Having my finger on the pulse of all the blog posts coming out across the API providers I profile as part of API Evangelist continues to build my confidence in the value of my work, as well as my understanding of what is happening across the market. This work has moved me back to the 500K view above the market fog, out of any specific siloes or echo chambers, allowing me to do what I do when it comes to API discovery and governance.

Three threads defined the week. Anthropic launched Claude Fable 5 and Claude Mythos 5 — the first generally available Mythos-class model — and then the US Government forced it off the market three days later under an export-control directive, a story that propagated through the network from AWS's own "What's New" feed outward. MCP stopped being a wave of announcements and became a list of GA products: HashiCorp shipped Terraform MCP Server 1.0, AWS shipped OpenSearch MCP Apps, Redis, DigitalOcean, Zoho, and Databricks all shipped MCP, and the gateway and governance layer kept scrambling to catch up. And the supply-chain worm campaign that defined last week didn't slow down — it crossed from npm into PyPI and, more importantly, started explicitly targeting MCP developers and AI coding agents as the attack surface.

Let me walk through what I saw.

Anthropic Shipped a Model the Government Pulled in Three Days

The single most-covered story in the network this week, and one of the stranger ones I have tracked: on June 9th, AWS announced Claude Fable 5 on Amazon Bedrock, billing it as the first generally available Mythos-class model — Mythos-level capability with built-in safeguards designed to make it safe for broad release. Snowflake announced it on Cortex AI the same week. For about three days, the network filled with posts from developers one-shotting work they expected to take days: large code reviews, migrations, long-running builds.

Then it disappeared. On June 12th, AWS quietly appended an update to the same announcement: "To support compliance with the US Government export control directive, Anthropic has asked AWS to revoke access to Claude Fable 5 and Claude Mythos 5 for all users." Socket and Slashdot both ran it: the federal government ordered Anthropic to pull Fable 5 and Mythos 5, three days after launch. Opus 4.8 and the rest of the model line were explicitly unaffected and remained available.

I am reporting this the way the API Evangelist network surfaced it — across AWS's official feed, Snowflake's, and multiple security and tech outlets in the same 72-hour window — not as something I have independently confirmed beyond those feeds. But the shape of the story matters regardless of the details: we now live in a world where a frontier model can be generally available on the largest cloud on Tuesday and export-controlled off it by Friday. That is a new kind of platform risk. If you build a product on a model tier, the question is no longer just "will the price change" or "will it be deprecated" — it is "could this capability class be pulled by a government directive while my product is in production." That is a procurement and architecture conversation the API ecosystem has not had to have before.

The model belief systems has a regulatory ceiling now, and we just watched one of the leaders hit it. I am much more pro-regulatory on this stuff then I used to be. Even with this administration. Fascinating times.

MCP Stopped Announcing and Started Shipping GA

Last week MCP crossed into "enterprise infrastructure mandate." This week it crossed into general availability — the announcements turned into 1.0 release notes and "now GA" banners across the network.

• HashiCorp shipped Terraform MCP Server 1.0 GA — consistent infrastructure across an organization with flexible deployment options, agents driving Terraform via natural language. This is the infrastructure-as-code layer formally opening to agents.

• Amazon OpenSearch Service launched MCP Apps for agentic observability — surfaced across a dozen AWS service feeds in the pull. Agents querying observability data directly.

• Redis shipped RedisVL MCP — connecting a Redis vector index to AI agents.

• DigitalOcean published "How to Build an MCP Server in Python" — MCP has reached the "here's the tutorial" phase, which is the phase where a protocol stops being a frontier and becomes a default.

• Atropos Health launched its Evidence Agent MCP on Databricks Marketplace, and Zoho shipped a Recruit MCP server. MCP is now showing up in vertical SaaS, not just developer infrastructure.

• Stack Overflow announced "Stack Overflow for Agents" in beta — if your coding agent has questions, Stack Overflow now has an answer surface built for the agent rather than the human. That one is worth sitting with: the canonical human Q&A site of the last fifteen years is now building a product for the machines that replaced its traffic.

And Anthropic launched Claude Managed Agents — a fully managed runtime for autonomous agents with sandboxed execution and persistent sessions. The most interesting post about it wasn't from Anthropic; it was Finout's "Let's Talk About How We're Going to Pay for This." The FinOps community immediately recognized what a managed autonomous-agent runtime does to a cloud bill, and started writing about cost governance before most teams have even deployed one. That instinct is correct. Let’s talk about how much we’ve spent.

The MCP Gateway and Governance Layer Is Racing the Deployment Wave

With MCP servers now shipping GA from every direction, the gateway and governance layer is visibly sprinting to get ahead of the sprawl. Zuplo had the most prolific week of anyone in the network on this theme, publishing four posts that together sketch the whole problem space:

• Why Enterprises Need an MCP Gateway — the case for a central layer to govern MCP tool use and access control at scale.

• Wrap a Token-Only MCP Server in OAuth — fronting the many MCP servers that ship with a single paste-in static token, so clients get a real OAuth flow while the token stays sealed in the gateway.

• Bind Every MCP Token to One Server — scoping tokens so a leaked credential can't be replayed against a different server.

• Your Team Already Installed Shadow MCP — the one I keep coming back to. Developers are pasting GitHub, Slack, and Stripe keys into editor configs to wire up MCP servers nobody approved. Zuplo's argument: don't ban shadow MCP, govern it. That is the right instinct, and it is exactly the same pattern as shadow IT and shadow APIs before it — the thing already happened, and the only question is whether you have visibility into it.

"Shadow MCP" is going to be a term of art by the end of the year. Every organization that has developers and an editor already has it. I like Zuplo’s gateway view of things.

The Worm Reached the Agents

Last week's npm Shai-Hulud campaign did not burn out. It evolved, and it crossed two important lines: from npm into PyPI, and from "steal developer credentials" into "target AI agents and MCP developers specifically."

• Socket reported "Shai-Hulud Descends to Hades" on June 7th — the Miasma worm campaign spreading and mutating across new package families.

• Socket then reported the campaign targeting bioinformatics and MCP developers via malicious PyPI wheels — a PyPI wave that started at 37 malicious wheels and had added 23 more package-version artifacts by the time of writing. The threat actors are iterating across delivery mechanisms, package themes, and runtime triggers faster than the ecosystem can pull them.

• Cequence published the sharpest agent-specific piece — a breakdown of a Mitiga Labs demonstration of a five-step attack that hijacks Claude Code's MCP traffic and steals the OAuth bearer tokens that grant access to Jira, Confluence, and GitHub. No privilege escalation, no memory corruption, no new CVE. It abuses how an agentic developer tool routes MCP traffic. The token theft hides in plain sight because the agent is supposed to be making those calls.

Put the two big threads of the week next to each other and the picture is clear: MCP is shipping GA everywhere at exactly the moment attackers have figured out that the MCP layer — the tokens, the tool calls, the agent's trust in its own context — is the soft target. The Cequence attack is the concrete version of the abstract warning everyone was issuing a month ago. It is here, it is demonstrated, and it works against the most popular agentic coding tool in the market.

This is why the governance layer racing the deployment wave (the section above) is not an academic concern. The gateway that wraps a token-only MCP server in OAuth and binds the token to one server is, very specifically, a mitigation for the attack class Cequence just walked through.

Agent Secrets Management Became a Product Category

Continuing the thread from last week's agent-identity wave, the credential-handling side of the problem matured this week from principle into how-to.

• WorkOS published "How to manage API keys, tokens, and secrets for AI agents" — encrypted storage, OAuth connection management, and session-scoped access for autonomous agents. A practical guide, not a manifesto, which is the signal that the category is maturing.

• Cequence followed its attack writeup with "Why the Security Controls Built Into LLMs Aren't Enough" — the argument that model-level guardrails do not substitute for infrastructure-level containment around what an agent can actually reach.

• Nango shipped a run of agent-integration content — comparing self-hosted integration platforms for AI agents on infra, license terms, and agent support, plus hands-on guides for building Google Sheets and Notion integrations with Codex and Claude. The "integration platform, but the consumer is an agent" positioning is becoming its own product lane.

The consistent message across all of these: the secret an agent holds is more dangerous than the secret a human holds, because the agent will use it automatically, at machine speed, across systems, in response to context it didn't author. Session-scoped, revocable, narrowly-bound credentials are the answer everyone is converging on.

A Few Other Threads Worth Noting

Felt closed a $15M round and launched its public beta — and shipped new developer APIs alongside it, with the pitch that you can build mapping apps 6x faster. Geospatial tooling opening up its API surface to the agent-building wave is a pattern I expect to see more of.

The SpaceX IPO rippled across the network's fintech and crypto feeds all week — tokenized SpaceX stock launching on Solana the same day it listed on Nasdaq, and a wave of "two weeks of consequential data" macro commentary. Not an API story directly, but the capital-markets enthusiasm is the backdrop against which all the AI infrastructure funding keeps happening.

Datadog ran DASH 2026 with a heavy slate of observability-for-AI announcements — the company is positioning itself squarely at the "you deployed agents, now monitor them" layer, which is the natural commercial follow-on to the MCP-everywhere wave.

Apple announced Siri AI and the next generation of Apple Intelligence alongside macOS 27 "Golden Gate" — notable for the API ecosystem mostly because of the EU angle: the bloc said Apple's decision not to launch Siri AI in Europe is Apple's alone, a reminder that the regulatory fragmentation of AI capability (see the Anthropic story above) is now a structural feature of the market, not an edge case.

What I Am Watching Going Into Next Week

The Anthropic export-control aftermath. A model going GA and then being pulled by government directive in three days is unprecedented, and the second-order effects are going to take a while to surface. Watch for the cloud providers and downstream products that built quick demos on Fable 5 to publish "what now" posts, and watch for the broader conversation about whether capability-tier export controls are going to become a recurring feature of frontier model releases. If they are, the API ecosystem needs a much more serious story about model portability and fallback.

Whether MCP governance ships fast enough. Terraform MCP, OpenSearch MCP, Redis MCP, Zoho MCP, Databricks MCP — all GA this week. The Zuplo gateway content, the WorkOS secrets guides, the Cequence containment argument — all the right pieces. The question is the same as last week, only sharper now that the Cequence/Mitiga attack is a demonstrated reality: do the gateways and the token-binding mature fast enough to be in front of the deployments, or do we spend 2027 cleaning up shadow MCP the way we spent years cleaning up after OAuth.

The worm's next target. Shai-Hulud went from npm to PyPI to MCP developers in a fortnight. The malicious-PyPI-wheel wave targeting bioinformatics and MCP developers is the kind of escalation that tends to get copied. I expect more "we were affected" disclosures and, specifically, more attacks aimed at the agent layer — the context window, the tool calls, the tokens — because that is where the trust is now, and that is where the soft target lives.

I am neck in the MCP discovery and governance realm right now. As a storyteller the Anthropic "Fable" and Shai-Hulud threat fascinate me. We seem to be our own worst eney on this stuff. The move fast and break things. The replace humans with automation when we don't even have a full understanding of the infrastructure we have in place. There is so much that can go wrong in the sprawl we seem destinated to possess in endless geological layers. Good times. I hope you are able to find your way in the madness and sprawl as we move into the summer. If nothing else, get outside and touch grass and spend time with the hoomans you love.

"We live in a rainbow of chaos." — Paul Cezanne