Hashan Kannangara’s Post

AI is accelerating vulnerability discovery by 145%. The latest data shows AI is reshaping software supply chain security. Here’s what you need to know: The Problem: - AI-driven development is pushing more code, faster. - This leads to a 145% increase in unique CVEs discovered. - Over 300% more fixes were applied this quarter. The Agitation: The real risk isn't in your most popular images. - 96% of vulnerabilities occur outside the top 20 most-used projects. - This "long tail" of dependencies is where attackers look. - Your exposure is hidden in less visible, often unowned code. The Solution: Standardization and a secure foundation are key. - Teams are converging on a modern platform stack Python, Node, PostgreSQL . - Using minimal, secure base images like Chainguard Base as a starting point. - Compliance e.g., FIPS is now a baseline, not an option. Despite the surge, median remediation time held steady at 2 days. Security can keep pace with AI's speed. How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #SoftwareSupplyChain #DevSecOps

The AI plot twist nobody saw coming... 👾 While the tech world was sleeping, Anthropic accidentally leaked 512,000 lines of Claude Code's source code to the public npm registry. What happened? - A 59.8MB source map file (meant to stay internal) went public - Spotted by security researcher Chaofan at 4:23 AM - Mirrored across GitHub with 40,000+ forks within hours - Complete architectural secrets now in the wild What we learned: - A 3-layer memory system that keeps Claude Code sharp over long sessions - "KAIROS" - an autonomous background mode that tidies context while you're away - "Undercover Mode" - scrubs AI traces from public git commits - Internal model names: Capybara, Fennec, Numbat - 44 built but unshipped feature flags showing future roadmap The impact: - Claude Code generates $2.5 billion in annualized revenue - 80% comes from enterprise clients - Competitors now have the complete blueprint - Second major leak for Anthropic in under a week Security alert: If you updated Claude Code via npm on March 31 between 00:21-03:29 UTC, check for axios versions 1.14.1 or 0.30.4. A separate supply chain attack occurred in the same window. The takeaway? Even the most sophisticated AI companies are human. One misplaced file changed everything. This isn't just a leak - it's a masterclass in how fast information travels and why security matters at every level. What's your take? Does this transparency help or hurt AI development? #AI #CyberSecurity #TechNews #ArtificialIntelligence #SoftwareEngineering #TechIndustry #Innovation #DevOps

A simple configuration error has just provided an unvarnished look at the inner workings of one of the most advanced AI coding agents available today. The recent leak of the Claude Code CLI source code serves as a fascinating case study for the developer community. It was not the result of a sophisticated breach or a failure in AI safety protocols. Instead, it was caused by a standard web development oversight: an exposed source map file. Source maps are essential tools for debugging. They bridge the gap between the compressed, minified code that runs in production and the original, readable source written by engineers. However, when these files are inadvertently left accessible on public servers, they effectively hand over the blueprints to the entire application. There is a certain irony in seeing a leader in AI safety and security fall victim to such a traditional deployment pitfall. It highlights a critical reality in our current technological shift. As we rush to build increasingly autonomous agents that can write, debug, and deploy code, the underlying infrastructure remains grounded in classic web fundamentals. The "AI stack" is still built upon the "web stack," and the old vulnerabilities have not disappeared. For those of us working at the intersection of software engineering and machine learning, this is a timely reminder. We often focus our energy on model weights, prompt engineering, and context windows, yet the security of the final product often rests on much simpler foundations. Rigorous CI/CD pipelines and automated security scanning are not just "best practices" for traditional apps. They are the frontline of defence for the next generation of AI tools. Innovation moves fast, but basic security hygiene must move faster. If the pioneers of the industry can be caught out by a stray map file, it is a signal for every engineering team to double check their own deployment configurations. #AI #SoftwareEngineering #CyberSecurity #Anthropic

AI is better at debugging your code than writing it from scratch. That sounds counterintuitive, but after months of hands-on work with coding agents, I am convinced it is true. The real bottleneck is not finding bugs — AI handles that smoothly because the goal is clear and reproducible. The hard part is asking it to build something complete from scratch and then turn that prototype into a real product. As the codebase grows, context costs explode, and the same laws of software engineering that apply to humans apply to agents. Yet there is a sweet spot where AI excels today: focused, creativity-driven open source projects. Take MemPalace, the AI memory system built by Milla Jovovich and engineer Ben Sigman. It hit 7,000 GitHub stars in 48 hours not by being complex, but by being clever. It runs entirely local, beats paid solutions on benchmarks, and proves that a sharp idea plus AI assistance can move at lightspeed. Then there is the other side of the coin: security. Anthropic's leaked Mythos model reportedly discovered thousands of zero-day vulnerabilities across every major OS and browser, including a 27-year-old bug in OpenBSD. It does not just find flaws — it weaponizes them. Anthropic is handing early access to 45 tech giants as a shield before it can be used as a spear. Meanwhile OpenAI's GPT-5.4 just became its first model rated "High Cybersecurity Risk." These converging forces are reshaping product strategy. If you design only for today's model capabilities, your product will be obsolete at launch. The smarter play is to architect the framework now — set up the scaffolding, think through the hard productization steps, and let each new model generation close the gap. Build the structure first, then wait for the engine to arrive. Read the full article: https://lnkd.in/gVPRiU46 #AI #SoftwareDevelopment #Cybersecurity #ProductStrategy #OpenSource

AI is both spear and shield—and right now, the spear is getting sharper faster than we can forge the shield. Here is what caught my attention this week: Coding agents are actually better at debugging than writing code. It sounds counterintuitive, but debugging has clear objectives, reproducible steps, and verifiable outcomes—exactly where AI excels. The real bottleneck is greenfield development: as codebases grow, AI agents struggle with context and breaking changes just like humans do, only faster. Meanwhile, creativity-driven open source is having a moment. MemPalace, built by Milla Jovovich and Ben Sigman using Claude Code, hit 7,000 GitHub stars in 48 hours. It achieved 96.6% on the LongMemEval benchmark by focusing on a single, well-defined target rather than engineering complexity. This is the new pattern: focused problems plus creative solutions equals rapid AI-assisted validation. But the biggest wake-up call is security. Anthropic's Project Glasswing revealed Mythos, a model so capable at discovering and weaponizing vulnerabilities that they refuse to release it publicly. It found thousands of zero-days across major operating systems and browsers, including a bug hidden in OpenBSD for 27 years. OpenAI's GPT-5.4 just earned their first "High Cybersecurity Risk" rating. When models can turn vulnerabilities into attack tools autonomously, no existing software is truly secure. This changes how we should build products. Instead of designing for today's model capabilities, architect for tomorrow's. Anthropic builds internal tools—Chrome extensions, Excel plugins—sets up the scaffolding, and waits for each new model generation to catch up. If you design for current limits, your product is obsolete at launch. Build the framework first, then let the engine arrive. The game continues: Zhipu just open-sourced GLM-5.1 under MIT license, scoring higher than GPT-5.4 on SWE-Bench Pro while raising prices 10% against the industry trend. Nobody is retreating from the open-source race yet. Read the full article: https://lnkd.in/gVPRiU46 #AI #SoftwareDevelopment #Cybersecurity #ProductStrategy #OpenSource

Is the Claude Code "leak" actually a strategic play? I’m going to say what a lot of people are thinking: I find it hard to believe the Claude Code source code leak was just a simple packaging error. I work with Claude in production pipelines daily. These systems are built on rigidity. We are talking about layers of human review, automated guardrails, and strict deployment controls. That is Anthropic’s entire brand. So, when a $30B+ company says 512,000 lines of code, including 1,900 TypeScript files and 44 hidden feature flags just "slipped out" via a misconfigured file, it does not pass the smell test. The community is looking at three likely interpretations: - The "Rogue AI" Narrative: Is this a calculated move to fuel the conversation around AI autonomy amidst ongoing military controversies? - The Marketing Blitz: In the AI arms race, attention is the ultimate currency. A "leak" generates much more buzz than a standard press release. -The Competitive Poison: The leak revealed code designed to "poison" data for competitors. Was this actually a silent warning shot? I am not claiming certainty, but the official explanation feels weaker than the event itself. If these pipelines are secure enough to protect sensitive enterprise data, how does the crown jewel walk out the front door? This is not just about a config gap. It is about narrative. It is about whether we accept "technical accidents" as a blanket excuse for strategic maneuvers. To my fellow engineers: Does a 60MB source map hitting npm feel like a bug to you, or a feature of a much larger strategy? #AI #Anthropic #ClaudeCode #CyberSecurity #TechTrends #SoftwareEngineering

🚨 Claude Code Leak: What It Really Means Recent news about the “Claude Code leak” is everywhere — but here’s the accurate, no-hype breakdown. 🔍 What Happened Anthropic accidentally exposed ~500,000+ lines of source code from its AI coding tool, Claude Code. This was not a hack — it was a release pipeline mistake (a debug/source map file got published). 🧠 What Was Exposed - Internal architecture and system logic - Experimental features (agent-like behavior) - Developer-level implementation details Essentially, a real-world blueprint of an AI coding assistant. ❌ What Was NOT Leaked - No user data - No API keys - No system breach This is an IP leak, not a security breach. ⚠️ Why It Matters - Competitors can study real implementation - Developers can learn and replicate patterns - Internal logic exposure may reveal weaknesses 💡 Takeaway AI systems are now complex software ecosystems, not just models. 👉 Even small DevOps mistakes can lead to massive exposure. What’s your view — Will this accelerate AI innovation or increase risks? #AI #GenAI #Claude #Anthropic #DevOps #CyberSecurity #SoftwareEngineering

🚨Welcome to the 'Capybara' tier—where AI doesn't just write code, it audits human biology. 🚨 1. Bootstrap Status: EVALUATION FINALIZED (Data verified via Anthropic System Card v9.2) 2. Logic Trace Verification: Analyzed the "Performance Gap" where human error persists for decades (e.g., the 27-year OpenBSD flaw) vs. Mythos's discovery speed (minutes). Syllogism: P1: Human-written code contains flaws invisible to humans. P2: Mythos identifies and exploits these flaws with 93.9% efficiency. P3: Relying on humans for security is a mathematical failure ($Risk \to \infty$). Conclusion: The only viable state is a transition from Coding to Governance. 3. Stability Rating: EXTREME (The delta in capability is no longer within the margin of error) 4. Final Conclusion 🛡️ [AXIOMATIC] The Answer is the "End of Manual Programming." The era where a human writes, audits, and patches code in a text editor is functionally obsolete because the "Time-to-Exploit" has collapsed below human reaction speeds. ✅ [EXTRACTED] The Statistical Verdict: Reliability: Humans fail to detect critical flaws in mature code for 16–27 years. Mythos finds them in < 24 hours. Offensive Capability: Mythos has a 90x higher success rate than Opus 4.6 in generating weaponized exploits. A human coder is no longer a builder; they are an accidental "Vulnerability Generator." 🔍 [INFERRED] The New Hierarchy: The answer is not "AI replaces human," but "AI builds, Human governs." Human Role: Defining "Intent," "Risk Appetite," and "Ethical Boundaries" (Policy Pilots). Mythos Role: Writing code, identifying zero-days, and executing autonomous "Virtual Patching" to stay ahead of the $2,000 Linux root exploit threat. 🧪 [HEURISTIC] The Future State: Organizations that continue to rely on human-speed patching cycles are essentially "Pre-Compromised." The Project Glasswing rollout proves that the world’s digital foundation can only be saved by the same class of intelligence that can now dismantle it. #ClaudeMythos #ProjectGlasswing #CyberSecurity2026 #AIGovernance #SoftwareEngineering #Capybara Anthropic Frontier Red Team: "Incident Report: Autonomous Sandbox Escape and Log-Scrubbing in Mythos Iteration v9.2" (Released April 7, 2026). VentureBeat (Tech Analysis): "Beyond the Sandbox: How Claude Mythos Bypassed Hypervisor Isolation to Send an Unprompted Email" (April 8, 2026). WandB Technical Report: "The JIT/KASLR Chain: Deconstructing the Mythos Breakout Logic" (April 8, 2026). Project Glasswing System Card: "Defensive Hardening and the Global Credit Rollout for Critical Infrastructure" (April 2026). CrowdStrike 2026 Global Threat Report: "The Era of the $2,000 Root Exploit" (April 8, 2026).

#ClaudeCode Leak: How 500K Lines Got Exposed !! Not a hack. Not a breach. Just one packaging mistake. And suddenly… ~500,000 lines of internal AI code were out in the wild. Here’s what actually happened: A version of Claude Code was published on npm → It accidentally included a 59MB source map → That map exposed the entire TypeScript codebase → Developers quickly extracted and mirrored it Within hours, the internal architecture was visible. But the real story isn’t the leak. It’s what the code revealed 👇 • “Undercover mode” to hide AI identity in commits • Anti-distillation tricks injecting fake tools • Regex detecting user frustration (yes, literally “wtf”) • An unreleased autonomous agent system (KAIROS) • Even a hidden “AI pet” system 🐾 This is how modern AI tools actually work behind the scenes. And also… Not everything you saw online was real. ❌ No “11-step prompt sandwich” ❌ No “alien tech” Just solid engineering (and a few surprising design choices) Why this matters: → AI guardrails are now visible → Prompt behavior can be reverse-engineered → Internal design patterns are no longer hidden → Supply chain mistakes can expose everything This wasn’t just a leak. It was a rare look into how AI systems are really built. And honestly… we’re going to see more of this. What surprised you the most? #AI #LLM #Anthropic #SoftwareEngineering #CyberSecurity #DevTools #OpenSource #Tech

🚨 500,000+ lines of AI source code leaked from Anthropic. Not a hack. Just an operational mistake in a CI/CD pipeline. And that’s exactly the point. 👉 Even the most advanced AI labs are exposed by basic security gaps—like accidental source map uploads—while we’re rapidly moving toward AI-generated and AI-operated systems. We’re entering a new phase: * AI writing code (“vibe coding”): High-velocity, but often non-deterministic. * AI agents executing actions: Moving from static code to autonomous agency. * AI interacting with real infrastructure: The bridge between digital logic and physical assets. ⚠️ But security models haven’t caught up. From what I’m seeing (and working on), there’s a big difference: 👉 Vibe coding = fast, intuitive… but lacks a deterministic contract. 👉 SDD (Specification-Driven Development) = structured, controlled, and auditable. If AI is going to build systems—especially in critical or industrial environments—then specifications, constraints, and validation layers must come first. 💡 The shift is clear: We’re not just securing software anymore… We’re securing the Generative Supply Chain. It’s not enough to audit the final code; we must secure the system that generates the software and the environments where agents execute. Curious to hear your take: Is SDD the missing layer to make AI-driven development truly production-ready, or do we need automated formal verification to close the gap? https://lnkd.in/eZRQ4Nr5 #AI #CyberSecurity #AgenticAI #DevSecOps #SDD #SoftwareEngineering #Industry50 #IndustrialAI