GLM-5.1 ties frontier on SWE-bench, curl swamped by AI reports, BadHost narrows
Every URL the pipeline pulled into ranking for this issue — primary sources plus the supporting and contradicting findings each Researcher returned. Inline citations in the issue point back here.
Sources
The pressure simonwillison.net
Daniel Stenberg on the unprecedented level of pressure the curl team are facing right now thanks to the deluge of (credible) AI-assisted security issues being reported. The rate of incoming security reports is 4-5 times higher than it was in 2024 and double the speed of 2025 — meaning that on average we now get more than one report per day. The quality is way higher than ever before. The reports are typically very detailed and long. […] For the first time in my life, my wife vo…
Some ideas for what comes next, May 2026 interconnects.ai
Gemini Flash 3.5, Mythos, open-closed balance, America’s open-source surge, emerging power struggles and more.
Millions of AI agents imperiled by critical vulnerability in open source package arstechnica.com
“BadHost” was found in Starlette, a package with 325 million weekly downloads.
OpenRouter more than doubles valuation to $1.3B in a year techcrunch.com
OpenRouter’s $113M Series B led by CapitalG more than doubles its valuation in a year, riding 5x usage growth over six months. The round lands alongside Fireworks and Baseten crossing $10B, marking a new tier of model-routing and inference infrastructure winners.
(AINews) New AI Infra decacorns: Fireworks, Baseten (with OpenRouter on the way) latent.space
it’s funding news, but it’s good news.
Uber president says AI spending is getting ‘harder to justify’ theverge.com
Uber burned through its 2026 AI budget in four months, and president Andrew Macdonald says rising Claude Code token consumption isn’t translating into matching engineering output. The candid pullback is a rare public ROI complaint from a major enterprise buyer.
3D-printable humanoid legs let robotics experiments run wild arstechnica.com
The open humanoid-legs project targets researchers and hobbyists priced out of $50K+ platforms, shipping printable parts and training code. It extends Hugging Face’s push into physical AI after its LeRobot library and earlier desktop arm releases.
This startup is betting India’s gig economy can train the world’s robots techcrunch.com
Founded by UC Berkeley and Stanford researchers, the startup outfits gig workers with camera caps and sensor rigs to capture real-world manipulation footage. The bet: physical AI labs will pay premium rates for the embodied data that scraped web text can’t supply.
Choosing to Stay Human oneusefulthing.org
Mollick observes social feeds filling with posts that read interchangeably as LLM-assisted writing spreads. His essay argues for deliberately preserving human voice and judgment as a competitive and cultural choice, not a nostalgic one.
Import AI 458: Reckoning with the future; and a singularity story importai.substack.com
Jack Clark’s latest issue pairs a forecast of plausible 2026 AI breakthroughs with original fiction exploring a singularity scenario. The dual framing — concrete capability calls plus narrative — is Clark’s recurring vehicle for policy-adjacent foresight.
Anthropic appoints KiYoung Choi as Representative Director of Korea ahead of Seoul office opening anthropic.com
Choi becomes Representative Director of Anthropic Korea as the company prepares to open a Seoul office, extending its APAC footprint after Tokyo. The hire signals deeper enterprise and government engagement in a market where Claude faces OpenAI and local LLM competition.
Sundar Pichai on AI, the future of search, and what’s happening to the web theverge.com
Today, I’m talking with Google and Alphabet CEO Sundar Pichai, in a conversation we recorded just after the Google I/O developer conference. This is the fifth year Sundar and I have sat down after I/O, and it’s become one of my favorite Decoder traditions. There’s always a lot of news at I/O, and this year […]
DuckDuckGo installs are up 30% as users reject being ‘force-fed’ Google’s AI Search techcrunch.com
Google overhauled Search at I/O 2026, replacing blue links with AI agents. The backlash has been swift. DuckDuckGo app installs spiked 30% as users seek a way out.
A reality check on the AI jobs hysteria technologyreview.com
Haven’t you heard? White-collar jobs are going away, decimated by AI. Waves of layoffs in the tech sector (most recently at Coinbase and Meta and Cisco) are said to presage what will soon come for all of us knowledge workers. But before you quit your job as a software developer or financial analyst—or tech journalist—and…
It’s time to address the looming crisis in entry-level work. technologyreview.com
Artificial intelligence has not so far produced a clean story of mass unemployment. Aggregate employment in developed countries remains broadly stable, and recent assessments have found limited evidence that AI has shifted the headline numbers. But a troubling change may be hiding beneath the surface: the quiet weakening of the first rung of the career…
Did the Pope use AI to write about the dangers of AI? theverge.com
It’s possible that AI was used to write parts of Pope Leo XIV’s latest encyclical about AI’s impact on humanity. An analysis by Linch Zhang posted on the forum LessWrong found certain paragraphs of Magnifica Humanitas to be between 40 percent and 100 percent written by AI, according to the popular AI detector Pangram. The […]
California Brown Pelican, Snowy Egret, California Sea Lion, Harbor Seal simonwillison.net
California Brown Pelican, Snowy Egret, California Sea Lion, Harbor Seal, in San Mateo County, CA, US. We took our new folding kayak out in the harbor and saw sea lions and harbor seals chilling on the docks.
AI warfare is already here theverge.com
The Convention on Certain Conventional Weapons, an international forum that focuses on lethal autonomous systems, is hosted twice a year at the United Nations in Geneva. When Branka Marijan attended in November 2017, she thought the five-day sessions - which dealt largely in hypotheticals, speculating on a world where warfare was fought with killer robots […]
Is SaaS dead? bensbites.com
MCP comeback in works
Rethinking organizational design in the age of agentic AI technologyreview.com
Amid rapidly growing adoption of enterprise-level AI agents, there’s a disconnect emerging between ambition and execution. Although 85% of organizations say they want to be agentic within the next three years, 76% say their current operations and infrastructure can’t support that change. They cite a lack of readiness across people, processes, and workflows. The sticky…
Nobody wants to tell me why they only listen to their own Suno slop theverge.com
There’s this alarming trend in the Suno subreddit. People aren’t just prompting AI songs; they’re sitting around listening almost exclusively to their own slop. And in some cases, they proudly proclaim that they don’t listen to music on traditional streaming platforms anymore - it’s just AI all day. “Does anyone just listen to their own […]
FBI agent explains how easy it is to ID people posting AI porn without consent arstechnica.com
A creepy saved post on Instagram linked man to AI porn account, FBI says.
Universal Music Group and TikTok renew agreement to combat unauthorized AI music techcrunch.com
For years, UMG has pushed platforms, streaming services, and AI companies to implement stricter content moderation policies.
Quoting Paul Graham simonwillison.net
A lot of the emails I get from founders are now written in a hard-hitting journalistic style. I know they’re written by AI, because no founder ever wrote this way before. And once you realize something is written by AI, it’s hard not to ignore it. I have never knowingly finished reading an email signed by a human but written by AI. It feels like being lied to, and who would stand for that? [ … ] It makes me think less of the author. It means they can’t write well unaided (or feel they can’t),…
Quoting Kyle Ferrana simonwillison.net
PICARD: Data, shields up DATA: Brilliant! Shields can reduce damage we sustain. Not immunity. Not hubris. Just prudence. It’s not precaution—it’s strategy. [camera shakes] WORF: HULL BREACHES ON NINE DECKS DATA: Here’s what happened: you told me to raise shields, and I didn’t — Kyle Ferrana, @KyleTrainEmoji
TechCrunch Disrupt 2026 Early Bird ticket rates end May 29 techcrunch.com
Save up to $410 on your TechCrunch Disrupt 2026 pass before prices increase on May 29 at 11:59 p.m. PT. Register here to join the tech epicenter in San Francisco.
References
IBL.ai analysis of SWE-bench Pro ibl.ai
Zai’s open-source GLM-5.1 achieved a score of 58.4, marginally outperforming OpenAI’s GPT-5.4 (57.7) and Anthropic’s Claude Opus 4.6 (57.3) in resolving real-world GitHub issues
Context Studios — Claude Code ARR breakdown contextstudios.ai
Uber reportedly exhausted its entire 2026 AI budget in just four months after 84% of its engineering org adopted Claude Code’s agentic workflows
CyberScoop on Anthropic Project Glasswing cyberscoop.com
Mythos identified over 10,000 high- or critical-severity software flaws… including a 27-year-old remote-crash vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg that had previously withstood millions of automated fuzzing attempts
DefenseScoop — Pentagon blacklist details defensescoop.com
Defense Secretary Pete Hegseth demanded ‘unrestricted access’ for ‘any lawful purpose,’ arguing that a private vendor should not possess ‘veto power’ over military operations
Pearl Cohen — Anthropic v. DoD litigation pearlcohen.com
A California federal judge granted a preliminary injunction, finding that the government likely violated Anthropic’s due process rights and First Amendment protections
Forbes coverage of Magnifica Humanitas launch forbes.com
The Vatican’s presentation of the document featured an unprecedented appearance by Christopher Olah, co-founder of Anthropic, who acknowledged that even the most safety-focused labs operate under commercial pressures that ‘conflict with doing the right thing’
Daniel Stenberg — ‘The end of the curl bug bounty’ (Jan 2026) daniel.haxx.se
The rate of confirmed vulnerabilities dropped from a historical 15% to less than 5% as AI-assisted submissions spiked, prompting curl to end its HackerOne monetary program after paying out over $100,000 across 87 confirmed vulnerabilities.
Daniel Stenberg — ‘High-quality chaos’ (Apr 2026) daniel.haxx.se
After reopening reporting without bounties, report volume doubled but confirmed-vulnerability rate climbed back to 15–16% — better than pre-AI levels. ‘More convincing crap is worse than obvious crap.’
Daniel Stenberg — ‘Mythos finds a curl vulnerability’ (May 2026) daniel.haxx.se
Anthropic’s Mythos audit of curl’s 176,000 lines produced five ‘confirmed’ findings; manual triage reduced these to one low-severity bug, with three being documented API behaviour and one a non-security bug.
LWN — Linux kernel security list discussion lwn.net
Linus Torvalds called the kernel’s private security mailing list ‘almost entirely unmanageable’ due to massive duplication from multiple researchers running the same AI tools; Willy Tarreau reported a jump from 2–3 reports/week to nearly 10/day.
SecurityWeek — Tech giants invest $12.5M in OSS security securityweek.com
OpenAI, Anthropic, Google and Microsoft committed $12.5 million in March 2026 to the Linux Foundation’s Alpha-Omega and OpenSSF, specifically to help maintainers handle the reporting volume their own AI tools created.
ZeroPath — ‘How ZeroPath won over curl with 170 valid bugs’ zeropath.com
Researcher Joshua Rogers used ZeroPath to file nearly 170 valid bugs against curl, which Stenberg called ‘actually truly awesome’ — distinguishing human-verified AI-assisted research from ‘slop’.
OSTIF disclosure post ostif.org
an extraordinary step of stewardship… despite being an independent volunteer dealing with a large pile of other reports, the maintainer rapidly integrated the fix
Risky Business Bulletin news.risky.biz
the official CVSS score of 6.5–7.0 ‘materially understates’ the risk given Starlette’s role as the routing core of modern Python web services
CyberKendra technical writeup cyberkendra.com
production deployments fronted by reverse proxies or CDNs such as Cloudflare, Nginx, or AWS ALBs inherently reject the malformed Host headers required for the exploit
MLQ.ai analysis mlq.ai
the fix was implemented in commit 764dab0dcfb9… ensures that if a Host header contains malformed characters, the framework falls back to the safe scope['server'] value
ProductNation / Knostic Shodan census productnation.co
a Shodan census identified 1,862 exposed MCP servers globally; manual verification of a sample showed 100% allowed unauthenticated access to internal tool listings
NewsHeadlineAlert / disclosure-timing critique newsheadlinealert.com
the patch was finalized on May 21, 2026, and public disclosure followed just one day later on May 22, leaving DevOps teams with virtually no lead time before a holiday weekend