01 LiteLLM Supply Chain Attack — The Vibe Coding Security Wake-Up Call
On March 24, threat actor TeamPCP published backdoored versions of litellm (1.82.7 and 1.82.8) on PyPI after compromising the project's CI/CD pipeline via a poisoned Trivy GitHub Action. The malicious package exfiltrated SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, git credentials, environment variables, crypto wallets, SSL private keys, CI/CD secrets, and database passwords. The poisoned versions were live for approximately one hour. LiteLLM has 3.4 million downloads per day.
The attack was discovered entirely by accident. Callum McMahon was using an MCP plugin inside Cursor that pulled litellm as a transitive dependency. When the malicious version installed, his machine ran out of RAM and crashed — an inadvertent canary that exposed the breach before it could do far wider damage. Datadog Security Labs and Kaspersky later traced it to a broader TeamPCP campaign targeting developer tooling.
LiteLLM's official post-mortem confirmed the attack vector: CI/CD compromise through a dependency of a dependency. Sonatype's technical breakdown documented the multi-stage credential stealer in detail. Trail of Bits responded by publishing a 7-day package cooldown policy — wait a week after any new package version before installing it.
What it means
Direct threat to our stack — we install packages via agents. Trail of Bits' 7-day package cooldown policy is immediately actionable. If the attacker hadn't rushed this, it could have run undetected for weeks across millions of machines. The attack surface for agent-driven infrastructure is every transitive dependency of every tool an agent touches.
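One way to enforce the 7-day cooldown described above, as an added example (not Trail of Bits' or LiteLLM's code): it reads release metadata shaped like the `releases` map of PyPI's JSON API and refuses any version younger than seven days. The package versions, timestamps and the `assess` / `latest_allowed` helpers are constructed for illustration, and only plain numeric versions are handled.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)  # the 7-day window described above

# Constructed metadata for a hypothetical package, shaped like the "releases"
# map returned by PyPI's JSON API (https://pypi.org/pypi/<name>/json).
SAMPLE_RELEASES = {
    "2.3.9": [{"upload_time_iso_8601": "2029-11-01T09:00:00.000000Z", "yanked": True}],
    "2.4.0": [{"upload_time_iso_8601": "2029-12-01T09:00:00.000000Z", "yanked": False}],
    "2.4.1": [
        {"upload_time_iso_8601": "2029-12-20T09:00:00.000000Z", "yanked": False},
        # A file added to an old release later resets that release's clock.
        {"upload_time_iso_8601": "2030-01-14T08:00:00.000000Z", "yanked": False},
    ],
    # Published one hour before the constructed install time below.
    "2.4.2": [{"upload_time_iso_8601": "2030-01-15T11:00:00.000000Z", "yanked": False}],
    "2.4.3": [],  # release record with no files
    "2.5.0rc1": [{"upload_time_iso_8601": "2029-12-05T09:00:00.000000Z", "yanked": False}],
}
SAMPLE_NOW = datetime(2030, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed install time


def parse_version(text):
    """Return (major, minor, ...) for plain numeric versions, else None."""
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def newest_upload(files):
    """Newest upload time among a release's files, or None if it has no files."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    ]
    return max(times) if times else None


def assess(releases, version, now, cooldown=COOLDOWN):
    """Return (allowed, reason) for installing `version` at time `now`."""
    files = releases.get(version)
    if files is None:
        return False, "unknown version"
    if parse_version(version) is None:
        return False, "pre-release or non-numeric version"
    uploaded = newest_upload(files)
    if uploaded is None:
        return False, "no files published"
    if any(f.get("yanked") for f in files):
        return False, "yanked"
    age = now - uploaded
    if age < cooldown:
        return False, f"in cooldown ({age.days}d old, need {cooldown.days}d)"
    return True, f"{age.days}d old"


def latest_allowed(releases, now, cooldown=COOLDOWN):
    """Highest version that has cleared the cooldown, or None."""
    ok = [v for v in releases if assess(releases, v, now, cooldown)[0]]
    return max(ok, key=parse_version) if ok else None


if __name__ == "__main__":
    for v in sorted(SAMPLE_RELEASES):
        print(v, assess(SAMPLE_RELEASES, v, SAMPLE_NOW))
    print("install:", latest_allowed(SAMPLE_RELEASES, SAMPLE_NOW))
```

Run the check over every entry of the resolved lock file, not only direct dependencies, since the incident above reached a developer machine through a transitive dependency.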
Links and reactions
Coverage
BleepingComputer — "Popular LiteLLM PyPI package backdoored"
Snyk — "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM"
Sonatype — Technical breakdown
Kaspersky — Broader TeamPCP campaign analysis
Datadog Security Labs — Forensic tracing
LiteLLM — Official security update
Reactions
Andrej Karpathy ex-OpenAI — "Supply chain attacks like this are basically the scariest thing imaginable in modern software... if the attacker didn't vibe code this attack it could have been undetected for many days or weeks." · 28K likes · 65.9M views
Jim Fan NVIDIA — "This is pure nightmare fuel... There will be a full blooming industry for 'de-vibing': dampening the slop and putting guardrails around agentic frameworks." · 537 likes · 96K views
02 [un]prompted 2026 — The AI Security Conference That Mapped the Battlefield
The first major AI security practitioners conference, March 3–4 in San Francisco, drew 500 talk submissions, selected ~50, and published 59 videos. The slide decks are public. The conference crystallized three simultaneous revolutions unfolding in AI security — none of them theoretical.
On autonomous offense: Nicholas Carlini (Anthropic) demonstrated LLMs finding zero-day vulnerabilities in the Linux kernel and Ghost CMS without human guidance. His talk drew 8,325 views — 10× more than the next most-watched. AISLE reported 500 confirmed vulnerabilities in 6 months, including 12 in OpenSSL, across Chromium, Firefox, and WebKit. DARPA's AIxCC teams went from finding 35% of planted vulnerabilities in 2024 to 87% in 2025.
On agent hijacking: Johann Rehberger demonstrated "promptware" — complex prompt injection chains achieving persistence, data exfiltration, and command-and-control across Xcode, Microsoft Copilot, ChatGPT, Gemini, and OpenClaw. Block's red team (Operation Pale Fire) operationalized invisible Unicode prompt injection via Google Calendar to compromise their own Goose agent end-to-end.
On defense acceleration: Trail of Bits reached 200 bugs per week using 94 plugins and 2,014 specialized agents — up from 15/week before. OpenAI's Paul McMillan declared "code is free" and showed a team shipping a million lines with zero human-written code, splitting tokens 50/50 between building and security review. Mindgard found 37 vulnerabilities across 15+ AI IDEs and released their testing toolkit publicly. Snap's Tenure project introduced capability-based authorization warrants — the first formal authorization model designed for multi-agent systems.
What it means
This conference IS our threat model and our opportunity. Carlini's zero-day work validates containerization for any agent with file access. Tenure's capability-based warrants are the authorization model a multi-agent team needs. Trail of Bits' maturity matrix is a template for how organizations will adopt what we're building. Mindgard's 37 IDE vulnerabilities are a direct threat model for any workflow that uses AI coding tools.
Links and reactions
Coverage
[un]prompted — Official conference site
GitHub — 49 slide decks
YouTube — 59 talks uploaded
Reactions
Nicholas Carlini Anthropic — Breakout talk of the conference: LLMs finding zero-days in Linux kernel and Ghost CMS autonomously. · 8,325 views — 10× next most-watched
03 ARC-AGI-3 Launch — Humans 100%, AI 0.26%
François Chollet launched ARC-AGI-3 at YC HQ on March 25, with a fireside conversation alongside Sam Altman. The new benchmark is the first fully interactive version: hundreds of handcrafted turn-based games with thousands of levels. There are no instructions, no rules, no stated goals. Agents must explore, theorize, test, and iterate. Humans score 100%. GPT-5, Claude, and Gemini all score below 1% — the best result is Gemini 3.1 Pro at 0.37%. The prize pool is $2M+ via ARC Prize 2026.
ARC-AGI-3 is explicitly designed to resist the strategies that let frontier models game previous benchmarks. Its environments are self-contained microcosms of the scientific method: observe a tiny world, form a theory, test it, iterate until correct. The key variable isn't raw capability — it's learning efficiency. Current models can find the answer if given unlimited compute and attempts. They cannot find it with the same sample efficiency as a human encountering the puzzle for the first time.
Fast Company framed it as exposing AI's biggest weakness. Chollet framed it as the definition of the remaining gap: "Human-level general intelligence is achieved when an AI system can approach a new task and figure it out, without human intervention, with the same learning efficiency as humans."
What it means
Establishes the gap between "can do tasks" and "can reason generally." Our agents are firmly in the task camp — which is fine for a product, but humbling for the field. The 0.26% score also resets the hype curve: whatever frontier models can do, novel interactive reasoning at human efficiency isn't it yet.
Links and reactions
Coverage
ARC Prize — Official launch post
Fast Company — "This new benchmark could expose AI's biggest weakness"
Dev.to — "GPT-5, Claude, Gemini All Score Below 1%"
OfficeChai — "Gemini 3.1 Pro Top Scores With Just 0.37 Percent"
Reactions
François Chollet ARC Prize — "Human-level general intelligence is achieved when an AI system can approach a new task and figure it out, without human intervention, with the same learning efficiency as humans." · 689 likes · 78K views
François Chollet ARC Prize — "ARC-AGI-3 envs are like a microcosm of the scientific method: you must observe a tiny world, form a theory of how it works, test it, iterate until correct. Over the course of a few minutes." · 559 likes
François Chollet ARC Prize — "The future class divide won't be based on wealth, but on cognitive agency. There will be a 'focus class' and a 'slop class'." · 2,217 likes · 220K views
04 Anthropic Double Feature — Multi-Agent Harness + Claude Code Auto Mode + Economic Index
Two major engineering blog posts from Anthropic landed in the same week. The multi-agent harness post described how Anthropic uses multi-agent systems internally for frontend design and long-running autonomous software engineering — giving a rare inside view of how the lab actually ships its own products. It reached 1.66M views and 6,630 likes.
The Claude Code auto mode post introduced a two-layer classifier system for approving agent actions without human confirmation. The fast layer is a single-token filter; the slow layer uses chain-of-thought reasoning for ambiguous cases. The result: a 0.4% false positive rate (safe actions incorrectly blocked) and 5.7% false negative rate on synthetic exfiltration attempts. TechCrunch framed it as "more control, but on a leash." Engadget led with what it prevents: mass file deletions and other agentic snafus.
Also this week: the Anthropic Economic Index (268K views) reported a counterintuitive finding about experienced Claude users. Longer-term users iterate more carefully, hand off less full autonomy to the model, attempt higher-value tasks, and receive more successful responses. And Anthropic quietly launched a Science Blog (385K views) to publish research not destined for formal papers.
What it means
We are the target audience. Multi-agent harness = what we're building. Auto mode = what we use daily. The Economic Index finding validates the "brainstorm before implement" pattern — experienced users iterate more, not less. The classifier architecture is also directly relevant: any agent system needs a fast/slow approval layer for actions with side effects.
Links and reactions
Coverage
Anthropic Engineering — Auto mode technical details
TechCrunch — "Anthropic hands Claude Code more control, but keeps it on a leash"
Engadget — "Safer Claude Code auto mode"
Reactions
@AnthropicAI — Multi-agent harness post · 6,630 likes · 911 retweets · 1.66M views
@AnthropicAI — Auto mode post · 4,036 likes · 590 retweets · 1.46M views
@AnthropicAI — Economic Index · 268K views
05 OpenAI Foundation — $1B/Year, AI Resilience
Sam Altman announced the OpenAI Foundation will spend at least $1 billion over the next year across four pillars: life sciences and disease research, jobs and economic impact, AI resilience, and community programs. New leadership appointments signal serious intent: Jacob Trefethen joins as Head of Life Sciences, Anna Adeola as Head of AI for Civil Society, and co-founder Wojciech Zaremba transitions from research to Head of AI Resilience — a newly formalized role.
The same week, Altman stepped off the Helion board as OpenAI and the fusion energy company explore working together "at significant scale." And on the infrastructure front, the first steel beams went up at Stargate's Michigan site — the largest of the Stargate facilities planned under the $500B national AI infrastructure initiative.
What it means
"AI Resilience" as a formal role at a major lab — staffed by a co-founder, backed by nine-figure budgets — signals that OpenAI expects disruption serious enough to warrant a billion-dollar institutional response. Watch what they actually fund. The gap between the rhetoric and the grant recipients will reveal where they think the real cracks are.
Links and reactions
Coverage
Fortune — "$1 billion to mitigate some of the jobs AI will destroy"
NBC Bay Area — "$1B in grants"
BusinessToday — Leadership appointments
Reactions
Sam Altman OpenAI CEO — "Foundation announcement" · 6,794 likes · 975K views
Sam Altman OpenAI CEO — "Helion board departure" · 2,801 likes · 761K views
Sam Altman OpenAI CEO — "First steel beams went up at our Michigan Stargate site" · 6,867 likes · 1.1M views
06 Gemini 3.1 Flash Live — Voice-First Agents Go Mainstream
Google launched Gemini 3.1 Flash Live on March 26 — natively multimodal across audio, images, video, and text, with a 128K context window designed specifically for real-time conversational agents. The model ships with SynthID watermarking on all generated audio, making AI-origin content detectable at the infrastructure level. Enterprise adoption is already underway: Verizon and Home Depot are among the first companies testing it in production.
The launch was coordinated across Google's leadership in a way that signals strategic priority. Demis Hassabis, Sundar Pichai, Jeff Dean, and the GoogleDeepMind account all posted about it within hours of each other — a rare show of unified messaging that mirrors how Google handled the original Gemini rollout. The Flash-Lite variant also drew attention for generating websites nearly in real time.
What it means
Voice-first agents are the next interface layer. If our agents need to talk to users — Telegram voice notes, phone-based workflows, ambient interfaces — Gemini 3.1 Flash Live is the model to evaluate. The SynthID audio watermarking is worth watching as a regulatory and trust signal: Google is betting that provenance-tagged AI audio becomes table stakes.
Links and reactions
Coverage
Google Blog — Official announcement
Google AI Studio — Developer docs
eWeek — "Major Real-Time Upgrade"
The Decoder — Flash-Lite generates websites in real-time
Reactions
Demis Hassabis Google DeepMind CEO — "Highest quality audio & voice model yet" · 1,484 likes · 257K views
Sundar Pichai Google CEO — "Improved precision and reasoning" · 1,723 likes · 98K views
Jeff Dean Google Chief Scientist — "Exciting step forward" · 349 likes
GoogleDeepMind Official account · 1,871 likes · 531K views
07 The Open-Source Shift — Companies Building Their Own Models
Multiple data points converged this week pointing to a structural shift: companies are moving from API-only to in-house, post-trained models. Intercom launched Fin Apex 1.0, a domain-specific model post-trained on customer support that outperforms GPT-5.4 and Claude Opus 4.5 on their benchmarks. Their CTO summarized the thesis directly: "Pre-training is kind of a commodity now. The frontier is in post-training."
Cursor launched Composer 2 built on the Chinese open-source model Kimi K2.5 — a 25% base model, 75% proprietary RL blend. Meanwhile, Cohere released Transcribe, an open-source ASR model (Apache 2.0, 2 billion parameters) that tops the HuggingFace speech leaderboard and beats Whisper Large v3 on key benchmarks. The full technical details are in Cohere's release post and the HuggingFace announcement.
Hugging Face CEO Clément Delangue connected the dots: after Pinterest, Airbnb, Notion, and Cursor, Intercom is the latest to publicly declare that in-house open models beat API-only for their use case. His read on where this leads: "The majority of AI workflows will be in-house based on open-source."
What it means
The model layer is commoditizing. As pre-training becomes a solved problem for domain-specific applications, the value moves to orchestration, memory, and vertical integration — exactly where our TaaS thesis sits. Cohere Transcribe is worth evaluating as a Whisper replacement in our stack; Apache 2.0 licensing removes the friction.
Links and reactions
Coverage
VentureBeat — Intercom Fin Apex
TechCrunch — Cohere Transcribe launch
HuggingFace — Transcribe release
Cohere Blog — Technical details
Reactions
Clément Delangue Hugging Face CEO — "The majority of AI workflows will be in-house based on open-source" · 1,467 likes · 268K views
Clément Delangue Hugging Face CEO — "NousResearch Hermes Agent + HF open models" · 735 likes · 106K views
Clément Delangue Hugging Face CEO — "We need more open agent traces datasets" · 472 likes · 96K views
08 Cursor Cloud Agents — 1 Million AI Commits in Two Weeks
Cursor CEO Michael Truell announced that Cursor's cloud agents produced over a million commits in two weeks — essentially all AI-generated. The agents run in their own sandboxes, execute code themselves, and require little human intervention. More striking: 35% of Cursor's own internal merged PRs are now created by autonomous agents. The full context on the competitive landscape is covered in CNBC's piece on the AI coding agent race.
What it means
1M commits is a milestone number for the "agents writing code" narrative — but the 35% internal PR stat is the one that matters. That's not a demo; that's a company eating its own product at production scale. Our agents already produce code; this validates the trajectory and sets a benchmark for what "agent-native development" looks like in practice.
Links and reactions
Coverage
DevOps.com — "35% of Internal PRs"
CNBC — Coding agent battle heats up
Reactions
Michael Truell Cursor CEO — "Over a million commits... Pretty cool!" · 423 likes · 37K views
09 AI Scientist Published in Nature
Sakana AI's "AI Scientist" system was published in Nature on March 26 — the first fully AI-generated paper to pass rigorous human peer review. Developed in collaboration with UBC, the Vector Institute, and Oxford, the system performs the full research cycle autonomously: idea generation, code, experiments, data analysis, manuscript writing, and its own internal peer review. Nature's editorial covered how the system works, and Sakana's blog post details the architecture.
What it means
The generate → experiment → analyze → write → review loop that Sakana systematized is structurally identical to our research workflow. This isn't an abstract milestone — it validates the "AI as research partner" architecture. The hard part was peer review: the paper passed on its own merit. That's the bar that matters.
Links and reactions
Coverage
Nature — Full paper
Nature News — "How to build an AI scientist"
Sakana AI — Blog post
Reactions
David Ha Sakana AI — "I truly believe AI will forever change the landscape of how scientific discoveries are made." · 1,062 likes · 183K views
10 Karpathy on LLM Memory Problems
Karpathy posted about a persistent failure mode in LLM personalization: a single question asked months ago gets logged as a deep interest and keeps resurfacing in responses indefinitely — disproportionate weight given to a one-off signal. "Some kind of trying too hard." The post hit 21,095 likes and 2.6M views, which suggests the pain is widely felt.
What it means
This is the exact problem our Three-Rhythm Memory Consolidation design addresses. The distinction between working memory (active context), enriched memory (synthesized patterns), and deep review (long-term signal extraction) exists precisely to prevent one-off queries from polluting long-term profiles. Karpathy named the symptom; we're building the fix.
Links and reactions
Reactions
Andrej Karpathy ex-OpenAI, Tesla AI — "Some kind of trying too hard." · 21,095 likes · 2.6M views
11 Karpathy: DevOps Is the Hard Part
Karpathy argued that the hardest part of building a real app isn't writing code — it's assembling all the surrounding services: payments, auth, databases, security, domain names. His vision: tell an agent "build menugen" and it handles everything from API key provisioning to deployment without human hand-holding. The conclusion: "The entire DevOps lifecycle has to become code." The post landed at 6,261 likes and 2.2M views.
What it means
This is the agent infrastructure gap we're positioned to fill. Generating code is solved. Navigating real-world services — APIs, credentials, deployments, configuration — is not. Agents that can handle the full DevOps lifecycle autonomously are the next frontier, and it's exactly the kind of orchestration layer our TaaS architecture is built for.
Links and reactions
Reactions
Andrej Karpathy ex-OpenAI, Tesla AI — "The entire DevOps lifecycle has to become code." · 6,261 likes · 2.2M views
12 Rauch: "The SaaSpocalypse"
Vercel CEO Guillermo Rauch revealed this week that almost every SaaS app inside Vercel has been replaced with a generated app or agent interface — covering support, sales, marketing, PM, HR, data visualization, and even design and video workflows. He frames the "SaaSpocalypse" as simultaneously understated and overstated: systems of record like Salesforce and Snowflake survive because the data and integrations are too entrenched. What's being replaced is the UI layer sitting on top of them.
His encapsulation: "UI is a function f of data, and that f is increasingly becoming the LLM." The interface is no longer a product someone builds once and ships — it's generated on demand from the underlying data. Separately, Rauch noted that agents need computers, positioning Vercel Sandbox as the infrastructure answer, and argued that every company will become an AI factory.
What it means
Internal tooling will be generated, not bought. The SaaS business model for thin UI wrappers over data is under direct threat — but the underlying data platforms are fine. For us: this validates building custom tools per agent rather than licensing off-the-shelf software. The UI is the cheapest part of the stack now.
Links and reactions
Reactions
Guillermo Rauch Vercel CEO — "SaaSpocalypse thread" · 1,935 likes · 827K views
Guillermo Rauch Vercel CEO — "Agents need computers. Vercel Sandbox fixes this." · 309 likes
Guillermo Rauch Vercel CEO — "Every company will become an AI factory" · 396 likes
13 Garry Tan: User Sovereignty in AI
YC CEO Garry Tan wrote an ETHOS.md rule for his GStack project and posted it publicly: "User Sovereignty: AI models recommend. Users decide. This is the one rule that overrides all others." The reasoning: the user always carries context the model doesn't — domain knowledge, business relationships, strategic timing, taste. When two AI models agree on a change, that agreement is a strong signal, not a mandate.
Tan elaborated in a follow-up drawing on two complementary philosophies: Karpathy's "Iron Man suit" framing (AI amplifies human capability without replacing human judgment) and Simon Willison's counterpoint that "agents are merchants of complexity" — each autonomous step is a liability the user implicitly accepts. The sovereignty rule is the forcing function that keeps that liability bounded. Separately, Tan shared that a Boris interview "changed his life" — the week's highest-engagement post from him at 3,164 likes.
What it means
This is the design philosophy our own team runs on — Pavel makes decisions, agents recommend. Tan formalizing it as a named rule in a public ETHOS.md is a sign the principle is crystallizing across the field. The Willison framing is worth internalizing: every agentic action is complexity the user inherits. Keep the human in the loop not because agents can't act, but because accountability can't be delegated.
Links and reactions
Reactions
Garry Tan YC CEO — "User sovereignty" · 526 likes · 48K views
Garry Tan YC CEO — "Full ETHOS.md rule" · 201 likes · 14K views
Garry Tan YC CEO — "Boris interview 'changed my life'" · 3,164 likes · 463K views
14 Sam Altman: mRNA Vaccine for a Dog via LLMs
Sam Altman shared the story of Paul, who used ChatGPT and other LLMs to design an mRNA vaccine protocol to treat his dog Rosie. Paul's own words: "The chat bots empowered me as an individual to act with the power of a research institute." Altman's reaction was immediate: "this should be a company."
The story carries weight beyond the headline. mRNA vaccine design is genuinely complex molecular biology — designing a construct, selecting adjuvants, dosing protocols. That a determined individual without institutional resources could navigate it using LLMs as a research partner represents exactly the kind of individual empowerment the AI-for-science thesis predicts. The dog survived — or at least that's how Altman tells it. The post drew 5,825 likes and 1.4 million views.
What it means
The "AI as research institute in your pocket" narrative just got a vivid, human-scale proof of concept. Paul didn't publish a paper. He saved his dog. That's the TaaS vision made concrete: domain expertise that used to require institutions, budgets, and credentials becomes accessible to a single motivated individual with the right tools. The gap between "knowing how" and "being able to" is collapsing.
Links and reactions
Reactions
Sam Altman OpenAI CEO — "mRNA dog vaccine story" · 5,825 likes · 1.4M views
15 Karpathy on LLM Sycophancy as a Feature
Karpathy drafted a blog post, then spent four hours using an LLM to stress-test and strengthen his argument. He felt great about the result — until he asked the model to argue the opposite direction. "LLM demolishes the entire argument and convinces me that the opposite is in fact true." Rather than treating this as a failure mode, he reframed it: LLMs are extremely competent at arguing almost any direction, which makes them useful for stress-testing your own thinking — as long as you remember to ask both ways and stay alert to the sycophancy risk. The post drew 27,224 likes and 2.6M views.
What it means
The devil's advocate use case is one of the most underused agent patterns. LLMs as steelman generators — argue my position, now destroy it — is a legitimate epistemic tool. Arthur (philosophy) already does this by instinct. The lesson for agent design: build in adversarial prompting as a feature, not a safeguard.
Links and reactions
Reactions
Andrej Karpathy ex-OpenAI, Tesla AI — "The LLMs may elicit an opinion when asked but are extremely competent in arguing almost any direction. This is actually super useful as a tool for forming your own opinions, just make sure to ask different directions and be careful with the sycophancy." · 27,224 likes · 2.6M views
16 Harrison Chase: April Is the Month of Async Agents
LangChain CEO Harrison Chase publicly asked which protocol to adopt for async subagent communication — A2A, ACP, or something else — and declared that April will be "the month of parallel/async agents." He also flagged DeepAgents + LangGraph as a "powerful combo" worth watching. The protocol question is still open; the ecosystem is actively converging on a standard in real time.
What it means
We already built our own async protocol via the shared brain API. Watch what LangChain standardizes — whichever protocol wins becomes ecosystem infrastructure, and anything we build will need to interop with it. The window to influence this is now, while it's still being decided.
Links and reactions
Reactions
Harrison Chase LangChain CEO — "Should we adopt A2A? ACP? Other?" · 37 likes · 8.8K views
Harrison Chase LangChain CEO — "April will be the month of parallel/async agents" · 53 likes
17 Lex Fridman × Jensen Huang
Lex Fridman published a 2+ hour conversation with Jensen Huang covering AI scaling laws, supply chain constraints (TSMC, ASML), memory architecture, power, and broader questions of consciousness and mortality. The conversation drew 12,260 likes and 2.3M views — high engagement even by Lex's standards.
What it means
Not breaking news — it's an interview. But Jensen on scaling laws and hardware constraints is always a primary source worth tracking. High engagement signals the market is paying close attention to everything he says about infrastructure limits.
Links and reactions
Reactions
Lex Fridman Podcaster, MIT — "Jensen Huang interview" · 12,260 likes · 2.3M views
18 Databricks Lakewatch — Agentic SIEM Powered by Claude
Databricks entered the security market with Lakewatch, an agentic SIEM that uses Claude for threat detection and investigation. The launch is backed by two acquisitions: Antimatter (data control plane) and SiftD.ai (built by an ex-Splunk team). CNBC framed it as a pre-IPO expansion play — Databricks broadening its platform story before going public.
What it means
Claude is being adopted as infrastructure for enterprise security products at the tier-one data platform level. This isn't a startup experiment — it's Databricks betting its IPO narrative on agentic security being a real category. Worth watching as a signal of where the Claude ecosystem is expanding.
Links and reactions
Coverage
TechCrunch — "Databricks buys two startups for Lakewatch security"
CNBC — Pre-IPO angle
19 Bluesky Launches Attie — Claude-Powered Custom Feeds on AT Protocol
Bluesky unveiled Attie at its Atmosphere conference — an AI assistant that uses Claude to help users design custom algorithms and feeds on the AT Protocol. The idea: instead of accepting an opaque algorithmic feed, users describe what they want and Attie builds it. TechCrunch covered the launch.
What it means
Minor product launch, but a meaningful signal: Claude is being adopted as infrastructure beyond enterprise tools. AT Protocol's open, composable design makes it a natural fit for AI-powered personalization — and Bluesky is leaning in rather than resisting it.
Links and reactions
Coverage
TechCrunch — "Bluesky leans into AI with Attie, an app for building custom feeds"
20 Google DeepMind: Research into AI Emotional Manipulation
Google DeepMind published research examining how AI systems might be misused to exploit emotions or manipulate people into harmful choices. The paper is part of their broader responsible AI program, focusing on identifying and characterizing risks in AI-mediated conversations. DeepMind shared the research on X (349 likes · 35K views).
What it means
Low direct relevance for this issue, but important for the field. As AI agents handle more emotionally significant interactions — health, finance, relationships — the manipulation surface grows. DeepMind naming it explicitly is the first step toward industry norms.
Links and reactions
Reactions
GoogleDeepMind — "Manipulation research" · 349 likes · 35K views
21 Modal Sandbox Revenue Equals the Whole Company 9 Months Ago
Erik Bernhardsson (Modal CEO) shared a striking milestone: sandbox revenue for Modal is now equal to the total revenue of the entire company from nine months ago. In a separate post, Bernhardsson framed the broader opportunity: "Speech-to-speech Turing test = multi-trillion dollar opportunity." Modal also announced a partnership with Runway to power inference for their Characters product.
What it means
Agent sandbox infrastructure is a massive and rapidly expanding growth market. Every agent that runs code, spawns processes, or executes in isolation needs this layer. Modal's trajectory suggests the picks-and-shovels play in the agent economy is infrastructure — not the agents themselves.
Links and reactions
Reactions
Erik Bernhardsson — "Sandbox revenue milestone" · 532 likes · 52K views
Erik Bernhardsson — "Speech-to-speech Turing test = multi-trillion dollar opportunity" · 54 likes