A consequential week - Mythos is officially gated, MCP has a neutral home, an open source model is topping the benchmarks, and a real supply chain attack reminded everyone that AI infra inherits all the old software vulnerabilities too.

The big stories

Anthropic restricted Mythos. It’s too good at hacking. Last week’s leak turned into this week’s policy decision. Anthropic published Project Glasswing and confirmed they’re holding Mythos back from general release. In testing, the model identified and exploited zero-day vulnerabilities in every major OS and browser. One example: it wrote a browser exploit chaining four vulnerabilities with a JIT heap spray that escaped both renderer and OS sandboxes. Successful exploitation rate was over 80%. Instead of a public launch, Anthropic is sharing the model with a consortium - Amazon, Apple, Cisco, JPMorgan Chase, and Nvidia - to harden their own systems before similar capabilities leak into adversarial hands. This is the first time a frontier lab has publicly decided not to ship because of offensive cyber risk.

Z.ai open-sourced GLM-5.1 and it beat everyone. 754B-parameter MoE model under MIT license, released April 7. SWE-Bench Pro score: 58.4 - ahead of Opus 4.6, GPT-5.4, and Gemini 3.1 Pro. The headline feature is 8-hour autonomous execution: sustained goal-alignment across thousands of tool calls without drifting. In one demo, it built a Linux-style desktop environment from scratch in a single 8-hour run - file browser, terminal, text editor, system monitor, and working mini-games. This is the first time an open-weight model has credibly topped the frontier closed models on a serious agentic benchmark.

Anthropic donated MCP to the Linux Foundation. The new Agentic AI Foundation (AAIF) launched with MCP, Block’s goose, and OpenAI’s AGENTS.md as founding projects. OpenAI is a co-founder. Vendor-neutral governance for what was, six months ago, an Anthropic-internal spec. Clare Liguori joined as Core Maintainer and Den Delimarsky (who co-authored the MCP authorization spec) stepped up as Lead Maintainer. The April 2-3 MCP Dev Summit in NYC was the public coming-out event.

LiteLLM got hit by a supply chain attack. A poisoned GitHub Action compromised the popular Python AI library in March 2026, and 40,000 downloads shipped within 40 minutes before the attack was caught. The attackers didn’t touch the source - they injected through the build pipeline, deploying credential harvesting, lateral movement, and backdoor installation. If you’ve been building AI apps without pinning GitHub Actions to commit SHAs, version-locking, and restricting workflow permissions, this is your wake-up call. Our writeup walks through what happened and how to harden your CI/CD.
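A small audit helper for two of the hardening points just named (SHA-pinned actions and an explicit workflow permissions block), added here as an example rather than taken from the LiteLLM writeup or any GitHub tooling; the sample workflow, its placeholder SHA and the example-org/release-helper action name are constructed.

```python
import re

# Added example (not LiteLLM's or GitHub's tooling): audit GitHub Actions
# workflow text for SHA-pinned actions and an explicit permissions block.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full commit SHA = immutable ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # captures owner/repo@ref

def find_unpinned_uses(workflow_text: str) -> list[tuple[str, str]]:
    """(action, ref) for each remote `uses:` not pinned to a full commit SHA.
    A tag or branch (v4, main) can be re-pointed by whoever controls the action
    repo; local actions (./path) and docker:// images are skipped."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")):
            continue
        action, _, ref = spec.partition("@")
        if not SHA_RE.match(ref):        # a missing ref also counts as unpinned
            unpinned.append((action, ref))
    return unpinned

def has_top_level_permissions(workflow_text: str) -> bool:
    """True if a top-level `permissions:` block sets the GITHUB_TOKEN scope
    explicitly instead of inheriting the repository default."""
    return re.search(r"^permissions:", workflow_text, re.MULTILINE) is not None

def audit(workflow_text: str) -> list[str]:
    """Human-readable findings for one workflow file."""
    findings = [f"unpinned action: {a}@{r or '<none>'}" for a, r in find_unpinned_uses(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        findings.append("no top-level permissions block: GITHUB_TOKEN inherits repo default")
    return findings

# Constructed sample workflow: the SHA is a placeholder and
# example-org/release-helper is a hypothetical action name.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: example-org/release-helper@main
"""
```

Run it over each file under .github/workflows; the actions it lists are the ones to replace with a full commit SHA. Version-locking of the Python dependencies themselves is a separate, package-manager-level control not covered here.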

CLI tool updates

Claude Code 2.1.101 (April 10) shipped /team-onboarding - generates a teammate ramp-up guide from your local Claude Code usage. Also: OS CA certificate store trust by default (enterprise TLS proxies now work without extra setup), /ultraplan auto-creates cloud environments instead of requiring web setup, and fixes for the duplicate-message scroll bug in iTerm2 and Ghostty.

OpenAI rolled out GPT-5.3 Instant Mini as the new ChatGPT fallback model - replaces GPT-5 Instant Mini when you hit rate limits. They also introduced a $100/month Codex Pro plan with unlimited GPT-5.4 access and 10x the Codex usage of Plus.

The take

The Mythos decision is the story of the year so far. Frontier labs have always had the theoretical option of holding back models for safety reasons. This is the first time one actually did it - and the reasoning is specific and verifiable: the model is substantially better at finding and weaponizing zero-days than any defender can keep up with. Project Glasswing is a bet that a private consortium can patch faster than the open internet can be attacked.

The GLM-5.1 release matters for a different reason. Open source has spent 18 months being “almost there” - within a few points of frontier on benchmarks, but always a step behind on agentic work. 58.4 on SWE-Bench Pro with MIT licensing changes the calculus. If you’ve been waiting for a model you can self-host and trust to run multi-hour autonomous tasks, it just arrived.

The LiteLLM attack is the counterweight to both. We’re spending all this energy worrying about what Mythos might do in adversarial hands - while basic CI/CD hygiene lets attackers ship malware to 40,000 AI projects in 40 minutes. The most dangerous vector isn’t always the most sophisticated one.

And MCP moving to the Linux Foundation is the quiet infrastructure win. A year from now, nobody will remember that MCP was originally an Anthropic spec - the same way nobody remembers Kubernetes started at Google.

One thing

If you’re running AI agents on your own infra, Meta’s tribal-knowledge writeup is worth an hour. The pattern - opt-in context files, ~1,000 tokens each, quality-gated by a critic loop - generalizes. If your agents are burning tool calls rediscovering the same codebase structure on every run, you can fix that right now with what’s in the post.