Project Butterfly of Damocles
From fairy dust to Glasswing: a decade of being right about the wrong thing
In 2014 the internet's foundational software was held together by wishful thinking and volunteer labor. In 2026, Anthropic's unreleased frontier model validated that at industrial scale, and two nation-state actors proved the security tooling itself is now the attack surface. This 10-part series explores Project Glasswing, the ML dependency graph, and the most consequential AI security policy decisions of the decade.
Companion Materials
-
Whitepaper
Full research paper - coming soon.
-
Infographics
Architecture diagrams and threat models - coming soon.
Episode Guide
-
Ep 1
Introduction: From fairy dust to Glasswing
A decade of being right about the wrong thing. An overview of the Glasswing paradigm shift.
-
Ep 2
The original quantitative case: internet infrastructure is not OK
Revisiting the 2014 DEF CON data showing almost nothing critical lived in the safe quadrant.
-
Ep 3
Third-party libraries: the vulnerability layer nobody counted
The transitive dependency graph, structural vulnerabilities, and how Node.js services became 847 applications.
-
Ep 4
When the security scanner became the weapon: Trivy → LiteLLM → Axios
The March 2026 cascade: Two nation-state actors striking developer toolchains within 12 days.
-
Ep 5
Silicon Valley's new attack surface: the machine learning dependency graph
Examining PyTorch, TensorFlow, HuggingFace, LiteLLM, and how the AI gateway became the credential vault.
-
Ep 6
From "I have a toolbox" to "the scanner has a backdoor"
The timeline mapping the progression from 2014 to the release of Project Glasswing.
-
Ep 7
What Project Glasswing actually changes for every open source actor on earth
The Glasswing Doctrine, capability withholding as governance, and the impact across maintainers and regulators.
-
Ep 8
Pros, cons, and tensions that don't resolve
The honest accounting of Project Glasswing. Does withholding Mythos actually buy us time?
-
Ep 9
What this means if you work in security, build OSS, or set policy
The scarcity of finding capability is over. The crisis of fixing it is just beginning. Key takeaways for the ecosystem.
-
Ep 10
Conclusion: What it looks like when you hold the whole picture at once
Season finale - The questions nobody is asking loudly enough, structural paradoxes, and the uncomfortable truth.
