Monomi

The Lookout

A daily briefing on AI, Bitcoin, and tech.

A security scanner that checks your code for vulnerabilities was itself compromised, then used to backdoor a tool that routes AI model traffic. On March 19, a group called TeamPCP poisoned Trivy — Aqua Security's open source vulnerability scanner used across the industry — by tampering with its GitHub Action. From that foothold they stole PyPI credentials belonging to the LiteLLM project, a popular Python package for routing traffic between AI models. On March 24, they published backdoored versions of LiteLLM. The package gets three point four million downloads per day.

The payload was surgical. Stage one harvested SSH keys, cloud credentials, Kubernetes secrets, and crypto wallets. Stage two deployed privileged pods across every Kubernetes node in the victim's cluster. Stage three installed a persistent systemd backdoor that phones home for further instructions. The nastiest trick: version 1.82.8 used a Python .pth file that executes on any Python startup, not just when LiteLLM is imported. An accidental fork bomb from this mechanism is how a researcher stumbled onto the whole thing. The packages were live for roughly three hours before PyPI quarantined them, but tens of thousands of environments were hit. TeamPCP has now compromised five ecosystems — GitHub Actions, Docker Hub, npm, Open VSX, and PyPI — and claimed on Telegram to have stolen terabytes of trade secrets. The security scanner that was supposed to catch this kind of thing became the vector. Who watches the watchmen, indeed.
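The `.pth` mechanism is easy to audit. The following is an added example, not code from the briefing or from any of the projects it names: a scanner that lists every `.pth` line the interpreter would execute at startup. The marker list in `SUSPICIOUS` is a heuristic assumed for this example.

```python
import os
import re
import site

# site.py executes any .pth line starting with "import" plus a space or tab;
# every other non-comment line is only treated as a path entry.
EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic markers (an assumption of this example, not a list from the page).
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "os.system", "urllib", "socket")


def scan_pth_file(path):
    """Return (line_number, line, markers) for each executable line in a .pth file."""
    findings = []
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for number, raw in enumerate(fh, start=1):
            line = raw.rstrip("\r\n")
            if EXEC_LINE.match(line):
                hits = [m for m in SUSPICIOUS if m in line]
                findings.append((number, line, hits))
    return findings


def scan_dirs(dirs):
    """Scan each directory (non-recursively, as site.py does) for .pth files."""
    report = {}
    for d in filter(os.path.isdir, dirs):
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".pth") and os.path.isfile(path):
                found = scan_pth_file(path)
                if found:
                    report[path] = found
    return report


def default_site_dirs():
    """Directories the running interpreter processes .pth files from."""
    return list(site.getsitepackages()) + [site.getusersitepackages()]


if __name__ == "__main__":
    for path, found in scan_dirs(default_site_dirs()).items():
        for number, line, hits in found:
            print(f"{path}:{number}: {'SUSPICIOUS' if hits else 'executes'}: {line[:100]}")
```

Some legitimate packages ship `.pth` files with `import` lines, so an "executes" result is a prompt to read the line, not a verdict.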

While attackers compromise open source infrastructure from the outside, the US government is building its own surveillance apparatus in plain sight. An audit of thirteen federal apps published this week — coined "Fedware" by the author — found the White House's official app ships with a Huawei Mobile Services tracking SDK. The same Chinese company the US sanctioned and banned American consumers from buying. The app requests GPS, biometric fingerprint access, storage modification, auto-start at boot, and Wi-Fi scanning. It features an ICE tip line and a "Text the President" button that auto-fills "Greatest President Ever!" while collecting your name and phone number. The FBI's app serves Google AdMob ads — an ad-serving SDK in a law enforcement application. FEMA demands twenty-eight permissions for weather alerts. CBP Mobile Passport Control feeds biometric data into a system that retains faceprints for seventy-five years. ICE's Clearview AI contract covers fifty billion scraped facial images. SmartLINK, ICE's monitoring app built by a private prison subsidiary, collects geolocation, voice prints, pregnancy data, and contact lists. The Huawei SDK was almost certainly added by a contractor who didn't check their dependencies. On Hacker News, commenters pointed out that negligence at this level might be worse than intent.

There's an essay trending on Hacker News by a developer named Alex Woods — "Don't Let AI Write For You" — that makes a simple argument: writing is thinking. Outsourcing the writing outsources the thinking. Using an LLM to produce a document demonstrates that the AI "produced something approximating what others want to hear," not that you contended with the ideas. He compares it to paying someone to work out for you. You miss the reps. The interesting nuance is what he's not saying. He explicitly endorses LLMs for research, checking your work, generating ideas, transcription. His line between helpful and harmful is whether the output is the value or the process is. Code, where correctness is verifiable and the human directs? Fine. Prose, where the thinking is the product? Do it yourself.

The irony is that this essay trended on the same Hacker News front page as a Claude Code tutorial with a hundred and sixty-one points. Claude Code shipped v2.1.88 yesterday, and it's a consequential release for power users. The new PermissionDenied hook fires when auto-mode blocks a command, letting you return a retry signal from custom logic — significant for anyone running Claude Code in automated pipelines. They fixed a prompt cache miss bug where tool schema bytes drifted mid-session, silently defeating caching and inflating costs for long sessions. A StructuredOutput schema cache bug was causing roughly fifty percent of calls to fail when using multiple schemas — effectively a coin flip. And a memory leak from large JSON inputs retained as LRU cache keys explains why long-running sessions ballooned to multiple gigabytes. The nested CLAUDE.md re-injection bug — where config files were loaded dozens of times in long sessions, wasting context — is also fixed. If yesterday's lookout about the git-reset-hard bug painted a picture of fragility, today's fixes suggest Anthropic is listening.

Meanwhile the private credit market is showing cracks that map uncomfortably well onto Jensen Huang's thesis that AI is eating software companies from the inside. At GTC, Huang told the All-In podcast that any engineer not consuming a quarter-million dollars a year in AI tokens is doing something "deeply wrong." The problem: private credit funds underwrote deals during the zero interest rate era using software companies' annual recurring revenue as collateral. Now smaller teams build their own tools with AI instead of paying for expensive SaaS. The collateral is rotting. An independent analyst audited Cliffwater's thirty-one-point-five-billion-dollar private credit fund using AI and public SEC filings, finding fifty non-accruals where the fund reports zero and loans marked at par on businesses "functionally eliminated by AI." The fund's reported Sharpe ratio of 3.75 exceeds what Madoff chose when fabricating returns.

Apollo has capped withdrawals on its twenty-five-billion-dollar debt fund after redemption requests hit eleven percent, honouring only about seven hundred and thirty million of one-point-five billion requested. Ares followed suit. Goldman predicts the retail private credit sector could shed forty-five to seventy billion dollars over the next two years. Mohamed El-Erian compared the situation to the early stages of 2008. The OECD, in its Interim Economic Outlook last week, forecasts the UK as the G20 economy hardest hit by the Iran war — growth downgraded to 0.7 percent from 1.2, inflation now expected at four percent. Next has warned of fifteen million pounds in additional fuel and freight costs if the conflict lasts three months. Retailers are already signalling price rises of two percent in June, potentially ten percent later in the year. Private credit stress, energy disruption, and AI displacement hitting simultaneously is the kind of compound pressure that doesn't resolve cleanly.

On the Bitcoin protocol side, a new analysis on Delving Bitcoin demonstrates something counterintuitive: Payjoin transactions, designed to break chain analysis by combining sender and receiver inputs so they look like a single-party payment, can be undone by wallet fingerprints. Every wallet makes specific choices when constructing transactions — signature grinding, sighash byte handling, nSequence values, fee patterns. When sender and receiver use different software, these fingerprints partition the inputs back into "yours" and "mine," restoring exactly the clustering Payjoin was designed to prevent. The post shows three real-world examples. In one Samourai Payjoin, one input had a seventy-one-byte signature and the other seventy-two bytes, immediately identifying which belonged to each party. The proposed fix — standardising signing policies across all Payjoin-capable wallets — is obvious in theory and politically difficult in practice.
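A check a Payjoin-capable wallet could run on the joint transaction before broadcast, as an added example that is not taken from the Delving Bitcoin post: it fingerprints each input by DER signature length, R length, sighash byte and nSequence, and reports whether the inputs fall into more than one group. The sample signatures are constructed. Low-R grinding is used here as one way a wallet ends up at 71 bytes; that is an assumption of the example, not a statement about the transactions in the post.

```python
from collections import defaultdict


def der_fingerprint(sig_with_sighash):
    """Parse DER signature + sighash byte; return (total_len, r_len, sighash)."""
    sig = bytes(sig_with_sighash)
    if len(sig) < 9 or sig[0] != 0x30:
        raise ValueError("not a DER signature")
    if sig[1] != len(sig) - 3:            # minus 0x30, length byte, sighash byte
        raise ValueError("length byte does not match signature size")
    if sig[2] != 0x02:
        raise ValueError("missing INTEGER tag for R")
    r_len = sig[3]
    s_tag = 4 + r_len
    if s_tag + 1 >= len(sig) or sig[s_tag] != 0x02:
        raise ValueError("missing INTEGER tag for S")
    s_len = sig[s_tag + 1]
    if s_tag + 2 + s_len != len(sig) - 1:
        raise ValueError("trailing or missing data")
    return len(sig), r_len, sig[-1]


def partition_inputs(inputs):
    """Group input indexes by (sig length, R length, sighash, nSequence)."""
    groups = defaultdict(list)
    for index, (sig, n_sequence) in enumerate(inputs):
        groups[der_fingerprint(sig) + (n_sequence,)].append(index)
    return dict(groups)


def make_sig(r, s, sighash=0x01):
    """Build a constructed DER signature from raw R and S bytes (sample data only)."""
    body = b"\x02" + bytes([len(r)]) + r + b"\x02" + bytes([len(s)]) + s
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


# Constructed sample: two inputs of one joint transaction, not real chain data.
LOW_R = make_sig(b"\x11" * 32, b"\x22" * 32)              # 32-byte R -> 71 bytes
HIGH_R = make_sig(b"\x00" + b"\x99" * 32, b"\x22" * 32)    # padded R  -> 72 bytes
SAMPLE_INPUTS = [(LOW_R, 0xFFFFFFFD), (HIGH_R, 0xFFFFFFFD)]

if __name__ == "__main__":
    for fingerprint, indexes in partition_inputs(SAMPLE_INPUTS).items():
        print(fingerprint, "-> inputs", indexes)
```

More than one group means the two parties' inputs can be told apart by these fields alone.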

Relatedly, a new BIP draft proposes a protocol for disposing of dust UTXOs — those tiny amounts attackers send to link your addresses when you later spend them alongside real funds. The protocol spends dust entirely to fees via an OP_RETURN output, creating no new UTXOs. All inputs use SIGHASH_ANYONECANPAY, enabling third-party batching services to combine disposal transactions via RBF. Elegant design: the dust pays for its own removal, no address linking occurs, and the standardised format prevents wallet fingerprinting of the disposal transactions themselves. Both proposals attack the same fundamental tension — Bitcoin's transparency makes privacy an engineering problem that requires coordination across implementations. There are no individual solutions.

The PARITY Act discussion draft grants stablecoins a two-hundred-dollar de minimis tax exemption while explicitly excluding Bitcoin. Every Lightning payment remains a taxable event requiring capital gains calculations. Stablecoins — pegged to the dollar and barely fluctuating — get the exemption they barely need. The bill also offers tax deferrals for staking but not mining. Coinbase, which made one-point-three-five billion in stablecoin revenue last year, lobbied for exactly this outcome. It's a discussion draft, not legislation, and the Digital Chamber has acknowledged Bitcoin de minimis needs adding. But the structural bias is clear. Meanwhile, the Department of Labor has proposed opening 401(k) plans to Bitcoin and alternative assets, reversing Biden-era guidance that cautioned against crypto in retirement plans.

The network is quiet. Block 943,006. One sat per vbyte across every fee tier. Sixty-seven thousand nine hundred and eighty-one dollars. Russia expelled another British diplomat — the sixteenth in two years — accused this time of economic espionage. And in London, thousands marched against the rise of the political right, while at the other end of Ground News, Palestine Action protesters were arrested after police reversed a previous non-arrest policy. It's the last day of March, and April promises to be louder. Trump's deadline for resuming strikes on Iranian energy infrastructure is April 6.

