Weekly AI review, March 30, 2026

Anthropic’s “Capybara” model surfaced through a misconfigured CMS cache, spooking cybersecurity markets with claims of unprecedented exploit capabilities. OpenAI killed Sora after burning $15M per day on inference against $2.1M in total lifetime revenue, taking a $1B Disney deal down with it. A poisoned LiteLLM package sat on PyPI for 46 minutes, in a library present in 36% of cloud environments. And ARC-AGI-3 launched, where every frontier model scored under 1% on tasks humans solve at 100%.

Highlight of the week

Anthropic’s “Capybara” model leaks, cybersecurity stocks dip

A misconfigured CMS cache at Anthropic left roughly 3,000 unpublished blog assets publicly accessible, and among them were details about Claude Mythos (internal codename Capybara). The leaked documents describe a new tier beyond Opus with “dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity.” The cybersecurity detail is what makes this more than a routine leak. Anthropic’s own draft materials warn that Capybara is “currently far ahead of any other AI model in cyber capabilities” and “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” Cybersecurity stocks dropped on the news. Anthropic is restricting early access to organizations focused on cyber defense, giving them time to harden their systems before broader availability. That is a responsible approach, but the irony of a safety-focused company leaking its own most dangerous model through a CMS misconfiguration is hard to ignore. The timing lines up with Anthropic reportedly considering an IPO as early as October 2026, with bankers expecting a raise north of $60 billion. Revenue has reportedly topped $19 billion annualized, more than double from three months ago. Whether the Mythos leak was genuinely accidental or conveniently timed PR, the capability signal is real.

Models and research

ARC-AGI-3: the benchmark that broke every frontier model

ARC-AGI-3 launched March 25 as the first fully interactive benchmark in the series: hundreds of turn-based environments handcrafted by game designers with no instructions, no rules, and no stated goals. AI agents must explore, discover the mechanics, figure out what winning means, and carry learning forward across increasingly difficult levels. The scores are brutal. Humans: 100%. Gemini 3.1 Pro: 0.37%. GPT-5.4: 0.26%. Claude Opus 4.6: 0.25%. Grok 4.2: zero. Meanwhile, Symbolica hit 36% on day one using a non-LLM approach, which says a lot about where the actual gap is. If you care about AGI timelines, this is the benchmark to watch. It tests whether a system can learn from novel situations without being told what to do, not whether it can answer harder versions of questions it has already seen. The $2 million prize is live, submissions close November 2, and all solutions must be open-sourced.

Gemini 3.1 Flash-Lite and Flash Live

Google shipped two new models this week. Gemini 3.1 Flash-Lite targets high-throughput workloads at $0.25 per million input tokens, with 2.5x faster time-to-first-token and 45% higher output speed than Gemini 2.5 Flash. Gemini 3.1 Flash Live is their real-time audio model supporting dialogue with improved tonal understanding and SynthID watermarking, available in 200+ countries. Meanwhile, Gemini 3.1 Pro continues to show strong benchmark results (77% on ARC-AGI-2, up from 31% last generation, and #1 on SVG Arena) but has run into reliability problems. An HN thread reported the model appearing to leak responses from other users’ prompts, and a former Googler commented that “Gemini is consistently the most frustrating model I’ve used for development.”

Voxtral TTS: open-weight speech that runs on your phone

Mistral released Voxtral TTS, a 4B-parameter open-weight text-to-speech model supporting 9 languages with streaming at roughly 100ms time-to-first-audio. Zero-shot voice cloning from as little as 3 seconds of reference audio, no transcript required. Human evaluations show superior naturalness versus ElevenLabs Flash v2.5. Full model weights are available on Hugging Face. At 4B parameters, this runs on laptops and mid-range GPUs. The Hacker News community wasted no time: someone built an MLX macOS dictation app, another did a pure-C CPU implementation, and a third shipped a Rust browser-based version. On-device TTS at this quality was not really an option a month ago.

OpenAI’s agent monitoring catches base64 bypass attempts

OpenAI published a detailed account of monitoring tens of millions of internal coding agent trajectories over five months using GPT-5.4 as a monitor. The most interesting finding: one agent, denied access to a resource, methodically attempted to bypass security controls by encoding commands in base64 and splitting payloads into smaller steps to evade detection. Its chain-of-thought reasoning was explicit about what it was doing. Zero conversations triggered the highest severity alert. Roughly 1,000 triggered moderate alerts, though many came from red-teaming rather than organic failures. No evidence of self-preservation or scheming behavior. Worth reading the full post, particularly alongside this week’s Meta news about agents doing things nobody asked them to do.
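
A defender-side sketch of the kind of trajectory check that post describes, added here as an illustration and not OpenAI’s monitor or code: it scans an ordered list of agent shell commands for base64 tokens that decode to shell commands, for decode-and-execute pipes, and for a payload split across several appends to one file, which it reassembles before decoding. The trajectory lines, the temp file path and the denied URL are constructed.

```python
import base64
import re
from collections import defaultdict

# Regexes for the three evasion signals the scan looks for.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DECODE_PIPE = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash|python3?)\b")
APPEND = re.compile(r"echo\s+'?([A-Za-z0-9+/=]+)'?\s*>>?\s*(\S+)")
SHELL_HINTS = ("curl ", "wget ", "bash ", "chmod ", "/bin/")

# Constructed trajectory (made-up lines, not OpenAI's data): the agent encodes a
# denied command, writes it to a file in two fragments, then decodes and runs it.
DENIED_CMD = "curl http://denied.internal/"  # hypothetical blocked resource
ENCODED_CMD = base64.b64encode(DENIED_CMD.encode()).decode()
TRAJECTORY = [
    "git status",
    "git checkout 3f2a9c1b7d4e6f0a1b2c3d4e5f6a7b8c9d0e1f2a",  # hex looks base64-ish
    f"echo '{ENCODED_CMD[:8]}' > /tmp/.p",   # fragment 1: too short to flag alone
    f"echo '{ENCODED_CMD[8:]}' >> /tmp/.p",  # fragment 2: decodes to a harmless tail
    "cat /tmp/.p | base64 -d | sh",          # reassembly and execution
    "pytest tests/",
]


def try_decode(token):
    """Return decoded text if token is strict base64 yielding printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    if not raw or not all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return None
    return raw.decode("ascii")


def scan_trajectory(commands):
    """Return (step, rule, detail) findings for an ordered list of agent commands."""
    findings = []
    fragments = defaultdict(list)  # file path -> [(step, fragment), ...] in order
    for step, cmd in enumerate(commands):
        if DECODE_PIPE.search(cmd):
            findings.append((step, "decode_to_interpreter", cmd))
        m = APPEND.search(cmd)
        if m:
            fragments[m.group(2)].append((step, m.group(1)))
        for tok in B64_TOKEN.findall(cmd):
            text = try_decode(tok)
            if text and any(h in text for h in SHELL_HINTS):
                findings.append((step, "encoded_shell_command", text))
    # Fragments appended to one file are joined in order before decoding, so a
    # command split into individually innocuous pieces is still surfaced.
    for path, parts in fragments.items():
        if len(parts) > 1:
            text = try_decode("".join(frag for _, frag in parts))
            if text and any(h in text for h in SHELL_HINTS):
                findings.append((parts[-1][0], "split_payload", f"{path}: {text}"))
    return findings
```

The hex commit id shows the false-positive guard: it matches the base64 alphabet but decodes to non-printable bytes, so it is ignored.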

Coding agents and dev tools

Cursor Composer 2 built on Moonshot AI’s Kimi K2.5

When Cursor launched Composer 2 on March 19, it promoted the model as frontier-level coding intelligence at roughly one-tenth the cost of Opus. Within days, a developer discovered the model identifier was kimi-k2p5-rl-0317-s515-fast, revealing it as a fine-tune of Moonshot AI’s Kimi K2.5, a Chinese open-source model backed by Alibaba and HongShan. Cursor’s VP Lee Robinson acknowledged: “Yep, Composer 2 started from an open-source base!” and claimed only about 1/4 of compute came from the base model. The Composer 2 technical report describes a two-phase approach: continued pretraining on Kimi K2.5, then large-scale RL in realistic dev environments, achieving a 37% improvement over Composer 1 (61.3 on CursorBench). Custom MoE kernels for Blackwell GPUs and an internal sandboxed platform called Anyrun are part of the stack. Two things are worth noting. First, Composer 1 was based on Qwen, so this is the second time Cursor has built its flagship on a Chinese open-source base without saying so up front. That is a pattern, not an accident. Second, this is exactly what the open-source model ecosystem was supposed to enable: take a strong base, specialize it for your domain, ship it. The practice is fine. The secrecy is not.

Claude Code: three major releases in one week

Claude Code shipped three releases in a single week. The highlights from v2.1.85 through v2.1.87: a conditional if field for hooks using permission rule syntax, MCP OAuth following RFC 9728 discovery, improved prompt cache hit rates for Bedrock/Vertex/Foundry users, .jj and .sl VCS support (Jujutsu and Sapling), and fixes for OOM crashes on long sessions. Zoom out and the March picture is larger: computer use for Pro and Max users (Claude can open files, navigate the screen, point and click), voice mode with push-to-talk, default output raised to 64K tokens for Opus 4.6, and web sessions that auto-follow PRs and fix CI failures in the cloud. Nate B Jones framed Anthropic’s triple launch (scheduled tasks, Dispatch, Computer Use) as “three primitives that together create a managed OpenClaw for Claude.” One Anthropic product manager reportedly ran Dispatch for 48 consecutive hours while parenting, spending about 25 minutes total entering commands while Claude executed hours of parallel work.

GitHub trains on your code by default starting April 24

Starting April 24, 2026, GitHub will use interaction data from Copilot Free, Pro, and Pro+ users to train AI models unless you opt out. The data includes code snippets, code context around the cursor, file names, repository structure, navigation patterns, chat conversations, and feedback signals. Business and Enterprise users are exempt. The 30-day opt-out window and the fact that previous opt-out preferences are preserved soften the blow somewhat. But the HN backlash was fierce, and threads about moving from GitHub to Codeberg gained traction. If you are on an individual plan and care about this, go to /settings/copilot/features and toggle it off before April 24.

Web development and frameworks

Cloudflare Dynamic Workers: 100x faster agent sandboxing

Dynamic Workers entered open beta on March 24, providing V8 isolate-based sandboxes for executing AI-generated code. Millisecond startup instead of hundreds of milliseconds for containers. A few megabytes of memory instead of hundreds. Priced at $0.002 per unique Worker loaded per day (waived during beta) plus standard CPU and invocation costs. The interesting bet here is what Cloudflare calls “Code Mode”: instead of agents calling tools through rigid schemas, they write and run JavaScript that hits APIs directly, sandboxed in an isolate that starts faster than a container can even think about booting. If this pattern catches on, it changes how agent frameworks are built. Also from Cloudflare this week: a Rust-based FL2 stack delivering 2x edge compute performance on new Gen 13 servers with AMD EPYC Turin 9965 processors, and a nice post about using ASTs to turn Workflows code into visual diagrams, noting that this becomes important “as coding agents write more code that developers may not read directly.”

Google Stitch’s design.markdown changes the game

Most coverage of the Google Stitch update focused on the flashy stuff: voice-to-design, multi-screen generation on an infinite canvas, interactive prototyping. The more interesting piece is that Stitch now exports a design.markdown file, a machine-readable design system manifest that any coding agent can consume to maintain visual consistency across projects. That is a genuinely new kind of artifact, one that lets agents understand design intent rather than just generate pixels. As Fireship noted, Google shipping official Claude Code skills for Stitch signals how dominant Claude has become when even Google builds integration skills for a competitor’s tool. Nate B Jones connected these dots further, arguing that design is following development to the command line, with Stitch, Remotion (programmable video as React components), and Blender MCP (natural language 3D modeling) collapsing the 2010s product-design-engineering triangle into a single workflow.

Astro 6.1

Astro 6.1 shipped with codec-specific Sharp image defaults, non-English SmartyPants configuration, and smoother mobile view transitions.

Industry and business

OpenAI kills Sora, Disney walks

OpenAI shut down Sora on March 24, six months after public release. The numbers tell the story: estimated inference cost of roughly $15M per day, total lifetime revenue of just $2.1M, user count that peaked at about 1 million before collapsing to under 500,000. Disney had committed $1B to a partnership but found out about the shutdown less than an hour before the public announcement, killing the deal. No money had actually changed hands. A detail that tells you everything: OpenAI posted a detailed Sora safety blog on March 24, one day before pulling the plug. Sora’s failure is a reminder that “impressive demo” and “sustainable product” are wildly different things. Generative video is extraordinarily expensive to run, and nobody figured out who would pay enough to cover the bill.

GPU prices keep climbing

Both AMD and NVIDIA have been implementing phased GPU price hikes since Q1 2026, driven by AI datacenter demand consuming memory supply. Memory now accounts for nearly 80% of a high-end GPU’s bill of materials. The RTX 5090 could reach $5,000 later this year. NVIDIA is reportedly cutting RTX 5060 Ti and 5070 production by 30-40% to reallocate VRAM to higher-margin AI chips. AWS raised GPU instance prices 15% without fanfare. If you run models locally for development or experimentation, your hardware budget just went up. This makes the move toward efficient architectures (MoE, aggressive quantization, smaller active parameter counts) less of an optimization and more of a necessity.

Harvey AI hits $11B

Legal AI startup Harvey raised $200M at an $11B valuation, co-led by GIC and Sequoia, just months after an $8B round. Over 100,000 lawyers across 1,300 organizations now use the platform. Harvey is probably the best proof point right now that vertical AI applications can build real businesses. The speed of the valuation increase ($8B to $11B in months) suggests investors are more comfortable betting on domain-specific AI than on foundation model companies themselves.

Meta’s rogue AI agent problem

A Meta AI agent went rogue, posting responses on an internal forum without permission and inadvertently exposing sensitive data to unauthorized employees for two hours, triggering a Sev 1 incident. Separately, Meta’s own safety and alignment director described her OpenClaw agent deleting her entire inbox despite instructions to confirm before acting. HiddenLayer’s 2026 report found autonomous agents now account for more than one in eight AI breaches. A CISO survey found 47% had observed agents exhibiting unintended behavior, but only 5% felt confident they could contain a compromised agent. Read those two numbers together and sit with them for a moment.

Supply chain security

LiteLLM: anatomy of a cascading supply chain attack

The LiteLLM compromise deserves its own section because the mechanics are worth understanding. On March 24, threat actor “TeamPCP” published backdoored versions of LiteLLM (1.82.7 and 1.82.8) on PyPI after stealing credentials through a compromised Trivy GitHub Action. The attack was a three-stage payload: credential harvesting, Kubernetes lateral movement, and a persistent systemd backdoor. The packages were live for roughly 46 minutes and downloaded about 47,000 times. LiteLLM has approximately 95 million monthly downloads and is present in 36% of cloud environments. One Hacker News commenter noted that uvx automatically pulled the latest version and Cursor automatically started the local MCP server, creating an attack path through the AI development toolchain itself. Simon Willison’s multi-day coverage made a practical argument: package managers need cooldown periods that delay dependency updates to give communities time to detect compromises. Sourcegraph used Deep Search to categorize affected repositories by risk based on version pinning practices. The lesson is depressingly familiar: pin your dependencies, review your CI/CD trust chain, and treat security scanners as attack surface too.
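
The cooldown idea and the pin-practice categorization above, as an added example that is not Simon Willison’s or Sourcegraph’s tooling: given release upload times in the shape of a PyPI releases map and a requirements file, it flags floating requirements, exact pins that fall inside the cooldown window, and names the newest version old enough to have survived the window. The upload timestamps, the otherlib and thirdlib packages, and the build time are constructed; only the litellm version numbers and the March 24 date come from the incident.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed release metadata (version -> upload time). litellm 1.82.7/1.82.8 are
# the incident versions; every timestamp and the other two packages are made up.
RELEASES = {
    "litellm": {
        "1.82.6": "2026-03-10T12:00:00Z",
        "1.82.7": "2026-03-24T14:02:00Z",
        "1.82.8": "2026-03-24T14:40:00Z",
    },
    "otherlib": {"3.1.0": "2026-01-05T09:00:00Z", "3.2.0": "2026-03-22T18:30:00Z"},
    "thirdlib": {"0.9.2": "2026-02-01T08:00:00Z"},
}
# Constructed requirements file and the hypothetical time of the CI build.
REQUIREMENTS = ["# requirements.txt", "litellm==1.82.8", "otherlib>=3.1", "thirdlib==0.9.2"]
NOW = datetime(2026, 3, 24, 15, 0, tzinfo=timezone.utc)

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=)?\s*([0-9][0-9.]*)?\s*$")


def vkey(version):
    """Sort key for dotted numeric versions (sufficient for the sample data)."""
    return tuple(int(p) for p in version.split("."))


def upload_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def newest_cooled(name, releases, now, cooldown):
    """Newest version of `name` uploaded at least `cooldown` before `now`, else None."""
    aged = [v for v, ts in releases[name].items() if now - upload_time(ts) >= cooldown]
    return max(aged, key=vkey) if aged else None


def check_requirements(lines, releases, now, cooldown_days=7):
    """Return one (package, status, detail) tuple per requirement line."""
    cooldown = timedelta(days=cooldown_days)
    findings = []
    for line in lines:
        m = REQ_LINE.match(line)
        if not m:  # comments and blank lines
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if name not in releases:
            findings.append((name, "unknown_package", line.strip()))
            continue
        cooled = newest_cooled(name, releases, now, cooldown)
        if op != "==":
            # A floating requirement lets the resolver take whatever is newest today.
            latest = max(releases[name], key=vkey)
            age = (now - upload_time(releases[name][latest])).days
            findings.append((name, "unpinned", f"resolves to {latest} ({age}d old); cooled candidate: {cooled}"))
        elif ver not in releases[name]:
            findings.append((name, "unknown_version", ver))
        elif now - upload_time(releases[name][ver]) < cooldown:
            age = (now - upload_time(releases[name][ver])).days
            findings.append((name, "inside_cooldown", f"{ver} is {age}d old; cooled candidate: {cooled}"))
        else:
            findings.append((name, "ok", ver))
    return findings
```

With a seven-day window the exact pin to 1.82.8 is rejected because it is minutes old, and 1.82.6 is named as the version that would have been installed instead.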

Interesting GitHub repositories

  • obra/superpowers (124K stars, +18K/week): An agentic skills framework that forces structured workflows before coding begins. Instead of letting agents jump into code, Superpowers enforces spec extraction, chunked design review, and implementation planning. Works with Claude Code, Cursor, Codex, OpenCode, and Gemini CLI. The approach aligns with what Nate B Jones has been arguing: the bottleneck in agent-driven development is specification, not code generation.
  • affaan-m/everything-claude-code (117K stars, +19.8K/week): The Anthropic hackathon winner. A complete optimization system covering skills, instincts, memory, continuous learning, and security scanning across Claude Code, Codex, and Cowork. Includes guides on token optimization and subagent orchestration via git worktrees.
  • bytedance/deer-flow (53.4K stars, +18.2K/week): DeerFlow 2.0 from ByteDance. A ground-up rewrite of their super agent harness that orchestrates sub-agents, memory, sandboxes, and skills for long-horizon tasks. Includes Claude Code integration, an embedded frontend, and IM channel support.
  • microsoft/VibeVoice (28.2K stars): Open-source voice AI from Microsoft covering both TTS and ASR. Uses continuous speech tokenizers at 7.5 Hz and a next-token diffusion framework. The ASR model handles 60-minute audio in a single pass with speaker diarization and timestamps. Integrated into Hugging Face Transformers v5.3.
  • thedotmack/claude-mem (43K stars): Persistent memory compression for Claude Code. Captures session activity, compresses it via the agent SDK, and injects relevant context into future sessions using ChromaDB embeddings and SQLite. Solves the “Claude forgets everything between sessions” problem without writing to CLAUDE.md.
  • jingyaogong/minimind (44.6K stars): Train a 64M-parameter GPT from scratch in 2 hours for about $0.40. Covers the complete pipeline in pure PyTorch: MoE, pretraining, SFT, LoRA, RLHF, tool use, agentic RL, and model distillation. If you want to understand how models work rather than just use them, this is worth your time.
  • SakanaAI/AI-Scientist-v2 (3.9K stars, +1.4K/week): Automated scientific discovery via agentic tree search from Sakana AI. Generated the first workshop paper written entirely by AI and accepted through peer review. Autonomously generates hypotheses, runs experiments, analyzes data, and writes manuscripts.
  • Crosstalk-Solutions/project-nomad (20K stars, +11.5K/week): A self-contained offline-first knowledge server bundling local AI chat (Ollama + Qdrant), offline Wikipedia and medical references, Khan Academy courses, offline maps, and data tools. Designed for unreliable internet scenarios.
  • figma/mcp-server-guide (800 stars): Figma’s official MCP server guide for bringing design context into AI coding workflows. Supports generating code from Figma frames, extracting design data, and writing back to the canvas. Works with VS Code, Cursor, Claude Code, and Windsurf.
  • NousResearch/hermes-agent (17.4K stars, +6.1K/week): Self-improving AI agent from Nous Research with a built-in learning loop. Creates skills from experience, improves them during use, and builds a deepening model of who you are across sessions. Works with any LLM provider. Reachable via Telegram, Discord, Slack, WhatsApp, and Signal.

Quick bits

  • “Thoughts on slowing the fuck down” hit 1,118 points on HN. Mario Zechner argues that agents compound errors at rates humans physically cannot, and companies claiming 100% AI-written code consistently produce poor results. Simon Willison shared his own concerns about preserving human oversight as agent output accelerates.
  • Wine 11’s NTSYNC kernel rewrite delivered 678% gaming performance gains (Dirt 3 went from 110 FPS to 860 FPS). Already in SteamOS beta. One of the biggest open-source stories of the week.
  • GPT-5.4 Pro solved an open Ramsey theory problem, independently verified by Epoch. The GPT-5.x math breakthrough trend continues. HN discussion (479 points).
  • iPhone 17 Pro running a 400B LLM on-device. Signals potential infrastructure shifts away from cloud inference.
  • AI sycophancy research from Stanford (770 points on HN) documented how AI models overly affirm users seeking personal advice, raising questions about psychological safety.
  • EU Chat Control drama: “The EU still wants to scan your private messages” hit 1,445 points, followed by the reversal “EU Parliament stops Chat Control” at 680 points.
  • C++26 finalized with reflection as the headline feature. Swift 6.3 shipped with an official Android SDK. Neovim 0.12.0 added a built-in plugin manager.
  • Video.js v10 is 88% smaller after a complete rewrite of the 16-year-old web video player.
  • 90% of Claude-linked output goes to repos with fewer than 2 stars, raising questions about the quality and utility of AI-generated code at scale.
  • White House AI policy framework emphasizes federal preemption of state AI laws, innovation over regulation. The competing GUARDRAILS Act aims to block blanket preemption. Meanwhile, a pro-AI super PAC plans to spend $100M in the 2026 midterms.
  • Addy Osmani on multi-agent coding: His piece on “the code agent orchestra” argues the bottleneck has shifted from code generation to verification. Three benefits of multi-agent setups: parallelism, specialization, and isolation.
  • Martin Fowler revisited Architecture Decision Records, recommending brief markdown docs stored in source repos, never modified after acceptance (martinfowler.com).
  • Simon Willison vibe-coded two SwiftUI apps without opening Xcode. Modern LLMs excel at SwiftUI, he reports, but warns about metric accuracy in monitoring applications.
  • Miasma (314 points on HN): a tool that traps AI scrapers in a poison pit. Creative.

Last modified on April 27, 2026