Anthropic built an AI model so good at finding security vulnerabilities that they won't let anyone use it. Claude Mythos Preview autonomously discovered a 17-year-old remote code execution bug in FreeBSD that gives anyone root access over NFS. Not a contrived benchmark. Not a CTF challenge. A real exploit in real infrastructure that every security team on the planet missed for nearly two decades.

That alone would be the story of the month. But Mythos has found thousands of high-severity vulnerabilities — in every major operating system and every major browser. Anthropic's response was to restrict the model entirely. No public API. No general availability. Instead, they launched Project Glasswing, giving defensive access only to Apple, AWS, Google, Microsoft, and a handful of others.

Meanwhile, Cursor shipped version 3 and deleted VS Code. Not forked it differently — rebuilt the entire product from scratch as an agent orchestration platform. The editor is now the fallback. Agents are the default. And Cloudflare released EmDash, an open-source TypeScript CMS built on Astro that they're calling "the spiritual successor to WordPress."

The common thread: the tools we've relied on for years are being rebuilt from first principles. Whether it's your IDE, your CMS, or the security model protecting your infrastructure — someone decided the old version wasn't good enough anymore.

Here's everything else worth your time.

The Big 3

Anthropic announced Claude Mythos Preview alongside Project Glasswing, a coalition with Apple, AWS, Google, Microsoft, Nvidia, and others to use the model exclusively for defensive security research. Mythos autonomously found thousands of high-severity vulnerabilities across every major OS and browser — including a 17-year-old FreeBSD RCE that grants root via NFS. Anthropic says it has no plans to make Mythos publicly available until new safeguards exist. This is the first time an AI lab has deemed a general-purpose model too dangerous for public deployment — and then proved why by shipping the receipts.

Cursor's biggest release since forking VS Code in 2023 isn't an update — it's a replacement. Cursor 3 rebuilds the entire product around an Agents Window that lets developers run multiple AI agents in parallel across local machines, worktrees, SSH, and cloud. The IDE is now a fallback, not the default experience. The pitch: you're the architect, agents are the builders. Early users praise the speed but flag costs — one developer spent $2,000 in two days. This comes as Claude Code captures 54% of the AI coding market.

Cloudflare released EmDash, a full-stack TypeScript CMS built on Astro that targets WordPress's biggest weakness: plugin security. Where WordPress plugins have full database and filesystem access (causing 96% of its vulnerabilities), EmDash sandboxes each plugin in its own V8 isolate with declared permissions. Built largely by AI agents over two months, it includes a built-in MCP server, Agent Skills for autonomous site management, and x402 micropayments for AI content access. WordPress co-founder Matt Mullenweg called the Skills strategy "brilliant."

Articles & Tutorials

Pretext: 500x Faster DOM-Free Text Layout (8 min)
Former React Core member Cheng Lou built a TypeScript library that measures and lays out multiline text without ever touching the DOM — turning a 94ms, 6-dropped-frame operation into 0.05ms with zero reflows. It hit 14,000 GitHub stars in 48 hours.

The Axios Supply Chain Attack Used Targeted Social Engineering (5 min)
The Axios team published a full postmortem — the attack vector wasn't code, it was a fake Teams meeting that prompted a maintainer to install a RAT disguised as a missing update.

Ship jQuery and React with the Browser (8 min)
Patrick Meenan makes a compelling case for bundling popular libraries directly into Chrome — if everyone's shipping the same 40KB anyway, why not let the browser cache it once?

CSS Multi-Column Layout Gets Wrapping Features (6 min)
Chrome 145 introduces column-height and column-wrap properties, finally giving developers control over how content flows in multi-column layouts.

Alternatives to the !important Keyword (9 min)
Cascade layers, specificity tricks, smarter ordering, and selector hacks that can often replace !important entirely.

Parse, Don't Validate — in TypeScript (5 min)
A practical walkthrough of encoding constraints in your type system so invalid states are unrepresentable rather than checked at runtime.

The Uphill Climb of Making Diff Lines Performant (10 min)
GitHub's engineering team explains how they optimized diff rendering for millions of diffs a day — the path to better performance was found in simplicity.

Your Options for Preloading Images with JavaScript (5 min)
Alex MacArthur lays out the different approaches to preloading images — when each one works, when they don't, and which one you should probably be using.

Career & Takes

"I Read AI-Generated Production Code for a Week. It Was Fine. That Was the Problem." (5 min)
A developer audited 8 months of AI-generated code — it passed tests and handled edge cases, but nobody on the team could explain why half the patterns existed. 610 upvotes on r/node.

Bram Cohen: The Cult of Vibe Coding Is Insane (8 min)
The creator of BitTorrent argues that shipping AI-generated code without understanding it isn't innovation — it's negligence.

Kent Beck & Martin Fowler: Cycles of Disruption (11 min)
Two of software engineering's most influential voices draw parallels between past technology shifts and what's happening with AI — including what the industry consistently gets wrong.

"We Didn't Need a Union When the Market Was Great" (5 min)
A Reddit thread exploring whether layoffs, AI anxiety, and RTO mandates have made developer unionization inevitable — 468 upvotes and counting.

Tools & Releases

Turborepo 2.9 — 96% Faster (5 min)
Vercel's monorepo build tool gets a massive performance boost through AI agents, sandboxes, and human optimization.

S3 Files — AWS S3 Buckets Accessible as File Systems (8 min)
AWS now lets you mount S3 buckets as high-performance file systems on compute resources — bridging object storage and traditional filesystem APIs.

TanStack Router Ships Signal Graph (5 min)
Replaces the broad router.state with granular signal stores for faster client-side navigation and fewer unnecessary re-renders.

Inertia.js 3.0 (5 min)
The monolith-friendly SPA framework ships v3 — if you're building Laravel + React/Vue/Svelte without a separate API layer, this is the upgrade to plan for.

Docker Offload Now GA (4 min)
Docker Desktop's cloud build feature is now generally available — offload container builds to remote infrastructure when your laptop isn't cutting it.

GitHub Copilot CLI Gets "Rubber Duck" (5 min)
Copilot CLI now uses a second AI model family to give you a different perspective on your coding agent's recommendations.

Watch

Cursor Ditches VS Code, but Not Everyone Is Happy (10 min)
Fireship breaks down Cursor 3's pivot away from VS Code and why some developers are pushing back hard.

It's Been A Hell Of A Week (10 min)
Scott and Wes from Syntax recap a chaotic week — the Claude Code source leak, the Axios npm attack, and a stack of releases.

The Language Holding Our Agents Back (10 min)
Theo argues that bash is a bottleneck for AI agents and explores what a purpose-built agent language could look like.

HTML in Canvas API Is NUTS (10 min)
Wes Bos explores what's now possible with the Canvas API's HTML rendering capabilities.

The foundations are shifting under everything this week. Your IDE is an agent manager now. Your CMS was built by agents. And the model finding all the bugs in your infrastructure is too dangerous for you to use. Whether that last part makes you feel safer or more nervous probably says a lot about your relationship with trust in this industry. Either way — if any of this changes how you're thinking about your stack, hit reply.

Until next week,
Niall
