The Claude Code takeover is the smallest story this week

The Pragmatic Engineer's 906-respondent survey finally put numbers on what most of us already felt. Ninety-five percent of senior engineers use AI tools weekly. Fifty-six percent do 70%+ of their work with AI. Fifty-five percent regularly drive autonomous agents. Staff+ engineers lead at 63.5%. Claude Code went from launch in May 2025 to the #1 AI coding tool by February 2026 — overtaking GitHub Copilot, which had a four-year head start. Cursor doubled from $1B to $2B ARR in 90 days.

That's the story everyone will quote. It's also the least interesting thing that happened this week.

The model layer just stopped mattering

Sonnet 4.6 lands at 79.6% on agentic coding. Opus 4.6 lands at 80.8%. The price gap: $3/$15 versus $5/$25 per million tokens. A 1.2-point quality gap for a 40% cost cut. If you're still hardcoding Opus as the default for everything, you're paying for benchmark pride.

Alibaba's Qwen 3.5 9B claims to beat OpenAI's gpt-oss-120B on multiple tasks under Apache 2.0, runnable on 6GB of RAM. Treat the benchmarks with the usual skepticism — ARC-AGI-2 numbers from Chinese open-weight models are still in the single digits, and "graduate-level reasoning" can mean almost anything. But the directional claim is real: a 13x compute efficiency delta, served from Docker Model Runner at localhost:12434 with an OpenAI-compatible API. One env var swap and your dev/test inference is free.

There's a quieter cost story underneath. Researchers confirmed Instruct-tuned models burn thousands of internal reasoning tokens even with thinking mode disabled. Your cost-per-query estimates are systematically low by an unknown but non-trivial factor. A stolen Gemini API key turned a $180 bill into $82K in 48 hours. If you don't have hard spend caps and per-key anomaly alerts on every LLM integration, fix that this week before you fix anything else.

The model layer is now a routing problem. Sonnet as L1, Opus as L2 escalation, Qwen on the edge for cost-sensitive paths. Anyone shipping a single-model architecture in 2026 is leaving 40% on the table to avoid writing a router.

The auth stack broke in three places at once

Starkiller turned Adversary-in-the-Middle MFA bypass into a subscription product. The victim sees the real login page — because it is the real login page, proxied. They enter credentials. They tap the push notification. The proxy keeps the authenticated session cookie. Your MFA event log shows a clean, successful login. TOTP, SMS, and push are now speed bumps.

Microsoft confirmed active campaigns weaponizing OAuth redirect URIs against government targets — registering apps with intentionally invalid scopes to force error redirects to attacker infrastructure. No tokens stolen. The protocol's designed error handling is the delivery mechanism. CVE-2026-0628 (CVSS 8.8) showed a Chrome extension with basic permissions could hijack Gemini Live to reach the camera, microphone, and local files. Patched in 143.0.7499.192. Verify your fleet.

UC Riverside's AirSnitch research tested Netgear, Cisco, Ubiquiti, ASUS, TP-Link, DD-WRT, OpenWrt. Every single one was vulnerable to client-isolation bypass via GTK abuse or gateway bouncing. There's no CVE because the flaw is in the design of Wi-Fi client isolation itself. If your network diagram lists "AP client isolation" as a security control, update the diagram today. It's theater.

Meanwhile, CrowdStrike confirmed adversary dwell time is now under 30 minutes. That's not enough time for a human to receive the alert, page the on-call, and execute containment.

The supply chain is the attack surface

StepSecurity uncovered hackerbot-claw — an automated bot that scanned 47,000+ repos, identified exploitable vulnerabilities, and actually exploited them, compromising open-source projects from DataDog, Microsoft, and Aqua Security. Trivy — a container security scanner — was compromised so thoroughly that Aqua renamed and privatized the repo. A scanning tool got owned by an AI scanner. Read that twice.

At the same time, a TOCTOU race in Node.js ClientRequest.path enables HTTP request splitting across libraries with 160M+ weekly downloads. Node.js declared it out of scope for their threat model. No upstream fix is coming. Every HTTP client built on Node — axios, got, node-fetch, undici wrappers — independently owns the mitigation. If you proxy HTTP requests in a Node service, audit whether your construction patterns allow path mutation between create and send.

Layer on the AI-generated code data: Veracode found 45% of AI-generated code introduces security flaws, and Stanford showed developers using AI assistants write less secure code while being more confident it's safe. Combine that with terminal-first agents like Claude Code that operate entirely outside browser DLP, and you have the systemic AppSec liability of the decade — invisible, prolific, and trusted by the engineers shipping it.

What to actually do this week

If I had to pick one move: instrument actual token consumption against billed token consumption on every LLM integration in production, set hard per-key spend caps, and stand up a model router that defaults to Sonnet 4.6 with Opus as escalation. That single workstream addresses the hidden-reasoning-token cost leak, the $82K-in-48-hours key-theft scenario, and the 40% margin you're handing back by hardcoding flagships.

If I had to pick two: start the FIDO2/passkey rollout for privileged accounts. Admin panels and CI/CD systems first. Starkiller is on sale to anyone with crypto. The credential phishing landscape changed this week and it isn't changing back.

The Claude Code adoption curve is real, and it's rewriting how engineering teams ship. But the load-bearing story this week is that the model layer commoditized, the auth layer broke, and the supply chain became sentient. The teams that win the next two quarters won't be the ones that picked the right coding agent. They'll be the ones who noticed the floor moving and rebuilt the routing, auth, and SBOM disciplines underneath it.