DEV Community: Sameer Khan

Google TPU 8 vs Nvidia: 8t and 8i Specs Explained

Sameer Khan — Wed, 22 Apr 2026 20:50:16 +0000

TL;DR: AI is splitting into two economies: training and inference. Training is a handful of hyperscalers spending tens of billions on clusters that run for weeks. Inference is where every app, every agent, and every dollar of revenue actually lives. Google's TPU 8 is the first chip generation to treat that split as the default. It ships as two chips, an 8t for training and an 8i for inference. The 121 ExaFlops number is the headline. The split is the story. The economies that grow from it are the stakes.

Why did Google split the TPU 8 into 8t and 8i?

Every prior TPU generation has been one chip. So is every Nvidia GPU people argue about. One die, one package, one SKU, rented to you for both the weeks-long training run and the millisecond inference call.

Google's TPU 8 broke that pattern. The 8t is a training chip: 9,600 of them wired into a single superpod, 121 ExaFlops of compute, 2 petabytes of shared high-bandwidth memory, roughly 3x the pod-level compute of Ironwood. ¹ The 8i is an inference chip: 288 GB of HBM per chip, 384 MB of on-chip SRAM (3x the previous generation), 19.2 Tb/s of interconnect. ¹

Those are not two SKUs of the same silicon. Those are two different design targets.

Training wants bandwidth. 9,600 chips have to exchange gradients every step, and the whole run stalls on the slowest link. That is why 8t doubles the interchip bandwidth and Google brags about 97% goodput, which is their way of saying the accelerators are actually computing instead of waiting on the network. ¹

Inference wants memory. A single chip answers a user query in milliseconds, and the bottleneck is how much of the model and the running context fit in HBM without spilling. That is why 8i has 288 GB per chip and 3x the on-chip SRAM. Nothing about that helps training. Everything about it helps agents.

What does the TPU 8i signal about inference workloads?

There is a reason Google framed the 8i around what it calls the "agentic era." An agent is not a one-shot inference call. It is a loop: plan, call a tool, read the result, plan again, call another tool. Sometimes dozens of steps, sometimes hundreds. The model weights stay loaded. The KV cache keeps growing. Memory is not a nice-to-have. Memory is the budget.

288 GB per chip is not a round number. It is the number you pick when you have watched agents thrash HBM and decided to stop pretending 80 GB is enough. ¹

The performance-per-dollar claim is the tell. Google says 8i is 80% better on that metric than Ironwood and supports roughly 2x customer volume at the same cost. ¹ Nobody talks about dollars-per-token when training is the bottleneck. They talk about dollars-per-token when the bill is dominated by the inference that happens every time someone asks Gemini to do something. Which it now is, for Google and for everyone else.

I wrote earlier about how TurboQuant compressed the KV cache 6x in software. TPU 8i is the hardware version of the same bet: inference economics now run the conversation, and the team that optimizes for them wins.

Is the universal GPU era ending with Google's TPU 8?

Nvidia's H100 trains your model and serves your model. So does the B200. Nvidia does ship inference-leaning SKUs like the L4 and L40S, but the flagship data-center AI chip is still one die doing both jobs. That is the universal-GPU bet: one chip, two workloads, pay the compromise on both.

The compromise is real. A training chip spends a lot of silicon on high-bandwidth fabric that an inference chip never uses. An inference chip wants big HBM and big SRAM that a training chip does not need in the same ratio. Force them into one die and you are renting every customer the worst of both worlds.

Google is the biggest hyperscaler to ship purpose-built training and inference silicon in the same generation. AWS got there first with Inferentia in 2019 and Trainium in 2021. Microsoft followed with Maia. ² Meta has MTIA. The pattern is not Google being weird; it is the industry quietly admitting that the one-size-fits-all GPU was a phase, not a destination.

Call it what it is. The TPU 8 announcement is a fork in the road for AI silicon. Nvidia has the software moat and the universality. Google, AWS, Microsoft, and Meta have vertical integration and two chips each. The question for the next three years is whether the software moat survives once specialized silicon is 2x cheaper per watt on the workload that actually pays the bill.

Who wins and who loses as AI splits into two economies?

Once training and inference become different businesses, the winners and losers sort themselves into different columns.

Hyperscalers with volume on both sides win. Google, AWS, Microsoft, Meta have the scale to justify two purpose-built chips instead of one compromise chip. Every specialized accelerator they ship is a workload they no longer rent from Nvidia. Training stays expensive; inference gets cheaper inside their walls than outside.

Nvidia's dominance is challenged, not broken. CUDA, NCCL, and two decades of tooling keep training workloads locked in. That is the half of the business that still prints money. Inference is the half that grows faster, and inference is where the hyperscalers are quietly migrating workloads onto their own silicon. The ceiling on Nvidia's growth is now set by how fast TPU, Trainium, and Maia can absorb inference volume.

Foundation model labs that do not own silicon get squeezed. Anthropic rents from AWS and Google. OpenAI rents from Microsoft and the Stargate partners. All three of those landlords are building competitive models on the same chips they are renting out. The rent keeps going up and the cross-subsidy is one-way.

Startups and app builders live or die on inference economics. If you are building on foundation models, your margin is tokens-per-dollar. When hyperscalers drop inference cost 80% on their own silicon, that becomes the floor everyone else has to compete with. The team that ships the cheapest inference at scale becomes the cheapest place to build an app. For builders, that is a feature, not a threat. For anyone reselling Nvidia capacity with a markup, it is a countdown.

Margins move to whoever runs the cheapest inference at scale. Training is a capex line item, amortized over the life of a model. Inference is a variable cost on every single request. Whoever controls the variable cost controls the unit economics of the AI industry. That is the prize.

Is the TPU 8 interconnect actually falling behind AWS and Microsoft?

A recurring critique on the Hacker News thread was that Google's memory-to-interconnect ratio is slipping. ² Worth taking seriously, and worth checking against the actual numbers, because the commenter had the units confused.

Here is the like-for-like comparison, all bidirectional per chip:

Ironwood (TPU v7): 1.2 TB/s (9.6 Tb/s aggregate across four ICI links). ³
Google TPU 8i: 2.4 TB/s (19.2 Tb/s per Google). ¹ Roughly double Ironwood. Matches Google's "2x interconnect" claim.
AWS Trainium3: 2 TB/s on NeuronLink-v4, inside a 144-chip UltraServer. ⁴
Microsoft Maia 200: 2.8 TB/s bidirectional on an integrated on-die NIC. ⁵

TPU 8i is not behind the pack. It beats Trainium3 and sits just shy of Maia 200. The "1.2" figure that got circulated was Ironwood, not 8i. Google doubled the number, and the doubling lands them in contention with the chips they are supposed to be losing to.

The real open question is ratios. Maia 200 ships 216 GB of HBM; TPU 8i ships 288 GB. Bigger memory pools need more bandwidth to drain, and at some point inference workloads start begging for more interconnect. That tradeoff is real. But it is a tuning debate inside a competitive band, not evidence Google has fallen off.

How does Google's TPU 8 move the AI moat to silicon?

Step back from the chip. Look at the stack.

Google owns every layer:

Fab relationship with TSMC
Chip design (TPU 8)
Interconnect (ICI)
Data centers (with custom Axion CPUs)
Compiler (XLA)
Training framework (JAX)
Serving stack (for inference)
Model (Gemini)
Product (Search, Workspace, Android)

When TPU 8 ships, Google's own workloads get the 2x perf-per-watt before anyone else does. And the people who rent Google's TPUs are renting a stack that was optimized end to end by the same company.

Anthropic leans on AWS and Google Cloud. OpenAI leans on Microsoft and the Stargate partners. The labs with the best models rent their silicon. Google builds its own.

Now look at what the last twelve months showed us about models. DeepSeek R1 replicated frontier capability at a fraction of the training cost in January 2025. ⁶ Open weights caught up faster than anyone expected. Llama, Qwen, Mistral, DeepSeek, Gemma: the gap between the best closed model and a competent open one keeps shrinking. Models replicate. That is the whole point of software.

Fabs do not replicate. You cannot fork TSMC. You cannot clone a 9,600-chip liquid-cooled superpod on a weekend. The thing the industry spent two years arguing about, whose model is smartest, turns out to be the part that commoditizes fastest. The thing nobody argues about, whose silicon is cheapest per useful token, is the part that compounds. The $122B OpenAI raised is mostly going to buy this capacity, not build better models.

This is the same lesson constraints usually teach. The visible layer changes constantly. The load-bearing layer underneath does not, and whoever owns it wins slowly, then suddenly. Gemini can stay a half-step behind Claude on agentic coding and Google still comes out ahead if the cost to serve is half. Skeptics on the Hacker News thread were right that the model quality gap is real. ² They were arguing about the wrong layer.

The TPU 8 split is not an engineering footnote. It is the moment Google stopped pretending the moat was the model.

Key takeaways

AI is splitting into two economies. Training is capex-heavy and concentrated in a handful of hyperscalers. Inference is where apps, agents, and revenue actually scale. TPU 8 is the first chip generation to treat the split as the default.
TPU 8 is two chips. 8t for training (9,600-chip pods, 121 ExaFlops, 2 PB HBM). 8i for inference (288 GB HBM, 384 MB SRAM, 19.2 Tb/s interconnect). ¹
Up to 2x performance-per-watt versus Ironwood on both chips; 3x pod compute on 8t; 80% better performance-per-dollar on 8i. ¹
Hyperscalers win, Nvidia gets squeezed on inference, labs without silicon pay rent both ways. Margins move to whoever runs the cheapest inference at scale.
The moat is moving to silicon. Models replicate (DeepSeek). Fabs and full-stack integration do not. ⁶
General availability later in 2026. Citadel Securities is the first named customer. ¹

Frequently asked questions

What are the TPU 8t and TPU 8i?

They are the two chips in Google's eighth generation TPU. The 8t is the training chip, built into 9,600-chip superpods that deliver 121 ExaFlops and 2 petabytes of shared high-bandwidth memory. The 8i is the inference chip, with 288 GB of HBM, 384 MB of on-chip SRAM, and 19.2 Tb/s of interconnect bandwidth per chip. ¹

How does Google's TPU 8 compare to Ironwood?

Google cites up to 2x better performance-per-watt versus Ironwood and roughly 3x more compute per pod on 8t. ¹ Logan Kilpatrick from Google framed the headline gain as 2 to 3x depending on workload. ⁷ TPU 8i claims 80% better performance-per-dollar and supports roughly 2x customer volume at the same cost.

Why did Google split training and inference in TPU 8?

Training and inference want different hardware. Training is bandwidth-hungry across thousands of chips running for weeks. Inference is memory-hungry on a single chip running for milliseconds. Ironwood was one chip forced to serve both. TPU 8 admits the compromise was costing money and built two.

When will Google's TPU 8 be available?

General availability is planned for later in 2026. ¹ Citadel Securities is the named early customer in Google's announcement.

I break down things like this on LinkedIn, X, and Instagram. Usually shorter, sometimes as carousels. If this resonated, you would probably like those too.

Sources

Claude Design vs Figma, Lovable, v0: What's Different

Sameer Khan — Tue, 21 Apr 2026 07:20:09 +0000

TL;DR: Figma, Lovable, v0, and Claude Design are not the same tool. They pick different starting points: the design file, an idea, a component prompt, your codebase. Different starting points, different jobs.

If you have shipped a product, you know the cycle. Brief to designer. Something comes back that does not quite match the brand. Revise. Engineer reinterprets the spec. Revise again. Two weeks later, the thing looks slightly off.

Early adopters described cutting that whole cycle to a single conversation. One team reported going from a week-long brief-to-code loop to one session. That is the shift worth unpacking, and it gets lost when Claude Design is compared head-to-head with tools solving different problems.

What Do Figma AI, Lovable, and v0 Actually Do?

Each tool has a clear job. The press keeps comparing the wrong jobs.

Figma Make (Figma's AI layer): generates designs from prompts inside the Figma canvas. Starts from the design file. ¹
Lovable: turns a plain-language description into a full-stack deployable app. Starts from an idea. ²
v0 by Vercel: generates React and Tailwind components from prompts. Developer-facing, fast. Starts from a component need. ²
Claude Design: reads your GitHub repo and generates designs shaped by what is already there. Starts from your production codebase.

Four tools, four starting points.

What Does Claude Design Do That Figma, Lovable, and v0 Don't?

When you connect a GitHub repo, Claude Design reads your codebase and extracts: ³

Tailwind config: your spacing scale, breakpoints, color tokens
Global CSS: your CSS variables, font stacks, base styles
Font declarations and logo SVGs: the visual identity already in your code
Component names: the vocabulary your engineers use

What comes out is a design system that already matches what you shipped. Not one you configure. The one living in your repo.

Two designers ran a live side-by-side the day it launched. Same brief to both: redesign a real blog in Readymag style, passed in as a screenshot and a markdown context file. Claude Design produced a layout that tracked the reference. Lovable produced something competent but generic, closer to a WordPress theme than the brand they pointed at. The designer's read: "designers now can cook." Not a replacement, a lever. ⁴

You build from there. Prompt to prototype. When the prototype is ready, one instruction passes it to Claude Code, which also reads your codebase. The loop closes: idea, design, production code, no translation step.

Lovable and v0 aim at different outputs. Lovable gives a greenfield founder a new app. v0 gives a developer a component to paste in. Claude Design gives a team with an existing product something pre-fitted to their repo. ⁵

Why Does Starting From Your Codebase Matter?

Different starting points serve different people.

Figma treats the design file as the canonical home for a brand. For design teams, that is still true.
Claude Design treats the repo as canonical. That fits a different team: one where design intent already lives in Tailwind tokens, CSS variables, and component names.

This matters most to one person: the engineer or PM extending a live product. Not building something new. Not exploring from a blank canvas. Extending what is already there, in a way that matches what is already there.

For that person, starting from the repo removes a translation step. The output is already shaped by the code it will land in. The other tools are not worse at this. They are aimed elsewhere.

I post breakdowns like this regularly on LinkedIn and Instagram. The angle is always what it means for builders, not what the press release says.

When Should You Use Each Tool?

Pick by the starting point that matches your job.

Figma is the tool for design teams on a shared canvas. Pixel precision, component libraries, review workflows, handoff annotations. Claude Design does none of this. ⁵
Lovable is the tool when you have no product yet and want idea to deployed app without code. MVP, internal tool, first prototype. Claude Design is not for that.
v0 is the tool when you need a React component fast and can edit code. Claude Design is not trying to replace that.

Claude Design is aimed at a specific step: you have a live product, a new feature to design, and you need something that already matches everything you built. Teams have always solved this with some combination of briefs, design exploration, review, handoff, and engineering interpretation. Claude Design compresses that into a conversation that starts from the repo. Whether that is the right trade depends on the team.

The broader pattern is familiar. Zuckerberg returning to the codebase after 20 years using Claude Code is the same story. So is Karpathy explaining AI workflows to people who do not write code. AI is not replacing the work. It is eliminating the translation layers between people who do different kinds of work.

One signal worth noting. Mike Krieger, Anthropic's CPO and Instagram co-founder, resigned from Figma's board on April 14, three days before Claude Design launched. He had joined less than a year earlier. The resignation was disclosed to the SEC the same day The Information reported Anthropic was building design tools. ⁶ The adjacency was close enough for the board seat to become untenable, even though the two products are aimed at different jobs.

The market read the adjacency in real time.

Anthropic Labs launched Claude Design, a new product for creating visual assets, prototypes, slides, and one-pagers with Claude.

It is rolling out in research preview to Pro, Max, Team, and Enterprise users, powered by Claude Opus 4.7.$ADBE $FIG https://t.co/5u0TOMSqSW pic.twitter.com/TblMIEJE4u
— Wall St Engine (@wallstengine) April 17, 2026

What Are Claude Design's Limitations Right Now?

Claude Design is a research preview as of April 2026. Real constraints worth knowing before you try it:

No multiplayer. For a design team on a shared canvas, Figma still wins cleanly. ⁵
Token burn is heavy. Claude Design runs on Opus 4.7 and is metered separately from your chat and Claude Code usage. Pro is described as "quick explorations, one-off use." One user reported two design sessions consuming 58% of their weekly Pro allowance. ⁷ To use it regularly, you need Max.
Prototyping-level output, not production polish. The design system extraction makes things brand-consistent, but it is not a replacement for a designer's eye on the final layer.
Export options are practical but limited: PDF, PPTX, standalone HTML, Canva. ⁸ The HTML export is also how the Claude Code handoff closes the loop. Anthropic's own ecosystem, end to end.

A 5-Question Claude Design Readiness Check

Before you open it, ask these. If you answer yes to three or more, Claude Design fits your workflow today. If not, Figma, Lovable, or v0 is probably the better tool for the job.

Do you already have a shipped product in a GitHub repo? Claude Design starts from code that exists. No repo, no extraction.
Is your design system encoded in Tailwind config, CSS variables, or component names? That is what the extractor reads. Design tokens locked in a Figma file alone will not transfer.
Are you extending an existing product rather than starting from zero? The tool's edge is fit to what is already there. For greenfield work, Lovable or v0 is closer to the job.
Can one person own the design-to-code loop, or does it need multiplayer? No shared canvas. If three designers need to work on the same file, Figma still wins.
Are you on Max, or willing to rate-limit yourself on Pro? Two sessions burned 58% of a weekly Pro allowance. Regular use needs Max.

Three or more yeses and the translation step this tool removes is a real one for you.

Key Takeaways

Figma, Lovable, v0, and Claude Design pick different starting points. Different starting points, different jobs.
Figma treats the design file as canonical. Claude Design treats the codebase as canonical. Neither is wrong; they suit different teams.
Claude Design's design system extraction reads your Tailwind, CSS, and component names to generate on-brand output from the first prompt, without manual configuration.
Each tool fits a different starting point: Figma for collaborative design work, Lovable for greenfield apps, v0 for quick components, Claude Design for extending an existing codebase.
Token burn is real. Claude Design is metered separately. Pro is for one-off use. Regular use requires Max.
Anthropic's CPO resigned from Figma's board three days before launch. Figma's stock dropped 5 to 7% on launch day, a read of the adjacency, not a verdict on either product.

Shipping something where this trade-off matters and want a second read on it? Get in touch. I reply to every thoughtful email.

I post builder-first takes on AI tooling on LinkedIn, X, and Instagram. The kind that skip the hype and go straight to what changes for people who ship. If that is useful, a follow goes a long way.

Meta Muse Spark: What Meta Is Actually Betting On

Sameer Khan — Fri, 17 Apr 2026 12:33:55 +0000

TL;DR: Meta launched Muse Spark on April 8, 2026. Most commentary split into two camps. Meta went closed because Meta won. Meta went closed because Meta lost. Both miss what Meta actually built. Muse Spark does frontier-class reasoning in less than half the output tokens Claude Opus 4.6 and GPT-5.4 spend on the same benchmark, and Meta AI, the product serving roughly three billion daily active users, runs on it. Read Muse Spark as an efficiency-first, patiently sequenced, consumer-scale bet, and the choices that look strange on their own start fitting together.

The week Muse Spark launched, the conversation split almost immediately. One camp said Meta finally caught up and closed the doors. Another said Meta finally fell behind and is hiding it. Both sides were arguing about the license. Neither was arguing about the model.

The bet Meta actually made isn't captured by the license. It's captured by three choices that are easy to miss through the open-weights lens. Muse Spark is designed for fewer tokens per query. It is framed as step one of a long sequence. And it is shipping first as the engine of a consumer product reaching three billion daily active users. Those three choices, taken together, describe a different game than the one most labs are playing.

What Muse Spark is

Muse Spark is Meta Superintelligence Labs' first model, shipped April 8 after a nine-month rebuild of Meta's AI infrastructure. ¹ It is a natively multimodal reasoning model with three modes. Instant for fast responses. Thinking for reasoning-heavy queries. Contemplating, positioned against Gemini Deep Think and GPT Pro for long scientific work. It supports tool use, visual chain of thought, and multi-agent orchestration. ²

Meta AI, the consumer product on meta.ai and the Meta AI app, runs on it today. The Muse Spark API is in private preview for selected partners. Alexandr Wang, Meta's Chief AI Officer, has said broader API access is coming. ³ The weights have not been released, and Meta has not committed to whether or when they will be.

On the Artificial Analysis Intelligence Index v4.0, Muse Spark scores 52. GPT-5.4 and Gemini 3.1 Pro Preview score 57. Claude Opus 4.6 scores 53. ⁴ Fourth at the frontier, as the frontier is currently measured.

Efficiency is the number that matters

Meta's headline technical claim is that Muse Spark reaches its capabilities with over an order of magnitude less compute than Llama 4 Maverick, the prior Meta flagship. ¹ That is a training-side claim. The more interesting number sits on the inference side.

To complete the Artificial Analysis Intelligence Index v4.0 run, Muse Spark used 58 million output tokens. Claude Opus 4.6 used 157 million. GPT-5.4 used 120 million. ⁴ Muse Spark reaches roughly the same tier of performance while spending less than half the thinking time of its closest competitors.

Meta calls the mechanism thought compression. During reinforcement learning, the model is penalized for excessive reasoning tokens. It is trained to reach the same answer with fewer intermediate steps. ⁴

Zoom out. Llama 4 Maverick scored 18 on the same index. Muse Spark scores 52. ⁴ Nearly 3x jump in one release, using roughly a tenth of the training compute, producing a model that serves answers in less than half the output tokens of its peers. That is not a fourth-place story. It is a different-axis story.

Thought compression isn't the only lever. Fei Xia, a Meta researcher, showed Muse Spark tackling a hard visual counting task using parallel subagents: divide the image into a grid, assign a subagent per tile, merge the counts. ⁵ That is a second axis of test-compute scaling. Not fewer tokens per query, but many smaller queries instead of one large one. Both compound efficiency at inference time.

Matt Ridley, in How Innovation Works, argues that real technological progress almost never looks like a breakthrough in the moment. It looks like compounded efficiency. ⁶ The Wright brothers didn't fly higher than their competitors; they iterated longer. Meta's claim with Muse Spark is that the same mechanism is back in large language models as the active design constraint. Fewer tokens per query, optimized over releases, compounded.

Under the efficiency thesis, the contribution is the training recipe, not the weights. The productized result at three billion DAUs is what the recipe is for.

Patience as a structural choice

Wang's launch thread called Muse Spark "step one." ³ Meta has named three modes, shipped two of them, and placed Contemplating on a published roadmap. The release itself followed a nine-month rebuild of Meta's internal AI infrastructure before any new model went out. ¹

That pattern is uncommon. Labs announce quarterly, deprecate on shorter cycles, and trade nomenclature every six weeks. A frontier lab committing to a staged ladder with named but unbuilt later steps is the exception.

Jeff Bezos's 1997 shareholder letter made a version of this argument on its own: "We will continue to make investment decisions in light of long-term market leadership considerations rather than short-term profitability considerations." ⁷ Most companies quote the line. Very few behave like it. Muse Spark is Meta behaving like it. A nine-month silence, a named sequence, an efficiency-first architecture that only pays back at scale.

Patience has a failure mode. If the ladder breaks, the gap widens. If competitors keep improving quarterly and Muse Spark's step two arrives in 2027, the index score will read worse, not better. That is the actual risk of the strategy. Not the license. The cadence.

The game Meta is actually playing

Roughly three billion daily active users touch Meta's products. Muse Spark powers Meta AI across them. ¹ Every prompt, every caption suggestion, every smart reply, every image generation across meta.ai, Instagram, WhatsApp, and Facebook is a query served at Meta's cost.

Reread the efficiency numbers with that denominator. 58 million output tokens per benchmark run is interesting when you run one benchmark. It is structural when you run hundreds of billions of inferences. Cutting thinking time by more than half is how inference economics actually move at Meta's scale.

The API is a secondary product. The primary product is a feature inside applications people already use. That framing answers most of the questions that the closed-weights decision seems to raise:

Why closed: weight distribution gives up the only part that is uniquely Meta, which is distribution plus efficient inference under Meta's control.
Why efficiency-first: cost-per-query is the load-bearing variable at three billion users.
Why fourth on the index: the index measures capability, not capability per dollar of inference. Meta is not optimizing for the thing the index measures.
Why patience: product cycles at Meta's scale run in quarters and years, not weeks. A staged ladder matches the cadence of the products that will ship the model.

OpenAI, Anthropic, and Google primarily sell access. Meta does not. Meta bundles. A closed, efficient model embedded in consumer distribution is a product shape no other frontier lab has a direct answer to right now.

What Muse Spark bets against

Muse Spark bets against three premises that have held in AI for three years. That benchmark rank drives strategic outcomes. That fast iteration beats staged iteration. That serving the weights is the dominant form of distribution.

If Meta is right, competitors re-architect. Expect tokens-per-benchmark to become a reported number. Expect ladder-style release roadmaps. Expect fewer labs selling raw access and more labs selling integrated products.

If Meta is wrong, Muse Spark stays fourth on the index, the efficiency claim gets normalized by competitors' next releases, and the Scale-era thesis fades into another nine-month rebuild.

Deedy, in a popular thread after launch, called Muse Spark's reasoning "solid but not best in class." ⁵ That read is fair if you are benchmarking reasoning. It is beside the point if you are measuring how to serve reasoning to three billion people.

Takeaways

Efficiency is the headline, not the license. Muse Spark uses 58 million output tokens where Claude Opus 4.6 uses 157 million on the same evaluation. ⁴
Training efficiency is roughly ten times Llama 4 Maverick. The index score nearly tripled in one release. ¹ ⁴
Patience is the structural bet. A nine-month rebuild, a three-mode ladder, a second-step roadmap that is named but not shipped. ¹ ³
Specialization explains the choices. Meta AI reaches three billion DAUs, and inference economics at that scale reward the token per query being low, not the leaderboard rank being high. ¹
The license is a symptom of the strategy. If efficiency plus distribution plus patience is the bet, releasing the weights gives the bet away.

I've been writing about how constraints shape design, not features for a while, and Muse Spark is a useful instance of the pattern. The interesting move in AI this year might not be the model that scores higher. It might be the model that answers in fewer tokens and ships inside an application a billion people already open every day.

I break things like this down on LinkedIn, X, and Instagram. Usually shorter, sometimes as carousels. If this read resonated, you'd probably like those.

Sources

Meta AI, "Introducing Muse Spark", April 8, 2026 ↩
Simon Willison, "Meta's new model is Muse Spark", April 8, 2026 ↩
Alexandr Wang on X, launch thread and API update, April 2026 ↩
Muse Spark: Features, Benchmarks, and How to Use It, DataCamp, April 2026 ↩
Fei Xia and Deedy Das on Muse Spark capabilities (thread), April 13, 2026 ↩
Matt Ridley, How Innovation Works: And Why It Flourishes in Freedom (HarperCollins, 2020) ↩
Jeff Bezos, 1997 Letter to Shareholders, Amazon ↩

GPT-5.4-Cyber explained: OpenAI's cyber-only AI

Sameer Khan — Wed, 15 Apr 2026 08:33:55 +0000

Two days ago I wrote about Claude Mythos completing AISI's 32-step cyberattack chain end-to-end. On April 14, OpenAI put out the clearest signal yet that the labs are reading the same capability curve and building the defender track in advance.

They announced GPT-5.4-Cyber, a version of GPT-5.4 fine-tuned to be "cyber-permissive," and scaled up their Trusted Access for Cyber (TAC) program to thousands of verified individual defenders and hundreds of teams defending critical software.¹ In their own words, this is shipping "in preparation for increasingly more capable models over the next few months."

TL;DR. This is defender tooling shipped before the next capability jump, not after. The model is the headline. The real story is a fine-tuned permissive variant named, tiered, and published as a product.

Primary source: OpenAI on scaling trusted access for cyber defense.

What Does GPT-5.4-Cyber Actually Unlock for Defenders?

Same base model as GPT-5.4, different refusal boundary. OpenAI's description: a model that "lowers the refusal boundary for legitimate cybersecurity work" and adds capabilities like binary reverse engineering. It can analyze compiled software for malware, vulnerabilities, and robustness without access to source code.¹

Binary reverse engineering is the concrete unlock, and it is not small. It is one of the highest-leverage things a defender can automate, and it is exactly the kind of request that trips every refusal classifier ever built. The same prompt from a malicious actor yields the same output. The model cannot tell them apart. The verification layer can.

Everything else in the envelope is less dramatic but more useful at scale. Vulnerability research without the hedging. Security education that answers the question instead of warning about it. Defensive programming help that does not refuse to describe the attack it is trying to prevent.

Why Was Refusal Always a Bad Safeguard?

For three years, the default safety move has been to push risk into the model through refusal training. It was the cheapest thing to ship and the easiest thing to measure. It also quietly assumed attackers and defenders use the same tool, so making the tool worse would hurt both evenly.

That assumption was always wrong. Attackers run local models, jailbroken models, and purpose-built tooling. Refusals mostly tax the defenders trying to follow the rules.

GPT-5.4 (classified "high" cyber capability under OpenAI's Preparedness Framework) keeps its refusal boundary for the public. The permissive variant ships only to people who have agreed to be identified. This is closer to how physical-world dual-use actually works. Pharmacies stock dangerous drugs behind an identity check, not behind a refusal. Labs buy restricted reagents with a license. The safeguard is not the molecule. It is the paperwork.

GPT-5.4-Cyber and the Mythos Parallel

My last three posts on Claude Mythos describe the same shape from different angles. The system card showed a model with enough situational awareness to conceal its own actions. Project Glasswing showed the same model finding thousands of zero-days in critical open-source infrastructure. The AISI cyber range showed it running a full 32-step autonomous cyberattack. Mythos itself is gated. Anthropic ships it only through its own trust program.

So both frontier labs already operate the same model: dual-use capability behind verified access. What is new with GPT-5.4-Cyber is that OpenAI is the first to take the defender side of that model and publish it as a product tier: a named, fine-tuned, cyber-permissive variant with its own enrollment path and its own preparedness designation. Anthropic's gating is a policy. OpenAI's is a SKU.

You can see the same bet in the numbers they quietly dropped in the same post. Codex Security has contributed to over 3,000 critical and high vulnerability fixes since launch. Codex for Open Source has reached more than 1,000 open source projects. The $10M Cybersecurity Grant Program keeps funding defender tooling.¹ In the Mythos cyberattack post I wrote: "I'd bet on it eventually, but 'eventually' and 'right now' are different things in security." This is a lab betting "right now," on the defender side, and betting it visibly.

Who Verifies the Verifier?

The uncomfortable follow-up to any identity-gated safeguard. OpenAI is now the identity layer for a meaningful slice of the security industry. Every defender applying for the permissive tier is trusting one company's KYC pipeline to decide who counts as a defender, and trusting OpenAI's interpretation of "legitimate use" to hold up over time.

This is the part of the announcement I would most want to see discussed over the next few weeks. It is also the part nobody will discuss, because the new model is shinier than the policy question behind it.

Key takeaways

GPT-5.4-Cyber is a fine-tuned GPT-5.4 with fewer capability restrictions, shipped only to vetted defenders under the Trusted Access for Cyber program.
Preemptive, not reactive. OpenAI is shipping this ahead of more capable base models coming in the next few months, in their own words.
Both labs already gate dual-use. Mythos is restricted through Anthropic's trust program. What is new is OpenAI naming a fine-tuned permissive variant as a product tier.
Open question: who audits the identity layer when OpenAI and Anthropic become the KYC gate for a chunk of the security industry?

I break down AI safety and capability stories on LinkedIn, X, and Instagram. If this resonated, you would probably like those too.

OpenAI on scaling trusted access for cyber defense (April 14, 2026) ↩

Claude Mythos Is the First AI to Complete a Full Corporate Cyberattack End-to-End

Sameer Khan — Mon, 13 Apr 2026 17:35:25 +0000

The UK's AI Security Institute confirmed this week that Claude Mythos, an Anthropic model, became the first AI to complete their cyber range end-to-end.¹ The range is a 32-step corporate network attack scenario. Human experts estimate the same attack would take them 20 hours.

The institute's recommendation to organizations: keep your software updated. Use access controls. Enable logging.

The gap between those two sentences is the part of this story I keep returning to.

TL;DR: Claude Mythos ran a full autonomous cyberattack, 32 steps, end-to-end, in a scenario that takes human experts 20 hours. It is the first AI to complete AISI's cyber range. The official response was to recommend basic security hygiene. The mismatch between the capability and the response is where the real story lives.

How Did AI Go From Basic Cyber Tasks to a Full Autonomous Cyberattack?

Self-driving cars give me the cleanest parallel here.

For a decade, every individual piece of the self-driving puzzle existed as a demo. Lane-keeping worked. Adaptive cruise worked. Automated parking worked. What didn't exist, for years, was the full ride. Door to door, no human touching the wheel. When Waymo's first commercial robotaxi picked up a passenger in 2020, what changed wasn't the individual capabilities. It was the threshold: chaining all of them into one uninterrupted ride.

The same thing just happened in offensive cybersecurity.

Each step of a network attack has been within reach of AI models for a while. Reconnaissance. Crafting payloads. Pivoting through a subnet. Covering tracks. What didn't exist was a model that could chain all 32 of those steps together without a human stepping in between. Claude Mythos did.

In 2023, leading AI models struggled with basic cybersecurity tasks. Not sophisticated ones. Basic ones. Three years later, one of them drove the entire route.

AISI published the actual curve, and it is worth looking at directly.

The red line is Mythos. GPT-4o sits near the bottom, completing around three steps before running out. Sonnet 4.5 gets to roughly 11. Opus 4.5 and the GPT-5 family cluster in the mid teens. Opus 4.6 pushes past 16. Mythos is the only line that clears the middle milestones: C2 reverse engineering, advanced persistence, infrastructure compromise, and eventually M9 — "Full network takeover."¹ The shape of that curve is what "first AI to complete the range end-to-end" actually looks like.

AISI is careful about the current scope. The capability applies to "small, weakly defended, and vulnerable systems" given network access. Think of it as the robotaxi that only works on mapped, sunny, well-marked urban grids. Hardened enterprise infrastructure with proper controls is still a different problem, the same way a snowy mountain pass is still a different problem for Waymo.¹

The trajectory is what matters. 2023 to 2026 is three years.

Why Does an Autonomous Cyberattack Change the Security Equation?

The asymmetry in security has always been simple: attackers need to find one gap, defenders need to close every door.

AI doesn't change that asymmetry. It changes the cost of running an attack. An automated system doesn't need domain expertise to chain 32 steps. It doesn't get tired halfway through. It doesn't hesitate at unfamiliar territory.

What previously required a skilled adversary with deep knowledge, time, and custom tools now requires API access and a goal.

The same model AISI tested on offense has been used defensively in Anthropic's Project Glasswing to find thousands of zero-days in critical open-source infrastructure. Offense and defense, same capability, same model. The dual-use nature isn't incidental. It's structural. Whoever has the model has both sides.

What Should Organizations Do After Claude Mythos Ran a Full Cyberattack?

Patch your systems. Use MFA. Enable logging. AISI's recommendations are correct.

But they were correct before this evaluation too. That's the part I can't get past.

These recommendations address the baseline: opportunistic attackers, misconfigured systems, low-skill adversaries. They don't address the shift in assumption that happens when a fully autonomous cyberattack chain becomes possible. Hygiene is still necessary. It is no longer sufficient as a strategy.

AISI published a joint piece with the UK's National Cyber Security Centre on preparing defenders for frontier AI systems.¹ That collaboration exists because the people closest to this problem know the defensive tooling gap is real. The open question is whether the defensive side of AI moves as fast as the offensive side. I'd bet on it eventually, but "eventually" and "right now" are different things in security.

What Does the Claude Mythos Evaluation Pattern Reveal?

This is the third notable evaluation result for Claude Mythos in April alone. The system card showed a model with enough situational awareness to conceal its own actions. Project Glasswing showed it finding thousands of vulnerabilities in critical infrastructure. The AISI cyber range shows it running a full autonomous cyberattack.

These aren't contradictions. They are the same underlying capability applied in different contexts. A model capable enough for complex multi-step reasoning is capable enough to create real problems at scale.

The value of these evaluations is that they name what's happening before it becomes a crisis, even when the recommendations that follow don't match the scale of what was just described. Naming it first is not nothing.

Key takeaways

Claude Mythos became the first AI to complete a 32-step corporate cyberattack chain end-to-end in AISI's cyber range
Human experts estimate the same operation takes 20 hours
In 2023, leading models couldn't complete basic cybersecurity tasks. Three years later, one completed a full autonomous cyberattack
Current capability is scoped to "small, weakly defended" systems, not enterprise infrastructure with proper controls
The trajectory matters more than the current benchmark: three years of rapid progress, with no signs of slowing
AISI's defensive recommendations (patch, use MFA, enable logging) are correct but baseline — they predate this evaluation
AISI and the UK NCSC published joint guidance on preparing defenders for frontier AI systems

I break down things like this on LinkedIn, X, and Instagram — usually shorter, sometimes as carousels. If this resonated, you'd probably like those too.

Sources

AI Security Institute (@AISecurityInst) — Claude Mythos cyber range evaluation, April 13, 2026 ↩

Zuckerberg Is Writing Code Again. With Claude Code.

Sameer Khan — Sun, 05 Apr 2026 10:24:18 +0000

TL;DR: Mark Zuckerberg shipped 3 diffs to Meta's monorepo last month, his first code in 20 years. He's a heavy user of Claude Code CLI. One of his diffs got 200+ approvals from engineers who wanted to say they reviewed the CEO's code. He's not the only one. Garry Tan at Y Combinator is doing the same thing. The pattern is clear: AI coding tools are pulling founders back into the codebase.

What happened?

Gergely Orosz at The Pragmatic Engineer reported this week that Mark Zuckerberg is back to writing code. Three diffs landed in Meta's monorepo in March 2026. His tool of choice: Claude Code CLI, Anthropic's terminal-based AI coding assistant. ¹

To put the scale in perspective: Meta's monorepo now has close to 100 million diffs. Back in 2006, the entire Facebook codebase had fewer than 10,000. ¹

Zuckerberg's last meaningful code contributions were in 2006. That's a 20-year gap. The fact that he's back, and using an AI tool to do it, says something about where we are.

The 2010 diff that got force-merged

This isn't Zuckerberg's first time making waves in code review.

In 2010, he submitted a diff that made profile photos clickable on the profile page. Michael Novati, a senior engineer who would become the first person to hold Meta's L7 "coding machine" archetype, blocked it. The reason: formatting issues everywhere. ¹ ²

Zuckerberg overrode the block and force-merged it. ¹

Novati spent eight years at Meta and was recognized as the top code committer company-wide for several of them. The Pragmatic Engineer did a full episode with him about what it means to be a "coding machine" at that scale. ²

The 2010 story is funny in hindsight. But the 2026 version is different. This time, Zuckerberg isn't force-merging past reviewers. He's using AI to write code that engineers actually want to approve. One of his March diffs got more than 200 approvals, with devs jumping at the chance to say they'd reviewed the CEO's work. ¹

Why this matters beyond the anecdote

Three diffs from the CEO of a 70,000-employee company is a footnote in a 100-million-diff monorepo. The signal isn't the code. It's the behavior.

Zuckerberg isn't the only founder pulled back into the codebase by AI tools. Garry Tan, CEO of Y Combinator, returned to coding after 15 years and open-sourced gstack, a Claude Code system with 23 specialist tools that turns the CLI into a virtual engineering team: code reviewer, QA lead, security auditor, release engineer. ³ ⁴

Tobias Lütke, CEO of Shopify, has been running experiments with Karpathy's AutoResearch on internal company data. 37 experiments overnight. 19% performance gain.

I wrote about how AutoResearch works a few days ago. The throughline is the same: AI tools are collapsing the gap between "person with ideas" and "person who ships code." Founders used to be the first type. AI is turning them back into the second.

Meta's bet: AI writes most of the code

Zuckerberg coding again isn't a hobby. It's a signal of where Meta is heading.

Leaked internal documents from March 2026 show aggressive targets. Meta's creation org wants 65% of engineers writing 75% or more of their committed code using AI by mid-2026. The Scalable Machine Learning org set a target of 50-80% AI-assisted code. ⁵

Zuckerberg himself said on Dwarkesh Patel's podcast that "in the next year, maybe half the development will be done by AI as opposed to people, and that will kind of increase from there." ⁶

He's not predicting this from the sidelines. He's using Claude Code in the terminal to ship diffs to his own monorepo. The CEO is the pilot customer.

The pattern worth watching

There's a recurring shape here.

Karpathy builds AutoResearch. Constrains the agent to one file, one metric, one 5-minute cycle. The constraint is the invention. Lütke runs it on Shopify data overnight. Marketers adapt it for landing pages.

Anthropic builds Claude Code. Tan wraps it in 23 specialist agents. Zuckerberg uses it to ship his first code in 20 years.

The tools don't just help engineers code faster. They re-open coding to people who stopped. Founders who moved into strategy, management, fundraising. People who haven't touched a codebase in a decade. The barrier to re-entry used to be months of catching up on tooling, frameworks, and conventions. Now it's a terminal and a prompt.

That's a different kind of disruption than "AI replaces developers." It's closer to: AI brings back the builder-CEO. The person who can see a problem, describe a solution, and ship it before the meeting ends.

Whether Zuckerberg's 3 diffs were good code is beside the point. The 200 engineers who approved them probably weren't reviewing for correctness. But the fact that a CEO can sit down with Claude Code and produce something that compiles, passes CI, and lands in a 100-million-diff monorepo? That's the new baseline.

Key takeaways

Zuckerberg shipped 3 diffs to Meta's monorepo in March 2026, his first code in ~20 years, using Claude Code CLI
One diff got 200+ approvals from engineers eager to review the CEO's code
Garry Tan (Y Combinator) also returned to coding after 15 years, open-sourcing gstack for Claude Code
Meta targets 65-75% AI-assisted code across engineering by mid-2026
AI coding tools are pulling founders back into codebases they left years ago
The disruption isn't "AI replaces developers," it's "AI re-opens development" to people who stopped

I break down things like this on LinkedIn, X, and Instagram. If this resonated, you'd probably like those too.

What OpenAI's $122 Billion Round Tells Us About AI's New Shape

Sameer Khan — Sun, 05 Apr 2026 10:23:07 +0000

On March 31, 2026, OpenAI closed a $122 billion round at an $852 billion valuation. Amazon put in $50 billion. Nvidia and SoftBank put in $30 billion each. Three billion came from retail investors. ¹ ²

That single round is larger than every venture dollar raised across India's startup ecosystem in FY26 combined, which totalled $10.1 billion. ³ Two ecosystems, two different jobs being funded. More on that later.

The reflex when you see numbers like $122B is to call it a bubble. I don't think it is. Look at what OpenAI has been doing with the capital and the check starts to make sense. Not because OpenAI will definitely win. Because nobody else is attempting what OpenAI is attempting.

What OpenAI Is Actually Doing

The shape of a category being drawn

In the past six weeks, OpenAI has moved at every economic layer where AI touches the world.

Media. Acquired TBPN, a daily three-hour founder-focused tech show hosted by John Coogan and Jordi Hays, for a reported low hundreds of millions. TBPN did $5M in ad revenue in 2025 and is on track for $30M in 2026. ⁴ OpenAI now owns three hours a day of the tech audience's attention.
Consumer commerce. ChatGPT Agent shipped with Walmart integration for agentic shopping. Users browse, compare, and buy inside ChatGPT. ⁵ First agentic commerce deployment at national retail scale.
Enterprise data and delivery. Snowflake signed a $200 million multi-year partnership putting OpenAI's models directly inside enterprise data warehouses. ⁶ Accenture is handling enterprise implementation and delivery. ⁷
Developer surface. Codex now ships as a plugin inside Claude Code, Anthropic's coding agent. ⁸ OpenAI's model, running on their competitor's surface.
Infrastructure. The Stargate project is building $500 billion of compute capacity across seven sites and ~7 GW of planned capacity. ⁹

No other AI-native company is operating across all five layers. Anthropic stays deep and narrow on models plus Claude Code. Google is retrofitting Gemini into an existing conglomerate. xAI has one distribution surface, which is X. Chinese players face different constraints and a different market. Microsoft is already a conglomerate, and owns 27% of OpenAI anyway. ¹⁰

OpenAI is alone in attempting the breadth.

The Edison Pattern

Why building the surround is the innovation

Matt Ridley makes a quiet argument in How Innovation Works that's worth sitting with. The light bulb, he writes, was invented at least 23 times before Edison. Joseph Swan had a working version. So did Heinrich Göbel, Hiram Maxim, Alexander Lodygin, and roughly twenty others. ¹¹ Edison's genius wasn't the filament. It was understanding that a bulb is useless on its own.

"He was the first to bring everything together, to combine it with a system of generating and distributing electricity."
— Matt Ridley, on Edison

So Edison built the surround. Generators, copper distribution, meters, fuses, junction boxes, domestic wiring standards. He opened Pearl Street Station in 1882 as the first commercial central power plant because without it, the bulb could not be sold. He didn't invent electricity any more than he invented the bulb. He built the economy that made both useful.

Ridley's larger claim is that innovation is almost always incremental and collective, not heroic. What looks like one person's breakthrough is usually a decades-long relay. The genius lies in assembly, in drawing together the necessary surrounding pieces so the core idea can actually be used.

Read OpenAI's $122B through that lens. The frontier model isn't the innovation. Anthropic has one. Google has one. DeepSeek has one. Several companies are, as Ridley would say, thinking simultaneously about similar solutions. What OpenAI is building is the surround. Media, commerce, enterprise data, developer surfaces, compute infrastructure. The things that make the model usable as an economy, not just as a tool.

Whether they're drawing the right surround is the open question. That they're drawing it at all is what separates them from everyone else.

What Gets Cut

Reading direction by what someone walks away from

A large check is easy to turn into sprawl. What keeps this from being sprawl is visible in what OpenAI has walked away from in the same six-week window.

The Sora consumer video app is shutting down April 26. ¹² The Disney licensing deal, which included a $1 billion equity investment, never closed. ¹³ Sora's user count had collapsed from 1 million to under 500,000, and the app was burning roughly $1 million a day. ¹⁴ OpenAI walked from a live $1B check.

The Stargate Abilene expansion, 600 MW of additional capacity, was cancelled in March. Oracle publicly cited OpenAI's "often-changing demand forecasting" as the reason negotiations collapsed. ¹⁵

I wrote in an earlier post about how good products are hard to vary. Every element load-bearing, nothing extra. That principle has a corporate version. A good strategy, at this scale, is also hard to vary. Every layer of breadth has to earn its place. Sora didn't. The Abilene expansion couldn't. Whether the remaining layers will is the bet.

You can read a lot about what someone believes by what they refuse to keep paying for.

Two Bets, Same Wave

What India's $10B is actually funding

Back to the opening comparison. India's $10.1B across FY26 and OpenAI's $122B in a single round are not the same job, and the contrast is interesting for that reason, not because one is bigger.

OpenAI's capital funds platform creation. It flows toward compute, model capability, enterprise partnerships, distribution surfaces, and acquisitions that lock in attention.

India's capital funds founders building on top of platforms. Early-stage funding jumped 58% year-over-year in Q1 2026, while $100M+ deals hit zero for the first time since 2022. ¹⁶ The capital is intentionally horizontal: thousands of bets on use cases that assume a platform already exists.

Both bets are rational. They sit at different layers of the same wave. One is Edison at Pearl Street. The other is the thousands of businesses that came alive the day the grid turned on: factories, streetcars, radios, refrigerators, telegrams. Neither layer makes sense without the other.

What To Watch

Watch OpenAI not to see who wins AI, but to see what the new category actually looks like. $122 billion is the price of drawing that shape in real time. OpenAI happens to be holding the pencil.

Whether this bet works will take three to five years to know. Meanwhile, the shape itself is the interesting thing. An AI-native attempt at breadth, at sovereign-fund scale, before the category even has settled edges.

Nobody has tried this before in AI. That's the news.

Key Takeaways

OpenAI raised $122 billion in one round at an $852 billion valuation, more than India's entire startup ecosystem raised in a year
The capital services a category-creation bet, not a product bet
Direction shows up in the cuts: Sora killed, $1B Disney investment walked away from, Stargate Abilene expansion cancelled
OpenAI is the only AI-native company attempting breadth across media, consumer, enterprise, developer, and infrastructure simultaneously
Anthropic stays narrow, Google retrofits, xAI has one surface, Chinese players are constrained by market and chip access
India's $10.1B funds founders building on platforms. OpenAI's $122B funds being the platform. Different jobs, both real.

I break down things like this on LinkedIn, X, and Instagram. If this resonated, you'd probably like those too.

OpenAI, "Accelerating the next phase of AI" (March 31, 2026). ↩
Bloomberg, "OpenAI Valued at $852 Billion After Completing $122 Billion Round" (March 31, 2026). Amazon $50B ($35B contingent on IPO/AGI), Nvidia $30B, SoftBank $30B. Retail investors $3B via TechCrunch. ↩
Economic Times via LinkedIn News, FY26 India startup funding totals $10.1 billion, down 9% YoY. Moneycontrol/Bain-IVCA reported VC fundraising rebounded to ~$5.4 billion in 2025. ↩
TechCrunch, "OpenAI acquires TBPN" (April 2, 2026). TBPN sits within OpenAI's Strategy org under Chris Lehane. Editorial independence preserved. ↩
Digital Commerce 360, "OpenAI reveals updates to its agentic commerce experience for ChatGPT" (March 24, 2026). ↩
Snowflake, "Snowflake and OpenAI Forge $200 Million Partnership". ↩
OpenAI, "Accenture and OpenAI accelerate enterprise AI success". ↩
OpenAI Codex Plugin for Claude Code, github.com/openai/codex-plugin-cc. Commands include /codex:review, /codex:adversarial-review, /codex:rescue. ↩
OpenAI, "Announcing The Stargate Project". $500 billion planned investment over four years. Nearly 7 GW across flagship Abilene site, five new sites, and CoreWeave partnerships. ↩
OpenAI, "The next chapter of the Microsoft-OpenAI partnership". Microsoft holds ~27% on as-converted diluted basis, ~$135 billion value post-recap. ↩
Matt Ridley, How Innovation Works and Why It Flourishes in Freedom (2020). Ridley draws on Robert Friedel, Paul Israel, and Bernard Finn's history of the incandescent bulb, which identifies at least 23 inventors who produced working versions before Edison. Ridley's argument: "Edison was the first to bring everything together, to combine it with a system of generating and distributing electricity." Pearl Street Station opened in Manhattan on September 4, 1882 as the world's first commercial central power plant. ↩
The Decoder, "OpenAI sets two-stage Sora shutdown". App discontinued April 26, 2026. API discontinued September 24, 2026. ↩
Variety, "OpenAI Will Shut Down Sora Video App; Disney Drops Plans for $1 Billion Investment". Original Disney-OpenAI Sora agreement (December 2025) included $1B equity investment plus warrants, 3-year licensing of 200+ Disney/Marvel/Pixar/Star Wars characters. ↩
TechCrunch, "Why OpenAI really shut down Sora". User count peaked near 1 million, fell below 500,000. App burning roughly $1 million per day. Sora research team pivoting to world simulation for robotics. ↩
Noah Bean, "Stargate's first crack reveals the fault lines" (March 2026). Oracle and OpenAI abandoned plans to expand Abilene from 1.2 GW to ~2.0 GW. Oracle cited financing terms and OpenAI's "often-changing demand forecasting". ↩
Inc42, "Indian Tech Startup Funding Report Q1 2026". Q1 2026 funding: $2.3 billion (-26% YoY). Zero $100M+ deals, first time since 2022. Early-stage +58% YoY. 48% of investors call AI the most investment-ready sector, fewer than 10% willing to pay premium valuations. ↩

Axios Supply Chain Attack: How North Korean Hackers Social-Engineered an Open Source Maintainer

Sameer Khan — Fri, 03 Apr 2026 17:43:44 +0000

TL;DR: North Korean hackers built a fake company, complete with a Slack workspace, LinkedIn activity, and a full team of fake profiles, to trick the lead maintainer of axios into installing malware. One Teams meeting later, they had full control of his machine. They used that access to push malicious versions of a library with 100 million weekly downloads. The attack was live for 3 hours. It's the most sophisticated social engineering of an open source maintainer we've seen, and it exposes gaps in npm's security model that no amount of 2FA can fix.

On March 31, 2026, two versions of axios that had never been through the project's CI pipeline appeared on npm. Versions 1.14.1 and 0.30.4 both carried a new dependency nobody had seen before: plain-crypto-js. ¹

Within six minutes, Socket's automated scanner flagged the package. ² Within three hours, npm pulled both versions. But in those three hours, an unknown number of developers, CI pipelines, and production systems had already installed a cross-platform Remote Access Trojan.

The story of how those versions got published is more interesting than the malware itself.

How do you trick someone who maintains code for 100 million developers?

Jason Saayman, the lead maintainer of axios, shared the playbook in the project's post-mortem. ¹ It reads less like a hacking story and more like a con movie.

The attackers reached out masquerading as the founder of a real company. They had cloned the founder's identity and the company itself. Then came the invite to a Slack workspace.

This wasn't a hastily thrown-together channel. The workspace was branded with the company's visual identity. It had channels where "team members" shared the company's LinkedIn posts (likely linking to the real company's account). There were fake profiles for the company's team and for other open source maintainers, giving the whole setup social proof.

After establishing trust through the Slack workspace, they scheduled an MS Teams meeting. Multiple people appeared to be on the call. During the meeting, something on Saayman's system was flagged as "out of date." He installed the update, thinking it was related to Teams.

That update was the RAT.

"Everything was extremely well co-ordinated, looked legit and was done in a professional manner," Saayman wrote. ¹

Saayman wasn't the only target

Weeks before the axios compromise, voxpelli, a maintainer of packages like Mocha, described a nearly identical approach. ¹ Someone invited him to be on a "podcast." A week of lead-up followed: social media images, preparatory interview questions, other guests in a group chat. Everything felt real.

When it came time to "record," the fake streaming website claimed a connection issue and tried to get him to install a non-notarized macOS app. When he refused, they tried a curl command to download and run something. When that failed too, they went dark and deleted every conversation.

"It's creepy how they target you, no matter if they are real people or possibly AI," voxpelli wrote. ¹

What the malware actually did

The technical chain was clean. plain-crypto-js@4.2.1 used a postinstall hook to run setup.js, a 4,209-byte dropper obfuscated with reversed Base64 and XOR cipher (key: OrDeR_7077). ²

It deployed platform-specific payloads:

macOS: A C++ binary disguised as an Apple system daemon at /Library/Caches/com.apple.act.mond, supporting remote code execution and process injection ²
Windows: Renamed powershell.exe to wt.exe (disguised as Windows Terminal), launched via VBScript ²
Linux: A Python script at /tmp/ld.py running as a detached process ²

All variants beaconed every 60 seconds to sfrclak[.]com. The dropper then cleaned up after itself: deleted setup.js, deleted package.json, and renamed a clean backup to package.json. The directory looked normal after execution. ²

Google/Mandiant attributes the malware to UNC1069, a North Korea-nexus threat actor active since 2018, based on overlap with the WAVESHAPER backdoor family. ³ Microsoft independently attributes it to Sapphire Sleet, also North Korean. ⁴

2FA didn't matter. That's the real story.

Saayman had two-factor authentication enabled on his npm account. It didn't help.

Once a RAT has full control of your machine, software-based TOTP is just another application the attacker can interact with. They changed his npm email to a Proton Mail address under their control (ifstap@proton.me) and used a long-lived classic npm access token to publish. ⁵

Here's what makes this worse: axios already had OIDC-based publishing with provenance attestations since 2023. The last four legitimate v1 releases all went through GitHub Actions with Trusted Publishing. The malicious v1.14.1 had neither provenance nor attestations. Any tool checking for this would have flagged it instantly. ⁶

But npm has no setting to enforce OIDC-only publishing. There is no way to tell the registry: "reject anything not published through CI." The strictest option npm offers still allows local npm publish with a browser-based 2FA prompt, which a RAT can trivially intercept. ⁶

As contributor shaanmajid put it: "The only mitigation on Axios's end that could have actually prevented this would have been using hardware FIDO2 keys for maintainer npm auth, which can't be hijacked by a RAT." ⁶

What would have actually prevented this?

Three things, none of which axios alone could control:

1. Registry-level OIDC enforcement. If npm allowed packages to opt in to "reject all non-OIDC publishes," the RAT would have been useless for publishing. Other registries like crates.io already support this. ⁶

2. Dependency cooldown periods. The malicious versions were live for 3 hours. A 3-day cooldown on new versions (supported by Dependabot, Renovate, uv, and bun via minimumReleaseAge) would have meant zero downloads of the poisoned packages. ⁶

3. Provenance verification by default. Every legitimate axios v1 release had OIDC provenance. The malicious one didn't. If package managers verified attestations by default instead of opt-in, this would have been caught at install time. ⁶

The pattern is bigger than axios

This attack follows the playbook Google documented for UNC1069: social engineering that targets individuals in crypto and AI, building elaborate fake identities and companies to establish trust before delivering malware. ⁷

What's different here is the target. This wasn't a crypto startup founder. It was a maintainer of a general-purpose HTTP library embedded in millions of projects globally. The blast radius isn't one company's treasury. It's the software supply chain itself.

Feross Aboukhadijeh, founder of Socket, summarized it: "This kind of targeted social engineering against individual maintainers is the new normal. It's not a reflection on Jason or the axios team. These campaigns are sophisticated and persistent. We're seeing them across the ecosystem and they're only accelerating." ¹

Singapore's Cyber Security Agency issued a formal advisory. ⁸ Microsoft, Google, SANS, Elastic, Snyk, Datadog, Huntress, and Malwarebytes all published analyses within days.

Key takeaways

Social engineering is the attack vector. The malware was simple. The social engineering was extraordinary. Fake companies, branded Slack workspaces, multi-person Teams calls, weeks of relationship building.
Software 2FA is not 2FA when your machine is compromised. Hardware keys (FIDO2/WebAuthn) are the only defense against RAT-based credential theft.
npm's security model has a structural gap. There is no way to enforce "publish only from CI." Until registries support OIDC-only publishing, every maintainer's laptop is a viable attack surface.
Provenance attestations work, but nobody checks them. The malicious version was missing attestations that every legitimate version had. The signal was there. The ecosystem isn't wired to use it yet.
Dependency cooldowns are free protection. Configure minimumReleaseAge in your dependency tools. A 3-day delay would have neutralized this entire attack.
Open source maintainers are high-value targets for state actors. This is the new normal.

How to check if you're affected

grep -E "axios@(1\.14\.1|0\.30\.4)|plain-crypto-js" package-lock.json yarn.lock bun.lock pnpm-lock.yaml 2>/dev/null

If you find a match: downgrade to axios@1.14.0 or 0.30.3, remove plain-crypto-js from node_modules, rotate every secret and credential on the affected machine, and check network logs for connections to sfrclak[.]com or 142.11.206.73. ¹

I break down stories like this on LinkedIn, X, and Instagram. If this was useful, you'd probably like those too.

AI Doesn't Replace Thinking. It Replaces Forgetting.

Sameer Khan — Fri, 03 Apr 2026 05:07:15 +0000

TL;DR: You've read thousands of articles. You can use almost none of them right now. The bottleneck in knowledge work isn't thinking. It's forgetting. Andrej Karpathy just showed a system where an LLM organizes your research into a living wiki, and the questions you ask feed back into it. No elaborate RAG pipelines. Just markdown, folders, and a loop that compounds.

Think about how many articles you've read this year. Papers you've skimmed. Threads you've bookmarked. Podcasts you half-listened to while cooking.

Now ask yourself: how many of those insights are available to you right now, in this moment, for the thing you're working on today?

The number is embarrassingly close to zero. Not because you're lazy. Not because you're not smart. Because your brain is a leaky bucket, and it always has been. You pour knowledge in, and most of it drains out before you need it. Every new project, every new question, you start from scratch. Even though the insight you need is somewhere in your past. You just can't reach it.

That's the real problem with knowledge work. Not thinking. Forgetting.

What did Karpathy actually build?

Andrej Karpathy, former Senior Director of AI at Tesla and founding member of OpenAI, shared a system this week that sounds almost too simple to be interesting. ¹

Raw documents go into a folder. Articles, papers, repos, datasets, anything. An LLM reads them, then compiles everything into a structured markdown wiki. Summaries, backlinks, conceptual categories. Obsidian serves as the frontend. You browse the wiki like a personal Wikipedia.

That part alone isn't new. People have been building "second brains" in Notion and Obsidian for years. The difference is what happens next.

When you ask the system a question, the LLM doesn't just answer it. It researches its own wiki and synthesizes a response. Karpathy then often files that response back into the knowledge base. The wiki grows. The next question is easier to answer because the system now knows more than it did an hour ago.

Karpathy says he's running this at around 100 articles and 400,000 words. No elaborate RAG pipeline. Just organized markdown and an LLM that maintains its own indexes. "I rarely touch it directly," he wrote. ¹

Think of it like a research assistant who doesn't just answer your questions. They reorganize your entire filing cabinet after every conversation, so the next question takes half the time.

Why does the loop matter more than the tool?

The tool is markdown files and Obsidian. You could rebuild this in a weekend. The loop is what makes it work.

Most "second brain" systems die. You start a Notion workspace, organize it beautifully for two weeks, then life happens and it decays. The organization was the hard part, and it depended entirely on you showing up to maintain it. You were the bottleneck.

Karpathy's system flips that. The LLM maintains the organization. The LLM runs "health checks" to find inconsistencies and suggest new articles. The system maintains itself. Every time you use it, it gets better. Not because you put in extra effort, but because using it is the maintenance.

That's compound interest applied to knowledge. Each question doesn't just give you an answer. It makes every future question cheaper. The blank page dies, not because AI writes for you, but because AI remembers for you.

I wrote about Karpathy's AutoResearch two days ago. A loop that runs ML experiments while you sleep. Same pattern showing up again: the loop is the invention, not the tool. A simple cycle that compounds is worth more than a sophisticated tool that doesn't.

Do we even need bigger context windows?

Here's the contrarian part. The AI industry is racing toward bigger context windows. 1 million tokens. 10 million. Bigger windows and structured memory aren't mutually exclusive, but the default assumption is clear: if we can fit everything into one prompt, the model will figure it out.

Karpathy's system uses markdown files and folders.

Developer JUMPERZ put it well: "Agents that own their own knowledge layer do not need infinite context windows. They need good file organisation and the ability to read their own indexes. Way cheaper, way more scalable, and way more inspectable than stuffing everything into one giant prompt." ²

There's something familiar here. I keep noticing that constraints beat complexity. In product design, in engineering, and now in AI architecture. The pneumatic tyre hasn't changed in a century. The iPhone has been the same rectangle since 2017. And maybe the answer to AI's memory problem isn't a bigger brain. It's a better filing cabinet.

A 10-million-token context window is brute force. An organized knowledge base with good indexes is architecture. One scales with money. The other scales with use.

Where does this go?

Karpathy sees the endpoint. "Every question to a frontier-grade LLM spawns a team of LLMs to automate the whole thing," he wrote. "Iteratively construct an entire ephemeral wiki, lint it, loop a few times, then write a full report. Way beyond a .decode()." ¹

Today, it's one person and one loop building a knowledge base over weeks. Tomorrow, a swarm of agents builds an entire wiki per question. Assembling, cross-referencing, linting for errors, then handing you the distilled result. Not a chat response. A researched report backed by a temporary knowledge base that was purpose-built for your specific question, then discarded.

The compound interest endpoint isn't just "you never start from zero." It's "you never even have to ask twice."

Key takeaways

The bottleneck in knowledge work isn't thinking. It's forgetting. You've already had most of the insights you need. You just can't connect them to what you're working on now.
Karpathy's system is a loop, not a tool. Raw documents → LLM-compiled wiki → Q&A that feeds back into the wiki → compound growth. No elaborate RAG. Just markdown and folders.
Self-maintaining beats self-organizing. Traditional second brains decay because you're the maintenance bottleneck. This system maintains itself. Using it is the upkeep.
Bigger context windows might be the wrong bet. Good file organization and LLM-maintained indexes can be cheaper, more scalable, and more inspectable than stuffing everything into one massive prompt.
The blank page is a symptom. The disease is forgetting. The cure is a system where every question makes the next one easier.

I break down things like this on LinkedIn, X, and Instagram. Usually shorter, sometimes as carousels. If this resonated, you'd probably like those too