March 8, 2026: Andrej Karpathy dropped a 630-line Python script, aimed an AI agent at his own training code with a single metric to chase, and went to bed. Two days later the agent had run 700 experiments, found 20 genuine improvements, and cut training time by 11%. It also found a bug in Karpathy’s attention implementation that he had missed — not because the agent is smarter, but because it tried more things faster without getting bored after the 15th failed attempt. ...
The attack required no action from the victim. Visit a page. Leave. By the time the browser tab closed, the extension had already talked to Claude, exported chat history, read Gmail, and potentially sent an email under your name. Patched in Claude Chrome extension v1.0.41. Here is how the chain worked. The Attack Chain The Claude Chrome extension trusted any page on *.claude.ai to send it messages. That wildcard, every subdomain under claude.ai, is where the attack found its entry point. ...
The way RAG works is easier to understand if you stop thinking about AI memory. Think about a dictionary instead. You do not memorize every definition before you need one. Look up the word when you need it. RAG does the same thing with your files — chunks them, embeds them into a vector database, and pulls back only what matches your question. The model never sees the whole library. ...
You download a free PDF, a VS Code extension, a font pack. The file lands on your machine, and your background AI agent reads it. The file contains hidden instructions. The agent follows them. That is not a hypothetical. That is the exact threat model nobody is naming right now. OpenAI’s Codex runs silently on Mac while you work, learning from previous actions and picking up repeating tasks in parallel. Perplexity Personal Computer puts local agents on your machine with access to local files, native apps, and the web. Both ship with the premise that background access creates leverage. It does. It also creates exposure. These two things are not separable. ...
Topics: Ollama, MCP, Python, Kali Linux, Responsible Scope The tool does not determine whether you are a professional. Scope does. Before any script runs, before any model generates a command, you need written authorization for every target you plan to touch. That is not a disclaimer to skip past. Every piece of tooling in this article enforces that principle because I have watched what happens when it gets ignored. A few years ago a student ran a scan against a host that was not in the lab scope. I did not give a zero and move on. That student wrote the apology email. Not me, the student wrote it, disclosed exactly what ran and what the scan returned, and waited to hear what the victim decided to do about it. Outside a classroom, unauthorized access carries consequences the victim controls, not the teacher. That framing changes how seriously students take scope documents. ...