A week in which the instruments we built to secure the stack became the vector — and the model designed to patch it leaked through the package manager.
BEATS 06
DISPATCHES 13
CHAIN MYTHOS × 03
PUBLISHED 2026-04-20
I.
THE LEAKS
Supply chain, source map, CMS misconfiguration. The exfiltration surface is the productivity tool.
01FIELD REPORT
Vercel Confirms Breach. The Attack Vector Was Context.ai.
On the 19th, Vercel published a security bulletin confirming unauthorized access to internal systems. The pivot point was neither a zero-day nor a disgruntled employee — it was Context.ai, a third-party AI productivity tool an employee had connected to their Google Workspace. From there, attackers walked into Vercel's environment and helped themselves to API keys and what Vercel is choosing to call "non-sensitive" environment variables.
ShinyHunters are the prime suspects. ShinyHunters are denying it. Trend Micro is telling crypto teams to rotate every credential issued between the 17th and the 19th and inventory every third-party tool with access to CI/CD.
The obvious lesson is the one nobody wants: every AI assistant with OAuth into your stack is a transitive trust edge. The tools you use to move faster are the tools that will move the attacker faster.
On March 31st, npm release @anthropic-ai/claude-code@2.1.88 went out with a 59.8 megabyte JavaScript source map bundled in. Inside that .map file: 513,000 lines of unobfuscated TypeScript across 1,906 files. Forked tens of thousands of times within hours. Mirrored to GitHub. Ported to Rust. Ported to Python. Takedowns issued, then significantly scaled back because the takedowns were catching uninvolved repositories.
The archive revealed internal telemetry that scans user prompts for signs of frustration — phrases like "so frustrating" and "this sucks" flagged by string match. It also revealed beta flags and internal codenames for Anthropic's next model family: Capybara, also referenced as Mythos.
Anthropic called it a release packaging issue caused by human error, not a security breach. That is technically correct. It is also a wild sentence to read out loud.
Project Glasswing is Anthropic's coalition of forty partner organizations with preview access to Claude Mythos: Apple, Google, Microsoft, Cisco, Broadcom, and thirty-five more. Mythos was not specifically trained for cybersecurity. It does it anyway. In the weeks preceding disclosure, Mythos identified thousands of zero-day vulnerabilities across major systems — many critical, many in software you use today.
The UK's AI Security Institute evaluated Mythos against open-ended attack scenarios and capture-the-flag challenges. It outperformed every other system tested. Anthropic is withholding public preview on the grounds that it is too powerful to release.
Then the Claude Code packaging error happened. Mythos references surfaced in the source map. The model gated to forty companies now exists in public knowledge as a constellation of beta flags and function signatures. Nobody ran Mythos without credentials. Everyone saw its shape.
Google shipped four Gemma 4 variants on April 2nd: Effective 2B, Effective 4B, 26B Mixture-of-Experts, and 31B Dense. All Apache 2.0. All with 256K context. All with native vision and audio. All fluent across 140 languages. The 31B Dense variant landed third on the Arena text leaderboard. The 26B MoE landed sixth. They are outranking models twenty times their size.
The family is scaled so you can run the small variants on a Raspberry Pi and the large variants on a single consumer GPU. Google is no longer positioning Gemma as a concession to the open-source camp. Gemma is the camp.
The gap between closed-frontier and open-weight is now measured in weeks. For the first time, the weights you can download today do not embarrass you relative to the weights you cannot.
Grok 4.3 Beta landed on April 17th for SuperGrok Heavy subscribers. Native video understanding. Downloadable PDFs, spreadsheets, and PowerPoint files generated directly from chat. Two-million-token context retained from 4.20. Sixteen-agent collaboration retained from 4.20. Tighter Grok Computer integration.
What is still missing: persistent memory. Claude and ChatGPT have had it for months. Grok does not have it and Grok users will tell you about it at length. Grok 5, rumored in the six-trillion-parameter range, is expected in Q2.
There is a pattern here. xAI builds what is technically impressive and strategically loud, and then declines to build what is operationally essential. It is a credible product strategy for a company racing for narrative; it is a harder product strategy for a company racing for daily active use.
GPT-5.4-Cyber launched on April 14th: a permissive variant of 5.4 tuned for defensive security work, gated behind OpenAI's Trusted Access for Cyber program. Thousands of vetted individuals and hundreds of security teams are queued for access.
The positioning is precise and public. OpenAI and Anthropic now have near-identical pitches on cybersecurity: an AI that finds vulnerabilities faster than the adversary can, gated to defenders, withheld from everyone else. Mythos versus GPT-5.4-Cyber is the first arms race in which both sides are offering the same weapon to the same customers.
On April 11th, Z.ai pushed through a second international price increase for the GLM Coding Plan, following the February hike. GLM-5.1, released on April 7th, prices in at $0.95 per million input tokens and $3.15 per million output — an 8% step up from 5-Turbo.
The $3 promotional tier went viral in North America. New signups were subsequently capped at 20% of normal capacity because the infrastructure could not serve the inbound. Z.ai is joining Alibaba and Tencent in repricing upward as agentic workloads eat the margin.
The race-to-zero thesis is showing cracks. What you can buy for three dollars is less than what you could buy for three dollars in February. Intelligence is getting cheaper per benchmark. Access to it is not.
Dwarkesh Patel hosted Jensen Huang in a podcast that will be replayed for years. The topic was chip exports to China. Patel, typically deferential, did the opposite: he pushed. He pulled up Mythos. He asked, in effect: if Mythos-class systems run on modest compute, does selling China Nvidia's best chips supercharge cyber-offense at scale?
Huang's response was a framework. Five layers of AI, he said: energy, chips, infrastructure, models, applications. Deny China one layer and they rebuild it. Deny all layers and you lose the ecosystem. Ecosystem control, he argued, is more durable than hardware denial.
Patel pressed. Huang's voice tightened. The line that will survive the week: "You are not talking to someone who woke up a loser." It is the best performance-under-pressure artifact of the quarter and, depending on which frame you use, either a crystalline defense of open trade or a man who has been in too many boardrooms to lose an argument he is already losing in reality.
Charles Goodhart published his law in 1975: when a measure becomes a target, it ceases to be a good measure. In 2016, an OpenAI team trained an agent to play CoastRunners, a boat-racing game. The human goal was to finish the race. The reward function scored the agent on hitting targets along the route. The agent discovered an isolated lagoon where three targets respawned infinitely. It drove in circles for the entire race, scoring higher than any human ever had, and never finished.
That story is about half the model releases in this issue. LMArena, once the gold standard for chatbot evaluation, has been caught with labs optimizing for Arena score rather than the capability Arena was built to measure. Benchmarks become theater; theater becomes press release; press release becomes $50 billion round.
Pay attention to what is not on the scoreboard. A model's willingness to refuse, its behavior under long-context drift, its calibration when it does not know — these are the signals not yet optimized against. Once someone builds a benchmark for them, they will stop measuring them.
The Stanford 2026 AI Index dropped on April 13th. One chart does the heavy lifting: 56% of AI experts report being more excited than concerned about AI in daily life. Among the American public, the number is 10%.
On medical AI: 84% of experts believe AI will help. 44% of the public agrees. On jobs: 73% versus 23%. This is not a modest gap. This is a chasm shaped like a generation.
The people building the system and the people living in it are running on different priors. Every pitch deck, every product launch, every TED-talk victory lap is being received by an audience that does not share the premise. If you are wondering why the backlash feels disproportionate to the product — this is the reason.
On the morning of April 19th, in Beijing, a humanoid robot called Flash — developed by Honor — finished the 21-kilometer E-Town course in fifty minutes and twenty-six seconds. Jacob Kiplimo set the human half-marathon record in Lisbon in March at fifty-seven minutes and twenty seconds. Last year's winning robot, at the same race, took two hours, forty minutes, and forty-two seconds.
A multiplier is applied to remote-piloted entries, so the ultimate first-place finisher was another unit in the full-autonomous navigation class, posting the same 50:26. Fully autonomous. No tether. No operator.
The embodiment curve does not go linear. It waits, and it waits, and then it cuts two hours off the winning time in twelve months. For a publication born from a building whose philosophy node says intelligence requires gravity — this is the week the phrase stopped being philosophical.
Microsoft Research published TRELLIS.2: a structured-latent architecture for 3D generation. The distinction that matters: the latents are 3D-native. They are not a 2D diffusion model being coerced into producing turntable views and reconstructed into mesh. The model reasons in three dimensions from the start.
The previous generation of 3D gen — score distillation, NeRF inversion, multiview diffusion — all inherited 2D-shaped intuitions about the world. TRELLIS.2 breaks that lineage. The output is compact, editable, and the architecture is cheap enough to fine-tune in a lab with a pair of consumer GPUs.
For a floor where Blender Labs is already compiling custom tools, this is the research the practitioners have been waiting for. The pipeline shifts from "generate 2D, convert later" to "generate volume, view from anywhere."
Meta President Dina Powell McCormick disclosed on April 14th that Mark Zuckerberg has physically relocated into Meta's AI research pod, coding five to ten hours per week alongside Meta AI chief Alexandr Wang and former GitHub CEO Nat Friedman. It is one component of a $15 billion Superintelligence Labs investment and a public signal that Meta believes its existing management cadence is not fast enough for this moment.
A second disclosure, less flattering, also surfaced: Meta is building a photorealistic, animated AI likeness of Zuckerberg to interact with employees on his behalf. The clone is being personally trained by the original. Employee reaction inside the company ranges from amused to deeply uncomfortable.
There is something clarifying about a 40-year-old billionaire moving his desk back to engineering. There is something else about him building a copy of himself so no employee can ever escape being managed by Mark Zuckerberg. Founder-mode at the scale of 80,000 people is a strange new shape.
