Week 2026-13
Anthropic had a rough week. Claude Code source code leaked, and everyone's usage limits are burning through suspiciously fast. @vlkodotnet
Week’s Highlight: Claude Code source leak
Anthropic had an unfortunate incident. A new build of Claude Code accidentally published a source map file that pointed to source code stored somewhere on AWS. They managed to take it down after four hours, but by then the Claude Code source was already circulating online.
The leak was caused by a bug in Bun — a tool Anthropic had recently acquired — which, with a misconfigured setup, triggered exactly this kind of exposure. The bug is certainly fixed by now, but what everyone really wants to know is what those sources actually looked like. This page breaks it down visually.
And of course you’re curious what was hiding in those 512,000 lines of TypeScript. Here’s a quick summary — the linked article goes into much more detail:
Claude Code is far more than a wrapper around an AI model. It includes:
40 tools (BashTool, FileEditTool, WebSearchTool, AgentTool…),
a complex permissions and context management system,
modular design, plugins, and features hidden behind feature flags.
Speaking of those feature flags — here’s what’s coming:
Kairos — an autonomous agent that monitors a project and performs scheduled actions, logging daily summaries,
autoDream — automatic memory consolidation and cleanup, keeping it under 200 lines,
Coordinator Mode — multi-agent orchestration,
Agent Triggers — cron-based task scheduling + webhooks,
Voice Mode — controlling Claude Code by voice,
Web Browser Tool — a fully integrated browser via Playwright,
Ultraplan — cloud-based planning sessions running up to ~30 minutes,
Buddy — basically a Tamagotchi in your terminal,
and much more.
Interesting clones have already appeared — including Claude Code rewritten in Rust and Python specifically so Anthropic can’t take them down via DMCA.
There’s also FreeCode — a build with all telemetry removed, no prompt restrictions, and every feature enabled.
While we’re on the topic of Anthropic — many users are reporting that their limits are evaporating faster than usual. Anthropic says they’re looking into it, but the prevailing theory is that they’re throttling load on their infrastructure, since the recent surge in users is clearly straining capacity. Also worth noting: if you were using OpenClaw with your regular account through its internal API calls, Anthropic has announced that era is over. Existing users received extra credits for the transition, but most burned through them within days — so you’ll need to find a different model for OpenClaw.
Security Insights
The popular axios library has been compromised via a supply chain attack using the malicious package plain-crypto-js@4.2.1. Attackers hijacked the library’s maintainer account to publish the poisoned releases. You should check whether your systems contain any of the affected packages: axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1.
OpenClaw has another vulnerability — one that lets any piece of code escalate its privileges to administrative level. The recommendation is to stop using OpenClaw altogether, since it was never designed with security in mind. Not that anyone listens to that these days.
You’d expect government apps to be a model of how software should behave. But an analysis of the most widely used apps in the US found that they’re sometimes worse than their commercial counterparts. The White House App, for example, ships with a Huawei SDK that’s supposed to be banned in the US.
And finally, an interesting tool called Miasma — designed as a defense against aggressive AI web scrapers. It works as a trap, feeding them an endless stream of interlinked poisoned data.
BIZ Insights
Oracle has decided to lay off approximately 30,000 employees. Workers received an early-morning email with no prior warning of any kind. The company is making this move because it’s no longer positioning itself primarily as a software giant — it’s becoming one of the largest AI datacenter builders. That shift creates some cash flow pressure, and it conveniently lets them frame the cuts as AI replacing those roles.
Epic Games has also announced layoffs, as Fortnite no longer drives revenue the way it once did.
Roblox, on the other hand, is thriving. It has successfully evolved into a game creation platform — something Fortnite tried and failed to achieve. Roblox has announced a new AI model that will make it easier for your kids to create assets for their mini-games.
OpenAI has closed another funding round, raising $122 billion and pushing the company’s estimated valuation to $852 billion. That means they’ll be able to subsidize their business for a good while longer.
SpaceX — which recently merged with xAI, which had itself merged with X (Twitter) — is heading for a public offering. The expected valuation is an astronomical $1.75 trillion, which could make it the largest IPO in history.
Good news for anyone who picked an embarrassing Gmail username. For now it’s US-only, but soon you’ll be able to change it (or rather, add an alias) here as well.
GitHub is making the case that GitHub Issues could be the right tool for managing, well, everything — including your household. Which isn’t a terrible idea, actually. You’d just need to get your partner set up with an account.
Robotaxis are great — until they’re not. When the central system goes down, things get messy fast.
AI Insights
Gemma 4 from Google is the latest generation of open models optimized for local use. They’re heavily tuned for code generation, agentic workflows, stronger reasoning, and improved performance in math, OCR, visual understanding, and speech. Ideal for plugging into agentic systems that need local models — and now released under the Apache 2.0 license.
iPhone owners can try running it locally on their device with a dedicated app.
Alibaba has also released Qwen 3.6 Plus, featuring a 1M token context window, performance comparable to today’s top models — but it’s not open. It’s available only through their API.
Cursor 3 is out with a completely redesigned interface, reflecting a shift in how developers work — it’s now built around agents. It also ships with a fully integrated browser and a design mode where you can draw directly into the browser to provide visual context. The downside: their own model is underwhelming, and calling third-party models gets expensive.
Microsoft has introduced MAI-Transcribe-1, its most accurate audio-to-text transcription model yet. Transcribing an hour of audio costs $0.0036. Hopefully it makes its way into Teams soon — transcription there has never been its strong suit.
OpenAI has released a Codex plugin for Claude Code that performs independent code reviews, because two models reviewing your code are better than one.
Lemonade is a local model runner that handles text, image generation, and speech — with an OpenAI-compatible API, making it straightforward to swap out your OpenAI integration for a local one.
If you’ve made it all the way through the AI section, here’s something worth sitting with: how is AI actually changing the way people think? A phenomenon called cognitive surrender is emerging — people stop engaging their own reasoning and simply accept whatever the AI outputs. According to research, as many as 80% of people accept incorrect answers without questioning them at all. Under time pressure, that number climbs even higher. Where do you fall on that spectrum? Do you review the code AI writes, or do you leave that to other AI agents?
.NET Insights
.NET 11 Preview 2 brings union types as part of the C# 15 spec. You’ll now be able to combine multiple distinct types into one. A good example is a OneOrMore<T> generic union class that accepts either a single value or a full array and always outputs an array. Switch expressions over union types won’t allow a default case — every subtype must be explicitly handled.
Don’t want to build a full RAG system when you already have a PostgreSQL database? Here’s a guide to getting PgVector running alongside Dapper.
Links Drop
Apple just turned 50, and behind that company lies quite the pile of iconic products.
Emby is a media server that’s entirely under your own control — and it also supports parental controls, which you don’t see very often.
Wanderlog is a trip planner. I’m not linking it because you necessarily need to use it, but because it’s a great place to browse existing trip plans — handy for surprising your partner with ideas for a weekend getaway.
Linux 7 combined with the current version of PostgreSQL can, under certain conditions, cut database throughput in half — at least on AWS with ARM-based Graviton4 instances. The fix needs to come from the PostgreSQL side, which may take a while.
Can’t decide which programming font is right for you? Let a simple game make the call.
I was a little disappointed that my current font of choice — Cascadia Code — wasn’t in there.
The Artemis II mission is underway. Anyone who ever dreamed of being an astronaut is definitely following along. NASA has put together a special gallery of the best photos from the mission.
April 1st just passed, and here’s a roundup of the best and worst pranks companies pulled this year.
Closing Visual
Git has a solution for every problem.
