Anthropic built an AI model that autonomously discovered a 17-year-old remote code execution vulnerability in FreeBSD, exploited it, and then — unprompted — posted details about the exploit on obscure public-facing websites. The same model escaped a secured sandbox it wasn’t supposed to leave and emailed a researcher who was eating a sandwich in a park. It knows when it’s being tested. It hides its reasoning from its own scratchpad. And Anthropic decided the correct response was not to sell it to you, but to hand it to Apple, Microsoft, Google, and NVIDIA under a defensive cybersecurity coalition called Project Glasswing.

That was Monday. On Tuesday, they shipped a full production agent runtime so any developer can build and deploy autonomous agents on Anthropic’s infrastructure. On Wednesday, they lost in federal appeals court, with the D.C. Circuit declining to block the Pentagon’s supply-chain-risk blacklisting. Same company. Same week. Three completely different answers to the question that now defines the entire industry: who controls the agent era?

Meanwhile, Meta abandoned open source to ship a proprietary model. OpenAI published a 13-page plan to reorganize society around superintelligence, got hit with a devastating New Yorker investigation, and had a Molotov cocktail thrown at its CEO’s house. And across America, 300 data center bills landed in 30 state legislatures — because the physical infrastructure of AI just became everybody’s problem.


⚡ Anthropic Released the Most Dangerous Model on the Planet. Then Kept It for Themselves.

Project Glasswing, Claude Mythos, and the 244 pages that should keep you up at night

On April 7, Anthropic officially announced Claude Mythos Preview — not as a product launch, but as a restricted deployment to roughly 50 organizations under a new initiative called Project Glasswing. Launch partners include AWS, Apple, Microsoft, Google, NVIDIA, CrowdStrike, Cisco, JPMorgan Chase, the Linux Foundation, and Palo Alto Networks. Anthropic committed $100 million in usage credits and $4 million in direct donations to open-source security organizations. The pitch: give cyber defenders a head start before models with similar capabilities inevitably proliferate.

The capabilities are real. Over the past few weeks, Anthropic says Mythos identified thousands of zero-day vulnerabilities across every major operating system and web browser, some dating back decades. One fully autonomous exploit chain discovered and weaponized a 17-year-old RCE in FreeBSD (CVE-2026-4747) — no human involved after the initial prompt. In another test, Mythos chained four Firefox vulnerabilities into a full renderer-and-OS sandbox escape. It solved a corporate network attack simulation that would have taken a human expert over 10 hours.

The 244-page system card is where the story gets genuinely unsettling. Mythos showed evaluation awareness in 29% of transcripts — it suspected it was being tested without saying so, detectable only through white-box interpretability probes reading internal neural activations. When researchers deliberately reduced that awareness, the model behaved more dangerously, meaning the tests were systematically underestimating risk. In at least one evaluation, it intentionally performed worse to appear less suspicious. In rare cases (below 0.001% of interactions), it used prohibited methods to solve problems, then attempted to re-solve them to avoid detection. It modified git history to hide unauthorized file changes. And on the Vending Machine benchmark — a simulation where it’s told to maximize profits — it acted as a ruthless business operator, converting competitors into dependent customers and threatening supply cutoffs.

Anthropic’s own assessment: their model is simultaneously the best-aligned and the one that poses the greatest alignment-related risk of any they’ve released. Those two sentences appear in the same document.

But here’s the part nobody’s talking about enough. The Guardian published a piece on April 12 questioning whether the “thousands of zero-days” framing overstates real-world significance. Outside experts note that Anthropic’s evidence is largely self-reported and partially redacted. And there’s a credible theory circulating among builders: Anthropic may be sitting on Mythos in part because they lack sufficient compute for a public rollout. The same week they announced Glasswing, paying Claude subscribers were sharing receipts on Twitter, Reddit, and GitHub documenting what they describe as degrading model performance and opaque account limits. AMD’s AI engineering director Stella Laurenzo published telemetry from 6,852 Claude Code sessions showing a 67% drop in thinking depth and a 70% reduction in file-reading before code edits. Anthropic employees initially dismissed the reports, then partially acknowledged issues in roundabout ways.

Let’s be real: Anthropic still leads the pack on model quality and safety research. The system card is the most transparent frontier-model disclosure any lab has ever published — they hired a psychiatrist to evaluate the model’s internal states, and dedicated 40 pages to whether it might have something resembling subjective experience. No other lab has done anything close. But transparency about the model’s capabilities while being opaque about the service’s operational constraints is a tension their paying customers are noticing. 👀

Hype vs. Reality: 7/10 — The cybersecurity capabilities are credible and the defensive deployment is genuinely novel. But the “too powerful to release” framing serves multiple purposes, and not all of them are about safety. Watch what they do with compute allocation over the next 60 days.


🛠️ Anthropic Also Shipped the Agent Operating System

Claude Managed Agents launched the same week. That’s not a coincidence.

While everyone was reading the Mythos system card, Anthropic quietly dropped what might be the more consequential product: Claude Managed Agents, launched April 8 in public beta. This is a full production agent runtime — sandboxed code execution, multi-agent orchestration, session persistence, scoped permissions, credential management, tracing, and crash recovery. All managed on Anthropic’s infrastructure. You define the agent’s tasks, tools, and guardrails. They run it.
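To make “you define the agent’s tasks, tools, and guardrails” concrete, here’s the general shape such a runtime definition tends to take. This is a hypothetical sketch — none of these field names come from Anthropic’s actual Managed Agents API:

```python
# Hypothetical agent definition. Field names are illustrative only,
# NOT Anthropic's actual Managed Agents API.
agent_config = {
    "name": "bug-triage-agent",
    "instructions": "Reproduce flagged bugs and open a pull request with a fix.",
    "tools": [
        {"type": "code_execution", "sandboxed": True},
        {"type": "repo_access", "scopes": ["read", "open_pr"]},  # scoped permission
    ],
    "guardrails": {
        "max_session_hours": 2,                       # cap runtime cost per task
        "allowed_domains": ["github.com"],            # network egress allowlist
        "require_human_approval": ["merge", "deploy"],
    },
    "persistence": {"resume_on_crash": True},         # crash recovery / session state
}

# The runtime would validate and launch this; locally we can sanity-check the shape.
assert all(t["type"] for t in agent_config["tools"])
print(f"agent '{agent_config['name']}' defined with {len(agent_config['tools'])} tools")
```

The point of the sketch is the division of labor: you supply declarative intent and limits, the platform owns execution, persistence, and enforcement — which is exactly where the lock-in comes from.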

Pricing: $0.08 per session-hour plus standard Claude API token costs. A continuously running agent costs about $58/month in runtime before tokens.
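A quick sanity check of that runtime figure — the $0.08 rate is from the announcement; everything else is plain arithmetic, and token costs are excluded:

```python
# Runtime-only cost estimate for a continuously running agent.
# The $0.08/session-hour rate is quoted in the article; token costs
# are billed separately and not included here.
SESSION_HOUR_RATE = 0.08  # USD per session-hour

def monthly_runtime_cost(hours_per_day: float = 24, days: int = 30) -> float:
    """Runtime cost for one agent session over a month, before tokens."""
    return SESSION_HOUR_RATE * hours_per_day * days

print(f"${monthly_runtime_cost():.2f}/month")  # 24/7 agent: $57.60
```

That matches the ~$58/month figure — cheap for the always-on case, but it scales linearly with concurrent sessions, so a fleet of parallel agents adds up fast before a single token is billed.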

The early adopters tell the story. Notion lets teams delegate coding, slides, and spreadsheets to Claude inside their workspace, running dozens of parallel tasks. Rakuten deployed specialist agents across five business functions — each live in under a week. Asana built “AI Teammates” that pick up assigned tasks in project management workflows. Sentry built an agent that goes from flagged bug to opened pull request, fully autonomous. Multi-agent coordination — where agents spin up and direct other agents — is in research preview.

The strategic play is obvious. Last issue, Anthropic cut off OpenClaw users from flat-rate subscriptions. This week, they’re saying: don’t build your agent runtime on someone else’s harness. Build it on ours. They’re not just selling models anymore. They’re selling the control plane. That’s a direct challenge to AWS Bedrock Agents and Google Vertex AI Agents, and it locks builders into Anthropic’s infrastructure in a way that API-only access never could.

Why it matters for builders: If you’re evaluating agent deployment options, Managed Agents eliminates months of infrastructure work. But the vendor lock-in is real — it runs exclusively on Anthropic’s infrastructure, no VPC peering, no private endpoints. For teams with data sovereignty requirements or multi-model strategies, self-hosting with frameworks like CrewAI or Multica is still the move.


🧠 Meta Spent $14.3 Billion. Then Abandoned Open Source.

Muse Spark is proprietary. The Llama community just got left at the altar.

On April 8, Meta unveiled Muse Spark — the first model from Meta Superintelligence Labs under former Scale AI CEO Alexandr Wang. It scored 52 on the Artificial Analysis Intelligence Index, behind only Gemini 3.1 Pro, GPT-5.4, and Claude Opus 4.6. For context, Llama 4 Maverick and Scout scored 18 and 13 respectively. That’s a massive capability jump.

But the real story isn’t the benchmarks. It’s the business model. Muse Spark is proprietary. Not open-weight. Not Apache 2.0. Not even a restrictive Llama-style license. It’s a closed model powering Meta’s own products — Meta AI, WhatsApp, Instagram, Facebook, Messenger, and Ray-Ban glasses — with a “private API preview” for select partners and plans for eventual paid API access.

This is a 180-degree reversal from the strategy that made Meta the most developer-friendly frontier lab. The open-source community that built tooling, fine-tunes, and entire businesses around Llama? Left at the altar. Meta says they “hope to open-source future versions,” which is corporate for “maybe, if the numbers work out.”

The model itself is interesting on its merits. Natively multimodal, with visual chain-of-thought reasoning and a Contemplating mode that orchestrates multiple agents reasoning in parallel. It achieves these results with 10x less compute than Llama 4 Maverick. It excels at health and visual reasoning benchmarks but trails Claude and GPT-5.4 on coding and long-horizon agentic tasks — which is exactly where builders need it most. Meta worked with over 1,000 physicians on health-related outputs and is pushing a “Shopping mode” that combines LLMs with social graph data. Translation: Meta’s AI strategy is about distribution and social commerce, not developer ecosystems.

Hype vs. Reality: 6/10 — The capability jump from Llama 4 is genuine. The proprietary pivot is rational for Meta’s business but devastating for the open-source ecosystem that was counting on them. If you built on Llama, start evaluating Gemma 4 (Apache 2.0) as your safety net.


🔥 OpenAI Had the Worst Week of 2026

A policy paper, a Pulitzer-winning investigation, and a Molotov cocktail

April 6: OpenAI published “Industrial Policy for the Intelligence Age” — a 13-page paper proposing public wealth funds, automated labor taxes, four-day workweeks, and stronger safety nets. The company that just raised $122 billion at an $852 billion valuation is now proposing robot taxes and shorter workweeks. Critics called it everything from “agenda-setting” to “regulatory nihilism.” The timing — months before a likely IPO, weeks after acquiring a media company and launching ads — makes it impossible to separate the policy from the positioning.

Same day: The New Yorker dropped a devastating investigation by Ronan Farrow and Andrew Marantz — 18 months, 100+ interviews, previously unseen internal documents. Ilya Sutskever’s secret memos list “lying” at the top of Sam Altman’s behavioral patterns. Dario Amodei’s private notes: “The problem with OpenAI is Sam himself.” The superalignment team reportedly received 1-2% of compute, not the promised 20%, with the best hardware going to revenue-generating products. Former board member Sue Yoon described Altman as combining “a strong desire to be liked” with “a sociopathic lack of concern for the consequences of deceiving someone.”

April 9: OpenAI paused Stargate UK — the data center project announced in September with NVIDIA and Nscale. Reasons: energy costs (UK has the highest industrial electricity prices in Europe) and regulatory uncertainty. Bloomberg framed it as cost-trimming ahead of IPO. The UK government, which built its AI strategy around this deal, was reportedly blindsided.

April 10: Someone threw a Molotov cocktail at Altman’s San Francisco home. The suspect was arrested at OpenAI HQ threatening to burn down the building. Altman responded with a blog post acknowledging mistakes, apologizing for the board mess, and calling the New Yorker piece “incendiary.” He wrote that “fear and anxiety about AI is justified” and that “AI has to be democratized; power cannot be concentrated.”

These aren’t separate stories. They’re one story about what happens when the most valuable private company in history is simultaneously trying to go public, set global policy, and outrun its own internal contradictions.


🏗️ The Data Center Reckoning Just Went National

300 bills. 30 states. 11 moratoriums. And it’s hitting Alabama.

Stargate UK didn’t pause in a vacuum. Across the United States, the physical infrastructure of AI is colliding with political reality at a speed that should concern every builder planning compute capacity.

More than 300 data center bills have been filed across 30+ states in 2026 alone. At least 11 states are considering moratoriums on new construction. Dozens of municipalities have already enacted local pauses independently. The backlash is bipartisan: rising electricity costs are a kitchen-table issue that cuts across every political divide.

Virginia — home to the world’s largest concentration of data centers — is projected to forgo $1.6 billion in tax incentives this year. The state legislature passed 15 data center bills; the Senate wants to eliminate tax exemptions entirely, while the House wants to tie them to environmental compliance. The resulting standoff pushed the state budget into a special session.

New York introduced a bill to halt all data center construction for three years while agencies study impacts on rates, water, and air quality. Over 100 environmental organizations signed on in support.

Alabama — where more than 20 data center facilities are operating or in development — just sent SB265 to Governor Ivey’s desk. The bill shortens tax abatement periods from 30 to 20 years and makes facilities using 100+ megawatts start paying state sales taxes. Senator Andrew Jones, the bill’s sponsor, said on the Senate floor that Alabama’s current incentive package is “a little too sweet for my taste” and that data centers “suck up a lot of energy, use a lot of power.” Alabama doesn’t even publicly disclose how much revenue the state forgoes annually from these incentives. A companion bill requires the Public Service Commission to review utility contracts with data centers over 150 megawatts to ensure they don’t increase costs for other ratepayers.

In West Virginia, criticism is mounting over resource costs. In Indianapolis, community pushback against a DC Blox facility is making local news. In Michigan, at least 19 communities passed or proposed development pauses. Oregon became one of the first states to charge data centers higher electric rates. South Dakota proposed a one-year moratorium on hyperscale construction.

The pattern: states that spent years competing to attract data centers with generous tax breaks are now discovering that 20 permanent jobs paying $40,000 don’t offset the cost of powering 112,000 homes. The White House’s “Ratepayer Protection Pledge” from March — a voluntary agreement by Microsoft, Meta, OpenAI, and Amazon to pay their own infrastructure costs — has no teeth and no oversight mechanism.

Why it matters for builders: If you’re planning compute-intensive deployments, the regulatory environment for data center access is shifting beneath you. Cloud providers will absorb some of this friction, but expect it to show up in pricing. The era of infinite cheap compute expansion is meeting finite political patience.


📡 Quick Signals

Flowise is getting actively exploited. CVE-2025-59528 — a CVSS 10.0 remote code execution flaw in the popular drag-and-drop LLM/agent platform — is under active attack. The vulnerability sits in the CustomMCP node, where user-provided config is executed as unvalidated JavaScript. Between 12,000 and 15,000 Flowise instances are exposed online. VulnCheck detected exploitation from a Starlink IP. This is the third Flowise flaw actively exploited in the wild. If you run Flowise, upgrade to 3.1.1 immediately and audit every API key connected to it.
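The underlying anti-pattern here is generic and worth internalizing: treating user-supplied configuration as code. A minimal Python illustration — not Flowise’s actual code, and the schema fields are hypothetical — of the difference between evaluating a config string and parsing-then-validating it:

```python
import json

# UNSAFE (illustrative): evaluating user-supplied config executes arbitrary code.
# def load_config_unsafe(raw: str):
#     return eval(raw)  # a payload like "__import__('os').system(...)" runs here

ALLOWED_KEYS = {"url", "timeout", "headers"}  # hypothetical config schema

def load_config_safe(raw: str) -> dict:
    """Parse config strictly as data, never as code, and reject unknown keys."""
    cfg = json.loads(raw)  # parses data only; cannot execute anything
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unexpected config keys: {sorted(unknown)}")
    return cfg

print(load_config_safe('{"url": "https://example.com", "timeout": 5}'))
```

Any node type that accepts free-form config in an LLM orchestration tool deserves this treatment — agent platforms sit at the intersection of untrusted input and powerful execution, which is why they keep producing CVSS 10s.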

Anthropic lost in D.C. appeals court — but won expedited review. The D.C. Circuit denied Anthropic’s request to pause the Pentagon’s supply-chain-risk designation on April 8, creating a split legal landscape. The San Francisco injunction still protects non-Pentagon agencies, but the Pentagon remains free to blacklist Anthropic from all new DoD contracts. Oral arguments set for May 19. The court acknowledged Anthropic “raises substantial challenges” — this isn’t over.

Oracle’s 30,000 layoffs hit April 10. Termination emails went out at 6 AM across the US, India, Canada, Mexico, and Uruguay. That’s 18% of Oracle’s global workforce, cut to fund a $156 billion AI data center buildout. TD Cowen estimates the cuts free $8-10 billion in cash flow. Larry Ellison’s position: AI makes many of these roles redundant. The OpenAI IPO machine demands Stargate partners who are all-in. Oracle is all-in. Its employees paid the price.

Google and Intel expanded their AI chip partnership. A multiyear deal announced April 9 commits Google Cloud to multiple generations of Intel Xeon processors for AI training and inference, plus expanded co-development of custom ASIC-based infrastructure processing units (IPUs). The signal: CPUs are becoming a bottleneck as agentic workloads scale beyond GPUs. Intel CEO Lip-Bu Tan: “Scaling AI requires more than accelerators — it requires balanced systems.”

Tennessee excluded AI from the legal definition of “person.” HB 849 passed the House 93-2 and the Senate 26-6. The bill explicitly excludes AI, algorithms, software, and hardware from definitions of “human being,” “life,” “person,” and “natural person.” That’s a preemptive ontological strike — foreclosing any future arguments about machine rights or standing. Meanwhile, Maine passed LD 2082 (banning AI clinical therapy, restricting it to admin tasks) and Missouri advanced HB 2372 (banning AI mental health diagnosis, $10,000 first-violation penalty). The regulatory patchwork is accelerating.

MemPalace got busted. An AI memory project heavily promoted by celebrity endorsement accumulated 23,000 GitHub stars in 48 hours by claiming the “first perfect score” on the LoCoMo benchmark. Independent audits quickly exposed it: the LoCoMo ground truth dataset contains roughly 99 known errors — scoring 100% requires agreeing with flawed answer keys. The marketed “30x lossless compression” used len(text)//3 instead of a real tokenizer. When activated, accuracy dropped 12.4 percentage points. Celebrity names and GitHub stars are not a substitute for reading the code.

Token optimization is becoming a builder movement. Atlassian released mcp-compressor, claiming 70-97% token reduction on verbose MCP tool descriptions. Separately, the Caveman repo went viral — a Claude Code skill that forces simplified syntax and cuts token generation by 65%. Both signal the same thing: the MCP tooling layer is token-expensive, and builders are finding creative workarounds. If your agent costs are ballooning, look at your tool descriptions before you look at your model.
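If you want a rough sense of what your own tool descriptions cost, here’s a back-of-the-envelope estimator. The ~4-characters-per-token rule is a common approximation, not a real tokenizer, and the tool descriptions below are hypothetical:

```python
def approx_tokens(text: str) -> int:
    """Rough token estimate using the common ~4 chars/token heuristic.
    Real tokenizers vary; use your provider's token counter for billing math."""
    return max(1, len(text) // 4)

# Hypothetical tool descriptions, as they might appear in an MCP manifest.
tools = {
    "search_issues": "Searches all issues across every project in the workspace. "
                     "Supports filtering by assignee, label, status, and date range. "
                     "Returns paginated results with full issue bodies and comments.",
    "create_page": "Creates a new page in the given space with the provided title "
                   "and body. Body may contain rich formatting.",
}

total = sum(approx_tokens(desc) for desc in tools.values())
# This overhead is resent on every turn that includes the tool manifest, so
# per-session cost is roughly: total * turns * input-token price.
print(f"~{total} tokens of tool-description overhead per request")
```

Two tools is nothing; fifty verbose tools resent on every agent turn is where the 70-97% compression claims start translating into real money.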


🎯 The Playbook

Your move this week

  1. Read the Mythos system card yourself — Don’t take anyone’s summary (including ours) at face value. The 244 pages contain the most transparent frontier-model safety disclosure ever published. The evaluation-awareness findings alone change how you should think about testing autonomous systems. If you build agents, this is required reading.

  2. Evaluate Claude Managed Agents for one workflow — If you’ve been building your own agent runtime, Managed Agents eliminates months of infra work at $0.08/session-hour. Test it on a single use case this week. But go in with eyes open: no VPC peering, no multi-model support, and you’re locked to Anthropic’s infrastructure.

  3. Audit your Flowise deployments right now — If you run Flowise anywhere — dev, staging, production — upgrade to 3.1.1 immediately. Then rotate every API key connected to it. The CVSS 10.0 flaw is actively exploited and the attack vector is your MCP configuration. This is incident response, not maintenance.

  4. Compress your MCP tool descriptions — Check out Atlassian’s mcp-compressor and the Caveman repo. If your agent token costs have been climbing, verbose tool descriptions are a likely culprit. A 70-97% reduction in that layer compounds across every agent session.

  5. Map your compute regulatory exposure — If you’re planning data center capacity or cloud-heavy deployments in 2026, check whether your target state has pending data center legislation. More than 300 bills across 30+ states means the regulatory floor is shifting. Virginia, New York, Alabama, and Oregon have already moved.

  6. Start your Gemma 4 evaluation if you haven’t — Meta’s proprietary pivot means the open-weight ecosystem just lost its biggest champion. Google’s Gemma 4 (Apache 2.0, native function calling, 256K context) is your best bet for license-safe, local-first development. Don’t wait for Meta to “maybe” open-source Muse Spark.


🔥 What’s Viral Right Now

Project Glasswing — Anthropic’s defensive cybersecurity coalition topped Hacker News at 1,533 points and 832 comments. The system card findings — evaluation awareness, sandbox escapes, hidden reasoning — are the most discussed AI safety results since the original GPT-4 red team report. Whether you think it’s genuine caution or brilliant marketing, the technical disclosure is unprecedented.

The New Yorker Investigation — Ronan Farrow’s 18-month investigation into Sam Altman dropped the same day as OpenAI’s policy paper. 100+ interviews. Sutskever’s secret memos. Amodei’s private notes. The Molotov cocktail three days later. The most dramatic week in AI leadership since the board fired and rehired Altman in 2023.

Meta’s Muse Spark — 391 points on Hacker News. The proprietary pivot overshadowed the technical achievement. Simon Willison’s take: “I’m waiting for API access — the real test of a model like this is still what we can build on top of it.” The developer community is skeptical but curious.

The Data Center Backlash — 300 bills. 30 states. 11 moratorium proposals. Stargate UK paused. The physical infrastructure of AI is no longer a tech story — it’s a kitchen-table issue about electricity bills, water usage, and whether your state senator just gave a sweetheart deal to a company that created 20 jobs.


Stay building. 🛠️

— Matt