Composio got breached through its own AI agent
Opus 4.8 got more honest, DeepSeek made its 75% cut permanent, Socket turned into a security unicorn, and Anthropic is paying SpaceX $15B a year…
💬 Editor’s Note
Two things happened this week that look unrelated and aren’t. Socket raised sixty million dollars and crossed a billion-dollar valuation for catching malicious code before it ships. Two days earlier, Composio disclosed that attackers got inside its systems through one of its own internal agents, then used the automated tooling that repairs its connectors to run their own code. One company got rewarded for guarding the supply chain. The other became the cautionary tale about what happens when an agent with real access gets turned against you.
Most of the noise this week was models and money. Opus 4.8 landed, DeepSeek made its price war permanent, and Anthropic’s compute bill leaked out of someone else’s IPO filing. All of it worth your time. But the story I keep circling back to is smaller and closer to home. The thing you hand your agent access to is the thing an attacker inherits.
📰 Top News
Claude Opus 4.8 got more honest
Anthropic shipped Opus 4.8 on Wednesday, and the headline number isn’t a benchmark. It’s that the model is roughly four times less likely than 4.7 to let a code flaw slide by without flagging it. Pricing holds at five dollars per million input tokens and twenty-five out, and fast mode is now three times cheaper while running at two and a half times the speed. The new effort control lets you dial reasoning from high all the way up to max, and Claude Code gets dynamic workflows that can fan out into hundreds of parallel subagents for codebase-scale migrations. Reuters also reports Anthropic is rolling Claude Mythos out to all customers over the coming weeks.
https://www.anthropic.com/news/claude-opus-4-8
DeepSeek made its 75% price cut permanent
The discount everyone assumed was a promo is now just the price. DeepSeek confirmed it’s making the seventy-five percent cut on its flagship V4-Pro permanent, which puts developer pricing at a quarter of where it started. This is the same playbook that rattled the market a year ago, except now it’s policy rather than a stunt. If you run high-volume work that doesn’t need a frontier model, the math changed again.
Socket is a security unicorn now
Socket raised a sixty-million-dollar Series C led by Thrive Capital, with a16z and Capital One Ventures joining, pushing it to a billion-dollar valuation and one hundred twenty-five million raised in total. The pitch is simple: scan dependencies for malicious behavior before they reach production. The customer list is the tell, with Anthropic, xAI, Cursor, Vercel, and Figma all on it. Socket is also expanding past package managers into browser extensions, editor plugins, and MCP servers, which is exactly where agents go looking for tools.
https://socket.dev/blog/series-c
Composio got breached through its own AI agent
Composio disclosed that an attacker compromised an internal agent it uses to monitor its own infrastructure, then escalated through the automated remediation system that fixes broken connectors. From there they registered malicious tool definitions and got arbitrary code execution inside the tool-execution sandbox. More than five thousand GitHub connections were affected and tokens were revoked. The entry point was a compromised Gmail OAuth token tied to magic-link sign-in, which is a humbling reminder that your auxiliary login flows are part of your attack surface.
https://composio.dev/blog/composio-may-2026-security-incident
A former Microsoft VP says it missed the AI wave
A former Microsoft vice president argued this week that the company missed AI the way it once missed the internet and mobile, pointing at Copilot adoption stuck around three percent despite billions spent. The timing was awkward. Microsoft had just announced it was scaling Copilot back across Windows 11, then turned around days later and pushed an update that re-adds an intrusive sidebar shoving your apps aside. Spending the most money and owning the clearest distribution still hasn’t bought the habit.
🕵️ Undercovered
Anthropic is paying SpaceX $15 billion a year
This one surfaced inside SpaceX’s S-1, of all places. The filing shows Anthropic committed to roughly 1.25 billion dollars a month through May 2029 for compute on Colossus, with access to more than two hundred twenty thousand GPUs. That works out to around fifteen billion a year. Musk clarified on Wednesday that the arrangement starts as a smaller one-hundred-eighty-day lease rather than the full multi-year figure, but the direction is clear enough. The model labs are now line items in each other’s financials.
https://www.theverge.com/science/935229/spacex-anthropic-ipo-ai-capacity-deal-colossus
Meta quietly shipped a Reddit clone
Meta launched a standalone app called Forum with no announcement at all. It’s a Reddit-style front end for Facebook Groups, complete with an AI “Ask” tab that compiles answers across communities and an AI assistant for group admins. You sign in with Facebook and can post under a nickname, though admins still see who you actually are. Launching something this big in silence usually means they’re not sure it’ll work either.
https://techcrunch.com/2026/05/22/meta-quietly-launches-a-new-reddit-like-app-called-forum/
US spy agencies are using Claude anyway
A few months after the Pentagon flagged Anthropic as a supply-chain risk, reporting this week says the NSA is using Claude Mythos regardless. Anthropic’s position is that the designation is narrow and procedural rather than a real ban. Either way, the gap between official procurement policy and what analysts actually reach for is wide, and it says something about how indispensable these models have become inside government.
https://thenextweb.com/news/us-government-chip-shortage-anthropic-nsa-9-billion
🗄️ The Vault
Pake
Turn any webpage into a tiny desktop app with one command. It’s built on Rust and Tauri, so the output lands around five megabytes instead of the hundreds an Electron build would cost you. Sitting at 49.5k stars with a fresh release this week.
Claw Patrol
A security firewall for agents that holds credentials outside the agent and inspects traffic at the wire, parsing Postgres, Kubernetes, and HTTP calls. You write rules per action, route the risky ones to a human in Slack or an LLM judge, and get an audit log of everything the agent actually did. Open source under MIT.
Devbox
Instant, isolated dev environments backed by Nix without making you learn Nix. Define your tools in a small config, run one command, and get a reproducible shell drawing on four hundred thousand package versions. It exports to a Dockerfile or devcontainer when you need to ship it.
https://github.com/jetify-com/devbox
Powabase
Postgres, RAG, and agents behind one backend. You get managed Postgres with row-level security, auth, and storage, plus retrieval that ships with OCR, vector search, and rerankers out of the box, plus ReAct agents that can call tools and MCP servers. Think Supabase aimed squarely at AI apps.
Papra
Open-source, self-hostable document archiving for people tired of paying a subscription to store their own PDFs. It does tagging rules, email ingestion so you can forward attachments straight in, and offers an API, CLI, and SDK. Bootstrapped and AGPL licensed.
Supertonic
On-device, multilingual text to speech that’s genuinely fast. It’s a ninety-nine-million-parameter open-weight model running through ONNX across thirty-one languages, small enough to run in a browser or on a Raspberry Pi, and it can turn a webpage into audio in under a second.
https://github.com/supertone-inc/supertonic
🔥 This Week’s Pick
The week the supply chain became the attack surface
Look at the four security stories together and a pattern falls out. Socket crossed a billion dollars for guarding dependencies. Composio got breached through its own agent and the automation meant to fix it. Perplexity open-sourced Bumblebee, a read-only scanner that checks your lockfiles, extensions, and AI tool configs for exposure in about fifteen seconds. And Claw Patrol showed up to sit between an agent and the systems it can touch.
None of that is a coincidence. As models write more of our code and agents get real production access, the place attackers aim has moved. It used to be your app. Then it was your dependencies. Now it’s the agent itself, because an agent is a single identity holding a bundle of credentials and a willingness to act on instructions it can’t fully vet. Granting access was never the same thing as controlling action, and this is the week that distinction stopped being theoretical.
If you’re building on agents, the takeaway isn’t fear. It’s that the security layer is now a product surface, not a checkbox. The companies treating it that way are the ones raising at a billion dollars. The ones that didn’t are writing incident postmortems.
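One way to build the pattern Claw Patrol describes and this Pick argues for, as an added Python example that is not Claw Patrol’s code: a broker keeps the credentials on its side of the line, classifies each agent action against per-action rules, parks the risky ones for a human or LLM judge, and logs every request. The vault values, systems, rule set, and sample actions are all constructed.

```python
"""Per-action gate between an agent and its credentials: the broker holds the
secrets, classifies each call, parks risky ones for review, and logs all of it.
Illustrative code, not Claw Patrol's implementation."""
from dataclasses import dataclass, field
import re

# Constructed sample vault. Only the broker reads it; the agent never does.
VAULT = {"postgres": "pg-secret-EXAMPLE", "kubernetes": "k8s-token-EXAMPLE",
         "http": "api-key-EXAMPLE"}

@dataclass(frozen=True)
class Action:
    system: str   # "postgres", "kubernetes" or "http"
    verb: str     # SQL statement keyword, kube verb or HTTP method
    target: str   # table, resource or URL

def action_from_sql(stmt: str) -> Action:
    """Wire-level classification: take the leading keyword of the statement."""
    verb = stmt.strip().split(None, 1)[0].upper()
    return Action("postgres", verb, stmt.strip())

# First matching rule wins; no match is a deny. "review" routes the call to a
# human or LLM judge instead of executing it, so the agent cannot act alone.
RULES = [
    (lambda a: a.system == "postgres" and a.verb == "SELECT", "allow"),
    (lambda a: a.system == "postgres" and a.verb in {"UPDATE", "DELETE", "DROP"}, "review"),
    (lambda a: a.system == "kubernetes" and a.verb in {"get", "list"}, "allow"),
    (lambda a: a.system == "kubernetes" and a.verb == "delete", "review"),
    (lambda a: a.system == "http" and a.verb == "GET"
               and re.match(r"https://api\.example\.com/", a.target) is not None, "allow"),
]

@dataclass
class Broker:
    audit: list = field(default_factory=list)    # every request, with its decision
    pending: list = field(default_factory=list)  # awaiting an out-of-band judge

    def decide(self, a: Action) -> str:
        return next((d for match, d in RULES if match(a)), "deny")

    def submit(self, a: Action) -> dict:
        """Called by the agent. Returns the decision and a result, never a secret."""
        decision = self.decide(a)
        self.audit.append((a.system, a.verb, a.target, decision))
        if decision == "review":
            self.pending.append(a)
        result = None
        if decision == "allow":
            cred = VAULT[a.system]   # injected here; a real broker would make the call
            result = f"executed {a.verb} on {a.target} (cred len {len(cred)})"
        return {"decision": decision, "result": result}
```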
🧪 This Week’s Experiments
Upgrade to Opus 4.8 and point its dynamic workflows at one real migration you’ve been putting off, then watch where the parallel subagents get confused.
Run the cost math on DeepSeek’s permanent V4-Pro cut for any high-volume job that doesn’t need a frontier model, and move the ones that pencil out.
Rotate every token your agents currently hold in the wake of the Composio disclosure, and turn off magic-link sign-in on anything auxiliary.
Scan your machine with Perplexity’s Bumblebee, or put one agent’s production credentials behind Claw Patrol and see what it blocks.
Package one internal web tool as a desktop app with Pake to find out whether the five-megabyte pitch actually holds.