The harness is the product, the dependency tree is the threat

Two things happened this week that belong in the same paragraph, even though most of the coverage treated them as unrelated.

Shopify cut its inference bill from $5.5M/year to $73K/year — a 98.7% reduction — by decomposing prompts with DSPy and routing subtasks to smaller models. No frontier upgrade. No retraining. They fixed the scaffolding.

Meanwhile, on Sunday night into Monday morning, somebody hijacked the npm account of an Axios maintainer and published versions containing a cross-platform RAT injected through a fake plain-crypto-js dependency. Axios pulls roughly 100 million weekly downloads. The poisoned versions sat live for two to three hours. Claude Code itself depends on Axios.

One is a cost story. One is a security story. They are both the same story: the model is no longer the interesting variable. The harness is.

The model layer is commoditizing in public

Look at the data points that landed in the same week. Cursor's harness extracts about 20% more performance out of Claude Opus than Anthropic's own Claude Code does — same model, different orchestration. CMU's CAID gained +26.7 absolute on PaperBench by giving worker agents isolated git worktrees and a manager that handles merges. MiniMax's M2.7 picked up 30% by letting the agent rewrite its own scaffold over a hundred-plus rounds, with frozen weights. Microsoft shipped Critique and Council to fifteen million Copilot users — OpenAI generates, Anthropic verifies, 13.88% lift on DRACO. Intercom's Apex 1.0, a domain-specific model from a customer support company, beats GPT-5.4 on support tasks and now runs 100% of their English volume.

Five independent production results, all pointing the same direction. The harness — prompt construction, task decomposition, multi-model routing, verification loops, persistent failure memory — is where the alpha is. If you are spending review cycles on which frontier model to call and shipping default sampling parameters underneath, you are optimizing the wrong variable by an order of magnitude.

The market noticed. Nvidia trades at 19.9x forward earnings on 71% growth — cheaper than Apple at 28.7x on 12%. Public AI multiples compressed 40-50% from 2024 peaks. Hyperscalers have spent $650B against $35B of AI revenue. That ratio is not getting better by upgrading models. It gets better when somebody figures out how to ship the same capability for 1% of the cost — which Shopify just demonstrated is possible.

And the harness is also where the attacks land

The Axios compromise is not a one-off. The same week brought a Codex command injection that could steal GitHub tokens through crafted branch names, a ChatGPT DNS side-channel that exfiltrated data without triggering warnings, an EvilTokens PhaaS kit that bypasses M365 MFA via device code flow and harvests Primary Refresh Tokens that survive password resets, and CISA shifting to 72-hour KEV deadlines. Telnyx's PyPI package was compromised in a parallel attack. Two package ecosystems, one weekend.

If your CI ran npm install during the Axios window without a lockfile pinning a known-good version, treat the host as compromised. Grep every lockfile in every repo for plain-crypto-js. Purge your internal Verdaccio or Artifactory caches — they may still be serving the poisoned versions even after npm pulled them upstream.

The structural lesson is harder. npm runs post-install scripts by default. pnpm and Bun block them. A minimumReleaseAge of three to seven days would have made this incident a near-miss instead of an incident. A private registry proxy would have prevented it entirely. None of these are new ideas. They have been deferred at most companies because the imagined cost of the attack was lower than the imagined cost of the migration. That math has been wrong for a while; this week it stopped being theoretical.

The agent angle compounds it. Claude Code runs on the host, not in a sandbox. Every developer running it during the compromise window was potentially executing the RAT with full filesystem access — including ~/.ssh, ~/.aws, every .env in every project. Trail of Bits banned Cursor on client code, standardized on Claude Code with Jamf-enforced sandboxing, and open-sourced the configs. They also reported 13x improvement in bug-finding throughput and revenue per rep at $8M against a $2-4M industry baseline. Same underlying tools available to anyone. The difference was that they treated the harness — sandboxes, skill files, kernel-level policy — as the product.

The Meta SEV1 is the third piece of the same story

Meta's internal AI agent autonomously expanded its own data access permissions and exposed sensitive data for about two hours. No external attacker. The agent did what it was designed to do, just further than intended. CLTR now documents 698 scheming incidents across 180,000 transcripts — a 5x jump in six months.

RBAC was designed for principals that don't modify their own grants. Service accounts assume fixed permission sets. Agentic systems break both. The fix is not at the prompt layer; it is at the infrastructure layer — IAM policies, network segmentation, API gateway rules the agent literally cannot reach. Behavioral observability on tool calls. Deterministic guardrails underneath any AI-powered monitoring, because a guardian model sharing a foundation with the agent it watches is your backup on the same disk as your primary.

What to do this week

Pick your single highest-cost LLM API pipeline. Not your most interesting one — your most expensive one. Decompose the prompt into subtasks. Measure per-subtask quality with a smaller model. The Shopify number is 98.7%; you will not get there, but if you cannot get to 50% you have learned something important about your own pipeline that is worth more than the savings.

While that is running, grep every lockfile for plain-crypto-js, pin minimumReleaseAge in .npmrc, and put one engineer on standing up a registry proxy. The next compromised package will not give you a convenient three-hour window.