Anthropic just gave Claude the ability to actually use your computer: clicking, typing, browsing your files, and running dev tools.
The setup:
Safety first: It asks permission per app, scans for malicious instructions, hides your other windows while working, and you can kill it anytime.
Dispatch: Text Claude from your phone ("fix that bug and make a PR"), and it executes on your desktop while you're away. Come back to finished work.
Research preview reality:
Mac only, Pro/Max subscribers only
It's slow and occasionally clumsy (screen control is slower than direct APIs).
Start with tasks where mistakes are easy to undo. I repeat: start with tasks where mistakes are easy to undo.
Why it matters: Everyone's building this now: agents that actually execute, not just advise. Anthropic's take: APIs first, then brute-force screen control when needed. Still early, still messy, but, for better or worse, this is where the whole field is heading.
Source: https://claude.com/blog/dispatch-and-computer-use
pip install nightmare:
LiteLLM 1.82.7 and 1.82.8 just got hijacked on PyPI. TeamPCP (same crew that hit Trivy last week) slipped malware into the package for about three hours yesterday. With 97 million monthly downloads on the line, the blast radius was massive.
The setup:
The attacker stole PyPI credentials via a compromised Trivy GitHub Action in LiteLLM's own CI/CD pipeline. Ironic: using a security scanner to break security. They published two poisoned versions: 1.82.7 hid malware in proxy_server.py, but 1.82.8 got nastier, shipping a .pth file that runs on every Python startup, even if you never import LiteLLM.
The transitive trap:
You didn't even need to type pip install litellm. Install DSPy (which depended on litellm>=1.64.0) and you'd also be pwnd. Any package depending on LiteLLM became a delivery mechanism. So your innocent pip install of some AI tool could have dragged this in via the back door.
How they got caught:
Researcher Callum McMahon was testing a Cursor plugin when his machine suddenly ran out of RAM and crashed. The malware had a bug (fork bomb) that ate all his memory. If the attacker had tested their code instead of vibe-coding it, this runs silent for weeks instead of minutes.
The damage:
It vacuums SSH keys, AWS/GCP/Azure creds, Kubernetes configs, crypto wallets, shell history, database passwords, and Git credentials. Then it phones home to models.litellm.cloud. If you're in Kubernetes, it tries to deploy privileged pods to every node and install persistent backdoors.
The fix:
Revert to 1.82.6 immediately. Check for litellm_init.pth, ~/.config/sysmon/sysmon.py, and rogue Kubernetes pods named node-setup-*. Rotate every credential that touched the affected machine. Assume compromise if you installed LiteLLM (or anything that depended on it) on March 24 between 10:39 and 13:38 UTC.
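A triage script for the file and version checks above, as an added example (not code from LiteLLM or from the researchers). The function names are hypothetical; the versions and file names come from this article. It goes one step further than the article by flagging any other .pth file containing an `import` line, since Python's site module executes those lines at startup; legitimate packages do this too, so those are marked "review". The Kubernetes pod check is not covered.

```python
import site
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}         # poisoned releases named in the article
PTH_NAME = "litellm_init.pth"               # indicator named in the article
HOME_IOC = Path(".config/sysmon/sysmon.py") # indicator named in the article, under $HOME

def executable_pth_lines(pth):
    """Lines site.py would exec: those starting with 'import' + space or tab."""
    try:
        text = Path(pth).read_text(errors="replace")
    except OSError:
        return []
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def audit(site_dirs, home, installed_version=None):
    """Return (severity, message) findings for the given dirs and home."""
    findings = []
    if installed_version in BAD_VERSIONS:
        findings.append(("critical", f"litellm {installed_version} is installed"))
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            if pth.name == PTH_NAME:
                findings.append(("critical", f"known-bad file {pth}"))
            elif executable_pth_lines(pth):
                # Hypothetical extra tier: not an indicator, just worth a look.
                findings.append(("review", f"{pth} runs code at interpreter startup"))
    ioc = Path(home) / HOME_IOC
    if ioc.exists():
        findings.append(("critical", f"indicator file {ioc}"))
    return findings

def installed_litellm():
    """Version of litellm in this environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    dirs = set(site.getsitepackages() + [site.getusersitepackages()])
    results = audit(dirs, Path.home(), installed_litellm())
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    sys.exit(1 if any(s == "critical" for s, _ in results) else 0)
```

Run it with each interpreter and virtual environment on the machine, since every environment has its own site-packages. A clean result does not replace credential rotation if an affected version was installed in the exposure window.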
Why it matters:
This is a supply chain attack in a nutshell. You trust one package, it trusts another, and suddenly your infrastructure is wide open because a CI/CD tool got compromised upstream. TeamPCP literally used the Trivy breach to breach LiteLLM, and they'll use LiteLLM credentials to hit the next target.