## Weekly Newsletter (2026-03-25 → 2026-03-31)

### 1) Executive Summary

This week in the ElizaOS ecosystem was intense—but productive:

1. **Security response shipped fast:** after a widely shared alert about an **axios supply-chain compromise**, maintainers moved quickly to **pin axios to a safe version (1.7.8)** across multiple plugins to reduce exposure risk.
2. **Agent Commerce continued to mature:** discussions accelerated around **x402 “spend governance”** (Dreamline Policy Facilitator)—covering how autonomous agents should request, pre-authorize, and execute paid API calls safely.
3. **Orbis hit meaningful traction:** the agent-focused API marketplace reported **300+ APIs listed**, **15 registered users**, and **13 active paid subscriptions**, plus a new **hackathon with 1,700 USDC in prizes** aimed at onboarding more providers and real usage.

At the same time, community sentiment in `#discussion` remained heavily dominated by **token economics concerns** and **requests for clearer communication** from leadership.

---

### 2) Development Updates (Technical)

#### Critical security fix: axios supply-chain attack mitigation
A major developer PSA circulated about **axios v1.14.1** pulling in a suspicious dependency (`plain-crypto-js@4.2.1`) described as installer malware. The immediate recommendation was to **pin axios to a known-good version**.

**What landed:** a coordinated mitigation across ElizaOS plugins:
- **Pinned axios to `1.7.8`** in:
  - `plugin-autocoder`
  - `plugin-coingecko`

If you maintain a plugin or downstream app, check what actually resolved, not just `package.json`: a pin on your direct dependency does not change the version a transitive dependency pulls in, so inspect the lockfile (`npm ls axios` lists every installed copy), force a single version with `overrides` (npm, pnpm) or `resolutions` (yarn) where a nested copy remains, and have CI install from the lockfile (`npm ci`) instead of re-resolving semver ranges on every build.
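As an added example (not ElizaOS project code), the Node script below walks a `package-lock.json` of lockfileVersion 2 or 3, where npm stores the resolved tree as the flat `packages` map keyed by install path, and reports every installed copy of axios that is not the pinned version plus any occurrence of the package named in the PSA. The lockfile embedded in the block is constructed for illustration; `some-plugin` is a hypothetical dependency that still resolves its own nested axios.

```javascript
// Added example, not ElizaOS project code: audit an npm lockfile for a pinned
// dependency and for a blocklisted package. Handles lockfileVersion 2 and 3,
// where the resolved tree is the flat "packages" map keyed by install path.

const PINNED_AXIOS = "1.7.8";                      // the version the plugins pinned
const BLOCKLIST = new Set(["plain-crypto-js"]);    // package named in the PSA; extend as needed

/** Package name from an install path: "node_modules/a/node_modules/@s/b" -> "@s/b". */
function packageName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

/**
 * Walk every installed copy in the lockfile (direct AND transitive) and return
 * findings: axios at any version other than the pin, and any blocklisted package.
 */
function auditLockfile(lock, { pinnedAxios = PINNED_AXIOS, blocklist = BLOCKLIST } = {}) {
  if (!lock.packages) {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}; expected 2 or 3`);
  }
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === "") continue;               // the root project entry
    const name = packageName(installPath);
    if (name === "axios" && meta.version !== pinnedAxios) {
      findings.push({ installPath, name, version: meta.version, reason: `axios not at pinned ${pinnedAxios}` });
    }
    if (blocklist.has(name)) {
      findings.push({ installPath, name, version: meta.version, reason: "blocklisted package installed" });
    }
  }
  return findings;
}

/** Convenience wrapper for a real project: auditLockfileFile("package-lock.json"). */
function auditLockfileFile(file) {
  const fs = require("node:fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// CONSTRUCTED sample: the root pins axios 1.7.8, but a hypothetical dependency
// "some-plugin" still resolves its own nested axios 1.14.1, which pulls in plain-crypto-js.
const SAMPLE_LOCK = {
  name: "example-agent",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-agent", dependencies: { axios: "1.7.8", "some-plugin": "^2.0.0" } },
    "node_modules/axios": { version: "1.7.8" },
    "node_modules/some-plugin": { version: "2.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/some-plugin/node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.installPath}: ${f.name}@${f.version} (${f.reason})`);
}
```

Run it against your own tree with `auditLockfileFile("package-lock.json")`. A nested finding like the one in the sample is the case a plain `package.json` pin misses; the fix is an `"overrides": { "axios": "1.7.8" }` entry (npm) or the equivalent `resolutions` field (yarn), after which `npm ls axios` should show exactly one version.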

#### Ongoing design work: Dreamline x402 Policy Facilitator (agent spend governance)
Multiple repos continued deeper design discussion on a key question for “autonomous agents that can pay”: **How do we prevent an agent from spending funds unexpectedly or unsafely while still allowing automation?**

Topics actively debated this week:
- **Spend governance patterns** (what is the “policy engine” and where does it live?)
- A **pre-authorization layer** (machine-enforced rules vs. explicit human approval)
- **On-chain registry target chain selection** (impacts token standards, oracle availability, enforcement primitives)
- Potential integrations (e.g., **MAXIA AIP Protocol** or **on-chain escrow** approaches)
- **Operator visibility**: whether the x402 plugin can (or should) emit an event *before* a paid fetch executes—so the first “alert” isn’t just a wallet balance change

A notable conceptual direction: a minimal “two-stage” model—**automated policy checks first**, then **human operator approval only when needed**—to preserve autonomy without sacrificing safety.
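The two-stage model above, as an added example that is not the Dreamline facilitator's or ElizaOS's code: a minimal in-process spend gate where stage one is machine-enforced policy (host allowlist, hard per-call cap, auto-approval threshold, rolling window budget), stage two is an operator callback consulted only when policy returns a hold, and a pre-authorization event is emitted before any payment executes, so the first signal an operator sees is not a wallet balance change. Every policy value, hostname and event name here is hypothetical; amounts are integers in the token's smallest unit (USDC has 6 decimals) rather than floats.

```javascript
// Added example, not Dreamline/ElizaOS code: a two-stage spend gate for paid (x402-style) calls.
// Stage 1 is machine-enforced policy; stage 2 is an operator callback consulted only on HOLD.
// A pre-authorization event is emitted BEFORE any payment executes.
// Amounts are integers in the token's smallest unit (USDC: 6 decimals), never floats.

const DECISION = Object.freeze({
  ALLOW: "allow",              // policy settles it; execute without a human
  HOLD: "hold_for_approval",   // policy cannot settle it; ask the operator
  DENY: "deny",                // policy rejects outright; no operator override
});

class SpendGate {
  // policy (hypothetical values): allowedHosts, hardCapPerCall (denied above, not escalated),
  // autoApproveBelow (no human needed at or below, if in budget), windowMs + windowBudget.
  // now/emit are injectable so the gate is deterministic and observable in tests.
  constructor(policy, { now = () => Date.now(), emit = () => {} } = {}) {
    this.policy = policy;
    this.now = now;
    this.emit = emit;
    this.ledger = [];          // { ts, amount } for every executed payment
  }

  spentInWindow() {
    const cutoff = this.now() - this.policy.windowMs;
    this.ledger = this.ledger.filter((e) => e.ts >= cutoff);
    return this.ledger.reduce((sum, e) => sum + e.amount, 0);
  }

  /** Stage 1: pure policy evaluation. Returns { decision, reason }. */
  evaluate(req) {
    let host;
    try {
      host = new URL(req.endpoint).host;
    } catch {
      return { decision: DECISION.DENY, reason: "unparseable endpoint" };
    }
    const p = this.policy;
    if (!p.allowedHosts.includes(host)) return { decision: DECISION.DENY, reason: `host ${host} not allowlisted` };
    if (!Number.isSafeInteger(req.amount) || req.amount <= 0) return { decision: DECISION.DENY, reason: "amount must be a positive integer" };
    if (req.amount > p.hardCapPerCall) return { decision: DECISION.DENY, reason: "exceeds hard per-call cap" };
    const projected = this.spentInWindow() + req.amount;
    if (projected > p.windowBudget) return { decision: DECISION.HOLD, reason: `would exceed window budget (${projected} > ${p.windowBudget})` };
    if (req.amount > p.autoApproveBelow) return { decision: DECISION.HOLD, reason: "above auto-approval threshold" };
    return { decision: DECISION.ALLOW, reason: "within policy" };
  }

  // Stage 2: emit pre_authorize before anything moves, consult approve(req, verdict) -> boolean
  // only on HOLD, and call pay(req) (the real paid fetch, stubbed here) only once cleared.
  request(req, { approve = () => false, pay = () => "paid" } = {}) {
    const verdict = this.evaluate(req);
    this.emit({ type: "x402.payment.pre_authorize", ts: this.now(), req, verdict });
    if (verdict.decision === DECISION.DENY) return { executed: false, verdict };
    if (verdict.decision === DECISION.HOLD && !approve(req, verdict)) {
      this.emit({ type: "x402.payment.declined", ts: this.now(), req, verdict });
      return { executed: false, verdict };
    }
    const result = pay(req);
    this.ledger.push({ ts: this.now(), amount: req.amount });
    this.emit({ type: "x402.payment.executed", ts: this.now(), req, amount: req.amount });
    return { executed: true, verdict, result };
  }
}

/** Deterministic walk-through with constructed inputs, a fixed clock and an in-memory event sink. */
function demo() {
  const events = [];
  let approverCalls = 0;
  const gate = new SpendGate(
    {
      allowedHosts: ["api.example-provider.test"],
      hardCapPerCall: 5_000_000,     // 5 USDC
      autoApproveBelow: 500_000,     // 0.5 USDC
      windowMs: 24 * 60 * 60 * 1000,
      windowBudget: 2_000_000,       // 2 USDC per rolling day
    },
    { now: () => 1_700_000_000_000, emit: (e) => events.push(e) },
  );
  const yes = () => (approverCalls++, true);
  const no = () => (approverCalls++, false);
  const ep = "https://api.example-provider.test/v1/prices";
  const results = [
    gate.request({ endpoint: ep, amount: 100_000 }),                         // ALLOW: small, in budget
    gate.request({ endpoint: ep, amount: 1_000_000 }, { approve: yes }),     // HOLD (threshold) -> operator approves
    gate.request({ endpoint: ep, amount: 1_000_000 }, { approve: no }),      // HOLD (budget) -> operator declines
    gate.request({ endpoint: "https://evil.example/pay", amount: 100_000 }), // DENY: host not allowlisted
    gate.request({ endpoint: ep, amount: 50_000_000 }, { approve: yes }),    // DENY: hard cap; approver never asked
  ];
  return { results, events, approverCalls, spent: gate.spentInWindow() };
}

for (const r of demo().results) console.log(r.verdict.decision, "executed:", r.executed, "-", r.verdict.reason);
```

The deliberate split between DENY and HOLD is the point: conditions no operator should be able to wave through (a host outside the allowlist, a single call above the hard cap) never reach the human stage, while budget and threshold overruns do. In a real plugin the `approve` step would be asynchronous (a Discord or dashboard prompt) and `pay` would be the x402 fetch, but the ordering stays the same: evaluate, emit, then pay.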

#### Plugin ecosystem momentum
A **new plugin proposal** was submitted to the `elizaos-plugins` registry for:
- **Wallet reputation scoring**
- **DeFi TVL verification**

This reflects a broader trend: plugins aren’t just “tools,” they’re becoming **trust and safety modules** that agents can consult before acting.

---

### 3) Community Spotlight (Discord)

#### The big conversation: ecosystem clarity and “where to find what”
A strong thread emerged around **channel fragmentation** and discoverability. Community members highlighted that investors and newcomers often can’t tell which apps/agents are “part of ElizaOS” vs. separate projects (with Milady frequently mentioned as an example).

Two concrete ideas gained traction:
- A **centralized website hub** listing *all* agents, apps, dApps, and community projects built on ElizaOS (a “single source of truth”)
- A **bridged room** connecting different Discord spaces (builder-focused vs. trader-focused) without forcing everyone into one channel structure

If you’ve ever answered “is this built on Eliza?” in DMs, this is the problem being tackled.

#### Real-time safety culture: scam warnings
Community members in `#coders` continued to flag suspicious messages and potential scams. It’s not glamorous work, but it’s essential—especially during high-volatility market periods.

#### Tooling request of the week: Instagram Story scraping
A practical dev question surfaced: **cost-effective Instagram Story scraping** to extract mentions/URLs by story URL. Apify was tested, but at roughly **$0.30/story**, it’s currently too expensive for many use cases. If you have a cheaper workflow (official APIs, browser automation, third-party providers), consider posting it—this is a real need for social-intel agents.

#### Shout-outs
- **dankvr** for raising the axios supply-chain alarm quickly and loudly
- **cyborgxai** for sharing utility documentation when token-utility questions spiked
- **odilitime** for being repeatedly recognized as a consistent source of updates and follow-through

---

### 4) Token Economics (AI16z token + auto.fun)

Community attention stayed locked on token performance and credibility questions:

- Members reported an approximate **99.5% decline from peak**, with intense debate around root causes.
- A recurring point of confusion was token supply changes; a clarification in chat noted the supply increase was **~10× (not 40×)**.
- Migration-related distrust remains high, with claims (from community members) that **a large portion of migrated tokens ended up in team-associated wallets**.
- A core structural concern raised: **paying developers in the token** can create continuous sell pressure (more tokens required to cover the same USD costs as price falls), amplifying a “death spiral” dynamic.

On **auto.fun** specifically: there weren’t clear product-release notes in the captured discussions this week, but community interest is visible (including an “auto.fun enjoyer” cohort). If there are new mechanics or fee flows tied to auto.fun, the community is explicitly asking for **a clearer narrative linking product usage → value accrual → transparent reporting**.

---

### 5) Coming Soon

Here’s what to watch next based on this week’s threads:

- **Discord bridging work** (proposed for next week) to reduce fragmentation while keeping builder/trader spaces effective
- The next iteration of **x402 spend governance** decisions:
  - target chain selection for on-chain registry
  - operator notification/approval UX before payments execute
- **Orbis hackathon** (with Bags): **1,700 USDC** prize pool for top API providers/subscribers—likely to drive new endpoints that Eliza agents can purchase autonomously
- Potential progress on the **“ecosystem hub”** idea—if implemented, it could materially improve onboarding and reduce confusion around “what’s built on ElizaOS”

---

### 6) Resources (Links)

**Discord threads & channels**
- Main discussion (token + comms): https://discord.com/channels/1253563208833433701/1253563209462448241  
- Coders channel (axios + tooling): https://discord.com/channels/1253563208833433701/1300025221834739744  

**Orbis API Marketplace**
- Agent discovery/catalog endpoint: https://orbisapi.com/api/agents/discovery  

**Security**
- axios supply-chain mitigation summary (pinned to 1.7.8 across plugins):  
  https://elizaos.github.io/api/summaries/overall/day/2026-03-31.json  

**Governance / x402 design discussions**
- Dreamline x402 Policy Facilitator + spend governance threads (aggregated):  
  https://elizaos.github.io/api/summaries/overall/day/2026-03-31.json  

If you want to help most this week: (1) verify your dependencies are pinned safely, (2) contribute concrete proposals to the x402 pre-authorization/operator-visibility design, and (3) share practical tooling solutions (like affordable IG Story extraction) that unblock real agent use cases.