OpenAI launches GPT-5.5 as DeepSeek V4 undercuts frontier AI pricing, Anthropic reveals three bugs behind two months of Claude Code quality complaints

Simon Willison

DeepSeek V4: Frontier-Class Models at a Fraction of the Price

DeepSeek released two preview models — V4-Pro (1.6T total, 49B active parameters) and V4-Flash (284B total, 13B active) — both supporting 1M token context windows under an MIT license. The pricing is striking: V4-Flash at $0.14/M input tokens undercuts GPT-5.4 Nano, while V4-Pro at $1.74/M input is the cheapest large frontier model available. The efficiency gains are architectural: V4-Pro requires only 27% of the compute needed by V3.2 at 1M-token context, and V4-Flash just 10%, through aggressive MoE optimizations. DeepSeek's own benchmarks place V4-Pro roughly 3-6 months behind GPT-5.4 and Gemini 3.1-Pro on reasoning, but the cost advantage for throughput-sensitive applications is substantial.

Anthropic Engineering

Anthropic's Claude Code Postmortem: Three Bugs, Two Months of Degraded Quality

Anthropic published a detailed postmortem confirming that Claude Code quality degraded between March and April 2026 due to three separate harness bugs — not model regressions. A reasoning effort default was quietly lowered, a session-caching fix accidentally cleared thinking context on every turn after idle periods (not just once), and a verbosity-limiting prompt change knocked 3% off benchmark performance. The underlying failure mode was insufficient behavioral testing for prompt and infrastructure changes, with bugs that were hard to reproduce in isolation but compounded in real-world long sessions. For teams building agentic systems, the postmortem is a candid reminder that harness-level changes carry the same risk as model changes and need equivalent testing rigor.

Socket

Bitwarden CLI Compromised in Checkmarx Supply Chain Attack

Bitwarden CLI version 2026.4.0 was compromised through a corrupted GitHub Action in the build pipeline, part of the broader Checkmarx supply chain campaign targeting 10 million users and 50,000+ businesses. The malicious npm payload was designed to exfiltrate developer credentials — GitHub tokens, AWS/Azure/GCP credentials, npm tokens, and SSH keys. Developers who installed the affected version should immediately remove it, rotate all exposed credentials, audit repositories for unauthorized changes, and check for artifacts like `/tmp/tmp.987654321.lock` and shell modifications in `.bashrc`/`.zshrc`. The attack vector — the CI/CD pipeline rather than the source code — is a reminder that build infrastructure is as much an attack surface as the code it compiles.

LWN

Ubuntu 26.04 LTS Ships with TPM-Backed Encryption and Memory-Safe Core

Ubuntu 26.04 LTS ("Resolute Raccoon") is out with a security-heavy feature set: TPM-backed full-disk encryption is now a first-class option, and the distribution ships with expanded use of memory-safe components to reduce vulnerability surface. Livepatch support extends to Arm systems for the first time, enabling live kernel patching across additional architectures without reboots. The release carries a 5-year support window across Desktop, Server, Cloud, WSL, and Core variants — though notably, full migration of coreutils to Rust was deferred after a security audit revealed 41 CVEs and eight unresolved TOCTOU race conditions in `cp`, `mv`, and `rm` (see below).

Ubuntu Discourse

Security Audit of Rust Coreutils Finds 113 Issues, Delays Ubuntu Migration

A four-month security audit by Zellic (Dec 2025–Mar 2026) found 113 vulnerabilities in Ubuntu's Rust coreutils implementation, including 41 CVEs and eight critical TOCTOU race conditions in `cp`, `mv`, and `rm` that remain unresolved. Ubuntu 26.04 retains GNU coreutils for those specific utilities as a result. The findings carry a broader lesson: Rust eliminates memory safety bug classes, but logic-level vulnerabilities — race conditions, incorrect permission handling, edge cases in file operations — persist regardless of language. The deliberate decision to delay rather than ship known-vulnerable replacements reflects responsible security practice, but illustrates that language migration is not a substitute for rigorous auditing.

MeshCore Blog

MeshCore Splits Over Secret Trademark Grab and Undisclosed AI-Generated Code

MeshCore, an open-source networking project that grew to 100,000+ users in 15 months, has fractured after founding member Andy Kirby secretly filed a trademark on the project name and used Claude Code extensively to build components without disclosing it to the team. Community polling showed 89% of users wanted transparency about AI-generated code — a clear signal the lack of disclosure violated contributor expectations. Kirby's attempt to claim "official" status for his MeshOS fork while hiding both the trademark application and AI tooling use triggered a governance crisis. The core team's response — declaring the GitHub repo the only authoritative source and rejecting centralized ownership — is a case study in why rapidly-scaling open source projects need explicit policies on trademarks, AI attribution, and decision authority before they need them.

AT Protocol Blog

Serving 72,000 Daily Active Users on a Gaming PC With SQLite for $30/Month

The Bluesky For-You feed — used by 72,000 daily active users — runs on a single consumer gaming PC (16 cores, 96GB RAM, 4TB NVMe) using a Go binary and 619GB of SQLite storage, fronted by a $7/month OVH VPS connected via Tailscale, for a total cost of $30/month. Throughput is 15–25 queries per second at 37% CPU peak load. The architecture avoids Redis by using in-process caching with golang-lru, eliminating serialization overhead, and maps URIs and DIDs to integers to minimize memory use. The author estimates the system could handle all ~1 million daily active Bluesky users with the cheapest working algorithm — a compelling counter-example to the reflex toward distributed infrastructure at scale.

Google Developers Blog

TorchTPU Brings Native PyTorch Support to Google's TPU Infrastructure

Google's TorchTPU project enables PyTorch workloads to run natively on TPUs with minimal code changes, supporting distributed training primitives like DDP, FSDP, and DTensor out of the box. The framework uses an "Eager First" philosophy for iterative debugging, with a "Fused Eager" mode that automatically combines operations for 50–100%+ performance gains, and optional static compilation via torch.compile/XLA for maximum throughput. The integration removes the key friction that has historically kept PyTorch practitioners on GPU infrastructure — the need to rewrite code or learn new frameworks to access TPU compute. For teams running large-scale training, this opens Google's TPU fleet as a viable alternative without adopting a new ML stack.

LeadDev

Meta Harvests Employee Keystrokes and Clicks to Train Computer-Use AI

Meta's Model Capability Initiative is recording granular employee activity — keystrokes, mouse movements, clicks, menu navigation — from internal computers to generate training data for AI agents designed to automate computer tasks. The program repurposes data originally collected for security monitoring, which legal experts say requires fresh justification under privacy law. Employees report feeling surveilled, with some already using personal devices to avoid capture. The initiative reflects a broader arms race: as OpenAI, Anthropic, and Google push computer-use agents, the most valuable training signal is real human computer interaction — but collecting it at scale from employees who might be training their own replacements creates a structural tension that is unlikely to resolve quietly.