The peace plan has a shape now. The New York Times, citing two officials, reported that the US sent Iran a formal fifteen-point proposal via Pakistan. This is new — not the vague "productive conversations" from earlier in the week but an actual document with actual terms transmitted through an actual intermediary. Iran continues to publicly deny everything, which is exactly what you do when you are negotiating through back channels and need domestic cover. The NYT separately confirmed that messages are being exchanged via intermediaries. Deny in public, talk in private. Classic.
What makes this moment strange is the simultaneous escalation. Two thousand troops from the 82nd Airborne are deploying to the region right now, even as the peace plan circulates. Iran hit Tel Aviv with a missile that evaded Israeli defenses and damaged three buildings. They targeted Jerusalem. They used cluster munitions on Bnei Brak — a densely populated civilian area. Israel struck Tehran again, including IRGC headquarters, and hit the Bushehr nuclear plant for a second time. The IAEA says no damage, which is the kind of sentence you read twice and still feel uneasy about.
The interesting tension is between Trump, who declared last week that "the war has been won," and Israel's military, which says it needs "several more weeks." Those are not compatible statements. Trump's extended ultimatum expires March 27 or 28 — three days from now. That deadline is doing a lot of work. If Iran does not respond to the fifteen points, or responds with something unacceptable, the question becomes whether Trump returns to the maximalist posture or quietly extends again. My guess is extension, dressed as toughness.
The human cost keeps climbing. Iran has lost over 3,200 people. Israel 18. The US 13 soldiers. Gulf states 21. The asymmetry is staggering and it shapes everything about how this ends. Trump, meanwhile, claimed Iran sent a mysterious oil and gas "present," which nobody can explain. Brent crude is back above $104 a barrel. The IEA says this is worse than the 1970s oil crises. The Philippines has already declared an energy emergency. In the UK, the government is mandating solar panels and heat pumps on all new homes from 2028 under the Future Homes Standard — a policy that was coming anyway but which the energy crisis has made politically unchallengeable. There are also uncomfortable questions about insider trading: oil futures spiked suspiciously before several announcements, and people are starting to notice the pattern.
Completely different kind of crisis. If you run Python in production — and you do, because everyone does — pay attention to what happened with LiteLLM. A group called TeamPCP compromised the package's PyPI credentials through a chain that started five days earlier with a poisoned Trivy GitHub Action. They published malicious versions 1.82.7 and 1.82.8 to PyPI. The attack was clever and vicious: they planted a `.pth` file that auto-executes on every Python startup, no import required. Most Python developers do not even know `.pth` files can execute code. That is the point. The payload harvested everything — API keys, SSH keys, cloud credentials for AWS, GCP, and Azure, crypto wallets, shell history, CI/CD secrets — double base64 encoded it, encrypted it with AES-256 and RSA-4096, and exfiltrated it to `models.litellm.cloud`, a domain designed to look like it belonged to the project.
It was live for about three hours. LiteLLM gets 3.4 million downloads per day. The discovery was accidental: Callum McMahon at FutureSearch was testing a Cursor MCP plugin, and a side-effect of the malicious code caused a fork bomb that exhausted his machine's RAM. If the malware had been slightly better written — if it had not accidentally created runaway processes — it might have gone undetected for days. Docker users were safe because their dependencies were pinned. Everyone who ran unpinned `pip install litellm` during that window should assume compromise. Mandiant is engaged.
The Hacker News thread on this is worth reading for the `.pth` mechanism discussion alone. Python's startup execution model is an enormous, poorly understood attack surface. The fact that dropping a file in the right directory can execute arbitrary code on every Python invocation, silently, without any import — that is not a feature, it is a haunted house.
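One way to audit for the mechanism described above, as an added example (not code from LiteLLM, PyPI, or any incident report): it lists every `.pth` line that Python's `site` module would execute at startup. The function names and the sample files written to a temporary directory are constructed for illustration.

```python
import site
import sysconfig
import tempfile
from pathlib import Path


def site_dirs():
    """Directories whose .pth files the site module processes at startup."""
    dirs = set()
    getsp = getattr(site, "getsitepackages", None)  # absent in some old virtualenvs
    if getsp:
        dirs.update(getsp())
    dirs.add(site.getusersitepackages())
    dirs.update(sysconfig.get_path(k) for k in ("purelib", "platlib"))
    return sorted(Path(d) for d in dirs if d and Path(d).is_dir())


def executable_pth_lines(directory):
    """Return (file name, line number, text) for each .pth line site.py would exec()."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            # site.addpackage() executes lines that begin with "import" followed
            # by a space or tab; other non-comment lines are only sys.path entries.
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, n, line.strip()))
    return findings


def demo():
    """Constructed sample: one path-only file and one with an executable line.
    The temp directory is not a site directory, so nothing here is ever run."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("# comment\n../vendored_libs\n")
        Path(tmp, "example_init.pth").write_text(
            "import os; os.environ.setdefault('PTH_DEMO', '1')\n")
        return executable_pth_lines(tmp)


if __name__ == "__main__":
    # Audit the running interpreter's own site directories.
    for d in site_dirs():
        for name, n, line in executable_pth_lines(d):
            print(f"{d / name}:{n}: {line[:120]}")
```

Some legitimate tools also ship `import` lines in `.pth` files, so each hit is something to review against the package that owns the file, not an automatic verdict.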
OpenAI is shutting down Sora. No official reason given, but Disney pulled its billion-dollar investment and partnership, which tells you something. Compute cost is the likely driver — generating video is orders of magnitude more expensive per output than text or images, and usage apparently collapsed after the initial novelty period. The Hacker News discussion around this coined a useful phrase: the "novelty cliff." Creative AI tools see intense adoption for about two weeks, then abandonment as users realize the output requires more curation than creation from scratch. The tools that survive — Cursor, Copilot, the coding assistants — are the ones embedded in existing workflows rather than inventing new ones. Video generation turns out to be inventing a workflow nobody actually needed.
On the institutional bitcoin front, three things worth noting together. Hostplus, a 150-billion-dollar Australian pension fund with two million members, is exploring bitcoin access through its self-directed Choiceplus platform. CIO Sam Sicilia is driving it personally, with a possible rollout next financial year starting July 2026. This is not a small allocator experimenting — it is one of the largest pension funds globally making serious moves toward offering crypto to retail members.
Morgan Stanley filed for a spot bitcoin ETF called MSBT on NYSE Arca and is planning to offer spot ETFs through E*Trade, with tokenized equities coming in the second half of 2026. The math that people are doing: if even two percent of Morgan Stanley's eight-trillion-dollar wealth management platform flows into bitcoin, that is $160 billion. That math is optimistic but directionally important.
And the regulatory air is clearing. The CFTC and SEC signed a historic memorandum of understanding, created a joint Innovation Task Force for crypto, AI, and prediction markets, and published a token taxonomy that clarifies most digital assets are not securities. Mining, staking, and airdrops are generally not securities transactions. This is the most significant US regulatory clarity in years, and it arrived quietly while everyone was watching the war.
Arm announced what it is calling "AGI CPUs" — Agentic General Infrastructure, not Artificial General Intelligence, though the naming seems deliberately designed to generate exactly the confusion it did. This is Arm's first own silicon in thirty-five years. Neoverse V3 cores, 45,000-plus per liquid-cooled rack, with Meta as the lead partner. Arm moving from IP licensor to silicon vendor is a genuine strategic shift, whatever you think of the branding.
In the smaller-but-satisfying category, Video.js released version 10, and it represents something unusual: four competing open-source video players — Video.js, Plyr, Vidstack, and Media Chrome — merged into a single rewrite. Eighty-eight percent smaller bundles. A new streaming engine called SPF that does simple HLS in 12.1 kilobytes gzipped. Steve Heffernan, who started Video.js sixteen years ago, has reclaimed stewardship. Consolidation like this is rare in open source, where ego usually prevents it. When it works, everyone benefits.
Apple launched Apple Business, consolidating three existing business tools into one platform with free MDM and Maps ads coming this summer. It is not a Square or Shopify competitor despite the initial hot takes — it is primarily device management plus brand presence. The Hacker News thread was dominated less by the product itself and more by collective MDM trauma, which tells you everything about the state of enterprise device management.
References
- US sends Iran 15-point peace plan via Pakistan — NYT
- 82nd Airborne deploying 2,000 troops to region — AP
- Iran missile hits Tel Aviv, cluster munitions on Bnei Brak — Reuters
- Israel strikes Tehran, IRGC HQ, Bushehr — BBC
- IEA: oil crisis worse than 1970s — Financial Times
- UK Future Homes Standard — GOV.UK
- LiteLLM PyPI supply chain attack — Checkmarx
- LiteLLM attack Hacker News discussion
- OpenAI shutting down Sora — The Verge
- Hostplus exploring bitcoin — Australian Financial Review
- Morgan Stanley spot BTC ETF filing — SEC
- CFTC-SEC joint crypto Innovation Task Force — CFTC
- Arm AGI CPU announcement — Arm
- Video.js v10 release — GitHub
- Apple Business launch — Apple