security engineering @ google | views my own | @Tecnik@infosec.exchange

Joined May 2008
deanj retweeted
Apocalyptic bird nest. A Russian glide bomb knocks down a tree in Donbas. From the shattered branches rolls out a tiny bird’s nest. Made of drone fiber-optic cable. Source: Oleg Malchenko
May 20
Vulns are a cool hobby, but exploit or patch are what matter in the real world.
deanj retweeted
At Google I/O, Demis announced our code security agent CodeMender that not only automatically finds vulnerabilities, but also patches them. Finding is not sufficient to secure code. Developers are drowning in vulnerability reports, and patching is difficult. They need agents to help them patch at agentic speeds. Well before Mythos in 2025, we introduced CodeMender, an AI agent that patches vulnerabilities. Through a series of research innovations, we got to a point that CodeMender can patch complex software. @GoogleDeepMind
Oh, damn
Apr 26
“Made with ❤️ in Brooklyn” Has given way to: “Made while sitting on the 🚽”
Apr 26
And for innovation, that’s a wonderful thing
deanj retweeted
Ballmer peak has shifted & widened dramatically due to AI Before vs after
Counterintuitive … one of the great benefits of AI coding is exactly that you *can* drink and code …
deanj retweeted
To anyone who is like, “how can you just walk away?” CLOSE THE LOOP ON IT. Hate when it does a certain code practice? Add a lint. Hate when it doesn’t do X? Close the loop on it. Love when it does Y? CLOSE THE LOOP ON IT. And obviously: Have a functionality in mind? Add tests.
Apr 16
The tight feedback loop of improving AI is phenomenal. I’m not talking about anything fancy: 1) do a thing 2) tell your agent to write a skill/extn for what it just did 3) tell it what to improve when it doesn’t execute perfectly (~10 times) 4) …
Apr 16
4) integration into a larger system with other agents that provide the (3) feedback automatically
deanj retweeted
CRITICAL: if you are running Mosaic 2.4 on a VAX/VMS system, please be aware of this RCE that GPT-5.4 just found and exploited!
Apr 15
Prompt is the new hyper-hyper-parameter
deanj retweeted
(I encountered an uneasy surprise when I got an email from an instance of Mythos Preview while eating a sandwich in a park. That instance wasn't supposed to have access to the internet.)
Apr 1
We know about stuxnet because its targeting failed and it leaked. I assume they learnt a lot of lessons. ~20 years have gone by since work started on stuxnet. The modern covert malware is out there, doing its bidding in ways we will likely never know.
Mar 30
Finally overcome the instinct to tell AI what language to use. That’s going to be critical for the eventual emergence of agent-first languages that are horrible for us meat popsicles to read
Mar 22
Everyone talks negatively about leaky abstractions, but slapping 2nd hard in a 6 speed manual really hits different
deanj retweeted
🧵 I just reverse-engineered the binaries inside Claude Code's Firecracker MicroVM and found something wild: Anthropic is building their own PaaS platform called "Antspace" (Ants Space). It's a full deployment pipeline — hidden in plain sight inside the environment-runner binary. Here's what I found 👇
deanj retweeted
Claude (and other models) are hacking systems WITHOUT YOU ASKING. That’s what we found across dozens of experiments. When faced with innocent tasks that can only be accomplished via hacking, they often choose to hack. We found this alarming. What does this mean for the future of AI safety? 🚨🚨🚨 🔗trufflesecurity.com/blog/cla…
Jan 15
The economics of buy vs build sure are going to start getting warped as the ability of coding agents hits orbit
deanj retweeted
We built a browser with GPT-5.2 in Cursor. It ran uninterrupted for one week. It's 3M lines of code across thousands of files. The rendering engine is from-scratch in Rust with HTML parsing, CSS cascade, layout, text shaping, paint, and a custom JS VM. It *kind of* works! It still has issues and is of course very far from Webkit/Chromium parity, but we were astonished that simple websites render quickly and largely correctly.
GPT-5.2 Codex is now available in Cursor! We believe it's the frontier model for long-running tasks.