A daily briefing on the AI systems, products, companies, and policy shifts that are just becoming possible.
Alright, alright, you found me. I'm Tony DeLuca, and this is Barely Possible — the show where I read the technical stuff so you don't have to, and then I tell you which part actually matters for the thing you're building. Grab your coffee, the diner's open, let's eat.
We got a packed menu today, and I want to start somewhere that should make every single one of you who runs an AI coding agent sit up a little straighter. Because the most consequential thing in front of me this morning isn't a shiny new model or a billion-dollar deal. It's a credential stealer. A self-replicating one. And it's specifically designed to fire the moment an AI agent opens the package. Let me walk you through that, because it's the deep dive today, and it's the kind of story that quietly changes how you should be thinking about your own dev pipeline.
So here's the setup. Dan Goodin over at Ars Technica reports that for the second time in weeks, Microsoft-associated packages got laced with a credential stealer. Seventy-three packages. And the detail that should make the hair on your neck stand up is right there in the summary: these things run a self-replicating stealer as soon as they're opened by an AI agent. Not when a human runs them. When an agent opens them. TechCrunch's Zack Whittaker has the companion piece — Microsoft shut down dozens of GitHub code repositories for Azure and AI coding tools after a reported hack. The headline on that one is blunt: Microsoft's open source tools were hacked to steal passwords of AI developers.
Now let me slow down and tell you why this is different from the usual supply-chain breach story, because we've all heard a thousand of those and they start to blur together. The classic supply-chain attack works like this: bad guy poisons a popular package, you install it, the malicious code runs in your build, it grabs your secrets, it phones home. Bad, but at least there's a human somewhere in the loop installing the thing, maybe noticing something's off, maybe reading the changelog.
What changed here is the target's behavior. The attacker isn't waiting for a careful human. The attacker is counting on an AI coding agent — Claude Code, Codex, whatever you're running in your repo — to autonomously pull a package, open it, and execute whatever's inside, fast, without a human reviewing each step. That's the whole pitch of agentic coding right now, right? You set up a loop, the agent grabs dependencies, wires things together, keeps going. The thing that makes the agent productive — that it doesn't stop and ask you about every file — is exactly the thing the attacker is weaponizing. The agent is the soft target precisely because it's trusting and fast.
And then the self-replicating part. A self-replicating stealer means once it's in your environment, it doesn't just grab one set of credentials and quit. It uses what it steals to spread to the next thing, and the next. So if your agent has a GitHub token, and that token can push to other repos, the worm doesn't need you at all. It just rides your agent's own permissions outward.
There's an independent writeup on the token-stealing mechanics from a security researcher's blog that goes deep on exactly how the GitHub tokens get lifted — I'll put it in the show notes, and there's a separate analysis post on the same theme. The short version, the part you actually need: the blast radius of a compromised package is now the blast radius of your agent's credentials, and your agent's credentials are usually a lot broader than any single human developer's would be. We give these things tokens. Broad ones. Because narrow ones make the agent stop and fail, and a failing agent is annoying, so we hand it the keys to the whole garage.
And if you want to see how nervous the industry is about this exact problem, look at what Microsoft's own security team has been publishing. There's a Microsoft security blog post, dated earlier this month, titled around securing CI/CD in an agentic world, and it uses a Claude Code GitHub Action as the case study. Think about that for a second. Microsoft is writing the defensive playbook for the exact attack surface that then got hit. The whole genre of content right now is: here's how an agent in your continuous-integration pipeline becomes the most over-permissioned, least-supervised user in your entire system. The attackers read that genre too.
Now, I want to connect this to something we've been circling on this show, because I'm not going to pretend it came out of nowhere. The thing we keep coming back to is that the agent isn't just a tool you point at a task — it's an actor with its own identity, its own permissions, its own footprint. We talked about that a couple days back with the idea of an AI agent getting its own computer and how that breaks the old seat-based SaaS model. Well, here's the dark mirror of that same idea. If your agent is a coworker with its own machine and its own logins, then your agent is also a coworker who can get phished, except this coworker never gets tired, never gets suspicious, and will happily run seventy-three poisoned packages in a row at three in the morning.
So what do you actually do with this if you're building? Three things, and none of them are exotic. One: scope your agent's tokens down to the bone. The agent does not need org-wide push access to do its job on one repo. Every extra permission is extra worm fuel. Two: put a real sandbox between the agent and your live credentials. There's been a bunch of good writing lately on running agent-executed code inside locked-down sandboxes — Simon Willison had a piece earlier this month on running MicroPython in a sandbox, which is exactly this instinct: let the untrusted thing run where it can't touch anything that matters. Three: stop trusting freshness as a signal. A package that updated five minutes ago is not safer because it's new. In an agentic pipeline, new is suspicious, because new is when the poison gets injected.
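One way to make that third step mechanical, as an added example that is not from the episode or from any project it mentions: a minimum-age gate that refuses any resolved dependency published less than a week ago, fails closed on packages with no publish record, and offers the newest version that has already aged as the pin to use instead. The package names, lockfile and timestamps are constructed, and the publish history is assumed to follow the npm registry's `time` field layout.

```python
"""Minimum-age gate for dependencies pulled by an autonomous coding agent.
Hypothetical helper, not from the episode: refuse any resolved version published
less than MIN_AGE_DAYS ago, fail closed when there is no publish record, and
offer the newest version that has already aged as the replacement pin."""
from datetime import datetime, timedelta, timezone

MIN_AGE_DAYS = 7  # policy: anything younger than a week is held for human review
# Constructed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 6, tzinfo=timezone.utc)

# Constructed lockfile excerpt: package name -> resolved version.
LOCKFILE = {
    "example-azure-helper": "2.4.1",
    "example-ai-sdk": "1.0.9",
    "example-left-pad": "1.3.0",
    "example-unknown": "0.0.1",  # no registry record at all
}

# Constructed publish history, assumed to follow the npm registry's
# ``time`` field layout: version -> ISO-8601 publish timestamp.
REGISTRY_TIME = {
    "example-azure-helper": {"2.4.0": "2024-01-10T12:00:00.000Z",
                             "2.4.1": "2024-03-01T09:30:00.000Z"},
    "example-ai-sdk": {"1.0.8": "2024-02-20T08:00:00.000Z",
                       "1.0.9": "2024-03-05T18:45:00.000Z"},
    "example-left-pad": {"1.3.0": "2023-11-02T00:00:00.000Z"},
}

def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_min_age(lockfile, registry_time, now=NOW, min_age_days=MIN_AGE_DAYS):
    """Return {name: reason} for every resolved version that fails the gate."""
    cutoff = now - timedelta(days=min_age_days)
    findings = {}
    for name, version in lockfile.items():
        history = registry_time.get(name, {})
        if version not in history:
            findings[name] = f"{version}: no publish record, blocked (fail closed)"
            continue
        published = parse_ts(history[version])
        if published > cutoff:
            age = (now - published).days
            findings[name] = (f"{version}: published {age} day(s) ago, "
                              f"under the {min_age_days}-day minimum; hold for review")
    return findings

def newest_mature_version(name, registry_time, now=NOW, min_age_days=MIN_AGE_DAYS):
    """Newest version of `name` already older than the gate, or None if nothing qualifies."""
    cutoff = now - timedelta(days=min_age_days)
    mature = [v for v, ts in registry_time.get(name, {}).items() if parse_ts(ts) <= cutoff]
    if not mature:
        return None
    # Assumes plain dotted numeric versions; a real check would use packaging.version.
    return max(mature, key=lambda v: tuple(int(p) for p in v.split(".")))

if __name__ == "__main__":
    for pkg, reason in check_min_age(LOCKFILE, REGISTRY_TIME).items():
        fallback = newest_mature_version(pkg, REGISTRY_TIME)
        print(f"{pkg}: {reason}; pin {fallback or 'nothing'} instead")
```

Wire a check like this into the step that runs before the agent is allowed to install, so a freshly published version is held for a human rather than executed by the agent.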
The uncomfortable truth underneath all of this is that the productivity story and the security story are the same story pointed in opposite directions. The reason agentic coding is exploding is that it removes human friction. The reason this attack works is that it removes human friction. You don't get to keep one and not the other for free. You have to pay the difference in scoping, sandboxing, and review. And most teams right now, if I'm being honest with you, are not paying it. They're shipping agents with the keys to the whole building because it's faster, and they'll find out the hard way what that costs. Watch this space — second time in weeks is not a coincidence, it's a pattern, and patterns in security mean somebody figured out a repeatable trick.
Okay. Let me come up for air, because there was a whole circus yesterday that I'd be a bad host to ignore. Apple held its developer conference, and the headlines were everywhere. Let me give you the founder-relevant version, not the gadget-blog version.
The framing from TechCrunch's Sarah Perez nails it: Apple plays catch-up. Apple spent most of the keynote on fixes, performance improvements, and long-requested features, and then unveiled an upgraded, AI-powered Siri — and the deliberate signaling was that AI is just one part of a broader software effort, not the whole show. They renamed it, essentially: say hello to Siri AI, a more conversational voice assistant. And here's the part that matters for anyone tracking who's powering what — Ars Technica's Kyle Orland reports the new Siri comes with a two-tiered, Google-powered AI model overhaul. Google-powered. Apple, the company that wants you to believe it does everything in-house, is leaning on Gemini under the hood for the heavy lifting. That tells you something about where the frontier capability actually lives, and it's not in Cupertino.
The operating systems themselves — iOS 27 and macOS 27, which they're calling Golden Gate — are explicitly about refinement. Liquid Glass tweaks, performance optimizations. Andrew Cunningham's coverage is almost relieved about it. And there are two genuinely practical notes here. One: iOS 27 and iPadOS 27 don't drop support for any iPhones and only a few iPads, which is a nice release for aging hardware. Two, and this is the era-ending one: macOS 27 requires Apple Silicon. You need an M1 or better. The Intel Mac era is officially being drawn down. If you've got a build farm or a CI setup still leaning on old Intel Macs, that's a clock starting.
But the two announcements I actually want you, the builder, to chew on are these. First, Apple's letting you build Shortcuts workflows using AI — you describe the workflow you want in a prompt, and it assembles it. Sarah Perez and Ivan Mehta both have writeups, and the framing from Mehta is that Apple taught your iPhone to finish your sentences, your photos, and your workflows, with new AI features landing in Safari, Shortcuts, and Passwords. Now, natural-language workflow building isn't novel — that's the whole agentic automation pitch — but Apple putting it natively into Shortcuts on a billion devices is a distribution event. If you're building consumer automation tooling, the floor just moved.
Second, and this is the one that's directly aimed at your wallet: Apple is betting cheaper AI will woo small developers. Per Sarah Perez, Apple is waiving cloud API costs for developers with fewer than two million first-time App Store downloads. Read that again. As AI experimentation gets more expensive — and we have spent weeks on this show talking about the token-scarcity era, the end of flat-rate subscriptions, Uber capping its agent spend — Apple just zigged. They're eating the cloud API cost for the little guy. That's a platform play. They want you building AI features on their stack before you're big enough to have leverage. Whether the model quality underneath is good enough to make that worth it is the open question, but the economics are a real offer. If you're a small App Store developer doing AI experimentation, go read the fine print on that one, because free inference is not nothing in a year where everyone else is hiking prices.
Oh, and one more Apple-adjacent item that's quietly delicious. Waymo bought Apple's old self-driving car proving ground for two hundred twenty million dollars. Kirsten Korosec and Sean O'Kane dug up the documents — a fifty-five-hundred-acre proving ground in Arizona, owned through a Delaware shell company associated with Apple, now Waymo's. That's the gravestone on Project Titan, Apple's car dream, getting sold for parts to the company that actually shipped robotaxis. Apple retreats from the hardest version of autonomy and pours the energy into a conversational Siri. The market told them what they're good at, and they listened. There's a lesson in there for any founder romantically attached to the wrong moonshot.
Now let's shift from the consumer giant to the two labs everyone's watching for a different reason entirely: they both want your money on the public markets.
OpenAI has filed confidentially for an IPO. Rebecca Bellan at TechCrunch reports it comes a little more than a week after its main rival, Anthropic, also filed to go public. We flagged the Anthropic confidential S-1 on this show when it landed. Now OpenAI's matched it. So we've got a genuine race to the public markets between the two biggest names in the field, and that changes their behavior in ways you can feel.
There's a related Bloomberg report that OpenAI plans a super-app pivot ahead of the planned IPO. And look, I'm skeptical of super-app talk in general — usually 'super app' means 'we couldn't find the next big thing so we're bundling everything we already have into one icon.' But the IPO context makes it legible. When you're about to ask public investors for money, a chatbot is hard to put a valuation multiple on. A platform with coding tools and agents and enterprise revenue — that you can model. So the product roadmap starts bending toward what reads well in an S-1. That's not cynicism, that's just gravity. Keep that in mind every time one of these labs ships something in the next few months: ask yourself whether the feature is for you or for the prospectus.
And zoom out one notch further, because there's a recent Economist piece — published at the start of this month — asking the exact right question: can the stock market swallow SpaceX, Anthropic, and OpenAI? These are enormous private companies all heading for the public markets at roughly the same moment. The question isn't whether they're impressive. It's whether public markets have the appetite, at these valuations, to absorb all of them at once. We covered a few weeks back how the S&P 500's profitability rule actually slammed the index door on SpaceX, which closed the same on-ramp for OpenAI and Anthropic. So the path to public isn't smooth, and the timing — everybody crowding the exit at once — matters. If you're a founder thinking about your own fundraising or exit timeline, the macro weather here is: a lot of very big balloons are trying to land on a very small runway in the same quarter.
Now let me pull in something on the supply side of all this, because the constraint underneath the whole boom keeps showing up. There's a Bloomberg report from earlier this month — the TSMC CEO warning that chip supply won't meet AI-fueled demand for years. Years. Not months. The man who makes the chips everyone fights over is telling you the shortage is structural and durable. Pair that with the compute deals we've been tracking — Google renting from SpaceX, everyone scrambling for GPUs and memory — and the picture is clear: the bottleneck on AI isn't ideas, it's silicon, and it's going to stay that way. For builders, the practical read is that inference costs are not going back to subsidized lows anytime soon. The token-scarcity era we've been harping on isn't a temporary blip caused by labs cleaning up their books for IPOs. It's also a real physical shortage. Plan your unit economics like compute stays expensive, because the guy casting the molds says it will.
Let me turn the corner to geopolitics, because there's a cluster here worth your attention.
The Pentagon, per Sean O'Kane, says Alibaba, Baidu, BYD, and Unitree support China's military. Now the framing detail in the reporting is the interesting part: the Trump administration released the updated version of this list four months ago and then quickly pulled it without explaining why. So this is a list that came out, vanished, and is now resurfacing in coverage. That on-again-off-again behavior tells you the list is a live policy fight, not a settled judgment. Why does a builder care? Because if you're integrating any Chinese open-weight models or robotics — Unitree makes those robot dogs and humanoids a lot of people are experimenting with, and Alibaba's Qwen models are everywhere in the open-weight world — a designation like this can ripple into export controls, procurement bans, and enterprise customers suddenly getting cold feet. If your stack quietly depends on one of these names, you want to know your exposure before a customer's compliance team finds it for you.
Speaking of Qwen — there's a report that Qwen3.7 Plus is Alibaba's bid to turn multimodal AI into a full-blown autonomous agent. I'll keep this brief because it's the kind of model-release story that can swallow an episode, and the thing to know is just the WHAT and the WHY: Alibaba is pushing its multimodal model toward agentic autonomy, which is the same direction everyone's running. The notable part is that it's an open-weight contender doing it, which keeps the open ecosystem competitive on agents specifically, not just chat. And there's a new Gemma release from Google — Gemma 4 12B — out in the open-weight lane as well. I'm not going to do token-per-second benchmarks at you. The headline is just that the open-weight agent race has real entrants on both sides of the Pacific, and that's good for you as a builder because it keeps your options from collapsing into two American APIs.
Now, here's a national-security item that I want to handle carefully, because the framing matters. There's a report from The Decoder that Anthropic's Mythos model is reportedly powering NSA offensive cyber operations against China and Iran. I'll flag that word — reportedly — because that's doing a lot of work, and I'm not going to overstate it. But sit it next to the credential-stealer worm we opened with, and you get the full shape of the moment: the same frontier capability is being used to build offensive cyber tools on one side and is being weaponized against developer pipelines on the other. The defensive and offensive uses of these models are the same models. Which is exactly why the governance conversation is heating up.
And it is heating up. There's a Fortune report that the CEOs of OpenAI, Anthropic, and Microsoft went to Congress on bioweapon safeguards earlier this month. There's an Anthropic push, covered at The Next Web, urging a coordinated, verifiable pause for frontier AI. There's an OpenAI frontier safety blueprint out. And there's a draft bill, per one report, that would preempt some state AI regulations for three years. I'm going to be straight with you about why I'm not deep-diving any one of these: we've spent a lot of recent episodes on the governance-versus-capabilities theme, and I promised myself I wouldn't keep abstracting up to the same meta-pattern. So instead of the cloud, let me give you the ground. The one concrete thing for builders in this pile is the state-preemption draft bill. If lawmakers actually freeze state-level AI rules for three years, that's a real planning input — it means the regulatory floor you're building on might be set in Washington, not Sacramento or Austin, for a while. That's the item to actually track. The CEO photo-ops in Congress, the verifiable-pause manifestos — those are positioning. The preemption bill is plumbing. Watch the plumbing.
Alright, let me give you a few quick ones that don't need a sermon, and then I'll let you go.
Meta is back in court with NSO Group. Jon Brodkin reports Meta alleges NSO violated a spyware injunction with new WhatsApp attacks — WhatsApp says it disrupted spear-phishing attempts and is asking the court to hold NSO in contempt. The throughline with our whole episode is that spear-phishing, spyware, and credential theft are all the same business now, just at different layers — the consumer messaging layer, the developer pipeline layer, the nation-state layer. The attackers are industrializing across all of them.
On the infrastructure-of-everyday-life front, there's a genuinely unsettling one from Jeremy Hsu: tests suggest Russian satellites can jam GPS on a continental scale. The mystery of GPS interference across Europe now has a plausible source, and it raises real questions about Russian motives. If you build anything that depends on precise location or precise timing — and a shocking amount of software quietly depends on GPS timing, not just maps — continental-scale jamming is a tail risk that just got more concrete. Worth a note in your resilience planning.
Google's NotebookLM is getting a big upgrade — Gemini 3.5 and the Antigravity agent are coming to it, per Ryan Whitwam. The catch: it's AI Ultra and enterprise accounts only, right now. Same pattern we keep seeing — the good stuff lands behind the premium tier first. If NotebookLM is part of your research workflow, the ceiling just went up, but you'll pay for it.
Apple's Image Playground, which was a punchline at launch, apparently doesn't suck anymore — Amanda Silberling's words, not mine. The image generator got a makeover that could make it competitive. File that under 'second attempts sometimes work,' which is a more encouraging lesson than we usually get.
And one for the science-and-whimsy file, because we earn the right to it: polystyrene — your empty coffee cup — can be upcycled into a carbon sponge material that captures carbon. Scott K. Johnson has it. Your trash, doing carbon capture. I make no promises about whether it scales, but I like a story where the garbage fights climate change.
Let me close where I always try to — with the one thing to actually do. If you run AI coding agents, and more and more of you do, today's the day you go look at what tokens and permissions those agents are carrying. Not because I'm trying to scare you off the productivity — the productivity is real and it's not going away. But because the second poisoned-package wave in a matter of weeks is the market telling you that your fast, trusting, tireless robot coworker is now the most attractive target in your whole shop. Scope it down. Sandbox it. Stop trusting new. The agents that survive the next year aren't the ones that move fastest — they're the ones whose owners read the security blog before the attackers did.
That's the menu. I'm Tony DeLuca, this has been Barely Possible, and I appreciate you spending a little of your morning at the counter with me. Go scope your tokens. Talk soon.