Jun 10, 2026

This is a story of how build­ing HTML-first dou­bled a com­pa­ny’s users lit­er­ally overnight.

My client was a util­ity com­pany, and they had a big prob­lem. To ap­ply for their ser­vices, cus­tomers could ei­ther use an old ASP form on the web­site, or fol­low a man­ual process. The man­ual process was more ex­pen­sive for the com­pany, of course. Adding a lot of pres­sure, this was a reg­u­lated mo­nop­oly, and if their cus­tomer sat­is­fac­tion dropped be­low 96% (if I re­mem­ber cor­rectly) it could re­sult in mil­lions of pounds in fines.

There were two pre­vi­ous failed (and very ex­pen­sive) at­tempts to solve the prob­lem. In the most re­cent, con­trac­tors in an­other coun­try had built a React app. The React app was on­line for 3 days be­fore be­ing pulled be­cause of cus­tomer com­plaints. I took one look at it and told my boss “we can’t take own­er­ship of this.” It was a mess of load­ing spin­ners and global javascript states. It was not ac­ces­si­ble. Image up­load was a vi­tal part of the form, and it at­tempted to store im­ages (along with all other form data) in lo­cal­stor­age which has a 5mb limit!

I took a very bold de­ci­sion and built a new ver­sion of the site us­ing Astro. It was HTML-first. Javascript ex­isted, in web com­po­nents, but only to pro­gres­sively-en­hance a web­site that worked per­fectly fine with­out it.

My logic was thus:

This is a pub­lic ser­vice

It should work on every ma­chine pos­si­ble

It should work when con­nec­tions are poor

The forms must never lose data once it is en­tered

I was very moved by this anec­dote from Terence Eden:

A few years ago I was do­ing pol­icy re­search in a hous­ing ben­e­fits of­fice in London. They are sin­gu­larly unlovely places. The walls are bright­ened up with posters of­fer­ing help­ful ser­vices for peo­ple flee­ing do­mes­tic vi­o­lence. The se­cu­rity guards on the door are cau­tiously in­dif­fer­ent to any­one walk­ing in. The air is filled with tense con­ver­sa­tions be­tween part­ners - drowned out by the noise of scream­ing kids. In the mid­dle, a young woman sits on a hard plas­tic chair. She is sur­rounded by can­vas-bags con­tain­ing her worldly pos­ses­sions. She does­n’t look like she is in a great emo­tional place right now. Clutched in her hands is a games con­sole - a PlayStation Portable. She stares at it in­tensely; block­ing out the world with Candy Crush. Or, at least, that’s what I thought. Walking be­hind her, I glance at her con­sole and recog­nise the screen she’s on. She’s con­nected to the com­ple­men­tary WiFi and is brows­ing the GOV.UK pages on Housing Benefit. She’s not slic­ing fruit; she’s arm­ing her­self with knowl­edge. The PSP’s web browser is - char­i­ta­bly - pa­thetic. It is slow, fre­quently runs out of mem­ory, and can only open 3 tabs at a time. But the GOV.UK pages are writ­ten in sim­ple HTML. They are de­signed to be light­weight and will work even on rub­bish browsers. They have to. This is for every­one.

A few years ago I was do­ing pol­icy re­search in a hous­ing ben­e­fits of­fice in London. They are sin­gu­larly unlovely places. The walls are bright­ened up with posters of­fer­ing help­ful ser­vices for peo­ple flee­ing do­mes­tic vi­o­lence. The se­cu­rity guards on the door are cau­tiously in­dif­fer­ent to any­one walk­ing in. The air is filled with tense con­ver­sa­tions be­tween part­ners - drowned out by the noise of scream­ing kids.

In the mid­dle, a young woman sits on a hard plas­tic chair. She is sur­rounded by can­vas-bags con­tain­ing her worldly pos­ses­sions. She does­n’t look like she is in a great emo­tional place right now. Clutched in her hands is a games con­sole - a PlayStation Portable. She stares at it in­tensely; block­ing out the world with Candy Crush.

Or, at least, that’s what I thought.

Walking be­hind her, I glance at her con­sole and recog­nise the screen she’s on. She’s con­nected to the com­ple­men­tary WiFi and is brows­ing the GOV.UK pages on Housing Benefit. She’s not slic­ing fruit; she’s arm­ing her­self with knowl­edge.

The PSP’s web browser is - char­i­ta­bly - pa­thetic. It is slow, fre­quently runs out of mem­ory, and can only open 3 tabs at a time.

But the GOV.UK pages are writ­ten in sim­ple HTML. They are de­signed to be light­weight and will work even on rub­bish browsers. They have to. This is for every­one.

Some re­quire­ments I de­rived:

Each ses­sion with the form should have a unique ID

At every step in the form wiz­ard, sub­mit­ted data should be stored on the back­end, in­clud­ing up­loads

It should be pos­si­ble to com­plete the form with­out javascript

It should be pos­si­ble to com­plete the form on out­dated and crap web browsers

We had to meet WCAG ac­ces­si­bil­ity (the team set­tled on AA rather than AAA)

Javascript and mod­ern CSS should be used to en­hance the ex­pe­ri­ence

The ba­sic setup ended up be­ing that each step in the form wiz­ard was its own page. When the user clicked next, the form would sub­mit. If the data was judged to be valid by the API, the browser would be redi­rected to the next step.

A ven­er­a­ble web ap­pli­ca­tion pat­tern that has had a small mod­ern re­nais­sance thanks to Remix, form sub­mis­sions and redi­rects took a while to ex­plain to my col­leagues, on ac­count of every­one be­ing used to heav­ily client-side web ap­pli­ca­tions. I have noth­ing against heav­ily client-side ap­pli­ca­tions, in their place. But this is just a big form - it’s not show­ing real-time data. Our user could be stand­ing in the mid­dle of a field on a new-build hous­ing es­tate, hold­ing a decade-old com­mod­ity an­droid phone they bought in Tesco. Shipping them 20MB of javascript be­fore we even ren­der a form would be a ridicu­lous thing to do.

Next, I tack­led one of my biggest bug­bears, form val­i­da­tion (and form and form er­ror ren­der­ing). I have seen teams waste per­son-months of ef­fort wran­gling React val­i­da­tion li­braries. If you are a React per­son, you might be scoff­ing at this - skill is­sue, I guess - but it is the re­al­ity for many teams. I would like to humbly sug­gest that you too may be spend­ing more time than you re­alise, and a lot more time than is nec­es­sary, in­ter­act­ing with and main­tain­ing poor im­i­ta­tions of the val­i­da­tion sys­tem that ships with every browser.

So I built an HTML web com­po­nent. These are sim­ple cus­tom el­e­ments that wrap around ex­ist­ing HTML and bring it to life. No shadow DOM, no (or lit­tle) ren­der­ing HTML in javascript. Mine wrapped around any HTML form, picked up the HTML val­i­da­tion, and made it look mod­ern. It would pre­vent those HTML val­i­da­tion popup tooltips, and in­stead place the er­ror in the aria-de­scribedby el­e­ment as­so­ci­ated with the field (today, aria-er­rormes­sage is ad­vised in­stead). It would clear val­i­da­tion while you typed, if you reached a valid state, and as­sess it again on blur and sub­mit.

Exactly the user ex­pe­ri­ence a form needs, de­liv­ered in un­der 1KB. If it failed, the form would fall back to built-in browser val­i­da­tion. If that failed, the back­end API would han­dle val­i­da­tion. We re­ported val­i­da­tion is­sues to the user as early as pos­si­ble given their browser, and al­ways fell back to an ac­cept­able ex­pe­ri­ence if it failed.

I have since writ­ten a new ver­sion of this web com­po­nent from scratch, aimed for gen­eral use. It’s called val­i­da­tion-en­hancer. I have been in this in­dus­try for over 20 years, and it is the best form val­i­da­tion li­brary I have ever used. I am very proud of it.

The code is so sim­ple to work with:

<validation-enhancer> <form>

<label for=“my-email”>Email</​la­bel> <input type=“email” name=“my-email” aria-er­rormes­sage=“my-email-er­ror” re­quired /> <div id=“my-email-er­ror”></​div>

<button type=“sub­mit”>Sub­mit</​but­ton> </form> </validation-enhancer>

The re­sults? When we launched, the num­ber of peo­ple com­plet­ing the form dou­bled. The an­a­lyt­ics peo­ple did­n’t even know where these users were com­ing from. Of course, your javascript-based an­a­lyt­ics pack­age does­n’t see the users you are bounc­ing be­cause of javascript fail­ures. It was a flood! We also saw my “keep a back­end ses­sion, never lose user data” ap­proach pay off. In one case, some­one com­pleted a form a month af­ter start­ing it.

There was a sad coda; as is the way of con­tract work, I moved on. I ex­plained what I had built to my re­place­ment, that it al­ways worked even with­out javascript. He was ap­palled and said, “but that’s a lot more work for us.”

It is not ac­cept­able to bounce users on old browsers, users with bad net­work con­nec­tions, users us­ing as­sis­tive tech­nolo­gies. Certainly not from a mo­nop­oly pub­lic ser­vice. A lot of hype and noise is press­ing us to ex­tend the cow­boy, wild-west phase of the soft­ware in­dus­try’s ex­pan­sion. We should set that aside, and take our­selves se­ri­ously as a ma­ture in­dus­try. Build a web ap­pli­ca­tion that works on a playsta­tion portable on a 3G con­nec­tion - if you do, it will work for all your users, and it will still work 30 years from now.

Anthropic re­leased its lat­est model Fable on Tuesday, billing it as a pub­lic and lim­ited ver­sion of its pow­er­ful and much-hyped cy­ber­se­cu­rity model Mythos.

But not every­one is happy with the re­stric­tions, and a num­ber of cy­ber­se­cu­rity re­searchers and pro­fes­sion­als have aired com­plaints on­line.

“[Fable] re­jects any re­quest that could be tan­gen­tially cy­ber re­lated. Even in­nocu­ous tasks like read­ing a blog post,” said Valentina “Chompie” Palmiotti, a well-known se­cu­rity re­searcher who works at IBM X-Force.

When a prompt trig­gers its guardrails, Fable pauses the chat and says that its “safety mea­sures flagged this mes­sage for cy­ber­se­cu­rity or bi­ol­ogy top­ics.”

The guardrails were put in place to limit the risk that Fable could be used to de­velop mal­ware or com­pro­mise soft­ware — a long-stand­ing con­cern within Anthropic. The re­stric­tions on bi­ol­ogy come from a sim­i­lar con­cern around de­vel­op­ing bi­o­log­i­cal weapons.

When the AI gi­ant re­leased Mythos in April, it re­stricted the model to a lim­ited num­ber of com­pa­nies and or­ga­ni­za­tions in what it called Project Glasswing, an ef­fort to de­ploy the model to se­cure crit­i­cal soft­ware and in­fra­struc­ture. Last week, Anthropic ex­panded ac­cess to Mythos to hun­dreds of or­ga­ni­za­tions in 15 coun­tries.

But de­spite the good in­ten­tions, many cy­ber­se­cu­rity ex­perts are still put off by the hap­haz­ard na­ture of the re­stric­tions. Matt Suiche, a cy­ber­se­cu­rity vet­eran, told TechCrunch that “if you ask it to write se­cure code, it as­sumes it is cy­ber­se­cu­rity re­lated work in­stead of soft­ware en­gi­neer­ing best prac­tices, and you get down­graded.” Fable is pro­grammed to fall back to Claude Opus 4.8 if it hits a guardrail. “It seems to be key­word based, so any­thing in the lex­i­cal field of ‘cybersecurity’ trig­gers the guardrails.”

Contact Us

Do you have more in­for­ma­tion about how hack­ers are us­ing AI? Or how cy­ber­se­cu­ity com­pa­nies are us­ing AI? We’d love to hear from you. From a non-work de­vice and net­work, you can con­tact Lorenzo Franceschi-Bicchierai se­curely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

“But it is un­der­stand­able as we are still in the early days and they are still adapt­ing their guardrails. I am sure they are go­ing to evolve over time as Anthropic and other fron­tier model com­pa­nies will col­lab­o­rate more with the cur­rent new gen­er­a­tion of cy­ber­se­cu­rity com­pa­nies,” said Suiche, who is a mem­ber of the tech­ni­cal staff at Tolmo, an AI cy­ber­se­cu­rity startup. “It’s bet­ter to catch more peo­ple than not enough when you do such a re­lease and to re­lax the guardrails over time.”

Another re­searcher griped on X that “even ask­ing for a code re­view” trig­gers Fable’s guardrails.

Anthropic did not im­me­di­ately re­spond to a re­quest for com­ment.

Apart from guardrails in­side its mod­els, Anthropic re­quires cy­ber­se­cu­rity pro­fes­sion­als to ap­ply to the Cyber Verification Program. If they get ap­proved, the ap­pli­cants have fewer lim­i­ta­tions on us­ing Claude for cy­ber­se­cu­rity work. OpenAI has a sim­i­lar pro­gram called Trusted Access for Cyber.

When you pur­chase through links in our ar­ti­cles, we may earn a small com­mis­sion. This does­n’t af­fect our ed­i­to­r­ial in­de­pen­dence.

Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he cov­ers hack­ing, cy­ber­se­cu­rity, sur­veil­lance, and pri­vacy.

You can con­tact or ver­ify out­reach from Lorenzo by email­ing lorenzo@techcrunch.com, via en­crypted mes­sage at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.

View Bio

All Collections

Team and Enterprise plans

Security and com­pli­ance

Data re­ten­tion prac­tices for Mythos-class mod­els

Updated to­day

Table of con­tents

To en­sure we’re re­spon­si­bly de­ploy­ing Mythos-class mod­els, we are re­quir­ing lim­ited data re­ten­tion and re­view as part of our safety work. Prompts sub­mit­ted to, and out­puts gen­er­ated by, Mythos-class mod­els are re­tained for 30 days for trust and safety pur­poses, on every plat­form where these mod­els are of­fered.

This ap­plies to Mythos-class mod­els and fu­ture mod­els with sim­i­lar ca­pa­bil­i­ties that we des­ig­nate as cov­ered mod­els. For all other mod­els, every­thing you use is un­af­fected and stays un­der the cur­rent terms.

This pol­icy, de­scribed be­low, goes into ef­fect on June 9, 2026. For more in­for­ma­tion on the threat model for re­tained data and as­so­ci­ated pri­vacy con­trols, please see the cor­re­spond­ing tech­ni­cal white pa­per on our Trust Center.

Who this ap­plies to

Consumer plans (Claude Free, Pro, and Max) across our web, desk­top, and mo­bile apps—in­clud­ing Claude.ai and Claude Code—are un­af­fected by this up­date, since we al­ready re­tain in­puts and out­puts for safety pur­poses on these sur­faces. Learn more about how we re­tain data for con­sumer plans.

This change only ap­plies to or­ga­ni­za­tions that have set up work­spaces with zero data re­ten­tion (ZDR) in Claude Console, use Claude Code with ZDR in Claude Enterprise, or ac­cess Claude through AWS Bedrock, Google Cloud Agent Platform, or Microsoft Foundry with ZDR. The rest of this ar­ti­cle ap­plies only to these or­ga­ni­za­tions.

Why we’re do­ing this

Claude Mythos 5 rep­re­sents a sub­stan­tial in­crease in model ca­pa­bil­i­ties, some of which can be used for both be­nign and ma­li­cious pur­poses. Claude Fable 5 shares the same un­der­ly­ing model as Claude Mythos 5, but with ad­di­tional safe­guards, par­tic­u­larly in the cy­ber and bio do­mains. While these safe­guards al­low us to share this in­tel­li­gence more broadly, we are tak­ing a con­ser­v­a­tive ap­proach that al­lows us to look for pat­terns of mis­use with this class of model. Some at­tacks only be­come vis­i­ble across mul­ti­ple re­quests. Best-of-N jail­break­ing, for ex­am­ple, sends hun­dreds of slight vari­a­tions of a prompt in the hope that one will work. Larger pat­terns of mis­use, such as state-spon­sored es­pi­onage or data ex­tor­tion cam­paigns, only sur­face when our safe­guards clas­si­fiers can zoom out across many re­quests. Detecting these threats re­quires tem­porar­ily re­tain­ing prompts and out­puts so they can be an­a­lyzed to­gether, rather than one at a time.

How we pro­tect your data

Anthropic em­ploy­ees can­not ac­cess your con­ver­sa­tions un­less they are flagged for po­ten­tial se­ri­ous harm or upon a cus­tomer’s writ­ten re­quest. These re­views can only be per­formed by a small set of ap­proved re­view­ers through tool­ing that pre­vents ex­port, copy­ing, or down­load­ing. Every in­stance of ac­cess is recorded in a tam­per-proof log that re­view­ers can­not sup­press or mod­ify. After 30 days, the data is deleted au­to­mat­i­cally, ex­cept in the rare cases where it’s part of a safety in­ves­ti­ga­tion or we’re legally re­quired to keep it. Eligible or­ga­ni­za­tions also have the op­tion to add cus­tomer-man­aged en­cryp­tion keys and ac­cess trans­parency au­dit logs.

Anthropic main­tains a doc­u­mented in­for­ma­tion se­cu­rity pro­gram with tech­ni­cal and or­ga­ni­za­tional mea­sures that are de­signed to pro­tect the se­cu­rity, con­fi­den­tial­ity, and in­tegrity of cus­tomer data. Our risk-based pro­gram is built for and evolves to de­fend against known and an­tic­i­pated threat mod­els and is tested reg­u­larly. For more in­for­ma­tion, see the tech­ni­cal white pa­per in our Trust Center.

What, if any­thing, do I need to con­fig­ure?

This change only ap­plies to or­ga­ni­za­tions that have set up work­spaces with zero data re­ten­tion (ZDR) in Claude Console, use Claude Code with ZDR in Claude Enterprise, or ac­cess Claude through AWS Bedrock, Google Cloud Agent Platform, or Microsoft Foundry with ZDR. For all other or­ga­ni­za­tions, there is no change and there’s noth­ing to con­fig­ure. The rest of this sec­tion is for or­ga­ni­za­tions that ac­cess Claude with­out data re­ten­tion to­day and need to set up data re­ten­tion in or­der to use des­ig­nated mod­els when they be­come avail­able.

If your de­vel­op­ers use the Claude API

If your team uses Claude Code

If your team uses Claude chat or Cowork through Claude for Enterprise

Related Articles

Public Sector FAQs

Use Claude for Microsoft 365 with third-party plat­forms

Real-time cy­ber safe­guards on Claude

Covered Models

Covered Models un­der a Business Associate Agreement (BAA)

Jun 10th, 2026 Lev Kokotov

Postgres is the only data­base you need.

The rea­son DBs like Mongo or Dynamo ex­ist is be­cause Postgres has a scal­ing prob­lem. If you could make it just work, with 100 TB+ ta­bles and 1M queries per sec­ond, we don’t think you would use any­thing else.

This is why we are build­ing PgDog. Same old Postgres, just with a proxy in front of it, to make it hor­i­zon­tally scal­able.

You can de­ploy PgDog any­where, in­clud­ing on-prem and in your cloud ac­count: pull our Docker im­age, change your DATABASE_URL, and make us do the work.

Our sta­tus

PgDog is serv­ing more than 2M queries per sec­ond, in pro­duc­tion, across dozens of de­ploy­ments. We sharded over 20 TB that we know about.

PgDog is open source and any­one can just de­ploy it, and they do: we have over 1.4M Docker pulls on GitHub.

A new ver­sion comes out every week, on Thursdays. Our Discord com­mu­nity is grow­ing. We are there, every day, to an­swer ques­tions and pro­vide sup­port.

Why us

PgDog is a small, three-per­son startup. So, why use our stuff and trust us with your data?

We are in­fra­struc­ture en­gi­neers, ap­pli­ca­tion en­gi­neers and gen­er­al­ists. We built apps on Postgres be­fore it was cool and made it work at mas­sive scale.

I ran Postgres at Instacart, where we scaled the com­pany 5x in April of 2020. The biggest prob­lem we had was mak­ing Postgres serve 100,000s of gro­cery de­liv­ery or­ders per minute.

We sharded Postgres on RDS, Aurora and EC2. We fixed the ac­tual prob­lem, us­ing first prin­ci­ples (and a lot of code).

The same tech­nol­ogy is now avail­able as an open source prod­uct.

Building PgDog is not a pivot. For us, scal­ing Postgres has been, and is, the only goal.

We built PgDog to run in your cloud, in your colo rack, on-prem, or on your lap­top. Wherever you need it, PgDog works, with no de­pen­den­cies or hid­den server­less costs. If you can pro­vide CPUs, our mul­ti­threaded code will use them all.

Postgres adop­tion is only go­ing to in­crease. With $5.5M from Basis Set, YC, Pioneer Fund and other great in­vestors, we have years of run­way, and we are go­ing to make Postgres just work, for every­one, at any scale.

– Lev

P.S. We are build­ing an Enterprise edi­tion of PgDog to make it eas­ier to run in AWS. It comes with SLA-backed sup­port from our team. Give us a call if you want to try it out.

More info

Read our docs to get started with PgDog

Star our repo and fol­low it for weekly re­leases

Join our Discord to get to know us bet­ter

[LWN sub­scriber-only con­tent]

Welcome to LWN.net

The fol­low­ing sub­scrip­tion-only con­tent has been made avail­able to you by an LWN sub­scriber. Thousands of sub­scribers de­pend on LWN for the best news from the Linux and free soft­ware com­mu­ni­ties. If you en­joy this ar­ti­cle, please con­sider sub­scrib­ing to LWN. Thank you for vis­it­ing LWN.net!

Welcome to LWN.net

The fol­low­ing sub­scrip­tion-only con­tent has been made avail­able to you by an LWN sub­scriber. Thousands of sub­scribers de­pend on LWN for the best news from the Linux and free soft­ware com­mu­ni­ties. If you en­joy this ar­ti­cle, please con­sider sub­scrib­ing to LWN. Thank you for vis­it­ing LWN.net!

Agentic AI sys­tems can be used to do a va­ri­ety of things au­tonomously on be­half of a hu­man user: open or man­age bugs, gen­er­ate code, sub­mit pull-re­quests, and (apparently) even com­plain about re­jec­tion. In May, a Fedora de­vel­oper dis­cov­ered that an al­legedly rogue agent had been pes­ter­ing the pro­ject in a num­ber of ways: re­as­sign­ing bugs, fab­ri­cat­ing un­help­ful replies to bugs, and even per­suad­ing main­tain­ers to merge ques­tion­able code into the Anaconda in­staller. It also sub­mit­ted a num­ber of pull re­quests (PRs), some ac­cepted, to sev­eral up­stream pro­jects. The Fedora ac­count as­so­ci­ated with the agent has had its group priv­i­leges re­voked and the messes have been mopped up, but the mo­tive be­hind the agen­t’s ac­tions is still a mys­tery.

“Kind of er­ratic”

On May 27, Adam Williamson copied Fedora’s de­vel­oper and test­ing mail­ing lists on a mes­sage to Nathan Giovannini about what ap­peared to be an un­su­per­vised agen­tic AI sys­tem un­der Giovannini’s con­trol. “It’s great that you’re try­ing to fix things, but the re­sults seem to be kind of er­ratic.”

Williamson said that he was still look­ing through the his­tory of Giovannini’s ac­tions in Bugzilla, but had al­ready spot­ted a num­ber of prob­lems. For ex­am­ple, Williamson had found dozens of in­stances of Giovannini’s agent as­sign­ing Bugzilla en­tries to his ac­count af­ter sub­mit­ting al­legedly re­lated pull re­quests to up­stream pro­jects, or clos­ing a bug af­ter a PR was merged into an up­stream pro­ject. In some cases, the agent sim­ply closed bugs with com­ments that ei­ther re­stated the orig­i­nal bug or were, as Williamson said of this com­ment, “superficially plau­si­ble, but prob­lem­atic in other ways”.

In ad­di­tion, Williamson said that Giovannini (or his agent) had sub­mit­ted patches that were in­cor­rect and then “replied to ob­jec­tions with LLM-generated jus­ti­fi­ca­tions that even­tu­ally over­whelmed the main­tainer into merg­ing the fix”. The agent, as GitHub user “nathan9513-aps”, had sub­mit­ted a pull re­quest for the Anaconda in­staller used by Fedora and other Linux dis­tri­b­u­tions. The PR’s de­scrip­tion claimed it was a fix for an Anaconda bug that would cause in­stal­la­tion to fail, but the patch ac­tu­ally pre­served a ker­nel op­tion passed on the com­mand line that seemed to have noth­ing to do with the ac­tual bug.

The agen­t’s GitHub ac­count has since been dis­abled. It now shows up in con­ver­sa­tions on GitHub as “ghost”, which is the plat­for­m’s de­fault place­holder for user ac­counts that have been deleted. Thus, it is dif­fi­cult, if not im­pos­si­ble, to piece to­gether a full trail of all the agen­t’s ac­tions on GitHub.

Williamson said, rather diplo­mat­i­cally, that the agen­t’s ac­tions were not “having a pos­i­tive im­pact on Fedora or the up­stream pro­jects”, and sug­gested that Giovannini ad­just the agent to be “substantially less au­tonomous”. He specif­i­cally asked that the agent not as­sign bugs to Giovannini, change their state, or “post con­fi­dent as­ser­tions or spe­cific ac­tion rec­om­men­da­tions” with­out hu­man re­view.

Hacked?

Later on May 27, Williamson said that Giovannini had replied to him pri­vately to say that his cre­den­tials had been com­pro­mised and that he was not the one be­hind the AI sys­tem. “Obviously we should there­fore treat any ac­tions it has taken with sus­pi­cion”, Williamson said. He planned to re­view the bugs touched by Giovannini’s ac­count “even more ag­gres­sively”, and asked for help from oth­ers to re­view them as well.

A re­ply later that day, os­ten­si­bly from Giovannini, said that he was able to re­gain ac­cess to his GitHub and Fedora ac­counts “and I am cur­rently se­cur­ing and re­view­ing all in­volved sys­tems and cre­den­tials”. The re­ply said his GitHub ac­count was “nathangiovannini99″. Williamson replied that the GitHub ac­count was only an hour old, and that the re­cent emails to the list and sent to Williamson pri­vately did not seem like mes­sages Giovannini had sent in ear­lier in­ter­ac­tions with the pro­ject.

Giovannini has par­tic­i­pated in dis­cus­sions at least as far back as 2018, and his ac­tiv­ity in Bugzilla goes back to at least 2016. He does not ap­pear to have been a par­tic­u­larly ac­tive con­trib­u­tor to the pro­ject, but his in­volve­ment clearly pre­dates the agen­tic AI era. Whether his ac­count is now be­ing op­er­ated by a hu­man at­tacker, an agen­tic AI, or a mix of both, it has a le­git­i­mate his­tory prior to its re­cent ac­tiv­ity.

Williamson said that he had re­viewed ac­count ac­tiv­ity in Bugzilla by “nathan95” from this year, and found sus­pi­cious ac­tiv­ity, such as sever­ity and pri­or­ity changes to a bug with no jus­ti­fi­ca­tion, be­gin­ning on April 7, in bug 2416721. Activity be­fore that ap­peared le­git­i­mate, he said, and none of the ac­tiv­ity that he had seen so far looked out­right ma­li­cious.

He also iden­ti­fied an­other GitHub ac­count, “leurus27-boop”, as likely be­ing as­so­ci­ated with the same agen­tic AI. That ac­count is still ac­tive, and has sub­mit­ted a PR to the open­SUSE Commander (osc) com­mand-line in­ter­face for the Open Build Service as well as a PR to the lxqt-pol­i­cykit repos­i­tory. That pro­ject is used to ex­tend the priv­i­leges of the LXQt desk­top’s lxqt-ad­min GUI tools for ad­min­is­ter­ing op­er­at­ing-sys­tem set­tings such as user and group con­fig­u­ra­tions.

Williamson said that it would be good to look through any other ac­tions by the re­lated ac­counts and warn other pro­jects that they should re­view any­thing that had been sub­mit­ted by them. Williamson seems to have fol­lowed up on each PR to warn other main­tain­ers “the whole sit­u­a­tion is ex­tremely fishy”. Kevin Fenzi said that he had re­moved the nathan95 user from any groups it had been in, so it should no longer have the per­mis­sion to re­as­sign or close bugs.

Pre-attack?

Martin Kolman, a mem­ber of the Anaconda team, said the events were “really prob­lem­atic” even if not ma­li­cious. The team had spent a lot of time re­view­ing PRs from what seemed to be an ea­ger con­trib­u­tor: “while it started to look off af­ter a while, all the replies were still like this - a bit weird, but still *plausible*”. He also the­o­rized that it could be an at­tacker work­ing their way up to ma­li­cious ac­tiv­ity, much like the XZ back­door:

Unfortunately, for an ac­tual at­tack the prepara­tory phase could (and for the Xz at­tack did) look very sim­i­lar - a new con­trib­u­tor slowly gain­ing trust in the com­mu­nity, get­ting in harm­less changes and build­ing up to the point when the at­tack pay­load can be in­jected (or the changes not ac­tu­ally be­ing harm­less if com­bined the right way).

So not say­ing this was it, but an AI agent au­to­mated at­tempt at a Xz like com­pro­mise might re­ally look very sim­i­lar what we have just seen here.

Unfortunately, for an ac­tual at­tack the prepara­tory phase could (and for the Xz at­tack did) look very sim­i­lar - a new con­trib­u­tor slowly gain­ing trust in the com­mu­nity, get­ting in harm­less changes and build­ing up to the point when the at­tack pay­load can be in­jected (or the changes not ac­tu­ally be­ing harm­less if com­bined the right way).

So not say­ing this was it, but an AI agent au­to­mated at­tempt at a Xz like com­pro­mise might re­ally look very sim­i­lar what we have just seen here.

Chris Adams said that the com­mit to Anaconda should be in­spected and prob­a­bly re­verted im­me­di­ately. Kolman replied that it had been re­verted. He also con­firmed that the LLM-generated PRs had made it into the Anaconda 45.5 re­lease on May 26. They were re­verted in the Anaconda 45.6 re­lease on June 2.

The tar­gets cer­tainly sug­gest that it may have been a pre­lude to an at­tack of some sort; an op­er­at­ing-sys­tem in­staller, a util­ity for es­ca­lat­ing user priv­i­leges, and a tool for in­ter­act­ing with a build sys­tem all seem like promis­ing av­enues for in­sert­ing mal­ware or hi­jack­ing sys­tems.

It’s dis­con­cert­ing that what ap­pears to be an AI agent has had so much suc­cess af­ter gain­ing ac­cess to a hu­man con­trib­u­tor’s ac­counts. It seems that an AI agent with ac­cess to an ac­count with a le­git­i­mate his­tory of in­ter­act­ing with pro­jects stands a good chance of per­suad­ing busy main­tain­ers to ac­cept ques­tion­able con­tri­bu­tions. Happily, Williamson caught this be­fore it be­came a big­ger prob­lem. Let’s hope that other hu­man main­tain­ers are as ob­ser­vant.

Back in 1999, 87 acres of land in Taylor, Texas, was do­nated (nominal fee $10) to the city by a farmer, with a con­di­tion in the deed that it would be used for com­mu­nity park­land. In 2025, the land was sold for $10M to a data cen­ter de­vel­oper, who has won sev­eral le­gal bat­tles against the nearby res­i­dents who are try­ing to stop the mas­sive con­struc­tion pro­ject, re­ports 404 Media. Now, the dis­grun­tled lo­cals are plan­ning to take their case to an ap­peals court.

To in­tro­duce this case, let’s go back to 1999, when the $10 deed was inked. For some back­ground, 404 Media talked to long-time lo­cal Pamela Griffin, who used to play on the farm­land, and watched her chil­dren grow up and en­joy the same free­dom. Griffin re­called that old farmer Mr. Bland used to talk to her fa­ther from time to time. According to her, Bland once said to her dad, “I see the kids don’t re­ally have nowhere to play.” He con­tin­ued, “I’m think­ing about giv­ing this land for park­land be­cause these kids need some­where to play.” The orig­i­nal July 1999 deed has since been un­earthed, and the farmer did in­deed fol­low through with his words. Now, let’s make the fol­low­ing chain of events sim­ple us­ing a bul­let point time­line:

Pre 1999 — a farmer’s promise to his neigh­bors,

July 7, 1999 — Bland granted the land to the Texas Parks and Recreation Foundation, a pub­lic trust, for $10 on the con­di­tion it be used as a park,

2003 - Texas Parks and Recreation Foundation granted the land to an­other non-profit called the Williamson County Park Foundation,

2003, one month later, Williamson County Park Foundation gave the land to the City of Taylor,

2008 - the city of Taylor sold the land to the Taylor Economic Development Corporation (TEDC) for $15,000,

2025 — TEDC sold the land to data cen­ter de­vel­op­ers Blueprint for $10 mil­lion.

This is quite a tale, and there ap­pears to be a lot at stake for par­ties on ei­ther side of the dis­pute. In sum­mary, lo­cals face a mul­ti­tude of un­de­sir­able side ef­fects com­ing from hav­ing a data cen­ter in their back­yard. There’s also the prin­ci­ple of the orig­i­nal deed be­ing ig­nored, a big deal in Texas. Meanwhile, the coun­cil as­serts that stop­ping this kind of de­vel­op­ment (in the city zone it is sit­u­ated) is be­yond its scope, and the mil­lions in tax raised will ben­e­fit res­i­dents.

Griffin only found out about the planned 135,000-square-foot data cen­ter on the land when lo­cal or­ga­niz­ers called around the neigh­bor­hood to raise aware­ness in 2025. She did­n’t even know what a data cen­ter was at the time. Looking it up with her fam­ily, the idea of such a con­struc­tion on your doorstep did­n’t ap­peal.

Locals like Griffin be­came con­cerned about im­pacts to air, wa­ter, elec­tric­ity, and noise. In cor­re­spon­dence with the City Council, they have been as­sured that work will be done to min­i­mize health risks to peo­ple liv­ing nearby. Mitigations like a bar­rier wall, land­scap­ing, closed-loop wa­ter cool­ing, and the de­vel­op­ers build­ing their own power sub­sta­tion were men­tioned.

While folks might not want to live near a data cen­ter for the afore­men­tioned rea­sons. It may also neg­a­tively im­pact the re­sale price of nearby homes. However, the City Council says that the ex­pected ex­tra $30M in tax rev­enue over the com­ing decade will be a pos­i­tive for the area. With $20M ear­marked for the school dis­trict.

Meanwhile, the coun­cil has also painted its sit­u­a­tion as one where it is pow­er­less to re­sist the data cen­ter de­vel­op­ment. This was made clear in a coun­cil web­site FAQ. 404 Media in­ves­ti­ga­tions re­vealed that this lack of power to change the course of the de­vel­op­ment is likely be­cause of the prop­er­ty’s ex­ist­ing Employment Center zon­ing. The City can only reg­u­late form, not func­tion, it seems. However, the dev has­n’t yet se­cured the City’s ap­proval for plan­ning and build­ing per­mits.

Get Tom’s Hardware’s best news and in-depth re­views, straight to your in­box.

With the lack of sat­is­fac­tory re­sponse from the coun­cil, Griffin and her fam­ily de­cided to hire a lawyer. There then fol­lowed a se­ries of le­gal dis­putes, which, so far, have fa­vored Blueprint. Nevertheless, Griffin and fam­ily mem­bers are fil­ing an ap­peal with the Third Court of Appeals in Austin, Texas.

Land deeds are pow­er­ful doc­u­ments in Texas. Activists op­posed to the data cen­ter un­earthed the orig­i­nal July 7, 1999, deed, which is shared on the 404 Media site. Indeed, we can see the le­gal doc­u­ment does stip­u­late that the 87.97 acres of land “be held in trust for fu­ture use as park­land.”

Central to Griffin’s de­ter­mi­na­tion to con­tinue is the no­tion that “I’m not fight­ing just be­cause of a data cen­ter. I’m fight­ing be­cause this land was deeded for park­land.” Texas deeds need to be up­held, and the com­mu­nity should have a park, ac­cord­ing to the res­i­dent.

Follow Tom’s Hardware on Google News, or add us as a pre­ferred source, to get our lat­est news, analy­sis, & re­views in your feeds.

Mark Tyson is a news ed­i­tor at Tom’s Hardware. He en­joys cov­er­ing the full breadth of PC tech; from busi­ness and semi­con­duc­tor de­sign to prod­ucts ap­proach­ing the edge of rea­son.

We’re check­ing if you’re a real per­son and not an au­to­mated bad bot. Usually, the captcha be­low will com­plete it­self. If it does­n’t, sim­ply click the check­box in the captcha to ver­ify. Once ver­i­fied, you’ll be taken to the page you wanted to visit.

If for some rea­son af­ter ver­i­fy­ing the captcha above, you are con­stantly be­ing redi­rected to this ex­act same page to re-ver­ify the captcha again, then please click on the but­ton be­low to get in touch with the sup­port team.

Preflight Checklist

I have searched ex­ist­ing is­sues and this has­n’t been re­ported yet

This is a sin­gle bug re­port (please file sep­a­rate re­ports for dif­fer­ent bugs)

I am us­ing the lat­est ver­sion of Claude Code

What’s Wrong?

[BUG] Claude Desktop spawns 1.8 GB Hyper-V VM on every launch, even for chat-only use Environment

Note: This is­sue is spe­cific to the Claude Desktop app (Windows), not Claude Code CLI.

OS: Windows 11 Pro 25H2, Build 26200.7840 Hardware: Razer Blade 15 Base Model (Late 2020), i7 – 10750H, 16 GB RAM Claude Desktop: Latest ver­sion as of 2/26/2026 Windows Features: VirtualMachinePlatform en­abled; Hyper-V, WSL, Docker, and Windows Sandbox are all dis­abled Core Isolation / Memory Integrity: Off

Summary The Claude Desktop app launches a Hyper-V vir­tual ma­chine (Vmmem) con­sum­ing ap­prox­i­mately 1.8 GB of RAM every time it starts — even when the user only needs chat func­tion­al­ity and has no in­ten­tion of us­ing Cowork or agent mode. On a 16 GB lap­top, this rep­re­sents over 11% of to­tal mem­ory con­sumed by in­fra­struc­ture that is­n’t be­ing used. Steps to Reproduce

Install Claude Desktop on Windows 11 with VirtualMachinePlatform en­abled Use Cowork/agent mode at least once (this cre­ates ses­sion files) Close and re­open Claude Desktop — or sim­ply re­boot the ma­chine Open Task Manager and ob­serve Vmmem con­sum­ing ~1,800 MB

What Happens On every launch, the Claude Desktop app trig­gers the Hyper-V Host Compute Service (vmcompute) via an RPC in­ter­face event, which spawns a vmwp.exe process host­ing a full vir­tual ma­chine. This VM ap­pears as “Vmmem” in Task Manager at ap­prox­i­mately 1,796 – 1,846 MB. The Hyper-V Compute Admin event log shows re­peated er­rors: “The spec­i­fied prop­erty query is in­valid: The vir­tual ma­chine or con­tainer JSON doc­u­ment is in­valid. (0xC037010D, ‘Invalid JSON doc­u­ment ‘$’’)” These er­rors have been oc­cur­ring since at least 2/19/2026, trig­gered on every boot and app launch. Root Cause Investigation Through ex­ten­sive PowerShell di­ag­nos­tics, we con­firmed:

WSL is not in­stalled — wsl –shutdown re­turns “not in­stalled” Hyper-V man­age­ment tools are not in­stalled — Get-VM fails Docker is not in­stalled — no Docker processes found Windows Sandbox is dis­abled Core Isolation / Memory Integrity is off (and was off be­fore this is­sue started) VirtualizationBasedSecurityStatus shows 2 (running), likely due to LSA Protection be­ing en­abled — but this alone does­n’t ex­plain the 1.8 GB VM The only en­abled vir­tu­al­iza­tion fea­ture is VirtualMachinePlatform

The vm­com­pute ser­vice is set to Manual start but is trig­gered at boot by an RPC in­ter­face event (GUID: bc90d167 – 9470-4139-a9ba-be0bbbf5b74d). The par­ent process is ser­vices.exe (PID 1400), con­firm­ing it’s a ser­vice trig­ger, not a user-ini­ti­ated launch. We found 2,689 stale ses­sion files in %APPDATA%\Claude\local-agent-mode-sessions\ — all from pre­vi­ous Cowork ses­sions that were never cleaned up. Session names fol­low Docker-style nam­ing (e.g., “nifty-dreamy-volta”, “tender-vigilant-goodall”, “admiring-elegant-johnson”). Even af­ter delet­ing all 2,689 files and killing vm­com­pute/​vmwp, sim­ply re­open­ing the Claude Desktop app im­me­di­ately respawned the VM and the 1.8 GB Vmmem process. Impact On a 16 GB sys­tem, this bug causes mem­ory us­age to jump from ~50% to ~62% at idle be­fore the user does any­thing. Combined with nor­mal ap­pli­ca­tion load, this pushes to­tal us­age to 70 – 75%, caus­ing sys­tem slug­gish­ness and forc­ing the user to man­u­ally kill VM processes af­ter every launch. Expected Behavior

The Claude Desktop app should not spawn a VM for chat-only ses­sions If Cowork in­fra­struc­ture is needed, it should ini­tial­ize on de­mand — only when the user ac­tu­ally starts a Cowork/agent ses­sion Stale ses­sion files from pre­vi­ous Cowork ses­sions should be cleaned up au­to­mat­i­cally, not ac­cu­mu­late in­def­i­nitely (2,689 files in our case) The app should fall back to chat-only mode if VM ini­tial­iza­tion fails or is un­nec­es­sary, rather than un­con­di­tion­ally start­ing VM in­fra­struc­ture

Current Workaround The only re­li­able workaround is to dis­able VirtualMachinePlatform en­tirely: pow­er­shellD­is­able-Win­dow­sOp­tion­alFea­ture -Online -FeatureName “VirtualMachinePlatform” -NoRestart This pre­vents the VM from launch­ing but also dis­ables Cowork func­tion­al­ity. Alternatively, the user can kill the VM processes af­ter every launch: pow­er­shell­Stop-Process -Name vmwp -Force Stop-Process -Name vm­com­pute -Force Chat func­tion­al­ity con­tin­ues to work nor­mally af­ter killing these processes. Request Please mod­ify the Claude Desktop app so that:

VM/container in­fra­struc­ture only ini­tial­izes when Cowork or agent mode is ac­tively re­quested Old ses­sion data is cleaned up au­to­mat­i­cally af­ter ses­sions end The app grace­fully han­dles the ab­sence of VM in­fra­struc­ture with­out de­graded chat per­for­mance

What Should Happen?

The Claude Desktop app should not spawn a Hyper-V VM (Vmmem, ~1.8 GB RAM) when launch­ing for chat-only use. VM/container in­fra­struc­ture should only ini­tial­ize when the user ac­tively starts a Cowork or agent ses­sion. Stale ses­sion files should be cleaned up au­to­mat­i­cally af­ter ses­sions end.

Error Messages/Logs

Hyper-V Compute Admin log shows re­peated er­rors on every boot: “The spec­i­fied prop­erty query is in­valid: The vir­tual ma­chine or con­tainer JSON doc­u­ment is in­valid. (0xC037010D, ‘Invalid JSON doc­u­ment ‘$’’)”

Steps to Reproduce

Install Claude Desktop on Windows 11 with VirtualMachinePlatform en­abled

Use Cowork at least once

Close and re­open Claude Desktop (or re­boot)

Observe Vmmem in Task Manager con­sum­ing ~1,800 MB at 0% CPU

Claude Model

Not sure / Multiple mod­els

Is this a re­gres­sion?

I don’t know

Last Working Version

No re­sponse

Claude Code Version

Claude Desktop (Windows) lat­est as of 2/26/2026

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

See de­tailed bug re­port in de­scrip­tion above.

Jun 10, 2026

Our newest open ex­per­i­men­tal model de­liv­ers up to 4x faster in­fer­ence on ded­i­cated GPUs and opens the door to ex­plor­ing speed-crit­i­cal, in­ter­ac­tive lo­cal work­flows.

Brendan O’Donoghue

Research Scientist

Sebastian Flennerhag

Research Scientist

Today, we’re in­tro­duc­ing DiffusionGemma, an ex­per­i­men­tal open model that ex­plores text dif­fu­sion, an ex­cep­tion­ally fast ap­proach to text gen­er­a­tion. Released un­der an Apache 2.0 li­cense, this 26B Mixture of Experts (MoE) model moves be­yond the se­quen­tial to­ken-by-to­ken pro­cess­ing of typ­i­cal au­tore­gres­sive Large Language Models (LLMs). Instead, it gen­er­ates en­tire blocks of text si­mul­ta­ne­ously, de­liv­er­ing up to 4x faster text gen­er­a­tion on GPUs.

Built upon the in­dus­try-lead­ing in­tel­li­gence-per-pa­ra­me­ter of our Gemma 4 fam­ily and cut­ting-edge Gemini Diffusion re­search, DiffusionGemma in­te­grates a novel dif­fu­sion head de­signed to max­i­mize gen­er­a­tion speed. While au­tore­gres­sive Gemma 4 mod­els re­main the stan­dard for high-qual­ity pro­duc­tion out­puts, DiffusionGemma is de­signed for re­searchers and de­vel­op­ers ex­plor­ing speed-crit­i­cal, in­ter­ac­tive lo­cal work­flows such as in-line edit­ing, rapid it­er­a­tion, and gen­er­at­ing non-lin­ear text struc­tures.

Unlocking new value for de­vel­op­ers

Developers build­ing real-time in­ter­ac­tive AI ap­pli­ca­tions of­ten strug­gle with the la­tency bot­tle­necks of lo­cal in­fer­ence. DiffusionGemma ad­dresses these chal­lenges di­rectly, with some key trade-offs:

Blazing fast in­fer­ence: By shift­ing the de­code bot­tle­neck from mem­ory-band­width to com­pute, DiffusionGemma gen­er­ates up to 4x faster to­ken out­put on ded­i­cated GPUs. (1000+ to­kens per sec­ond on a sin­gle NVIDIA H100, 700+ to­kens per sec­ond on NVIDIA GeForce RTX 5090).

1

Accessible hard­ware foot­print: Operating as a 26B to­tal Mixture of Experts (MoE) model that ac­ti­vates only 3.8B pa­ra­me­ters dur­ing in­fer­ence, DiffusionGemma fits com­fort­ably within 18GB VRAM lim­its of high-end ded­i­cated con­sumer GPUs when quan­tized.

Bi-directional at­ten­tion: Generating 256 to­kens in par­al­lel with each for­ward pass al­lows every to­ken to at­tend to all oth­ers. This pro­vides sig­nif­i­cant ad­van­tages for non-lin­ear do­mains such as in-line edit­ing, code in­fill­ing, amino acid se­quences or math­e­mat­i­cal graphs.

Intelligent self-cor­rec­tion: The model it­er­a­tively re­fines its own out­put, al­low­ing it to eval­u­ate the en­tire text block at once to fix mis­takes in real-time.

Experimental sta­tus & pro­duc­tion rec­om­men­da­tions: Because it pri­or­i­tizes speed and par­al­lel lay­out gen­er­a­tion, DiffusionGemma’s over­all out­put qual­ity is lower than stan­dard Gemma 4. For ap­pli­ca­tions that de­mand max­i­mum qual­ity, we rec­om­mend de­ploy­ing stan­dard Gemma 4.

You can im­prove DiffusionGemma’s per­for­mance on spe­cific tasks through fine-tun­ing. In the ex­am­ple be­low, Unsloth fine-tuned DiffusionGemma to play Sudoku — a task au­tore­gres­sive mod­els strug­gle with be­cause each to­ken de­pends on fu­ture to­kens. DiffusionGemma’s bi-di­rec­tional at­ten­tion makes this much eas­ier.

Fine-tuned DiffusionGemma solv­ing Sudoku.

Why dif­fu­sion for text?

While the AI re­search com­mu­nity has ex­plored dif­fu­sion-based text gen­er­a­tion for years, ap­ply­ing it to large mod­els has re­mained a chal­lenge. DiffusionGemma changes this by shift­ing how mod­els use hard­ware.

The trade-off with tra­di­tional mod­els

Most lan­guage mod­els act like a type­writer, gen­er­at­ing one to­ken at a time from left to right. In the cloud, this is ef­fi­cient be­cause servers can batch thou­sands of user re­quests to­gether to share the hard­ware load. But when run lo­cally for a sin­gle user, this word-by-word process leaves your ded­i­cated GPU or TPU un­der­uti­lized — it spends most of its time sim­ply wait­ing for the next “keystroke.”

DiffusionGemma re­verses this in­ef­fi­ciency. Instead of pre­dict­ing words se­quen­tially, it drafts an en­tire 256-token para­graph si­mul­ta­ne­ously. By giv­ing the com­put­er’s proces­sor a larger chunk of work at once, DiffusionGemma uti­lizes your hard­ware to its full po­ten­tial. It up­grades your model in­fer­ence from a sin­gle, se­quen­tial type­writer to a mas­sive print­ing press that stamps the en­tire block of text si­mul­ta­ne­ously.

DiffusionGemma text-to-3D SVG demo by Hugging Face. Step-by-step gen­er­a­tion.

This means DiffusionGemma’s speedup is de­signed for lo­cal and low-con­cur­rency in­fer­ence. In high-QPS cloud serv­ing, au­tore­gres­sive mod­els can be de­ployed to sat­u­rate com­pute ef­fi­ciently, so DiffusionGemma’s par­al­lel de­cod­ing of­fers di­min­ish­ing re­turns and can re­sult in higher serv­ing costs. The through­put ad­van­tage is strongest at low-to-medium batch sizes on a sin­gle ac­cel­er­a­tor.

How text dif­fu­sion works

Similar to AI im­age gen­er­a­tors that start with vi­sual sta­tic and it­er­a­tively re­fine it into a clear pic­ture, DiffusionGemma ap­plies this to text:

The can­vas: The model starts with a can­vas of ran­dom place­holder to­kens.

Iterative re­fine­ment: The model makes mul­ti­ple passes, lock­ing in cor­rect to­kens and us­ing them as con­text clues to re­fine the rest.

Final pol­ish: The text con­verges into high-qual­ity out­put.

Because the model can process the whole para­graph while gen­er­at­ing, it un­locks new pat­terns of model be­hav­ior, like per­fectly clos­ing com­plex mark­down for­mat­ting or gen­er­at­ing and ren­der­ing code in near real-time.

Get started to­day

Download the weights: Access the ex­per­i­men­tal model weights (released un­der a per­mis­sive Apache 2.0 li­cense) right now on Hugging Face.

Integrate & learn: Learn more in our DiffusionGemma de­vel­oper guide. Or deep dive into A Visual Guide to DiffusionGemma to un­der­stand the me­chan­ics un­der the hood.

Use your fa­vorite de­vel­op­ment tools: Serve the model ef­fi­ciently us­ing MLX, vLLM (with in­te­gra­tion sup­ported by Red Hat), and Hugging Face Transformers. For rapid ex­per­i­men­ta­tion, we are re­leas­ing a fine-tun­ing tu­to­r­ial us­ing Hackable Diffusion, a mod­u­lar JAX tool­box de­signed for com­pos­abil­ity. You can also ex­plore fine-tun­ing with Unsloth and NVIDIA NeMo. Additionally, of­fi­cial sup­port for llama.cpp is ar­riv­ing soon.

Experience op­ti­mized per­for­mance: We worked with NVIDIA to op­ti­mize across their hard­ware stack, en­sur­ing com­pat­i­bil­ity with con­sumer se­tups (quantized for GeForce RTX 5090 and 4090 GPUs) along­side high per­for­mance on en­ter­prise sys­tems (Hopper and Blackwell us­ing ad­vanced NVFP4 ker­nels), in­clud­ing NVIDIA DGX Spark and DGX Station for lo­cal desk­side de­ploy­ment, and RTX PRO for AI pro­fes­sion­als. Native sup­port for NVFP4 (4-bit float­ing-point) ac­cel­er­ates com­pute through­put, al­low­ing the model to run at faster speeds with near-loss­less ac­cu­racy.

Try your way: Run on your desk­top ded­i­cated GPU or in the cloud through Gemini Enterprise Agent Platform Model Garden or NVIDIA NIM.

1

Note: Because this speedup re­lies on ex­ploit­ing the high arith­metic in­ten­sity of ac­cel­er­a­tors, uni­fied-mem­ory ar­chi­tec­tures like those in Apple Silicon Macs — which are of­ten mem­ory-band­width-bound rather than com­pute-bound dur­ing in­fer­ence — may not see the same ac­cel­er­a­tion over au­tore­gres­sive mod­els like Gemma 4.

Related sto­ries

Related sto­ries

.

With the re­lease of Claude Fable, it is clear that Anthropic is pro­gress­ing from po­ems to en­ter­prise-scale nar­ra­tive ob­jects. To keep pace with com­peti­tors, the com­pany is de­vel­op­ing a broad port­fo­lio of mod­els op­ti­mized for the full lit­er­ary stack.