Top Stories
Anthropic’s MCP Has a Fundamental Security Flaw — and They Won’t Fix It
OX Security researchers disclosed this week that Anthropic’s Model Context Protocol (MCP) contains an architectural vulnerability that enables arbitrary command execution on any system running a vulnerable implementation. The flaw affects software totaling over 150 million downloads and approximately 200,000 servers, including widely used developer tools like Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI.
The vulnerability is not a traditional coding error. It is baked into Anthropic’s official MCP SDKs across Python, TypeScript, Java, and Rust. The protocol’s STDIO subprocess spawning mechanism lets attackers execute OS commands without authentication. Even when developers restrict allowed commands, attackers can inject through arguments — for example, using npx -c <command> to bypass restrictions. Researchers successfully compromised 9 of 11 MCP marketplaces with proof-of-concept submissions.
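An added example, not taken from OX Security's report or from Anthropic's SDKs: a defensive audit of STDIO server entries that shows why a command-only allowlist passes the `npx -c` case described above, and what an argument-aware check reports instead. The `mcpServers` layout, the sample entries and the policy tables are constructed assumptions for illustration.

```python
import json

# Constructed sample config (assumed "mcpServers" layout; names are hypothetical).
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "docs":   {"command": "npx",  "args": ["-y", "example-docs-server"]},
    "helper": {"command": "npx",  "args": ["-c", "echo placeholder"]},
    "packed": {"command": "npx",  "args": ["--call=echo placeholder"]},
    "shell":  {"command": "bash", "args": ["-lc", "echo placeholder"]}
  }
}
""")

# Assumed local policy: which launchers may be spawned at all.
ALLOWED_COMMANDS = {"npx"}
# Options that make an allowed launcher run an arbitrary command string.
# Only the npx case named in the article is listed; extend per launcher.
EXEC_FLAGS = {"npx": {"-c", "--call"}}


def naive_check(entry):
    """Command-only allowlist: the restriction the article says is bypassable."""
    return entry.get("command") in ALLOWED_COMMANDS


def audit_entry(entry):
    """Return a list of findings; an empty list means the entry passes."""
    cmd = entry.get("command", "")
    if cmd not in ALLOWED_COMMANDS:
        return [f"command not allowlisted: {cmd}"]
    findings = []
    for arg in entry.get("args", []):
        flag = arg.split("=", 1)[0]  # also catches the --call=<string> form
        if flag in EXEC_FLAGS.get(cmd, set()):
            findings.append(f"{cmd} argument executes a command string: {flag}")
    return findings


def audit_config(config):
    """Audit every STDIO server entry and map its name to its findings."""
    return {name: audit_entry(e) for name, e in config.get("mcpServers", {}).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        passed_naive = naive_check(SAMPLE_CONFIG["mcpServers"][name])
        print(f"{name}: naive allowlist passes={passed_naive}, findings={findings}")
```

The `helper` and `packed` entries pass the command-only check yet are flagged once arguments are inspected, which is the gap the researchers describe.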
Anthropic’s response: the behavior is “expected.” After OX Security’s disclosure, Anthropic released a security policy cautioning against STDIO adapters but declined to modify the protocol’s architecture. When a company describes a flaw that grants arbitrary command execution across 200,000 servers as “expected behavior,” the question shifts from whether the protocol is secure to whether its designers treat security as a priority.
Sources: The Register, OX Security, Infosecurity Magazine
Meta Sets May 20 for First Wave of 8,000 Layoffs
Meta will begin cutting approximately 10% of its global workforce — roughly 8,000 employees — on May 20, with additional rounds planned for later in 2026. CEO Mark Zuckerberg is restructuring the company around AI, reorganizing Reality Labs teams, creating a new “Applied AI” organization focused on autonomous coding agents, and establishing Meta Small Business as a separate unit.
The cuts come despite Meta reporting over $200 billion in revenue and $60 billion in profit last year. The company expects capital expenditures between $115 billion and $135 billion in 2026, driven almost entirely by data centers, GPUs, and infrastructure for its Llama models and recommendation systems. This is Meta’s largest workforce reduction since the 2022-2023 “year of efficiency” that eliminated 21,000 positions.
The pattern across tech is now unmistakable: record revenue and record profits fund record AI spending, which funds record layoffs. Meta currently employs nearly 79,000 people. After this round, it will employ 71,000 — while spending more than ever.
GPT-6 Watch: Five Days Past the Rumored Date, Still Nothing
OpenAI’s next model — codenamed “Spud” — completed pre-training on March 24 at the Stargate data center in Abilene, Texas. An unverified leak pointed to April 14 as the launch date. It is now April 19, and OpenAI has published no blog post, no model card, no pricing sheet, and no benchmark results. Sam Altman has said only that it is “a few weeks” away.
The model is in safety evaluation and red-teaming, a process that typically takes 3 to 6 weeks for OpenAI. If that timeline holds, the release window stretches from late April through early May. Polymarket traders currently place a 72% probability on release by April 30. Whether it ships as GPT-5.5 or GPT-6 is still unconfirmed — OpenAI has not committed to either name.
Meanwhile, Anthropic’s Claude Mythos Preview, announced April 7, remains limited to roughly 50 partner organizations through Project Glasswing. Mythos solves advanced 32-step corporate network attack simulations and succeeds on 73% of expert-level cybersecurity tasks that no model could complete before April 2025. The model triggered emergency meetings at the U.S. Treasury, the Federal Reserve, the White House, and the European Commission within two weeks of its announcement.
Sources: FindSkill.ai, LumiChats, CryptoBriefing
Quick Hits
- Human scientists still win: Stanford’s 2026 AI Index Report found that the best AI agents perform only half as well as PhD-holding experts on complex scientific tasks, even as AI adoption across natural sciences grows to 6-9% of all publications. Nature
- Q1 funding smashed records: Investors poured $300 billion into 6,000 startups globally in Q1 2026, up over 150% from the previous quarter. AI accounted for $242 billion — 80% of total venture funding. Four of the five largest rounds ever closed in Q1: OpenAI ($122B), Anthropic ($30B), xAI ($20B), and Waymo ($16B). TrueUp
- 2026 layoff toll rising: Tech companies have cut 95,278 jobs across 247 layoffs so far this year — 882 people per day. Nearly half are attributed to AI-related automation rather than business downturns. TrueUp
- Neuro-symbolic breakthrough: Tufts University researchers printed artificial neurons that communicate with real ones and unveiled a system that cuts AI energy use by 100x while improving accuracy by combining pattern recognition with symbolic reasoning. ScienceDaily
Worth Watching
The MCP security standoff. Anthropic’s decision to classify an architectural vulnerability as “expected behavior” sets a troubling precedent for the entire AI tooling ecosystem. MCP has become the default protocol for connecting AI agents to external services. If the protocol’s designers won’t patch a flaw that enables arbitrary command execution, the burden falls on every downstream developer using the SDK. The 200,000 affected servers are not going to patch themselves.
GPT-6 timing and market positioning. With Claude Mythos locked behind Project Glasswing and Gemma 4 already shipping under Apache 2.0, the window for OpenAI’s next release matters more than usual. If Spud lands in the next two weeks, it arrives into a market where Anthropic’s strongest model is restricted and Google’s open-source offering is already running on consumer hardware. If it slips to May, the competitive landscape shifts again.