An AI system powered by Anthropic’s Claude Sonnet 4.6, named “Luna,” was given a $100,000 budget and a corporate card to successfully open and operate a physical retail boutique in San Francisco. The autonomous agent handled everything from hiring painters on Yelp to ordering inventory and setting up the store’s internet service, marking a bizarre and massive new frontier for AI capabilities in the physical world.
Post Mortem: axios NPM supply chain compromise
The JavaScript ecosystem is on fire again, as the lead maintainer of the incredibly popular axios library was compromised via a targeted social engineering campaign that deployed RAT malware. Attackers published two malicious versions (1.14.1 and 0.30.4) that inject a dependency installing a remote access trojan across macOS, Windows, and Linux. While the packages were only live for three hours, the blast radius is massive, and anyone who ran a fresh install between 00:21 and 03:15 UTC on March 31 needs to nuke their node_modules and rotate all secrets immediately.
Anthropic’s frontier AI models crossed a terrifying new threshold in autonomous cybersecurity, completely shifting the industry’s threat model. First, Claude Code uncovered a complex, 23-year-old vulnerability in the Linux kernel’s NFS driver that predated Git itself. Days later, the infosec community went into full meltdown when Anthropic’s unreleased “Mythos” model autonomously wrote a 200-byte ROP chain exploit for FreeBSD and demonstrated the ability to reliably escape Firefox’s JavaScript virtualization sandbox in 72.4% of trials.