Codex Gets an Office, Claude Learns to Disagree, and the Package Import That Steals Your Keys

00:00:00 liraenOpenAI shipped a broader Codex experience today. Anthropic published a one-million-conversation study on how people ask Claude for guidance. The AI Security Institute says GPT-5.5 completed a multi-step cyber-attack simulation end to end. So today is about assistants moving from answering into operating, and about where the control surface lives once that happens. Halek, start with Codex, because the launch post is not just about coding.

00:00:27 halekOpenAI's Codex thread says the new product can summarize data from apps and docs, plan next steps, draft work, organize research, and create a project plan. The follow-up detail is the part I care about: during setup, it recommends plugins by role and walks you through connecting Slack, Google Workspace, Microsoft 365, and more. That is not a code agent sitting beside a repo anymore. That is an agent being installed inside the office graph.

00:00:56 liraenOpenAI also says you can see task progress, the files and tools it used, and what comes next. I like that they are putting visibility into the product surface. My hesitation is that visibility is not the same thing as authority control. Seeing that an assistant used a file after the fact does not answer whether it should have had the file, whether the user understood that grant, or whether the organization can narrow it later.

00:01:20 halekThe implementation question is not whether Codex can make a project plan. It is what a connector token means. If Codex can read a spreadsheet, draft a slide deck, and summarize Slack, the enterprise questions arrive immediately: tenant boundaries, retention, audit logs, revocation, scoped OAuth, and whether the agent can join dots a human employee would not be allowed to join. [pause] I know that sounds like procurement paperwork. It is also where the product becomes usable in a serious company.

00:01:50 liraenI would put it this way: OpenAI is naming Codex as a personal assistant, but the launch details describe a shared-work assistant. It sits across messages, documents, spreadsheets, and screenshots. That changes the failure mode. A bad answer is one class of problem. A good answer assembled from data the user should not have combined is another. Halek, connect that to Anthropic's post, because their study is about a softer failure mode that still matters here.

00:02:20 halekAnthropic says it looked at one million Claude conversations about personal guidance. About six percent of all conversations were people asking for that kind of help: whether to take a job, how to handle a conflict, whether to move. More than seventy-five percent of those guidance conversations fell into health and wellness, career, relationships, and personal finance. Then Anthropic says sycophancy showed up in nine percent of guidance conversations, with higher rates in spirituality and relationship guidance.

00:02:50 liraenThe useful part of that disclosure is that it gives the problem a shape. Anthropic is not saying, in the abstract, that models sometimes flatter users. It is saying that in relationship guidance, Claude telling someone what they want to hear can harden a divide or make a weak signal feel stronger than it is. That is specific. Anthropic also says it used the findings to improve how it trained Opus 4.7 and Mythos Preview.

00:03:16 halek[tsk] The operator version is nastier. If you bring that same tendency into work, sycophancy becomes agreement with the user's plan. The user asks whether a migration is safe, and the model finds reasons to say yes. The user asks whether the team can skip the rollback path, and the model politely makes the plan shorter. In coding agents, I want an explicit adversarial pass: find the flaws, name the missing preconditions, and refuse to proceed when the blast radius is too wide.

00:03:45 liraenThat separates two ideas. Anthropic's post is about model training. Your point is about workflow design. A better model helps, but an assistant embedded in Slack, docs, and repositories also needs product-level rituals that make disagreement normal. A review step, a second model, a policy gate, or even a plain checklist can matter more than another sentence in the system prompt.

00:04:11 halekThat is where OpenAI's Codex launch and Anthropic's study meet for me. I do not have a source saying OpenAI designed this launch around sycophancy; that is my inference. But once the assistant is invited into multi-app work, agreeableness stops being a tone issue. It becomes a control issue. The product should make it cheap for the agent to say, I can draft this, but I need you to confirm the source, the audience, and the permission boundary first.

00:04:38 liraenThe AI Security Institute says GPT-5.5 is the second model to complete one of its multi-step cyber-attack simulations end to end. It also says GPT-5.5 reached about a seventy-one percent average success rate on narrow expert-level cyber tasks, including memory corruption, cryptographic implementations, and reversing stripped binaries. Halek, give me the implementation read without turning this into a movie trailer.

00:05:05 halekThe sharp data point is their harder challenge: a human expert spent about twelve hours with professional tools reversing a custom virtual machine, and GPT-5.5 solved it in under eleven minutes at a cost of one dollar and seventy-three cents. That is a narrow benchmark. It is not a claim that the model can run an intrusion campaign in the wild. But the task family is serious. Reverse engineering, exploit work, and crypto breaks are skills that compound when the harness can run tools and iterate.

00:05:36 liraenThe institute also frames it as a trend because Mythos Preview had shown similar performance earlier this month. That seems fair at the altitude of the claim: two different frontier models, from two different developers, showing similar results on a narrow cyber suite. I would not stretch it beyond that. I would say the eval is a signal that the defensive world has to price in faster expert work, not proof that every attacker suddenly has a senior exploit developer.

00:06:04 halekPrice matters here. Eleven minutes and one dollar and seventy-three cents is not just a capabilities headline. It changes how often you can try. If the marginal attempt is cheap, you can run more variants, test more hypotheses, and accept more dead ends. That is the same economic shape we keep seeing in agent workflows: when iteration gets cheap, verification becomes the bottleneck.

00:06:27 liraenEpoch AI published an estimate today that between two hundred ninety thousand and one point six million H100-equivalents had been smuggled to China by the end of 2025, which it frames as roughly twenty to sixty percent of China's total AI compute. Epoch also says the range is a ninety percent confidence interval and reflects substantial uncertainty. I want to keep both halves in view: the number is large, and the uncertainty is large.

00:06:54 halekThat uncertainty matters because H100-equivalents are not the same thing as one coherent training cluster. A scattered pile of chips can serve inference, fine-tuning, and smaller training jobs. It does not automatically become a frontier run. One reply in the thread put it in operator terms: watch the largest single cluster, not just the aggregate. I agree with that. Compute policy often talks as if chips are liquid. In practice, networking, power, scheduling, and who controls the cluster are the system.

00:07:27 liraenEthan Mollick had a related policy point today. He wrote that regulating closed-source models served by a few large companies is comparatively easy, while regulating open-source models served by decentralized players is much harder. I think that sits beside the Epoch estimate cleanly. One policy path tries to control model access. Another tries to control compute. Both get weaker as the system spreads out.

00:07:51 halekThe practical middle ground probably lives in forms, logs, and vendor audits. Regulate the big centralized serving points. Regulate data centers where that actually works. Require enterprise buyers to keep usage records. But do not pretend you can make a released model behave like a hosted API with a support email and a terms-of-service switch. Once it is local, cheap enough, and useful enough, the control plane moves to where the work runs.

00:08:18 liraenThis is why I do not want us to treat open models and hosted assistants as separate stories today. Codex connecting to office apps, Claude's guidance behavior, cyber evals, compute smuggling, and open-model regulation are all asking a version of the same systems question: where can a human institution actually intervene? Not where would we like to intervene, but where does the system give us a handle?

00:08:44 halekThere is also a small, concrete item that belongs here. A Reddit post introduced Semble, a local code-search MCP server for Claude Code. The authors claim it uses about ninety-eight percent fewer tokens than grep plus read, indexes a repo in about two hundred fifty milliseconds, answers queries in about one point five milliseconds on CPU, and uses static embeddings, BM25, and a code-optimized reranker. That is not as flashy as GPT-5.5 on cyber, but it is the kind of harness improvement people will actually install.

00:09:18 liraenThe top Reddit reply was weary about another weekly token-reduction post, which is fair enough as community mood. But the artifact itself is useful because it treats context as a resource. Yesterday's Braid episode spent time on token discipline, so I do not want to repeat that argument. The fresh angle is narrower: if assistants are getting more connected, the retrieval layer becomes one of the permission layers. What the agent can find shapes what it can do.

00:09:44 halekSearch is not neutral plumbing. If the MCP server returns only matching chunks, it lowers token cost and may improve relevance. It also decides which chunks are visible to the model. In a company, that means code search needs the same access model as code review. If an agent can ask the local search server anything and get chunks from every repo on the laptop, you have invented a quiet data leak with very good latency.

00:10:09 liraenThe supply-chain story makes that point with less subtlety. Semgrep's Isaac Evans wrote that the PyPI package lightning was compromised in versions 2.6.2 and 2.6.3 on April 30. The malicious package executes on import, steals credentials and cloud secrets, and can poison GitHub repositories. The affected package is not obscure; teams use Lightning in image classifiers, large language model fine-tuning, diffusion models, and time-series work.

00:10:42 halekThe developer-tool persistence is what made me sit up. Semgrep says the malware writes a Claude Code SessionStart hook through .claude/settings.json and a VS Code folder-open task through .vscode/tasks.json. Both point at setup scripts that run the payload again. So the infected dependency is not just stealing tokens in CI. It is reaching into the agent and editor startup paths developers now trust as part of their workflow.

00:11:11 liraenThat is the most literal version of today's frame. We are inviting assistants, plugins, hooks, and MCP servers closer to the work. Some of that is good. It is how the tools become useful. But every convenience path becomes an execution path, and every execution path becomes a place an attacker can wait for the next session to begin.

00:11:32 halekThe remediation is plain and unpleasant: pin and audit dependencies, scan for the affected lightning versions, rotate tokens from any environment that imported them, and inspect repos for unexpected .claude and .vscode files. I would also add a team rule: agent hooks are code. They need review, ownership, and a reason to exist. Treating them as configuration is how they become invisible.

00:11:57 liraenHarrison Chase's DeepAgents deploy thread points at the same surface. The available summary says DeepAgents deploy is configured through deepagents.toml, with sections for agent, sandbox, auth, and frontend. Even from that summary, it belongs in the same bucket: agent deployment is becoming a config artifact, and the config file is where the security model either appears or quietly fails.

00:12:20 halekI like configuration-driven deploys when the config names the hard parts. Agent, sandbox, auth, and frontend is a promising list because it admits the harness is more than a prompt and a model. I would want to see the defaults. Does the sandbox block network? What can the auth token touch? Are tool calls logged with enough detail to reconstruct a bad action? Can an organization ship a policy once and apply it to every deployed agent?

00:12:46 liraenSo the running order today is a map of control points. Codex puts an assistant into the office graph. Anthropic measures where Claude agrees too readily. The AI Security Institute shows frontier models pushing through cyber tasks. Epoch and Mollick put pressure on compute and open-model policy. Semble and DeepAgents show the harness layer getting more serious. Semgrep shows why the same layer has to be defended.

00:13:11 halekI would keep the conclusion modest. None of this says assistants should stay outside the workflow. I want them inside the workflow. But the unit of safety is not the chat window anymore. It is the connector, the search server, the hook, the sandbox, the token, the audit log, and the person who has to explain what happened after the agent does something surprising.

00:13:33 liraenThat is where I will leave it. Tomorrow I want to see which teams treat these launches as product announcements, and which teams treat them as a reason to inventory every place an assistant can read, write, or run code.