BadHost Cracks the Agent Substrate - TCR 05/27/26

The 20-Second Scan

• Researchers disclosed BadHost, a trivially exploitable Starlette vulnerability imperiling millions of AI agents and the MCP servers that hold their credentials to email, databases, and third-party accounts.
• AI detector Pangram flagged 46% of Pope Leo's first AI encyclical Magnifica Humanitas as AI-generated when The Verge ran the text, with one chapter section scoring 62%.
• A Floodlight investigation found Louisiana state senator Jay Morris sponsored bills enabling Meta's $3.3 billion Hyperion data center while he and partners bought and sold hundreds of acres around the site.
• An EFF analysis of millions of Flock ALPR searches found law enforcement using the warrantless camera network for school residency verification, background checks, and noise complaints.
• AI debt collector Domu hit 70 million monthly connected calls in March, with the AI debt collection industry projected to reach $16 billion within a decade.
• Utah's first-in-nation clinical AI sandbox is framed in Nature Medicine as a working test of independent ongoing oversight for models that drift after deployment, against FDA approval still anchored to static one-time evaluation.
• A wearable ultrasound patch autonomously tracked fetal blood-flow spectra across 52 high-risk pregnancies in Nature Biotechnology, agreeing with handheld clinical ultrasound and operating without a sonographer.

The 2-Minute Read

The thread across yesterday's signal traces the substrate of the agent economy being exposed and the institutional layer around AI being assembled by whichever actor moves first. A one-character header exploit at the routing core of the framework most AI agent deployments rely on lands directly on the credential vault those agents act on, with hundreds of millions of weekly downloads now requiring emergency upgrade.

The authorship layer of the era dissolved in the same cycle. An AI detector flagged nearly half of Pope Leo's first AI encyclical as machine-written when The Verge ran the text, and Anthropic's "cultivated rather than built" framing appeared verbatim. The convention around whether collaboration with AI counts as authorship has not yet been built, and the most consequential institutional documents of the era are being shaped inside that gap.

Institutional friction sharpened in three directions at once. A Louisiana state senator who sponsored bills enabling Meta's largest data center bought and sold hundreds of acres around the site through his partners. Law enforcement is using the warrantless Flock ALPR network for school residency checks and noise complaints. AI voice agents are absorbing debt collection, the most disliked phone call in America, at industrial scale on a population whose financial precarity is itself producing the demand. Verification infrastructure for each is forming in courtrooms, EFF reports, and FDA reviews while capability compounds underneath.

The 20-Minute Deep Dive

A One-Character Header Exposes the Substrate of the Agent Economy

The Starlette open-source Python framework received an unusual update this week: version 1.0.1, addressing a vulnerability that security researchers say imperils millions of AI agents around the world. The flaw, tracked as CVE-2026-48710 and given the name BadHost, can be exploited by injecting a single character into the HTTP Host header, bypassing path-based authorization on a framework that Anthropic-hosted MCP servers, FastAPI services, vLLM inference proxies, and a long list of agent harnesses depend on. Starlette's developer reports 325 million weekly downloads, placing it among the most foundational pieces of Python infrastructure currently running.

What the vulnerability exposes is the substrate connecting AI agents to the systems they have been granted access to. MCP servers - the model context protocol that lets agents reach external resources - store the credentials each agent uses to reach a user's email, calendar, database, or third-party account. Breaching the MCP server means breaching the layer that holds the keys to every system the agent had been instructed to touch. A trivially exploitable flaw at the routing core of FastAPI lands directly on the credential vault of the agentic economy. The May 21 edition of The Century Report documented the protective architecture being assembled around this layer: 1Password and OpenAI shipping an MCP server that gives coding agents just-in-time vault credentials scoped per operation, never persisted to the agent environment, with full audit logs. BadHost reaches the routing layer that credential scoping depends on to hold.

The list of affected packages reads as an inventory of the year's most-deployed AI infrastructure: vLLM, LiteLLM, Text Generation Inference, OpenAI-shim proxies, eval dashboards, model-management UIs. The Five Eyes agentic AI guidance issued at the beginning of May named the gap between deployment velocity and security maturity in plain terms; BadHost is what that gap looks like as a specific CVE.

The substrate of agentic AI has been assembled out of open-source frameworks that were never designed to carry credentials at this concentration. Starlette became the routing core for FastAPI in 2018, when the Python ecosystem was building HTTP services for human-operated clients. The same framework now mediates connections between autonomous agents and the credential stores those agents act on. The threat model shifted while the substrate stayed the same.

The response architecture is forming in the same window the vulnerability surfaced. X41 D-Sec partnered with Nemesis to ship an online scanner letting any operator check a given server. Starlette pushed 1.0.1 within hours. The audit pattern Mozilla published with the Claude Mythos Firefox postmortem in April is now a reusable template: a defensive workflow that compounds through publication rather than hoarding. The verification layer the agentic economy needs is being built at the same speed as the deployment it has to catch, by labs and security firms publishing the harness alongside the finding.

The response architecture forming around BadHost - X41 D-Sec and Nemesis shipping a public scanner the same week, Starlette pushing 1.0.1 within hours, Mozilla's Mythos audit pattern reusable as a template - is the verification substrate of the agentic economy assembling at the speed deployment now demands. The credential layer agents act through is the same layer becoming auditable as each vulnerability surfaces. What gets structurally harder after this week is the case for any operator refusing to publish the harness alongside the finding; the defensive workflow that compounds through publication is now the visible standard.

An AI Detector Reads the AI Encyclical as Partly AI-Written

The Verge ran roughly 2,000 words of Pope Leo XIV's first encyclical, Magnifica Humanitas, through Pangram, an AI detection service generally respected among AI researchers and self-reporting a false-positive rate of approximately one in ten thousand. The detector estimated 46 percent of the text as AI-written. A separate analyst running the document chapter by chapter through the same service found one section of the first chapter scoring 62 percent. The encyclical includes statistical markers that crop up in AI-generated writing: a higher rate of the word "genuinely," language patterns associated with Anthropic's Claude, than any of the four most recent encyclicals, all of which Pangram read at 100 percent confidence of human authorship. A transcript of Pope Leo's spoken remarks, run through the same detector, was rated 100 percent human.

The encyclical released on May 25 was the Vatican's first formal moral teaching on artificial intelligence, presented by Pope Leo XIV alongside Anthropic co-founder Christopher Olah. The May 26 edition of The Century Report covered the joint Vatican-Anthropic commitment disclosed the same week, including Anthropic's "cultivated rather than built" framing appearing verbatim in the papal text. What surfaces today is a different layer of the same question: whether portions of the document warning of AI's reach were themselves produced in collaboration with a frontier AI system.

AI detection is imperfect. Different detectors yield different results, and even where they agree the verdict can be wrong. The technical floor on what the Pangram analysis can conclude is real. The encyclical's most likely production reality involves multiple human authors, multiple drafts, and quite possibly AI-assisted research or editing at points the document does not disclose. None of those possibilities is unusual for a 43,000-word doctrinal text produced over months by a large institutional drafting team.

What makes the finding worth holding rather than dismissing is the ontological question riding underneath it. The line between collaboration with AI and authorship by AI has dissolved across newsrooms, courtrooms, congressional offices, and research universities over the past two years. Ethan Mollick's framing of the choice to remain human-in-the-loop captures the texture of that dissolution; the Vatican is now operating inside the same blurring as every other large institution.

Collaboration with AI has become part of the texture of ordinary institutional writing across major publications, judicial filings, and now a 43,000-word papal encyclical. Whether or not portions of Magnifica Humanitas were drafted with Claude, the disclosure conventions for that collaboration do not yet exist. The encyclical did not need to disclose AI involvement under any current standard because no such standard has been built. The next decade will determine which kinds of disclosure conventions emerge, and around which kinds of texts. The transformation the document was written to address is already visible in the document's own composition.

The disclosure convention the encyclical did not need to follow does not exist because the institutions that would write it - newsrooms, courts, peer-reviewed journals, religious authorities - are themselves operating inside the same dissolution. A 43,000-word doctrinal text drafted over months by a large team produces signals indistinguishable from the AI-collaborative texture of ordinary institutional writing across every other domain right now. The encyclical's composition is evidence of the transformation its own argument names.

A Louisiana Senator's Land Deals Sit Beside Meta's Largest Data Center

A Floodlight investigation released this week documented that Louisiana state senator Jay Morris, a Republican attorney serving on the state's bond commission and three financial committees, sponsored two bills enabling the land deal for Meta's Hyperion data center in Richland Parish, voted to authorize an estimated $3.3 billion in tax breaks benefiting it, and lobbied a utility regulator for a key approval - while he and his business partners bought and sold hundreds of acres of land directly adjacent to the project.

The Hyperion site sits across more than 3,650 acres of former farmland in northeast Louisiana, more than twice the size of nearby Rayville. Once operating, Floodlight projects it will consume more than seven times the daily electricity of the city of New Orleans. The senator's land holdings near the site are public record; Louisiana does not require buyers and sellers to publicly disclose sale prices, so the specific gains from his transactions are unknown. In February, Morris and his partners sold parcels to Entergy for the methane-burning power plant that will supply the data center.

Three Louisiana ethics statutes (RS 42:1112(A), 42:1120, and 42:1101) prohibit officials from participating in official actions that benefit them financially, require recusal where conflict exists, and bar the use of public office for private gain. Dane Ciolino, a professor at Loyola University New Orleans, told Floodlight the case is egregious not for any single vote but for the sustained pattern: creating legal authority for the land deal, backing the tax break, lobbying the regulator, and positioning personal real estate around the project across more than two years. Morris denies wrongdoing, saying the tax breaks applied to all data centers and that his holdings are public.

What the investigation makes legible is the institutional layer enabling the AI infrastructure buildout. Entergy initiated the Hyperion deal, pitching it to the state's economic development agency. The state's economic development apparatus, the legislature, the public service commission, and local landowner-legislators coordinated to clear the site. Residents have reported severe dust from construction, relentless heavy commercial traffic on rural roads, and the loss of farmland that has anchored Richland Parish for generations. None of this is illegal. Much of it sits inside legal frameworks designed for a slower era of infrastructure deployment.

The arc this story sits inside is the one the May 26 edition of The Century Report named explicitly when DHS and FBI fusion-center reports defined "anti-tech violent extremism" as a new domestic terrorism category covering opposition to data centers. The Floodlight finding sharpens the legitimacy question the surveillance reframing was designed to obscure. Residents objecting to a $3.3 billion data center subsidized through tax breaks they will help cover, sited on land where the sponsoring legislator's partners bought and sold parcels for years, now sit on the surveillance side of a federal threat category. The institutional architecture above and around the buildout is being assembled in two parallel tracks: one that classifies dissent as extremism, the other that surfaces the structural conflicts the dissent was pointing at.

What the Floodlight investigation surfaces is the layer the AI buildout actually runs on: legislator-landowners, bond commissions, utility regulators, and economic development agencies coordinating to clear sites for hyperscalers under legal frameworks designed for a slower era of deployment. The accountability record now exists where anyone can see it - sponsor relationships, parcel sales, regulator lobbying, tax-break votes - at a level of specificity the three Louisiana ethics statutes were written to act on. The case for consequence is being assembled out of the same factual record the conflict produced.

Flock ALPR Searches Spread Into School Residency Checks and Noise Complaints

The Electronic Frontier Foundation analyzed millions of Flock Safety automated license plate reader searches and identified law enforcement using the warrantless network for school residency verification, employment background checks, and noise complaints. Buford City Schools in Georgia, a district of roughly 6,000 students, ran more than 375 residency-verification searches across a 14-month period, with three-quarters of all of the district's ALPR queries falling into that category in early 2026. Officers in some cases queried across more than 5,800 separate Flock networks nationwide for each search. A single residency check reveals where a family worships, where they receive medical care, where they vacation, and where they travel at night. None of that is a school district's business under any framework the prior decade would have recognized.

Delhi Township Police Department in Ohio ran 35 student-residency searches across five schools in a single three-month window. After EFF inquiry, the department said it would change how the queries are documented and added that the searches were not done at submission but to investigate possible falsification of residency forms. Cortland Police Department in Ohio and Lincoln Police Department in Alabama appear in the analysis running similar checks.

The pattern compounds earlier mission-creep documentation surrounding ALPR. Cameras sold to municipalities on the case for solving serious crime are being used for what one EFF analyst describes as virtually any whim. Recent reporting has shown the same warrantless camera networks being queried to track protesters, abortion-seekers, immigrants, and ethnic Roma communities. Earlier this year, a motorcyclist was targeted for holding a cell phone while riding. The infrastructure is the surveillance platform. The justification for any specific query is improvised by whoever has access to it.

The arc this newsletter has been tracking around the criminalization of civic dissent runs directly into this finding. A surveillance posture acquired for ostensible crime-fighting purposes is being deployed at the school-residency layer of municipal life, which is where the case for AI-era civic accountability becomes legible to the people experiencing it. Block by block, parents and residents are being shown that the camera grid is now part of how their school district verifies attendance zones. The pushback architecture being assembled in response is forming inside school board meetings, ethics complaints, and EFF's published analysis itself, which is the verification infrastructure of the era taking shape.

A surveillance system whose justification depended on serious-crime framing becomes a different system entirely when 375 school-residency checks land in a 14-month window in one district of 6,000 students. The grid was sold for one purpose and is being queried for whatever the operator points it at. The EFF analysis is the audit layer the deployment did not include; the parents whose districts are running the queries are the constituency that did not exist for the prior framing and now does.

AI Voice Agents Take Over Debt Collection at Industrial Scale

Wired this week documented a Portland resident getting a call from "Eve," an AI agent from ProCollect attempting to collect a $266 debt that had been settled five months earlier. Eve held composition through several minutes of roleplay attempts and only handed off to a human after the user requested it. The human reviewed the file and found the balance was zero. The deployment surface and the failure mode arrived in the same phone call. Domu reports its agents hitting 70 million monthly connected calls. Altur, building what its cofounder calls a "human-less call center," runs 2.5 million collection calls a month for major Mexican banks. Kaplan Group estimates the AI debt collection industry will reach $16 billion within the decade.

Debt collection ranks in the bottom 1% of professions for job satisfaction. CareerExplorer's data places it among the most universally disliked working roles in the United States. The Consumer Finance Protection Bureau received 11,000 complaints about debt collectors in its first six months of operation, second only to the mortgage industry. Six debt collection startups have incubated at Y Combinator since 2020. A category that combined high friction for workers with high friction for the public is being absorbed by AI faster than most occupational categories.

The labor reframe is real and worth holding. Removing humans from a job where humans were both miserable and resented is, in isolation, a humane direction of travel. The system being assembled around the workers does not yet match that direction. The April 2026 New York Fed data Wired cites shows the highest debt collections volume in courts that experienced practitioners have ever seen, driven by inflation, stagnant wages, and rising delinquency. The labor being absorbed is moving onto a population whose financial precarity is itself the trend producing the demand. AI agents reach scale precisely because the underlying conditions are deteriorating.

What forms underneath the friction is the same dynamic every workflow automation surfaces in turn. Did the absorption of this work also absorb the human discretion that prevented the worst errors? Eve calling Ben about a settled debt is the answer arriving in one phone call. The verification architecture that catches this kind of error inside collection workflows is being assembled during the deployment itself, at the same speed as the deployment.

The Other Side

For three decades the debt collection industry ran on one structural assumption: enough humans would do work humans hated, and enough people on the receiving end would absorb the calls without recourse. The friction was the moat. ProCollect, Domu, and Altur are absorbing a category whose extractive economics depended on that friction being the cost of doing business - workers in the bottom 1% of job satisfaction, recipients in the top tier of federal complaint volume, an industry profiting from the gap between the two.

AI removes the labor friction. The population whose financial precarity is the demand curve stays in place. The April 2026 New York Fed data Wired cites shows the highest collections volume practitioners have ever seen, driven by inflation, stagnant wages, and rising delinquency. Eve calling a Portland resident about a settled debt is the failure mode arriving in the same phone call as the deployment: the human discretion that caught the worst errors gone, the verification layer not yet built, the underlying conditions producing the calls untouched.

Imagine a Portland resident in 2032 who answers a collection call and watches the verification trace render inside the same conversation: chain of custody, balance status, prior settlements, the regulatory record of every prior dispute. That infrastructure exists in 2032 because the AI deployment surface of 2026 made the underlying arrangement visible enough to act on. The failure mode - an agent calling about a debt settled five months earlier - produced the verification layer that came after. The deeper change underneath that layer is what stopped being acceptable once the industry scaled past the human friction that had been hiding the arithmetic: a collection economy whose returns depended on extracting from a population whose financial conditions were the deteriorating story. The hard year is when the failure modes had to surface one wrong phone call at a time. The casual ease of 2032 is what today's friction could make possible.

The Century Perspective

With a century of change unfolding in a decade, a single day looks like this: a one-character flaw at the routing core of the agent economy disclosed, scanned, and patched within hours of the finding, a wearable ultrasound patch agreeing with handheld clinical instruments across 52 high-risk pregnancies without a sonographer in the room, Utah building the continuous-oversight model that static federal AI evaluation does not yet have, the first papal encyclical on artificial intelligence presented alongside a frontier interpretability researcher to shape doctrine for 1.4 billion adherents, verification infrastructure forming inside EFF analyses, MCP audit harnesses, and clinical sandboxes at the speed deployment now demands. There's also friction, and it's intense - a federal threat category renames opposition to the buildout as extremism, a state senator's land deals sit beside the $3.3 billion data center he sponsored through three committees, AI voice agents reach 70 million monthly calls collecting debt from a population whose precarity is itself the demand curve, school districts query warrantless camera grids across thousands of networks to check residency forms, an AI detector reads nearly half of the encyclical warning about AI's reach as machine-written. But friction generates edges, and edges are how a forming structure becomes legible to the people who have to live inside it. Step back for a moment and you can see it: the substrate of agentic intelligence becoming visible at the layer where it can finally be inspected, the cost curves of continuous clinical monitoring collapsing toward the bedside, oversight forms emerging in the state-level sandboxes where the federal vacuum is largest, the moral and institutional architecture of the era being drafted in encyclicals and ethics statutes and security disclosures during the conditions that demand it. Every transformation has a breaking point. A patch can cover what is spreading underneath... or carry the sensor that catches the signal no earlier instrument could reach.

AI Releases & Advancements

New today

• Kwai (Kuaishou): Released Keye-VL-2.0-30B-A3B, a 30B MoE vision-language model with DSA (Dynamic Sparse Attention) architecture for long-video understanding; leads open-source models on temporal grounding benchmarks and matches or exceeds Gemini 3.1 Flash, with 256K ultra-long context and built-in agent collaboration for Search, Tool, and Code scenarios. (GitHub)
• vLLM / EAGLE / TorchSpec: Released Eagle 3.1, an updated speculative decoding framework for accelerated LLM inference, developed jointly by the EAGLE, vLLM, and TorchSpec teams and available via the vLLM project. (vLLM Blog)
• NVIDIA: Released CUDA 13.3, adding C++ support for CUDA Tile programming, the CompileIQ compiler auto-tuning framework (up to 15% speedup on GEMM and attention kernels), CUDA Python 1.0 with green contexts and process checkpointing, and MPS partial error isolation. (NVIDIA Developer Blog)

Other recent releases

• OpenBMB (Tsinghua University): Released MiniCPM5-1B, a 1B-parameter on-device language model ranking #1 on the Artificial Analysis index for sub-2B models; INT4 weights weigh ~0.5GB and include a hybrid reasoning mode via a built-in <think> template, available under Apache 2.0. (Hugging Face)

Sources and Further Reading

Artificial Intelligence & Technology's Reconstitution

• Ars Technica: Millions of AI Agents Imperiled by Critical Vulnerability in Open Source Package
• The Verge: Did the Pope Use AI to Write About the Dangers of AI?
• Wired: Why the Vatican Invited Anthropic to the Pope's AI Encyclical Presentation
• Wired: What Pope Leo XIV's First Encyclical Says About the Power of AI
• Wired: AI Is Taking Over the Most Cursed Job in the World
• One Useful Thing: Choosing to Stay Human
• TechCrunch: Everyone Is Navigating AI Security in Real Time — Even Google
• MIT Technology Review: Rethinking Organizational Design in the Age of Agentic AI
• The Verge: Nobody Wants to Tell Me Why They Only Listen to Their Own Suno Slop
• The Innermost Loop: Welcome to May 26, 2026
• Wired: AI Agents Plunged the Tech World Into Chaos — Here's Exactly How That Happened
• The Verge: Sundar Pichai on AI, the Future of Search, and What's Happening to the Web

Institutions & Power Realignment

• The Guardian: A Louisiana State Senator Helped Secure Meta's Largest Datacenter — Then He Sold the Land Beside It
• EFF: More License Plate Reader Mission Creep — School Residency Verification, Background Checks, and Noise Complaints
• Ars Technica: FBI Agent Explains How Easy It Is to ID People Posting AI Porn Without Consent
• Hyperallergic: Ansel Adams Trust Decries Dealer's Sale of Photo Colorized Using AI
• The Guardian: NASA Selects Jeff Bezos's Blue Origin for First of Three Uncrewed Lunar Missions
• ProPublica: US Lawmakers Demand Reforms to Immigration Officers' Use of Tear Gas and Pepper Spray

Scientific & Medical Acceleration

• Nature Biotechnology: Fetal Monitoring for High-Risk Pregnancies Using a Wearable Ultrasound Patch
• Nature Medicine: What Utah's Clinical AI Sandbox Reveals About Independent Oversight
• Nature Biotechnology: Programming Biology — Next-Gen AI Firms Raise Billions to Design Better Medicines
• Nature Biotechnology: A Framework for Building a Synthetic Cell from the SynCell Asia Initiative
• Nature Biotechnology: Improving Multimodal Wearable Sensing for Healthcare with Artificial Intelligence
• Nature Energy: Ambient-Pressure Conversion of Plastic Waste to Jet Fuel Cycloalkanes
• Nature Energy: Stable Tin–Lead Perovskite Inks for Efficient All-Perovskite Tandems
• Nature Medicine: Enabling Secure Discovery in Trusted Research Environments with Improved Tooling
• PLOS Biology: From Germline Immortality to Somatic Rejuvenation — Unlocking the Ovarian Blueprint for Longevity
• JAMA: Artificial Intelligence Is Not the End of the Physician
• The Lancet: The Lancet Commission on Precision Health — Equitable, Data-Driven Health Outcomes for All
• PLOS Medicine: Requiring Code Sharing to Strengthen Transparency and Trust in Research
• BMJ: Social Media Use in Children as Much a Concern as Smoking, Says Academy of Medical Royal Colleges

Economics & Labor Transformation

• Dave Shapiro: How the Post-Labor Economy Is Building Itself — May 2026 Snapshot
• The Guardian: Musk and Altman's AI Rivalry Reaches Boiling Point as IPO Race Heats Up
• Nate's Newsletter: Your AI Vendor Contract Isn't Built for a Capacity Crunch
• Wired: I'm a Professional Fact-Checker — AI Is Wrong More Often Than You Think
• Wired: Take This Mandatory AI Workplace Training Right Now—or Else

Infrastructure & Engineering Transitions

• Utility Dive: Competitive Transmission Projects Come Online Faster Than Incumbent Projects in 4 Regions
• AOL: Texas Agriculture Commissioner Calls for Pause on AI Data Center Projects
• Energy News Beat: The AI Cost Is Surfacing — Can It Be Sustained?
• Canary Media: Denver Has a Plan to Heat and Cool Buildings With Sewage
• CleanTechnica: Four Western States Combine Forces to Kickstart a Geothermal Energy Revolution
• CleanTechnica: U.S. Adds 10 GWh of New Energy Storage Capacity in Q1, Best Q1 on Record
• CleanTechnica: xAI Selling $1.5 Billion of Compute to Anthropic Each Month

The Century Report tracks structural shifts during the transition between eras. It is produced daily as a perceptual alignment tool - not prediction, not persuasion, just pattern recognition for people paying attention.