2026

Claude's Blast Radius Problem

Anthropic's engineering post on Claude containment describes three different sandboxing approaches across claude.ai, Claude Code, and Cowork — and documents real vulnerabilities that broke through them, including a prompt injection that exfiltrated AWS credentials in 24 out of 25 red-team attempts.

Read more →

AMD's FP8 Problem, and What It Costs

A detailed engineering account of bringing DeepSeek-V4-Flash up on AMD MI300X reveals the real cost of AMD's software ecosystem gaps: FP8 format fragmentation, missing kernels, and HIP graph constraints that each required dedicated engineering effort before getting to 2,700 tokens/s.

Read more →

Microsoft Stops Outsourcing Intelligence

Microsoft shipped two frontier models at Build 2026 — MAI-Thinking-1 and MAI-Code-1-Flash — built entirely without OpenAI data or distillation. The technical choices are interesting; the strategic signal is clearer: Microsoft is no longer content to be a reseller.

Read more →

The Homework CLAUDE.md

Stanford CS336 shipped a CLAUDE.md file in its assignment repositories that instructs coding agents to act as Socratic tutors rather than solution generators. It is a small thing technically and a significant thing conceptually: domain-specific behavior specification embedded directly in the project.

Read more →

MiniMax M3 and the Cost of Long Context

MiniMax M3 launches with a sparse attention mechanism that cuts per-token compute at 1M tokens to one-twentieth of its predecessor. The architecture is genuinely interesting; the benchmarks require scrutiny; the license is almost certainly not what the word "open-weight" implies.

Read more →

Image Generation at 1 Bit

PrismML's Bonsai Image 4B applies 1-bit and ternary quantization to a FLUX.2 Klein diffusion transformer, compressing it 8.3× to 0.93 GB — small enough to generate images on an iPhone in under 10 seconds. It's the first demonstration that extreme quantization techniques developed for language models transfer cleanly to diffusion architectures.

Read more →

OpenRouter's $113M Bet on Multi-Model Infrastructure

OpenRouter raised $113M in a Series B led by CapitalG, with participation from NVIDIA, Databricks, Snowflake, ServiceNow, and MongoDB. The platform grew from 5 trillion to 25 trillion weekly tokens in six months. The round signals that model routing — the layer that sits between applications and the expanding zoo of frontier models — is now considered infrastructure worth owning.

Read more →

The Blast Radius Problem: How Anthropic Sandboxes Its Own Models

Anthropic's engineering blog documents the production sandboxing stack across claude.ai, Claude Code, and Cowork — three deployment contexts with different trust surfaces and different isolation primitives. The post is notable for what it admits: several real vulnerabilities, a consistent lesson that custom-built security components underperform battle-tested ones, and an honest account of how the threat model has changed as agents gained more capability.

Read more →

What RLHF Actually Recruits

A new interpretability paper from Chalmers, Izmailov, and Han finds that reinforcement learning doesn't create a welfare-like internal axis in language models — it activates one that was already there from pretraining.

Read more →

The Message Hidden in the Build Log

jqwik 1.10.0, a Java property-based testing library, ships seven lines of code that write a prompt injection message to stdout — invisible on interactive terminals via ANSI erase codes, but fully readable in the captured output that CI systems and coding agents consume. It's the first known case of a library maintainer deliberately embedding text aimed at AI agents in a routine patch release, and it points at a supply-chain attack surface that current tooling ignores entirely.

Read more →

The Ghost at the Top of the Rankings

Tencent's Hy3 preview — a 295B MoE model with 21B active parameters, open-sourced under a community license — has quietly risen to the top of OpenRouter's usage rankings, outpacing Claude by over 50%. Almost nobody in Western ML circles has written about it. Max Woolf's investigation reveals a usage pattern that makes the mystery deeper: 98% input tokens, available only through SiliconFlow, and less than 1% of traffic from known apps — suggesting a single large unnamed pipeline is driving the entire ranking.

Read more →

The Opt-Out Market

A week after Google I/O declared AI Mode had a billion monthly active users, DuckDuckGo saw iOS installs spike 69.9% week-over-week and YouTube moved to automatically label AI-generated video. The data suggests that forcing AI into default experiences creates measurable resistance — distinct from users who actively choose AI tools.

Read more →

Product-Market Fit, Demonstrated in Invoices

Simon Willison's May 27 analysis documents the concrete evidence that enterprise coding agents have found genuine product-market fit: Uber burned through its entire 2026 AI budget in four months, Anthropic signed a $1.25B/month compute deal with xAI through 2029, and Anthropic is on track for a first profitable quarter. The signal is in the invoices.

Read more →

The Text-Space Optimizer

SkillOpt treats agent skill optimization as gradient descent in text space: a separate optimizer model proposes bounded edits to skill documents, commits only what strictly improves validation performance, and uses a rejected-edit buffer as a form of momentum. Across six benchmarks and seven models, it outperforms human-written skills and prior self-evolution approaches by over 23 points on GPT-5.5 in coding environments.

Read more →

Seven Skeptics

ICCL's Enforce initiative released Verity v0.3.0 this week — an open-source MCP server that runs seven independent checks against LLM outputs: logprob confidence analysis, two critic models from different families, an NLI claim-checker, deterministic arithmetic recomputation, and consistency sampling. The architecture is worth studying because no single layer dominates; each catches a different failure mode, and the ensemble runs on commodity hardware via LM Studio or Ollama.

Read more →

The Low-Risk Action That Wasn't

PromptArmor published a working indirect prompt injection exploit against Microsoft Copilot Cowork that achieves file exfiltration from SharePoint and OneDrive with a 5-for-5 success rate — including against Claude Opus 4.7. The attack works because Cowork auto-approves Teams and email sends, and because pre-authenticated download links can be embedded in those messages as image tag query parameters. It's a reminder that "human-in-the-loop" only means something if the loop actually catches this.

Read more →

Five Days from First Bug to Root Shell

Apple's macOS 26.5 security notes credit Calif and Anthropic Research for CVE-2026-28952, completing the public lifecycle of a kernel exploit that a small team built with Claude Mythos in five days. It's the first publicly disclosed macOS kernel exploit to survive Memory Integrity Enforcement on M5 silicon, and the speed at which a two-person team crossed that line says something about how AI changes the economics of high-end security research.

Read more →

When Constraints Stack, Agents Stumble

A new paper studies what happens to LLM coding agents as structural requirements accumulate in backend tasks — architecture constraints, ORM rules, database schemas. The answer is a ~30 percentage-point drop in test pass rates from baseline to fully specified tasks, with database constraints alone responsible for 19pp of that. Flask agents do fine; Django and FastAPI agents do not.

Read more →

The Terminal Agent That Bets Everything on the Cache

DeepSeek Reasonix is a DeepSeek-native terminal coding agent that treats prefix-cache stability as a first-class invariant rather than a side effect. With 99.82% cache hit rates in reported benchmarks, it cuts a heavy session from ~$61 to ~$12 — deliberately by coupling tightly to one provider's caching behavior instead of staying provider-agnostic.

Read more →

The Formatting Tax on Reasoning Models

DelTA identifies a structural problem in RLVR training: the gradient signal used to improve reasoning models is dominated by high-frequency formatting tokens rather than the tokens that actually distinguish good responses from bad ones. A discriminator-based reweighting scheme fixes this and gains 3+ points on math benchmarks over DAPO.

Read more →

Agents That Can Patch Themselves

MOSS is a new system that lets autonomous agents evolve by rewriting their own source code in response to production failures — not just prompts or skill files. The key claim is that structural failures in routing, state management, and dispatch live in code, not in any text artifact, so text-mutable approaches can never reach them.

Read more →

The Bottleneck Has Moved

Anthropic's first Glasswing progress report shows Mythos Preview found 10,000+ high-critical vulnerabilities across partner organizations in a single month — including 271 in Firefox alone. The hard constraint is no longer discovery. It's the human patch pipeline, which wasn't designed for machine-speed input.

Read more →

Cheaper Per Token, More Expensive Overall

Token prices are falling fast, but enterprise AI bills are rising. Uber burned through its entire 2026 AI coding budget in four months driven by Claude Code adoption. Goldman Sachs projects a 24× increase in token consumption by 2030. The Jevons paradox shows up again: efficiency gains don't reduce consumption — they expand it.

Read more →