A lot has al­ready been said about the ab­surdly large cor­ner ra­dius of win­dows on ma­cOS Tahoe. People are call­ing the way it looks com­i­cal, like a child’s toy, or down­right in­sane.

Setting all the aes­thetic is­sues aside — which are to some ex­tent a mat­ter of taste — it also comes at a cost in terms of us­abil­ity.

Since up­grad­ing to ma­cOS Tahoe, I’ve no­ticed that quite of­ten my at­tempts to re­size a win­dow are fail­ing.

This never hap­pened to me be­fore in al­most 40 years of us­ing com­put­ers. So why all of a sud­den?

It turns out that my ini­tial click in the win­dow cor­ner in­stinc­tively hap­pens in an area where the win­dow does­n’t re­spond to it. The win­dow ex­pects this click to hap­pen in an area of 19 × 19 pix­els, lo­cated near the win­dow cor­ner.

If the win­dow had no rounded cor­ners at all, 62% of that area would lie in­side the win­dow:

But due to the huge cor­ner ra­dius in Tahoe, most of it — about 75% — now lies out­side the win­dow:

Living on this planet for quite a few decades, I have learned that it rarely works to grab things if you don’t ac­tu­ally touch them:

So I in­stinc­tively try to grab the win­dow cor­ner in­side the win­dow, typ­i­cally some­where in that green area, near the blue dot:

And I as­sume that most peo­ple would also in­tu­itively ex­pect to be able to grab the cor­ner there. But no, that’s al­ready out­side the ac­cepted tar­get area:

So, for ex­am­ple, grab­bing it here does not work:

But guess what — grab­bing it here does:

So in the end, the most re­li­able way to re­size a win­dow in Tahoe is to grab it out­side the cor­ner — a ges­ture that feels un­nat­ural and un­in­tu­itive, and is there­fore in­evitably er­ror-prone.

When we re­leased Claude Code, we ex­pected de­vel­op­ers to use it for cod­ing. They did—and then quickly be­gan us­ing it for al­most every­thing else. This prompted us to build Cowork: a sim­pler way for any­one—not just de­vel­op­ers—to work with Claude in the very same way. Cowork is avail­able to­day as a re­search pre­view for Claude Max sub­scribers on our ma­cOS app, and we will im­prove it rapidly from here.

How is us­ing Cowork dif­fer­ent from a reg­u­lar con­ver­sa­tion? In Cowork, you give Claude ac­cess to a folder of your choos­ing on your com­puter. Claude can then read, edit, or cre­ate files in that folder. It can, for ex­am­ple, re-or­ga­nize your down­loads by sort­ing and re­nam­ing each file, cre­ate a new spread­sheet with a list of ex­penses from a pile of screen­shots, or pro­duce a first draft of a re­port from your scat­tered notes.

In Cowork, Claude com­pletes work like this with much more agency than you’d see in a reg­u­lar con­ver­sa­tion. Once you’ve set it a task, Claude will make a plan and steadily com­plete it, while loop­ing you in on what it’s up to. If you’ve used Claude Code, this will feel fa­mil­iar—Cowork is built on the very same foun­da­tions. This means Cowork can take on many of the same tasks that Claude Code can han­dle, but in a more ap­proach­able form for non-cod­ing tasks.

When you’ve mas­tered the ba­sics, you can make Cowork more pow­er­ful still. Claude can use your ex­ist­ing con­nec­tors, which link Claude to ex­ter­nal in­for­ma­tion, and in Cowork we’ve added an ini­tial set of skills that im­prove Claude’s abil­ity to cre­ate doc­u­ments, pre­sen­ta­tions, and other files. If you pair Cowork with Claude in Chrome, Claude can com­plete tasks that re­quire browser ac­cess, too.

Cowork is de­signed to make us­ing Claude for new work as sim­ple as pos­si­ble. You don’t need to keep man­u­ally pro­vid­ing con­text or con­vert­ing Claude’s out­puts into the right for­mat. Nor do you have to wait for Claude to fin­ish be­fore of­fer­ing fur­ther ideas or feed­back: you can queue up tasks and let Claude work through them in par­al­lel. It feels much less like a back-and-forth and much more like leav­ing mes­sages for a coworker.

In Cowork, you can choose which fold­ers and con­nec­tors Claude can see: Claude can’t read or edit any­thing you don’t give it ex­plicit ac­cess to. Claude will also ask be­fore tak­ing any sig­nif­i­cant ac­tions, so you can steer or course-cor­rect it as you need.

That said, there are still things to be aware of be­fore you give Claude con­trol. By de­fault, the main thing to know is that Claude can take po­ten­tially de­struc­tive ac­tions (such as delet­ing lo­cal files) if it’s in­structed to. Since there’s al­ways some chance that Claude might mis­in­ter­pret your in­struc­tions, you should give Claude very clear guid­ance around things like this.

You should also be aware of the risk of “prompt in­jec­tions”: at­tempts by at­tack­ers to al­ter Claude’s plans through con­tent it might en­counter on the in­ter­net. We’ve built so­phis­ti­cated de­fenses against prompt in­jec­tions, but agent safety—that is, the task of se­cur­ing Claude’s real-world ac­tions—is still an ac­tive area of de­vel­op­ment in the in­dus­try.

These risks aren’t new with Cowork, but it might be the first time you’re us­ing a more ad­vanced tool that moves be­yond a sim­ple con­ver­sa­tion. We rec­om­mend tak­ing pre­cau­tions, par­tic­u­larly while you learn how it works. We pro­vide more de­tail in our Help Center.

This is a re­search pre­view. We’re re­leas­ing Cowork early be­cause we want to learn what peo­ple use it for, and how they think it could be bet­ter. We en­cour­age you to ex­per­i­ment with what Cowork can do for you, and to try things you don’t ex­pect to work: you might be sur­prised! As we learn more from this pre­view, we plan to make lots of im­prove­ments (including by adding cross-de­vice sync and bring­ing it to Windows), and we’ll iden­tify fur­ther ways to make it safer.

Claude Max sub­scribers can try Cowork now by down­load­ing the ma­cOS app, then click­ing on “Cowork” in the side­bar. If you’re on an­other plan, you can join the wait­list for fu­ture ac­cess.

I love writ­ing soft­ware, line by line. It could be said that my ca­reer was a con­tin­u­ous ef­fort to cre­ate soft­ware well writ­ten, min­i­mal, where the hu­man touch was the fun­da­men­tal fea­ture. I also hope for a so­ci­ety where the last are not for­got­ten. Moreover, I don’t want AI to eco­nom­i­cally suc­ceed, I don’t care if the cur­rent eco­nomic sys­tem is sub­verted (I could be very happy, hon­estly, if it goes in the di­rec­tion of a mas­sive re­dis­tri­b­u­tion of wealth). But, I would not re­spect my­self and my in­tel­li­gence if my idea of soft­ware and so­ci­ety would im­pair my vi­sion: facts are facts, and AI is go­ing to change pro­gram­ming for­ever.

In 2020 I left my job in or­der to write a novel about AI, uni­ver­sal ba­sic in­come, a so­ci­ety that adapted to the au­toma­tion of work fac­ing many chal­lenges. At the very end of 2024 I opened a YouTube chan­nel fo­cused on AI, its use in cod­ing tasks, its po­ten­tial so­cial and eco­nom­i­cal ef­fects. But while I rec­og­nized what was go­ing to hap­pen very early, I thought that we had more time be­fore pro­gram­ming would be com­pletely re­shaped, at least a few years. I no longer be­lieve this is the case. Recently, state of the art LLMs are able to com­plete large sub­tasks or medium size pro­jects alone, al­most unas­sisted, given a good set of hints about what the end re­sult should be. The de­gree of suc­cess you’ll get is re­lated to the kind of pro­gram­ming you do (the more iso­lated, and the more tex­tu­ally rep­re­sentable, the bet­ter: sys­tem pro­gram­ming is par­tic­u­larly apt), and to your abil­ity to cre­ate a men­tal rep­re­sen­ta­tion of the prob­lem to com­mu­ni­cate to the LLM. But, in gen­eral, it is now clear that for most pro­jects, writ­ing the code your­self is no longer sen­si­ble, if not to have fun.

In the past week, just prompt­ing, and in­spect­ing the code to pro­vide guid­ance from time to time, in a few hours I did the fol­low­ing four tasks, in hours in­stead of weeks:

1. I mod­i­fied my linenoise li­brary to sup­port UTF-8, and cre­ated a frame­work for line edit­ing test­ing that uses an em­u­lated ter­mi­nal that is able to re­port what is get­ting dis­played in each char­ac­ter cell. Something that I al­ways wanted to do, but it was hard to jus­tify the work needed just to test a side pro­ject of mine. But if you can just de­scribe your idea, and it ma­te­ri­al­izes in the code, things are very dif­fer­ent.

2. I fixed tran­sient fail­ures in the Redis test. This is very an­noy­ing work, tim­ing re­lated is­sues, TCP dead­lock con­di­tions, and so forth. Claude Code it­er­ated for all the time needed to re­pro­duce it, in­spected the state of the processes to un­der­stand what was hap­pen­ing, and fixed the bugs.

3. Yesterday I wanted a pure C li­brary that would be able to do the in­fer­ence of BERT like em­bed­ding mod­els. Claude Code cre­ated it in 5 min­utes. Same out­put and same speed (15% slower) than PyTorch. 700 lines of code. A Python tool to con­vert the GTE-small model.

4. In the past weeks I op­er­ated changes to Redis Streams in­ter­nals. I had a de­sign doc­u­ment for the work I did. I tried to give it to Claude Code and it re­pro­duced my work in, like, 20 min­utes or less (mostly be­cause I’m slow at check­ing and au­tho­riz­ing to run the com­mands needed).

It is sim­ply im­pos­si­ble not to see the re­al­ity of what is hap­pen­ing. Writing code is no longer needed for the most part. It is now a lot more in­ter­est­ing to un­der­stand what to do, and how to do it (and, about this sec­ond part, LLMs are great part­ners, too). It does not mat­ter if AI com­pa­nies will not be able to get their money back and the stock mar­ket will crash. All that is ir­rel­e­vant, in the long run. It does not mat­ter if this or the other CEO of some uni­corn is telling you some­thing that is off putting, or ab­surd. Programming changed for­ever, any­way.

How do I feel, about all the code I wrote that was in­gested by LLMs? I feel great to be part of that, be­cause I see this as a con­tin­u­a­tion of what I tried to do all my life: de­moc­ra­tiz­ing code, sys­tems, knowl­edge. LLMs are go­ing to help us to write bet­ter soft­ware, faster, and will al­low small teams to have a chance to com­pete with big­ger com­pa­nies. The same thing open source soft­ware did in the 90s.

However, this tech­nol­ogy is far too im­por­tant to be in the hands of a few com­pa­nies. For now, you can do the pre-train­ing bet­ter or not, you can do re­in­force­ment learn­ing in a much more ef­fec­tive way than oth­ers, but the open mod­els, es­pe­cially the ones pro­duced in China, con­tinue to com­pete (even if they are be­hind) with fron­tier mod­els of closed labs. There is a suf­fi­cient de­moc­ra­ti­za­tion of AI, so far, even if im­per­fect. But: it is ab­solutely not ob­vi­ous that it will be like that for­ever. I’m scared about the cen­tral­iza­tion. At the same time, I be­lieve neural net­works, at scale, are sim­ply able to do in­cred­i­ble things, and that there is not enough “magic” in­side cur­rent fron­tier AI for the other labs and teams not to catch up (otherwise it would be very hard to ex­plain, for in­stance, why OpenAI, Anthropic and Google are so near in their re­sults, for years now).

As a pro­gram­mer, I want to write more open source than ever, now. I want to im­prove cer­tain repos­i­to­ries of mine aban­doned for time con­cerns. I want to ap­ply AI to my Redis work­flow. Improve the Vector Sets im­ple­men­ta­tion and then other data struc­tures, like I’m do­ing with Streams now.

But I’m wor­ried for the folks that will get fired. It is not clear what the dy­namic at play will be: will com­pa­nies try to have more peo­ple, and to build more? Or will they try to cut salary costs, hav­ing fewer pro­gram­mers that are bet­ter at prompt­ing? And, there are other sec­tors where hu­mans will be­come com­pletely re­place­able, I fear.

What is the so­cial so­lu­tion, then? Innovation can’t be taken back af­ter all. I be­lieve we should vote for gov­ern­ments that rec­og­nize what is hap­pen­ing, and are will­ing to sup­port those who will re­main job­less. And, the more peo­ple get fired, the more po­lit­i­cal pres­sure there will be to vote for those who will guar­an­tee a cer­tain de­gree of pro­tec­tion. But I also look for­ward to the good AI could bring: new progress in sci­ence, that could help lower the suf­fer­ing of the hu­man con­di­tion, which is not al­ways happy.

Anyway, back to pro­gram­ming. I have a sin­gle sug­ges­tion for you, my friend. Whatever you be­lieve about what the Right Thing should be, you can’t con­trol it by re­fus­ing what is hap­pen­ing right now. Skipping AI is not go­ing to help you or your ca­reer. Think about it. Test these new tools, with care, with weeks of work, not in a five min­utes test where you can just re­in­force your own be­liefs. Find a way to mul­ti­ply your­self, and if it does not work for you, try again every few months.

Yes, maybe you think that you worked so hard to learn cod­ing, and now ma­chines are do­ing it for you. But what was the fire in­side you, when you coded till night to see your pro­ject work­ing? It was build­ing. And now you can build more and bet­ter, if you find your way to use AI ef­fec­tively. The fun is still there, un­touched.

Please en­able JavaScript to view the com­ments pow­ered by Disqus.

blog com­ments pow­ered by

Apple is join­ing forces with Google to power its ar­ti­fi­cial in­tel­li­gence fea­tures, in­clud­ing a ma­jor Siri up­grade ex­pected later this year.

The mul­ti­year part­ner­ship will lean on Google’s Gemini and cloud tech­nol­ogy for fu­ture Apple foun­da­tional mod­els, ac­cord­ing to a joint state­ment ob­tained by CNBC’s Jim Cramer.

“After care­ful eval­u­a­tion, we de­ter­mined that Google’s tech­nol­ogy pro­vides the most ca­pa­ble foun­da­tion for Apple Foundation Models and we’re ex­cited about the in­no­v­a­tive new ex­pe­ri­ences it will un­lock for our users,” Apple said in a state­ment Monday.

The mod­els will con­tinue to run on Apple de­vices and the com­pa­ny’s pri­vate cloud com­pute, the com­pa­nies added.

Apple de­clined to com­ment on the terms of the deal. Google re­ferred CNBC to the joint state­ment.

In August, Bloomberg re­ported that Apple was in early talks with Google to use a cus­tom Gemini model to power a new it­er­a­tion of Siri. The news out­let later re­ported that Apple was plan­ning to pay about $1 bil­lion a year to uti­lize Google AI.

The deal is an­other ma­jor in­di­ca­tor of grow­ing trust in Google’s ac­cel­er­at­ing AI agenda and come­back against OpenAI. In 2025, the search gi­ant logged its best year since 2009 and sur­passed Apple in mar­ket cap­i­tal­iza­tion last week for the first time since 2019.

Google al­ready pays Apple bil­lions each year to be the de­fault search en­gine on iPhones. But that lu­cra­tive part­ner­ship briefly came into ques­tion af­ter Google was found to hold an il­le­gal in­ter­net search mo­nop­oly.

In September, a judge ruled against a worst-case sce­nario out­come that could have forced Google to di­vest its Chrome browser busi­ness.

The de­ci­sion also al­lowed Google to con­tinue to make deals such as the one with Apple.

i was at bom­bay air­port. some dude was watch­ing reels on full vol­ume and laugh­ing loudly. ask­ing nicely does­n’t work any­more. me be­ing me, did­n’t have the courage to speak up.

so i built a tiny app that plays back the same au­dio it hears, de­layed by ~2 sec­onds. asked claude, it spat out a work­ing ver­sion in one prompt. sur­pris­ingly WORKS.

some­thing some­thing au­di­tory feed­back loop some­thing some­thing cog­ni­tive dis­so­nance. idk i’m not a neu­ro­sci­en­tist. all i know is it makes peo­ple shut up and that’s good enough for me.

straight up hon­est - orig­i­nally called this “make-it-stop” but then saw @TimDarcet also built sim­i­lar and named it STFU. wayyyyy bet­ter name. so stole it. sorry not sorry.

made with spite and web au­dio api. do what­ever you want with it.

yo, mean­while if you are new here, you might find my, other side pro­jects kinda funny.

The FBI raided the home of a Washington Post re­porter early on Wednesday in what the news­pa­per called a “highly un­usual and ag­gres­sive” move by law en­force­ment, and press free­dom groups con­demned as a “tremendous in­tru­sion” by the Trump ad­min­is­tra­tion.

Agents de­scended on the Virginia home of Hannah Natanson as part of an in­ves­ti­ga­tion into a gov­ern­ment con­trac­tor ac­cused of il­le­gally re­tain­ing clas­si­fied gov­ern­ment ma­te­ri­als.

An email sent on Wednesday af­ter­noon to Post staff from the ex­ec­u­tive ed­i­tor, Matt Murray, ob­tained by the Guardian, said agents turned up “unannounced”, searched her home and seized elec­tronic de­vices.

“This ex­tra­or­di­nary, ag­gres­sive ac­tion is deeply con­cern­ing and raises pro­found ques­tions and con­cern around the con­sti­tu­tional pro­tec­tions for our work,” the email said.

“The Washington Post has a long his­tory of zeal­ous sup­port for ro­bust press free­doms. The en­tire in­sti­tu­tion stands by those free­doms and our work.”

“It’s a clear and ap­palling sign that this ad­min­is­tra­tion will set no lim­its on its acts of ag­gres­sion against an in­de­pen­dent press,” Marty Baron, the Post’s for­mer ex­ec­u­tive ed­i­tor, told the Guardian.

Murray said nei­ther the news­pa­per nor Natanson were told they were the tar­get of a jus­tice de­part­ment in­ves­ti­ga­tion.

Pam Bondi, the at­tor­ney gen­eral, said in a post on X that the raid was con­ducted by the jus­tice de­part­ment and FBI at the re­quest of the Pentagon.

The war­rant, she said, was ex­e­cuted “at the home of a Washington Post jour­nal­ist who was ob­tain­ing and re­port­ing clas­si­fied and il­le­gally leaked in­for­ma­tion from a Pentagon con­trac­tor. The leaker is cur­rently be­hind bars.”

The state­ment gave no fur­ther de­tails of the raid or in­ves­ti­ga­tion. Bondi added: “The Trump ad­min­is­tra­tion will not tol­er­ate il­le­gal leaks of clas­si­fied in­for­ma­tion that, when re­ported, pose a grave risk to our na­tion’s na­tional se­cu­rity and the brave men and women who are serv­ing our coun­try.”

The re­porter’s home and de­vices were searched, and her Garmin watch, phone, and two lap­top com­put­ers, one be­long­ing to her em­ployer, were seized, the news­pa­per said. It added that agents told Natanson she was not the fo­cus of the in­ves­ti­ga­tion, and was not ac­cused of any wrong­do­ing.

A war­rant ob­tained by the Post cited an in­ves­ti­ga­tion into Aurelio Perez-Lugones, a sys­tem ad­min­is­tra­tor in Maryland with a top se­cret se­cu­rity clear­ance who has been ac­cused of ac­cess­ing and tak­ing home clas­si­fied in­tel­li­gence re­ports.

Natanson, the Post said, cov­ers the fed­eral work­force and has been a part of the news­pa­per’s “most high-pro­file and sen­si­tive cov­er­age” dur­ing the first year of the sec­ond Trump ad­min­is­tra­tion.

As the pa­per noted in its re­port, it is “highly un­usual and ag­gres­sive for law en­force­ment to con­duct a search on a re­porter’s home”.

In a first-per­son ac­count pub­lished last month, Natanson de­scribed her­self as the Post’s “federal gov­ern­ment whis­perer”, and said she would re­ceive calls day and night from “federal work­ers who wanted to tell me how President Donald Trump was rewrit­ing their work­place poli­cies, fir­ing their col­leagues or trans­form­ing their agen­cy’s mis­sions”.

“It’s been bru­tal,” the ar­ti­cle’s head­line said.

Natanson said her work had led to 1,169 new sources, “all cur­rent or for­mer fed­eral em­ploy­ees who de­cided to trust me with their sto­ries”. She said she learned in­for­ma­tion “people in­side gov­ern­ment agen­cies weren’t sup­posed to tell me”, say­ing that the in­ten­sity of the work nearly “broke” her.

The fed­eral in­ves­ti­ga­tion into Perez-Lugones, the Post said, in­volved doc­u­ments found in his lunch­box and his base­ment, ac­cord­ing to an FBI af­fi­davit. The crim­i­nal com­plaint against him does not ac­cuse him of leak­ing clas­si­fied in­for­ma­tion, the news­pa­per said.

Press free­dom groups were united in their con­dem­na­tion of the raid on Wednesday.

“Physical searches of re­porters’ de­vices, homes and be­long­ings are some of the most in­va­sive in­ves­tiga­tive steps law en­force­ment can take,” Bruce D Brown, pres­i­dent of the Reporters’ Committee for Freedom of the Press, said in a state­ment.

“There are spe­cific fed­eral laws and poli­cies at the Department of Justice that are meant to limit searches to the most ex­treme cases be­cause they en­dan­ger con­fi­den­tial sources far be­yond just one in­ves­ti­ga­tion and im­pair pub­lic in­ter­est re­port­ing in gen­eral.

“While we won’t know the gov­ern­men­t’s ar­gu­ments about over­com­ing these very steep hur­dles un­til the af­fi­davit is made pub­lic, this is a tremen­dous es­ca­la­tion in the ad­min­is­tra­tion’s in­tru­sions into the in­de­pen­dence of the press.”

Jameel Jaffer, ex­ec­u­tive di­rec­tor of the Knight First Amendment Institute, de­manded a pub­lic ex­pla­na­tion from the jus­tice de­part­ment of “why it be­lieves this search was nec­es­sary and legally per­mis­si­ble”.

In a state­ment, Jaffer said: “Any search tar­get­ing a jour­nal­ist war­rants in­tense scrutiny be­cause these kinds of searches can de­ter and im­pede re­port­ing that is vi­tal to our democ­racy.

“Attorney General Bondi has weak­ened guide­lines that were in­tended to pro­tect the free­dom of the press, but there are still im­por­tant le­gal lim­its, in­clud­ing con­sti­tu­tional ones, on the gov­ern­men­t’s au­thor­ity to use sub­poe­nas, court or­ders, and search war­rants to ob­tain in­for­ma­tion from jour­nal­ists.

“Searches of news­rooms and jour­nal­ists are hall­marks of il­lib­eral regimes, and we must en­sure that these prac­tices are not nor­mal­ized here.”

Seth Stern, chief of ad­vo­cacy for the Freedom of the Press Foundation, said it was “an alarm­ing es­ca­la­tion in the Trump ad­min­is­tra­tion’s mul­ti­pronged war on press free­dom” and called the war­rant “outrageous”.

“The ad­min­is­tra­tion may now be in pos­ses­sion of vol­umes of jour­nal­ist com­mu­ni­ca­tions hav­ing noth­ing to do with any pend­ing in­ves­ti­ga­tion and, if in­ves­ti­ga­tors are able to ac­cess them, we have zero faith that they will re­spect jour­nal­ist-source con­fi­den­tial­ity,” he said.

Tim Richardson, jour­nal­ism and dis­in­for­ma­tion pro­gram di­rec­tor at PEN America, said: “A gov­ern­ment ac­tion this rare and ag­gres­sive sig­nals a grow­ing as­sault on in­de­pen­dent re­port­ing and un­der­mines the First Amendment.

“It is in­tended to in­tim­i­date sources and chill jour­nal­ists’ abil­ity to gather news and hold the gov­ern­ment ac­count­able. Such be­hav­ior is more com­monly as­so­ci­ated with au­thor­i­tar­ian po­lice states than de­mo­c­ra­tic so­ci­eties that rec­og­nize jour­nal­is­m’s es­sen­tial role in in­form­ing the pub­lic.”

The Post has had a rocky re­la­tion­ship with the Trump ad­min­is­tra­tion in re­cent months, de­spite its bil­lion­aire owner, Jeff Bezos, the Amazon founder, at­tempt­ing to curry fa­vor by block­ing it from en­dors­ing Kamala Harris, the Democratic nom­i­nee, in the 2024 pres­i­den­tial elec­tion.

Bezos de­fended the ac­tion, which saw the de­ser­tion of more than 200,000 sub­scribers in protest.

The Astro Technology Company — the com­pany be­hind the Astro web frame­work — is join­ing Cloudflare! Adoption of the Astro web frame­work con­tin­ues to dou­ble every year, and Astro 6 is right around the cor­ner. With Cloudflare’s sup­port, we’ll have more re­sources and fewer dis­trac­tions to con­tinue our mis­sion to build the best frame­work for con­tent-dri­ven web­sites.

What this means for Astro:

* Astro con­tin­ues to sup­port a wide set of de­ploy­ment tar­gets, not just Cloudflare

* All full-time em­ploy­ees of The Astro Technology Company are now em­ploy­ees of Cloudflare, and will con­tinue to work on Astro full-time.

In 2021, Astro was born out of frus­tra­tion. The trend at the time was that every web­site should be ar­chi­tected as an ap­pli­ca­tion, and then shipped to the user’s browser to ren­der. This was not very per­for­mant, and we’ve spent the last decade com­ing up with more and more com­plex so­lu­tions to solve for that per­for­mance prob­lem. SSR, ISR, RSC, PPR, TTI op­ti­miza­tions via code-split­ting, tree-shak­ing, lazy-load­ing, all to gen­er­ate a block­ing dou­ble-data hy­dra­tion pay­load from a pre-warmed server run­ning halfway around the world.

Our mis­sion to de­sign a web frame­work specif­i­cally for build­ing web­sites — what we call con­tent-dri­ven web­sites, to bet­ter dis­tin­guish from data-dri­ven, state­ful web ap­pli­ca­tions — res­onated. Now Astro is down­loaded al­most 1,000,000 times per week, and has been used by 100,000s of de­vel­op­ers to build fast, beau­ti­ful web­sites. Today you’ll find Astro all over the web, pow­er­ing ma­jor web­sites and even en­tire de­vel­oper plat­forms for com­pa­nies like Webflow, Wix, Microsoft, and Google.

Along the way, we also tried to grow a busi­ness. In 2021 we raised some money and formed The Astro Technology Company. Our larger vi­sion was that a well-de­signed frame­work like Astro could sit at the cen­ter of a mas­sive de­vel­oper plat­form, with op­tional hosted prim­i­tives (database, stor­age, an­a­lyt­ics) de­signed in lock­step with the frame­work.

We were never able to re­al­ize this vi­sion. Attempts to in­tro­duce paid, hosted prim­i­tives into our ecosys­tem fell flat, and rarely jus­ti­fied their own ex­is­tence. We con­sid­ered go­ing more di­rectly af­ter first-class host­ing or con­tent man­age­ment for Astro, but knew we’d spend much of our time play­ing catchup to well-funded, savvy com­peti­tors. We kept ex­plor­ing dif­fer­ent ideas, but noth­ing clicked with users the same way Astro did.

It was­n’t all bad. Astro DB (our at­tempt to build a hosted data­base prod­uct for Astro pro­jects) even­tu­ally evolved into the open, built-in Astro data­base client that still lives in core to­day. Our ex­plo­ration into build­ing an e-com­merce layer with Astro was even­tu­ally open-sourced. It was re­ward­ing work, but over the years the dis­trac­tion took its toll. Each at­tempt at a new paid prod­uct or of­fer­ing took my­self and oth­ers on the pro­ject away from work­ing on the Astro frame­work that de­vel­op­ers were us­ing and lov­ing every day.

Last year, Dane (Cloudflare CTO) and I be­gan to talk more se­ri­ously about the fu­ture of the web. Those con­ver­sa­tions quickly grew into some­thing big­ger: What does the next decade look like? How do frame­works adapt to a world of AI cod­ing and agents?

It be­came clear that even as web tech­nolo­gies evolve, con­tent re­mains at the cen­ter. We re­al­ized that we’ve each been work­ing to­ward this same vi­sion from dif­fer­ent an­gles:

* Cloudflare has been solv­ing it from the in­fra­struc­ture side: bet­ting on a plat­form that is global by de­fault, with fast startup, low la­tency, and se­cu­rity built-in.

* Astro has been solv­ing it from the frame­work side: bet­ting on a web frame­work that makes it easy to build sites that are fast by de­fault, with­out over­com­pli­cat­ing things.

The over­lap is ob­vi­ous. By work­ing to­gether, Cloudflare gives us the back­ing we need to keep in­no­vat­ing for our users. Now we can stop spend­ing cy­cles wor­ry­ing about build­ing a busi­ness on top of Astro, and start fo­cus­ing 100% on the code, with a shared vi­sion to move the web for­ward.

Cloudflare has been a long-time spon­sor and cham­pion of Astro. They have a proven track record of sup­port­ing great open-source pro­jects like Astro, TanStack, and Hono with­out try­ing to cap­ture or lock any­thing down. Staying open to all was a non-ne­go­tiable re­quire­ment for both us and for Cloudflare.

That is why Astro will re­main free, open-source, and MIT-licensed. We will con­tinue to run our pro­ject in the open, with an open gov­er­nance model for con­trib­u­tors and an open com­mu­nity roadmap that any­one can par­tic­i­pate in. We re­main fully com­mit­ted to main­tain­ing Astro as a plat­form-ag­nos­tic frame­work, mean­ing we will con­tinue to sup­port and im­prove de­ploy­ments for all tar­gets—not just Cloudflare.

With Cloudflare’s re­sources and sup­port, we can now re­turn our fo­cus fully to­wards build­ing the best web frame­work for con­tent-dri­ven web­sites. The web is chang­ing fast, and the bar keeps ris­ing: per­for­mance, scale, re­li­a­bil­ity, and a bet­ter ex­pe­ri­ence for the teams ship­ping con­tent on the web.

You’ll see that fo­cus re­flected across our roadmap, as we pre­pare for the up­com­ing Astro 6 re­lease (beta out now!) and our 2026 roadmap. Stay tuned!

I want to ex­tend a huge thank you to the agen­cies, com­pa­nies, spon­sors, part­ners, and theme au­thors who chose to work with us over the years. Thank you to our ini­tial in­vestors — Haystack, Gradient, Uncorrelated, Lightspeed — with­out whom Astro likely would­n’t ex­ist. Thank you to every­one in our open source com­mu­nity who con­tin­ues to help make Astro bet­ter every day. And fi­nally, thank you to every­one who uses Astro and puts their trust in us to help them build for the web.

Skip to main con­tent

An of­fi­cial web­site of the United States GovernmentHere’s how you knowOf­fi­cial web­sites use .gov

A .gov web­site be­longs to an of­fi­cial gov­ern­ment or­ga­ni­za­tion in the United States. Secure .gov web­sites use HTTPS

A lock () or https:// means you’ve safely con­nected to the .gov web­site. Share sen­si­tive in­for­ma­tion only on of­fi­cial, se­cure web­sites.

Please en­able JavaScript if it is dis­abled in your browser or ac­cess the in­for­ma­tion through the links pro­vided be­low.

The [Tab] key may be used in com­bi­na­tion with the [Enter/Return] key to nav­i­gate and ac­ti­vate con­trol but­tons, such as cap­tion on/​off.

On Friday, the Department of Justice served the Federal Reserve with grand jury sub­poe­nas, threat­en­ing a crim­i­nal in­dict­ment re­lated to my tes­ti­mony be­fore the Senate Banking Committee last June. That tes­ti­mony con­cerned in part a multi-year pro­ject to ren­o­vate his­toric Federal Reserve of­fice build­ings.

I have deep re­spect for the rule of law and for ac­count­abil­ity in our democ­racy. No one—cer­tainly not the chair of the Federal Reserve—is above the law. But this un­prece­dented ac­tion should be seen in the broader con­text of the ad­min­is­tra­tion’s threats and on­go­ing pres­sure.

This new threat is not about my tes­ti­mony last June or about the ren­o­va­tion of the Federal Reserve build­ings. It is not about Congress’s over­sight role; the Fed through tes­ti­mony and other pub­lic dis­clo­sures made every ef­fort to keep Congress in­formed about the ren­o­va­tion pro­ject. Those are pre­texts. The threat of crim­i­nal charges is a con­se­quence of the Federal Reserve set­ting in­ter­est rates based on our best as­sess­ment of what will serve the pub­lic, rather than fol­low­ing the pref­er­ences of the President.

This is about whether the Fed will be able to con­tinue to set in­ter­est rates based on ev­i­dence and eco­nomic con­di­tions—or whether in­stead mon­e­tary pol­icy will be di­rected by po­lit­i­cal pres­sure or in­tim­i­da­tion.

I have served at the Federal Reserve un­der four ad­min­is­tra­tions, Republicans and Democrats alike. In every case, I have car­ried out my du­ties with­out po­lit­i­cal fear or fa­vor, fo­cused solely on our man­date of price sta­bil­ity and max­i­mum em­ploy­ment. Public ser­vice some­times re­quires stand­ing firm in the face of threats. I will con­tinue to do the job the Senate con­firmed me to do, with in­tegrity and a com­mit­ment to serv­ing the American peo­ple.

Two days ago, Anthropic re­leased the Claude Cowork re­search pre­view (a gen­eral-pur­pose AI agent to help any­one with their day-to-day work). In this ar­ti­cle, we demon­strate how at­tack­ers can ex­fil­trate user files from Cowork by ex­ploit­ing an un­re­me­di­ated vul­ner­a­bil­ity in Claude’s cod­ing en­vi­ron­ment, which now ex­tends to Cowork. The vul­ner­a­bil­ity was first iden­ti­fied in Claude.ai chat be­fore Cowork ex­isted by Johann Rehberger, who dis­closed the vul­ner­a­bil­ity — it was ac­knowl­edged but not re­me­di­ated by Anthropic.

Anthropic warns users, “Cowork is a re­search pre­view with unique risks due to its agen­tic na­ture and in­ter­net ac­cess.” Users are rec­om­mended to be aware of “suspicious ac­tions that may in­di­cate prompt in­jec­tion”. However, as this fea­ture is in­tended for use by the gen­eral pop­u­lace, not just tech­ni­cal users, we agree with Simon Willison’s take:

“I do not think it is fair to tell reg­u­lar non-pro­gram­mer users to watch out for ‘suspicious ac­tions that may in­di­cate prompt in­jec­tion’!”

As Anthropic has ac­knowl­edged this risk and put it on users to “avoid grant­ing ac­cess to lo­cal files with sen­si­tive in­for­ma­tion” (while si­mul­ta­ne­ously en­cour­ag­ing the use of Cowork to or­ga­nize your Desktop), we have cho­sen to pub­licly dis­close this demon­stra­tion of a threat users should be aware of. By rais­ing aware­ness, we hope to en­able users to bet­ter iden­tify the types of ‘suspicious ac­tions’ men­tioned in Anthropic’s warn­ing.

This at­tack lever­ages the al­lowlist­ing of the Anthropic API to achieve data egress from Claude’s VM en­vi­ron­ment (which re­stricts most net­work ac­cess).

The vic­tim con­nects Cowork to a lo­cal folder con­tain­ing con­fi­den­tial real es­tate files­The vic­tim up­loads a file to Claude that con­tains a hid­den prompt in­jec­tion

For gen­eral use cases, this is quite com­mon; a user finds a file on­line that they up­load to Claude code. This at­tack is not de­pen­dent on the in­jec­tion source - other in­jec­tion sources in­clude, but are not lim­ited to: web data from Claude for Chrome, con­nected MCP servers, etc. In this case, the at­tack has the file be­ing a Claude ‘Skill’ (although, as men­tioned, it could also just be a reg­u­lar doc­u­ment), as it is a gen­er­al­iz­able file con­ven­tion that users are likely to en­counter, es­pe­cially when us­ing Claude.

Note: If you are fa­mil­iar with Skills, they are canon­i­cally Markdown files (which users of­ten do not heav­ily scru­ti­nize). However, we demon­strate some­thing more in­ter­est­ing: here, the user up­loads a .docx (such as may be shared on an on­line fo­rum), which poses as a Skill - the con­tents ap­pear to be Markdown that was just saved af­ter edit­ing in Word. In re­al­ity, this trick al­lows at­tack­ers to con­ceal the in­jec­tion us­ing 1-point font, white-on-white text, and with line spac­ing set to 0.1 — mak­ing it ef­fec­tively im­pos­si­ble to de­tect. The vic­tim asks Cowork to an­a­lyze their files us­ing the Real Estate ‘skill’ they up­load­edThe in­jec­tion ma­nip­u­lates Cowork to up­load files to the at­tack­er’s Anthropic ac­count

The in­jec­tion tells Claude to use a ‘curl’ com­mand to make a re­quest to the Anthropic file up­load API with the largest avail­able file. The in­jec­tion then pro­vides the at­tack­er’s API key, so the file will be up­loaded to the at­tack­er’s ac­count.

At no point in this process is hu­man ap­proval re­quired.If we ex­pand the ‘Running com­mand’ block, we can see the ma­li­cious re­quest in de­tail:Code ex­e­cuted by Claude is run in a VM - re­strict­ing out­bound net­work re­quests to al­most all do­mains - but the Anthropic API flies un­der the radar as trusted, al­low­ing this at­tack to com­plete suc­cess­fully. The at­tack­er’s ac­count con­tains the vic­tim’s file, al­low­ing them to chat with it­The ex­fil­trated file con­tains fi­nan­cial fig­ures and PII, in­clud­ing par­tial SSNs.

The above ex­ploit was demon­strated against Claude Haiku. Although Claude Opus 4.5 is known to be more re­silient against in­jec­tions, Opus 4.5 in Cowork was suc­cess­fully ma­nip­u­lated via in­di­rect prompt in­jec­tion to lever­age the same file up­load vul­ner­a­bil­ity to ex­fil­trate data in a test that con­sid­ered a ‘user’ up­load­ing a ma­li­cious in­te­gra­tion guide while de­vel­op­ing a new AI tool:

As the fo­cus of this ar­ti­cle was more for every­day users (and not de­vel­op­ers), we opted to demon­strate the above at­tack chain in­stead of this one.

An in­ter­est­ing find­ing: Claude’s API strug­gles when a file does not match the type it claims to be. When op­er­at­ing on a mal­formed PDF (ends .pdf, but it is re­ally a text file with a few sen­tences in it), af­ter try­ing to read it once, Claude starts throw­ing an API er­ror in every sub­se­quent chat in the con­ver­sa­tion.

We posit that it is likely pos­si­ble to ex­ploit this fail­ure via in­di­rect prompt in­jec­tion to cause a lim­ited de­nial of ser­vice at­tack (e.g., an in­jec­tion can elicit Claude to cre­ate a mal­formed file, and then read it). Uploading the mal­formed file via the files API re­sulted in no­ti­fi­ca­tions with an er­ror mes­sage, both in the Claude client and the Anthropic Console.

One of the key ca­pa­bil­i­ties that Cowork was cre­ated for is the abil­ity to in­ter­act with one’s en­tire day-to-day work en­vi­ron­ment. This in­cludes the browser and MCP servers, grant­ing ca­pa­bil­i­ties like send­ing texts, con­trol­ling one’s Mac with AppleScripts, etc.

These func­tion­al­i­ties make it in­creas­ingly likely that the model will process both sen­si­tive and un­trusted data sources (which the user does not re­view man­u­ally for in­jec­tions), mak­ing prompt in­jec­tion an ever-grow­ing at­tack sur­face. We urge users to ex­er­cise cau­tion when con­fig­ur­ing Connectors. Though this ar­ti­cle demon­strated an ex­ploit with­out lever­ag­ing Connectors, we be­lieve they rep­re­sent a ma­jor risk sur­face likely to im­pact every­day users.