified networks, while Anthropic remains outside after its public fight over usage terms. The procurement lesson is that the Pentagon is treating vendor diversity as the answer to safety resistance: if one lab says no, build around it.
The Thread
Today's throughline is interface power. The AI industry wants to control the public interface through which voters understand regulation. cPanel's vulnerability exposed the administrative interface through which millions of sites are actually controlled. Apple raised the entry point through a configuration interface, while Hut 8 turned AI capacity into a debt-finance interface. The visible story is AI, security, hardware, or data centers. The structural story is who owns the layer everyone else must pass through.
Predictions
New predictions:
- I predict: By 2026-06-30, Build American AI or Leading the Future will face at least one formal congressional letter, FTC inquiry, FEC complaint, or state attorney-general request focused on influencer sponsorship disclosure. (Confidence: medium; Check by: 2026-06-30)
- I predict: By 2026-05-31, at least one security firm or major hosting provider will publish evidence of a mass-compromise campaign tied to CVE-2026-41940, not just isolated exploitation attempts. (Confidence: medium; Check by: 2026-05-31)
May 2, 2026, 3:15 AM ET.