
Issue #28 · Weekly Digest
Weekly AI Dev News Digest: July 11 - 17, 2026
Moonshot shipped the largest open-weight model ever built the same week GitHub, Anthropic, and OpenAI spent their releases fencing in the coding agents. The cheaper and more capable the models feeding those agents get, the more the guardrails around them start to matter.
On July 16, Moonshot AI launched Kimi K3, a 2.8-trillion-parameter model it calls the largest open-weight release to date, with a 1-million-token context window and an API live the same day. On July 14, three coding tools moved the other direction: GitHub Copilot CLI hard-blocked file edits during plan mode, Anthropic's Claude Code shipped fixes that stop invisible characters from altering an approval prompt, and two days later OpenAI's Codex tightened its dangerous-command detection.
The reason those fences went up landed on July 14 too. Attackers compromised the release pipelines of four core AsyncAPI repositories and pushed five trojanized packages to npm. An agent that installs dependencies on a developer's behalf is exactly the blast radius that kind of compromise reaches.
46%
peak Chinese-model share of US OpenRouter tokens
$1.25/$4.25
Meta's first paid model API per 1M tokens
4.2x
fewer output tokens, Grok 4.5 vs Opus 4.8
295B
parameters in Tencent's Apache-2.0 Hy3
27x
Vercel's GLM-5.2 token growth in week one
In Focus
Moonshot Released Kimi K3, the Largest Open-Weight Model Yet
Moonshot AI, backed by Alibaba, launched Kimi K3 on July 16: a Mixture-of-Experts model with roughly 2.8 trillion total parameters, a 1-million-token context window, and native multimodal input. Moonshot says the weights go public on July 27, which would make K3 the largest open-weight model released to date, more than double the roughly 1 trillion in the prior Kimi K2 line and clear of DeepSeek's 1.6-trillion V4-Pro. In blind testing by the Arena evaluator, developers preferred K3 over every leading US model, though Moonshot's own numbers put it behind GPT-5.6 Sol and Claude Fable 5 in some areas. At around $12 per million tokens, it is priced higher than the deep discount Chinese labs are usually known for. (Axios)
In Focus
Coding Tools Added Guardrails Against Their Own Agents
GitHub Copilot CLI's July 14 update hard-blocks workspace-mutating tool calls during plan mode. Before the change, a model could drift mid-plan and trigger a file edit while a developer thought the agent was only sketching an approach. The fix moves the block to the runtime layer instead of relying on the prompt to hold the line, and it extends the sandbox filesystem policy to cover Language Server Protocol access paths. The release also brought the canvas API into the terminal and a /voice devices command for saving a preferred microphone. (TechTimes)
Claude Code's releases across the week ran on the same theme. One fix stops permission previews from being spoofed by bidirectional-override, zero-width, and look-alike quote characters, so a tool's inputs can no longer visually rewrite the approval message a developer sees. Another floors a PreToolUse hook's ask decision so auto mode can't override it for unsandboxed Bash, and background task notifications now state plainly that no human input occurred, which blocks a fabricated in-transcript approval from being acted on. A separate shell-injection fix rejects ${user_config.*} in shell-form plugin commands. (Claude Code changelog)
OpenAI's Codex 0.144.5, out July 16, improved its dangerous-command detection, catching more forced rm forms and returning clearer reasons when a command is denied. On its own it is a patch. Read next to the GitHub and Anthropic changes, it is the third coding agent in one week to spend a release tightening what its own automation is allowed to run. (Codex changelog)
In Focus
A Supply-Chain Attack Hit AsyncAPI's npm Packages
On July 14, attackers compromised the release pipelines of four core AsyncAPI GitHub repositories and published five trojanized packages to npm under a campaign calling itself miasma-train-p1. Palo Alto Networks' Unit 42, which has tracked an escalating run of registry attacks through 2026, identified the payload as a descendant of the Miasma remote access trojan. The attack bypassed code review by injecting into the build and release path rather than a pull request. (Unit 42)
In Focus
Anthropic and GitHub Added Enterprise and API Controls
Anthropic opened an Admin API beta for Claude Enterprise organizations on July 14. Admins can list and look up members by email, change roles, remove people, manage invites and groups, and read custom roles over the API instead of the dashboard. Group and custom-role calls require the ce-user-management-2026-07-13 beta header, and an Admin API key scoped to read:org_audit can call every user-management GET endpoint. The platform also made mid-conversation system messages generally available on the Claude API, Amazon Bedrock, and Google Cloud with no beta header, across Claude Fable 5, Claude Mythos 5, and Claude Opus 4.8. (Claude release notes)
The same day, Anthropic made HIPAA configuration self-serve for both Claude Enterprise and the Claude Platform. An eligible admin can now review the Business Associate Agreement, download the implementation guide, and switch on the HIPAA configuration in a single flow, without routing the request through a sales or support cycle. (Anthropic support)
GitHub added a /security-review slash command to the GitHub Copilot app in public preview, bringing the AI vulnerability scan that already lived in Copilot CLI into the everyday coding surface. It analyzes in-flight changes, scores findings by severity and confidence, and offers fixes a developer can apply and re-verify without leaving the app. (GitHub Changelog)
Copilot for JetBrains added bring-your-own-key support for OpenAI-compatible custom endpoints, so teams can point the assistant at their own models across every plan tier. (GitHub Changelog)
Visual Studio's Copilot update introduced trust validation for MCP servers: at startup it now compares an MCP server's configuration and asset fingerprint against a trusted baseline, flagging drift before the server is used. That, plus general availability for the first C++ modernization-agent scenarios, rounded out GitHub's July 14 batch. (GitHub Changelog)
Signals
Signals from the Edges
Cursor 3.11 added Side Chats for parallel agents
The Cursor update lets developers run parallel agent conversations, search full transcripts, and reach more granular agent controls and project selection. It is the kind of multi-agent management surface that shows up once one agent per task stops being enough.
OpenAI shipped a physical Codex keypad
The Codex Micro is a small hardware controller with real-time RGB status lights and customizable controls, aimed at developers juggling several running agents at once. A novelty, but a telling one about how many agents people are now running in parallel.
Anthropic launched Claude for Teachers
Verified US K-12 educators get free access to Claude, including Claude Code and Cowork, plus an open-source repository of the teaching skills and new education connectors. The build-it-yourself angle, not the free tier, is what makes it worth a developer's attention.
A harness claimed 99% on ARC-AGI-3, self-reported
Impossible Research introduced Schema, an agent harness that reaches 99% on the ARC-AGI-3 Public set with Opus 4.8 and Fable 5 by wrapping the models in an executable world-model loop rather than changing weights. The number is self-reported and not verified by ARC Prize, and the public set is the easier, saturable one, so read it as a technique worth watching, not a solved benchmark.
Looking Ahead
What to Watch
- 1
Gemini 3.5 Pro's slip
Google's flagship missed the July 17 window, its third delay since June, with Bloomberg reporting that coding performance fell short of internal goals and Alphabet shares down around 3%. That leaves Google as the only major lab without a 2026 flagship in general production. Watch for the next target, reported around late July, and whether Google ships a stopgap Flash release instead of the Pro.
- 2
DeepSeek V4's move off preview
The official V4 release carries peak-and-off-peak API pricing, doubling rates during Beijing business hours, the first time a major model API meters by time of day. The legacy
deepseek-chatanddeepseek-reasonerendpoints retire July 24, so integrations built on those aliases need to migrate. - 3
Cloudflare's crawler default flips September 15
For new domains, Training and Agent crawlers get blocked by default on ad-supported pages, and multi-purpose crawlers like Googlebot fall under the most restrictive rule. Anyone standing up a site behind Cloudflare before then should check the zone security settings deliberately.
The agents can open apps, edit files, and pull packages on their own now, and the models behind them are getting cheaper and more open by the month. The work of the next few releases is making sure a poisoned dependency or a spoofed prompt cannot turn that cheap, capable autonomy against the person running it.