Plutonic Rainbows

Anthropic's content management system has a toggle. Public or private. Someone forgot to flip it.

That's how roughly 3,000 unpublished assets ended up publicly searchable on the open web. Draft blog posts, images, PDFs. Among them: a detailed draft announcing Claude Mythos, described as "by far the most powerful AI model we've ever developed." Security researchers Roy Paz and Alexandre Pauwels found the cache. Fortune broke the story on Thursday. Anthropic called it "human error" and removed public access.

The irony needs no elaboration. A company that has made AI safety its founding identity, that walked away from a $200 million Pentagon contract over surveillance and weapons concerns, exposed its most sensitive model details through a checkbox.

The model sits above Opus in Anthropic's hierarchy. Two versions of the draft existed, one calling it Mythos, the other Capybara. The leaked documents claim "dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity" compared to Opus 4.6. Anthropic confirmed they're developing "a general purpose model with meaningful advances in reasoning, coding, and cybersecurity" and called it "a step change."

The cybersecurity angle is what moved markets. The draft warned Mythos is "currently far ahead of any other AI model in cyber capabilities" and "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." CrowdStrike dropped 7 percent on Friday. Palo Alto Networks fell 6. Stifel analyst Adam Borg called it "the ultimate hacking tool."

This is the dual-use problem made concrete. A model that discovers zero-day vulnerabilities helps defenders patch them. It also hands attackers a map to every unlocked door. Anthropic says they're rolling out to cybersecurity organizations first, giving defenders a head start. Whether that advantage survives broader availability is the question nobody can answer yet.

Futurism raised a fair point: frontier AI companies routinely claim breakthrough capabilities, and OpenAI's underwhelming GPT-5 launch should temper expectations. The difference is that Anthropic didn't choose to make these claims publicly. The draft was written for internal use, which makes the language harder to dismiss as marketing. Companies tend to be more honest in documents they don't expect anyone to read.

The model is reportedly expensive to serve, with no public release date. Anthropic is being "deliberate," which is the right word for a company whose safety reputation just absorbed an unforced error. The leak didn't expose model weights or API access. But for a company whose entire brand rests on the claim that it handles powerful AI more carefully than anyone else, a misconfigured CMS toggle is a difficult look.

Sources:

• Anthropic 'Mythos' AI Model Revealed in Data Leak — Fortune

• Anthropic's Leaked AI Poses Unprecedented Cybersecurity Risks — Fortune

• Claude Mythos Leak: Dramatically Higher Scores — The Decoder

• Cybersecurity Stocks Plunge After Mythos Leak — Investing.com

Three letters, no definition. AGI has become the most consequential acronym in technology, and nobody can tell you what it means. Not the researchers building toward it, not the companies staking billions on it, not the policymakers trying to regulate it. The term floats through earnings calls, congressional hearings, and arXiv papers with the confidence of something settled. It is not settled. It is not close to settled.

OpenAI defines AGI as "a highly autonomous system that outperforms humans at most economically valuable work." Their partnership agreement with Microsoft reportedly defines it differently: AI systems generating at least $100 billion in profits. One definition is about capability. The other is about revenue. They use the same two words. Sam Altman has called AGI "a very sloppy term," which is a strange thing to say about the stated mission of your company.

Google DeepMind took the most serious shot at resolving this in late 2023, when Meredith Ringel Morris, Shane Legg, and colleagues published a taxonomy surveying nine existing AGI definitions and finding all of them inadequate. Their proposed replacement is a matrix: five performance levels (Emerging through Superhuman) crossed with breadth of generality. Under this framework, current large language models qualify as "Level 1 Emerging AGI." Which tells you more about the framework than about the models.

Dario Amodei at Anthropic rejects the term entirely. He has called AGI "a marketing term" and prefers "powerful AI," which he defines as AI smarter than a Nobel Prize winner across most relevant fields, capable of running autonomously for days. That is a definition with teeth. It is also nothing like the other two.

So we have the three leading AI labs working toward something they cannot collectively name. This is not a minor semantic quibble. Definitions determine timelines, shape investment decisions, trigger contractual clauses, and inform regulation. When someone says AGI is two years away and someone else says it is twenty, they are frequently not disagreeing about progress. They are disagreeing about the destination.

The pattern has a name. Larry Tesler identified it in 1979: "Intelligence is whatever machines have not done yet." Every time AI clears a bar previously considered definitive, the bar moves. The ARC-AGI benchmark went from 0% in 2023 to 85% by December 2024. The response was not celebration but harder benchmarks. GPT-4.5 passed the Turing test in 2025 and it barely made the news. Coding tasks that would have seemed impossible to most researchers five years ago are now routine. The finish line retreats at the speed of approach.

In December 2025, this tension went public in the most entertaining way possible. Yann LeCun declared on a podcast that "there is no such thing as general intelligence" and called predictions of near-term AGI "completely delusional." Within hours, Demis Hassabis fired back, accusing LeCun of confusing general intelligence with universal intelligence. These are arguably the two most qualified people alive to have this argument, and they cannot agree on whether the concept itself makes sense.

Michael Timothy Bennett captured the frustration in an academic paper titled, bluntly, "What the F*ck Is Artificial General Intelligence?". His survey of AGI definitions found them varying on scope, metrics, feasibility assumptions, and whether human parity is even the right target. His conclusion: discussions about AGI risks, timelines, and policy rest on fundamentally incompatible premises.

I think the $100 billion definition is the most revealing one. Not because it is good, but because it is honest. It exists because AGI triggers a contractual clause: if OpenAI achieves it, Microsoft loses access to certain technology. The definition has nothing to do with cognition or capability. It is a legal instrument wearing a lab coat. And yet it governs the most consequential AI partnership in the world. That a financial threshold can sit alongside Turing tests and capability benchmarks under the same label tells you everything about how degraded the term has become.

There is a version of this argument that says none of it matters, that the capabilities are real regardless of what we call them. I have some sympathy for that position. The models are genuinely useful. They write code, summarise research, generate images that would have taken a studio two weeks to produce. Whether that constitutes "general intelligence" is, in some practical sense, beside the point for anyone using the tools today. But the label is not beside the point for the people setting expectations, raising capital, and writing legislation. When a company says it is building AGI, it is making a claim. When that claim has no stable referent, it cannot be falsified. And a target that cannot be falsified is not an engineering goal. It is marketing.

AGI is the only engineering target where the people building it, funding it, and regulating it cannot agree on what it is. We would not accept this in any other domain. Imagine a pharmaceutical company announcing it had cured cancer, but defining cancer as whatever diseases its drug happened to treat. The FDA would have questions. AI has no equivalent authority, no shared specification, no acceptance criteria. It has a phrase that means different things in different rooms and adapts to suit whoever is speaking.

Maybe that is the point. Maybe a fuzzy target serves everyone just well enough: researchers get funding, companies get valuations, politicians get something to regulate, and the public gets a story about the future. The ambiguity is not a bug. It is the product.

Sources:

• Levels of AGI for Operationalizing Progress on the Path to AGI — arXiv (Google DeepMind)

• Shrinking AGI timelines: a review of expert forecasts — 80,000 Hours

• Yann LeCun calls general intelligence 'complete BS' and Hassabis fires back — The Decoder

• What the F*ck Is Artificial General Intelligence? — arXiv

• Microsoft and OpenAI have a financial definition of AGI — TechCrunch

• Machines of Loving Grace — Dario Amodei

Sora is dead. OpenAI confirmed the shutdown on March 24, pulling both the consumer app and the API. The official statement frames this as a strategic pivot toward "world simulation research to advance robotics," which is the corporate equivalent of saying you didn't want to go to the party anyway.

The numbers tell a simpler story. Sora launched as a standalone iOS app in late 2025 and hit number one on the App Store within 24 hours. Downloads peaked at 3.3 million in November. By February 2026 they had fallen 67 percent, to 1.1 million. Total in-app purchases across the product's entire lifespan: $2.1 million. That is not a revenue stream. That is a rounding error on the inference bill for a single month of GPT-5.

The Disney deal collapsing made this worse. Disney had signed a three-year agreement that included a planned $1 billion investment in OpenAI and licensing of Disney, Marvel, Pixar, and Star Wars characters for Sora-generated content. It fell apart. Disney confirmed "no money changed hands." Losing a billion-dollar partnership on a product that was already bleeding users doesn't leave much ambiguity about where the axe falls next.

But Sora was the easy cut. The harder question is what follows.

OpenAI's product surface area has become genuinely difficult to enumerate. ChatGPT in six tiers (free, Plus, Pro, Team, Enterprise, Edu). The API platform. Codex. Deep Research. The agent mode that absorbed Operator before Operator was even a year old. Atlas, their web browser. DALL-E 3, now deprecated as of May. A hardware device with Jony Ive. E-commerce features bolted onto ChatGPT. A $200 million Department of Defense contract. The GPT Store, which appears to be in a state of quiet abandonment, with no monetisation pathway and community threads full of people asking if anyone at OpenAI still works on it.

Fidji Simo, OpenAI's CEO of Applications, addressed this directly in a March all-hands meeting. "We cannot miss this moment because we are distracted by side quests," she told employees, calling Anthropic's success a "wake-up call." The Wall Street Journal reported that current and former employees described the company as having "lost much of its focus last year" with an organisational structure that was "a mess." Internally, OpenAI's own diagnosis was blunt: too many apps, not enough focus.

I wrote in January about the revenue panic driving OpenAI's decisions, and in February about the circular capital flows propping up the whole structure. The Sora shutdown fits both patterns. HSBC Global Research now projects OpenAI still won't be profitable by 2030 and faces a $207 billion funding shortfall, with cumulative rental costs of $792 billion against projected free cash flow of just $282 billion. The company is burning 57 percent of revenue in 2026 and 2027. For comparison, Anthropic burns 33 percent in 2026 and drops to 9 percent by 2027.

Those numbers explain why Sora had to go. They also explain why Sora probably isn't the last thing to go. The shipping cadence that once felt like momentum now looks like a company throwing products at the wall while the inference costs pile up underneath. Something has to give, and OpenAI has chosen to give up the things that don't make money. Which, at the moment, is almost everything except ChatGPT subscriptions and API access.

The pre-IPO calculus matters here. You don't go public carrying a video generation product that made two million dollars and cost orders of magnitude more to run. You cut it, you talk about focus, and you hope investors read that as discipline rather than retreat. Whether the GPT Store, Atlas, or the Ive hardware survive the same arithmetic is something I'd bet against.

Sources:

• OpenAI Shelving Side Projects to Focus on Key Business — PYMNTS

• Panicked OpenAI Execs Cutting Projects as Walls Close In — Futurism

• OpenAI won't make money by 2030, faces $207B funding shortfall — Fortune

• OpenAI Shuts Down Sora AI: What Happened? — Deeper Insights

Rose Glass made Saint Maud for roughly $2.5 million, which is less than the catering budget on most studio horror. You'd never know it. The film looks like it cost ten times that, partly because Ben Fordesman's cinematography treats a bleak Scarborough beachfront like it's the edge of the world, and partly because the production design understands that a lonely bedsit can be more frightening than any haunted house if you shoot it correctly.

Morfydd Clark plays Maud, a palliative care nurse who has recently converted to Catholicism after something went wrong with a previous patient. She's assigned to care for Amanda, a terminally ill choreographer played by Jennifer Ehle with the precise detachment of someone who has already made peace with dying and finds Maud's earnestness first curious, then entertaining, then repulsive. The power dynamic between them is the engine of the film. Amanda has money, sophistication, a history of artistic achievement. Maud has God. For a while, God seems like enough.

The possession question is handled with more ambiguity than most horror films would tolerate. Maud experiences physical sensations she interprets as divine. Her body arches. Her eyes roll back. Whether this is ecstasy or seizure depends entirely on which character you believe, and Glass refuses to resolve the tension. She cited Taxi Driver as an influence, which tracks: Maud shares Travis Bickle's conviction that she has been chosen for a sacred mission, and the same inability to recognise that the mission is the disease.

I keep returning to Adam Janota Bzowski's score. Also a debut. He built what he called a Colourbox, a folder of processed sounds made by hitting objects with a drumstick and running the recordings through effects chains until they became something between music and industrial noise. The result sits underneath the film like a migraine, present even when you can't quite identify it. There's a click-clack sound that recurs, something straining and ready to snap. It won an Ivor Novello nomination, which felt overdue by the time it happened.

Glass joins a line of directors who understand that faith and horror share a border. The same territory The Blackcoat's Daughter occupies, where the supernatural isn't the threat but the comfort, and the real horror is what happens when it withdraws. Saint Maud takes that idea further. Maud's self-mortification scenes, nails pressed into the soles of her shoes, kneeling on broken glass, are shot with a tenderness that makes them harder to watch than if they were played for shock. She isn't being punished. She's trying to feel something she felt once and can't find again.

The final image is the cruelest thing A24 has put on screen. We see Maud's apotheosis through her own eyes first: wings, a crowd of worshippers, transfiguration. Then a smash cut to reality. An 84-minute film and Glass saves her most devastating technique for the last three seconds. The entire audience at Toronto reportedly gasped. I believe it. Some images you can't unsee, not because they're graphic but because they contain two contradictory truths at once and force you to hold both.

Sources

• Saint Maud Review - Variety

• Saint Maud - BFI Sight and Sound

• Composer Interview - SPIN

Geinoh Yamashirogumi was not a band. It was a collective of over two hundred people, scientists and engineers and students, led by Tsutomu Ohashi, a professor of agricultural chemistry who composed under the name Shoji Yamashiro. Their 1986 album Ecophony Rinne is structured as a four-movement symphony tracing the Buddhist cycle of samsara: primordial germination, death, dormancy, reincarnation. That description makes it sound academic. It isn't.

The first movement opens with something that resembles the universe waking up. Synthesised gamelan, programmed on Roland D-50 and Yamaha DX7-II keyboards because standard MIDI couldn't handle the slendro and pelog tuning scales of Indonesian tradition, collides with field recordings from Central African forests and Buddhist mantras captured with binaural microphones. Javanese jegog bamboo percussion sits alongside pipe organ patches built from sampled Tibetan horns. None of this should cohere. It does, somehow, in a way that feels less composed than geological.

The album's impossible cover art gives you the right frame of reference: mythological, dense, deliberately overwhelming. Kristoffer Cornils at HHV called it "one of the positively strangest, most alluring albums of all time," and for once the hyperbole fits. The record aligns with Jon Hassell's Fourth World concept, blending indigenous forms with electronic processing, but the scale here dwarfs anything Hassell attempted. Two hundred people is not a studio experiment. It is an institution committing fully to an idea.

Ohashi later published research in the Journal of Neurophysiology demonstrating that ultrasonic frequencies above 20kHz, inaudible to human hearing, measurably affect brain activity when paired with audible sound. He called it the hypersonic effect. That research grew directly from the recording methodology on Ecophony Rinne and its successor Ecophony Gaia. The man was scoring the lifecycle of the universe and simultaneously running psychoacoustic experiments. I've written about the peculiarities of early Japanese CD mastering before. Ohashi's obsession with preserving ultrasonic content explains why his group's pressings demanded unusual care.

Two years after Ecophony Rinne, Katsuhiro Otomo commissioned the group to score Akira. He gave them only two conceptual themes, "festival" and "requiem," and let them compose before the animation was finished. The visuals were cut to the music, not the other way around. Everything that made the Akira soundtrack feel alien and inevitable, the jegog, the Noh chanting, the layered electronic processing, was rehearsed here first. Ecophony Rinne is the proof of concept that haunts the margins of one of the most celebrated soundtracks in film history.

Sources

• Geinoh Yamashirogumi 'Ecophony Rinne' - Electronic Sound

• The Music You Can't Hear - Time Capsule Sound

• Ecophony Rinne Review - HHV Magazine

Oz Perkins finished the script in 2012. It took three years to find financing because nobody believed it could work as a film. They were half right. The Blackcoat's Daughter doesn't work as a conventional horror movie. It works as something considerably stranger and more durable than that.

The setup is boarding school gothic at its most reduced. Bramford Academy empties out for winter break. Two girls remain. Kat, a freshman played by Kiernan Shipka, has parents who simply don't show up. Rose, a senior played by Lucy Boynton, has manipulated the dates so she can deal with a suspected pregnancy. Meanwhile a third storyline follows Joan, an asylum escapee played by Emma Roberts, hitchhiking through upstate New York. These three threads intercut without explanation, and the film trusts you to hold all of them without a timeline card or a helpful chyron.

That structural confidence is the first thing that separates this from the possession films it superficially resembles. Perkins isn't interested in the mechanics of demonic inhabitation. He treats the possession the way Tarkovsky treated the Zone in Stalker, as a condition that reveals character rather than overwhelming it. Kat doesn't thrash around or speak in tongues. She gets quieter. She bows to the furnace. She develops a stillness that Shipka calibrates with precision that shouldn't be available to someone who was fifteen when she filmed this.

I'm not sure the film entirely earns its non-linear structure. There's a reveal in the final act that recontextualises Joan's storyline, and while it's been foreshadowed with care, the emotional payoff depends on you having felt something for a character the film has kept deliberately opaque. Emma Roberts does what she can with this. Her performance is the quietest thing she's ever done, almost withdrawn, but the screenplay gives her so little to work with before the turn that the revelation lands more as an intellectual satisfaction than a gut punch.

The atmosphere, though. Perkins builds dread the way frost forms on glass, so gradually that you only notice when you can't see through it anymore. Elvis Perkins, Oz's brother, composed the score having never worked on a film before, and you can hear that unfamiliarity working in its favour. It doesn't sound like a horror score. It sounds like someone trying to describe loneliness with a piano and not quite finding the right notes, which turns out to be exactly right for what this film is doing.

Perkins has said explicitly that the horror elements are a Trojan Horse. His actual intent was to tell a sad story about loss. That framing might sound like directorial pretension, the kind of thing filmmakers say to distance themselves from genre, but the final image proves he means it. Kat, now adult, alone on a frozen road, weeping because the demon has left her. Not because it possessed her. Because it abandoned her. The thing that every horror film positions as the threat is, for Kat, the only presence that ever stayed. When it goes, she has nothing.

This is where the Perkins biography becomes unavoidable. Oz lost his father Anthony Perkins, Norman Bates himself, to AIDS-related pneumonia in 1992. His mother Berry Berenson was killed on American Airlines Flight 11 on September 11, 2001. I don't think you need to know this to understand the film, but you can feel it in the architecture. The Blackcoat's Daughter understands, at a cellular level, what it means to be left behind.

The film premiered at Toronto in 2015 under its original and better title, February. It didn't reach US cinemas until 2017, by which point A24 had renamed it to something more marketable. It made $38,000 at the box office. Essentially nothing. Since then it's accumulated a reputation that outstrips most films that opened wide that year. The New York Times put it on their list of 13 scariest horror movies in 2020, five years after its premiere, the kind of slow critical reappraisal that happens when a film was always good but arrived before its audience was ready.

I'd put it alongside The Witch and Nosferatu in a narrow tradition of horror films that trust their own silence more than their scares. It's not perfect. The pacing will lose some viewers before the halfway mark, and if you need your horror to explain its mythology, this will frustrate you. But I keep thinking about Kat bowing to the furnace. That image has a weight to it that most horror directors spend entire franchises trying to manufacture and never find.

Sources

• The Blackcoat's Daughter - Wikipedia

• The Blackcoat's Daughter - Rotten Tomatoes

Mark Jenkin's Enys Men opens with a woman walking the same path, checking the same flowers, writing "no change" in the same notebook, day after day. The structure is so rigid it takes fifteen minutes before you realise the film is training you. Teaching you the rhythm so it can break it.

The setup is simple. A wildlife volunteer (Mary Woodvine, extraordinary in near-silence) lives alone on an island off the Cornish coast. It's 1973. She monitors a rare cliff-edge flower. She records her observations. She drinks tea, listens to static on the radio, sleeps. Then does it again. Jenkin shot it on his own clockwork Bolex, which can only record 27 seconds before needing to be wound again, and you feel that constraint in every cut. The edits are blunt. Image slams against image, a technique Jenkin traces back to Nicolas Roeg's Walkabout, and it works the same way here: not smooth, not comfortable, but alive with friction.

The folk horror references are obvious and deliberate. Children in white dresses carrying hawthorn branches, straight from The Wicker Man's May Day. Standing stones. Miners emerging from the earth like the dead rising. But Jenkin doesn't build toward a revelation the way genre convention demands. The temporal layers just accumulate. Past and present coexist on screen without hierarchy, without explanation, without the courtesy of a twist. The film's philosophical anchor is block universe theory, the idea that all moments exist simultaneously, and Jenkin commits to it structurally. There are no flashbacks because nothing is past.

The island swallows her in red and white and stone, and Jenkin's hand-processed 16mm bleeds colour until the landscape looks fevered. The Sight & Sound review described "sensorial immersion into the textures, shapes and colours of the place," and that's exactly right. This is not a film you follow so much as one you absorb.

The critical split tells you everything. Eighty percent on Rotten Tomatoes, 5.6 on IMDb. Critics who value formal ambition loved it. Audiences expecting narrative resolution did not. I understand both reactions, but I think the dismissals miss what Jenkin is actually doing. The horror isn't what changes. It's that nothing does, until you can't trust your own ability to tell the difference.

Jenkin made this in 21 days during COVID lockdown, on an island, mostly alone. The enforced isolation mapped directly onto the film's premise. He wrote it, directed it, shot it, recorded the sound in post, composed the score, and edited it himself. That level of singular authorship shows. For better or worse, there is nobody else's sensibility in the frame. It reminded me of how hauntological music works: the texture carries the meaning that narrative refuses to.

Sources:

• Island of Lost Souls: Mark Jenkin on Enys Men — Sight & Sound

• Enys Men review — Sight & Sound

• Mark Jenkin's Enys Men: Cornish Folk Horror — Horror Homeroom

Anthropic published a piece on harness design for long-running applications that crystallises something I've been circling for months. The thesis: the scaffolding around the model matters more than the model itself. Not a little more. Structurally more.

Their architecture borrows from GANs. A planner expands a brief prompt into a full spec. A generator builds features iteratively. An evaluator, running Playwright against the live application, grades the output against a rubric. The generator never sees its own score directly. The evaluator never generates code. Separation of concerns, applied to cognition.

The evaluator is the interesting part. Out of the box, Claude's QA capability is described as "poor." When asked to assess its own work, it praises the result confidently, even when the quality is obviously mediocre. A NeurIPS 2024 paper puts numbers on this: GPT-4 recognises its own output at 73.5% accuracy, and self-recognition correlates linearly with self-preference. Stronger models show more pronounced bias when they err. The better the model gets, the harder it is to make it honest about its own mistakes.

So you separate the roles. Tuning a standalone evaluator to be skeptical is, as Anthropic puts it, "far more tractable than making a generator critical of its own output." I've been applying this to my own workflows. A Topaz image enhancement pipeline now runs an image analysis agent as a quality gate before distributing files. Blog deployments get a post-deploy evaluator that fetches the live page and verifies OG tags, image rendering, internal links. The coordination overhead is real, but the alternative is trusting the thing that made the mistake to notice the mistake.

Context management is the other half. Long sessions degrade. Not because you run out of tokens, but because reasoning quality rots as history accumulates. Factory.ai calls this context rot, distinguishing it from context exhaustion. Anthropic's solution is context resets: clear the window entirely, hand off state through structured files, let the next agent start fresh. Compaction, summarising in place, preserves more history but introduces compression artifacts in the reasoning itself. Resets are blunter but cleaner.

The most honest admission in the article is about cost. A solo agent built a retro game in twenty minutes for nine dollars. Broken mechanics, poor UI. The full harness took six hours and two hundred dollars, but produced something that actually worked. That's the real tradeoff, not whether harnesses are better, but whether the quality delta justifies 20x the spend. For a throwaway prototype, probably not. For anything facing users, obviously yes.

Every component in a harness encodes an assumption about what the model can't do alone. When Anthropic moved from Sonnet to Opus, they removed their sprint decomposition system entirely because Opus sustained coherence over longer sessions. The subagent patterns that seemed essential six months ago might be overhead tomorrow. The discipline isn't building the perfect harness. It's knowing which pieces to remove.

Sources:

• Harness Design for Long-Running Apps — Anthropic Engineering

• LLM Evaluators Recognize and Favor Their Own Generations — NeurIPS 2024

• The Context Window Problem — Factory.ai

Cursor launched Composer 2 on March 19 with the kind of language companies use when they want you to feel something big just happened. "Frontier-level coding intelligence." "Our first continued pretraining run." The blog post read like a declaration of independence from foundation model providers. Within 24 hours, a developer named Fynn caught an internal model identifier leaking through Cursor's OpenAI-compatible base URL: kimi-k2p5-rl-0317-s515-fast.

That is not subtle. Kimi K2.5 is an open-source model from Moonshot AI, a Beijing-based company backed by Alibaba. One trillion parameters total, 32 billion active per request. Cursor took it, applied reinforcement learning on coding tasks, and shipped it as their own breakthrough. Yulun Du, Head of Pretraining at Moonshot, confirmed the tokenizer was "completely identical." The base model was never mentioned in the announcement.

Cursor co-founder Aman Sanger eventually acknowledged the omission on X: "It was a miss to not mention the Kimi base in our blog from the start." He claimed roughly a quarter of the compute came from the base model, with the rest from Cursor's own training. That ratio is debatable, but the transparency failure is not.

The licensing angle makes it worse. Kimi K2.5 ships under a Modified MIT License requiring prominent UI attribution for any product exceeding 100 million monthly active users or $20 million in monthly revenue. Cursor's annualized revenue exceeds $2 billion. Their interface displayed "Composer 2" and nothing else. Moonshot initially had employees publicly questioning whether the use was authorized. Those posts disappeared, replaced by an official statement calling it an "authorized commercial partnership" through inference provider Fireworks AI.

This matters beyond one company and one model. Cursor built a $29 billion valuation partly on the perception that they were doing novel AI research. The Hacker News thread captured the tension: one user wrote that "the entire company is built on packaging open source and reselling it," while others countered that serious engineering goes into fine-tuning and RLHF pipelines. Both things can be true. But the omission transforms a legitimate technical contribution into something that feels like sleight of hand.

The broader pattern is familiar. When I wrote about why Anthropic had to close the back door, the underlying question was the same: who controls access to what, and does the user actually know? AI tools increasingly operate as routing layers, assembling capabilities from various foundation models. The label on the box tells you almost nothing about what is inside.

Cursor still makes a good product. The editor is fast, Tab predictions feel nearly telepathic some days. None of that required hiding the provenance of the model doing the heavy lifting. The fix was always simple: one line in the blog post, one badge in the UI. They chose not to, and a developer reading API metadata had to do it for them.

Sources:

• Cursor admits its new coding model was built on top of Moonshot AI's Kimi — TechCrunch

• Cursor quietly built Composer 2 on top of Chinese open-source Kimi K2.5 — The Decoder

• Cursor's Composer 2 Is Kimi K2.5 With RL and No Attribution — Awesome Agents