AI × Software Engineering

Weekly Explorer — March 22–29, 2026
supply-chain security agentic-sdlc vibe-coding voices research
  • Credentials Stolen (LiteLLM): 500K
  • Anthropic Docs Leaked: 3,000
  • Permission Prompts Approved: 93%
  • Karpathy Experiments: 700
  • Agents Break Working Code: 75%
  • Downvotes on Copilot Policy: 172
  • Tech Layoffs YTD: 59,121
  • AI Agent Traffic Growth: 7,851%

Signal Radar

  • 🔴 Supply chain attacks chain through security tools
    TeamPCP weaponized Trivy (a security scanner) to backdoor LiteLLM — 500K credentials stolen. The tools meant to protect became the attack vector.
  • 🔴 Frontier model details leaked via CMS misconfiguration
    Anthropic's CMS default exposed ~3,000 internal documents including Claude Mythos — "step change" in capabilities, unprecedented cyber capabilities.
  • 🟠 75% agent regression rate in long-term maintenance
    SWE-CI paper: agents that pass all tests still break codebases over time. Only Claude Opus exceeds 50% zero-regression rate.
  • 🟠 Platform data defaults eroding developer trust
    GitHub opted all Copilot users into AI training data collection by default. 172 downvotes, near-universal community backlash.
  • 🟠 Sora's $15M/day cost collapse
    OpenAI shut down Sora after six months — $15M/day inference costs against $2.1M total lifetime revenue. Disney drops $1B partnership.
  • 🟢 AI pentesting for vibe-coded apps
    Lovable + Aikido: automated agent-based security testing integrated into the build flow. $100/test.
  • 🟢 Reasoning-blind classifiers for agent safety
    Claude Code Auto Mode uses a classifier that can't see the agent's reasoning — preventing self-justification of dangerous actions.
  • 🟢 Autonomous research loops entering production
    Karpathy autoresearch: 700 experiments, 11% speedup. Shopify CEO: 19% gains. 35 agents ran 333 experiments unsupervised.
  • 🟢 Human pair programming → agent pair programming
    JetBrains sunsets Code With Me, replaces with ACP agent integration. Product strategy now explicitly agent-first.
  • 🔵 Anthropic IPO (October 2026)
    Bloomberg reports Anthropic considering an IPO as soon as October 2026. Pentagon appeal in Ninth Circuit pending.

Theme Coverage

  • Supply Chain Security: 3
  • Agentic SDLC: 3
  • Model Capabilities: 2
  • Vibe Coding: 2
  • Code Quality: 2
  • Developer Trust: 2
  • AI Research: 1
  • Jobs & Economy: 1
  • AI Policy & Law: 1

Voice Position Map

Horizontal: Practitioner ← → Theorist | Vertical: Cautious ↑ Accelerationist ↓

  • Simon Willison: Supply chain cooldown, LiteLLM response
  • Addy Osmani: Code Agent Orchestra, "not generation but coordination"
  • Martin Fowler: "Both booster and doomer", ADRs
  • Andrej Karpathy: "Humans are the bottleneck", autoresearch
  • Kent Beck: "Nobody Knows" — Still Burning series
  • Kelsey Hightower: KubeCon EU Amsterdam
  • Daniel Stenberg: NTLM beast, curl security
  • Mitchell Hashimoto: Ghostty AI bug fix, AI PR policy
  • Steve Yegge: Inactive this week
  • Gergely Orosz: Inactive this week
  • Ethan Mollick: Inactive this week
  • Grady Booch: Inactive this week

Key Quotes of the Week

"To get the most out of the tools that have become available now, you have to remove yourself as the bottleneck."
    Andrej Karpathy

"Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government."
    Judge Rita F. Lin

"When asked to evaluate work they've produced, agents tend to respond by confidently praising the work — even when, to a human observer, the quality is obviously mediocre."
    Anthropic Engineering

"Almost nobody's figured out how to make everything work together as smoothly as possible... And that's the actual hard problem here. Not generation, but coordination."
    Addy Osmani

"Powerful technologies rarely yield simple consequences."
    Martin Fowler

"AI assisted PRs are now only allowed for accepted issues. Drive-by AI PRs will be closed without question. Bad AI drivers will be banned from all future contributions."
    Mitchell Hashimoto

"Old skills are losing leverage, and nobody has the answers — not even the people who've been doing this for 30 years."
    Kent Beck

Voice Tracker (23 Voices)

Name | This Week | Status
Simon Willison | Supply chain cooldown, LiteLLM response, Auto Mode coverage | Active
Addy Osmani | Code Agent Orchestra, O'Reilly AI CodeCon | Active
Martin Fowler | Anthropic AI study, ADRs, "both booster and doomer" | Active
Andrej Karpathy | AutoResearch, "humans are bottleneck" | Active
Kent Beck | "Nobody Knows" / Still Burning series | Active
Kelsey Hightower | KubeCon EU Amsterdam | Active
Daniel Stenberg | NTLM beast, curl meeting, HTTP/3 talk | Active
📌 Mitchell Hashimoto | Ghostty AI bug fix, Vercel board, AI PR policy | Earlier
📌 Clive Thompson | NYT Magazine "Coding After Coders" (still driving discussion) | Earlier
Steve Yegge | | Quiet
Gergely Orosz | | Quiet
Ethan Mollick | | Quiet
Grady Booch | | Quiet
Patrick Debois | | Quiet
Charity Majors | | Quiet
Dave Farley | | Quiet
DHH | | Quiet
ThePrimeagen | | Quiet
Bryan Cantrill | | Quiet
Jaana Dogan | | Quiet
Mike Mason | | Quiet
Max Woolf | | Quiet
Chelsea Troy | | Quiet

AI × Software Engineering — Edition 3 (March 22–29, 2026)
