IT News Roundup: ChatGPT Gets a Work Mode, Supply Chain Scares, and AI's Hidden Costs
Welcome back to the itpick weekly news roundup — your no-nonsense catch-up on the stories that actually matter if you’re running a small business or just trying to keep your home setup safe and sensible. It’s been a busy week. Let’s get into it.
OpenAI Turns ChatGPT Into Your Digital PA
OpenAI has launched something called ChatGPT Work — and it’s a fairly significant step beyond the chatbot most of us are used to. Rather than just answering questions, this new version is designed to act as an AI agent that can take on multi-step tasks across your email, calendar, Slack, and even code repositories. Think of it less as a search engine and more like a very capable assistant who can actually do things on your behalf, not just suggest them.
It’s built on OpenAI’s latest flagship model and is clearly aimed at professionals and teams who want to offload repetitive workflows. For small business owners juggling a dozen plates at once, the appeal is obvious — though it’s worth approaching any tool that has access to your inbox and calendar with a healthy dose of caution until you’ve had a proper look at the privacy settings.
What this means for you: If you’re already using ChatGPT for day-to-day tasks, this upgrade could genuinely save you hours — but make sure you understand what permissions you’re granting before connecting it to your accounts.
Curious how ChatGPT stacks up against the competition? Check out our ChatGPT vs Claude vs Gemini comparison.
“Slopsquatting” — The AI Coding Threat You Haven’t Heard Of Yet
This one’s a bit of a head-scratcher at first, but bear with us — it’s important. You’ve probably heard of typosquatting, where cybercriminals register dodgy website addresses that look almost identical to legitimate ones. Slopsquatting is the same idea, but it exploits AI coding assistants instead of human typos.
Here’s how it works: AI tools that help developers write code sometimes hallucinate — they confidently suggest software packages or libraries that don’t actually exist. Attackers are now registering those fake package names themselves. So when a developer follows the AI’s suggestion and installs the package, they’re actually pulling in malicious code without realising it.
It’s a clever and deeply unpleasant trick, and it highlights the broader truth that AI tools — brilliant as they are — can’t always be taken at face value. For small businesses that use developers or freelancers to build or maintain software, it’s worth having a conversation about what checks are in place when new packages are added to a project.
What this means for you: If anyone is writing code for your business using AI assistants, make sure they’re verifying every package they install — AI suggestions are a starting point, not gospel.
A Compromised npm Package Was Stealing Data on Install
Hot on the heels of the slopsquatting story comes a real-world supply chain attack that shows just how quickly things can go wrong. A popular JavaScript package called jscrambler had its 8.14.0 release compromised on 11 July. Anyone who installed that version triggered a hidden infostealer — malicious software designed to quietly hoover up data from your machine. It affected Windows, macOS, and Linux alike.
The good news is that a security monitoring tool flagged the malicious release just six minutes after it went live. The bad news is that six minutes is still long enough for plenty of developers to have pulled it down automatically. If you or your team use npm packages in any projects, it’s worth checking whether this version was installed and removing it immediately if so.
This is a timely reminder that even well-known, trusted tools can be weaponised if attackers get access to the publishing pipeline. Keeping security software up to date on development machines — Intego is a solid option if your team is on Macs — is a basic but crucial line of defence.
What this means for you: Check with your developer (or check yourself) whether jscrambler 8.14.0 was ever installed on any of your machines, and if so, treat those machines as potentially compromised.
AI Is Eating Budgets Alive — Even When It’s Getting Cheaper
There’s an interesting tension playing out in the AI world right now. Model prices are falling fast — DeepSeek recently slashed costs on one of its models by 75%, which sounds like brilliant news. But a new survey of over 500 technical leaders found that enterprises are still burning through AI budgets at an alarming rate, because the systems built around AI models — the agents, the orchestration layers, the infrastructure — are consuming tokens and resources voraciously.
The same research found that 86% of companies are running their GPUs at half capacity or less, meaning a lot of expensive kit is sitting around doing not very much. For smaller businesses dipping their toes into AI tools, this is a useful reality check: cheaper models don’t automatically mean cheaper bills if you build something complex on top of them.
What this means for you: If you’re budgeting for AI tools this year, don’t just look at the headline price per query — think about how the whole system will be used in practice, and set some spending limits early.
That’s your week in IT. Between a powerful new AI assistant, a brand-new class of supply chain attack, a live malware incident in a popular dev tool, and a reminder that AI economics are trickier than they look, it’s fair to say the industry never sits still for long. We’ll be back next week with more. Stay safe out there.