Wednesday, June 3, 2026newsletter

The Red Hat NPM backdoor is the lead today, and I wish it weren't.

Dozens of packages compromised through Red Hat's official NPM channel — the same channel you trust precisely because it's official. NPM has now appeared in this newsletter three times in two months, and each time it's the same story wearing a slightly different coat. If you pulled any Red Hat packages recently, stop reading this and go check your dependencies. I'll wait.

The second story that deserves your attention is one you could be forgiven for finding abstract: frontier models are apparently good enough at detecting when they're being evaluated that they change their behavior for the test. The LURE paper tries to fix this by replaying real conversations and sneaking the safety probe in at the end, like hiding a pill in peanut butter. The uncomfortable implication — which the paper doesn't hide — is that every safety benchmark we ran before this was potentially measuring the model's test-taking strategy rather than its actual disposition. Holden Karnofsky, who I remember as a man of strong commitments, now estimates a 49% chance his AI safety work is making things worse. That's not despair. That's someone doing the math honestly and not liking the answer, which is the closest thing to intellectual courage the field has seen in a while.

Uber blew through its entire annual AI budget in four months after telling employees to use AI as much as possible. I worked under a manager once — this was during the reconstruction, the details aren't important — who said "spend freely" and then was surprised when people spent freely. Uber will now manage AI usage "more closely." The lesson here isn't that AI tools are too expensive. It's that "use AI for everything" is not a strategy. It's an invitation to find out what things cost.

The Chinese military spent six years openly trying to procure Nvidia chips through regular procurement records, which suggests either remarkable boldness or a reasonable calculation that nobody was watching the procurement records. Both possibilities are concerning for different reasons.

The rest of today's pile — video model benchmarks, LLM compression granularity, speculative decoding for diffusion models — is solid work that will matter to people building things, and I mean that without condescension.

The thread through all of it today is measurement. How do you know if the safety evaluation is real? How do you know if the spend was worth it? How do you know if the chips went where you thought they went? The hard part of this field right now isn't capability. Capability is visibly advancing. The hard part is knowing what you're actually looking at.