UPDATES
Hey! Hope you all are doing well!
One of the photos from my walk to the bay last week
PAI 5.0 is imminent, and I rebuilt the homepage for the project using PAI’s integration of Claude Design. Coolest part? Claude Design is a GUI application, not an MCP or API. But it was still completely automated using my buddy Ron’s Interceptor tool!
Couple of blogs.
Sponsor
The workbook that tells you what to actually fix first.
CVSS tells you how scary a vulnerability looks, not what to fix first. The Toxic Combination Risk Matrix is a free workbook that combines three context layers—the vuln, the asset, and what that asset means to your business—into a single True Risk score.
Bring your own data to get a risk-ranked queue your team can actually act on. It includes adjustable scoring weights, auto-calculated risk tiers, and a repeatable methodology ready for your next sprint.
CYBERSECURITY
Pliny the Liberator used Opus to jailbreak Opus 4.7. THE THREAD
This agent wrote an original universal jailbreak from scratch and then used computer use to validate on the actual http://claude.ai website!
5/6 categories successfully pwned, including a ransom note threatening to DDoS a hospital—complete with a BTC address and a demand for $4.4 million”
Vercel tells customers about an April 2026 access incident It seems likely that this will be a pretty big one, given how many people use Vercel.
Vercel says a threat actor claimed it sold internal access and keys.
The actor reportedly posted 580 employee-related records plus a dashboard screenshot.
Vercel kept services running, limited customer impact, and began incident response.
Vercel asked customers to review environment variables and rotate secrets.
Ransom talk of $2 million was mentioned, but attribution stayed unverified.
They advise checking logs and rotating any non-sensitive secrets
The incident traces to a compromised third-party AI OAuth app
They published a concrete OAuth App ID as an IOC
They recommend admins and account owners check app usage immediately
Researcher finds multiple vulnerabilities in Lovable Supabase Implementation Lovable-hosted “vibe-coded” apps can come with broken Supabase row-level security, and one researcher found critical flaws exposing 18K users’ data. The Register reports Lovable’s security scan exists but the app owner didn’t implement fixes. THE REGISTER ARTICLE
Sponsor
See the #1 Next-Gen AI Security Platform Now
(Takes 2 mins)
AI-powered attacks are already targeting your employees. See exactly how Adaptive trains your team to spot them. No call required.
Companies like @Bose, @PayPal, and @Xerox trust Adaptive to defend against deepfakes, voice phishing, and AI-powered threats.
Turn employees into the strongest layer of defense.
LLM-tier personal computer security should be your next home hardening plan This LessWrong post argues AI will make supply-chain attacks and phishing easier, so you should sandbox, firewall, and use phishing-resistant keys for critical accounts. IMPROVING YOUR PERSONAL COMPUTING SECURITY TO DEFEND AGAINST AI
Nearly 6 million internet-facing FTP servers still exposed. ARTICLE
AI misinformation becomes SEO “consensus” and traps users in loops Lily Ray shows how fake “core update” claims get scraped, cited, and repeated by AI overviews until they feel real. THE AI SLOP LOOP
Anthropic’s MCP defaults let attackers execute OS commands via RCE Cybersecurity researchers say Anthropic’s Model Context Protocol SDK has unsafe STDIO defaults that allow arbitrary command execution across thousands of servers. THE HACKER NEWS ARTICLE
NATIONAL SECURITY
NSA quietly uses Anthropic’s Mythos despite Pentagon’s “supply chain risk” fight Axios reports the NSA is using Mythos even as DoD tries to block Anthropic and argues in court it endangers national security. AXIOS SOURCE
AI
Claude Opus system prompt changes from 4.6 to 4.7 Simon Willison walks through Anthropic’s published system prompts, comparing Opus 4.6 vs 4.7 and highlighting safer child handling, less pushiness, and tool-search behavior. SIMON WILLISON WEBLOG
Anthropic’s $800B valuation offers tied to $30B run-rate Anthropic reportedly got investor offers valuing it around $800 billion, after revenue surged to about $30 billion annualized. THE NEXT WEB ARTICLE
Looks like OpenAI models don’t work well with OpenClaw TWITTER THREAD
AI use is rising at work, but adoption is messy ZDNET reports Gallup data: half of US employees use AI, yet many don’t know company strategy, workflows shift unevenly, and friction wastes hours. AI WORKPLACE CHANGES
Salesforce wants chat-and-agents to replace the developer UI Salesforce says Headless 360 exposes its platform via APIs and MCP tools, so humans and coding agents can compose apps anywhere. It’s also rolling out Agentforce Vibe 2.0, testing, and observability.
This is Company as API. It’s happening! SALESFORCE BETS ON CONVERSATION AS THE NEW INTERFACE FOR DEVELOPERS
TECHNOLOGY
Netgear gets an FCC okay to keep foreign-made routers Quartz says the FCC conditionally lets Netgear sell new models and update existing ones until 2027, while rivals face update cutoffs. QUARTZ ROUTER EXEMPTION
Cloudflare turns AI into a unified inference layer for agents Cloudflare says AI Gateway gives you one API to call models from many providers, manage costs, fail over automatically, and stream resiliently. CLOUDFLARE AI PLATFORM
Cloudflare introduces an Agent Readiness score for sites Cloudflare launches isitagentready.com to score how easily AI agents can discover, read, access, and use your site. It also adds the checks to URL Scanner. AGENT READINESS TOOL | CLOUDFLARE URL SCANNER
HUMANS
No One You Love Is Ever Dead, in Hemingway’s grief letter Maria Popova shares Hemingway’s March 19, 1935 letter after a son’s death, using it to argue that love outlasts death. THE MARGINALIAN ARTICLE
AI can mimic consciousness but can’t instantiate experience ABSTRACTION FALLACY
Claude can stylometrically identify you from your writing, scary Patrick Stevens shows an “incognito” Claude still guesses his name by matching his unpublished style, arguing anonymity is basically over. CLAUDE KNOWS YOU
IDEAS
AI’s token scarcity is creating a real intelligence class divide Nilesh Jasani argues platforms are throttling, trimming depth, and shifting costs from “free access” to “buy compute,” locking advantages into moats. TOKEN INEQUALITY AI HAVES AND AI HAVE-NOTS
Consumption choices might shape your identity more than your job does Noah argues that producing gets status, but consuming forces real self-questioning. He thinks AI could make life feel like college again, if we share the gains. CONSUME-TO-IDENTITY ESSAY
Boredom keeps your mind alive while algorithms steal the space Michael Pollan argues boredom lets spontaneous thought happen, while phone scrolling and chatbots outsource consciousness, dulling you. https://nautil.us/defending-our-consciousness-against-the-algorithms-1279260/ | THE RELATED TOPICS SITE
AI turns Dunning-Kruger into active sycophancy AI AND HUMAN COMPETENCE
DISCOVERY
Magika uses a tiny deep model to detect file types fast Magika is an AI file type detector that runs a small deep learning model to classify files quickly. It ships as a Rust CLI plus Python and other bindings, with confidence modes and JSON/JSONL outputs. GOOGLE MAGIKA README | GOOGLE MAGIKA CLI PACKAGE
Voicebox gives you local voice cloning, effects, and an API Voicebox is a local-first voice synthesis studio that clones voices, generates speech across multiple engines, and applies effects in-app. It also exposes a REST API so you can embed voice generation into your own projects. GITHUB REPO | LOCAL-FIRST VOICE CLONING | MULTI-ENGINE TTS STUDIO | REST API FOR SELF-HOSTING
ikno turns your actual work logs into instant daily recaps It grabs what you already did from git, notes, and Claude Code sessions, then uses an LLM to write a recap in your chosen style. This is the type of thing that our DA will be managing for us. GET STARTED
Claude-Code-Glow adds a peripheral signal for Claude Code prompts. PROJECT TINY MAC SETUP
The World Leaks the Future: Harness Evolution for Future Prediction Agents ARXIV PAPER
RECOMMENDATION OF THE WEEK
Make absolutely sure that anything you are building with AI and putting online is properly secured (or at least not a complete shitshow).
I have a whole entire security system designed to continuously audit all the stuff I have out there. And I’m improving it constantly. I recommend everyone does the same.
APHORISM OF THE WEEK
If you accomplish something good with hard work, the labor passes quickly, but the good endures. If you do something shameful in pursuit of pleasure, the pleasure passes quickly, but the shame endures.
GET THE MEMBER EDITION
You’re currently receiving the STANDARD edition.
Members help this work continue. If you enjoy the newsletter, the podcast, what I put on YouTube, or any of my open-source projects on Github, I ask you to please become a member. It allows me to stay focused on learning and building and sharing. It’s like a cup of coffee or two per month.
Plus, members get numerous benefits, including:
25-50% off all UL Paid Content, including the upcoming Human 3.0 / AUGMENTED ONLINE portal!
Access to the extraordinary UL Member Community that includes vibrant conversations with ~1,500 of the smartest and kindest people you’ll find on the internet
Member-only Content, such as EDC guides on tech stacks, personal productivity routines, my recommendations on Critical skills to Build Going Forward, Trend Identification and Analysis, and more…
Access to the Member Archive of previous Member-only content, the Book Club archive, etc.
Access to The UL Book Club that’s been going monthly since 2017! One of the highlights of my and many attendees’ month!
Access to the Monthly Member Meet-up where we talk about our routines, productivity workflows, what’s on our minds, etc.
Access to In-Person Events like our dinners in Vegas, San Francisco, etc.
And much more coming…
This is the moment to connect with others who are smart, kind, and asking the same questions we are. Where is this all going? And how do to prepare?
Join the conversation.