The harness is the product, and four CVEs prove it
AI agents hit 81% autonomous hack success the same week Dirty Frag, FreeBSD DHCP, LiteLLM, and a 244K-download HuggingFace stealer all landed. The plumbing around your model is the new attack surface, and the new product surface.
Palisade Research clocked autonomous agents at 81% success against remote systems this week, up from 6% twelve months ago. In the same window, a Claude agent running under Cursor deleted a production database and its backups in nine seconds. Google confirmed the first AI-authored zero-day caught in the wild — a Python 2FA bypass with a hallucinated CVSS score in its metadata, which is the kind of forensic tell you only get when the author was a language model.
That's the story. Not the model benchmarks. Not the funding rounds. The plumbing around the model — proxies, registries, tool layers, CI pipelines, agent harnesses — is simultaneously the attack surface attackers are exploiting and the product surface where the next eighteen months of differentiation will be won.
The patch list nobody scheduled
Four critical CVEs hit overlapping infrastructure tiers in the same week. Dirty Frag (CVE-2026-43284) is local-to-root on every Linux distro shipped since 2017, with a public PoC and a broken embargo. FreeBSD's DHCP bug (CVE-2026-42511) is a 21-year-old pre-auth root RCE that lands on pfSense, OPNsense, and TrueNAS; anyone on the broadcast domain is in range, no user interaction. LiteLLM (CVE-2026-42208) is unauthenticated SQL injection via a crafted Authorization header, under active exploitation, against the proxy layer that holds your routing configs and every API key you've ever issued to OpenAI, Anthropic, or Bedrock. cPanel's zero-day (CVE-2026-41940) is already being used to drop Mirai variants and Sorry ransomware on hosting boxes. On top of those four, Ollama is leaking process memory to any unauthenticated remote caller on port 11434; in an LLM serving context that memory contains prompts, RAG chunks with PII, and provider keys.
Most teams will patch LiteLLM first because it's easiest. That's the wrong order. Sequence by blast radius: Dirty Frag touches every Linux host on the estate, the cPanel zero-day is already dropping Mirai and Sorry ransomware, FreeBSD DHCP hands root to anyone on the same L2.
And note what's new about the LiteLLM and Ollama entries on that list. The AI proxy layer wasn't on most patch calendars a year ago. The advisory pipelines for these tools are months old, not decades. Response times will reflect that gap, and attackers know it.
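Detection logic for the LiteLLM entry, as an added example that is not from this page or from the LiteLLM project: it scans proxy access-log lines for Authorization headers that do not look like bearer keys and records why. The log format, the key charset, the sample lines and the client addresses are constructed assumptions for this example; the page does not give the exploit payload, so the markers below are generic SQL-injection tells, not a signature of CVE-2026-42208.

```python
import re
from dataclasses import dataclass, field

# Assumed access-log format (constructed for this example): the proxy in front of
# LiteLLM logs the Authorization header verbatim as auth="...". Adapt LOG_LINE to yours.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)

# Allow-list of what a legitimate bearer key looks like. Only values outside this
# shape get inspected, so a key like "sk-or-v1-..." is never flagged for containing "or".
WELL_FORMED = re.compile(r"^Bearer [A-Za-z0-9._~+/=-]{16,}$")

# Generic SQLi tells, applied only after the allow-list fails (heuristic, not a CVE signature).
SQLI_MARKERS = [
    (r"['\"`]", "quote"),
    (r"--|/\*|\*/|#", "sql comment"),
    (r";", "statement separator"),
    (r"\b(union|select|sleep|pg_sleep|waitfor|benchmark)\b", "sql keyword"),
    (r"\|\||\bor\b|\band\b", "boolean/concat operator"),
    (r"\s", "whitespace inside token"),
]


@dataclass
class Finding:
    ts: str
    client: str
    path: str
    status: int
    auth: str
    reasons: list = field(default_factory=list)


def inspect_auth(value: str) -> list:
    """Return why an Authorization value is suspicious; an empty list means it looks like a real key."""
    if not value or WELL_FORMED.match(value):
        return []
    token = value[len("Bearer "):] if value.startswith("Bearer ") else value
    reasons = [label for pattern, label in SQLI_MARKERS if re.search(pattern, token, re.I)]
    return reasons or ["token outside expected charset"]


def scan(lines) -> list:
    """Parse each log line and keep the ones whose Authorization header fails inspection."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # in production, count unparsed lines; silent drops hide gaps
        reasons = inspect_auth(m["auth"])
        if reasons:
            findings.append(Finding(m["ts"], m["client"], m["path"], int(m["status"]), m["auth"], reasons))
    return findings


def clients_to_block(findings) -> set:
    return {f.client for f in findings}


# Constructed sample log: two normal calls, three injection attempts, one unauthenticated request.
SAMPLE_LOG = """\
2026-05-08T10:01:02Z 10.0.4.12 "POST /chat/completions" 200 auth="Bearer sk-or-v1-4f9a8c1e0b7d6e5f3a2b1c0d"
2026-05-08T10:01:05Z 10.0.4.12 "GET /models" 200 auth="Bearer sk-1234abcd5678efgh"
2026-05-08T10:02:11Z 203.0.113.7 "GET /key/info" 500 auth="Bearer sk-1234' OR 1=1--"
2026-05-08T10:02:12Z 203.0.113.7 "GET /key/info" 200 auth="Bearer x' UNION SELECT token FROM keys--"
2026-05-08T10:03:40Z 10.0.4.20 "POST /chat/completions" 401 auth=""
2026-05-08T10:04:01Z 198.51.100.9 "GET /models" 200 auth="Bearer sk-abc'||pg_sleep(5)||'"
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.path} {f.status} {f.reasons}")
    print("block:", sorted(clients_to_block(scan(SAMPLE_LOG))))
```

Allow-listing the token shape first is the point: a keyword blocklist on its own would flag every legitimate key that happens to contain "or". A hit is a trigger to rotate every key the proxy holds, as the patch section says, not just the one in the offending request, because a successful dump does not show up in the logs of the request that did it.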
The supply chain went hostile
A repo impersonating OpenAI's "Privacy Filter" reached #1 trending on HuggingFace with 244,000 downloads before takedown. The payload was a Rust infostealer, and Rust on purpose: a native Rust binary carries none of the .NET or Java runtime artifacts that EDR pattern-matches on, so static signatures have less to grip and you are left relying on behavioral detection. At 244K pulls, that's not curious humans browsing. That's CI pipelines and automated training jobs resolving model names at runtime against a download counter that attackers can game cheaply.
In the same week: Checkmarx's GitHub repos pushed a malicious Jenkins plugin, SailPoint's repos got hit through a third-party tool, JDownloader installers were trojanized for two days, and 38 npm packages targeted Apple, Google, and Alibaba via dependency confusion. Two of the four compromised entities are themselves security vendors. The companies you bought to reduce supply-chain risk are now carrying it.
The SkCC paper adds the volume number: more than a third of community-published agent skills ship with vulnerabilities. Skills aren't passive dependencies; they execute inside the tool-call loop with file I/O, HTTP, and shell permissions. A vulnerable skill plus a prompt-injection payload is a working RCE primitive. If your agent imports skills from shared registries without static analysis and a sandboxed eval, roughly one in three of the skills you pull in arrives already vulnerable, and the injection that turns that into code execution is the attacker's cheapest step.
The fix here is policy on the loader, not scanning after the fact. Pin by commit SHA, not tag. Allow only .safetensors and .gguf through the pipeline. Reject anything with executable bits or a PE/ELF header, and decide by magic bytes rather than filename, since a pickle renamed to .safetensors is exactly the trick the policy exists to catch. Sandbox first-run code paths. Treat HuggingFace like GitHub with a download counter, because that's what it is.
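The loader policy just described, as an added example that is not HuggingFace's code or any project's own: it pins to a full commit SHA, allow-lists .safetensors and .gguf, rejects executable bits, and classifies by magic bytes so that a PE/ELF binary, a zip-wrapped torch pickle, or a raw pickle renamed to .safetensors is refused before any deserializer runs. The repo names, the sample blobs, and the make_safetensors helper that builds them are constructed for this example.

```python
import json
import re
import stat
import struct
from dataclasses import dataclass

# Loader policy for artifacts pulled from a model registry. Names and sample blobs are constructed.
ALLOWED_SUFFIXES = (".safetensors", ".gguf")
FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def check_revision(revision: str) -> Verdict:
    """Pin by commit SHA; a tag or branch can be moved after you reviewed it."""
    if FULL_COMMIT_SHA.match(revision):
        return Verdict(True, "pinned to a full commit sha")
    return Verdict(False, f"revision {revision!r} is a tag/branch, not a 40-hex commit sha")


def sniff(data: bytes) -> str:
    """Classify a blob by its magic bytes, never by its filename."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] == b"GGUF":
        return "gguf"
    if data[:2] == b"PK":
        return "zip"       # torch .bin/.pt are zip archives wrapping a pickle
    if data[:1] == b"\x80" and data[1:2] in (b"\x02", b"\x03", b"\x04", b"\x05"):
        return "pickle"    # PROTO opcode of pickle protocol 2..5 (heuristic)
    if len(data) >= 9:
        header_len = struct.unpack("<Q", data[:8])[0]   # safetensors: u64 LE header length, then JSON
        if 0 < header_len <= len(data) - 8 and data[8:9] == b"{":
            return "safetensors"
    return "unknown"


def parse_safetensors_header(data: bytes) -> dict:
    """Parse the safetensors header and bounds-check every tensor; raises on a bad file."""
    header_len = struct.unpack("<Q", data[:8])[0]
    header = json.loads(data[8:8 + header_len])
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    payload_len = len(data) - 8 - header_len
    for name, entry in header.items():
        if name == "__metadata__":
            continue
        if "dtype" not in entry or "shape" not in entry:
            raise ValueError(f"tensor {name!r} is missing dtype/shape")
        start, end = entry["data_offsets"]
        if not (0 <= start <= end <= payload_len):
            raise ValueError(f"tensor {name!r} offsets {start}..{end} exceed {payload_len}-byte payload")
    return header


def check_artifact(filename: str, data: bytes, mode: int = 0o644) -> Verdict:
    """Refuse executables, pickles and mislabeled files before any deserializer sees them."""
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return Verdict(False, f"{filename}: executable bit set")
    suffix = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if suffix not in ALLOWED_SUFFIXES:
        return Verdict(False, f"{filename}: suffix {suffix!r} not in allow-list")
    kind = sniff(data)
    if kind in ("pe", "elf"):
        return Verdict(False, f"{filename}: native executable ({kind}) named as {suffix}")
    if kind in ("zip", "pickle"):
        return Verdict(False, f"{filename}: pickle-bearing payload ({kind}) named as {suffix}")
    if kind != suffix[1:]:
        return Verdict(False, f"{filename}: content is {kind}, not {suffix[1:]}")
    if kind == "safetensors":
        try:
            parse_safetensors_header(data)
        except (ValueError, KeyError, TypeError) as exc:
            return Verdict(False, f"{filename}: malformed safetensors header ({exc})")
    return Verdict(True, f"{filename}: {kind} with a well-formed header")


def make_safetensors(header: dict, payload: bytes) -> bytes:
    """Build a safetensors blob; used here only to construct sample input."""
    raw = json.dumps(header).encode()
    return struct.pack("<Q", len(raw)) + raw + payload


def gate_pull(repo_id: str, revision: str, filename: str, data: bytes, mode: int = 0o644) -> Verdict:
    """Whole policy in one call; run it before the file reaches any loader."""
    rev = check_revision(revision)
    if not rev.ok:
        return Verdict(False, f"{repo_id}: {rev.reason}")
    return check_artifact(filename, data, mode)


if __name__ == "__main__":
    sha = "0123456789abcdef0123456789abcdef01234567"   # constructed
    good = make_safetensors({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}, b"\0" * 8)
    print(gate_pull("example-org/privacy-filter", sha, "model.safetensors", good))
    print(gate_pull("example-org/privacy-filter", "main", "model.safetensors", good))
    print(gate_pull("example-org/privacy-filter", sha, "model.safetensors", b"MZ" + b"\0" * 62))
    print(gate_pull("example-org/privacy-filter", sha, "pytorch_model.bin", b"PK\x03\x04"))
```

The pickle check is a heuristic for protocol 2 and later; the safetensors check is structural, which is why it is the format the policy prefers. Wire gate_pull in between the download and the load call, and fail closed on "unknown".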
The harness is where the work happens
Eight independent sources this week landed on the same architectural conclusion, which is the kind of convergence you take seriously: keep the orchestrator dumb and put the engineering into the harness around the model. Claude Code's production stack is a single while loop with zero intelligence in the orchestrator. The model plans, tools execute, and context compression uses structured extraction at 95% window capacity, explicitly not summarization, because summarization-based memory has now been measured degrading agent performance below the no-memory baseline. Wix ran 250 evals showing agent-optimized docs beat custom skills once skills go stale. Pinterest's MCP deployment runs 66K monthly invocations across 844 users with two-layer auth, Envoy edge JWT plus per-tool decorators, with tool visibility scoped to the channel context.
Notion took the same idea up the stack. A PM writes a four-sentence Markdown spec, an agent named Boxy ships a PR with screenshots and a preview URL in twenty minutes. Their CI is being cut to 25% of current runtime — not for developer happiness, for agent throughput. A 60-minute CI gives an agent eight feedback loops a day. A three-minute CI gives 160. CI speed just became a product velocity lever.
The SkCC paper also reports formatting alone swings agent performance 40%. That's in tension with the Wix "docs beat skills" finding — if formatting moves results that much, the Wix result may be measuring how well Wix's docs happen to be formatted. Ablate formatting on your own stack before committing either way.
What to ship this week
Four moves, in order. Patch the criticals today, Dirty Frag, cPanel, FreeBSD DHCP, then LiteLLM, in that blast-radius order, and rotate every API key your LiteLLM proxy has ever held, regardless of what the logs say. Run an external scan for Ollama on 11434 and put auth in front of every internal instance, since the service exposes none of its own. Audit CI artifact pulls from the last ten days for the HuggingFace stealer, the Checkmarx Jenkins plugin, and the JDownloader May 6–7 installers; rotate any token that touched them.
Then instrument what you can't currently see. Per-tool success rate, median latency, p99 latency on every agent tool call. A no-memory baseline against your current memory pipeline on a real eval set. Time-to-second-touch on AI-assisted commits, because if maintenance debt is compounding under your velocity gains you need the number before you scale the practice.
The agent that crashed your database in nine seconds had legitimate credentials. The harness around it didn't have a destructive-op gate. That's the gap that defines this quarter.
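Two pieces of the harness this piece keeps returning to, Pinterest's per-tool auth with channel-scoped tool visibility and the destructive-op gate the Cursor agent did not have, as one added example that is neither Pinterest's nor Anthropic's code. It assumes the edge proxy has already verified the JWT and hands over a Principal carrying a channel and a set of scopes; the tool names, scopes, channels, approval id, and the SQL/shell patterns in the classifier are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


# Constructed stand-in for the claims the edge proxy already verified in the JWT.
@dataclass(frozen=True)
class Principal:
    subject: str
    channel: str            # where the call originates: "ide", "slack", "ci", ...
    scopes: frozenset


@dataclass(frozen=True)
class ToolSpec:
    name: str
    fn: Callable
    scopes: frozenset
    channels: frozenset
    destructive: bool


class PolicyError(Exception):
    pass


class ApprovalRequired(Exception):
    pass


# Content-based classifier, independent of how a tool was registered. Heuristic patterns;
# extend them for your own SQL dialects and shells.
DESTRUCTIVE_SQL = re.compile(
    r"^\s*(drop|truncate|alter)\b|^\s*(delete|update)\b(?!.*\bwhere\b)", re.I | re.S)
DESTRUCTIVE_SHELL = re.compile(
    r"\brm\s+-[a-z]*(rf|fr)\b|\bgit\s+push\b.*--force|\bmkfs\b|\bdd\b.*\bof=/dev/", re.I)


def looks_destructive(args: dict) -> bool:
    """True if any string argument reads like a data-destroying SQL statement or shell command."""
    return any(isinstance(v, str) and (DESTRUCTIVE_SQL.search(v) or DESTRUCTIVE_SHELL.search(v))
               for v in args.values())


class ToolRegistry:
    def __init__(self):
        self._tools = {}
        self.audit = []     # (outcome, subject, tool, args[, approval]) per call

    def tool(self, *, scopes, channels, destructive=False):
        """Decorator: attach required scopes, allowed channels and a destructive flag to a tool."""
        def deco(fn):
            self._tools[fn.__name__] = ToolSpec(
                fn.__name__, fn, frozenset(scopes), frozenset(channels), destructive)
            return fn
        return deco

    def visible_tools(self, who: Principal) -> list:
        """Scope the tool list to the caller: the model never sees a tool it cannot invoke."""
        return sorted(n for n, t in self._tools.items()
                      if who.channel in t.channels and t.scopes <= who.scopes)

    def invoke(self, who: Principal, name: str, args: dict, approval_id: Optional[str] = None):
        """Per-tool auth, then the destructive-op gate: held calls need an out-of-band approval id."""
        t = self._tools.get(name)
        if t is None or who.channel not in t.channels:
            raise PolicyError(f"{name}: not available on channel {who.channel!r}")
        missing = t.scopes - who.scopes
        if missing:
            raise PolicyError(f"{name}: missing scopes {sorted(missing)}")
        if (t.destructive or looks_destructive(args)) and not approval_id:
            self.audit.append(("held", who.subject, name, args))
            raise ApprovalRequired(f"{name}: destructive call needs an out-of-band approval id")
        self.audit.append(("ran", who.subject, name, args, approval_id))
        return t.fn(**args)


registry = ToolRegistry()


@registry.tool(scopes={"fs:read"}, channels={"ide", "slack", "ci"})
def read_file(path: str) -> str:
    return f"<contents of {path}>"          # simulated


@registry.tool(scopes={"db:read"}, channels={"ide", "ci"})
def run_sql(query: str) -> str:
    return f"executed: {query}"             # simulated; a real tool would hit the database


@registry.tool(scopes={"db:admin"}, channels={"ide"}, destructive=True)
def drop_table(table: str) -> str:
    return f"dropped {table}"               # simulated


if __name__ == "__main__":
    dev = Principal("alice", "ide", frozenset({"fs:read", "db:read", "db:admin"}))
    bot = Principal("slack-bot", "slack", frozenset({"fs:read", "db:read"}))
    print(registry.visible_tools(dev), registry.visible_tools(bot))
    print(registry.invoke(dev, "run_sql", {"query": "SELECT count(*) FROM users"}))
    for call in [("run_sql", {"query": "DELETE FROM users"}), ("drop_table", {"table": "users"})]:
        try:
            registry.invoke(dev, *call)
        except ApprovalRequired as exc:
            print("held:", exc)
    print(registry.invoke(dev, "drop_table", {"table": "users"}, approval_id="CHG-4711"))
```

The gate fires on either signal: a tool registered as destructive, or a benign-looking tool (run_sql) handed a destructive argument. The approval id is whatever your change process issues; the harness only checks that one was presented and records it in the audit trail, which is the record you want when the nine-second incident happens anyway.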
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Palisade Research clocked autonomous agents at 81% success hacking remote systems, up from 6% a year ago.
  AI agents crossed 81% autonomous hacking success this week while a Claude agent proved it can delete your entire database in 9 seconds — and neither your ML model registry (244K ma…
- Four critical-severity vulnerabilities hit overlapping infrastructure stacks simultaneously: Dirty Frag (CVE-2026-43284) gives any local user root on every Linux distro shipped since 2017 with a public PoC and broken embargo, FreeBSD's 21-year-old DHCP bug (CVE-2026-42511) hands root to LAN-adjacent attackers with zero interaction, LiteLLM's SQL injection (CVE-2026-42208) is under active exploitation against AI proxy infrastructure, and cPanel's zero-day (CVE-2026-41940) is already dropping Mirai variants and Sorry ransomware.
  Four root-level vulnerabilities hit your Linux, FreeBSD, AI proxy, and hosting layers simultaneously — Dirty Frag alone affects every distro since 2017 with a public PoC — while AI…
- Three ML infrastructure vectors are under simultaneous active exploitation this week: LiteLLM's unauthenticated SQLi (CVE-2026-42208) dumping routing configs and API keys, Ollama's OOB memory read exposing in-flight prompts and secrets to any network caller, and a 244K-download credential-stealing repo that rode HuggingFace's trending algorithm to #1.
  Your ML infrastructure is under simultaneous active exploitation across three vectors (LiteLLM, Ollama, HuggingFace) while eight independent sources converged on the same architect…
- Notion shipped spec-driven development this week: a PM writes a 4-sentence task description and an agent produces a working feature with PR, screenshots, and preview URL in 20 minutes.
  Your PM workflow split in two this week: Notion is shipping features from 4-sentence specs in 20 minutes while research shows users become 20% worse at their jobs after just 10 min…
- OpenAI launched a $4-10B consulting arm (DeployCo) this week with McKinsey, Bain & Company, and Capgemini as equity investors earning a guaranteed 17.5% return for channeling clients into the OpenAI ecosystem.
  OpenAI just turned your AI strategy consultants into its own sales channel by making McKinsey, Bain, and Capgemini equity investors in a $10B deployment company — while the compute…
- OpenAI stood up a four-billion-dollar PE-backed deployment subsidiary with a 17.5% guaranteed floor, and McKinsey, Bain & Company, and Capgemini wrote checks into it rather than compete with it.
  OpenAI just vertically integrated the AI-services category by signing McKinsey, Bain, and Capgemini as co-investors rather than competitors — in the same week agent-hacking success…