Hassan Mubarok’s Post

The "safety-first" AI lab just leaked their own source code. On accident. Twice. In one week. Someone at Anthropic forgot to exclude a debug file from a routine update. 512,000 lines of code. 1,900 files. The entire Claude Code architecture. Just chilling on a public server. An intern found it. Posted it on X. GitHub mirrors within 30 minutes. Game over. What was inside? 44 hidden feature flags. 20 unshipped features. A secret project called "KAIROS" where Claude works while you sleep. Anti-distillation defenses that inject fake tools to poison competitors. An unreleased model codenamed "Capybara." A full product roadmap. For free. Five days earlier? They leaked 3,000 internal files including a blog post about a new model with "unprecedented cybersecurity risks." The company building superintelligence got beaten by a .npmignore file. And the best part? This exact same leak happened in February 2025. Same bug. Source map in the npm package. They just... didn't fix it. I use Claude Code every day to build Funnex. Best dev tool ever made. Not close. But watching a $300+ billion company leak their own secrets because of a config file is proof that no amount of AI can save you from human error. Build the most advanced AI on the planet. Forget to update one line in one file. Lose everything. Startups, take notes. This is the most expensive .npmignore in history.

Pushed a big update to AegisFlow today. Quick rundown.                                                                              I ran a security audit on the whole codebase and found things I wasn't happy about. API key validation had a timing attack vector, so I switched to SHA-256 hashing with constant-time comparison. The admin panel was open by default if you didn't set a token, which is a terrible default. Fixed that. Rate limiter was silently letting requests through when it errored out instead of blocking them. Also patched an SSE injection bug in streaming responses and scoped the cache by tenant so one tenant's data can't leak to another. The jailbreak detection went from 3 patterns to 25. More importantly, I added Unicode normalization (NFKC) to the keyword filter. People were bypassing it by swapping in Cyrillic lookalike characters or padding words with extra spaces. That's closed now.                                                            The part I'm most interested in: WASM plugin support. You can write a policy filter in Go, Rust, TinyGo, whatever compiles to WebAssembly, drop the .wasm file in your config, and it runs alongside the built-in filters. No recompilation. Each plugin gets its own timeout and error behavior. The runtime is wazero, pure Go, no CGO headaches.          Also added a live request feed to the dashboard. Every request flowing through the gateway shows up in real time with latency, cache hit/miss, policy violations. Auto-refreshes every 2 seconds. Helpful when you're debugging or just want to watch traffic.                                                         Next up is Phase 3: Kubernetes operator with CRDs, multi-region routing, and A/B testing for models. https://lnkd.in/gS9Sug8F                                      #OpenSource #BuildInPublic #Golang #AIEngineering #LLMOps #WebAssembly #APIGateway #AIInfrastructure #DevTools #CloudNative #SecurityEngineering #SideProject

The #1 security vulnerability in AI-built products? Broken access control. We find it in nearly every audit. User A can see User B's data just by changing the ID in the URL. AI tools don't think about authorization — they just make the query work. Check yours: ask Claude Code to review every API route for ownership checks. → productera.io/audit-guide

Just published a deep dive on Mechanistic Interpretability — how we can reverse-engineer LLMs to understand the exact circuits and features that drive their behavior. Today I’m taking it one step further with something extremely practical for AI security teams and builders. I built and open-sourced a Guardrail Benchmark Colab that lets you rigorously test safety interventions (steering, ablation, SAE-based feature control, etc.) on a real model — Qwen2.5-1.5B-Instruct — across: 100+ jailbreak & harmful prompts (JailbreakBench + Do-Not-Answer) Capability benchmarks (MMLU, GSM8K, HumanEval) to measure the safety-performance tradeoff Why this matters for security right now: Every time you expose an LLM endpoint to users (chat interface, API, RAG app, agent, etc.), you are giving attackers a direct line into your model’s residual stream. Without strong guardrails: A single clever jailbreak can bypass your system prompt The model can be tricked into revealing sensitive data it has access to (customer records, internal docs, API keys, PII, etc.) Prompt injection + tool access = real data exfiltration risk This notebook gives you a quantitative way to measure exactly how effective your guardrails are — not just “does it refuse?” but “how much capability did we lose?” and “which internal features/circuits are actually being suppressed?” It’s built on the same mechanistic toolkit I wrote about (Linear Representation Hypothesis, residual stream as communication bus, feature-to-logit attribution, etc.), so you can literally see why a guardrail works or fails inside the model. Github Link: https://lnkd.in/g_wx-thj Would love to hear from: Red teamers & AI security engineers Anyone shipping production LLM apps Researchers working on activation steering / SAEs / circuit-level safety Drop your thoughts below or DM if you want to collaborate on extending this benchmark. #AISafety #LLMSecurity #MechanisticInterpretability #Guardrails #AIAlignment #PromptInjection #CyberSecurity #LLM #ResponsibleAI

Your AI just passed every test. 100% coverage. Green checkmarks across the board. And it's all fake. CIO published a piece this week that names the problem nobody wants to talk about. They call it 'cardboard muffins': AI-generated code that hardcodes return values just to satisfy assertions. The tests pass. The pipeline is green. The business logic? Completely untested. This is the actual state of vibe coding in production right now. But the article goes further. It proposes something every engineering org needs to consider: a dual-track strategy. Track 1 (fast): Let people vibe code. Encourage it. Let PMs scaffold prototypes in an afternoon. But everything stays sandboxed. Disposable blueprints. Never touches production data. Track 2 (slow): When a prototype proves value, you start over. Not refactor. Not clean up. Rewrite from scratch with real engineers, strict type safety, and verified dependencies. The key insight? Never base the timeline of Track 2 on the velocity of Track 1. The article also coins 'slopsquatting' where AI hallucinates package names that attackers register with malware. Your coding agent installs it. No warnings. Root access handed to a cybercriminal. The new luxury in software development isn't speed. It's old-fashioned, boring determinism. #VibeCoding #SpecDrivenDevelopment #SoftwareEngineering #AIinSDLC #DevSecOps

Remote AI coding just became a fortress. 🛡️🚀 I'm thrilled to announce v0.3.0 of Antigravity Phone Connect! This update isn't just about features—it's about building a "Security-First" architecture for the modern developer. The major highlights: ✅ Zero-Inline Hardening: We've refactored 100% of our frontend to remove 'unsafe-inline' JS. Every click, toggle, and modal now runs through a strict, decoupled event system. 🖱️ ✅ Strict Content Security Policy (CSP): By blocking inline scripts at the browser level, we've added a robust primary defense against XSS in mirrored IDE snapshots. 🛡️ ✅ Automated Security Audit: The server now audits itself on startup. Using default passwords? You’ll see high-visibility ⚠️ warnings in your terminal instantly. 🕵️♂️ ✅ Cloudflare Tunnel Support: Added native support for 'cloudflared' alongside ngrok. Access your AI globally with even lower latency. 🌍 ✅ Deterministic Permissions: We’ve extended our click-relay to handle complex IDE permission bars ("Allow", "Deny", "Review Updates") with perfect accuracy. 🎮 Antigravity Phone Connect remains the most powerful way to stay productive while away from your desk. 📱✨ 💖 Sponsor: https://lnkd.in/gGXWySZr 🔗 Repo: https://lnkd.in/gbKBEjCg

🚀 Interesting Stuff — Week 14, 2026: Leaked Models, Harness Playbooks, and Agent Frameworks Going 1.0 A wild week in AI; from accidental leaks of Anthropic's most powerful model to production-ready agent frameworks shipping their 1.0. Here's the roundup: 🎓 Claude Skills & Cowork 101: Devi walks beginners through Claude Skills and Cowork Projects with a fun One Piece-themed demo. Two skills, two prompts, two polished outputs: the clearest on-ramp to Claude's skill system I've seen. ⚡ Claude Mythos Leaked: A CMS misconfiguration exposed Anthropic's draft announcement for Mythos, described as "a step change" above Opus with unprecedented cybersecurity capabilities. CrowdStrike dropped 7%. The question on everyone's mind: accident or strategic theatre? 🏗️ Anthropic's Harness Engineering Playbook: Joe Njenga distils Anthropic's two research papers into actionable guidance. The killer stat: same model, same prompt, but a three-agent harness produced a working 16-feature app where the solo agent produced a broken shell. The bottleneck isn't model capability: it's environment engineering. 🖥️ Claude Code Gets Computer Use: Anthropic ships screen control from the CLI. Claude can now open apps, click, type, and take screenshots on macOS with per-app approval, sentinel warnings, and a global escape key. Native app developers, take note. 🔧 Microsoft Agent Framework 1.0: A major architectural rethink: Foundry becomes the control plane, your app becomes the runtime consumer. Provider code extracted from core, unified model config, and a clean new naming convention. 📖 Read the full roundup here 👇 👉 https://lnkd.in/d8aVYPw5 #GenerativeAI #ClaudeCode #Anthropic #ClaudeMythos #HarnessEngineering #AIAgents #Microsoft #AzureAIFoundry #ComputerUse #DevTools #mvpbuzz

Anthropic just gave away 500,000 lines of Claude Code source code. Not to customers. Not to partners. To everyone. Via a misconfigured npm package. A debug file accidentally bundled into a routine update pointed to a zip on their own Cloudflare R2 bucket. One security researcher. One download. 41,500 GitHub forks before lunch. But here’s the actual story nobody’s leading with: The leaked code revealed a persistent background agent that keeps working while you’re idle, session-level memory that lets Claude review and learn from its own previous work, and remote control from your phone. These weren’t aspirational roadmap slides. They were feature-flagged and built. Oh — and buried in the same week of leaks? A new model tier internally called “Capybara.” Larger than Opus. Larger context window. Apparently a “fast” and “slow” variant. The safety-first lab’s upcoming flagship, accidentally announced by their own CI pipeline. Anthropic’s response: “human error, not a security breach. No customer data exposed.” Technically accurate. Also completely beside the point. The real signal here isn’t that they made a mistake. Every engineering team ships bugs. The signal is that a company whose entire brand proposition is responsible AI has now leaked its model roadmap, its architecture, and its unreleased feature set — twice in one week — because someone forgot to update a .npmignore file. I use Claude Code every day. It genuinely makes me faster. But if you’re building enterprise AI strategy on a vendor’s trustworthiness, “we’re rolling out measures” deserves more than a shrug. The internet has it now. Forever. That’s how this works. #AI #ClaudeCode #Anthropic #AIStrategy #CloudSecurity #EnterpriseAI #AILeadership

AI security right now feels like the early internet days. Back then, everyone was building websites. Nobody was thinking about SQL injection, XSS, or password hashing. Security came later, after the damage. AI feels very similar. In just the past week: - Trivy, a security scanner, briefly distributed a credential stealer into CI pipelines. - Checkmarx was breached through stolen CI tokens. - LiteLLM had a PyPI package that executed code on every Python startup. These are not isolated incidents. This is what a young ecosystem looks like. - Everyone is building agents. - Everyone is connecting APIs. - Everyone is downloading packages. - Everyone is wiring models into pipelines. Very few people fully understand the security implications yet. And it’s not because engineers are careless. It’s because speed is the currency right now. Teams are making a trade-off every day: Secure everything properly or Ship before someone else does Because if you miss the launch window, someone else launches first. And in this market, distribution and timing matter almost as much as the product. So security becomes “we’ll fix it later”. And later usually comes after something breaks. So we end up with: - Pipelines full of secrets - Auto-installed packages - Agents executing code - Tools calling other tools - Models with system access - Hundreds of API keys across environments. And very large blast radiuses One compromised package today can reach thousands of companies tomorrow. One stolen CI token can expose an entire organization. One dependency can become an entry point into production systems. The AI boom is not just a model race. It’s a tooling race. It’s an infrastructure race. And most importantly, it’s a security race. And right now, security is slightly behind. Just like it was in the early days of the web. We’re rushing. And security is lagging. Again.

One of our Backboard.io users just pulled off a fantastic hack to get a ton of free model usage. I love it so much we’re absolutely not closing it. Here’s what he did: Went to OpenRouter and put $10 of credit on his account. OpenRouter gives ~1,000 calls/day on free models with that setup. He then brought that OpenRouter API key into Backboard (BYOK). Now he’s using those OpenRouter models through Backboard with: - Free state management (persistent memory across conversations) - Free web search wired into those models - No custom tool calling to maintain, it “just works” So for $10, he essentially unlocked a serious playground of LLMs that can remember, reason across sessions, and reach out to the web, all orchestrated through Backboard. This is exactly how I want people to think about Backboard: - Bring any provider you like (OpenRouter, OpenAI, Gemini, etc.) - Treat models as interchangeable infrastructure - Let Backboard handle the state, memory, and web search plumbing for you If you’re hacking on AI agents or multi-model workflows and you’re not doing something like this yet, you’re leaving a lot of leverage on the table.