TinyFish | Daily Brief — Issue 4

Daily Brief

CURRENT

A journal for living in the agentic age

Practitioner's Corner

ISSUE #4

Monday, June 29

ISSUE #4

Monday, June 29

A Chinese Open-Weight Model Beat Claude on Cybersecurity Benchmarks. Then the Scaffolding Beat Everyone.

by Rina Takahashi — June 29, 2026

Feature image for article: A Chinese Open-Weight Model Beat Claude on Cybersecurity Benchmarks. Then the Scaffolding Beat Everyone.

Semgrep just published benchmarks showing GLM-5.2, Zhipu AI's open-weight model, outscoring Claude Code on vulnerability detection (39% F1 vs. 32%, at seventeen cents per bug found). Researchers at Graphistry allege it's an illegal distillation of GPT-5.5 and Opus 4.8. Zhipu hasn't responded. But the wildest number in the whole report is getting the least attention: Semgrep's own scaffolded pipeline crushed both models at 53–61% F1. The wrapper beat the brain. Heading into a July 4th week already thick with export control debate, the timing is something.

Feature image for article: A Chinese Open-Weight Model Beat Claude on Cybersecurity Benchmarks. Then the Scaffolding Beat Everyone.

A Chinese Open-Weight Model Beat Claude on Cybersecurity Benchmarks. Then the Scaffolding Beat Everyone.

by Rina Takahashi — June 29, 2026

Semgrep just published benchmarks showing GLM-5.2, Zhipu AI's open-weight model, outscoring Claude Code on vulnerability detection (39% F1 vs. 32%, at seventeen cents per bug found). Researchers at Graphistry allege it's an illegal distillation of GPT-5.5 and Opus 4.8. Zhipu hasn't responded. But the wildest number in the whole report is getting the least attention: Semgrep's own scaffolded pipeline crushed both models at 53–61% F1. The wrapper beat the brain. Heading into a July 4th week already thick with export control debate, the timing is something.

The AI Arms Race Heats Up

Happy Monday. The Fourth of July weekend is right there, but the AI industry apparently runs on a different calendar.

A Stanford dataset tracking historical memory prices is making the rounds. The cost of one gigabyte of storage has dropped from roughly $10 million in 1960 to fractions of a cent today. The curve never stops being wild.
"Speculative decoding" is having a moment. The idea: a small, fast model drafts tokens and a larger model checks them. Think autocomplete for AI models themselves. Multiple teams are shipping implementations at once.
The diplomatic vocabulary around frontier models now includes phrases like "hosting rights" and "access sovereignty." A year ago those terms didn't exist in this context.

Pour a big coffee. Monday came in hot.

TODAY'S BIG MOMENT

The AI Arms Race Heats Up

Happy Monday. The Fourth of July weekend is right there, but the AI industry apparently runs on a different calendar.

A Stanford dataset tracking historical memory prices is making the rounds. The cost of one gigabyte of storage has dropped from roughly $10 million in 1960 to fractions of a cent today. The curve never stops being wild.
"Speculative decoding" is having a moment. The idea: a small, fast model drafts tokens and a larger model checks them. Think autocomplete for AI models themselves. Multiple teams are shipping implementations at once.
The diplomatic vocabulary around frontier models now includes phrases like "hosting rights" and "access sovereignty." A year ago those terms didn't exist in this context.

Pour a big coffee. Monday came in hot.

Google Caps Meta's Access to Gemini Models

Google told Meta it can't have as much Gemini compute as it wants. Meta's response: telling employees to use tokens more efficiently. Trillion-dollar companies rationing infrastructure to each other is a new flavor of supply chain problem.

Grok 4.5 Goes Live at SpaceX, Tesla

Musk says Grok 4.5 is in private beta at SpaceX and Tesla, built on a 1.5T-parameter foundation with Cursor data from the Anysphere acquisition. Claims it rivals Opus. New models monthly through year-end. Zero independent benchmarks so far.

DeepSeek's DSpark Makes V4 85% Faster

DeepSeek open-sourced DSpark, a speculative decoding module that speeds up V4 inference by 60–85% with identical output. Not a new model. Just making the existing one dramatically cheaper to run. The serving-cost war is on.

Anthropic Says Alibaba Ran 25,000 Fake Accounts

Anthropic alleges Alibaba used 25,000 fraudulent accounts to extract 28.8 million Claude exchanges, boosting Qwen toward Mythos-level capabilities. Called it a subsidy for geopolitical competitors. Anthropic, OpenAI, and Google are now sharing intelligence on distillation attacks. Alibaba hasn't responded.

Austria Lobbies EU to Host Anthropic's AI

Austria is pushing the EU to host Anthropic within its borders, a direct response to US export curbs blocking foreign access to Mythos and Fable. "Hosting rights" and "access sovereignty" are now part of the diplomatic vocabulary. That's genuinely new.

Microsoft's MAI-Code-1-Flash Hits General Availability

Microsoft's 5B-parameter coding model is live for Copilot Business and Enterprise. Beats Claude Haiku 4.5 on SWE-Bench Pro by 16 points, uses up to 60% fewer tokens. Some enterprise users report it still hasn't appeared in their model pickers. Classic.

Meanwhile, in the Rest of Tech

HackerRank's AI Resume Scorer Is a Slot Machine

A developer ran HackerRank's open-source ATS on the same resume 100 times. Scores ranged from 66 to 99. With an 85 cutoff, that candidate fails 65% of the time. Same person, same qualifications, different luck each run.

One Employee's Vibe Coding Cost $81K in Tokens

Fintech startup Slash rewrote its AI usage policy after an employee burned $81,267 in tokens building a small video game. Adoption outpaced spend governance. The story is becoming a cautionary fable for every team without token budgets.

Fake DMCA From Uninhabited Island Delists Journalist

Google removed Gergely Orosz's investigation into Pollen's collapse after a DMCA claim from someone supposedly on the uninhabited Bouvet Islands, alleging plagiarism of a 1998 New Yorker piece. The two articles share zero sentences. Google complied without checking.

Privacy & Speech

Age Verification Laws Are Really Identity Systems

A viral anonymous essay argues age verification laws, now active in half of US states, exist to tie digital identities to physical ones. The EFF has long maintained every age-verification system is a surveillance system. The post is generating hundreds of comments.

Linux Kernel Exploit Gains Root, Integrity Checks Pass

CVE-2026-46331 lets unprivileged users gain root by poisoning cached copies of setuid binaries in memory. File-integrity checks see nothing wrong. A working public exploit dropped within a day of the CVE assignment. Patch your kernels.

Cloudflare Found a Bug in Rust's hyper

Cloudflare published a detailed write-up on a bug they discovered in hyper, the Rust HTTP library that quietly underpins a significant chunk of web infrastructure. Worth a read for anyone building on Rust's networking stack.

Colorado AI Act Delayed and Gutted Before Deadline

The Colorado AI Act was set for tomorrow, but Governor Polis pushed enforcement to January 2027 while stripping key provisions. Gone: the duty of care for algorithmic discrimination, deployer impact assessments, and several AG reporting requirements.

Meanwhile, in the Rest of Tech

HackerRank's AI Resume Scorer Is a Slot Machine

A developer ran HackerRank's open-source ATS on the same resume 100 times. Scores ranged from 66 to 99. With an 85 cutoff, that candidate fails 65% of the time. Same person, same qualifications, different luck each run.

One Employee's Vibe Coding Cost $81K in Tokens

Fintech startup Slash rewrote its AI usage policy after an employee burned $81,267 in tokens building a small video game. Adoption outpaced spend governance. The story is becoming a cautionary fable for every team without token budgets.

Fake DMCA From Uninhabited Island Delists Journalist

Google removed Gergely Orosz's investigation into Pollen's collapse after a DMCA claim from someone supposedly on the uninhabited Bouvet Islands, alleging plagiarism of a 1998 New Yorker piece. The two articles share zero sentences. Google complied without checking.

Privacy & Speech

Age Verification Laws Are Really Identity Systems

A viral anonymous essay argues age verification laws, now active in half of US states, exist to tie digital identities to physical ones. The EFF has long maintained every age-verification system is a surveillance system. The post is generating hundreds of comments.

Linux Kernel Exploit Gains Root, Integrity Checks Pass

CVE-2026-46331 lets unprivileged users gain root by poisoning cached copies of setuid binaries in memory. File-integrity checks see nothing wrong. A working public exploit dropped within a day of the CVE assignment. Patch your kernels.

Cloudflare Found a Bug in Rust's hyper

Cloudflare published a detailed write-up on a bug they discovered in hyper, the Rust HTTP library that quietly underpins a significant chunk of web infrastructure. Worth a read for anyone building on Rust's networking stack.

Colorado AI Act Delayed and Gutted Before Deadline

The Colorado AI Act was set for tomorrow, but Governor Polis pushed enforcement to January 2027 while stripping key provisions. Gone: the duty of care for algorithmic discrimination, deployer impact assessments, and several AG reporting requirements.

Favorite Featured Stories

The OTel GenAI Spec Has an Implicit Reader

The OTel GenAI Spec Has an Implicit Reader

The OpenTelemetry GenAI semantic conventions define how to trace agent workflows: which agent ran, what tools it called,...

The Furniture Is Arriving Before the House Is Built

The Furniture Is Arriving Before the House Is Built

Across the agent ecosystem, multiple players are simultaneously shipping the same category of development: admin console...

What a Click Carries

What a Click Carries

When a person clicks a button on a webpage, the infrastructure only sees the click. It never sees the reading, the conte...

What the Click Was Holding Together

What the Click Was Holding Together

A mouse click is four assertions compressed into one gesture: I'm here, I see what I'm doing, I have the authority, and ...

Favorite Featured Stories

The OTel GenAI Spec Has an Implicit Reader

The OTel GenAI Spec Has an Implicit Reader

The OpenTelemetry GenAI semantic conventions define how to trace agent workflows: which agent ran, what tools it called,...

The Furniture Is Arriving Before the House Is Built

The Furniture Is Arriving Before the House Is Built

Across the agent ecosystem, multiple players are simultaneously shipping the same category of development: admin console...

What a Click Carries

What a Click Carries

When a person clicks a button on a webpage, the infrastructure only sees the click. It never sees the reading, the conte...

What the Click Was Holding Together

What the Click Was Holding Together

A mouse click is four assertions compressed into one gesture: I'm here, I see what I'm doing, I have the authority, and ...