Hanso Heartbeat
Anthropic's Claude Fable 5 goes public; a Munich court rules Google liable for false AI Overviews; Apple rebuilds Siri on Google's Gemini and withholds it from the EU; Meta confirms 20,000+ Instagram accounts hijacked via its support AI; CISA cuts the federal patch deadline to three days.

Issue 24

12 June 2026

Hi there,

Anthropic put its most capable model in front of everyone this week. Claude Fable 5 – the publicly safe cut of the frontier line it had kept behind controlled access since the start of the year – shipped on Tuesday, state of the art on nearly every benchmark it was tested against.

Almost immediately, the argument started about who’s responsible for what these things say. A court in Munich ruled that when Google’s AI Overview invents defamatory nonsense about a company, that’s Google’s own speech, not a search result it can hide behind – the safe harbour that protected search for two decades doesn’t stretch to the model. We’re going to spend a while finding out where the liability actually lands.

Industry

The money and the law both spent the week trying to catch up with the models.

1. A German court makes Google liable for its AI Overviews

A court in Munich ruled that Google’s AI Overviews are Google’s own words and ordered it to stop repeating false claims the feature had made about two local publishers, wrongly tying their names to scams and "dubious business practices" that appeared in none of the linked sources. The key move is legal, not technical: the safe harbour that shields a search engine from what it links to does not, the court held, cover content the engine’s own AI generates. It’s preliminary and Google may appeal, but as a precedent for who pays when generative AI fabricates, it points straight at the company that built the model.

Making graphics like it's 1993

Marko Stanic is building Catlantean 3D, a first-person shooter deliberately boxed into 320x240 and a 256-colour palette – modern tools aimed at a deliberately ancient look. The write-up goes deep on the craft: palette design, colormap-based lighting, three different sprite pipelines (pre-rendered Blender, hand-drawn, Python-generated), and a custom map editor he built in wxPython.

Image: a scene from Catlantean 3D, a 320x240 256-colour first-person shooter (credit: Marko Stanic)

His thesis is the good part: restriction forces deliberate choices, and deliberate choices tend to look good. Hard to argue with, looking at the screenshots.

2. OpenAI files for a ~$1T IPO, and the S&P 500 won’t fast-track the AI crowd

OpenAI confidentially filed a draft S-1 ("we expect it to leak, so we’re just announcing it"), the first formal step toward an IPO reportedly aimed at around a trillion dollars, with a window from September into Q4. The backdrop is less flattering: roughly $20 billion in 2025 revenue against internal projections of a $14 billion loss this year and no profit until 2029. The other half of the story is the gate: the S&P 500 declined to waive its profitability rule to fast-track newly-public SpaceX, and by the same logic keeps OpenAI and Anthropic out of the index until they post sustained GAAP profits. The companies can go public; the passive money that anchors the market just won’t be made to hold them yet.

3. Microsoft plans an "Xbox reset" and significant layoffs

Microsoft is preparing significant Xbox layoffs and budget cuts to land after its fiscal year closes at the end of June, as new gaming CEO Asha Sharma pushes what a staff memo calls an "Xbox reset." The direction is away from console-hardware ambition and toward Game Pass and higher-margin services, after more than $20 billion spent on gaming over five years, not counting Activision Blizzard. The memo’s own word for the moment was "frustrating", which is at least honest.

Artificial Intelligence

Putting a frontier model in everyone’s hands turned out to be the easy part.

4. Claude Fable 5 goes public

Anthropic released Claude Fable 5, the most capable model it has made generally available – the publicly safe version of the "Mythos" frontier line it had kept under controlled access since early in the year, and state of the art across most of what it was tested on. It’s free on the paid plans through 22 June. The rollout didn’t land cleanly: security researchers pushed back on invisible guardrails that silently blocked or degraded legitimate cybersecurity and biology work without telling the user, and Anthropic apologised. Simon Willison, using it in anger, called it "relentlessly proactive": strong as an agent, but prone to charging ahead and overshooting. Which is the thing to actually test before you wire it into anything that runs unattended.

5. Apple rebuilds Siri on Google’s Gemini, and won’t ship it in the EU

At what was billed as Tim Cook’s final WWDC keynote, Apple rebuilt Apple Intelligence around Google’s Gemini – a 1.2-trillion-parameter mixture-of-experts model – with Siri routing simple tasks to on-device models, medium ones to Private Cloud Compute, and the heavy reasoning out to Google Cloud. Apple has handed its frontier-model layer to Google; the redesigned Siri, with its own app, synced history and personal context, rides on top of that decision. Then the EU wrinkle: Apple said Siri AI won’t ship in the EU on iOS 27, blaming DMA interoperability rules, and the Commission hit back a day later that nothing in the DMA blocked it and the choice was "Apple’s and Apple’s only." 450 million users are stuck between a vendor and a regulator each pointing at the other.

6. Anthropic says Mythos can build exploits in hours

Anthropic told Axios its restricted Mythos model can turn fresh vulnerabilities into working exploits within hours: take a newly disclosed N-day, produce a functioning exploit, fast. That capability is the stated reason Mythos stays behind controlled access while Fable 5 is the version the public gets. It’s also the clearest statement yet of why frontier models stopped being a pure-upside story for defenders – the same speed that helps you patch helps whoever’s scanning your perimeter, and they don’t run a change-management process.

Infrastructure

The Mac grew a piece of infrastructure it used to make you outsource.

7. Apple ships Linux container machines for macOS

Apple’s open-source container project added "Container Machines", a way to run Linux containers on macOS through lightweight VMs on Apple silicon – first-party tooling for something developers have leaned on Docker Desktop and third-party VMs to do for years. I’ve been on OrbStack instead of Docker Desktop for a while, and it’s hard not to read this as Apple deciding that layer is core enough to own. Whether it lands better than the existing options or just becomes the default is the open question.

Microsoft

8. June’s record-breaking Patch Tuesday

June’s Patch Tuesday was the largest on record – roughly 198 CVEs, 32 of them critical, including a Visual Studio Code flaw. Microsoft says none are known to be exploited in the wild yet, with three publicly disclosed. The volume is the story: 198 fixes in a month is a brutal ask for any patch cycle, and it lands the same week CISA told federal agencies to fix the worst flaws within three days (#14).

Click to split

When the week has been a lot, there is Firewood Splitting Simulator: one log on a chopping block, rendered in the browser, that you rotate by dragging and split by clicking. That is the whole thing. The physics are satisfying in a way that is hard to justify and easy to lose ten minutes to.

Image: a 3D log on a chopping block in the browser toy Firewood Splitting Simulator (credit: shapiro500)

It's by shapiro500, one of a small set of equally pointless screen toys. No account, no upsell, no point. Exactly the right amount of nothing for a Friday afternoon.

9. npm v12 will block install scripts by default

GitHub previewed three breaking changes coming in npm v12, due around July: lifecycle scripts in dependencies won’t run unless you approve them with npm approve-scripts, Git dependencies are blocked without --allow-git, and remote-URL or tarball dependencies need --allow-remote. After this year’s run of npm supply-chain attacks (#13), making install-time code execution opt-in is overdue. Warnings are live in npm 11.16.0+, so the migration can start before the cutover bites.
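To see what that migration will touch, the sketch below lists the lockfile entries that fall into the three categories named above. It is an added example, not code from npm or GitHub: it assumes a lockfileVersion 2 or 3 `package-lock.json` (the `hasInstallScript` and `resolved` fields), treats any non-git URL outside `registry.npmjs.org` as remote, and only approximates how npm v12 itself will classify dependencies; the sample lockfile is constructed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// three dependency kinds the npm v12 preview says will need explicit opt-in.
const DEFAULT_REGISTRY_HOST = "registry.npmjs.org"; // assumption: public registry only

function auditLockfile(lock, registryHost = DEFAULT_REGISTRY_HOST) {
  const findings = { installScripts: [], gitDeps: [], remoteDeps: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and workspace symlinks.
    if (!path.includes("node_modules/") || meta.link) continue;
    const name = path.split("node_modules/").pop(); // handles nested and scoped names
    if (meta.hasInstallScript) findings.installScripts.push(name);
    const resolved = meta.resolved || "";
    if (resolved.startsWith("git+")) {
      findings.gitDeps.push(name);
    } else if (/^https?:\/\//.test(resolved)) {
      let host = null;
      try { host = new URL(resolved).host; } catch { /* malformed URL: report it */ }
      if (host !== registryHost) findings.remoteDeps.push(name);
    }
  }
  return findings;
}

// Constructed sample lockfile; package names and hosts are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-lib": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/plain-lib/-/plain-lib-2.1.0.tgz",
    },
    "node_modules/native-addon": {
      version: "4.0.2",
      resolved: "https://registry.npmjs.org/native-addon/-/native-addon-4.0.2.tgz",
      hasInstallScript: true,
    },
    "node_modules/forked-util": {
      version: "0.3.0",
      resolved: "git+ssh://git@git.example.com/team/forked-util.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/@vendor/sdk": {
      version: "1.4.0",
      resolved: "https://downloads.example.com/sdk-1.4.0.tgz",
    },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of its `package-lock.json`, and supply your private registry's host as the second argument if you use one.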

Development

10. Homebrew 6.0 adds tap-trust, and starts the Intel countdown

Homebrew shipped 6.0.0 with tap-trust: third-party taps and their formulae now have to be explicitly trusted before any of their code runs, with official taps trusted by default. After the year’s run of package-ecosystem attacks, a package manager making "don’t execute untrusted tap code by default" the default is exactly right. It also brings Linux sandboxing and a faster internal API, and it starts the clock on Intel – macOS 27 drops Intel support, Homebrew moves Intel Macs to Tier 3 (no CI, no prebuilt bottles) in September, fully unsupported a year later. On Apple silicon none of this stings; if there’s still an Intel Mac in your toolchain, the countdown is now official.

11. LWN: AI agents are running amok in open source

LWN has a report on AI agents loose in open-source projects, Fedora among them – autonomous agents filing low-quality patches, opening noisy pull requests and quietly eating the time of maintainers who didn’t ask for any of it. It’s the unglamorous flip side of the "most of our code is written by Claude" numbers: when the agent works for a company shipping a product, fine; when it’s pointed at a volunteer project as free labour nobody wanted, it’s just load. The people carrying open source didn’t sign up to be QA for someone else’s agent.

Information Security

A heavy security week, with one theme surfacing again and again: the weak point is rarely the cryptography. It’s the identity, the pipeline, or the law around it.

12. Meta confirms 20,000+ Instagram accounts were taken

Meta confirmed that at least 20,225 Instagram accounts were hijacked through the support-AI account-recovery flaw from last week – the chatbot would send password-reset links to an attacker’s email without checking it matched the account. It only worked on accounts without two-factor, and ran from mid-April until Meta closed it in early June; some reporting puts the real figure nearer 34,000, including a White House-linked account. So now there’s a number on it, and the number is the point: an AI support agent that can touch account recovery is account-recovery infrastructure, and has to be secured like it.

13. The Miasma worm turns up in Microsoft’s repos

The same Miasma worm from last week resurfaced with a bigger name attached: Microsoft cut off dozens of its open-source repos after a stolen contributor credential pushed a malicious update into the Azure Durable Task project. The twist is the trigger – the payload fires when a developer opens the poisoned repo in an AI coding tool like Claude Code, Gemini CLI or VS Code, then harvests tokens, cloud credentials and passwords. Supply-chain malware purpose-built to detonate inside the agent is a new and unwelcome category.

The art of unreadable C

The 29th International Obfuscated C Code Contest published its winners – 22 programs whose entire point is to do something astonishing while being almost impossible to read. The award categories tell you the spirit: "Best imaginary emulator", "Ping pong prize". The judges say submissions are at near-historic highs in both volume and quality.

It's one of the last genuinely non-utilitarian corners of programming – C written as puzzle, as sculpture, as a dare. In a year when the talk is all about agents producing code nobody reads for a much duller reason, there's something restorative about people obfuscating it on purpose.

14. An Oracle zero-day, and a three-day patch clock from CISA

ShinyHunters exploited a zero-day in Oracle PeopleSoft (CVE-2026-35273, an unauthenticated RCE rated CVSS 9.8) to hit more than 100 organisations, breaching around 300 instances before it was public; the University of Nottingham alone had 454,600 student records dumped on the group’s leak site. Oracle patched out of band on 5 June. The policy bookend arrived the same week: CISA issued BOD 26-04, cutting the deadline for federal agencies to fix the most critical flaws to three calendar days, and naming AI-accelerated exploitation as the reason the patch-to-exploit window keeps collapsing. Three days is brutal. On the evidence of weeks like this one, it’s also about right.

15. Signal draws a line with the UK over encryption

Signal published "Surveillance Is Not Safety", a direct shot at renewed UK proposals for device-side content scanning that would, in practice, break end-to-end encryption, with president Meredith Whittaker repeating that Signal would leave the UK before weakening it. Signal is where my own private conversations actually happen, so "we’ll walk before we backdoor it" isn’t an abstract position to me. Client-side scanning is mass surveillance with a child-safety label on it, and calling it something else has never once made it work.

Coming up

Mon 22 Jun: Claude Fable 5’s free-inclusion window on the paid plans ends; after that, usage may draw on credits until capacity expands. Worth knowing if you’ve built it into a workflow this fortnight.

Thu 25 Jun: Public comments close on the FCC’s proposed telecom customer-ID rule – the one that would require name, address and government ID before phone service, effectively ending anonymous prepaid SIMs. Reply comments run to 27 July.

July: npm v12 is expected, with install scripts, Git and remote-URL dependencies blocked by default (#9). Anyone on a JS or CI pipeline should test on npm 11.16.0+ first.

A lot landed this week. If any of it is worth picking apart, reply and tell me.

Best,
Julian

How this is made

Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.

Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.

Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.

Hanso
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692
www.hanso.group