Our president here at TBPN, Dylan Abruscato, headed to the TBPN newsletter, which you can sign up for at tbpn.com, and wrote a fantastic essay summarizing a trend that we've been discussing with him around how AI is changing meme making. And I found it very interesting. I'm glad that he wrote this piece. And so we'll read through this and then discuss it, debate it and see where we can take it further. And then, obviously, Dylan's from Long Island, New York. So John is going to be... I'm going to do it in a Dylan Abruscato impression of this. Memes are changing. That became abundantly clear during the Oscars a few weeks ago when Conan tried to create a new Leonardo Cart... Leonardo DiCaprio meme (Accent. That's just like UFC announcer.) to go alongside the classic Leo memes. In doing so, especially by using TFW ("that feeling when") and the blocky white font that defined early internet memes, he inadvertently demonstrated that the meme templates millennials grew up with have become increasingly stale, even cringe. It's a good point. Instead, AI-generated videos are the new meme template that every network and studio should be focusing their launches on. Look what's happening with the Harry Potter reboot. When the trailer first dropped, the reaction to the new Snape, played by Ghanaian... sorry, he's from Ghana... English actor Paapa Essiedu, was predictably and unfortunately negative. According to the LA Times, he received death threats since being cast in the new role. But after a few incredibly viral and well-produced videos (one, an "original Snape versus Black Snape" MMA match, and another, an AI-generated rap video, and another, "Dripwarts, the School of Drip"), the narrative has started to shift. Have you seen any of these? The quote-unquote "original Snape versus Black Snape" MMA match, because I have not seen this one. And I think it is illustrative of what Dylan is talking about here. Snape v. Snape in the UFC ring. We go really photorealistic.
Is this... does this... are there any red flags here as a UFC enjoyer? Does this feel like a proper UFC video quality? So bulky. The video quality is insane. Wait, but old Snape won in the fight. Yeah. Okay. But I think it just... I... Okay. Wait, how, how do you know that? It just sort of, like, makes the characters more entertaining, more fun, shows you that this is just creativity at the end of the day. This is just... you should not be so up in arms about something that's a movie. Like, it's entertainment, and here's some more entertainment. And so you're adding entertainment to the discussion and people are enjoying that. There's another AI-generated rap video about the new Snape, which we can pull up a little bit of here. I mean videos are inherently viral and driving real awareness in a way traditional memes no longer can, not just because they're novel and more entertaining, but because a single clip can travel further and compound harder than traditional meme formats in social feeds that now heavily favor video. This suggests... Yeah, it's interesting. On X, it's still very easy for an image to go viral. But if you think about, you know, Instagram, YouTube, a standalone image just can no longer actually get that escape velocity. I mean, what about dripped-out Pope? Remember that? Yeah, a little bit. But people are just spending so much time in the short-form feeds and can go in there. But there certainly... this suggests a new playbook for marketers, especially in entertainment. If you're about to drop a trailer for a new movie or show, you need to be thinking about your rage bait character, the one people will latch onto, remix with AI and build around. Conan tried to force a Leo meme down our throat at the Oscars. Didn't see that because I was sleeping. But this might have worked 12 years ago. That playbook is over. Today, rage fans and communities will, if you're successful, take your characters or moments and turn them into something much bigger.
Entire cinematic universes. I'm just very impressed by the overall quality of those outputs. The Oscar selfie. I remember this. This, I think, became the most liked image on Twitter at the time in 2014. Briefly, this is the canonical clout bomb. If you're a fan of Bradley Cooper, you like it. If you're a fan of Meryl Streep, you like it. You're a fan of Brad Pitt, you like it. And so you're amplifying all of the... the ultimate collab post. And this has become a format that's been used time and time again. But now the future is AI. Let's pull up the Dripwarts School of Drip video. I want to watch this one. Let's see if we can play this. That's Harry Potter. Are you really Harry Potter, my G? Type shit, type shit, type shit, type shit. None of that, none of that, broski. We're all here on the Maybach Express for one reason and one reason only. And that's to go to Dripwarts, the School of Drip. The Maybach, calling the train that, is pretty good. So, yes, very effective. I was reflecting on this and thinking about how it's not just AI videos that are unlocked as the new meme format. Like, 20 years ago, video editing was extremely difficult. Like, you had to do it on a desktop. You had to have a piece of software that probably cost a lot of money. It was not widely accessible. And so these image makers, image memes... I was talking to Brandon about this, like Good Guy Greg was one of these, or like the Insanity Wolf. And it would just be like one image of a duck and the duck would be on sort of like a solid colored background. And that would be the template. And then somebody would put white text with black, like, block text, Impact font, on the top and the bottom. And that was like the image meme. And that was accessible in the sense that it could be, like, generated on MS Paint. It was free to generate it. Yeah.
Then we got video editing, you know, CapCut, Instagram Reels has an editor called Edits, and all of a sudden it became easy for someone to take a vibe reel and put different text over it. I send you a bunch of these where I'll find some crazy vibe reel and I'll just recontextualize it with a new, yeah, you know, laughing, new caption, basically. And so the classic one is like those four jets in the new Top Gun. And it's like "when you and the boys all drive somewhere in separate cars" or something like that, you know, is an example. But now you can generate, you know, full AI videos that can express the joke of the meme. And I think the next version of this is like software as a meme, S-A-A-M, something like that. And we've been experimenting with this, with the simulators. There's TBPN simulator, Jeremy Gaffan simulator. There are more simulators coming. And all of a sudden we, you know, the idea of building a video game, becoming a video game studio, was like an impossible challenge. It would be months and months of time, maybe millions of dollars to get anything reasonable. So you had to be commercial about it. You could not do it as a comedy bit, but now you can. But increasingly it's going to be more and more just like a few prompts on your phone to get the piece of software that is that meme. And you can think about the Jmail suite from Riley Walz as another software-as-a-meme moment, where he's making a commentary on the Jeffrey Epstein saga and all of that. But he's instantiating the humor, the commentary, in a piece of software that actually works.
So there is a whole bunch of hack news going on. We're in a very weird week in terms of the news cycle because it's spring break. And so a lot of executives at big tech companies are like, don't launch while my kids are out of school and we're going on vacation. I actually think this is my real theory.
So we're in a little bit of a slow news week and you can see that, like, the Journal is covering announcements that happened last week. They're talking about Sora. They're talking about the Disney. They're talking about, you know, things that are more, like, reflective. In Stratechery, Ben Thompson has sort of a 50-year retrospective on Apple. It's not driven by a news item. Like, it's not like Apple launched a new product this week. So Ben Thompson is taking a step back and reflecting. It's a great piece, but there are a ton of crazy hacks, starting with Axios. There's an active supply chain attack on Axios, one of npm's most depended-on packages. So if you have been vibe coding, Axios is a package that helps with HTTP requests. So it gets sucked into all sorts of different projects. And if you upgrade it to the latest version, you basically got a virus with that. And if that's running in the cloud, it's building, and that's probably maybe bad because it could steal API keys or SSH keys. It could do a lot of things. It could wreak havoc on your system. Also, if you built this piece of software and you included the contaminated Axios installer or package locally, it could potentially weasel its way out of your local environment and get onto your desktop. It's a virus. So be careful out there. And I'm sure people will be responding. The recommendation from Feross, who sort of broke the news over at Socket Security, is that if you use Axios, pin your version immediately and audit your lock files. Do not upgrade. Socket analysis confirmed that this was malware. plain-crypto-js is an obfuscated dropper/loader that deobfuscates embedded payloads and operational strings at runtime, dynamically loads fs, os and execSync to evade static analysis, executes decoded shell commands, stages and copies payload files into OS temp and Windows ProgramData directories, deletes and renames artifacts post-execution to destroy forensic evidence. So very risky.
I would say, like, if you have installed this, you should just, like, freak out. Basically. Should... and if you break your computer, that's like the first thing you should do. Just like try to slam... Yeah. Take the computer, throw it in the lake. That's how you should start. I can... I mean, practical... I mean, there is going to be some sort of, like, power law response here where, of the people that are victims of the attack, they will go after the most vulnerable with the highest, like, ransomware potential. And I think we're seeing that with one company, I believe. Mercor was targeted. But I don't know if that's... but I don't believe... was that? Yeah. My understanding is that the crazy thing is you have this, like, Claude Code leak that was completely separate. Even though I do believe they use Axios in Claude Code, I saw something on that. And you have the Mercor leak, which is a leak. It's a ransom where someone stole some data. Yeah. They stole a bunch of data and now they're trying to, you know, get bids on it. We'll get to that in a little bit. Okay. And then there's this Axios supply chain attack. Yeah. Anish had a little bit more context. He said a tiny piece of code called Axios runs inside almost every app on your phone and every website you visit. Developers download it 100 million times a week. A few hours ago, someone poisoned it with malware that hands an attacker full control of your computer. If you've never heard of Axios, that's normal. It does one boring but important job. It lets apps talk to the internet. When a website pulls up your feed or an online checkout processes your card, Axios is probably doing the work underneath. Over 173,000 other code packages plug into it. It's everywhere. The attacker stole a lead developer's login for npm. Think of it as an app store, but for code that programmers use. Once inside, they swapped the developer's email to an anonymous ProtonMail account and uploaded the poisoned version by hand.
That jumped past every security check the project normally runs before new code goes live. And this was not a rush job. The attacker staged the malware at least 18 hours before pulling the trigger. They built separate versions for Windows, Mac and Linux. They poisoned both the current version and an older one within 39 minutes of each other, casting the widest net possible. Once the malware ran on a machine, it deleted itself to cover its tracks. The trick was smart. They never touched a single line of code inside Axios itself. Instead, they tucked in a fake add-on called plain-crypto-js, built to pass as a well-known trusted library. It copied the real library's description and author info, so nothing looked off at a glance. When a developer installed Axios, this fake package quietly ran the malware on its own. When a smaller package called ua-parser-js got hijacked back in 2021, with about eight million weekly downloads, the security world treated it like a four-alarm fire. Axios has a hundred million, over 12x the exposure, with 173,000 packages depending on it. Socket, the security firm that flagged this, caught it in about six minutes. That's fast, but six minutes is still plenty of time for automated systems at companies everywhere to pull and install the bad version before anyone can react. If you or your team run Axios, freak TF out. Now lock your version to 1.14.0. Change every password, API key and access token on any machine that installed the compromised update, and check your network logs for connections to sfrclak.com or the IP address 142.11.206.73. Andrej Karpathy said: new supply chain attack, this time for npm Axios, the most popular HTTP client library with 300 million weekly downloads. That's a lot. Scanning my system... Andrej Karpathy says he found a use imported from googleworkspace/cli from a few days ago, when I was experimenting with Gmail/GCal CLI.
The installed version luckily resolved to the previous version, the unaffected 1.13.5. But the project dependency is not pinned, meaning that if he did this earlier today, the code would have resolved, everything would have updated, and he would have been pwned. It is possible to personally defend against these to some extent with local settings, e.g. release age constraints or containers, etc. But I think ultimately the defaults of package management projects (pip, npm, etc.) have to change so that a single injection, usually luckily fairly temporary in nature due to security scanning, does not spread through users at random and at scale via unpinned dependencies. So very, very crazy, crazy story. I just think it's bullish overall for cybersecurity. Like, I think every cybersecurity company will probably do well. People are on edge already. And even though this type of attack has happened for years, long before, like, the popularity of vibe coding, it just feels like there's a bunch of new solutions that are needed. The kind of incumbent cybersecurity players will do well. They're going to release a lot of new products. I think the question that I have is, like, why seven minutes, right? If I want to check it before it's merged in in the first place. Yeah. Yeah. Or just like, you know, these are machines. So theoretically they can be constantly monitoring versus like... Yeah, I don't know. And the question is... we're going to be digging into this story more over the next few days. But I'm interested to know, like, it's found in seven minutes. When is it actually rolled back? If you look at 300 million weekly downloads, like, clearly there are people that were downloading it at that moment in time, at all seven of those minutes. There's probably like thousands of downloads, if not tens of thousands. Like, how quickly was it rolled back?
So is it only if you're in that seven minutes, or was it... it was discovered in seven minutes and then it took them another 20 minutes to roll it back and stop serving the contaminated package? Understanding the scope of this, because it's very clear that, as Andrej Karpathy explained, like, he was actively using it every single day and yet was not caught in that seven-minute window. And so he was clean. And understanding the scope and scale of the impact is very much determined by just how broad and how many installs happened during the contamination. Anyway, Will Brown has a good take. He says, I hope someone at Axios is reporting on this. And I completely agree. It's going to be confusing when they do.
Last night, Claude Code source code was leaked via a map file in the npm registry. There's just a link to someone's... just, actually, do not click a link. If somebody ever says, hey, I got some really great source code here, just click this link, probably don't click it. Let other people screenshot it. There's plenty of meta-analysis over here. Seems messy, seems unfortunate. Heart goes out to the folks who are dealing with the situation. At the same time, Codex is open source. It's not the end of the world, but it did reveal a bunch of things about the roadmap and also some of the rules. April Fool's. That is the worst part. We love a secret surprise April Fool's joke. I love a good joke, and nothing spoils a joke like hearing about it a day early. Much more importantly, there are lots of other critiques of the way Claude Code is implemented. What are the bad words? I don't think this hurts their business at all, because people are using Claude Code to make other products. Yeah. And then also having to take basically a fork of Claude Code, maintain that, try to be shipping features against it, which is, again, I think it seems to not be legal at all to just fork the code base just because it's out there.
Oh yeah, you can't just... people are converting it. People are converting it into other languages, and maybe there's some argument there, but still, I don't think this hurts their business at all. Understand some of the secrets. What's special? But at the end of the day, all of these tools, especially something like Claude Code that's so new, like, it's more of, like, the process, and it's more bad for the overall brand of vibe coding. Totally. Totally. Yeah. Yeah, it's rough. The irony here is that every time Anthropic has released any feature related to cybersecurity, all the big cyber companies have been selling off, you know, tens of billions of dollars. Yeah, yeah, yeah. The question of, like, yeah, does this build trust in, like, using vibe code? So overall, it hurts some trust, but again, very obviously going to get through this. Yeah. So the "how it started, how it's going" is of course landing like a ton of bricks. "In the last 30 days, 100% of the contributions to Claude Code were written by Claude Code," and the "how it's going" is that it leaked the source code, which is not what you want to have happen. This is like, you know, you didn't get to watch the Super Bowl. You have it DVR'd at home. Do you want spoilers? Should we review the April Fool's joke or should we leave it unspoiled? It's cool. It's very cool. You've already read it. I read through it, but it's not to my... I don't think we're getting a knee-slapper out of it. Okay. But it's very cool. Okay. I think it'll be cute. Okay. Well, then we can move on. Tukey summed it up here. Do you understand what just happened to Anthropic? Someone on their team ran a production build of Claude Code. The compiler generated a .map file, which is literally a blueprint that reverses the entire code base back to its original source. And then they published it straight to npm for the whole world to download.
And it really does show you how fast the npm downloads. There are people that are downloading it every single minute. And so even if it's only up there for a minute, someone's going to get it. And then all they need to do is send it to somebody, zip it and post a link on X, and it goes viral. It's like locking every door in your house, installing cameras, hiring armed guards, then accidentally uploading your floor plans to Google Maps. Does that matter? No, that's a bad analogy. I don't like that analogy. Floor plans are not why I lock every door in my house. I install cameras. I hire armed guards. Aren't floor plans public on, like, Zillow? Oftentimes. Let's go over to Lisan al Gaib. Yes. Yes. Yes. A few takeaways from the Claude Code leak. Anthropic is actively using Mythos for development. Okay. They are already at Capybara v8. We learned last week that Capybara is extremely deadly, but can be deadly in the right context. Capybara still has issues. The foreshadow is crazy. The foreshadow is crazy. We were talking about how the Faustian bargain that is getting a capybara as a pet seems so cute, but it can bite you. Capybara has one million token context window and fast mode. Cool. Numbat is another interesting code name, tagged with app model launch: "Remove this section when we launch Numbat." Fennec seems to fit the fennec fox. Fennec fox is very cute, but also not a domesticated animal. How about we get some golden retriever code names? How about big fluffy poodle? That's a good code name for your animal-themed AI model.
Anyway, let me tell you about Console. Console builds AI agents that automate 70% of IT, HR and finance support, giving employees instant resolutions for access requests and password resets. And let me also tell you about Lambda. Lambda is the superintelligence cloud, building AI supercomputers for training and inference that scale from one GPU to hundreds of thousands.
Arvid says: hot take, Anthropic leaked Claude Code intentionally to get a nerdosphere code review it would have never gotten if they had just open sourced it. Oh, that's actually true. Way more attention. You don't leak your entire feature roadmap. You don't do... I mean, it's funny and I'm sure they'll make the most of this. This is 4D chess right here. But I'm not seeing the 4D chess. I'm seeing the 40 trust now. I'm convinced this is the... I mean, we're in completely uncharted territory for marketing stunts and pre-releases and sneaky footage that goes viral and maybe was planted and you don't know. And it's like some leaked account. Like, I don't know. I think everything's... I think the gloves are off. Everything's on the table. This could be an April Fool's joke. This could be a stunt to drive attention to an open source move. Although, Tyler, you said that Dario is not a fan of open source at all. Right? He's like against it unilaterally. He doesn't want to do open source. I feel like, isn't there some steel man there where if you open source, like, Opus two or something that's like really old, it's entirely commoditized in the research community. So all of those secrets that went into, like, making Opus two good, those have been commoditized. They've been discussed at the house parties in SF. The researchers have moved from one place to another. So everyone knows these. They're Vinplan and they're available as open source, but by open sourcing your model, you can share with more of, like, the up-and-coming academic community. Like, if I'm a computer scientist, I'm going to follow... the research is already commoditized. Yeah. I guess you could just use the other ones. It doesn't really have a benefit. Maybe. Yeah. So has anyone at Anthropic commented on this at all? I haven't seen anything. I haven't seen anyone.
There is news out of Google. A Google paper warns crypto on quantum risk ahead of 2029 timeline. So we've heard about the risk of quantum computing affecting the cryptocurrency industry, crypto projects broadly. There is some new research out of Google that provides some more perspective. So Google researchers have warned that future quantum computers may be able to break some of the cryptography protecting Bitcoin and other digital assets with fewer resources than previously thought, adding urgency to the debate over how the industry should prepare. The researchers did not indicate such a machine exists today, but said new work suggests the computing power needed to carry out that kind of attack may be lower than earlier estimates had suggested. In a Google Research blog post (this is from Bloomberg), the researchers said that a future quantum computer could break elliptic curve cryptography, a form of public key encryption used across much of the market. Their latest estimate points to a 20-fold reduction in the quantum computing hardware needed to break what's known as ECDLP-256, a mathematical problem that helps secure crypto wallets and transactions. That does not mean Bitcoin and Ethereum are suddenly exposed, but the researchers, in the white paper dated Monday, said the clearest defense is a shift towards post-quantum cryptography, or PQC (I'm sure this will be a hot topic over the next few months), a newer form of security designed to withstand attacks from powerful machines. They also urged the crypto industry to cut avoidable risks in the meantime. "We urge all vulnerable cryptocurrency communities to join the migration to PQC without delay." Google cast the paper as a warning meant to give the industry time to act, not as a prediction of imminent collapse.
Last week, the tech giant introduced a timeline to fully migrate its own security systems to post-quantum cryptography by 2029 have swirled for years. In January, Coinbase established an independent advisory board to study what quantum computing could mean for the blockchain. That same month, Christopher Wood, global head of equity strategy at Jefferies, removed a 10% allocation to Bitcoin from his model portfolio, citing fears that the advent of quantum computing could undermine the token. The time left before such machines arrive still appears longer than the time needed to move public blockchains to post-quantum cryptography. One concern that people in the community have had, that I've seen talked about, is this idea that if you did have a computer powerful enough to crack these encryptions, unless you were like Google and you already had billions and billions and billions of dollars of cash flow, you wouldn't exactly stand up and say, like, "Hey, I have cracked Bitcoin," because the incentive for a certain team would just be to go around and find these wallets that maybe didn't have any activity for a long time and just start cracking those individually, because if you just stood up and said, "Hey, I have a quantum computer that destroys Bitcoin," the price would go down and then you, the hacker, wouldn't get any benefit from it. What are quantum stocks doing on this news? Quantum, probably ripping. He ripped on everything. So Nic Carter was talking about this. He said, many are wondering what Google saw that caused them to revise their post-quantum cryptography transition deadline to 2029 this week. It was this, and it's from research.google, which we will go through max of these. He says, Google's basically saying, we've cut the quantum resources needed to break Bitcoin's encryption by 20x. We can now break it. We can prove it.
We're just not going to tell you how. We've slowed down research to give crypto a chance. You have until 2029 to figure out a solution. Good luck. Elon chimed in and said, on the plus side, if you forgot the password to your wallet, it will be accessible in the future. Also to everyone else.
So the chance that NASA lands on the moon, we were tracking this yesterday. The missions are starting to happen. For 2028 on Kalshi is now at 14 percent, before 2027 is at 4.7 percent. So they are racing. Of course, this Artemis II mission is not boots on the ground on the moon. It is rocketing around the moon. We'll have more about this tomorrow. They're just going to check it out. They're going to be gone for 10 days. They're going to be in space for 10 days. Brenda Garell was doing some deep dives on the technology, the streaming technology, what we really care about here, that will be on board. Something like 20 cameras, 4K live streams, laser beams to make sure it's low latency, Super Chat. A lot of fun. Super Chats would be good. We got to get a chat going. I'm sure there might actually be, because they usually stream on YouTube. And so I wouldn't be surprised if it is going to be a 24/7, like, perpetual stream that's always on, even when the astronauts are taking a sleep. Yeah. Taking a little nap. Yeah. Yeah. Okay. All the conspiracy theorists are going to be sitting there watching it very closely and then pausing. And there was a glitch. There. Did you see that glitch? That was VFX. That was AI. No, this is my mark. I will believe that it's real if I see an astronaut put three fingers in front of their face. Yep. Because this is the one thing that the AI can't do right now. If you're ever on a Zoom call with someone you suspect of being fake, a scammer who said, "Hey, let's get on Zoom. Let's talk about some financial investment opportunity."
And it looks like someone you think is the person, but you suspect that it might not be, and they will be able to show you. Look, look at the fingers. The fingers are perfect. It's fine. It's fine. That's because this part is not AI. Just the face is AI. This is the deepfake stuff that's happening. So what you have to do is you have to ask them to hold up three fingers. They'll be like, "Yeah, three fingers. This is fine. Right. I satisfy the task." You got to say, no, put the three fingers in front of your face, because if you put the three fingers in front of your face, the AI gets confused and it breaks the deepfake that's happening underneath.
Elon... Colossus shares: Elon has spent a decade trying to control an AI lab. He tried to absorb DeepMind into Tesla in 2014 and OpenAI in 2018. When that failed and interns spoke up, it did not end. Okay. Let's read through this. He also tried to control xAI to some degree. Doesn't he control it? Well, he controls it, but at what cost? Right. All seven co-founders. Oh, true, true, true. That's what you're referring to. Anyways, from the book: pushing back against Musk's obsession with the race against Google and DeepMind, Brockman added, "It doesn't matter who wins if everyone dies." Musk responded the next morning at 3:52 AM. He confronted Brockman with a proposal that recalled Pichai's pitch. OpenAI should spin into Tesla. Initially, OpenAI's team could accelerate Tesla's development of autonomous vehicles. Next, it could use the profits from self-driving cars to fund its AGI moonshot. "Tesla is the only path that could even hope to hold a candle to Google," Musk declared. "Even then, the probability of being a counterweight to Google is small, it just isn't zero." At an all-hands meeting on the top floor of a converted truck factory that housed OpenAI, Musk announced to the employees that he was quitting the lab, scornfully adding that... I need Raptors. I need a new Ford Raptor, potentially every day.
We gotta put this lab above, inside of a truck factory. This is amazing. Scornfully adding that OpenAI would have to sprint faster to stay relevant. No, I guess they did. I guess hoping to lure away some researchers, he declared there was a much better chance of building AGI at a strong business like Tesla. Yeah. Showing courage, or perhaps just youthful innocence, an intern asked Musk if speed might be reckless from a safety perspective. Besides, wasn't developing AI at a for-profit company like Tesla the same as creating it at a for-profit company like Google? "Isn't this going back to what you said you didn't want to do?" the intern demanded. "You're a jackass," Musk retorted. Then he stormed out of the meeting. That intern? Tyler Cosgrove. No, that intern was Steve Jobs. He's kidding. It's been an honor. See you tomorrow. Goodbye. Bye.