Anthropic's AI pause offer 🤖, 1-click repo theft 🔑, Meta's hidden face-rec 📱

Nadella opened Build with Windows front and centre for the first time in years, showing off the Surface RTX Spark Dev Kit he calls a 'dream machine', days after Nvidia returned to Windows on Arm with its RTX Spark chips. The pitch reframes Gates's old mission as 'unmetered intelligence on every desk and in every home': hardware you own handling AI locally, with the cloud only for overflow.

Cloudflare acquired VoidZero, Evan You's company behind Vite, Vitest, Rolldown and Oxc. Vite is the build tool under Vue, SvelteKit, Nuxt, Astro, Solid, Angular, React Router and TanStack Start, which makes this the JavaScript ecosystem's shared foundation changing hands. Everything stays MIT-licensed and vendor-neutral, the VoidZero team keeps leading the projects, and Cloudflare is putting $1 million into a Vite ecosystem fund.

Ideogram's first open-weight foundation model is out: a 9.3B single-stream diffusion transformer trained from scratch, with weights on Hugging Face and code on GitHub. Two choices set it apart from peer releases, a vision-language text encoder (Qwen3-VL-8B) and structured JSON prompts that give you direct control over layout. If you pay per call for image generation, you can now self-host instead.

Supabase raised $500 million at a $10.5 billion valuation, roughly double its October mark, in a round led by GIC with Stripe along for the ride. The structural fact buried in the fundraise: AI coding tools now create the majority of databases on the platform, with Claude Code the largest contributor in 2026. Vibe coding has a default backend, and investors just priced it.

Morgan Stanley will let autonomous agents from client corporations pull data directly from ShareWorks and Equity Edge, its stock-plan platforms, bypassing the interfaces built for human users. A handful of clients already have agentic access, and all 3,400 administration clients get it by next year. Its product chief expects corporate clients to simply stop logging in, among the first such moves by a major Wall Street bank.

University of Toronto researchers built a worm that spreads autonomously through an enterprise test network using a small, free, open-weight model running on a single GPU. It targets known unpatched bugs and misconfigurations rather than zero-days, because that is what real attacks use. The team withheld the model name and code, warning that the underestimated threat is not frontier models but the cheap ones.

Cloudflare data shows automated traffic now makes up 57.5 percent of HTTP requests, the first time bots have passed humans in the internet's history. CEO Matthew Prince had pencilled in the crossover for late 2027; his reaction was 'welp, that happened faster than I predicted'. The growth is not crawlers or fraud bots, it is agents browsing on behalf of humans: comparing flights, checking prices, reading product pages.

Ramp's agent closes the books, and design-partner feedback was too slow and too easy to overfit. So the team built a benchmark instead: complex synthetic businesses, real book-close tasks, and grading criteria developed with working accountants. The offline dataset let them pick a frontier model, tune the harness and catch regressions before customers hit them. A useful template for any vertical agent.

Ammar Askar dropped a working zero-day for github.dev: opening the browser editor hands it an OAuth token covering every repository you can reach, and his proof of concept steals it by simulating keystrokes that silently install a workspace extension. He skipped responsible disclosure after MSRC shipped one of his earlier fixes without credit. Microsoft acknowledged the flaw and patched it a day later.

An engineer built an app with a hardened API but a wide-open Firebase backend, a misconfiguration he keeps finding in real audits, then paid nine models to break in. GPT-5.5 succeeded on seven of ten runs at $9.46 per solve, DeepSeek-V4-Pro managed three at 62 cents each, both Claudes got two, and five models scored zero. The capability gap on offensive work is enormous.

A researcher decompiled Meta's smart-glasses companion app and found three face-recognition models totalling roughly 100MB, wired end to end: detect a face, build a 2048-dimension biometric embedding, search a local index, fire a 'Person Recognized' notification. He ran the whole pipeline on a test image. None of it is active for ordinary users; the apparatus sits assembled, functional and gated by Meta.

Chiang opens on Anthropic, whose real specialty, he writes, is anthropomorphism: an 84-page constitution written 'with Claude as its primary audience' and executives openly entertaining machine consciousness. His case is that an LLM generating a helpful assistant is doing exactly what it does generating a Caesar-Khan dialogue, writing fiction. Confusing fluent text with moral agency assigns responsibility to precisely the wrong parties.

Anthropic published its evidence on recursive self-improvement: more than 80 percent of code merged into its codebase is now authored by Claude, and the typical engineer merges 8x as much per day as in 2024. The unusual part comes at the end. Anthropic says it would slow or temporarily pause frontier development if other labs verifiably did the same, and its Institute will build the verification systems a credible pause requires.

Ashby's EMEA engineering head lays out the operating model behind a notable stat: since August, more than half the new code hitting production at the 100,000-weekly-user recruiting platform is AI-generated, with customer issues broadly stable. Two ground rules survive the shift: empathy cannot be delegated to a model, and you are responsible for what you ship, whoever typed it.

Carson Gross (htmx creator) concedes AI has made code genuinely cheap, then maps what that does to the job. Generated code arrives without understanding, which must now be bought back by reading it, and LLMs are prolific coders with no fear of complexity. His answer is the subtractive engineer who prides themselves on the code they remove, not the code they create.

Vin Vashishta argues the app layer is being disintermediated the way AI Overviews gutted websites: clicks on top results fell from 15% to 8% and zero-click searches hit 69%. Microsoft, Meta and Tencent all shipped agent surfaces in one week, with Siri's App Intents next. Apps compress into function calls; only hard logic and the data layer keep their value.

Kerman Kohli's 8,000-word essay argues the AI-bubble framing is backwards: demand for machine labour is effectively infinite and the binding constraint is a semiconductor supply chain controlled by fewer than 20 companies. He works through lithography, advanced packaging, HBM and power, sourcing earnings calls to show each layer is booked out for years.

Anthropic put the reference implementation behind its security work on GitHub: a Claude-powered pipeline covering the full recon, find, triage, report and patch loop, distilled from deployments with security teams since Mythos Preview launched. It is explicitly a fork-and-customise artefact rather than a product (the hosted option is Claude Security), and it runs on whatever Claude API access you already have, including Bedrock and Vertex.

KV-cache quantisation usually trades throughput and accuracy for capacity, which is why almost nobody turns it on in production. Huawei's KVarN is a native vLLM attention backend claiming all three: 3-5x cache capacity, up to 1.3x FP16 throughput, and FP16-level accuracy on Qwen3-32B at 16K context. One flag, no model changes, no calibration. Worth a benchmark if you serve long-context or agentic workloads.

An open-source rebuild of Google's NotebookLM that you run yourself: load sources into notebooks, query them, and generate the podcast-style audio overviews that made the original famous, without handing your research corpus to Google. The repo promises 'more flexibility and features' than the original, and at roughly 25,000 stars with 482 added in a single day, it is trending hard.

Alibaba open-sourced the AI code review agent it has run internally for two years, serving tens of thousands of developers and flagging millions of defects. It pairs deterministic engineering (file selection, bundling, rule matching, comment positioning) with an LLM agent for judgment, targeting the coverage gaps and position drift that plague general-purpose reviewers. Installs via npm; bring an OpenAI or Anthropic key.