Automation Ate Trust
8 stories · ~7 min read

If You Only Read One Thing
Automated trust is failing at opposite ends of the stack. Passive Money Gets Active shows index providers turning rules into IPO demand; Provenance Passed the Malware shows Red Hat's npm packages carrying a signed credential-stealing worm. The uncomfortable link is that both systems were built to remove judgment. When authority gets captured, automation distributes the mistake.
Passive Money Gets Active
The oddest part of the SpaceX IPO story is not the valuation. It is that index methodology is moving before the stock trades.
Bloomberg reported, via Techmeme, that Nasdaq, FTSE, and other index providers are shortening entry timelines as SpaceX targets a $75 billion public offering and broader retail participation. The primary documents are more important than the headline. FTSE Russell confirmed that IPOs exceeding the Russell Top 500 breakpoint can be added after the fifth trading day, and that companies below the usual free-float or voting-rights minimums may still qualify if lockups resolve within 12 months. Nasdaq's February consultation proposed fast entry after 15 trading days for newly listed Nasdaq companies ranking in the top 40 by market cap, with seasoning and liquidity requirements waived.
Why it matters: Passive investing is supposed to outsource judgment to rules. That works when the rules are slow, public, and indifferent to any single issuer. SpaceX is testing a different bargain: if a private company is already large enough to matter to the index, the index provider says excluding it creates tracking error. The issuer, bankers, and exchange then know that index inclusion is no longer a neutral end state. It is part of the listing package.
This shifts bargaining power up the market-structure stack. In the old model, public investors discovered the price, and indexes admitted the company after the market had digested it. In the new model, the expected index demand helps create the price the market is asked to digest. FTSE Russell says it will use free-float market cap, which limits the mechanical weight of a low-float IPO. Nasdaq's proposal goes further by allowing low-float securities to be included at adjusted weights rather than excluded. That is not necessarily corrupt. It is a rational response to trillion-dollar private companies. But it does make passive money less passive at exactly the moment retail investors are being invited into a low-float mega-listing.
Room for disagreement: The strongest counterargument is that indexes should represent the market as it exists, not as it looked under an older IPO regime. FTSE Russell is right that a benchmark excluding SpaceX, OpenAI, or Anthropic for months could become less representative than one that admits them early. The problem is not early inclusion by itself. The problem is that methodology changes made around a specific class of IPOs turn benchmark governance into a distribution channel.
What to watch: Watch the first post-pricing inclusion notices. The key variable is whether index providers treat SpaceX's actual free float as the constraint, or whether adjusted weighting lets benchmark demand outrun the tradable share base.
Provenance Passed the Malware
The Red Hat npm incident is the cleanest warning yet that signed provenance can prove the wrong thing perfectly.
StepSecurity found that packages in the @redhat-cloud-services namespace shipped malware that ran automatically during npm install. Aikido counted 96 compromised versions across 32 official packages with roughly 116,991 weekly downloads. Wiz reported that malicious orphan commits were pushed through Red Hat GitHub repositories, creating packages with valid SLSA provenance attestations through GitHub Actions OIDC trusted publishing.
Provenance is a receipt: it tells the package registry which workflow built and published an artifact. That helps when an attacker uploads a fake package from outside the release path. It fails when the attacker captures the authorized release path itself. The receipt is true, but the package is malicious. The handle for this incident is simple: true receipt, bad package.
Why it matters: The software supply-chain consensus since SolarWinds has been that stronger identity, signed artifacts, and attestations would restore trust to build pipelines. The Red Hat compromise shows the limit of that model. If the publishing workflow is too broadly trusted, a compromised employee account or orphan branch can mint legitimacy at machine speed. Two-factor authentication, token rotation, and provenance checks may all pass because the attacker is no longer pretending to be the publisher from outside. The attacker is using the publisher's own automation.
The payload made that asymmetry worse. StepSecurity says the worm targeted GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, Vault, npm, and CircleCI credentials, tried to republish packages through npm's bypass_2fa path, and used api.github.com as command-and-control cover. The lesson is not that provenance is useless. It is that provenance answers an origin question, not an authorization question. For high-value packages, the next trust layer has to ask whether the specific branch, workflow, commit, and human review path were allowed to publish this version.
Room for disagreement: The ecosystem did respond quickly: Wiz said most malicious versions had been revoked within hours, and security vendors published indicators fast. It is also possible that the affected packages sit inside a narrower Red Hat frontend ecosystem rather than the broadest open-source dependency graph. That limits blast radius, but it does not soften the strategic point. The compromise hit an official namespace and used valid trust signals.
What to watch: Watch whether Red Hat, GitHub, or npm publish a root-cause postmortem that names the branch/ref and workflow-policy gap. Without that specificity, the ecosystem will rotate secrets and leave the trust model mostly unchanged.
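To make the origin-versus-authorization distinction concrete, here is an added example of the policy layer the section calls for: a check that runs after a provenance attestation has already been verified and asks whether the specific repository, workflow, ref and commit were allowed to publish this version. It is not Red Hat, npm or GitHub code. The field layout follows the SLSA provenance v1 shape for GitHub workflow builds, and every repository name, workflow path, ref, commit id and the commit graph are constructed sample data rather than values from the incident.

```python
"""Publish-policy check layered on top of an already signature-verified SLSA
provenance statement. Added example; not Red Hat, npm or GitHub code.
Assumptions: field layout follows SLSA provenance v1 as emitted for the GitHub
workflow buildType; every repo, workflow, ref, commit id and the commit graph
below are constructed sample data, not values from the incident."""
import fnmatch
from dataclasses import dataclass

REPO = "https://github.com/example-org/frontend-components"  # constructed
RELEASE_WORKFLOW = ".github/workflows/release.yml"           # constructed

# Constructed stand-in for `git`: child commit -> parent commits.
# "c3" is the head of the protected branch; "orphan1" shares no history with it.
COMMIT_GRAPH = {"c3": ["c2"], "c2": ["c1"], "c1": [], "orphan1": []}


@dataclass
class PublishPolicy:
    """What is authorised to publish, as opposed to who demonstrably built it."""
    repository: str
    workflow_path: str
    allowed_refs: tuple          # glob patterns the triggering ref must match
    protected_head: str          # current head commit of the protected branch
    commit_graph: dict           # ancestry source (here the constructed graph)


def reachable_from(graph, head, target):
    """True if target is head or one of its ancestors, i.e. on protected history."""
    seen, stack = set(), [head]
    while stack:
        commit = stack.pop()
        if commit == target:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        stack.extend(graph.get(commit, []))
    return False


def source_commit(predicate, repository):
    """The gitCommit digest of the resolvedDependencies entry for the source repo."""
    for dep in predicate["buildDefinition"].get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+" + repository):
            return dep.get("digest", {}).get("gitCommit")
    return None


def check_publish_policy(statement, policy):
    """Return policy violations; an empty list means the version may be published.
    Signature and builder-identity checks are assumed to have passed already:
    this layer only answers the authorization question."""
    predicate = statement["predicate"]
    workflow = predicate["buildDefinition"]["externalParameters"]["workflow"]
    violations = []
    if workflow.get("repository") != policy.repository:
        violations.append(f"repository {workflow.get('repository')!r} is not the release repository")
    if workflow.get("path") != policy.workflow_path:
        violations.append(f"workflow {workflow.get('path')!r} is not the approved release workflow")
    ref = workflow.get("ref", "")
    if not any(fnmatch.fnmatchcase(ref, pattern) for pattern in policy.allowed_refs):
        violations.append(f"ref {ref!r} is not an approved release ref")
    commit = source_commit(predicate, policy.repository)
    if commit is None:
        violations.append("provenance names no source commit")
    elif not reachable_from(policy.commit_graph, policy.protected_head, commit):
        violations.append(f"commit {commit} is not on protected-branch history (orphan commit)")
    return violations


def make_statement(ref, commit, repo=REPO, path=RELEASE_WORKFLOW):
    """Constructed in-toto statement with a SLSA v1 predicate (signature envelope omitted)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/ui-kit@2.4.1", "digest": {"sha512": "0" * 128}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.io/github-actions/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {"ref": ref, "repository": repo, "path": path}},
                "resolvedDependencies": [{"uri": f"git+{repo}@{ref}", "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


POLICY = PublishPolicy(REPO, RELEASE_WORKFLOW, ("refs/heads/main", "refs/tags/v*"), "c3", COMMIT_GRAPH)

# Legitimate release: tag on a commit that is in main's history.
GOOD = make_statement("refs/tags/v2.4.1", "c2")
# Captured pipeline: same repo, same workflow, an approved-looking tag, but the tag
# points at an orphan commit, so signature, builder identity and ref pattern all pass.
ORPHAN = make_statement("refs/tags/v2.4.2", "orphan1")
# Wrong workflow: a CI job in the right repo was never meant to publish.
WRONG_WORKFLOW = make_statement("refs/heads/main", "c3", path=".github/workflows/ci.yml")

if __name__ == "__main__":
    for name, stmt in (("good", GOOD), ("orphan", ORPHAN), ("wrong-workflow", WRONG_WORKFLOW)):
        print(name, check_publish_policy(stmt, POLICY) or "allowed")
```

The orphan case is the one that matters: repository, workflow and ref pattern all look right, which is exactly how a true receipt ends up attached to a bad package. Only the ancestry check, which asks whether the built commit is on the protected branch's history, catches it. In a real pipeline the constructed graph would be replaced by git ancestry (for example `git merge-base --is-ancestor`) and the whole check would sit behind, not instead of, signature and builder-identity verification.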
The Contrarian Take
Everyone says: The day's biggest stories are about AI capital: Anthropic filing to go public, Alphabet raising $80 billion, and OpenAI getting sued over chatbot harms.
Here's why that's wrong, or at least incomplete: The deeper story is that automated trust mechanisms are becoming distribution systems for concentrated power. Index rules can turn a private mega-company into mandatory exposure for passive investors. Provenance rules can turn a captured CI pipeline into a signed malware distributor. AI capital and AI liability matter, but they sit downstream of the same institutional move: replace discretionary judgment with rules, then discover that the rule-maker or trusted identity now holds the power.
Under the Radar
- Free float is the new lockup fight. FTSE Russell's release sounds procedural, but the low-float clause is where the economics sit. If an issuer can sell only a small slice of shares and still receive benchmark demand quickly, the IPO becomes less about broad public ownership and more about using index eligibility to support a scarcity premium.
- SLSA passed the paperwork test. The Red Hat packages reportedly carried valid attestations because the release identity was real. That is precisely why this incident matters: the industry spent years teaching scanners to ask whether an artifact was signed, and the attacker answered yes with the publisher's own machinery.
Quick Takes
- Anthropic picked the public clock. Anthropic's confidential IPO filing gives it optionality before OpenAI and after a valuation run-up that already strained private-market capacity. The public-market test is not whether Claude is useful; it is whether investors will underwrite frontier-model capex without the control rights private rounds carried. (Source)
- Alphabet made AI capex dilutive. Alphabet plans to raise $80 billion, including a $10 billion Berkshire Hathaway investment, to fund AI infrastructure. The signal is that even the strongest cash-generating platforms are moving from "AI pays for itself through operating cash flow" toward "AI competes for shareholder capital." (Source)
- Florida chose product liability. Florida sued OpenAI and Sam Altman in a first-of-its-kind state case over alleged harms linked to ChatGPT. The important move is naming the chatbot as a defective consumer product, not merely as speech or software; that invites state attorneys general to become AI product regulators. (Source)
- Salesforce bought content plumbing. Salesforce agreed to acquire Contentful, a headless CMS once valued near $3 billion, as enterprise software vendors re-bundle content, workflow, and customer data for AI agents. Cheapened software infrastructure is becoming attractive precisely because agents need governed content systems to act inside enterprises. (Source)
The Thread
Today's throughline is not "AI changes everything." It is that automated trust makes old gatekeepers more powerful while making their failures more contagious. Index providers decide which assets passive investors must own. CI systems decide which packages developers can trust. AI platforms decide which conversational products are safe enough for minors and consumers. The common failure mode is not bad intent. It is over-delegation. A rule can be transparent and still shift risk onto people who never made the underlying judgment.
Predictions
New predictions:
- I predict: By 2026-07-31, at least one major asset manager or index provider will announce a SpaceX-excluding, mega-IPO-screened, or delayed-entry passive product for investors who do not want immediate fast-entry exposure. (Confidence: medium; Check by: 2026-07-31)
2026-06-02 03:16 EDT