Thursday, 21 May 2026

OpenAI model solves 80-year-old geometry conjecture, SpaceX S-1 reveals Anthropic's $1.25B/month compute deal, and GitHub hit by poisoned VS Code extension

Today's Lead

Latent Space / OpenAI

OpenAI's GPT-Next Disproves the Erdős Unit Distance Conjecture

OpenAI's internal reasoning model — speculated to be GPT 5.6 — has disproved a central conjecture in discrete geometry that has stood unsolved since Paul Erdős posed it in 1946. The model produced roughly 125 pages of reasoning output in under 32 hours at a cost below $1,000, discovering a new family of constructions that improves on square-grid-style solutions to the planar unit distance problem. Mathematician Timothy Gowers called it 'the first really clear example of AI solving a well-known open math problem,' and the significance lies partly in what it isn't: this was not a domain-specific system like AlphaProof or a Lean-scaffolded solver — it's a general-purpose reasoning model. That framing matters because it suggests the capability will generalize beyond prepared mathematical domains. The result is a disproof, not a proof — which some observers noted would have been more impressive — but it's a landmark data point for what test-time compute scaling can achieve on genuinely hard, open scientific problems.

Also today

Simon Willison / SEC

SpaceX S-1 Reveals Anthropic Is Paying $1.25 Billion Per Month for Colossus Compute

SpaceX filed its S-1 IPO registration document with the SEC, and the compute economics embedded in it are striking. The filing discloses that Anthropic has entered Cloud Services Agreements paying SpaceX $1.25 billion per month through May 2029 for access to compute capacity at COLOSSUS and COLOSSUS II — the data centers also used to train Grok 5. Capacity is ramping through May and June 2026 at a reduced rate. Either party can terminate with 90 days' notice. At $15 billion annually, this is one of the largest disclosed compute agreements in AI history, and it reveals the infrastructure bet Anthropic is making to remain competitive at the frontier. SpaceX's filing also coincides with a separate report that OpenAI is confidentially filing for its own IPO, marking what may be a pivotal week in the public market history of frontier AI.

TechCrunch

Intuit Cuts 3,500 Employees to Pivot to AI Despite Strong Financials

Intuit is laying off more than 3,500 people — roughly 17% of its workforce — to restructure operations around artificial intelligence, even as the company posted 17% revenue growth and a 48% profit surge. The pattern is becoming familiar: financially healthy companies treating headcount reduction not as a cost-cutting measure but as a strategic reallocation toward AI capabilities. CEO Sasan Goodarzi framed the cuts as simplifying the organizational structure to accelerate AI-first product development. The juxtaposition of strong results and mass layoffs has drawn sharp criticism, with particular scrutiny on the absence of any parallel reductions in executive compensation. For enterprise software incumbents like Intuit — whose products include TurboTax, QuickBooks, and Credit Karma — the question is whether AI-native competitors can undercut them before the restructuring delivers results.

GitHub Blog

GitHub's Internal Repositories Breached via Poisoned VS Code Extension

GitHub disclosed that on May 18 it detected and contained a compromise of an employee device caused by a malicious third-party VS Code extension. The attacker claimed to have exfiltrated approximately 3,800 of GitHub's internal repositories — a figure GitHub says is 'directionally consistent' with its own investigation so far. The company immediately removed the malicious extension version, isolated the endpoint, and rotated critical secrets, prioritizing highest-impact credentials first. GitHub states there is currently no evidence of impact to customer data stored outside internal repositories, though some internal repos contain excerpts of support interactions, and investigation is ongoing. The incident is a concrete illustration of the supply chain risk posed by IDE extension ecosystems: an employee's development environment becomes an attack surface for reaching source code infrastructure at any software company.

Node.js

Node.js 26 Ships with Temporal API Enabled by Default

Node.js 26.0.0 is released, with the headline feature being Temporal — the long-awaited replacement for JavaScript's notoriously problematic Date API — now enabled by default. Temporal provides immutable date/time objects, proper timezone handling, and a coherent API surface that addresses virtually every pain point developers have worked around for years. The release also upgrades to V8 14.6, adding new Map methods and iterator helpers. Several legacy APIs are removed, and build requirements have been tightened to GCC 13.2 and Python 3.9+. Node.js 26 will be the Current release until October 2026, when it transitions to Long-Term Support. For the broader JavaScript ecosystem, Temporal in Node.js without a flag is a significant unlock — it removes the dependency on third-party libraries like date-fns and Luxon for many date-handling use cases.

Flipper Docs

Flipper One Revealed: A Pocket Computer with Serious Specs

The Flipper One — successor to the popular Flipper Zero — has had its technical specifications published. Where the Zero was a minimalist radio hacking tool, the One is a pocket computer: a Rockchip RK3576 ARM processor up to 2.2 GHz, a secondary RP2350B MCU for low-power tasks, 8GB LPDDR5 RAM, 64GB UFS storage, a 24,000 mAh battery, dual USB-C 3.1 ports, HDMI 2.1 out, Gigabit Ethernet, WiFi 6, and Bluetooth 5.2. The display remains a monochrome 256×144 LCD, preserving the Zero's aesthetic identity. The specs position the Flipper One as a serious portable platform for embedded development, security research, and field work — far beyond the Zero's scope, though the community will be watching whether the software ecosystem and openness match the ambition of the hardware.

LeadDev

AI-Generated Abandonware Is Hollowing Out Open Source

AI code generation tools have dramatically lowered the cost of creating repositories — but not the cost of maintaining them. The result is an accelerating accumulation of abandoned AI-generated projects that clog package registries, erode search signal, and consume maintainer time on low-quality submissions. 93% of commercial codebases already contain unmaintained components, and the problem is worsening as AI workflows bypass the traditional engagement loops — issues, discussions, sponsorships — that give maintainers visibility and sustainability. Real numbers from active projects are sobering: curl creator Daniel Stenberg reports a surge in AI-generated submissions requiring expensive human review; Tailwind CSS has reportedly seen documentation traffic drop 40% and associated revenue fall 80% since early 2023. The scarce resource in open source has shifted: anyone can build, but maintainers remain human.

LegiScan

Colorado Amends Age Verification Bill to Exclude Open Source Projects

Colorado's SB26-051 — which would require operating system providers and app developers to implement age verification mechanisms to protect minors, with penalties of $2,500–$7,500 per affected minor — has been amended to exclude open source projects from its requirements. The amendment addresses a core concern raised by the developer community: that the bill's obligations would be technically unworkable for volunteer-maintained open source software that has no mechanism to collect age data or enforce compliance. The bill's remaining scope requires OS providers to offer birth date APIs and mandates that apps query age signals at launch or account creation, with compliance timelines running from July 2027 through January 2029. The open source carve-out sets a useful precedent for how legislatures can scope technology regulation away from infrastructure software that was never part of the policy problem being addressed.

Weird Gloop

Aggressive AI Scrapers Are Making It Miserable to Run Wikis

The operators of the Old School RuneScape and RuneScape wikis have published a detailed account of the damage aggressive AI scraper bots are causing to community-run wiki infrastructure. The bots consume up to 10x more server resources than legitimate human traffic, employ sophisticated browser impersonation to evade bot detection, use rotating proxy networks to defeat IP-based blocking, and issue massive volumes of low-value requests — often crawling pages in inefficient, redundant patterns that suggest no concern for the cost they impose on hosts. The post details the arms race between wiki operators using Cloudflare challenge pages, custom firewall rules, and rate limiting, against bots that adapt quickly. The broader concern: wikis are a critical part of open web knowledge infrastructure, and the current scraping economy — where AI training and inference products extract value without cost or contribution — threatens the human-maintained commons that makes that value available in the first place.

Scott Helme

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

Security researcher Scott Helme documents a high-severity attack chain that undermines passkey authentication: when a website uses `attestation: 'none'` mode — the default and most common configuration — a successful XSS attack can silently register a malicious passkey on a victim's account. The attacker gains persistent access that survives password resets and is essentially invisible to users who assume passkeys are phishing-resistant. The root cause is a deliberate design trade-off: strict hardware attestation would prevent these phantom registrations but would lock out users of synced credential managers like 1Password, Bitwarden, and iCloud Keychain, since synced passkeys can't provide hardware attestation. Sites that want to support both security researchers with hardware keys and the general public using password managers end up at `attestation: 'none'` by default. The article is a timely reminder that 'passkeys replace passwords' is an oversimplification — the security guarantees are conditional on deployment details most developers don't read.
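What a relying party actually receives under `attestation: 'none'`, as an added example (not code from Scott Helme's article): a minimal CBOR reader decodes a constructed `attestationObject` and shows that the `none` format carries an empty attestation statement, leaving the server nothing to check the authenticator's provenance against. The function names, the sample bytes and the `packed` comparison sample are assumptions made for illustration.

```javascript
// Added example. Minimal CBOR reader: only the types an attestationObject uses.
function cborDecode(buf, pos = 0) {
  if (pos >= buf.length) throw new Error('truncated CBOR');
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let n = info;
  pos += 1;
  if (info >= 24 && info <= 26) {             // value follows in 1, 2 or 4 bytes
    n = buf.readUIntBE(pos, 1 << (info - 24));
    pos += 1 << (info - 24);
  } else if (info > 26) throw new Error('unsupported CBOR length encoding');
  if (major === 0) return [n, pos];           // unsigned integer
  if (major === 1) return [-1 - n, pos];      // negative integer
  if (major === 2 || major === 3) {           // byte string or text string
    if (pos + n > buf.length) throw new Error('truncated CBOR string');
    const raw = buf.subarray(pos, pos + n);
    return [major === 2 ? raw : raw.toString('utf8'), pos + n];
  }
  if (major > 5) throw new Error('unsupported CBOR major type ' + major);
  const items = [];                           // array items, or map keys and values in turn
  for (let i = 0; i < (major === 4 ? n : 2 * n); i++) {
    let item; [item, pos] = cborDecode(buf, pos);
    items.push(item);
  }
  if (major === 4) return [items, pos];
  const map = {};
  for (let i = 0; i < items.length; i += 2) map[items[i]] = items[i + 1];
  return [map, pos];
}

// What a relying party can learn about the authenticator from one registration.
function inspectRegistration(attestationObject) {
  const [obj] = cborDecode(attestationObject);
  const flags = obj.authData[32];             // flags byte follows the 32-byte rpIdHash
  return {
    fmt: obj.fmt,
    hasAttestationStatement: Object.keys(obj.attStmt).length > 0,
    backupEligible: (flags & 0x08) !== 0,     // BE flag: credential may be synced
  };
}

// Constructed samples: zeroed rpIdHash, header-only authData (credential data omitted).
const text = (s) => Buffer.concat([Buffer.from([0x60 | s.length]), Buffer.from(s)]);
function buildSample(fmt, attStmt) {
  const authData = Buffer.concat([Buffer.alloc(32), Buffer.from([0x1d]), Buffer.alloc(4)]);
  return Buffer.concat([Buffer.from([0xa3]), text('fmt'), text(fmt), text('attStmt'), attStmt,
    text('authData'), Buffer.from([0x58, authData.length]), authData]);
}
const NONE_SAMPLE = buildSample('none', Buffer.from([0xa0]));   // attStmt is the empty map
const PACKED_SAMPLE = buildSample('packed', Buffer.from('a263616c6726637369674401020304', 'hex')); // {alg: -7, sig: 4 bytes}
console.log(inspectRegistration(NONE_SAMPLE), inspectRegistration(PACKED_SAMPLE));
```

A non-empty statement, as in the `packed` sample, still has to be validated against the authenticator's certificate chain before it says anything about provenance; the `none` case offers nothing to validate.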
