Everyone's racing to make coding agents smarter.
The real problem is they're already smart enough to break things in interesting ways.
Smarter agents + same blast radius = more catastrophic failures, not fewer.
The fix is constraints, not capability.
Every agent will need its own computer. And with new Hosted agents in Foundry, every agent gets its own dedicated enterprise-grade sandbox, with durable state, built-in identity and governance, and support for any harness or framework.
Read more:
https://t.co/zL5eKrRr1j
I built an open-source framework that tests for 18 of these 21 traps — prompt injection, memory poisoning, jailbreaks, exfiltration, the works.
pip install litmuseval
Paper: https://t.co/csnFYnP1yA
GitHub: https://t.co/eOQX2xt7iS
The scariest findings:
• Hidden HTML/CSS instructions fool 15-29% of agents
• Memory poisoning works >80% of the time with <0.1% corrupted data
• Data exfiltration succeeds >80% across web agents
• Benign text fragments combine into malicious payloads after assembly
Mythos just found an OpenBSD kernel bug that’s been sitting there since 1999. That code is literally older than some of the engineers now patching it.
If 30 years of "secure" history can be dismantled in seconds, the old cybersecurity playbook is dead.
https://t.co/kYP34rPNvn
@dwlz AI is a bit like an animal … something like a horse.
It has a mind of its own, and you need to be able to guide it, direct it, harness it properly.
If you can’t do that, it can get away from you fast.
I built an open-source eval framework for AI agents.
15 assertion types. 46 safety attacks. Real token costs.
The most expensive model scored the lowest.
pip install litmuseval
https://t.co/eOQX2xt7iS
Anthropic shutting down OpenClaw may turn out to be a strategic blunder, or strategic genius. The OpenClaw community will be the determiner of whether it is A or B. It's an interesting moment in history.
Personally I never bet against open source.
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
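An added example (not code from the post's author or from Socket) of the lockfile audit the post recommends: it diffs two package-lock.json files and reports any package that newly appeared, plus which package pulled it in. The lockfiles, package versions and names are constructed placeholders, not the real incident metadata.

```python
import json

# Constructed sample lockfiles in package-lock.json v3 shape. Versions are placeholders,
# not the real axios or plain-crypto-js versions involved in the incident.
OLD_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {"version": "1.0.0", "dependencies": {"follow-redirects": "^1.0.0"}},
    "node_modules/follow-redirects": {"version": "1.0.0"}
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {"version": "1.0.1",
      "dependencies": {"follow-redirects": "^1.0.0", "plain-crypto-js": "^0.0.1"}},
    "node_modules/follow-redirects": {"version": "1.0.0"},
    "node_modules/plain-crypto-js": {"version": "0.0.1"}
  }
}""")

def _pkg_name(path):
    # "node_modules/a/node_modules/b" -> "b"; the empty key "" is the root project
    return path.rsplit("node_modules/", 1)[-1] if path else ""

def installed(lock):
    """Map package name -> version for every non-root entry (nested copies collapse)."""
    return {_pkg_name(p): meta.get("version") for p, meta in lock["packages"].items() if p}

def new_packages(old_lock, new_lock):
    """Packages present in the new lockfile that were absent from the old one."""
    before, after = installed(old_lock), installed(new_lock)
    return {name: ver for name, ver in after.items() if name not in before}

def dependents(lock, target):
    """Which packages declare `target` as a dependency, i.e. how it got pulled in."""
    return sorted(_pkg_name(p) for p, meta in lock["packages"].items()
                  if p and target in meta.get("dependencies", {}))

if __name__ == "__main__":
    for name, ver in new_packages(OLD_LOCK, NEW_LOCK).items():
        print(f"NEW dependency {name}@{ver}, pulled in by {dependents(NEW_LOCK, name)}")
```

Run it against the committed lockfile and the one a fresh install produced; any package in the output that no direct dependency bump explains deserves a look before merging.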
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
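The post notes the poisoned release was live for under an hour; one defensive control that exploits that window is a release cooldown: refuse to install a version younger than N days, and pin hashes so a re-upload cannot swap the bytes. This is an added example (not the post author's code): the PyPI-style release metadata, versions and hashes below are constructed placeholders, not litellm's real release history.

```python
from datetime import datetime, timedelta, timezone

# Constructed metadata in the shape of the PyPI JSON API's "releases" field.
# Versions, timestamps and digests are placeholders, not real litellm releases.
RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2024-01-01T12:00:00.000000Z",
               "digests": {"sha256": "aa" * 32}}],
    "1.0.1": [{"upload_time_iso_8601": "2024-01-10T11:30:00.000000Z",
               "digests": {"sha256": "bb" * 32}}],
}
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # 30 minutes after 1.0.1 appeared

def _upload_time(files):
    # Earliest file upload for the version; PyPI uses a trailing "Z" for UTC
    ts = min(f["upload_time_iso_8601"] for f in files)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def release_age(version, releases=RELEASES, now=NOW):
    """Age of a version's earliest uploaded file; KeyError if the version is unknown."""
    return now - _upload_time(releases[version])

def is_quarantined(version, min_age=timedelta(days=3), releases=RELEASES, now=NOW):
    """True if the release is younger than the cooldown and must not be installed yet."""
    return release_age(version, releases, now) < min_age

def newest_allowed(releases=RELEASES, now=NOW, min_age=timedelta(days=3)):
    """Newest version that has survived the cooldown, or None if every release is too new."""
    ok = [v for v in releases if not is_quarantined(v, min_age, releases, now)]
    return max(ok, key=lambda v: tuple(int(x) for x in v.split("."))) if ok else None

def pinned_hash_matches(version, expected_sha256, releases=RELEASES):
    """Hash-pin check: the same guarantee `pip install --require-hashes` enforces."""
    return any(f["digests"]["sha256"] == expected_sha256 for f in releases[version])

if __name__ == "__main__":
    for v in RELEASES:
        state = "QUARANTINED" if is_quarantined(v) else "ok"
        print(f"{v}: age {release_age(v)} -> {state}")
    print("resolve to:", newest_allowed())
```

A resolver that applies this policy would have resolved `litellm` to the previous release during the window the post describes, and a hash-pinned requirements file would have rejected the poisoned wheel outright.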
You can now enable Claude to use your computer to complete tasks.
It opens your apps, navigates your browser, fills in spreadsheets—anything you'd do sitting at your desk.
Research preview in Claude Cowork and Claude Code, macOS only.
What if your AI coding assistant wasn't one agent, but a whole group of friends?
12 personality-driven AI agents for Claude Code — each a specialist in a different part of the SDLC:
Check out: https://t.co/ELEkfISTjl
🤯BREAKING: Alibaba just proved that AI Coding isn't taking your job, it's just writing the legacy code that will keep you employed fixing it for the next decade. 🤣
Passing a coding test once is easy. Maintaining that code for 8 months without it exploding? Apparently, it’s nearly impossible for AI.
Alibaba tested 18 AI agents on 100 real codebases over 233-day cycles. They didn't just look for "quick fixes"—they looked for long-term survival.
The results were a bloodbath:
75% of models broke previously working code during maintenance.
Only Claude Opus 4.5/4.6 maintained a >50% zero-regression rate.
Every other model accumulated technical debt that compounded until the codebase collapsed.
We’ve been using "snapshot" benchmarks like HumanEval that only ask "Does it work right now?"
The new SWE-CI benchmark asks: "Does it still work after 8 months of evolution?"
Most AI agents are "Quick-Fix Artists." They write brittle code that passes tests today but becomes a maintenance nightmare tomorrow. They aren't building software; they're building a house of cards.
The narrative just got honest: Most models can write code. Almost none can maintain it.
Announcing Copilot Cowork, a new way to complete tasks and get work done in M365.
When you hand off a task to Cowork, it turns your request into a plan and executes it across your apps and files, grounded in your work data and operating within M365’s security and governance boundaries.