Vibe Coding Weekly #27
The tools are moving faster than the trust that's supposed to contain them.
If you only read one thing this week: Cursor 3 is not an update — it’s a new product. The company rebuilt the entire interface around agents as first-class citizens: parallel execution, multi-repo support, local-cloud handoffs, and a Design Mode that lets agents target UI elements in-browser. The era of the AI IDE is over; this is the AI orchestration layer. Read more →
This week in one satisfying refactor:
The Infrastructure Story: Oracle cut up to 30,000 jobs in a single morning, replacing human capital with compute capital — $2.1B in restructuring charges funding a $156B AI data center buildout
The Security Story: Sapphire Sleet compromised the axios npm package (100M+ weekly downloads) for three hours; Anthropic accidentally shipped Claude Code’s entire source code — 500,000 lines — to the public npm registry, then triggered accidental takedowns of 8,100 GitHub repos trying to clean it up
The Open Model Story: Google released Gemma 4 — Apache 2.0, up to 256K context, runs on a Raspberry Pi 5 — while GitHub deprecated the entire GPT-5.1-Codex family and replaced it with GPT-5.3-Codex
Key Takeaways
Cursor rebuilt its interface from scratch for the agent era: Cursor 3 replaces the VS Code–based editor with a unified workspace where humans orchestrate fleets of parallel agents across repos, environments, and platforms — locally, in the cloud, and via Slack or GitHub integrations. This is the clearest signal yet that the agent is the primary unit of development work, not the keystroke. Read more →
Oracle erased 30,000 jobs in a morning to fund AI infrastructure: On March 31, employees across the US, India, Canada, Mexico, and Uruguay received termination emails at 6am EST with no prior warning. The $2.1B restructuring charge is expected to generate $8–10B in annual savings that flow directly into data centers and GPUs — one of the most explicit examples of compute capital replacing human capital in the enterprise. Read more →
The axios supply chain attack is a warning shot for every AI-assisted project: North Korean state actor Sapphire Sleet compromised axios — the HTTP client found in almost every JavaScript project — for three hours on March 31, injecting a cross-platform remote access trojan. Any project auto-updating axios during that window was exposed. AI agents that scaffold new projects with npm dependencies are now a fresh attack surface for exactly this kind of infiltration. Read more →
Anthropic accidentally leaked Claude Code’s entire source code — then accidentally took down 8,100 GitHub repos trying to contain it: On March 31, a misconfigured debug file bundled into a routine npm release exposed nearly 500,000 lines of code — including feature flags for unshipped capabilities like background persistent assistants and remote phone control. Anthropic’s DMCA response then incorrectly targeted ~8,100 unrelated GitHub repositories before the company retracted the bulk of the notices. No customer data was exposed, but the incident is the sharpest reminder yet that the infrastructure underpinning AI coding tools runs on the same fragile, human-error-prone processes as everything else. Read more →
Google’s Gemma 4 runs frontier-quality reasoning on edge hardware: Released April 2 under Apache 2.0, Gemma 4 comes in four sizes (2B to 31B parameters) and runs on mobile phones, Raspberry Pi 5, and in-browser via WebGPU — with 256K context support and 140+ language coverage. For developers building offline-capable or privacy-sensitive agentic applications, this removes a major constraint. Read more →
GitHub Copilot’s cloud agent can now plan before it codes: A significant workflow shift: the Copilot cloud agent can now produce an implementation plan for your review before writing a single line of code, conduct deep research sessions grounded in your repository, and work on branches without immediately opening pull requests. The asynchronous, delegated development model just got a meaningful review layer. Read more →
Claude Code auto mode resolves the permissions dilemma: Anthropic’s auto mode is the middle ground developers have been looking for between constant manual approvals and the --dangerously-skip-permissions flag. Two AI classifiers evaluate each action before execution — one for prompt injection, one for intent alignment. False positive rate: 0.4% in production. The catch: ~17% of overeager actions still get through, so it’s designed for isolated environments, not production infrastructure. (editorial inclusion — outside range, published March 25, 2026) Read more →
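The axios takeaway above turns on whether an install during the compromise window would have picked up a freshly published version. The following is an added example, not code from this newsletter or from npm: it resolves a declared range against registry publish times and reports whether a lockfile would have kept the install off a version published inside the window. The package versions, timestamps and window are constructed, and the range matcher covers only exact, ^ and ~ forms without prerelease tags.

```javascript
// Added example: would an install inside an incident window have pulled a new release?
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Simplified semver matching: exact, ^ and ~ only (assumption: no prerelease tags).
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = range.slice(op.length);
  if (!op) return cmp(version, base) === 0;
  if (cmp(version, base) < 0) return false;
  const [M, m, p] = parse(base), [vM, vm, vp] = parse(version);
  if (op === '~' || (M === 0 && m > 0)) return vM === M && vm === m;
  if (M > 0) return vM === M;
  return vM === 0 && vm === 0 && vp === p; // ^0.0.x matches only itself
}

// Newest version matching the range among those already published at time `at`.
function resolveAt(range, publishTimes, at) {
  const ok = Object.keys(publishTimes)
    .filter((v) => Date.parse(publishTimes[v]) <= at && satisfies(v, range));
  return ok.sort(cmp).pop() || null;
}

function exposure(range, lockedVersion, publishTimes, window) {
  const start = Date.parse(window.start), end = Date.parse(window.end);
  const inWindow = (v) => {
    const t = Date.parse(publishTimes[v]);
    return t >= start && t <= end;
  };
  // A lockfile-respecting install (e.g. `npm ci`) takes the locked version as-is.
  if (lockedVersion) return { resolved: lockedVersion, exposed: inWindow(lockedVersion), via: 'lockfile' };
  // Without a lockfile, a fresh install inside the window takes the newest match.
  const resolved = resolveAt(range, publishTimes, end);
  return { resolved, exposed: resolved !== null && inWindow(resolved), via: 'range' };
}

// Constructed registry data and window; none of these values come from the incident.
const TIMES = { '1.6.0': '2026-01-10T00:00:00Z', '1.6.1': '2026-02-20T00:00:00Z', '1.6.2': '2026-03-31T01:00:00Z' };
const WINDOW = { start: '2026-03-31T00:00:00Z', end: '2026-03-31T03:00:00Z' };

console.log(exposure('^1.6.0', null, TIMES, WINDOW));    // floating range, no lockfile
console.log(exposure('^1.6.0', '1.6.1', TIMES, WINDOW)); // same range, lockfile present
```
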
📦 Releases & News
Anthropic Leaked Claude Code’s Source Code — Then Accidentally Took Down 8,100 GitHub Repos
On March 31, a debug file accidentally bundled into a routine npm release exposed nearly 500,000 lines of Claude Code’s source code to the public registry — including feature flags for capabilities that are fully built but unshipped, like a background persistent assistant and remote control from a phone or browser. Anthropic confirmed no customer data or credentials were involved, attributing the incident to human error in the release packaging process. The response compounded the original story: Anthropic’s DMCA takedown request incorrectly targeted approximately 8,100 GitHub repositories — most unrelated to the leak — before the company retracted the bulk of the notices and described the overbroad enforcement as also accidental. For a company whose products are now running autonomously in developer workflows, two back-to-back unforced errors in a single day are an uncomfortable data point about operational maturity.
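One way to catch a stray debug file before it reaches the registry is to audit the tarball's file list at release time. This added example (not Anthropic's tooling, and not part of the original newsletter) checks the JSON that npm pack --dry-run --json prints; the patterns, allowlist, size limit and sample package are assumptions constructed for illustration.

```javascript
// Added example: audit the file list of an npm tarball before publishing.
// Input shape follows `npm pack --dry-run --json`:
//   [{ name, version, files: [{ path, size }] }]

// Assumed policy: file names that indicate debug or local-only artifacts.
const DEBUG_PATTERNS = [/\.map$/i, /\.log$/i, /(^|\/)\.env(\.[^/]*)?$/, /\.(heapsnapshot|cpuprofile)$/i];
// Assumed policy: the only top-level entries this package is meant to ship.
const ALLOWED_ROOTS = new Set(['package.json', 'README.md', 'LICENSE', 'dist']);
// Assumed policy: anything larger than this needs a human look.
const MAX_FILE_BYTES = 5 * 1024 * 1024;

function auditPack(packJson) {
  const findings = [];
  for (const pkg of packJson) {
    for (const file of pkg.files) {
      const p = file.path.replace(/\\/g, '/');
      if (DEBUG_PATTERNS.some((re) => re.test(p))) {
        findings.push({ path: p, reason: 'debug-artifact' });
      } else if (!ALLOWED_ROOTS.has(p.split('/')[0])) {
        findings.push({ path: p, reason: 'outside-allowlist' });
      } else if (file.size > MAX_FILE_BYTES) {
        findings.push({ path: p, reason: 'oversized' });
      }
    }
  }
  return findings;
}

// Constructed sample of pack output for a hypothetical package.
const SAMPLE_PACK = [{
  name: 'example-cli', version: '0.0.0',
  files: [
    { path: 'package.json', size: 812 },
    { path: 'README.md', size: 2048 },
    { path: 'dist/cli.js', size: 1200000 },
    { path: 'dist/cli.js.map', size: 58000000 },
    { path: 'dist/vendor.bin', size: 9000000 },
    { path: 'src/flags.ts', size: 4096 },
    { path: '.env.local', size: 120 },
  ],
}];

for (const f of auditPack(SAMPLE_PACK)) console.log(`${f.reason}\t${f.path}`);
```

In a release pipeline, the same function would run on the real pack output and the job would fail on any finding before npm publish is reached.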
Ollama 0.19 Preview: Nearly 2x Faster on Apple Silicon via MLX
Ollama’s 0.19 preview release switches to Apple’s MLX framework, delivering approximately 1.6x faster prompt processing and nearly 2x faster response generation on Apple Silicon — with M5-series Macs seeing the largest gains. Initial support is limited to Qwen3.5, requires 32GB unified memory, and broader model support is planned. For developers running local coding agents or chat assistants on Mac, the responsiveness difference during extended sessions is described as noticeable.
Salesforce Gives Slack 30 AI Features — Including MCP Client Support
Salesforce announced 30 new AI features for Slack, the headline being that Slackbot now functions as a Model Context Protocol client — meaning it can make tool calls into external services across the 2,600+ Slack Marketplace apps and 6,000+ Salesforce AppExchange integrations. Slackbot can now coordinate with Agentforce agents, create Google Docs and Slides, and operate as an autonomous work assistant. The update positions Slack less as a messaging platform and more as an agentic operating system for enterprise workflows.
Copilot Organization Custom Instructions Now Generally Available
GitHub Copilot’s organization custom instructions — allowing admins to set default behavior guidelines that shape how Copilot behaves across all repositories in their organization — reached general availability. The feature applies across Copilot Chat on github.com, code review, and the cloud agent. Configuration lives in Organization Settings → Copilot → Custom Instructions. Available for Copilot Business and Enterprise admins.
GitHub Actions: Early April 2026 Updates
Three noteworthy additions to GitHub Actions: service containers now support entrypoint and command overrides via workflow YAML; OIDC tokens now carry repository custom properties as claims, enabling more granular cloud trust policies without referencing individual repo names; and Azure private networking for hosted runners gained failover network support in public preview for workflow continuity during subnet failures.
GPT-5.1-Codex Family Deprecated in GitHub Copilot
As of April 1, 2026, GPT-5.1-Codex, GPT-5.1-Codex-Max, and GPT-5.1-Codex-Mini are deprecated across all Copilot experiences — chat, inline edits, ask and agent modes, and code completions. The replacement is GPT-5.3-Codex. If your team has workflows or API integrations specifying these model names, update them now.
📚 Tutorials and Resources
Pinterest’s Production MCP Playbook: 66,000 Invocations/Month and 7,000 Hours Saved
Pinterest’s engineering team published a detailed account of their production MCP deployment — the most concrete real-world data on MCP at scale published to date. Their architecture uses domain-specific cloud-hosted MCP servers (separate servers for Presto, Spark, and Airflow) connected through a central registry. The system processes 66,000 invocations per month across 844 active users, saving roughly 7,000 hours per month. Two-layer authorization (JWT + service mesh) and mandatory human approval for sensitive operations kept governance intact. Worth reading for anyone planning an enterprise MCP rollout.
💡 Others
‘Vibe Coding’ May Offer Insight into Our AI Future
Harvard researchers surfaced a tension that’s easy to miss in the excitement around AI-assisted development: vibe coding replaces technical knowledge with a different and harder-to-evaluate skill set — the ability to articulate ideas in natural language. The question isn’t whether you can build fast, it’s whether the resulting software is reliable, secure, and maintainable when you can’t read the code it contains. As Karen Brennan notes, the essential capability becomes “imagine possibilities, express clearly what we want to see in the world, review what we create, and iterate” — and not all developers are equally equipped to do that final step.
Every week, a new model drops. A new agent framework ships. A new “this changes everything” thread goes viral. And you still have actual code to write.
Every Monday, you open your inbox and already know what matters. You’ve skipped three viral threads that turned out to be nothing. You didn’t spend your weekend reading to know this. We did.
That’s what Vibe Coding Weekly is. For developers, architects, tech leads, and everyone building or managing software in the age of AI.
Clean code and positive vibes,
Angel.


