Hanso Heartbeat Hanso Heartbeat
Anthropic ships Claude Opus 4.8 and raises $65B at a $965B valuation; the Netherlands blocks a US takeover of DigiD's host; Spain pulls Polymarket and Kalshi; YouTube will auto-label AI video; Megalodon backdoors 5,500 GitHub repos in six hours.

Issue 22

29 May 2026

Hi there,

Anthropic put everything on the table in one week. Claude Opus 4.8 shipped Thursday, 41 days after 4.7. The same day, a $65 billion raise valued the company at $965 billion – a rounding error short of a number no private company has ever printed.

Europe, meanwhile, spent the week drawing lines around its own infrastructure. The Netherlands blocked an American buyer from taking over the cloud provider that runs DigiD, the login half the country uses to file its taxes, on the plain logic that a national identity layer shouldn’t sit somewhere a foreign government can subpoena it. Worth more than $965 billion, in a way nobody put on a term sheet.

Industry

The capital story and the sovereignty story arrived the same week, and they don’t really argue with each other.

1. Anthropic raises $65B at a $965B valuation

Anthropic closed a $65 billion Series H at a $965 billion post-money valuation, led by Altimeter, Dragoneer, Greenoaks and Sequoia. It’s the largest private AI raise on record, and it edges the company past OpenAI to the top of the private market. The number that actually matters sits underneath: revenue is reported running at roughly $47 billion annualised, up from about $30 billion six weeks earlier. Anthropic has flagged this as likely its last private round before a targeted October IPO.

2. The Netherlands blocks a US takeover of DigiD’s host

The Dutch government blocked Kyndryl’s acquisition of Solvinity, the cloud provider that hosts DigiD, the national digital-identity system Dutch citizens use to reach government services and file their taxes. State Secretary for Digital Economy Willemijn Aerdts told parliament the investment-screening authority had advised against the deal as a possible risk to the public interest. The fear, stated openly, was that DigiD data could fall under US jurisdiction and a US legal demand. Sovereign-cloud arguments usually live in slide decks; this one was carried all the way through to a blocked transaction.

3. Spain pulls Polymarket and Kalshi; Brussels fines Temu

Spain moved to block Polymarket and Kalshi as a precaution, citing the lack of a Spanish gambling licence while it works out whether the prediction markets are running unlicensed betting. The same week, the European Commission fined Temu about €200 million under the Digital Services Act for failing to keep illegal products off its marketplace. Spain reached for gambling law, Brussels for the DSA, and both landed on platforms that scaled faster than the rulebooks they operate inside.

The pixel look, done on purpose

Marcin Wichary – who once wrote a two-volume book about keyboards – took a walk through a handful of modern pixel fonts: typefaces that chase the old bitmap look with vector technology underneath. Andrew Gleeson's Analog Mono quietly fixes the broken baseline and descenders of the VCR font you've seen on a hundred title cards; Kumiko Yoshida's Coral Pixels is a colour font that builds in the chromatic fringing of a 2000s subpixel screen, on purpose.

Specimen of a modern pixel font from Marcin Wichary's survey

Marcin Wichary

The detail I liked most is Vercel's Geist Pixel, built with real kerning and metrics because, as Wichary puts it, pixel fonts have a habit of breaking the moment they meet a real layout. A whole craft hiding inside something that's supposed to look careless.

4. Drew Houston steps down at Dropbox

Drew Houston is stepping down as Dropbox CEO after roughly nineteen years, moving to executive chairman; Ashraf Alkarmi, who joined in late 2024 to run the core product, takes over. Houston said he wants to spend his time on AI. A founder handing off a defining Web 2.0 company to a product chief so he can go chase the current wave is its own small marker of where the energy has moved.

5. Dell’s record AI-server quarter, and a $9.7B Pentagon deal

Dell reported revenue up 88% year-on-year to $43.8 billion, with AI-server revenue up a frankly silly 757% to $16.1 billion; the stock had its best day ever, closing up about a third. The day before, the US Defense Department announced a $9.7 billion, five-year deal with Dell for Microsoft 365, cloud subscriptions and digital infrastructure. That one comes with an asterisk – reporting flagged Michael and Susan Dell’s ties to Trump-aligned accounts, so the procurement and the politics are hard to separate cleanly. Hanso runs on M365, like a lot of our clients, so a five-year Pentagon contract for the same suite is less a surprise than a measure of how much gravity that stack has now.

Artificial Intelligence

Two stories sat side by side this week: the labs posting business-scale revenue, and a chunk of their users actively hunting for the version without the AI in it.

6. Claude Opus 4.8, and Claude Code learns to run a thousand agents

Anthropic shipped Claude Opus 4.8 on Thursday, 41 days after 4.7 and at the same price – the fastest its flagship line has ever turned over. The pitch is sharper judgement and more honesty about its own limits, plus an effort control that lets you dial how hard the model works and a fast mode now about three times cheaper. Alongside it, Claude Code picked up dynamic workflows, which orchestrate hundreds to a thousand sub-agents in parallel for codebase-scale jobs like big migrations. Claude Code has been my daily driver for about a year now; a thousand parallel agents is well past how I use it, but "point it at a migration across a few hundred thousand lines" is the first version of the agentic-coding pitch that maps onto a problem I actually have. The benchmarks put it ahead of GPT-5.5 on SWE-Bench Pro and computer-use tasks, for whatever this month’s benchmarks are worth.

7. Simon Willison makes the case for product-market fit

Simon Willison makes the case for product-market fit at the two leading labs – that Anthropic and OpenAI have crossed from expensive research bets into businesses with real, paying enterprise demand, pointing at revenue curves that have bent sharply upward in a matter of weeks. Coming from someone who’s stayed more measured than most about this whole cycle, it lands. The "is any of this actually a business" question that hung over the sector a year ago is mostly answered now.

JTAG, Ghidra, and a Yamaha amp

Michael Forney got annoyed enough at his Yamaha THR10c to reverse-engineer its firmware. He soldered onto the unpopulated UART and JTAG headers, talked to the amp's ARM7TDMI over OpenOCD, dumped the 2MB flash, and read through it in Ghidra until he could add the three things Yamaha never shipped: a cabinet-sim bypass, forced speaker output with headphones plugged in, and a fix for the flat-cab volume.

JTAG and UART cables soldered to a Yamaha THR10c guitar amp circuit board

Michael Forney

The generous part is the ending. Rather than leave everyone else soldering, he packaged the modified firmware as a MIDI SysEx file you flash over the amp's normal USB updater – no iron required. A proper hack, generously finished.

8. YouTube will auto-label AI video

YouTube is moving from voluntary disclosure to automatic detection: when its systems spot significant photorealistic AI-generated content and the creator hasn’t flagged it, the platform attaches the "AI-generated" label itself. Detection leans on C2PA provenance metadata and SynthID watermarks alongside internal signals. Labelled videos won’t be demoted or demonetised, and creators can contest a label in Studio – though disclosures on anything made with Veo or Dream Screen are permanent. The largest video platform deciding to label synthetic media without asking creators first is the kind of move the rest of the industry quietly ends up matching.

9. DuckDuckGo’s anti-AI bump

DuckDuckGo’s AI-free search saw nearly 28% more visits in the week after Google insisted that people love its AI Mode. Small sample, one week – but a clean little signal of the gap between what Google says users want and what some of them go looking for.

Infrastructure

10. Cloudflare puts feature flags at the edge

Cloudflare opened a closed beta of a service that puts feature flags inside Workers, evaluating them locally through a native binding instead of calling an external service on every check. It’s called Flagship, built on the OpenFeature standard, with targeting rules and percentage rollouts. We run R2 and DNS on Cloudflare and haven’t reached for Workers in anger, but flags that resolve at the edge with no extra network hop is a genuinely nice primitive – the kind that quietly removes a class of latency you’d half stopped noticing.

Microsoft

Microsoft spent the week trying to make Copilot make sense, then spent some of that goodwill in a single blog post.

11. Microsoft is building one Copilot to rule them all

Microsoft is building a single Copilot app to pull its scattered AI tools – GitHub Copilot, Copilot chat, Copilot Cowork, a new agentic "Autopilot", and M365 Copilot – into one place, under the internal banner "Delivering one Copilot", aimed at the end of summer. The context explains the urgency: fewer than 4.5% of M365’s 450 million seats pay for Copilot, GitHub Copilot is fighting Cursor and Claude Code, and the consumer chatbot trails OpenAI and Google. Consolidation is the right instinct here. The fragmentation had got hard to explain to customers, let alone sell to them.

A laptop with nothing to click

Veronica Explains turned a six-year-old System76 laptop into a writerdeck – a writing machine running console-only Debian, no desktop at all. NetworkManager for tethering, kmscon for decent fonts and colours, tmux with a battery-and-brightness status bar, Neovim and vimwiki for the actual writing, autologin straight into the wiki, Syncthing back to a home server.

A System76 laptop running a console-only Debian writerdeck setup

Veronica Explains

After a week she'd finished several writing projects she'd been circling for ages. Take away everything that can interrupt you and what's left is a cursor and the next sentence – which is, of course, the entire point.

12. Microsoft threatened a security researcher, then walked it back

After a researcher going by Nightmare Eclipse published proof-of-concept exploits for six unpatched Windows Defender and BitLocker bugs over April and May, a Microsoft blog post implied a criminal referral through its Digital Crimes Unit. The researcher says Microsoft also deleted their MSRC portal account, withheld bounties and stripped their credit; GitHub banned them too. The backlash was immediate, and Microsoft’s Security Response Center walked it back, saying it has "no intention to pursue action against individuals conducting or publishing their security research." The bugs are real and still unpatched, which is the uncomfortable part – threatening the messenger doesn’t close the BitLocker holes, and it does make the next person think twice about reporting one to you first.

Development

13. Rust 1.96 fixes a years-old papercut

Rust 1.96.0 stabilises the new range types from RFC 3550, so ranges finally implement IntoIterator rather than Iterator and can be Copy – the kind of ergonomics annoyance that’s needled people for years. Iterating over ranges of NonZero integers works now, cfg takes an expr metavariable, and there are two security fixes (CVE-2026-5222 and CVE-2026-5223) that earn the upgrade on their own.

Information Security

Two security stories at opposite ends of the field this week – the automated supply-chain kind, and the legislative kind.

14. Megalodon backdoored 5,500 repos in six hours

An automated campaign dubbed Megalodon pushed malicious commits to 5,561 GitHub repositories in under six hours on 18 May – 5,718 commits, all injecting poisoned GitHub Actions workflows from throwaway accounts with names like build-bot and ci-bot. The payloads scraped exactly what a CI runner holds: AWS, GCP and Azure credentials, SSH keys, Docker and Kubernetes configs, database strings, CI/CD tokens. Malicious npm packages followed a few days later. This is the third supply-chain story in three weeks, after the TanStack npm compromise and the malicious VS Code extension; the pattern has settled into "whatever holds your secrets, automated." If you run Actions with cloud credentials in the environment, which is most of us, 18 May is a rotate-the-keys date.

15. California carves Linux out of its age-verification law

California’s Assembly voted 68-1 to exempt open-source operating systems from the OS-level age-verification rules in its Digital Age Assurance Act – which, in practice, spares Debian, Fedora, Ubuntu, Arch and Mint from being told to collect users’ ages before the 2027 start date. The amendment came from Buffy Wicks, who wrote the original bill, after the backlash made the first draft look unworkable. Good, as far as it goes. The same amendment also extends age-data collection to every browser and website for the first time, so the ID-checking didn’t disappear; it moved off the operating system and onto the open web. The bill heads to the Senate next.

Coming up

Tue 2 Jun: Microsoft Build 2026 (2–3 June), now in San Francisco. Watch whether the Copilot consolidation from (#11) gets a public shape, alongside the usual Azure and GitHub announcements.

Early June: Computex in Taipei. AI silicon and the first wave of ~$300 Windows-on-ARM laptops (the new Snapdragon C class) are the ones to watch if you buy hardware.

June: FERC is expected to propose how AI data centres connect to and pay for the US grid – the rule-making behind the whole buildout, finally getting written down.

Heavy week. If one of these is worth a longer back-and-forth, hit reply.

Until next week,
Julian

How this is made

Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.

Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.

Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.
Hanso Hanso
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692
www.hanso.group