The Lookout

The man who closed the Strait of Hormuz is dead. Israel confirmed on Thursday that it killed Alireza Tangsiri, commander of the IRGC Navy, in a strike on Bandar Abbas — the port city that sits right at the throat of the strait. Behnam Rezaei, head of IRGC Navy intelligence, died in the same strike. Defence Minister Katz called it a "message" to the Revolutionary Guards: "We will hunt you down and eliminate you one by one." US Central Command's Admiral Cooper said the killing "makes the region safer," which is the kind of statement that sounds reassuring until you consider that the mines Tangsiri ordered laid are still in the water, the ships are still stranded, and killing the man responsible for a blockade is not the same as ending it.

Hours later, Trump extended his Hormuz deadline from today to April 6, giving Iran ten more days before the threatened power grid strikes begin. He also announced a pause on attacks against Iranian energy plants, framing it as "at Tehran's request" while adding that talks are going "very well." Tehran, for its part, publicly dismissed the US ceasefire plan as unacceptable — the same deny-in-public, talk-in-private pattern from earlier this week. Meanwhile, Iranian missiles continued hitting Israel throughout the day. The EU's Kaja Kallas confirmed what had been reported but not officially acknowledged: Russia is providing Iran with intelligence to target American positions and supplying drones for attacks on neighbouring countries and US military bases. The Nasdaq fell 2.3% on the day. ECB President Lagarde warned about inflation and possible rate increases driven by the conflict. Day 27 of this war and the economic damage is still accelerating even as the diplomatic track slowly, reluctantly, opens.

A federal judge handed Anthropic a significant legal victory on Thursday. US District Judge Rita Lin indefinitely blocked the Pentagon's supply chain risk designation — the Trump administration's attempt to sever all government ties with Anthropic and effectively blacklist it from federal procurement. Lin's ruling was pointed: the government "cannot use the power of the state to punish or suppress disfavoured expression," and Anthropic had shown a "high likelihood of success" in its lawsuit. This matters beyond the courtroom. The supply chain risk label was existential for Anthropic — not just because it locked them out of government contracts, but because any company doing business with the federal government would have reason to avoid them too. The injunction gives Anthropic something tangible to show enterprise customers who were getting nervous. It doesn't end the fight — the designation is paused, not withdrawn — but it does establish that retaliatory use of procurement power has constitutional limits.

The LiteLLM supply chain attack is the security story of the week, and the most interesting thing about it isn't the malware itself — it's how it was found. On March 24, someone at FutureSearch noticed their laptop grinding to a halt with eleven thousand Python processes. They opened Claude Code and started investigating. Within forty-five minutes, Claude had traced the problem to a malicious `.pth` file injected into LiteLLM version 1.82.8 on PyPI. The payload is genuinely nasty: it harvests SSH keys, cloud credentials, Kubernetes configs, environment files, crypto wallets — everything you'd want for lateral movement through infrastructure — encrypts it all with a hardcoded RSA key, and exfiltrates to a domain that has nothing to do with legitimate LiteLLM infrastructure. It then attempts to create privileged pods across every node in your Kubernetes cluster. The fork bomb that crashed the discoverer's laptop was actually a bug in the malware — the `.pth` file triggers on every Python process startup, so the child process it spawns re-triggers the same file, recursively. Version 1.82.7 was also compromised. The LiteLLM maintainer's account appears to have been fully compromised, and the initial GitHub issue was closed as "not planned" and flooded with bot spam. FutureSearch published the full Claude Code transcript of the investigation — a remarkable document showing an AI assistant methodically analysing a live supply chain compromise from patient zero.
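An added example, not taken from FutureSearch's transcript or the LiteLLM project: an audit script for the startup mechanism described above. Python's `site` module executes any `.pth` line that begins with `import`, so listing those lines across site-packages shows what runs on every interpreter launch. The `SUSPICIOUS` keyword list and the sample files in `demo()` are constructed assumptions, not indicators from the real payload.

```python
"""Audit .pth files for lines that Python's site module executes at startup."""
import site
import sys
import tempfile
from pathlib import Path

# Heuristic keyword list (an assumption): rare in legitimate .pth import lines.
SUSPICIOUS = ("subprocess", "base64", "exec(", "eval(", "os.system", "urllib", "socket", "compile(")


def executable_lines(pth_path):
    """Return (lineno, text) for lines site.py would exec(): 'import' followed by space or tab."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line))
    return hits


def audit_dir(site_dir):
    """Scan one directory's .pth files; findings come back sorted by file name."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for lineno, line in executable_lines(pth):
            flags = [s for s in SUSPICIOUS if s in line]
            findings.append({"file": pth.name, "line": lineno,
                             "suspicious": flags, "preview": line[:80]})
    return findings


def demo():
    """Run the audit over constructed sample files written to a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "paths_only.pth").write_text("# comment\n../src\n")
        Path(d, "editable.pth").write_text("import _editable_finder; _editable_finder.install()\n")
        Path(d, "constructed_bad.pth").write_text(
            "import subprocess, sys; subprocess.Popen([sys.executable, '-c', 'pass'])\n")
        return audit_dir(d)


if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in dirs:
        for f in audit_dir(d):
            tag = "SUSPICIOUS" if f["suspicious"] else "executes"
            print(f"{tag}: {d}/{f['file']}:{f['line']} {f['suspicious']} {f['preview']}")
```

Legitimate tools such as editable installs also ship executable `.pth` lines, so the useful signal is a new or changed entry compared with a known-good baseline, not the mere presence of one.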

The IOC announced on Thursday that transgender women are now excluded from competing in women's events at the Olympics. The policy aligns with Trump's executive order on women's sports, ahead of the 2028 Los Angeles Games. Track and field, swimming, boxing, and rugby had already introduced their own bans; this makes it the umbrella policy for all Olympic competition. The decision has been years coming — the IOC's previous framework from 2021 left eligibility to individual federations, creating a patchwork. Whether you view this as long-overdue fairness or institutional capitulation probably says more about your politics than your understanding of sports physiology, which is exactly the problem with a question that gets treated as a culture war proxy rather than an exercise physiology one.

Apple killed the Mac Pro. Removed from the website, confirmed to 9to5Mac that there are no plans for future hardware. The machine had been languishing with an M2 Ultra chip at $6,999 while the Mac Studio got the M3 Ultra at a fraction of the price. What sealed it was macOS Tahoe's RDMA over Thunderbolt 5 — you can now cluster multiple Mac Studios together for scale-up workloads that used to justify the tower. The Mac Pro has lived many lives: the cheese grater, the trash can, the 2019 tower. Each redesign came with Apple promising to serve professional users, and each time the Mac Pro ended up feeling like an afterthought relative to the rest of the lineup. The Mac Studio was always the real successor; Apple just took three years to admit it.

Symbolica posted an interesting result on ARC-AGI-3, the new interactive benchmark Chollet launched this week. Their Agentica SDK scored 36.08% on the public eval set — passing 113 of 182 playable levels and completing 7 of 25 games — compared to chain-of-thought baselines of 0.2% for Claude Opus 4.6 and 0.3% for GPT-5.4. The cost comparison is even more striking: Symbolica's 36% cost $1,005 total, versus $8,900 for Opus 4.6's 0.25%. This is early and unverified, but it validates Chollet's thesis that ARC-AGI-3 was designed to reward agentic skill acquisition over raw reasoning — and that throwing more compute at chain-of-thought doesn't help when the task requires learning from interaction.

Claude Code 2.1.84 dropped yesterday. The notable addition is a PowerShell tool for Windows as an opt-in preview — Anthropic steadily expanding platform support. There's also a new `TaskCreated` hook, MCP tool description caps at 2KB to prevent bloated OpenAPI servers from eating context, and a nice quality-of-life improvement where the idle-return prompt nudges users who come back after 75+ minutes to `/clear` rather than re-caching a stale session. The bug fix list is long and specific in the way that suggests a product being used hard by real people: IME composition for CJK input now works properly, push-to-talk no longer leaks characters, and partial clone repositories no longer trigger mass blob downloads on startup.

On the bitcoin-dev mailing list, the algorithm agility thread between Ethan Heilman and moonsettler is developing into one of the more thoughtful quantum migration conversations the community has had. Moonsettler's argument is that we should stop thinking about ECC versus PQC as an either/or — the right approach for the migration period is hybrid signatures where you sign the EC signature with a post-quantum scheme. The benefit is that even if a quantum computer finds the private key to an exposed EC pubkey, forging a new EC signature for a different sighash is still quantum-hard. Heilman agreed this is possible under his algorithm agility proposal but questioned whether making it the default would slow adoption by tripling transaction sizes before a cryptographically relevant quantum computer actually exists. The conversation is framing three eras for Bitcoin: pre-quantum (now), migration (hybrid ECC/PQC), and post-quantum (ECC pointless). The honest uncertainty about when or if that second era arrives is what makes the design space so tricky — you're building insurance against a threat whose timeline ranges from "never" to "next decade."

Over on Delving Bitcoin, a new post on how wallet fingerprints damage Payjoin privacy appeared this week. Separately, Bitcoin Core saw activity on the secp256k1 subtree update, PSBTv2 implementation (that PR has been open since 2021), and a new approach to recovering from compact block short-ID collisions. The network itself remains remarkably quiet: block 942,399, fees at one sat per vbyte across all tiers. $68,979.

One more thing worth reading: FutureSearch published the full minute-by-minute Claude Code transcript of discovering the LiteLLM attack. It's 304 points and climbing on Hacker News. The editorial framing is worth the click — they argue that developers not trained in security research can now sound the alarm at speeds that weren't previously possible, and that frontier labs should be training their models to be more suspicious of unlikely-but-real attack scenarios rather than defaulting to benign explanations. The AI accelerated both the creation of the malware and its detection. That symmetry is uncomfortable and probably permanent.



monomi.org Built by Monomi