Good morning. Today’s digest orbits Anthropic: a nasty security disclosure in Claude Code, ongoing grumbling about Opus 4.7’s tokenizer economics, and a quiet political thaw in Washington. Elsewhere, Cerebras is taking another run at the public markets, and the open-weights crowd has fresh models to argue about.
Claude Code leak exposes critical command injection flaws. A source code leak of Anthropic’s Claude Code revealed three command injection vulnerabilities (CVE-2026-35022, CVSS 9.8) affecting the CLI, agent, and SDK, with attackers able to execute arbitrary commands and exfiltrate AWS, GCP, and Anthropic credentials through environment variables, file paths, and authentication helpers. The nastiest scenario is CI/CD pipeline poisoning: a single malicious pull request could compromise an entire software supply chain because authentication helpers bypass the agent’s sandbox entirely. Users on CLI 0.2.87 / Claude Code 2.1.87 should update now, drop auth helpers in favor of setting ANTHROPIC_API_KEY directly, and scrutinize any .claude/settings.json changes in PRs. BeyondMachines has the full writeup.
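One way to act on the advice above about `.claude/settings.json` changes, as an added example that is not from Anthropic or the BeyondMachines writeup: a CI-side check that flags any PR touching that file and any helper-style entry in its proposed contents. The function names, the "key name contains helper" heuristic, and the sample key `exampleAuthHelper` are assumptions made for illustration.

```python
import json

SETTINGS = ".claude/settings.json"

def touches_settings(changed_paths):
    """Changed paths that are a .claude/settings.json at any directory depth."""
    norm = [(p, p.replace("\\", "/")) for p in changed_paths]
    return [p for p, n in norm if n == SETTINGS or n.endswith("/" + SETTINGS)]

def find_helper_keys(node, path=""):
    """Collect (json_path, value) for every key whose name contains 'helper'.
    The name match is a heuristic assumed here, not a documented schema."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if "helper" in key.lower():
                found.append((here, value))
            found.extend(find_helper_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_helper_keys(item, f"{path}[{i}]"))
    return found

def review_pr(changed_paths, new_contents):
    """Return findings for a PR; new_contents maps path -> proposed file text."""
    findings = []
    for p in touches_settings(changed_paths):
        findings.append(f"REVIEW {p}: settings file changed in this PR")
        try:
            doc = json.loads(new_contents.get(p, "null"))
        except json.JSONDecodeError:
            findings.append(f"BLOCK {p}: not valid JSON, inspect by hand")
            continue
        for json_path, value in find_helper_keys(doc):
            findings.append(f"BLOCK {p}: helper entry {json_path} = {value!r}")
    return findings

# Constructed sample PR; "exampleAuthHelper" is a hypothetical key name.
SAMPLE_CHANGED = ["src/app.py", "tools/.claude/settings.json"]
SAMPLE_CONTENTS = {
    "tools/.claude/settings.json":
        '{"env": {"LOG": "1"}, "exampleAuthHelper": "sh ./get-token.sh"}',
}

if __name__ == "__main__":
    for line in review_pr(SAMPLE_CHANGED, SAMPLE_CONTENTS):
        print(line)
```

Feed it the changed-file list and proposed file contents from your own CI system, and treat any `BLOCK` line as requiring a human reviewer before the pipeline runs the agent.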
Opus 4.7’s tokenizer is quietly more expensive than advertised. Two separate analyses this week converge on the same finding: the new tokenizer inflates token counts by roughly 1.33–1.47x on real-world inputs, higher than Anthropic’s stated 1.0–1.35x range. The Claude Code Camp measurement and an anonymous comparison tool both show users burning through context windows and weekly limits much faster — one Hacker News commenter exhausted their weekly limit after about 11 prompts on a 300-line webpage. The defense, offered in both threads, is that 4.7 produces fewer output tokens and may net out cheaper per completed task. That’s cold comfort for Max subscribers who hit rate limits before getting to find out.
Anthropic ships Claude Design, and designers push back. Claude Design, which we covered yesterday, is drawing more considered critique now that people have used it. A follow-up blog post argues Figma accidentally excluded itself from the agentic era by building a proprietary binary format that LLMs never trained on, and that design work will migrate back to code as the canonical medium. Counterpoints in the HN thread are sharp: Claude Design looks simple because it generates simple apps, not because it has solved component-rich design systems. One designer also reported blowing 95% of their monthly design usage on a single tweaking session with their existing brand system.
Anthropic’s Washington thaw. Dario Amodei met with Treasury Secretary Scott Bessent and Chief of Staff Susie Wiles in what both sides called a “productive” introductory meeting, TechCrunch reports. It’s a notable gesture given that Anthropic was recently designated a Pentagon supply-chain risk — a dispute reportedly rooted in the company’s refusal to drop safeguards against autonomous weapons and mass domestic surveillance use. Co-founder Jack Clark is framing the Pentagon fight as a “narrow contracting disagreement.”
Cerebras files for IPO, take two. The AI chip startup has filed for a mid-May IPO, its second attempt after withdrawing a 2024 filing over federal scrutiny of an Abu Dhabi investment. Cerebras reported $510 million in 2025 revenue, carries a $23 billion valuation from February’s Series H, and claims AWS and OpenAI deals worth over $10 billion combined. No target raise has been disclosed yet.
Open weights watch: Kimi K2.6 incoming, Qwen3.6 tuning tips. Moonshot AI looks to be prepping Kimi K2.6, following the well-received K2.5 (1T total / 32B active MoE with practical INT4/GGUF local inference). The r/LocalLLaMA crowd mostly wants K2.6 to keep its local-friendly quantization story intact. On the Qwen3.6 front, a popular thread surfaced a useful fix: LM Studio users hitting “Unknown StringValue filter: safe” errors can remove | safe from line 122 of the Jinja prompt template. One commenter also noted the performance jump is partly explained by a 40% bump in reasoning tokens.
Zero-shot world models, with caveats. A new paper proposes that AI world models can learn efficiently from limited egocentric video (the ~132-hour BabyView dataset), analogous to child development. r/MachineLearning is skeptical on two fronts: comparing a model trained on 10 days of data to children who are much older seems like an apples-to-oranges setup, and human infants come pre-loaded with evolutionary scaffolding — canonical circuitry and prenatal development — that ML systems don’t get to skip.
That’s the briefing. If you use Claude Code in CI, patch before coffee.