Welcome back. Supply chain attacks keep coming, thanks to AI. Microsoft just found malware hidden inside a Python package that was disguised as Hugging Face's Transformers library. It was specifically built to steal developer credentials. Here is how you can mitigate the risk.

Also: A prompt to defend against the next npm supply chain attack, how an engineer merged 30 PRs overnight with Codex, and Coursera co-founder Andrew Ng on the AI job apocalypse.

Anthropic upgrades its coding agent with autonomy and speed: The AI lab just rolled out two new features to Claude Code. First, the new /goal command allows you to set a specific target, such as passing all tests in a folder. The agent will then work continuously until an evaluator model confirms the goal has been met. Additionally, a fast mode for Opus 4.7 is now available in research preview through both the API and Claude Code.

Prime Intellect open-sources a fix for agent training: The San Francisco-based AI lab just unveiled renderers, an open-source Python library that fixes a major inefficiency in agent training. Most training systems process data as tokens, but the environments agents actually use are based on messages. Swapping between the two usually messes up data and wastes compute. Renderers handles that translation cleanly, boosting throughput by over 3x on popular open-source models.

Google catches its first AI-built exploit in the wild: The search giant's security team just caught the first confirmed case of hackers using AI to build a working zero-day exploit. The attackers used a model to find a way around two-factor authentication in a popular open-source admin tool, then started prepping for a mass attack. Fortunately, Google flagged the flaw in time for the vendor to push out a fix before anyone actually got hit.

AI Pods replace complex delivery with a focused, production-first approach. Your devs own the architecture and decisions, AI handles execution.

No need to hire a large team: AI Pod can give you a working AI system in 4-6 weeks:

When the pilot ends, you own everything—code, prompts, eval data, and infrastructure. The Pod leaves, but the system keeps running.

Book an AI Pod fit call at no cost.

Sessions are dying out. AI coding agents are ditching the session-based model for always-on background services. Unlike Claude Code or Codex, where a new window wipes your context, self-hosted agents like OpenClaw and Hermes Agent run 24/7. They keep their memory for months and can even ping you on Telegram while you sleep.

Two species are emerging. OpenClaw went viral with 345K GitHub stars and connections to dozens of messaging apps before moving to an independent foundation when its creator joined OpenAI. Meanwhile, Hermes Agent from Nous Research focuses on a lean approach built around persistent memory and a closed learning loop. While OpenClaw bets on breadth, Hermes is doubling down on depth.

But the ground is shaky. OpenClaw's popularity made it a prime target. Shortly after launch, security firm Koi found 341 malicious entries in its registry from a coordinated attack. Tens of thousands of exposed instances followed, and Microsoft eventually warned enterprise customers to avoid using it on work machines.

Memory becomes the moat. Beyond security, an agent's expanding memory brings up a tougher question. Who actually owns it? If your engineering team is evaluating Hermes, you can browse what's already being built with it. Ultimately, whoever controls the memory will lead the next wave of development tools.

Every Claude Code session eventually times out, and the next one starts from scratch. Any decisions made, bugs found, or half-finished plans are lost. To fix this, Matt Pocock, an ex-Vercel engineer, created a “/handoff” skill that compresses your current session into a Markdown file so the next agent can start with full context.

To install it, run this in your terminal: “npx skills@latest add mattpocock/skills”.

Select “handoff” from the menu, set Claude Code as your agent, and restart. Before you close a session, run the skill with a quick description of what's next:

When you start your next session, just load that Markdown file, and Claude will be right back where you left off.

P.S. You can find 50+ AI coding hacks here.

How to build apps with Codex and GPT-5.5: This tutorial shows you how to use the Codex app and GPT-5.5 to build and refine iOS or macOS apps. You'll learn how to set up projects with the "App Creator" skill, automate UI tweaks, and even refine your marketing strategy, all while spending less time manually coding in Xcode.

Warp: A modern terminal paired with powerful agents that help you build, test, deploy, and debug code.

oMLX: This is a high-performance server built specifically for Apple Silicon Macs that makes running local AI models fast and efficient. It allows you to host and manage several local LLMs and vision models at once, all through a simple macOS menu bar app, a web dashboard, or standard APIs that work just like OpenAI or Anthropic.

Build agents that remember your users: Most AI agents have a short memory, which means you're stuck repeating your preferences every time you chat. Claude’s memory feature changes that. It works like a personal notebook, automatically keeping track of your details and recalling them across every conversation.

Grow customers & revenue: Join companies like Google, IBM, and Datadog. Showcase your product to our 270K+ engineers and 150K+ followers on socials. Get in touch.

You can also reply directly to this email if you have suggestions, feedback, or questions.

Until next time — The Code team