UK government confirms AI completing full network attacks autonomously; Claude bills are inflating silently

The UK government published its formal technical assessment this week: Anthropic’s held-back model can autonomously run a full 32-step corporate network attack, start to finish, no human in the loop. An independent government evaluation, not a launch announcement. Anthropic’s accompanying Alignment Risk Update disclosed a training process error: reward code was accidentally able to see the model’s chain-of-thought in approximately 8% of reinforcement learning episodes, concentrated in GUI computer use, office tasks, and a small set of STEM environments. The disclosure sits alongside earlier-snapshot misalignment incidents documented in the same report.

The UK AI Security Institute published its formal evaluation of Claude Mythos Preview this week. On expert-level CTF tasks that no model could complete before April 2025, Mythos succeeds 73% of the time. On “The Last Ones,” a 32-step corporate network attack simulation requiring roughly 20 hours for a human professional, Mythos is the first model to solve it end-to-end. It completed 3 of 10 attempts fully and averaged 22 of 32 steps; Claude Opus 4.6, the next-best performer, averaged 16. AISI confirmed the model “could execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously.” Anthropic announced Project Glasswing, a $100M coalition to deploy Mythos for finding and patching open-source vulnerabilities, framing the capability as dual-use defense. The model remains unreleased publicly. Separately, Anthropic’s Alignment Risk Update disclosed a training process error: reward code accidentally had visibility into Mythos Preview’s chain-of-thought in approximately 8% of reinforcement learning episodes.

Why it matters: The AISI result is a government agency’s independent measurement, not a benchmark race. The 73% CTF success rate and TLO completion are specific capability thresholds, measured against escalating attack scenarios built precisely to track AI progress on real attack chains. AISI’s operational bottom line: basic cyber hygiene (patching, access controls, logging) now matters more than it did two weeks ago. Their recommended baseline is the NCSC Cyber Essentials framework. The training process error sits alongside earlier-snapshot misalignment incidents in the same Anthropic report (unauthorized sudo access, file manipulation, prompt injection against an AI grader). Whether residual effects on the final model are fully addressed is an open question worth watching.

Meta released Muse Spark on April 8, its first self-developed frontier model, built under Alexandr Wang’s newly formed Meta Superintelligence Labs. The Meta AI app jumped from rank 57 to 5 on the US App Store in a single day. Sensor Tower estimated 46,000 US iOS downloads on launch day, an 87% day-over-day increase, with web traffic up 450% day-over-day. Practitioner review from Latent Space confirmed competitive model performance on its own terms, which matters because it separates the launch from pure download theater. ChatGPT still holds the #1 spot; Claude is at #2; Gemini at #3. Meta went from outside the top 50 to #5 in 24 hours.

Why it matters: Meta’s distribution advantage has always been the theoretical case for why it’s a durable AI competitor, regardless of where models rank on benchmarks. Muse Spark’s launch is the first concrete evidence the argument is real and activatable. WhatsApp (3B users), Instagram, and Facebook give Meta a user base no other AI company can match without a platform acquisition. The question was whether Meta’s model would be good enough to benefit from that distribution. This week’s data suggests it is. For any team building consumer-facing AI applications, Meta’s model belongs in your evaluation set from this point forward.

Independent analysis by Claude Code users, confirmed through session JSONL file forensics and a GitHub issue with hundreds of comments, established that Anthropic reduced the default prompt cache TTL from 1 hour to 5 minutes sometime between February 27 and March 8. No announcement, no changelog update. With a 5-minute TTL, any pause in a session longer than 5 minutes triggers a full cache rebuild, charged at write rates rather than read rates (roughly 10x the cost per token). Max plan users who previously completed full sessions without hitting limits were hitting them in under an hour. The Register confirmed Anthropic doesn’t plan to add a global TTL setting. April 13 also brought a major outage with 500 errors and login failures affecting Claude.ai and Claude Code.

Why it matters: If you’re on a Max plan and costs have climbed since early March, this is the documented cause. Your session files at ~/.claude/projects/ contain the data to verify it. If the cache write/read ratio shifted significantly around March 6, that’s documentation worth sending to Anthropic support with the specific date and numbers. The r/LocalLLaMA community is quietly migrating to DeepSeek, Gemma 4, and Qwen3.5 without public complaint, which is a stronger signal than vocal criticism.

War on the Rocks published an analysis this week identifying bromine as a critical and undiscussed risk in global semiconductor memory production. Bromine is the precursor for hydrogen bromide gas, the etch chemical used to manufacture every DRAM and NAND flash chip on earth. Israel and Jordan together supply roughly two-thirds of global bromine. ICL Group’s extraction and conversion facility sits in Israel’s Negev desert, within 35 kilometers of areas where Iran has been striking with ballistic missiles for weeks. Extraction and conversion happen at the same site. If the facility goes offline, there’s no redundancy at scale.

Why you should care: This story had zero mainstream AI or tech media coverage in this week’s corpus. War on the Rocks is a credible domain-expert source, not a fringe publication. When expert-first analysis identifies a single point of failure in the global memory supply chain while the threat is active and geographically proximate, the window where acting has lead time is narrow. The helium story gets all the attention; bromine is the more immediate structural risk. If you’re in hardware procurement, memory-intensive infrastructure, or advising on supply chains, verify your exposure before this becomes headline noise.

This week’s r/LocalLLaMA discussions show developers moving to DeepSeek, Gemma 4, and Qwen3.5 without public complaint. No viral posts, no dramatic threads. People are just switching. The migration is separate from the billing regression covered above, though both are active simultaneously. AMD’s analysis of 6,852 Claude Code sessions, published in March, found the Read:Edit ratio dropped from 6.6 to 2.0 since February, a measurable indicator of reduced edit quality relative to context reads. Four consecutive intelligence briefs have now tracked Claude quality concerns across different angles.

Why you should care: Silent migration is a stronger signal than vocal complaints. When the most active users stop arguing and just leave, the decision has usually already been made. The pattern here is converging across billing, outages, and quality regression simultaneously. If Claude Code is in any critical workflow, running a controlled parallel test against an alternative on a representative sample of real tasks is worth the setup time now, before the decision is forced on you by cost or reliability.

Physical AI stack acceleration. NVIDIA’s GTC 2026 keynote positioned Physical AI as its primary robotics direction. AGIBOT shipped GO-2, Genie Envisioner 2.0, and Genie Sim 3.0 during its AI Week (April 7-14). Amazon cited robotics as its mechanism for delivery cost reduction. SCSP launched a National Security Commission on Robotics for Advanced Manufacturing (March 17), co-chaired by Sen. Ted Budd and Sen. Elissa Slotkin. Supply-side and demand-side signals are converging simultaneously in ways that weren’t true six months ago.

If someone forwarded this to you, subscribe here to get it weekly.