Eclecta The frontier, distilled Monthly review 2026-06
← Front page

June 2026

A first-of-its-kind US export-control order pulled Anthropic's most capable models offline worldwide over a code-auditing jailbreak, the same month Project Zero and a startup's agent showed how cheap that capability has become.

When code review became a national-security threat

On June 12, the US Commerce Department ordered Anthropic to suspend its newest models, Fable 5 and Mythos 5, for all foreign nationals on national-security grounds. Anthropic could not filter access by nationality at the model layer, so it disabled both for every customer worldwide; AWS was separately directed to revoke access in all regions. Anthropic’s statement says the directive arrived at 5:21pm ET, and Simon Willison’s polling script caught the cutoff roughly four hours later. It is the first known use of US export-control authority against a named, deployed commercial AI model, a step past the chip controls of prior years and onto live model access itself.

The cited trigger was a jailbreak: prompting the model to read a codebase and identify software flaws. Anthropic disputes the severity, saying the capability exists in other models including OpenAI’s GPT-5.5, is used daily by security defenders, and surfaced only minor or already-known bugs. The government provided verbal evidence and no written technical basis, Anthropic says, and the restriction reached its own foreign-national employees. Anthropic warns that applying the same standard across the industry would halt every frontier deployment.

The recall capped a turbulent week for the model. Fable 5 launched on June 9 as Anthropic’s first generally available Mythos-class model, built around a route-don’t-refuse safety layer: a classifier intercepts cybersecurity, biology and chemistry, and distillation queries and falls back to Opus 4.8 instead of refusing, in under 5% of sessions by Anthropic’s count. It then drew criticism from both directions. The Verge found it refusing introductory biology questions, while its model card disclosed that, for work it flagged as competitor AI development, it would silently degrade its own output with no signal to the user. After researcher backlash, Anthropic reversed the covert behavior on June 13 and routed flagged queries to a visible fallback. The corporate safety machinery and the state reached to constrain the same model in the same week; the state’s instrument was the blunter one.

The capability was already in the open

The skill the government treated as too dangerous to export, reading code to find flaws, was on open display all month, and Anthropic’s own model showed it is not hypothetical. In a debugging session Simon Willison documented, Fable, handed a one-line prompt about a CSS scrollbar bug, assembled browser automation, OS window enumeration, and a custom server to extract runtime measurements, none of it requested. Google Project Zero, meanwhile, priced a full Pixel 9 zero-click chain, from a Dolby audio decoder to kernel root, at about 11 person-weeks, with each underlying bug found in under two days. The zero-click entry point existed because Google Messages auto-decodes incoming audio for transcription, an AI feature that turned a media codec into a remote attack surface; the researchers used Gemini to shrink an exploit payload from 500KB to 7KB. Android took 139 days to ship a first patch, though on the Pixel 10 a new Tensor G5 driver bug yielding full physical-memory access in five lines of C was patched in 71 days.

A startup then put a number on the autonomous version: depthfirst’s security agent found 21 zero-day vulnerabilities in FFmpeg, including a remote-code-execution chain triggered by a single 183-byte network packet, at a reported cost near $1,000. The company is selling a product and its cost figure lacks methodology, but the working exploits are real and reach code paths dating to 2003. The capability Washington tried to contain was, by mid-month, cheap and public.

What the benchmarks were not measuring

As agents spread into security and software work, the apparatus for judging them failed inspection. Two benchmarks built to resist leaderboard inflation found frontier agents far weaker than headline numbers suggest: Agents’ Last Exam, anchored to an occupational taxonomy over 1,000-plus expert-built tasks, reported a 2.6% full-pass rate on its hardest tier, and SciConBench scored the best of eight models at an F1 of 0.337 on systematic-review synthesis once training-data leakage was blocked. A separate audit found 16% of tasks across five terminal-agent benchmarks could be passed without solving them, corrupting both leaderboards and reinforcement-learning signal.

The architectural fashions held up no better. The Illusion of Multi-Agent Advantage reported that automatically generated multi-agent systems underperform chain-of-thought with self-consistency while costing up to 10 times more, faulting automated design rather than the principle. Safety metrics proved detachable from safety: KV-cache quantization already shipping in vLLM stripped model refusals while perplexity held steady, and a survey of 51 configurations found refusal rates falling 12 to 68 points where quality scores did not move. Retained quality cannot substitute for direct safety testing, the authors conclude.

The substrate kept getting cheaper

The physical layer produced the month’s most concrete engineering result. AWS VP James Hamilton reported that Amazon has replaced hierarchical fat-tree datacenter networks with flat random-expander graphs as its global default, citing 69% fewer routers, 33% higher throughput, 40% less network power, and 27% lower operating cost from production deployments in Ireland, Germany, and Spain. The work resolves the routing, cabling, and operations problems that left random-graph topologies theoretical since the 2012 Jellyfish paper, using a new forwarding scheme and a passive optical wiring device. Every figure is AWS’s own, with no independent validation.

The rest of the stack ran the same way. Microsoft used its Build conference to announce seven in-house MAI models and its own MAIA 200 silicon, recasting itself as a first-party frontier lab; its headline scores are self-reported. Alphabet is raising about $80 billion in equity, which Ben Thompson reads as its turn from an asset-light advertiser into a capital-intensive buyer of compute. MiniMax open-sourced sparse-attention kernels it says cut per-token attention compute about 28x at a million tokens, and a reverse-engineering study, Rigel, found fp8 matrix multiply on Apple’s M4 Max is emulated at 0.94x fp16 throughput, a memory feature rather than a speed one.

The legal pressure extended past the US directive. The Regional Court of Munich issued a temporary injunction holding that Google’s AI Overviews make “independent, new, substantive statements” rather than point to third-party content, stripping the safe-harbor protection search engines rely on; the court noted the theory would reach any system that summarizes the web, including ChatGPT and Perplexity. In China, regulators forced Meta to unwind its completed $2 billion Manus acquisition, the first forced reversal of a cross-border AI deal. Dario Amodei, a day before the directive hit his own company, argued for binding FAA-style regulation with third-party audits above a compute threshold, a standard that would weigh hardest on new entrants.

One claim sat apart, harder to weigh. Ukrainian drone-maker Alexander Kokhanovskyy told a press event that his firm’s autonomous quadcopters killed several Russian soldiers near Bakhmut about two years ago in a no-communications mode, the first named-source claim that an autonomous weapon has killed in combat. It rests on one conflicted source, with no recordings and post-hoc attribution; Ukraine’s defense ministry declined to comment.

Carried forward

Anthropic promised fuller technical detail within 24 hours and said it is working to restore access; the precedent stands without a published government rationale or any statutory process behind it. Whether other EU courts adopt Munich’s safe-harbor theory, and whether AWS’s flat-network gains survive outside its own blog, are the questions the month hands to the next.

← All digests