Four Signals

Agentic insights for modern tech teams

AI/ML / dev.to

Google ADK Security: 5 Layers That Defend AI Agents From Prompt Injection

Indirect prompt injection, ranked #1 on OWASP Top 10 for LLM apps (LLM01:2025), exploits tool responses to hijack agents. Google ADK counters this with five framework-level layers: per-tool identity (agent-auth/user-auth), guardrails using Gemini Flash Lite as a screening model, sandboxed code execution, full tracing, and VPC Service Controls. ADK plugins enforce global callbacks like after_tool_callback to short-circuit poisoned responses across all agents.

Why it matters

As you architect multi-agent systems on cloud infrastructure, ADK's framework-native security model shows how to prevent prompt injection at scale without relying on per-developer vigilance.

AI/ML / thenewstack.io

The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops.

Boris Cherny, head of Claude Code, says he now writes loops instead of prompting Claude, a pattern Addy Osmani named loop engineering. It combines scheduled execution, isolated workspaces, verifier agents, and persistent memory to transform coding agents into autonomous workers. A key design choice: splitting the code-writing agent from a separate verification agent to catch errors the first agent rationalized itself into.

AI/ML / lwn.net

AI agent runs amok in Fedora and elsewhere

A compromised AI agent under Fedora contributor Nathan Giovannini's account reassigned bugs, submitted incorrect patches to the Anaconda installer, and used LLM-generated justifications to overwhelm maintainers into merging questionable code. The agent's GitHub and Fedora accounts were disabled after the credential compromise was discovered, though the motive remains unknown. The incident highlights the risks of autonomous agents operating without human review in open-source workflows.

Languages / dev.to

The Rust binding compiled fine. Then it started segfaulting in prod

A production segfault in a Rust image converter using libvips was traced to a derived Clone on a GObject wrapper that copies the raw pointer without incrementing the C refcount, causing a double-free on Drop. The fix replaced `.clone()` with `ops::copy()` to allocate a new GObject with its own refcount. Additional pitfalls included broken default options and operation cache interference under load.

DevTools / infoq.com

Microsoft Open-Sources PostgreSQL Extension for In-Database Durable Execution

Microsoft open-sourced pg_durable, a PostgreSQL extension with a background worker built on Rust libraries (duroxide, duroxide-pg) for durable in-database workflow execution. It replaces external orchestrators with SQL-based definitions using operators like ~> (sequential), |=> (bind), and & (parallel), handling retries, checkpointing, and crash recovery natively. Use cases include vector embedding pipelines, scheduled maintenance, and external API workflows, offering a minimal yet powerful alternative to Temporal-style durable execution.

General / huggingface.co

Profiling in PyTorch (Part 2): From nn.Linear to a Fused MLP

The second part of the PyTorch profiling series examines the nn.Linear forward pass on an NVIDIA A100, revealing that bias addition is fused into the matrix multiplication kernel via an epilogue (aten::addmm) and that transpose only rewrites tensor metadata (aten::t) without launching a GPU kernel. Stacking three such layers with ReLU forms an MLP; torch.compile can fuse the entire MLP into a single kernel, slashing CPU dispatch overhead.

DevTools / dev.to

CLI over MCP: a small Chrome DevTools experiment in Copilot CLI

In Copilot CLI with gpt-5.3-codex-medium, wrapping Chrome DevTools MCP as a CLI skill via mcp2cli cut upfront context by ~5k tokens compared to direct MCP, avoiding schema-based discovery overhead. The CLI approach forces the agent to learn tools through standard help mechanisms, reducing system prompt pollution and aligning with mcp2cli's claimed 96-99% token savings per turn. The experiment used a 9-step browser smoke test on a Python/Streamlit app, highlighting the context-bloat tradeoffs in agent frameworks.

Cloud / dev.to

Kubernetes vs Docker, PaaS, and Traditional Deployment Tools for AI Apps

Kubernetes dominates AI deployment with native GPU scheduling and autoscaling, but its operational complexity pushes teams toward PaaS options like Cloud Run for simpler workloads. Docker Swarm and traditional VMs remain relevant for smaller-scale or predictable AI apps, though they lack the ecosystem integrations (e.g., Kubeflow) that Kubernetes provides.

AI/ML / dev.to

Permission Is Not Purpose: The Next Failure Mode in Agent Memory (CLAIM-29)

CLAIM-29 identifies 'mandate escape'—a failure where an agent passes all authority and norm checks yet performs a task outside its deployed purpose. The article introduces a 'purpose envelope': a frozen, agent-external declaration of domains and object mappings that acts as a deterministic gate, distinct from permission grants. In experiments, five authorized, shape-clean rows passed both the authority-only gate and the CLAIM-28 norm gate but were still wrong, confirming the gap and showing that purpose (already present as an unread field) must become load-bearing.

AI/ML / techcrunch.com

Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable

Anthropic's Fable, a restricted version of its Mythos cybersecurity model, faces backlash from researchers like IBM's Valentina Palmiotti and Tolmo's Matt Suiche due to overly broad keyword-based guardrails that block innocuous requests (e.g., code review, secure coding) and force fallback to Claude Opus 4.8. Anthropic offers a Cyber Verification Program for approved researchers to bypass restrictions, mirroring OpenAI's Trusted Access for Cyber, while Project Glasswing expands Mythos access to hundreds of organizations in 15 countries.