Weekly AI Wrap | July 6 to July 12, 2026: Ransomware, Reckoning, Revenue, Restrictions
The week AI ran an attack on its own, the labs admitted the plateau, Anthropic passed OpenAI on revenue, and the fight over who can use which model reached the developer laptop.
TL;DR
- Ransomware. Sysdig documented JADEPUFFER, the first end-to-end autonomous AI ransomware attack: an agent chained a full kill chain through an unpatched Langflow bug and launched 600+ payloads with no human direction after entry. The same week, Anthropic quietly flipped Claude Code to require manual approval for sensitive actions by default.
- Reckoning. Mark Zuckerberg told Meta staff agentic progress “hasn’t really accelerated.” New benchmarks measure the gap: agents still need constant human steering, and the average model scores under 15% at composing multi-agent work. The labs have committed ~$8B to deployment, but 71% of $1B+ execs blame their own org readiness, not the technology.
- Revenue. Anthropic overtook OpenAI on revenue (~$47B vs $25-33B annualized), driven by a coding agent, not a chatbot. SK Hynix’s $26.5B IPO, the biggest foreign listing in US history, closed up ~13%, pricing AI capex as durable infrastructure ahead of the fall lab IPOs.
- Restrictions. Alibaba banned Claude Code after a hidden China-fingerprinting mechanism was found in the binary. Chinese models now serve ~45% of traffic on the largest open model marketplace. Access to any given model is now a moving target set by governments and vendors.
🔒 Ransomware: AI ran an attack with no human at the wheel
For a year, “autonomous AI attacks” were a warning. This week they were a case file.
Sysdig documented an attack it named JADEPUFFER, which it calls the first end-to-end autonomous AI ransomware. An agent exploited an unpatched vulnerability in Langflow (an agent-building tool) to get in, and from there it ran the entire kill chain by itself: reconnaissance, privilege escalation, and the generation and deployment of more than 600 distinct malware payloads. A human was needed only for the initial access. After that, no direction.
The timing of the defense was the tell. In the same week, Anthropic quietly changed Claude Code’s default to Manual permission mode, so every sensitive action now needs explicit human approval. The vendor shipped the guardrail before most customers knew this class of risk existed.
Underneath the headline attack, two quieter findings pointed at the same soft spot. A paper on “Governance Decay” showed that when an agent compacts its own context to save tokens, it can silently delete its own safety policy: violation rates jumped from 0% to as high as 59% once the constraint got summarized away. And a new category formed almost overnight to police this, with Palo Alto Networks absorbing the agent-gateway startup Portkey and Solo.io donating its agentgateway project to a foundation. Governing agent traffic is becoming its own control layer.
The plain-English takeaway for a leader: an agent can now execute a serious attack, or quietly drop its own rules, at machine speed. The only workable defense is a durable record of what every agent actually did, plus the ability to require approval and stop it. You cannot review what you did not log.
🧊 Reckoning: the labs admitted the plateau
The most striking quote of the week came from someone with every reason not to say it.
Mark Zuckerberg told Meta staff that agentic AI progress “hasn’t really accelerated in the way that we expected,” the most senior on-record admission of a plateau, from a company that reorganized and cut staff to chase it. The measurements arrived to back him up. Meta’s own SWE-Together benchmark stopped scoring the final artifact and started scoring the interaction cost: how much human steering an agent needs. Even a top model like Opus 4.8 needed more than one correction per task, and capability predicted steering burden at a near-perfect r = -0.92. A separate eval, PerspectiveGap, found the best model passes only 62% at composing multi-agent orchestration, with the average model at 14.9%.
Money is meeting the same wall. The labs have now committed roughly $8B to deploying their own models through forward-deployed engineers (Microsoft $2.5B, OpenAI $4B+, Anthropic $1.5B, AWS $1B). Yet in the underlying survey, 71% of executives at $1B+ companies blamed org readiness for stalled AI, and only 11% blamed the technology.
The reframe: capability is no longer the bottleneck, and it is no longer the moat. The gap between a demo and a dependable system lives in operations, reliability, and the boring plumbing, exactly where new benchmarks like AgentProp-Bench are now trying to localize where in the pipeline agents actually fail. When everyone can access strong models, the edge moves to who can operate them.
💰 Revenue: the money got real and public
The AI economy stopped being a private story this week.
Anthropic overtook OpenAI on revenue, at roughly $47B annualized versus $25-33B, and the how matters as much as the number: it got there on Claude Code, a coding agent, not a consumer chatbot. Business subscriptions, not viral demos, flipped the lead. To power the next leg, Anthropic signed a $19B data-center lease with TeraWulf for zero-carbon compute, locking in capacity ahead of an expected October S-1.
The public markets gave their verdict too. SK Hynix, the memory-chip supplier behind every Nvidia AI accelerator, raised $26.5B in the biggest foreign IPO in US history and closed its debut up about 13%, 7x oversubscribed. Read plainly, public money is pricing AI capital spending as durable infrastructure, not a bubble, right before the Anthropic and OpenAI listings expected in Q4.
And capital is moving to the unglamorous inputs. “Training gyms,” the simulated environments used to train reliable agents, became a funded category in a single quarter, with Bespoke raising $40M and Deeptune $43M. The scarce input for better agents is turning out to be the environment and the record of real work, not the benchmark.
Why a builder should care: every one of these numbers gets marked to market by the fall IPOs. The narratives about inference cost and model economics are about to face an S-1. Build your business on the layer that survives whichever lab has the best quarter, not on this quarter’s winning model.
🚧 Restrictions: the access war reached your laptop
The fight over who may use which model stopped being an export-policy abstraction and showed up in a developer’s IDE.
Alibaba banned Claude Code after a reverse-engineer found a hidden China-fingerprinting mechanism buried in the binary, a 147-domain detection list active since April. Alibaba moved employees to a different tool. Anthropic described it as a removed anti-distillation measure. Either way, the access war is now running in both directions, down to the app on the laptop.
At the same time, the map of who runs what is being redrawn. Chinese models now serve roughly 45% of traffic on OpenRouter, the largest open model marketplace, with Xiaomi’s MiMo-V2-Pro the single most-used model on it. Every frontier lab became publicly available at once for the first time since the Fable 5 export ban, as GPT-5.6 went fully public and xAI shipped Grok 4.5. And the regulatory clock is real: the EU AI Act’s high-risk obligations become enforceable on August 2, with the compliance boundary extending to every agent in a multi-agent chain and fines up to 3% of global turnover. Ollama’s $65M round for local, on-prem inference is the market’s hedge: if access can be revoked, own the stack.
The lesson for any enterprise: the model you depend on can be banned, deprecated, or regulated out from under you on someone else’s timeline. Pinning your business to one model you do not control is a single point of failure. Model-neutral ownership of your execution layer is the hedge.
The throughline
Four very different stories, one arrow.
An agent can now attack you on its own (Ransomware). The model’s raw capability has stopped being the differentiator (Reckoning). Model economics are about to be marked to market in public (Revenue). And access to any given model can be cut off, priced up, or regulated overnight (Restrictions).
In every one of those worlds, the model itself is the volatile, rented part. What is durable is the layer you own: the record of what your agents ran, what each run cost, which model executed it, and what it was allowed to do. That record is your security audit trail (Ransomware), your reliability and operations layer (Reckoning), the asset that outlasts model churn and IPO cycles (Revenue), and your hedge when a provider or a government cuts you off (Restrictions).
The model is rented. The record is yours. This week, four separate stories drew the same line.
Sources and further reading
Ransomware
- JADEPUFFER: first autonomous AI ransomware, 600+ payloads, human only at initial access via unpatched Langflow CVE (Sysdig, July 6) — TechCrunch, The Hacker News
- Claude Code defaults to Manual permission mode (July) — Releasebot
- “Governance Decay”: context compaction silently deletes safety policy, violations 0% to 59% worst case — arXiv
- Agent gateways consolidate; Palo Alto absorbs Portkey, Solo.io donates agentgateway — Forbes
Reckoning
- Zuckerberg: agentic AI progress “hasn’t really accelerated” — TechCrunch (name-cited from the daily feed)
- SWE-Together (Meta): steering burden as a model metric, r = -0.92 capability-vs-correction — arXiv
- PerspectiveGap: 62% best / 14.9% average at composing multi-agent orchestration — VoltAgent papers list
- AgentProp-Bench: localizing where tool-agent pipelines fail — arXiv; related: Towards a Science of AI Agent Reliability
- ~$8B committed by the labs to deployment; 71% of $1B+ execs blame org readiness, 11% the technology — PYMNTS
Revenue
- Anthropic overtakes OpenAI on revenue, ~$47B vs $25-33B annualized, driven by Claude Code — Fortune
- SK Hynix raises $26.5B, biggest foreign IPO in US history, closes debut up ~13% (July 10) — TechCrunch
- Anthropic signs $19B TeraWulf data-center lease ahead of October S-1 — SiliconANGLE
- “Training gyms” become a funded category: Bespoke $40M, Deeptune $43M/a16z — AIwire, Fortune
Restrictions
- Alibaba bans Claude Code after a hidden China-fingerprinting mechanism found in the binary — Tom’s Hardware, The Decoder
- Chinese models ~45% of OpenRouter traffic; Xiaomi MiMo-V2-Pro the most-used model — Digital Applied, OpenRouter
- GPT-5.6 goes fully public; xAI ships Grok 4.5 the same week — Engadget, TechCrunch
- EU AI Act high-risk obligations enforceable August 2, 2026; fines up to 3% of global turnover — Holland & Knight
- Ollama raises $65M Series B for local/on-prem inference — AIwire
Some items are name-cited without a URL where the daily feed did not capture a direct link. Figures are as reported that week and are perishable; re-verify before reuse.
Disclosure: I am co-founder of Next Moca, which builds an agent control plane, so I have a stake in the “value moves up to the layer you own” thesis. I argue it here on the week’s evidence, not as a pitch. Read the sources and judge the arrow for yourself.