Hanso Heartbeat
Karpathy joins Anthropic; Stainless acquired the same week; Musk's OpenAI lawsuit dismissed on time-bar; Gemini 3.5 and Antigravity 2.0 at Google I/O; Cloudflare runs Anthropic's Mythos Preview against fifty repos; GitHub breach via malicious VS Code extension hits 3,800 repos.

Issue 21

22 May 2026

Hi there,

Anthropic had the week. Andrej Karpathy posted "I’ve joined Anthropic" on Wednesday. The Stainless team – the people behind every Anthropic SDK since the earliest API days – came in via acquisition a day later. KPMG announced a 276,000-person rollout of Claude across its core business. And the security model Cloudflare quietly ran against fifty of its own repositories turned out to be Mythos Preview, an Anthropic frontier model the rest of us haven’t seen yet.

The counter-story is Google I/O. Gemini 3.5 shipped, Search got reshaped further around AI-generated answers, and Antigravity 2.0 broke the IDE that Antigravity users were happily using the day before. The InfoSec spine of the week is the malicious VS Code extension that hit 3,800 GitHub repos and traces back to the same TanStack npm supply-chain compromise from last week.

Industry

One platform got bigger this week, and the rest of the ecosystem adjusted around it.

1. Karpathy joins Anthropic

Andrej Karpathy posted "I’ve joined Anthropic" on Wednesday – his first big-lab role since leaving OpenAI and, later, his own ventures. The tweet was unusually short for him: the line, the logo, silence. It pairs with the Stainless acquisition, the KPMG partnership covering 276,000 people, and a fresh $200M tie-up with the Gates Foundation as a single seven-day window in which Anthropic compounded talent and reach faster than any other lab has in recent memory.

2. Anthropic acquires Stainless

The Stainless acquisition closed Monday. Stainless generates Anthropic’s official SDKs from API specs across TypeScript, Python, Go, Java, and more – and importantly, ships the MCP server tooling that hundreds of companies use to build agent connectors. The strategic logic is straightforward: agents need to reach into systems, MCP is how, and owning the spec-to-SDK pipeline puts Anthropic in control of both ends of the connectivity layer. Worth watching whether the Stainless team keeps producing open-source SDKs for non-Anthropic APIs or whether the focus narrows.

For Rocky's people: a star map

A fan project takes Andy Weir's Project Hail Mary and renders the actual star map the novel's astronaut would have used. Tau Ceti at the centre, Earth a faint dot from the protagonist's interstellar coordinates, the parallax shifts the plot turns on rendered as a clickable WebGL chart. The underlying astrometry is real Gaia satellite data; the constellation lines reorient as the camera moves, brightness scales by parallax-adjusted apparent magnitude, and the UI doesn't decorate itself.

If you've read the book, this is the visualisation that should have shipped with the e-book.

3. Musk loses the OpenAI lawsuit

A California jury returned a unanimous verdict on Monday that Elon Musk’s claims against Sam Altman, Greg Brockman, OpenAI, and Microsoft were filed too late. The "stealing a charity" framing – Musk’s accusation that OpenAI’s for-profit affiliate breached its non-profit mission – never reached its merits. The trial walked through a lot of melodramatic Silicon Valley history; the verdict turned on the statute of limitations.

4. Meta restricts human rights accounts in Saudi Arabia and the UAE

Since 30 April, Facebook and Instagram accounts belonging to Gulf-focused NGOs ALQST and Democratic Diwan, plus several named researchers and human rights defenders, have been made unavailable to audiences inside Saudi Arabia and the UAE at the request of those two governments. Meta’s own restriction reports show over 100 pages and accounts geo-blocked since March. The technical mechanism is the standard platform-level geo-restriction layer; what makes this newsworthy is the targets being independent civil-society organisations rather than the usual mix of spam, fraud, or named disinformation operations.

Artificial Intelligence

5. Gemini 3.5 and the model-of-the-week treadmill

The model-of-the-week cycle keeps moving. Google released Gemini 3.5 at I/O 2026 on Tuesday; the model blog frames it as "frontier intelligence with action", with tighter integration into Search, Workspace, and Antigravity. Simon Willison walked through the last six months of frontier-model crown-passing in five minutes at PyCon US the same week; his read is that November 2025 was a real inflection point and the labs have spent the months since arguing about who’s a centimetre ahead. The five-minute version is a fair use of five minutes.

6. Antigravity 2.0 bait-and-switch

Google’s other I/O move: Antigravity 2.0 silently auto-updated existing installations the day before I/O, replacing the IDE-based experience with a single conversational prompt box. The "legacy" download Google links in small print at the bottom of the same page installs the same 2.0 chatbot regardless of what’s promised. Users on the Google AI Ultra plan who built workflows around the previous plan-review-implement loop discovered their workhorse had been redirected to demo-magic. This is the specific shape of vendor-as-platform behaviour worth pushing back on: silent updates that delete a working tool, packaged as an upgrade.

7. Cloudflare ran Anthropic’s Mythos Preview against fifty of its own repositories

Cloudflare’s CISO published the Project Glasswing post on Monday: for the past few months they’ve been running Anthropic’s unreleased Mythos Preview security model against more than fifty of their own internal repositories to surface vulnerabilities before attackers find them. The framing is unusually plain – "Mythos is a real step forward", not the usual frontier-marketing language. Anthropic followed on Friday with an update naming the wider consortium: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto. Security tooling used to be one of the places where alternatives to hyperscaler-default stacks thrived; if frontier-model security review consolidates into a handful of labs’ preview models, the playing field narrows.

8. OpenAI claims a model disproved a discrete-geometry conjecture

OpenAI published a result claiming one of their models disproved a central conjecture in discrete geometry – the kind of headline that needs the actual paper, not the press post. The framing sits in the AI-as-mathematical-collaborator space, with substantial human direction. Peer review will weigh in within the next few weeks.

Infrastructure

9. Railway taken offline for ~8 hours after Google Cloud suspended its account

On 19 May, Google Cloud placed Railway’s production account into a suspended state, taking Railway’s API, control plane, and databases offline for about eight hours. Expiring cached network routes extended the impact to workloads not even running on GCP. Railway’s postmortem is measured: the suspension was unilateral, the appeals path went through standard channels, and the rest was operational. Railway runs on GCP; Hanso runs on Hetzner and Vultr with Talos clusters precisely so a single-vendor blast radius isn’t possible. The same incident on a hyperscaler-only setup would still be ongoing today.

Microsoft

Two stories where the boundary between what the vendor controls and what the user can audit ended up too thin. Different surfaces, same shape.

10. Malicious VS Code extension breached 3,800 GitHub repositories

BleepingComputer reports that GitHub confirmed a malicious VS Code extension – a poisoned version of Nx Console – enabled the breach of 3,800 repositories. GitHub linked the attack on Thursday to the same TanStack npm supply-chain compromise from Issue 20: an employee installed the compromised extension, which had access to repository credentials, and the attackers used those to clone the repos. The cross-ecosystem chain is the part to internalise – npm package → IDE extension → IDE credentials → repository content. Signed-extension enforcement with a curated marketplace is the only mitigation that scales for this attack class.

11. A researcher dropped a BitLocker exploit and promises another for Patch Tuesday

A vulnerability researcher released exploit code targeting default-mode BitLocker on Tuesday, with a second exploit covering TPM+PIN promised for the next Patch Tuesday. The vulnerability sits in TPM-only mode, which trusts measured-boot attestation without requiring any user-provided secret before decryption – an attacker with physical access can boot the disk straight to an administrator shell. The disclosure timing (the researcher’s blog posts hint at an unresolved dispute with Microsoft) is its own story. TPM-only mode was always weaker than TPM+PIN; this is the week to actually enforce TPM+PIN on machines that hold sensitive data.
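Finding the TPM-only volumes and moving them to TPM+PIN, as an added PowerShell example that is not part of the newsletter: it uses only the stock BitLocker cmdlets and assumes an elevated session on a machine whose policy permits a startup PIN with the TPM.

```powershell
# Added example (not from the newsletter): audit BitLocker volumes for
# TPM-only protectors and, on request, move a volume to TPM+PIN.
# Assumes: elevated session, BitLocker module present, and local/group policy
# that allows a startup PIN alongside the TPM.

function Get-TpmOnlyVolume {
    # "TPM-only" = has a Tpm protector and no TPM+PIN variant on the volume.
    Get-BitLockerVolume | Where-Object {
        $types = $_.KeyProtector.KeyProtectorType
        ($types -contains 'Tpm') -and
        -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
    }
}

function ConvertTo-TpmPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Make sure a recovery password exists before touching boot-time protectors,
    # so a failed PIN change never strands the machine at the recovery screen.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Warning "New recovery password for $MountPoint (escrow it now): $($rp.RecoveryPassword)"
    }

    # Add the TPM+PIN protector (a failure here throws and leaves the volume as it was),
    # then drop any TPM-only protector that is still attached.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin -ErrorAction Stop
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Return the protector types now on the volume so the caller can verify.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

# Usage: list offending volumes, then remediate the OS drive interactively.
Get-TpmOnlyVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
# ConvertTo-TpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New startup PIN')
```

The audit half is safe to run fleet-wide; the remediation prompts for a PIN and should be paired with recovery-key escrow before the next reboot.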

Development

12. OpenBSD 7.9

OpenBSD 7.9 shipped Tuesday, the 60th release. New ARM64 SoC support (RK3588, RK3576), drivers for the Genesys Logic GL9755 SDHC controller (present on some Apple Silicon laptops), AMD SMU support on amd64, and a long list of base-system refinements. The release song is "Diamond in the Rough"; artwork by Lyra Henderson.

1,700 operating systems, in a VM you can boot

The Virtual OS Museum is a single Linux VM (QEMU, VirtualBox, or UTM) pre-configured with 1,700+ operating systems and applications, plus a launcher that lets you snapshot, revert, and switch between them. It runs from the Manchester Baby of 1948 through CTSS, the earliest Unix versions, the Xerox Star Pilot/ViewPoint (first desktop GUI), and forward through every obscure flavour of mainframe, mini, and microcomputer OS up to the present day.

The cataloguing effort is the real artefact. Decades of digital archaeology compressed into a launcher with a search box.

13. Bun’s Rust rewrite fails basic miri checks

A GitHub issue on the Bun repository lays out that Bun’s ongoing Rust rewrite has substantial unsafe usage that fails miri’s basic checks – undefined behaviour in code marked safe. The thread is technical, well-evidenced, and the maintainer responses don’t engage the specific claims. The pattern is recognisable: a high-velocity codebase ships safe Rust APIs over deeply unsafe internals, and the rewrite drops the C++ baggage but inherits the same memory-safety problems via the abstraction layer. The yt-dlp project dropped Bun support the same week.

Information Security

Two findings, both about how default settings shape what attackers reach.

14. Mini Shai-Hulud strikes again – 314 npm packages compromised

The Shai-Hulud campaign has multiple waves now. The Mini Shai-Hulud operation hit a fresh 314 npm packages on 19 May, following the larger TanStack incident from last week. Same operator family, smaller blast radius, same self-replicating pattern: compromised maintainer credentials → poisoned package version → harvester runs on installation. Every developer machine that ran npm install in the last fortnight should be treated as potentially compromised until verified.

A clock made out of voltmeters

lcamtuf redesigned his 2019 voltmeter clock – the kind that uses three analog panel voltmeters as hour, minute, and second hands instead of a clock face. The new version starts in Rhino3D for the enclosure, prints custom replacement decals for the meter faces (13 divisions for hours so the needle can move continuously between integers; 61 for minutes and seconds), and uses cherry wood for the case.

The whole post is the genre of electronic-hobbyist writing where the title says "clock" and the lede says the hard part was the wood. Both are true.

15. Project Zero: a 0-click chain for the Pixel 10

Google Project Zero published a 0-click exploit chain for the Pixel 10, building on their earlier Pixel 9 work. The chain starts with a Dolby decoder vulnerability (the same CVE-2025-54957 used against the Pixel 9), and the only meaningful Pixel 10 hardening that complicated the port was the move from -fstack-protector to RET PAC – a stack-protection redesign that required adjusting which library functions the exploit overwrites. Annual hardening alone hasn’t closed this chain on the current Pixel generation.

Coming up

Mon 8 Jun: WWDC26 keynote, 10:00 PT (Tue 9 Jun 01:00 SGT). Apple’s annual platforms reveal; sessions run online and free 8–12 June.

Tue 9 Jun: Patch Tuesday. Watch for the promised TPM+PIN BitLocker exploit drop covered in #11, and whether Microsoft pre-emptively patches.

Thu 18 Jun: Gemini CLI sunset. Google’s migration notice is that the legacy CLI stops working entirely from this date; scripts or pipelines using it need to be cut over to Antigravity tooling. Given the issues from #6, test the migration path early rather than the week of.

Cheers,
Julian

How this is made

Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.

Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.

Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.

Hanso
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692
www.hanso.group