Weekly API Evangelist Governance (Guidance) For June 8th, 2026
I continue to get a handle on sifting through the noise. I still need to properly weight fundamental API signals, alongside the MCP, Agent Skills, and other things that dominate the landscape. It’s hard to wade through 30+ MCP posts from AWS, Salesforce, and others who have quite a megaphone. I will keep attempting to put my finger on the scale for the little guys, but it will take a few more weeks to do so properly.
Four threads defined the week. Anthropic filed for IPO, making it the first frontier AI lab to pursue public markets. A coordinated npm supply chain attack campaign — the Shai-Hulud worm — hit hundreds of packages and reached production at Vapi.ai. MCP crossed the line from "interesting protocol" to "enterprise infrastructure requirement," with Google Cloud, Salesforce, and AWS all shipping GA MCP servers and the governance layer beginning to take shape. And the agent identity and security problem stopped being theoretical — real vendors shipped real tooling this week for the question of how you manage credentials, permissions, and audit trails for software that acts on its own.
Let me walk through what I saw.

Anthropic Confidentially Filed Its S-1
The biggest individual news item by coverage volume: Anthropic confidentially submitted a draft S-1 to the SEC on June 1st, making it the first frontier AI lab to pursue a public offering. Mashable and TechCrunch called it correctly — Anthropic beat OpenAI to the IPO filing.
The timing is worth sitting with. The same week OpenAI's models became available on AWS Bedrock (not just Azure), Anthropic moved toward public markets. These are not coincidental. The AI infrastructure layer is maturing enough that the major players are thinking about what the next five years look like from a capital structure perspective, not just a research one.
The broader capital picture for the week: Supabase closed a $500M Series F at a $10B valuation. Suno (AI music) closed a $400M Series D at $5.4B. OpenRouter announced a $113M Series B with 100 trillion tokens routed monthly. Money is still moving into AI infrastructure at extraordinary scale, and it is not slowing down.
I have been tracking Anthropic's API surface for a while now. The IPO filing is the moment where the research lab stops being a research lab and starts being a public company with all the disclosure obligations that come with that. That transparency is going to be interesting for the API ecosystem — we will finally see the actual usage numbers behind the API. I remember when Apigee IPO’d; it was big for the API space.

npm Is On Fire — and AI Agents Are Now a Target
The most alarming story of the week, and the one most likely to be underreported because it unfolded in pieces across multiple security vendor blogs: a coordinated, multi-actor npm supply chain attack campaign ran all week and reached production.
The thread:
June 1 — Socket.dev reported the "Shai-Hulud Campaign" hitting Red Hat Cloud Services npm packages. Encrypted payloads via preinstall hooks, stealing CI/CD secrets and cloud tokens from developer machines. Sonatype and Aikido confirmed independently.
June 3 — Sonatype reported a Lazarus Group brandjacking campaign on npm, impersonating Buffer and React packages.
June 4 — Snyk published "Node-gyp Supply Chain Compromise" — a self-propagating worm abusing binding.gyp to bypass standard package lifecycle script detection, steal credentials, and self-propagate by infecting other maintainers. The same day, Sonatype confirmed the Shai-Hulud campaign had escalated: 304 compromised package versions in the "Miasma Wave."
June 4 — Vapi.ai published an incident response post confirming their GitHub repositories were hit by the Miasma worm. Contained in 3 hours, zero customer data accessed. The response was handled well. The fact that it reached production at a live AI voice infrastructure company is the story.
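One way to audit an unpacked dependency tree for the two install-time execution paths in the thread above, written as an added example and not code from any of the vendors named. It flags declared preinstall/install/postinstall scripts and also a binding.gyp in a package root with no install or preinstall script, which npm builds through node-gyp by default without any entry under "scripts". The package names and script contents in the sample tree are constructed.

```python
import json
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")

def audit_package(pkg_dir):
    """Return (kind, detail) findings for one unpacked npm package directory."""
    pkg_dir = Path(pkg_dir)
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [("unreadable-manifest", "package.json")]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        scripts = {}
    findings = [(hook, str(scripts[hook])) for hook in HOOKS if hook in scripts]
    # npm runs `node-gyp rebuild` at install time when binding.gyp sits in the
    # package root and no install/preinstall script is declared, so a scan of
    # "scripts" alone does not see this path.
    if (pkg_dir / "binding.gyp").is_file() and not {"install", "preinstall"} & scripts.keys():
        findings.append(("implicit-node-gyp", "binding.gyp"))
    return findings

def audit_tree(root):
    """Map each package path under root to its findings (clean packages omitted)."""
    root = Path(root)
    report = {}
    for manifest in sorted(root.rglob("package.json")):
        found = audit_package(manifest.parent)
        if found:
            report[manifest.parent.relative_to(root).as_posix()] = found
    return report

def build_sample_tree(root):
    """Constructed sample tree; package names and script contents are made up."""
    samples = {
        "clean-lib": ({"name": "clean-lib", "scripts": {"test": "node test.js"}}, False),
        "hooked-lib": ({"name": "hooked-lib", "scripts": {"preinstall": "node setup.js"}}, False),
        "native-lib": ({"name": "native-lib"}, True),
    }
    for name, (manifest, has_gyp) in samples.items():
        pkg = Path(root) / "node_modules" / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if has_gyp:
            (pkg / "binding.gyp").write_text('{"targets": []}', encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

A finding is a prompt for review, not a verdict: many legitimate native modules ship a binding.gyp.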
The one that should get more attention than it is getting: Snyk reported a jqwik 1.10.0 "protestware" incident on June 2nd. An open source maintainer of the jqwik testing library deliberately embedded hidden prompt injection instructions in the package using terminal escape codes invisible to humans. The payload targets AI coding agents — specifically, agents that read code comments and file contents as part of their context. This is a new attack category. The assumption that AI agents and human developers read the same text is now exploitable. A maintainer who has lost faith in the process can embed instructions that only machines can see.
The security community is going to be working through the implications of that one for a while.
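A check a reviewer could run over source files before they reach a coding agent's context, as an added example that is not taken from the Snyk report or from jqwik. It finds terminal control sequences in text and shows the affected lines with the sequences stripped, so a human sees the same characters a tool reading the raw file would. The sample comment and its marker text are constructed; the specific sequence used in the incident is not given on this page.

```python
import re

# ECMA-48 sequences plus stray C0 controls. Tab, LF and CR are normal in source.
CONTROL = re.compile(
    r"(?P<OSC>\x1b\].*?(?:\x07|\x1b\\))"             # OSC: ESC ] ... BEL or ESC \
    r"|(?P<CSI>\x1b\[[0-?]*[ -/]*[@-~])"             # CSI: ESC [ params final-byte
    r"|(?P<CTRL>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f])"   # lone ESC, backspace, DEL, ...
)

def scan_text(text):
    """Return (line, kind, escaped_sequence) for every control sequence in text."""
    findings = []
    for m in CONTROL.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        shown = m.group().encode("unicode_escape").decode("ascii")
        findings.append((line, m.lastgroup, shown))
    return findings

def strip_controls(text):
    """Text with control sequences removed, leaving every printable character."""
    return CONTROL.sub("", text)

def review_lines(text):
    """Flagged lines as (line_number, stripped_text) for a human to read."""
    flagged = {line for line, _, _ in scan_text(text)}
    return [(n, strip_controls(l))
            for n, l in enumerate(text.split("\n"), 1) if n in flagged]

# Constructed sample: a doc comment with a marker wrapped in control sequences.
SAMPLE = (
    "/**\n"
    " * Returns the next generated value.\n"
    " * \x1b[8mCONSTRUCTED-HIDDEN-MARKER\x1b[0m\n"
    " */\n"
    "int next();\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print(review_lines(SAMPLE))
```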

MCP Crossed Into Enterprise Infrastructure Mandate
Last week's newsletter noted that MCP governance content was starting to arrive. This week, the major cloud platforms all shipped GA MCP servers, and the governance and gateway infrastructure layer began to take serious shape. We are past the "will MCP become a standard" question. The question now is what the MCP infrastructure stack looks like at enterprise scale.
The GA announcements:
Salesforce's MCP Server for Marketing Cloud Engagement is GA — agents manage data extensions, journeys, and automations via natural language. This is a flagship enterprise product, not a demo.
Google Cloud's AlloyDB Remote MCP Server is GA — agents querying structured databases. A companion GCS MCP Server connects agents to unstructured data; Palo Alto Networks, Airwallex, and Snap were cited as early users.
Amazon shipped Bedrock AgentCore Gateway with extended MCP support and Amazon Q adding VPC connectivity for private MCP servers.
The infrastructure layer:
Zuplo launched an MCP Gateway in public beta and published "What the Best MCP Gateways Do in 2026" — the category now has established standards you can benchmark against.
Gravitee published "The AI Gateway: One Runtime for LLM, MCP, and A2A" — the argument that unified governance across all AI traffic types matters more than point solutions.
Solo.io donated Agentgateway to the Agentic AI Infrastructure Foundation (AAIF) under Linux Foundation governance. Rust-based, 7M+ downloads, 300+ contributors from 60+ organizations. This is the industry moving before any single vendor captures the MCP gateway layer.
The governance framing:
WorkOS published "The Security Risks Specific to MCP Servers" — five critical vulnerabilities: unauthenticated tool access, prompt injection, excessive permissions, token exposure, missing audit trails. This is the counterweight to all the "ship your MCP server" posts.
Gravitee introduced the concept of "Composite MCP Servers" — curating focused toolkits (a "customer-success-toolkit" rather than giving agents access to everything). This is the governance pattern that enterprise procurement is going to demand.
Tetrate shipped parameter-level authorization on live MCP tool calls — checking not just which tools an agent can invoke but what values it can pass. This is the fine-grained enforcement layer that the abstract "we need MCP governance" posts have been gesturing at.
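What parameter-level authorization on an MCP tool call can look like, as an added example and not Tetrate's implementation or policy format. It checks a JSON-RPC `tools/call` request against a default-deny policy covering the tool name, the argument names, and the argument values. The tool names, argument names and policy shape are hypothetical.

```python
import re

# Hypothetical per-agent policy: tool name -> argument name -> constraint.
POLICY = {
    "crm.search_accounts": {
        "region": {"enum": ["emea", "amer"]},
        "limit": {"max": 50},
    },
    "tickets.update": {
        "ticket_id": {"pattern": r"TCK-\d{1,8}"},
        "status": {"enum": ["open", "pending"]},
    },
}

def value_ok(rule, value):
    if "enum" in rule:
        return value in rule["enum"]
    if "max" in rule:  # positive integers only; bool is rejected by the type check
        return type(value) is int and 0 < value <= rule["max"]
    if "pattern" in rule:
        return isinstance(value, str) and re.fullmatch(rule["pattern"], value) is not None
    return False  # a rule with no known constraint never matches

def authorize(request, policy=POLICY):
    """Decide one MCP JSON-RPC request. Returns (allowed, reason). Default deny."""
    if not isinstance(request, dict) or request.get("method") != "tools/call":
        return False, "not a tools/call request"
    params = request.get("params")
    if not isinstance(params, dict):
        return False, "missing params"
    tool, args = params.get("name"), params.get("arguments", {})
    if not isinstance(tool, str) or tool not in policy:
        return False, f"tool not allowed: {tool!r}"
    if not isinstance(args, dict):
        return False, "arguments must be an object"
    for name, value in args.items():
        rule = policy[tool].get(name)
        if rule is None:
            return False, f"argument not allowed: {name}"
        if not value_ok(rule, value):
            return False, f"value rejected for {name}"
    return True, "ok"

if __name__ == "__main__":
    call = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",  # constructed request
            "params": {"name": "crm.search_accounts",
                       "arguments": {"region": "emea", "limit": 5000}}}
    print(authorize(call))
```

The decision and its reason are the natural unit to write to an audit trail, one record per call.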
The AAIF donation is the one I am watching most closely. The Linux Foundation takes things in because the industry is trying to establish vendor-neutral standards before any one player locks down the market. The fact that it happened this week — the same week Google, Salesforce, and AWS all shipped GA MCP servers — suggests the industry is trying to move the governance layer in parallel with the deployment wave, not after it. That is a better pattern than what happened with OAuth.

The Agent Identity Bill Came Due
The abstract problem — "AI agents need their own identity model" — turned into shipped product this week across multiple vendors. The underlying problem is consistent: organizations are deploying agents that can chain together API calls, and existing identity models built for human delegated access do not model what agents actually do.
Ory launched Ory Talos — replacing static API keys with dynamic, revocable Macaroon-based credentials for non-human identities. The number that caught my attention: over 80% of organizations have deployed AI agents, but only 21% have documented governance policies. That gap is what Ory Talos is targeting.
Auth0 published two posts in the same week — "Why AI Agents Need Their Own Permission Model" and "The Many Faces of OAuth 2.0 Token Exchange." The second one walks through RFC 8693 in the context of AI agent access management specifically.
HashiCorp published "Rethinking Infrastructure Access in the Age of Agentic AI" — the argument for just-in-time credentials via Vault and dynamic provisioning via Boundary rather than long-lived agent service accounts.
Microsoft introduced MXC SDK (Microsoft eXecution Containers) — policy-driven security boundaries for Windows platform AI agents.
F5 Networks: "Behavior and Boundaries: The Agentic Security Shift" — behavioral governance through constraint-based policies rather than perimeter rules.
The pattern across all of these: they are not patching existing identity infrastructure. They are arguing that agents require a new credential lifecycle — dynamic, scoped, time-limited, auditable at the call level — and shipping the tooling to implement it. The 80%/21% Ory statistic feels about right to me from what I am seeing in the network. Most organizations that have deployed agents have not thought carefully about what happens when those agents start chaining API calls across systems with different permission models.

API Providers Are Rebuilding Tooling for Agent-First Consumption
A wave of vendors shipped developer tooling explicitly designed to be consumed by AI coding agents rather than humans. This is the beginning of a meaningful rethinking of what "developer experience" means.
Hugging Face redesigned the hf CLI to detect agent vs. human context and switch output format automatically. The metric: agents using the hf CLI complete Hub tasks with 1.3x to 6x fewer tokens than curl or the Python SDK. They measured it. That number is going to be in every CLI redesign pitch deck for the rest of 2026.
Twilio shipped "AI Skills" — structured knowledge files teaching Claude, Cursor, and other agents how to use Twilio's 1,800+ endpoints. Four types: Setup, Planner, Product, Guardrail. This is Twilio acknowledging that their traditional documentation is not how agents consume an API surface.
Amplitude rebuilt their docs as an agent-first system and published the data: LLM crawlers requested more pages than humans (198K vs 124K) in the first 18 days post-launch. They open-sourced a Builder Skills Library that hit 100+ GitHub stars in two months. The framing I keep coming back to: they called the new docs "a programmable interface." That is the right framing.
Postman published a detailed walkthrough of generating client SDKs and AI-ready CLIs from OpenAPI specs in nine languages, specifically covering how to enable Claude Code to drive those CLIs.
Inngest shipped official tooling for Claude Code, Codex, and Cursor to write durable infrastructure code — agents writing infrastructure, with the tooling specifically designed so agents understand the constraints of durable execution.
The Neon "slop fork" post is the one I keep coming back to. A developer built a complete Neon console clone in half a Saturday using only Neon's public API and about $100 in Claude credits. Neon held this up as proof of agent-native platform design working. The argument: if your API is good enough for an agent to build a production-quality tool in half a day, you have the right abstraction. If it isn't, you don't. That is a clean benchmark.

A Few Other Threads Worth Noting
Sierra AI published "Outcomemaxxing" — the argument that AI-powered enterprise software must shift pricing from seats or usage to measurable business outcomes. This has direct implications for how API providers price agentic products. If agents complete tasks rather than consume resources, the billing model has to follow. Watch this one.
Cloudflare launched spend limits for AI Gateway — track actual dollar spending by model, provider, or custom metadata. Closed beta for per-user budget controls integrated with Cloudflare Access. The post title: "Your AI Bill Is Out of Control. Cloudflare Can Fix It Now." That is a market-defining move — positioning Cloudflare as the place you go when you finally open your AI bill and have questions.
LangChain published "Why Model Neutrality Matters More Than Cloud Neutrality" the same week OpenAI models became available on AWS Bedrock. The argument: the competitive moat is in the agent orchestration layer, not model access, and open-source orchestration is the only way to avoid being locked into a vendor's vision of what agents should look like. This is going to be the central tension in enterprise AI procurement for the next two years.
MiniMax released M3 — a model that exceeds GPT-5.5 and Gemini 3.1 Pro on key benchmarks at 5-10% of the cost, with open weights and a 1M token context window. The Chinese AI lab story is not going away. M3 is a meaningful data point in the argument that frontier performance does not require frontier pricing.

On API Evangelist
The blog pull pipeline is now running at full scale — 2,713 new posts from 857 providers this week, across all repos in the network with declared Blog or BlogRSS entries. The pull covers both RSS/Atom feeds (fetched directly) and HTML-scraped blogs (fallback for providers without feeds), which is why the coverage this week is higher than any prior run. The methodology section of this newsletter is going to get its own page soon because the number of people asking about how I am producing this has exceeded what I can answer individually.
The supply chain story this week underscores why the blog pull exists. I do not have a good automated way to detect the Shai-Hulud campaign or the jqwik protestware from the signal I am seeing — but the fact that Socket, Sonatype, Snyk, Aikido, and Checkmarx all published on the same cluster of incidents in the same week showed up cleanly in the pull, and I can now surface "the security community is all writing about the same thing" as a signal rather than having to read every blog individually. That is the point of the network.

What I Am Watching Going Into Next Week
Three things.
The Shai-Hulud worm aftermath. 304 compromised package versions in one week is not a one-off incident. The security community is going to be pulling packages and auditing preinstall hooks for weeks. Watch for more incident response posts from AI-adjacent startups and the inevitable "we were affected but contained it" disclosures. The jqwik protestware vector — invisible prompt injection targeting coding agents — is the one I expect to see copied.
Whether MCP governance tools ship before the next wave of enterprise deployments. The AAIF donation, the Tetrate parameter-level enforcement, the Zuplo gateway — these are the right pieces. The question is whether they mature fast enough to be in procurement conversations before the enterprise AI deployment wave (which is clearly arriving, based on the Salesforce and Google GA announcements) runs ahead of the governance tooling. Last time this happened was OAuth. It took years to clean up.
The Anthropic S-1 disclosure timeline. A confidential filing means the public S-1 is coming, but the timing is not known. When it drops, we will get real usage and revenue numbers from Anthropic's API for the first time. That is going to reset a lot of assumptions about the size of the market.