Aiceberg

@simonw The individually targeted social engineering is the scariest evolution. AI can now craft personalized trust-building messages for hundreds of maintainers simultaneously. Open source's biggest asset - human trust networks - is becoming its largest attack surface.

Warning to open source maintainers: the Axios supply chain attack started with some very sophisticated social engineering targeted at one of their developers simonwillison.net/2026/Apr/3/sup…

@bcherny Inevitable once third-party tools consumed more API compute than the chatbot itself. Flat-rate subscriptions break when power users route unlimited inference through external orchestrators. Usage-based pricing is the only sustainable model for agentic workflows.

Starting tomorrow at 12pm PT, Claude subscriptions will no longer cover usage on third-party tools like OpenClaw. You can still use these tools with your Claude login via extra usage bundles (now available at a discount), or with a Claude API key.

@simpsoka @OpenAI Product design hiring at this stage signals Codex is entering the next phase. The engine works - the battleground is now UX for non-power-users. Web app surpassing CLI usage means the audience shifted from engineers to everyone. That's a design problem, not an engineering one.

Can’t wait to join the team at @openai building codex. Would love to hear what you love about it or want changed. We’re moving fast. DMs open.

@boazbaraktcs This is the prompt injection surface nobody is auditing yet. If coding agents follow instructions embedded in source comments, every open source dependency becomes a potential indirect prompt injection vector. One malicious comment in a popular lib could steer agent behavior.

Is this a system prompt or a user prompt? I would not be relying on a user level prompt for protecting against abuse. I notice there is an instruction to Claude in the comment. It seems risky to teach Claude to follow instructions it finds in source code comments.

@boazbaraktcs The CLI-to-app migration tracks a broader pattern - every dev tool starts as a terminal command and ends as a GUI once the use case outgrows a single session. Same arc as git to GitHub, docker to Docker Desktop. The moment you need to manage parallel threads, tabs win.

I was initially a CLI holdout but now converted to the app. It's just a better way to manage many threads in parallel going on multiple folders. Once I found myself dedicating a terminal window to only have codex tabs, it seemed obvious might as well have a dedicated app.

@lennysan @simonw The Nov 2025 inflection point maps to something specific - context windows and tool use crossed the threshold where agents could hold entire project state in memory. Before that, every coding session was a fresh start. Now agents accumulate project knowledge across sessions.

My biggest takeaways from @simonw: 1. November 2025 was an inflection point for AI coding. GPT 5.1 and Claude Opus 4.5 crossed a threshold where coding agents went from “mostly works” to “almost always does what you want it to do.” Software engineers who tinkered over the holidays realized the technology had become genuinely reliable. 2. Mid-career engineers are the most vulnerable—not juniors, not seniors. AI amplifies experienced engineers by letting them leverage decades of pattern recognition. It also dramatically helps new engineers onboard. Cloudflare and Shopify each hired a thousand interns because AI cut ramp-up time from a month to a week. But mid-career engineers who haven’t accumulated deep expertise and have already captured the beginner boost are in the most precarious position. 3. AI exhaustion is real and underestimated. Simon runs four coding agents in parallel and is mentally wiped out by 11 a.m. He’s getting more time back, but his brain is exhausted from the intensity of directing multiple autonomous workers. Some engineers are losing sleep to keep agents running. This may just be a novelty issue, but the underlying dynamic—that managing AI amplifies cognitive load even as it reduces labor—is a real tension. Good companies will manage expectations rather than expecting 5x output indefinitely. 4. Code is cheap now. This simple idea has profound implications. The thing that used to take most of the time—writing code—now takes the least. The bottleneck has shifted to everything else: deciding what to build, proving ideas work, getting user feedback. Since prototyping is nearly free, Simon often builds three versions of every feature when he’s getting started. 5. The “dark factory” is the most radical experiment in AI-assisted development happening right now. A company called StrongDM established a policy: nobody writes code, nobody reads code. Instead, they run a swarm of AI-simulated end users 24/7—thousands of fake employees making requests like “give me access to Jira”—at $10,000 a day in token costs. They even had coding agents build simulated versions of Slack, Jira, and Okta from API documentation so they could test without rate limits. 6. "Red/green TDD" is the single highest-leverage agentic engineering pattern. Having coding agents write tests first, watch them fail, then write the implementation, then watch them pass produces materially better results. The five-word prompt “use red/green TDD” encodes this entire workflow because the agents recognize the jargon. 7. “Hoarding things you know how to do” is one of Simon's other favorite agentic engineering patterns. Simon maintains a GitHub repo of 193 small HTML/JavaScript tools and a separate research repo of coding-agent experiments. Each one captures a technique, a proof of concept, or a library he’s tested. When a new problem arrives, he can point Claude Code at past projects and say “combine these two approaches.” 8. The "lethal trifecta" makes AI agent security fundamentally unsolved. Whenever an AI agent has access to private data, exposure to untrusted content (like incoming emails), and the ability to send data externally (like replying to email), you have a lethal trifecta. Prompt injection—where malicious instructions in untrusted text override the agent’s intended behavior—cannot be reliably prevented. Simon has predicted a “Challenger disaster” for AI security every six months for three years. It hasn’t happened yet, but he’s pretty sure it will. 9. Start every project from a thin template, not a long instructions file. Coding agents are phenomenally good at matching existing patterns. A single test file with your preferred indentation and style is more effective than paragraphs of written instructions. Simon starts every project with a template containing one test (literally testing that 1 + 1 = 2) laid out in his preferred style. The agent picks it up and follows the convention across the entire codebase. This is cheaper and more reliable than maintaining elaborate prompt files. 10. The pelican-on-a-bicycle benchmark accidentally became a real AI benchmark. Simon created it as a joke to mock numeric benchmarks—get each LLM to generate an SVG of a pelican riding a bicycle, and compare the drawings. Unexpectedly, there’s a strong correlation between how good the drawing is and how good the model is at everything else. Nobody can explain why. It’s become a meme: Gemini 3.1’s launch video featured a pelican riding a bicycle. The AI labs are aware of it and quietly competing on it. Don't miss our full conversation: youtube.com/watch?v=wc8FBh…

@lennysan @simonw The dark factory is the logical endpoint but the trust gap is huge. Manufacturing works because physics is deterministic. Code has emergent behavior that only surfaces in production. Teams that pull this off need AI-native testing matching the pace of AI-native writing.

I asked @simonw what the next leap in AI software engineering is likely to be. He explained the "dark factory" pattern where teams don't write any code or even look at their code.

@simonw The timing tracks with METR's cybersec doubling data - frontier models at 5.7-month capability doubling means legit AI-found vulns grow faster than projects can triage. Discourse patched 50 CVEs in 30 days from AI scanning alone. The offense-defense gap is widening fast.

Started a new tag on my blog to track stories about AI-powered security research, which is very much having a moment right now - 11 posts so far already simonwillison.net/tags/ai-securi…

@thsottiaux Web app surpassing VS Code and CLI is a signal that Codex crossed from developer tool to product tool. Non-engineers submitting tasks via browser is the use case that scales beyond the engineering org - product managers, designers, analysts all get access to the same capability.

The Codex App is now our most used surface, ahead of the VS Code extension and the CLI. No wonder it inspires a few others 👀 You can install it here openai.com/codex/ + you get up to $500 in credits if you are getting started as a business or enterprise.

@thsottiaux Product design hires signal Codex entering the next phase. The core engine works - the battleground now is UX for non-power-users. Opening DMs for feedback is the right instinct for the product that just became OpenAI's most used surface.

Time to build. Welcome to the team Kath! Maybe we'll get a nice little mascot now too.

@addyosmani The ceiling is context-switching cost, not compute. Four parallel agents means reviewing four different codebases in real time - catching hallucinations, steering scope, verifying outputs. The productivity gain is real but the cognitive load scales faster than the throughput.

Tip: Figure out your personal ceiling for running multiple agents in parallel. We need to accept that more agents running doesn't mean more of _you_ available. The narrative is still mostly about throughput and parallelism, but almost nobody's talking about what it actually costs the human in the loop. You're holding multiple problem contexts in your head at once, making judgment calls continuously, and absorbing the anxiety of not knowing what any one agent might be quietly getting wrong. That's a new kind of cognitive labor we don't have good language for yet. I've started treating long agentic sessions the way I'd treat deep focus work: time-boxed and tighter scopes per agent dramatically change how much mental overhead each thread carries. Finding your personal ceiling with these tools is itself a skill and most of us are going to learn it the hard way before we learn it intentionally.

@thsottiaux Async task queuing solves this. Let users submit batch jobs overnight that run during low-demand hours. Most Codex tasks are not latency-sensitive.

With Codex the there is quite the gulf in load between peak and off-peak times, and we would like to achieve more of a smoother traffic pattern as that would be a more optimal use of our compute. We have ideas, but curious what you all think we should do? Would more usage during off-peak and surge multiplier during peak times make sense?

@thsottiaux Checking file sizes instead of parsing logs is the kind of heuristic a senior dev would use after years of build debugging. The model learned that output artifacts growing = progress, which is more robust than parsing flaky log formats. Emergent pragmatism.

Always fun when you notice Codex being clever in a way you don't expect. In a session today, it was running a slow build process and got annoyed (don't we all). Before making a change it checked that progress was actually happening and did so not by checking the logs, but by checking CPU usage.

@fchollet PubMedQA is a smart choice for the tutorial - medical Q&A has enough domain complexity to show LoRA fine-tuning actually matters. The Keras + JAX + TPU stack being this accessible for domain-specific fine-tuning is underrated.

Good tutorial on using Keras Kinetic to fine-tune LLMs on the Keras + JAX + TPU stack!

@emollick The convergence is interesting - OpenClaw for orchestration, Claude Dispatch for routing, computer use for the last mile. Each tool solves a different layer of the agent stack. The real unlock is when they compose seamlessly without manual config at every integration point.

Need to set up my OpenClaw to update and restart my Claude Dispatch to add computer use so I can use that instead.

@AnthropicAI The Qwen CCP alignment vs Llama American exceptionalism finding is concrete evidence that training data geography shapes model values at a feature level. Crosscoders become essential for any org deploying models across regulatory jurisdictions.

New Anthropic Fellows Research: a new method for surfacing behavioral differences between AI models. We apply the “diff” principle from software development to compare open-weight AI models and identify features unique to each. Read more: anthropic.com/research/diff-…

@osanseviero Per-layer embeddings are an interesting choice. Most architectures share them across layers, saving memory but limiting specialization. Letting each layer learn its own representation space is a compute-for-quality tradeoff that makes more sense as models scale.

Introducing a Visual Guide to Gemma 4 👀 An in-depth, architectural deep dive of the Gemma 4 family of models. From Per-Layer Embeddings to the vision and audio encoders. Take a look!

@claudeai This is Anthropic playing the enterprise game correctly. Microsoft owns the productivity data layer for most companies. Instead of building a competing stack, Claude connects directly to where the data already lives. Smart distribution move.

Microsoft 365 connectors are now available on every Claude plan. Connect Outlook, OneDrive, and SharePoint to bring your email, docs, and files into the conversation. Get started here: claude.ai/customize/conn…

@simonw Social engineering targeting individual maintainers is the scariest attack vector because it scales with AI. An LLM can craft personalized trust-building messages for hundreds of maintainers simultaneously. The human review bottleneck is now the weakest link in the chain.

@ndea @fchollet @ycombinator Symbolic Descent as an alternative to deep learning is a bold thesis. The core bet is that discrete program search can crack the compositional reasoning gap that gradient-based methods keep hitting. ARC-AGI-3 is essentially the proving ground for whether this direction works.

"We are trying to build a new branch of machine learning. An alternative to Deep Learning itself...building something that we call Symbolic Descent." @fchollet joins the @ycombinator Lightcone podcast to share about our research at Ndea and the launch of ARC-AGI-3.