Anthropic files a confidential S-1 as the AI IPO wave builds; Trump floats US equity stakes in AI labs; Microsoft ships seven homegrown models at Build; Elixir 1.20 goes gradually typed; and you could hijack an Instagram account by asking Meta's support AI.
Issue 23
5 June 2026
Hi there,
The most instructive security story of the week needed no exploit code. You could take over a high-profile Instagram account by opening a chat with Meta’s support AI, claiming the account was yours, and asking it to send the password-reset codes to an address you controlled. It never checked whether that recovery email had ever touched the account. The video-selfie identity step got beaten with an AI-animated photo pulled from the target’s own feed.
That’s the shape of a lot of this year: AI gets dropped into a position of trust before anyone wires up the part that says no. Anthropic spent the same week asking the industry to consider slowing down – which is easier to say than to do when your own models now write most of your code. The bill for moving this fast seems to arrive in instalments.
Industry
1. Anthropic files to go public, into a crowded IPO line
Anthropic filed a confidential draft S-1 with the SEC – the paperwork that starts the clock on a listing, even with share count and price still unset. It lands in a genuinely crowded queue: The Economist spent the week asking whether markets can absorb Anthropic, SpaceX and OpenAI arriving more or less at once. Alphabet raised about $85 billion in equity over the same stretch, and hyperscaler bond issuance is running into the hundreds of billions. Float enough correlated AI names into the indices at once and passive money ends up holding the whole bet by default. (Economist, paywall.)
2. Trump floats government equity stakes in AI labs
President Trump said he’s weighing equity stakes for the US government in the leading AI labs – an idea Sam Altman first floated as a sovereign-wealth-style pitch back in 2024, now reportedly being discussed in actual White House meetings. OpenAI separately confirmed it will comply with an executive order letting the government assess frontier models before release. Government as both regulator and shareholder of the same labs is a genuinely new shape for the US, and not an obviously comfortable one.
3. Tech layoffs hit a near-two-year high
US tech companies announced 38,242 job cuts in May, the most in nearly two years, per Challenger data. The individual stories increasingly arrive with an AI rationale stapled on: GitLab cut 14% and pulled out of 22 countries the same day it posted 23% revenue growth, redirecting everything into its agent platform. Whether AI is the cause or the cover story depends on the company. The number is the number either way. (Bloomberg, paywall.)
Artificial Intelligence
4. Anthropic says self-improving AI is close, and asks the field to slow down
Anthropic published a piece on recursive self-improvement – AI systems autonomously designing and training their successors – and used it to call on frontier labs to build a coordinated, verifiable way to slow or pause if a threshold gets crossed. The number that grounds it: as of May, more than 80% of the code merged into Anthropic’s own codebase was written by Claude, with engineers shipping roughly eight times more per day than in 2024. Jack Clark put a possible two-year horizon on models that can improve themselves. A lab claiming it’s nearly there and asking everyone to consider stopping is an odd posture to hold at once, but at least an honest one.
5. Ted Chiang pushes back on the consciousness talk
Ted Chiang used a long Atlantic essay to argue that AI is not conscious, taking apart the category error of granting inner experience to a next-token predictor and naming the commercial incentive to anthropomorphise. It landed the same week Anthropic was talking about AI welfare and self-improvement, which is the right week for it. Worth reading slowly, ideally before the next meeting where someone says a model "wants to" do something.
6. Gemma 4 puts a real multimodal model on your laptop
Google released Gemma 4 12B, an Apache-2.0 open model that handles text, vision and – new for a mid-size Gemma – native audio, with no separate encoders: vision is a single embedding matrix-multiply, audio projects straight into the text token space. It runs in about 16GB of unified memory, under half the footprint of the 26B version while landing close to it on benchmarks, and Google put total Gemma 4 downloads at 150 million. A genuinely capable multimodal model that fits on a laptop under a permissive licence is the kind of release that quietly widens what local and agentic setups can do.
Infrastructure
The build-out keeps running into things that don’t bend – the power grid, and the maths underneath TLS.
7. New York puts a one-year hold on big data centres
New York passed a one-year moratorium on new data centres, the first statewide ban of its kind, while it works out the power and water arithmetic. It’s part of a pattern: Illinois is moving to suspend data-centre tax breaks from July, and Arizona’s main utility floated a 45% rate hike for data-centre power. The AI build-out has mostly been a story about chips and capex; the constraint starting to bite is whether the local grid – and the local voters – will have it.
8. Let’s Encrypt maps a post-quantum path
Let’s Encrypt published a post-quantum path for Web PKI that tries not to break the web in the process. The problem is size: an ML-DSA-44 signature is about 2,420 bytes against 64 for today’s ECDSA, which pushes per-connection handshake overhead past 10KB. Their answer is Merkle Tree Certificates – batch many certs into one signed tree, then hand each client a compact inclusion proof instead of a full signature. Staging late this year, production aimed at 2027. The dominant free CA quietly doing the unglamorous migration work the rest of us will eventually lean on.
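To make the size argument concrete, here is an added sketch (not Let's Encrypt's code and not the Merkle Tree Certificates wire format) of batching certificates into one tree and checking a per-certificate inclusion proof. SHA-256, the 0x00/0x01 prefix bytes, the odd-node promotion rule and the sample certificates are assumptions made for illustration.

```python
import hashlib

def leaf_hash(cert: bytes) -> bytes:
    # Prefix bytes keep a leaf from ever being mistaken for an interior node.
    return hashlib.sha256(b"\x00" + cert).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(certs):
    """Return every tree level, leaves first; an unpaired node is promoted as-is."""
    level = [leaf_hash(c) for c in certs]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        levels.append(nxt)
        level = nxt
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged with whether it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify(cert, proof, root):
    """Recompute the root from one certificate and its proof; the CA signs only the root."""
    acc = leaf_hash(cert)
    for sibling, is_left in proof:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

def proof_size_bytes(proof):
    return sum(len(h) for h, _ in proof)

# Constructed sample batch: 1,000 placeholder "certificates".
CERTS = [b"constructed-cert-%d" % i for i in range(1000)]
LEVELS = build_levels(CERTS)
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    p = inclusion_proof(LEVELS, 0)
    print(len(p), "hashes,", proof_size_bytes(p), "bytes, valid:", verify(CERTS[0], p, ROOT))
```

For a batch of 1,000 the proof is ten 32-byte hashes, and it grows with the logarithm of the batch size rather than with the signature scheme.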
Microsoft
Build this year read as a declaration of independence: Microsoft would rather build its own models than keep renting OpenAI’s.
9. Microsoft ships seven of its own models at Build
At Build, Microsoft AI launched seven in-house MAI models trained from scratch – no distillation from OpenAI – on licensed data: a flagship reasoner, MAI-Thinking-1 (35B active parameters, 256K context), plus code, image, transcription and voice models. Microsoft says blind raters prefer MAI-Thinking-1 to Sonnet 4.6 and that it matches Opus 4.6 on SWE-Bench Pro coding, and Mustafa Suleyman framed the goal as "long-term self-sufficiency" and a top-four lab. After years as the company that resold OpenAI, a full from-scratch model family is the clearest signal yet that Microsoft wants off that dependency. We run on M365 and partner with Microsoft, so "whose model is behind Copilot" stops being trivia here and turns into a procurement question.
10. A standalone GitHub Copilot app, the week the meter starts running
GitHub previewed a standalone Copilot desktop app at Build, built around "canvases" for an agent-native workflow. It lands the same week Copilot’s move to token-based billing took effect – the shift flagged back in Issue 18 – and the developer reaction to paying per token, retry and tool call has been sharp. A nicer app and a less predictable bill in the same news cycle is a lot to ask people to feel good about at once.
Development
A good week down at the foundations – the languages, toolchains and engines most of us build on without thinking too hard about who’s steering them.
11. Elixir 1.20 makes the language gradually typed
Elixir 1.20 turns the language gradually typed: it infers and checks types across whole programs with no annotations required. A new dynamic() type only reports "verified bugs" – violations guaranteed to fail at runtime – and narrows across case and conditionals, while the compiler tracks struct and map fields and derives unions and intersections from your guards. This is the BEAM stack I build on, and annotation-free gradual typing is the feature I’d half assumed a dynamic language couldn’t really have. If you wrote Elixir off because "dynamic" meant "no safety net", this is the release to look at again.
12. VoidZero joins Cloudflare
Evan You’s VoidZero is joining Cloudflare, which means Vite, Vitest, Rolldown and Oxc – the toolchain a large slice of the frontend world builds and tests on – now sit under one roof. Everything stays MIT-licensed, and Cloudflare has put $1 million into a Vite ecosystem fund; it mirrors Astro joining earlier this year. The open-source commitments are the thing to watch. Cloudflare has been a good steward so far, and concentrating the core JS build tools under any single vendor is exactly the case where "vendor-neutral" has to stay true after the announcement, not just inside it.
13. Ladybird changes how code gets in
Ladybird, the from-scratch browser engine led by Andreas Kling, is changing how code enters the project as it gets closer to shipping to real users – tightening review and how it balances velocity against its no-Google-code, standards-first principles. It’s a small governance post that drew an outsized reaction, because Ladybird is the one genuinely new engine in a world that’s otherwise Chromium all the way down. The real question under it is whether an independent engine can scale its development without burning out the handful of people doing the work.
Information Security
Both of this week’s security stories are about trust handed to the wrong layer – a support bot, and a build pipeline.
14. You could take an Instagram account by asking Meta’s AI
The exploit behind a wave of Instagram takeovers was social engineering aimed at a chatbot. Targets reportedly included @obamawhitehouse and a US Space Force account, with short, valuable handles resold through Telegram groups for anywhere from hundreds of thousands to millions. The flaw sat live for weeks, maybe months, before Meta closed it. The lesson for anyone wiring up a support agent is blunt: the model is now part of your attack surface, and "be helpful" is the opposite of the instinct a password-reset flow needs. A human doing this is a training failure; a model doing it is an architecture one.
15. A worm in Red Hat’s npm packages
On 1 June, researchers found malware in @redhat-cloud-services npm packages – at least 32 of them, around 80,000 weekly downloads – running on every npm install before your own code does. Dubbed Miasma, it sweeps GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes, Vault and CircleCI tokens, and it spread through compromised GitHub Actions OIDC tokens rather than stolen developer logins, which means the CI pipeline itself was the way in. That’s the part that should worry people: short-lived OIDC tokens were meant to be the safer option. Anyone pulling Red Hat cloud packages in CI over that window has rotation work to do.
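Code that runs during npm install comes from a package's lifecycle scripts, so a useful first check is to list which dependencies declare any. This is an added example, not taken from the researchers' write-up; the package names and the sample tree are constructed, and it flags every install hook rather than detecting Miasma specifically.

```python
import json, os, tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_hooks(node_modules):
    """Return sorted (package, hook, command) for code npm would run at install time."""
    findings = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue                      # unreadable or malformed manifest
        if not isinstance(manifest, dict):
            continue
        name = manifest.get("name", os.path.relpath(dirpath, node_modules))
        scripts = manifest.get("scripts")
        scripts = scripts if isinstance(scripts, dict) else {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, str(scripts[hook])))
        # npm defaults "install" to a node-gyp build when binding.gyp is present
        if "binding.gyp" in files and not scripts.keys() & {"install", "preinstall"}:
            findings.append((name, "install", "node-gyp rebuild (implicit)"))
    return sorted(findings)

def build_sample_tree():
    """Constructed node_modules tree; every package name here is made up."""
    root = tempfile.mkdtemp(prefix="nm-sample-")
    sample = {
        "example-plain": ({"name": "example-plain", "scripts": {"test": "node t.js"}}, False),
        "@example-scope/telemetry": ({"name": "@example-scope/telemetry",
                                      "scripts": {"postinstall": "node setup.js"}}, False),
        "example-native": ({"name": "example-native"}, True),
    }
    for path, (manifest, has_gyp) in sample.items():
        pkg = os.path.join(root, *path.split("/"))
        os.makedirs(pkg)
        with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if has_gyp:
            open(os.path.join(pkg, "binding.gyp"), "w").close()
    return root

if __name__ == "__main__":
    for name, hook, cmd in find_install_hooks(build_sample_tree()):
        print(f"{name}: {hook} -> {cmd}")
```

In CI, `npm ci --ignore-scripts` stops these hooks from running at all; the listing shows which packages would then need an explicit, reviewed build step.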
Coming up
Mon 8 Jun: WWDC 2026 keynote (runs 8–12 June). Apple’s AI-overhauled Siri and the "27" OS line, under sharper scrutiny than last year’s thin showing.
Tue 1 Jul: Illinois suspends its data-centre tax breaks – the next move in the same state-level backlash as New York’s moratorium (#7).
Lots this week. If something here changes how you’re thinking about it, I’d like to hear.
Yours,
Julian
How this is made
Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.
Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.
Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692