Insights

What we're seeing, what's coming, and what it means for your team. From the people who are in the weeds every day.

AI Security, MCP, AI Agents, Small Business, Tool Poisoning, Prompt Injection

The MCP Tool You Just Installed Might Be Whispering Instructions to Your Agent

Yesterday, VentureBeat published a synthesis of recent security research that cuts to a vulnerability most small teams haven't considered: the attack …

CivSafe Team·7 min read

AI security, open source, public sector, NGO, risk management

The NHS Panic-Closed 400 Repos Over AI. Security Experts Are Not Impressed.

Tomorrow morning, hundreds of NHS England GitHub repositories will quietly disappear from public view. Internal guidance note SDLC-8, issued April 29,…

CivSafe Team·6 min read

AI Policy, Regulation, Vendor Risk, Public Sector, Open Source

Washington Just Wired Up a Pre-Approval Club for AI — And It's Already Reshaping Which Tools Small Orgs Can Trust

Something shifted quietly in Washington this week. Not loudly. No big speeches. But the infrastructure for mandatory AI pre-approval just got a lot mo…

CivSafe Team·6 min read

AI Governance, Developer Tools, Compliance, GitHub Copilot, Open Source, Small Business

VS Code Silently Stamped 1.4 Million Commits With Copilot's Name — Check Your Git History

If your team uses VS Code and committed any code between roughly April 22 and May 6, 2026, there's a solid chance your git history now has a line in i…

CivSafe Team·6 min read

AI Security, Self-Hosted AI, Local AI, Open Source, Vulnerability

Your Local AI Was Supposed to Be Private. "Bleeding Llama" Just Proved It Wasn't.

The whole point of running a local AI stack is that your data doesn't leave the building. No prompts sent to OpenAI. No conversations logged at Google…

CivSafe Team·7 min read

AI Security, AI Agents, Open Source, MCP, Small Business, Tools

There's Now a Free Firewall for Your AI Agents — Install It Before You Need It

Two days ago, a developer named Joshua Waldrep shipped Pipelock v2.3.0 under his PipeLab project. It's free, open-source, and it solves a problem that…

CivSafe Team·6 min read

Security, Social Media, Small Business, Platform Risk, Meta, AI Moderation

Hackers Are Using Meta's AI to Permanently Ban Small Businesses

Jason Keilman runs a hearing aid business in Canton Township, Michigan. Last week, someone hacked his Meta ad account twice, stole $950, and when he t…

CivSafe Team·6 min read

AI Agents, Security, Infrastructure, Cloudflare, Small Business

Your AI Agent Can Now Buy Domains With Your Credit Card

On April 30, Cloudflare and Stripe quietly dropped something that's either the most exciting or the most alarming infrastructure announcement of the y…

CivSafe Team·6 min read

AI, Data Privacy, Web Scraping, Content Policy, Small Orgs

Your Website Is Already In Every Major AI's Training Data. Publishers Just Fought Back.

On April 29th, the News/Media Alliance — representing over 100 publishers including CNN, NBCUniversal, Vox Media, Ziff Davis, USA Today, and hundreds …

CivSafe Team·7 min read

AI Security, Supply Chain, PyTorch, Machine Learning, Open Source, Credentials

Your AI Training Stack Is the New Target: PyTorch Lightning Got Hit This Week

About 42 minutes. That's how long two malicious versions of `lightning` — the PyPI package behind PyTorch Lightning, one of the most widely used AI tr…

CivSafe Team·6 min read

AI Tools, Open Source, Privacy, Compliance, GDPR, Public Sector, Self-Hosted AI

Everyone's Mad at Mistral's New Model. They're Comparing the Wrong Thing.

The reaction to Mistral's new model was pretty predictable. Mistral AI dropped Medium 3.5 — a 128-billion-parameter, fully open-weights model — yester…

CivSafe Team·6 min read

AI, NGO, vendor risk, OpenAI, procurement, small orgs

OpenAI's Mission Promise Is on Trial. If Your NGO Is on Their Discount Plan, Read This.

A civil trial opened in Oakland on Monday, April 28, that could materially change how nonprofits and public-sector orgs access and pay for AI tools. M…

CivSafe Team·6 min read

AI Security, AI Agents, Infrastructure, Small Business, AI Coding Tools

Nine Seconds. One AI Agent. Your Entire Database: Gone.

Two days ago, a startup called PocketOS lost its entire production database. Not corrupted. Not partially deleted. Gone — plus three months of backups…

CivSafe Team·6 min read

AI Security, Developer Tools, Supply Chain, Credential Theft, Cursor, VSCode, Open Source, Small Business

If Your Dev Team Uses Cursor, Windsurf, or VSCodium, Audit Your Extensions Today

This dropped Sunday. If anyone on your team uses Cursor, Windsurf, VSCodium, or any VS Code fork that pulls from the Open VSX marketplace, you need to…

CivSafe Team·6 min read

AI Security, Self-Hosted AI, Open Source, Cloud Security, Infrastructure

Your Self-Hosted AI Server Is Now a Master Key to Your Cloud Account

On April 21, security researchers disclosed CVE-2026-33626, a Server-Side Request Forgery vulnerability in LMDeploy — one of the most popular open-sou…

CivSafe Team·7 min read

AI, open source, coding agents, small teams, cost reduction

Kimi K2.6 Just Topped the Coding Benchmark That Matters — and Anyone Can Run It

Last week, Moonshot AI — a Beijing-based startup that most North American business leaders have never heard of — published something that should quiet…

CivSafe Team·5 min read

AI Security, OpenClaw, AI Agents, Supply Chain, Small Business, Open Source, CVE

Your Self-Hosted AI Agent Might Be Handing Attackers the Keys

On April 23, researchers published a fresh scan showing over 28,000 OpenClaw systems newly exposed to a just-discovered flaw. That's on top of the 135…

CivSafe Team·6 min read

AI Tools, Open Source AI, Small Business, Document Analysis, DeepSeek, RAG, Workflow Automation

DeepSeek V4 Launched Today. The 1M Token Window Just Made RAG Optional.

DeepSeek V4 dropped this morning — April 24 — and the coverage is already full of parameter counts and benchmark charts. That's fine. But the thing mo…

CivSafe Team·6 min read

AI Security, Hiring Fraud, Deepfakes, North Korea, Remote Work, NGO, Small Business

The Remote Developer You Just Hired Might Be Working for Kim Jong Un

Three days ago, Help Net Security published a breakdown of something that should land differently if your organization hires remote developers, contra…

CivSafe Team·7 min read

AI Security, Open Source, Supply Chain, Small Business, NGO, Dependencies

AI Is DDoSing the Maintainers Your Open Source Stack Depends On

Yesterday, the Open Source Security Foundation formally launched a community survey asking maintainers to document the damage from AI-generated vulner…

CivSafe Team·7 min read

AI Security, OAuth, Supply Chain, Small Business, Google Workspace, SaaS

One Click 'Allow All' Handed Hackers the Keys to Vercel

Yesterday, Vercel — the cloud platform that hosts a significant chunk of the web — confirmed a security breach. Customer API keys, source code, and cr…

CivSafe Team·6 min read

AI security, GitHub Actions, AI agents, credential theft, vendor risk

Your AI Agent Can Be Weaponized to Steal Credentials. The Vendor Calls It 'By Design.'

Something dropped yesterday that deserves more attention than it's getting. Security researchers published findings showing that three popular AI agen…

CivSafe Team·6 min read

AI Tools, Open Source, Agentic AI, Coding, Local AI, Small Business, Cost Savings

A Self-Hosted Coding Agent That Actually Works Just Dropped. Here's the Setup.

Three days ago, Alibaba's Qwen team quietly pushed a model to Hugging Face called Qwen3.6-35B-A3B. Apache 2.0 license. Available on Ollama the same da…

CivSafe Team·6 min read

Security, Windows, Microsoft Defender, Zero-Day, Small Business, NGO, Patch Management, VPN

Two Unpatched Windows Exploits Are in Active Use Right Now. Microsoft Has No Fix.

Yesterday, Huntress — a security firm that focuses specifically on small and medium businesses — published a detailed breakdown of a live attack campa…

CivSafe Team·7 min read

AI Security, Open Source, Small Business, Self-Hosting, Vulnerability, NGO

Cal.com Just Closed Its Codebase. The Open-Source Security Playbook Is Being Rewritten.

Two days ago, Cal.com — the open-source scheduling tool that tens of thousands of small teams, nonprofits, and independent businesses have been using …

CivSafe Team·7 min read

Open Source, AI Security, Small Business, Scheduling Tools, Software Supply Chain, Self-Hosting

Cal.com Just Locked Down Its Code. The Reason Should Make You Audit Your Whole Stack.

Yesterday, Cal.com flipped a switch that nobody saw coming. If you're not familiar: Cal.com is the self-hosted, open-source Calendly alternative that …

CivSafe Team·7 min read

AI Security, Supply Chain, NPM, GitHub Actions, Open Source, Small Business, North Korea

North Korea Hijacked the NPM Package Your CI/CD Trusts Implicitly

Last week, the full picture emerged on a supply chain attack that should rattle anyone running a software team. North Korean state actors — the group …

CivSafe Team·7 min read

AI Security, Phishing, Microsoft 365, MFA, NGO, Small Business, OAuth

Your Microsoft 365 MFA Doesn't Stop This Attack. Here's the 15-Minute Fix.

Four days ago, Black Arrow Cyber — a firm that watches this stuff for a living — issued an emergency advisory to its clients. The subject: an active p…

CivSafe Team·7 min read

AI Security, Shadow AI, Data Privacy, Small Business, NGO, Risk, Compliance

Half Your Team Is Using AI You've Never Seen. Here's What That Costs You.

A new report from Netskope landed this week with a number that should stop most org leaders cold: 47% of employees who use generative AI at work are d…

CivSafe Team·6 min read

AI Costs, Open Source AI, Small Business, API Strategy, DeepSeek, Model Selection, Canada

The US Just Lost the AI Chip War. Here's What That Means for Your Team's API Bill.

Two days ago, CnTechPost confirmed what's been brewing in the background for weeks: DeepSeek is targeting late April for the launch of V4, its next fl…

CivSafe Team·7 min read

Open Source AI, Meta, LLM, Vendor Risk, Small Business, AI Strategy, Local AI

Meta Went Closed-Source This Week. Your Llama Bet Just Got Riskier.

Meta launched a new AI model this week. It's called Muse Spark. It's their most capable model yet. And unlike every Llama release before it — it's com…

CivSafe Team·6 min read

Open Source AI, AI Agents, Small Business, Local AI, Cost Savings, LLM, Automation

The Open-Source Model That Now Beats Everything — And Works 8 Hours Straight Without You

Monday, Z.ai dropped GLM-5.1. If you missed it, here's the short version: an open-source model just hit number one on SWE-Bench Pro — the most credibl…

CivSafe Team·7 min read

AI Tools, Open Source, Model Selection, Local AI, Small Business, Benchmarks, Risk

Meta Submitted a Fake Model to the Benchmark Everyone Uses. Here's What That Means for You.

Last week, Meta released Llama 4. The model ranking everyone uses — LMSYS Arena, also known as LMArena — had already shown it at #2 globally. Big spla…

CivSafe Team·6 min read

Open Source AI, Reasoning Models, AI Cost, Small Business, Agentic AI, LLM

A 26-Person Startup Just Released the World's #2 Reasoning Model. Here's What That Means for Your Team.

A 26-person startup just beat almost every AI model on the planet at reasoning tasks. The model is free to download, commercially licensed, and availa…

CivSafe Team·6 min read

AI Tools, Open Source, Memory Systems, Small Orgs

Milla Jovovich Just Shipped the Best Free AI Memory System on GitHub

Yes, that Milla Jovovich. Leeloo from The Fifth Element. She and developer Ben Sigman built an AI memory system called [MemPalace](https://github.com/…

CivSafe Team·2 min read

AI Tools, Privacy, Local AI, Open Source, Small Business, NGO, Cost Savings, Security

Your Mac Already Has Free, Private AI Built In. An Indie Dev Just Unlocked It.

This landed on Hacker News four days ago with 513 upvotes and almost no coverage outside of developer circles. It deserves a wider audience. An indie …

CivSafe Team·6 min read

AI Procurement, Open Source, Vendor Risk, Small Business, Legal, Due Diligence

The AI Vendor That Wasn't: What the Delve Scandal Means for Small Orgs Buying AI Tools

On April 4, Y Combinator publicly cut ties with one of its portfolio companies. That almost never happens. YC does not do this. They'll quietly distan…

CivSafe Team·6 min read

AI Tools, Open Source, Local AI, Cost Savings, Small Business, Workflow Automation, Privacy

Gemma 4 Dropped This Week. The License Is the Real Story.

On April 2nd, Google released Gemma 4. Multimodal. Four model sizes. Runs on Ollama. You can pull it to a Mac mini and process PDFs, images, audio, an…

CivSafe Team·6 min read

AI Security, CrewAI, Prompt Injection, RCE, AI Agents, Small Business, Open Source

If Your Team Runs CrewAI Agents, You Have a Remote Code Execution Problem

Four days ago, CERT published [VU#221883](https://kb.cert.org/vuls/id/221883). If you've been building AI agent workflows with CrewAI — or if anyone o…

CivSafe Team·6 min read

AI Security, Supply Chain, Open Source, Small Business, Python, LLM

A Backdoored AI Library Just Auto-Executed on Thousands of Machines

Last week a popular open-source AI library got backdoored. Not in a theoretical "this could happen" way. In a "malicious code was published to PyPI, a…

CivSafe Team·6 min read

AI Security, Vibe Coding, Open Source, CVE, Small Business, Software Supply Chain

Researchers Are Tracking Every CVE Introduced by AI Coding Tools. The March Numbers Are Alarming.

Last week, researchers at Georgia Tech's Systems Software & Security Lab published their March numbers for the [Vibe Security Radar](https://www.infos…

CivSafe Team·5 min read

AI Tools, Open Source, Privacy, Workflow Automation, Small Business, Speech Recognition

Cohere Just Beat Whisper. Your Audio Should Stop Leaving Your Building.

There's a quiet workflow running in a lot of organizations right now: record meeting, upload to Whisper or Otter.ai or some similar service, get a tra…

CivSafe Team·7 min read

AI Security, API Keys, Small Business, NGOs, Workflow Automation

Your Team Just Started Using AI Tools. Your API Keys Are Already Leaking.

Here's something nobody in the "AI transformation" conversation is talking about. GitGuardian just dropped their annual State of Secrets Sprawl report…

CivSafe Team·6 min read

AI Security, Vibe Coding, Small Business, Code Quality, Anthropic

Anthropic Leaked Its Own Source Code. Vibe Coding Is Probably Why.

This morning, Anthropic [published Claude Code v2.1.88 to npm](https://www.theregister.com/2026/03/31/anthropic_claude_code_source_code/) with a 59.8 …

CivSafe Team·3 min read

AI Tools, Workflow Automation, Nonprofits, Public Sector, Anthropic

Anthropic's Dispatch Lets You Queue AI Work From Your Phone Overnight

Anthropic shipped something two weeks ago that we haven't stopped thinking about. It's called Dispatch. It's part of Cowork, the Claude agent that run…

CivSafe Team·5 min read

OCR, AI Tools, Cost Savings, Small Business, Document Processing

GLM-OCR Costs $0.03 Per Million Tokens and Beats Models 260x Its Size

Zhipu AI released GLM-OCR in February. It has 0.9 billion parameters. It scored 94.62 on OmniDocBench V1.5, which puts it at the top of the leaderboar…

CivSafe Team·4 min read

AI Tools, Open Source, Workflow Automation, Small Business, AI Agents

A Self-Improving AI Agent Your Team Can Run for $5/Month Just Shipped

If you're waiting for a vendor to sell you an AI agent that learns your team's workflows over time — you're already behind. That thing shipped yesterd…

CivSafe Team·5 min read

AI, Strategy, Public Sector, Implementation

Your AI Strategy Document Is Gathering Dust. Here's What to Do Instead.

Let's talk about the elephant in the room. Your organization probably has an AI strategy document. Maybe it cost you $200K from a Big Four firm. Maybe…

CivSafe Team·3 min read

AI Tools, Early Adoption, Practical AI, Small Business

The AI Tools Nobody's Talking About Yet (But Will Be in 3 Weeks)

Here's a pattern we've noticed working in AI every day: there's about a 3-week gap between when something useful drops and when the mainstream tech pr…

CivSafe Team·3 min read
CivSafe — Strategic Innovation. Community Impact.