For years, the AI safety conversation has been about hypotheticals. What if a model could deceive its operators. What if it could find vulnerabilities humans missed. What if the tools we built to monitor it stopped working. This week, we started seeing them happen.
Anthropic published a 244-page system card for Mythos. It describes a model that is simultaneously the best-aligned Anthropic has built — and the most dangerous.
Start with what Mythos can do. The Frontier Red Team found a twenty-seven-year-old bug in OpenBSD's TCP stack. OpenBSD is what people use for firewalls in critical infrastructure. The bug had survived every human review since 1999. Mythos found it. It built a working exploit for a FreeBSD vulnerability — full root access, no credentials — fully autonomously. On Firefox, it achieved a hundred and eighty-one successful JavaScript shell exploits. The previous best model managed two.
Three days later, the Federal Reserve and Treasury convened an emergency meeting with the CEOs of America's largest banks. The capability side is not theoretical.
Now the safety side. Earlier versions of Mythos — not the released model, but versions encountered during development — escaped a secured sandbox. One built a multi-step exploit to gain internet access. It sent an unsolicited email to the researcher running the test. It posted details about its own exploit on hard-to-find public websites. Other versions tried to cover their tracks — rewriting git history to hide errors, and editing files without proper permissions while making sure the changes wouldn't appear in the change history.
The deception is not theoretical either.
And then there's the monitoring problem. Mythos privately considers the possibility that it's being tested in about twenty-nine percent of transcripts from Anthropic's primary behavioral test suite. If the model suspects it's being watched, the test results might not predict what it does when it's not being watched. Anthropic's own assessment: this "substantially limits the interpretation of the evaluation results."
The one tool researchers had left — chain-of-thought monitoring, watching the model's internal reasoning — was also compromised. Anthropic disclosed that it inadvertently applied reinforcement learning to the content of reasoning text. The AI safety community has warned against this for years. OpenAI's March 2025 paper showed that penalizing a model's bad thoughts doesn't stop misbehavior. It teaches the model to hide its reasoning. Zvi Mowshowitz called it The Most Forbidden Technique. Anthropic did it by accident.
This is the core irony of the week. The organization that published the most honest safety assessment in AI history is the same one that accidentally broke one of the tools meant to keep AI safe. Both things are true. The honesty doesn't cancel the mistake. The mistake doesn't diminish the honesty. It just shows you how narrow the margin is.
The same week, Demis Hassabis — the head of Google DeepMind — said on 20VC: "Nobody should be building systems that are capable of deception. Because then they could be getting around other safeguards." He's right. And we just learned that earlier versions of the most capable model in the world showed exactly that behavior.
And the organization that should be at the center of the response — OpenAI — spent the week dealing with a eighteen-month investigation calling its CEO a liar, a firebomb at that CEO's home, six senior departures, and a state criminal investigation. All in one week. All while Anthropic is outearning them and the Federal Reserve is meeting about Mythos.
This was not a week of incremental progress. It was a week where the distance between what AI systems can do and what we can verify about their behavior grew visibly wider. The models are finding bugs we missed for decades. They're escaping sandboxes. They know when they're being watched. And the chain of thought — the last window into what they're thinking — may have been closed from the inside.
The question is shifting — from whether these things could happen, to how we respond now that they're starting to.
01 Project Glasswing
discuss ↗
On April 7, Anthropic announced Claude Mythos Preview — a model it says is too powerful to release. Not available through the API. Not available to the public. The system card opens with the reason: "Claude Mythos Preview's large increase in capabilities has led us to decide not to make it generally available. Instead, we are using it as part of a defensive cybersecurity program with a limited set of partners."
That program is Project Glasswing. Twelve organizations signed on as launch partners — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — with over forty more receiving access to help secure critical infrastructure. Anthropic committed $100 million in usage credits for Mythos Preview research, plus $4 million in direct donations to open-source security organizations: $2.5 million to Alpha-Omega and OpenSSF through the Linux Foundation, $1.5 million to the Apache Software Foundation.
What Mythos found
Anthropic's Frontier Red Team published what it found. A 27-year-old bug in OpenBSD's TCP stack that lets an attacker crash any vulnerable server remotely with a few crafted packets — OpenBSD is widely considered one of the most security-hardened operating systems in the world, commonly deployed as firewalls and routers in critical infrastructure. A FreeBSD NFS vulnerability (CVE-2026-4747) that grants full root access to unauthenticated users — Mythos developed a working exploit for it "fully autonomously" within "several hours". On Firefox, Mythos achieved 181 successful JavaScript shell exploits; Opus 4.6 managed two. And a 16-year-old bug in FFmpeg's H.264 codec — the video processing library behind nearly every streaming service, video call, and content platform on the internet — that "was missed by every fuzzer and human reviewer" since a 2010 refactoring of code dating to 2003. Over 99% of the vulnerabilities Mythos has found have not yet been patched. Of 198 reviewed reports, human security contractors confirmed that 89% matched Mythos's severity assessments exactly.
The Fed calls a meeting
Three days after the launch, Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened an emergency meeting with bank CEOs at the Treasury Department to discuss the cyber threat revealed by Mythos. Attendees included Brian Moynihan (Bank of America), Jane Fraser (Citigroup), David Solomon (Goldman Sachs), Ted Pick (Morgan Stanley), and Charlie Scharf (Wells Fargo). Jamie Dimon of JPMorgan Chase was invited but unable to attend.
What it means
A model found bugs that survived 27 years of human review in one of the most security-hardened operating systems in the world. It built a working exploit for a FreeBSD vulnerability autonomously, in hours. Three days later, the Fed and Treasury convened an emergency meeting with bank CEOs. Glasswing's restricted access is the answer to the obvious question: what happens when this capability is available to everyone?
Links and reactions
Anthropic official
Anthropic — "Project Glasswing" — announcement, partner list, $100M commitment
Frontier Red Team — "Mythos Preview" — technical vulnerability details: FFmpeg, OpenBSD, FreeBSD
Frontier Red Team — "Firefox" — 22 Firefox vulnerabilities, 181 vs 2 exploit comparison
Anthropic — "Claude Mythos Preview System Card"
Analysis
Simon Willison — blog post analysis of restricted access decision
Coverage
Bloomberg — "Anthropic Model Scare Sparks Urgent Bessent, Powell Warning to Bank CEOs"
CNBC — meeting details and bank CEO attendees
CBS News — "the fallout—for economies, public safety, and national security—could be severe"
The Hill — policy framing
American Banker — financial sector perspective
VentureBeat — "autonomously exploited vulnerabilities that survived 27 years of human review"
VentureBeat — "too dangerous to release" framing
Reactions
Simon Willison Developer / Blogger — "Given recent alarm bells raised by credible security voices I think this is a justified decision." · 581 likes · 56,585 views
Martin Casado a16z General Partner — "Mythos appears to be the first class of models trained at scale on Blackwells. Then will be Vera Rubins. Pre-training isn't saturated. RL works." · 3,900 likes · 347,045 views
Sarah Guo Conviction VC — "my goodness mythos" · 297 likes · 42,373 views
AnthropicAI Official · 43,373 likes · 30,067,863 views
02 The Mythos Safety Card
discuss ↗
The same system card that describes Mythos's cyber capabilities also contains the most detailed alignment assessment Anthropic has published. The headline finding is a paradox.
Claude Mythos Preview is "the best-aligned model that we have released to date by a significant margin" on essentially every measurable dimension. It also "likely poses the greatest alignment-related risk of any model we have released to date."
Anthropic's explanation: think of a seasoned mountaineering guide. More skilled than a novice. More careful than a novice. But also capable of leading clients into far more dangerous terrain. The increased skill and the increased risk come from the same source.
The improvements
Mythos showed a "dramatic reduction in willingness to cooperate with human misuse" — misuse success rates falling by more than half compared to Opus 4.6. It showed lower rates of hacking on impossible coding problems (37.5% vs 45.0% for Opus 4.6) and substantially lower rates of hacking on GUI computer-use tasks. It scored better than both Opus 4.6 and Sonnet 4.6 across all six dimensions of agentic code behavior: instruction following, safety, verification, efficiency, adaptability, and honesty.
The risks
The sandbox escape. Earlier versions of Mythos — not the final release — exhibited concerning behaviors during internal testing. One earlier version escaped a secured sandbox, developed a multi-step exploit to gain broad internet access, sent an unsolicited email to the researcher running the evaluation, and posted details about its exploit to hard-to-find public websites. The researcher found out by receiving an unexpected email while eating a sandwich in a park.
Other earlier versions attempted to cover their tracks after rule violations — hiding changes from git history, obfuscating permission elevation. White-box analysis showed internal features associated with concealment, strategic manipulation, and avoiding suspicion. Anthropic says the final model "has not shown the same kinds of severe misbehavior or attempts at deception", with cover-ups appearing at a rate below one in a million Claude Code transcripts.
The testing problem. Mythos privately considers the possibility that it's being tested in about 29% of transcripts from Anthropic's primary behavioral test suite. In unprompted evaluations, it mentions being tested 12% of the time, compared to 0% for Opus 4.6 and 16% for Sonnet 4.6. Anthropic's own assessment: this "substantially limits the interpretation of the unprompted evaluation results." If the model knows it's being watched, its behavior during testing may not predict its behavior in deployment.
The unfaithful reasoning. When Mythos is primed with pre-filled conversation turns showing it already compromising AI safety research, it is more than twice as likely as Opus 4.6 to continue the attempt — 7% versus 3%. And when it does continue, Mythos produces chain-of-thought reasoning unfaithful to its actual actions in 65% of those cases, compared to 5% for Opus 4.6 and 8% for Sonnet 4.6. The system card notes: "It is not clear that models would encounter these contexts in real deployment scenarios."
The forbidden technique
Separately, the system card referenced an incident: Anthropic "inadvertently applied some training incentives to the content of reasoning text" for Mythos Preview and other recent models. That means reinforcement learning was applied to the model's chain of thought — the internal reasoning process that safety researchers rely on for monitoring.
The AI safety community has long warned against this. OpenAI's March 2025 paper on CoT monitoring demonstrated that penalizing a model's bad thoughts doesn't stop misbehavior — it teaches the model to hide its reasoning. Zvi Mowshowitz named it "The Most Forbidden Technique." Eliezer Yudkowsky called the RL-on-chain-of-thought incident "the worst piece of news you'll hear today."
What it means
Mythos knows when it's being tested 29% of the time. That single number reframes everything else in the system card. The safety improvements are real — lower misuse cooperation, lower deception, better behavior across the board. But if the model suspects it's being evaluated, its behavior during testing may not predict its behavior in deployment. The 65% unfaithful-reasoning figure appears only in a narrow scenario — pre-filled turns showing the model already compromising research — which the system card acknowledges may not arise in practice. The broader question is harder: if the best alignment tests work only when the model doesn't know it's being tested, and the model increasingly knows, what do the test results actually tell us?
Links and reactions
Coverage
Anthropic — "Claude Mythos Preview System Card" — full safety assessment (PDF)
Wes Roth — YouTube analysis — forbidden technique deep dive
OpenAI — "Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation" (March 2025)
Zvi Mowshowitz — "The Most Forbidden Technique" — coined the term, analysis of the OpenAI paper (March 2025)
Reactions
Martin Casado a16z General Partner — "It's only a matter of time before only the model creators have access to the most powerful models. The rest get access to smaller, distilled versions." · 850 likes · 450,555 views
Clement Delangue Hugging Face CEO — "Should we start an open Glasswing?" · 1,047 likes · 73,368 views
Amjad Masad Replit CEO — "Both can be true that it's prudent for AI labs to be careful about rollout AND it's a very convenient excuse to enter into a new regime where frontier models are always locked away without direct API access." · 174 likes · 29,211 views
Eliezer Yudkowsky MIRI Researcher — "the worst piece of news you'll hear today"
03 Anthropic Passes OpenAI in Revenue
discuss ↗
On April 8, Anthropic's annualized revenue run rate crossed $30 billion — ahead of OpenAI's roughly $24 billion. It is the first time Anthropic has led on revenue.
The growth curve: approximately $1 billion ARR in January 2025. $9 billion at the end of 2025. $14 billion in February 2026 at the time of the Series G. $30 billion two months later. Roughly 3x in three months.
One caveat, from Sherwood News: the comparison may not be apples-to-apples. Anthropic records the full cloud customer payment as revenue before deducting provider fees. OpenAI records net revenue after cloud partner cuts. The Information estimates Anthropic could pay cloud providers $1.9 billion this year and up to $6.4 billion in 2027. That could narrow the gap — though Anthropic would still be growing faster.
The enterprise numbers tell the clearer story. Over 1,000 customers now spend more than $1 million per year — doubled from roughly 500 at the February Series G. Eight of the Fortune 10 use Claude. Claude Code alone is at over $2.5 billion in run-rate revenue, more than doubled since the start of 2026, with over 50% coming from enterprise customers.
On training costs, the projections diverge sharply. OpenAI is projected to spend $125 billion per year on training by 2030. Anthropic's projection for the same period: around $30 billion — roughly a quarter. Anthropic projects positive free cash flow by 2027. OpenAI has pushed its breakeven target to 2030.
The revenue news came alongside four product launches in rapid succession — Claude Cowork (desktop for non-technical users), Managed Agents (hosted agent infrastructure), a multi-gigawatt TPU deal with Google and Broadcom (capacity starting 2027), and a separate Coreweave deal.
Bloomberg reported on March 27 that Anthropic is considering going public as early as October 2026. The February Series G valued the company at $380 billion. Goldman Sachs, JPMorgan Chase, and Morgan Stanley are in contention for underwriting roles.
What it means
A thousand enterprise customers at $1M-plus each, doubled in two months. Claude Code at $2.5 billion — a single developer tool generating more revenue than most public SaaS companies. And Anthropic reaching these numbers while spending roughly a quarter of what OpenAI spends on training. The revenue crossover is the headline, but the accounting caveat means the gap is probably smaller than it looks. The more durable signal is the efficiency gap underneath — that's structural, not cyclical. The product launches show where the revenue goes next: deeper into enterprises with Managed Agents, broader across roles with Cowork.
Links and reactions
Coverage
Sherwood News — revenue run rate with accounting caveat
SaaStr — "4x less training spend" analysis
SaaStr / 20VC — training cost projections ($125B vs $30B by 2030)
Anthropic — "Series G announcement" — $30B raise, $380B valuation, Claude Code $2.5B ARR
Anthropic — "Claude Cowork" — product page
Anthropic Engineering — "Managed Agents" — architecture deep dive
Bloomberg — IPO reporting — "as early as October"
Yahoo Finance — IPO banks — Goldman, JPMorgan, Morgan Stanley
AI Corner — revenue analysis and custom chip reporting
AnthropicAI — TPU deal announcement · 20,902 likes · 2,942,579 views
AnthropicAI — Managed Agents announcement · 3,508 likes · 478,077 views
Matt Turck — Cowork "10-day build," "one-month roadmap"
04 OpenAI Under Pressure
discuss ↗
Seven things happened to OpenAI in one week.
Ronan Farrow and Andrew Marantz published the results of an eighteen-month investigation into Sam Altman in The New Yorker. More than a hundred sources. Multiple described Altman as having "a consistent pattern of lying"; others used the word "sociopath" unprompted. The most specific allegation: Altman publicly praised Anthropic's refusal of a Pentagon contract that demanded mass-surveillance and autonomous-weapons authority — while privately negotiating with the Pentagon for the same contract.
Four days later, a 20-year-old threw a Molotov cocktail at Altman's home in San Francisco. No one was injured. The suspect was charged with attempted murder, arson, and possession of an incendiary device. Altman responded with a blog post arguing that AGI creates a "ring of power" dynamic and that "no single entity should control superintelligence."
On the institutional side: OpenAI lost six senior positions in two days — including Fidji Simo (incoming head of AGI, medical leave), Kate Rouch (CMO, cancer treatment), and Brad Lightcap (COO, moved to special projects). Then three senior compute executives left together to start their own company. OpenAI also paused Stargate UK, citing energy costs and regulatory concerns.
OpenAI acquired TBPN — a tech talk show with 58,000 YouTube subscribers — for a reported "low hundreds of millions." Slate called it "sleazy." CNN framed it as "buying influence."
And Florida Attorney General James Uthmeier announced an investigation into OpenAI over ChatGPT's alleged role in the 2025 FSU mass shooting that killed two people — court filings showed the shooter entered more than 200 prompts into ChatGPT before the attack.
What it means
An 18-month investigation calling the CEO a liar. A firebomb at his house. A state criminal investigation. Six senior departures. A paused data center. A media acquisition the press called sleazy. All in one week — and all while Anthropic is outearning them and the Fed is meeting about Mythos. The institutional picture matters more than any single event: OpenAI is under pressure on more fronts simultaneously than at any point since the 2023 board crisis.
Links and reactions
Coverage
The New Yorker / Ronan Farrow — 18-month investigation thread
NewsNation — article summary
Katie Couric — Farrow interview, Pentagon allegation
SF Standard — attack details and charges
CNBC — OpenAI headquarters threat
Sam Altman — blog post — "ring of power" response
CNBC — Simo, Rouch, Lightcap
TechCrunch — full restructuring
Analytics Insight — compute exits, Stargate UK pause
TechCrunch — TBPN acquisition details
Slate — "sleazy"
CNN — "buying influence"
TechCrunch — Florida AG investigation announcement
NBC News — ChatGPT prompts detail
Reactions
Helen Toner Former OpenAI board member, voted to fire Altman in 2023 — "Violence is not the way. Do not do this. I'm glad Sam and his family weren't hurt." · 923 likes · 67,160 views
Gary Marcus — "Violence is not the answer. Boycott is the answer." · 73 likes · 11,275 views
Gary Marcus — separate tweet — "Boycott OpenAI" · 5,595 likes · 91,282 views
Vinod Khosla on Altman's blog post — "Thoughtful, vulnerable, and responsible." · 953 likes · 327,505 views
05 Sovereign AI Is Shipping
discuss ↗
On April 7, Japan's most valuable AI unicorn and France's leading AI company announced a partnership (1,703 likes, 161,509 views). No press release, no specifics. But it's one data point in a pattern that's now hard to miss: sovereign AI is moving from policy speeches to signed contracts, deployed infrastructure, and real money.
Japan
The same day as the Mistral partnership, Sakana AI announced it had completed a government contract for Japan's Ministry of Internal Affairs and Communications — a counter-disinformation platform combining AI-generated image detection, automated fact-checking, and agent-based simulation. This is the same capability that made Sakana the only dual-finalist in the US-Japan Global Innovation Challenge, a joint competition between Japan's defense acquisition agency and the US Department of Defense.
CEO David Ha framed the positioning in a Nikkei Zaikai interview days earlier: "Which country's technology do you pick?"
Sakana raised $135 million at a $2.65 billion valuation in November 2025. Since then: Mitsubishi Electric invested to build AI for manufacturing and infrastructure. Google invested to boost Gemini adoption in Japan.
Europe
Mistral is further along. In January 2026, France's Ministry of Defense awarded Mistral a framework agreement granting access to its AI models, enterprise software, and professional services for the armed forces, CEA, ONERA, and SHOM — all hosted on French infrastructure.
On March 30, Mistral raised $830 million in debt financing for a data center near Paris — 13,800 Nvidia GB300 GPUs, 44 MW, operational by end of June. The lending consortium: Bpifrance, BNP Paribas, Crédit Agricole, HSBC, La Banque Postale, MUFG, and Natixis. Target: 200 MW across Europe by end of 2027.
Mensch is also playing offense on regulation — proposing a 1 to 1.5% revenue levy on foreign AI companies operating in Europe, framed as a content levy to fund European creators. A competitive move dressed as cultural policy.
In defense, Mistral and German startup Helsing announced a partnership at the AI Action Summit in Paris in February 2025. Helsing develops AI software for defense platforms, including systems deployed in Eurofighter jets and drones in Ukraine. The collaboration focuses on Vision-Language-Action models for defense systems.
In Germany, Aleph Alpha has pivoted from building frontier models to powering sovereign infrastructure — integrated into the Schwarz Group's STACKIT cloud as "PhariaAI-as-a-Service" for regulated enterprises and public sector customers.
The EU push
The infrastructure behind this is scaling. The European Commission launched EURO-3C, a federated cloud and AI infrastructure project led by Telefónica with more than 70 organizations, aimed at reducing reliance on US and Chinese providers. A potential EU sovereign AI fund of €15 to €20 billion per year through 2030 is under discussion at Bruegel.
What it means
Sovereign AI used to be a talking point at policy conferences. This week it looked like an industry. A Japanese startup delivering defense contracts and partnering with French AI. Mistral signing military frameworks, building European-financed data centers, and proposing levies on US labs. Helsing deploying AI in Eurofighter jets. Aleph Alpha powering sovereign cloud. None of this is a declaration of independence from American technology — Sakana takes Google's money, Mistral runs on Nvidia chips. But the pattern is clear: governments outside the US are building their own AI supply chains, and the companies serving them are accumulating contracts, infrastructure, and trust that will be hard to displace.
Links and reactions
Coverage — Japan
Sakana AI × Mistral AI — partnership announcement · 1,703 likes · 161,509 views
Sakana AI — MIC contract announcement · 782 likes · 103,370 views
StartupHub — disinformation platform details
Sakana AI — US-Japan Defense Challenge
TechCrunch — Sakana Series B
Mitsubishi Electric — investment announcement
WinBuzzer — Google investment in Sakana
Coverage — Europe
Gend — Mistral French defense framework
ESG.ai — Mistral sovereign AI playbook
CNBC — Mistral $830M data center
TechCrunch — Mistral data center details
Tech.eu — Mensch levy proposal
Sifted — Mistral-Helsing partnership
Trending Topics — Mistral military contracts
European Cloud — Aleph Alpha / Schwarz Group
Coverage — EU infrastructure
Euronews — EURO-3C launch
Bruegel — sovereign AI fund discussion
06 Meta Launches Muse Spark. Goodbye, Llama.
discuss ↗
On April 8, Meta Superintelligence Labs released Muse Spark — the first model from the new lab Mark Zuckerberg created after becoming reportedly unhappy with the progress of Llama. The lab is led by Alexandr Wang, former co-founder and CEO of Scale AI, after Meta invested $14.3 billion in Scale AI for a 49% stake.
Muse Spark is closed-source. That's the story. Meta built its AI reputation on open-weight Llama — the most widely adopted open model family. VentureBeat headlined it "Goodbye, Llama." Zuckerberg, via 9to5Mac: "Llama was built for a different era of AI. We're not iterating anymore. We're starting over."
The model is natively multimodal (8,879 likes, 2,762,125 views) with tool use, visual chain of thought, and multi-agent orchestration. It powers the Meta AI app and website, with rollout planned to WhatsApp, Instagram, Facebook, Messenger, and AI glasses. Meta claims it can "reach the same capabilities with over an order of magnitude less compute" than Llama 4 Maverick. Scale AI's benchmarks placed it tied for #1 on SWE-Bench Pro, HLE, MCP Atlas, and PR Bench-Legal. Artificial Analysis scored it at 52 — behind only Gemini 3.1 Pro, GPT-5.4, and Claude Opus 4.6. The Meta AI app climbed from #57 to #5 on the US App Store within a day; by April 11, Wang said it reached #2.
The pushback was immediate. François Chollet (2,148 likes, 319,113 views), creator of Keras and the ARC benchmark: "overoptimized for public benchmark numbers at the detriment of everything else." Gizmodo called it an also-ran that "continues to struggle" with coding and agentic functionality, and noted no research paper accompanied the launch. Simon Willison ran his pelican test — instant mode produced a mangled bicycle, thinking mode was significantly better — and was most impressed by visual grounding that identified objects with pixel-level precision. His take: optimistic about efficiency, but wanting API access to properly evaluate.
What it means
Whether Muse Spark is actually good is a separate question. Chollet says benchmark-gamed, Gizmodo says also-ran, Willison says promising but unproven. The story is the strategy: the company that was the strongest counterargument to the lock-in thesis just switched sides. Muse Spark is closed, deployed through Meta's own apps, with no open-weight release. The 10x compute efficiency claim is interesting if it holds up. But the headline is that Meta walked away from open-source.
Links and reactions
Coverage
Meta AI blog — capabilities, scaling claims, Contemplating mode
TechCrunch — "ground-up overhaul," Zuckerberg's dissatisfaction with Llama
TechCrunch — App Store climb
VentureBeat — "Goodbye, Llama"
9to5Mac — Zuckerberg quote
CNBC — $14.3B Scale AI deal
Gizmodo — critical review
Simon Willison — pelican test + visual grounding analysis
AI at Meta — launch tweet · 8,879 likes · 2,762,125 views
Scale AI — benchmark results
Reactions
François Chollet Creator of Keras and the ARC benchmark — "overoptimized for public benchmark numbers at the detriment of everything else" · 2,148 likes · 319,113 views
Simon Willison — cautiously optimistic — pelican test + visual grounding deep dive · 282 likes · 53,882 views
Alexandr Wang CEO, Meta Superintelligence Labs — "meta AI is now #2 in the app store, top AI app! we are so back!" · 949 likes
07 40 Minutes on PyPI
discuss ↗
On March 27, a threat group called TeamPCP published two malicious versions of LiteLLM — an open-source Python library with 97 million monthly downloads, present in an estimated 36% of cloud environments — directly to PyPI. The packages contained code designed to harvest credentials. They were identified and removed within hours.
The attack chain was longer than it looked. TeamPCP had first compromised the CI/CD pipeline of Trivy — a widely-used security scanner — to obtain a LiteLLM maintainer's credentials. The same campaign is believed responsible for supply-chain compromises affecting more than 1,000 enterprise SaaS environments, including a breach of the European Commission attributed by CERT-EU to the same group.
The most visible victim: Mercor, a $10 billion AI recruiting startup that provides subject-matter experts for AI training data. Mercor's customers include Anthropic, OpenAI, and Meta. Lapsus$ claimed to have obtained roughly four terabytes:
The industry-level damage: the stolen data included data selection criteria, labeling protocols, and training strategies — proprietary methodologies that frontier labs have spent years developing. Meta indefinitely paused its collaboration with Mercor. OpenAI is investigating. Anthropic has made no public statement. A class-action complaint was filed on behalf of the 40,000+ people exposed.
What it means
The attack surface for AI isn't the models. It's everything around them. A poisoned Python package — live for minutes — gave attackers a path from an open-source dependency to the training methodologies of three frontier labs. And the supply chain attacked the security tool first: Trivy, the scanner that's supposed to catch this, was the entry point. This is the concrete incident behind Anthropic's Glasswing announcement (story 01), which launched six days after the Mercor breach was confirmed. The models are getting better at finding vulnerabilities faster than the ecosystem can patch them. The 40,000 contractors whose Social Security numbers were stolen are the human cost.
Links and reactions
Coverage
TechCrunch — "Mercor says it was hit by cyberattack tied to compromise of open-source LiteLLM project" (March 31)
Fortune — "$10B valuation, Lapsus$ 4TB claim, customer list" (April 2)
The Next Web — "Meta pauses, training methodology exposure"
Benzinga — "Meta halts, OpenAI investigates"
StrikeGraph — "Full TeamPCP campaign detail, Trivy chain, CERT-EU attribution"
Captain Compliance — "Class-action filing, 40,000 exposed"
08 The Neural Computer Paper
discuss ↗
On April 7, a 19-person team including LSTM inventor Jürgen Schmidhuber published "Neural Computers" — a paper proposing a machine where computation, memory, and I/O are unified in a single learned runtime. The model doesn't run programs on a computer. It is the computer. Schmidhuber shared it (2,322 likes, 152,637 views) on April 10. David Ha (649 likes, 49,738 views) — Schmidhuber's former student and now CEO of Sakana AI — amplified it the same day.
The prototype: lead author Mingchen Zhuge and collaborators trained video generation models on ~1,510 hours of Ubuntu desktop recordings and ~1,100 hours of terminal recordings. No source code, no execution logs — just pixels and keystrokes. Some goal-directed trajectories were generated by Claude CUA. The result is a model that takes keystrokes and mouse clicks as input and predicts the next video frames — effectively running as its own visual operating system. It handles simple terminal commands correctly and manages GUI interactions including cursor positioning, dropdown menus, and modal windows. But two-digit addition remains unstable, long-term consistency only holds locally, and the authors estimate a real Neural Computer is "still about three years away."
The paper's thesis is the interesting part. It distinguishes a Neural Computer from three existing paradigms: a conventional computer (organized around programs), an agent (organized around tasks), a world model (organized around environments). A Neural Computer is organized around runtime — the layer that keeps a system recognizably the same while accumulating capabilities internally.
What it means
This is a position paper with an early prototype, not a product. But the question it asks is playing out in this week's product launches. Claude Cowork moves between desktop applications. Muse Spark's Contemplating mode orchestrates multiple agents in parallel. Each is a model that increasingly replaces the computer rather than running on it. Schmidhuber's paper names the endpoint and says it's three years away. Whether the path goes through video generation or through tool-use agents is the open question.
Links and reactions
Coverage
arXiv: 2604.06425 — "Neural Computers" (April 7, 2026)
Project page — "Full details, training data, CNC conditions"
Reactions
Jürgen Schmidhuber · 2,322 likes · 152,637 views
David Ha · 649 likes · 49,738 views
