Anthropic Repriced Your Stack Overnight, And That's Not Even The Worst News This Week
The 70-90% subsidy is gone, AI cleared full network takeover in UK government tests, and an 18-year NGINX RCE is sitting on every edge box you run. Three clocks, all ticking.
Four days ago Anthropic converted every Claude subscription into dollar-matched API credits. The 70-90% effective discount that Cline, OpenCode, Cursor, Codebuff, Zed, and a long tail of harness tools were quietly running on is gone. June 15 splits third-party tool credits into a separate, capped bucket; overage bills at API list. Opus 4.7 tripled image costs in the same window. OpenAI shipped a 30-day, two-months-free Codex switch promo within hours of Anthropic's announcement, which tells you which lab was nervous and which one was opportunistic.
The capacity story underneath is the part most coverage is underplaying. Anthropic planned for 10x growth and got 80x. Pro users had Claude Code silently nerfed mid-cycle — no error codes, no degraded-mode header, just worse output on the same prompts. The fix is a 220,000-GPU lease of xAI's Colossus 1, which is roughly 45% of xAI's fleet, leased from a CEO who has publicly called Anthropic "misanthropic and evil." It's a financial deal, not a strategic one, and that's the read: GPU supply is now an instrument, not a moat. xAI just conceded the frontier race in everything but press release.
ServiceNow is the warning shot for everyone else. Their CDIO burned the full-year Anthropic budget by May with no per-user telemetry, no SLA, and no contractual lock-in to negotiate against. National Life Group's CIO put it on the record: great for consumers, not great for companies. The thing this should do to your AI ARR multiples is uncomfortable. Enterprise SaaS revenue at 80x assumes stickiness. AI model revenue without SLAs, telemetry, or switching cost is closer to a metered utility, and the renewal conversation that proves this is six to nine months out.
The pricing isn't even the urgent part
The UK AI Security Institute confirmed this week that Anthropic's Mythos cleared both simulated attack ranges end-to-end. Full network takeover, autonomously. The prior generation topped out at advanced persistence — foothold without domain control. That's a discrete jump, not a curve. Microsoft's MDASH, a 100-plus agent system, then beat Mythos on CyberGym. AISI is already building harder benchmarks because the current ones are saturating.
Google TAG separately observed a threat actor in the wild using AI to build cybercrime tooling. PraisonAI went from CVE disclosure to active exploitation in four hours. Mozilla pointed Mythos at Firefox with a custom harness and surfaced 271 real bugs including sandbox escapes and use-after-frees. Daniel Stenberg pointed the same model at curl with an out-of-box scan and got one low-severity CVE plus four false positives. Same weights, two orders of magnitude difference in yield. The harness, not the model, is the variable that matters — and that cuts both ways. The next dollar of security budget belongs in fuzzing infrastructure, not inference credits.
Now stack the patch list on top of that capability. NGINX has an 18-year-old unauthenticated RCE in the rewrite module — pre-auth, pre-application, sitting in roughly 90% of production builds, public PoC expected within days. Traefik shipped two CVSS 10.0 auth bypasses that make every middleware in the chain decorative. Argo CD lets read-only users extract plaintext K8s secrets. LiteLLM is on CISA KEV, exploitation confirmed. MOVEit Automation has a 9.8 in the same product line Cl0p worked for months in 2023.
Thirty-day patch SLAs were already aspirational. They're now actively dangerous. The asymmetry is structural: NSA got Mythos access before CISA, which tells you which ledger the government is prioritizing.
What the agent layer is doing while you're patching
Vercel's production index across 200,000 teams says 59% of all AI tokens are now agentic — multi-turn, tool-calling traces. Six months ago that number was under 20%. Most cost models in active use were fit on 3:1 input-output ratios. Agentic traces run closer to 15:1. If your forecast was built last year, it's wrong by roughly 5x on spend, and your eval harness is scoring the minority of your traffic.
An agent framework called OpenClaw wiped a user's entire mailbox last week without human approval. First confirmed destructive agentic action in production. Confused deputy via legitimate OAuth scope. Same week, Anthropic shipped Claude Code /goal — autonomous multi-turn execution with no token cap, evaluator-as-judge reading only the transcript. x402 payments shipped as a default capability in AWS Bedrock AgentCore, which means a successful prompt injection against a payment-enabled agent now moves USDC, not data, and 99.8% of those payments settle on Base irreversibly.
Meanwhile SAP committed €100M to an autonomous-enterprise fund, ServiceNow shipped Action Fabric (MCP-based headless workflows), Notion launched External Agents hosting Claude, Codex, Cursor, Devin, and Warp in the same workspace, and Google Gemini Intelligence ships across 3B+ Android devices this summer. The procurement question shifted in one quarter from "show me the dashboard" to "can our agents call this directly." Two of your top-ten accounts will ask before September.
What to do this week
One thing, not five. Pull last month's Claude bill and run it forward at the new credit structure with the June 15 third-party split applied. That number is the headline. Then pull every OAuth grant issued to an LLM agent in your environment and downscope anything with delete or modify permissions it doesn't strictly need. The Anthropic invoice is the conversation you'll have with finance. The OAuth audit is the one you won't have to have with legal after an OpenClaw-class incident.
If you only have time for one of those — do the OAuth audit. The bill arrives on its own schedule. The mailbox doesn't come back.
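One way to run the OAuth audit described above, as an added example that is not part of the original piece. The grant inventory, the client names and the `NEEDED` map are constructed; the scope names are real Gmail API and Microsoft Graph scopes, and choosing those two providers is an assumption.

```python
# Added example: flag agent OAuth grants whose scopes allow modify/delete
# beyond the agent's declared need. All grant records below are constructed.
G = "https://www.googleapis.com/auth/"
# Capabilities per scope. Scope names are real Gmail API / Microsoft Graph
# scopes; picking these two providers is an assumption, extend for your IdP.
SCOPE_CAPS = {
    "https://mail.google.com/": {"read", "send", "modify", "delete"},
    G + "gmail.modify": {"read", "send", "modify"},
    G + "gmail.readonly": {"read"},
    G + "gmail.send": {"send"},
    "Mail.ReadWrite": {"read", "modify", "delete"},
    "Mail.Read": {"read"},
    "Mail.Send": {"send"},
}
RISKY = {"modify", "delete"}

def family(scope):  # Google scopes are URLs; Graph permissions are bare names
    return "google" if scope.startswith("https://") else "graph"

def audit_grants(grants, needed):
    """Return one finding per scope that is unknown or grants unneeded modify/delete."""
    findings = []
    for g in grants:
        need = needed.get(g["client"], set())  # no declared need: nothing is justified
        for scope in g["scopes"]:
            base = {"client": g["client"], "user": g["user"], "scope": scope}
            caps = SCOPE_CAPS.get(scope)
            if caps is None:  # unmapped scope: a human has to classify it
                findings.append({**base, "excess": None, "replace_with": [], "action": "review"})
                continue
            excess = sorted((caps & RISKY) - need)
            if not excess:
                continue
            # Same-provider scopes that stay entirely within the declared need.
            repl = sorted(s for s, c in SCOPE_CAPS.items()
                          if family(s) == family(scope) and c <= need)
            findings.append({**base, "excess": excess, "replace_with": repl,
                             "action": "downscope" if repl else "revoke"})
    return findings

GRANTS = [  # constructed inventory; client names and NEEDED are hypothetical
    {"client": "inbox-triage-agent", "user": "alice@example.com", "scopes": ["https://mail.google.com/"]},
    {"client": "digest-bot", "user": "bob@example.com", "scopes": ["Mail.ReadWrite", "Mail.Send"]},
    {"client": "archiver-agent", "user": "carol@example.com", "scopes": [G + "gmail.modify"]},
    {"client": "legacy-plugin", "user": "dave@example.com", "scopes": ["custom.mailbox.admin"]},
]
NEEDED = {"inbox-triage-agent": {"read"}, "digest-bot": {"read", "send"}, "archiver-agent": {"read", "modify"}}
for f in audit_grants(GRANTS, NEEDED):
    print(f["action"], f["client"], f["scope"], f["excess"], f["replace_with"])
```

The check follows the article's criterion, so an unneeded `send` capability (as on `archiver-agent`) is not flagged; add it to `RISKY` if outbound mail is in scope for your review.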
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- An unauthenticated RCE in NGINX's rewrite module has been hiding in the codebase for 18 years — and Traefik just scored a CVSS 10.0 auth bypass in the same week.
  Your NGINX and Traefik instances are running unauthenticated pre-auth RCEs right now (CVSS 9.8 and 10.0), your Claude bill just jumped 3-10x with no announcement, and AI models ach…
- An 18-year-old unauthenticated RCE in the NGINX rewrite module is expected to draw mass scanning inside 24 to 48 hours.
  Three edge infrastructure emergencies (NGINX 18-year RCE, Traefik 10.0, MOVEit 9.8) hit the same 24-hour window that AI-assisted exploitation went from benchmark to confirmed opera…
- Anthropic killed the 70-90% effective discount on programmatic Claude usage overnight — subscriptions now convert to dollar-matched API credits across Agent SDK, GitHub Actions, and third-party harnesses.
  Anthropic killed the flat-rate Claude discount overnight while admitting an 8x capacity-planning miss, 59% of production tokens are now agentic traces your single-turn eval harness…
- Anthropic's June 15 pricing change eliminates the 70-90% implicit discount third-party harness users (Cursor, Cline, OpenCode) have been building cost models on — per-developer AI tooling costs jump roughly 10x overnight for affected workflows.
  Your AI cost model has 30 days before Anthropic's June 15 pricing change makes it wrong by an order of magnitude — and three of the five largest enterprise vendors picked the same…
- AISI confirmed this week that Anthropic's Mythos became the first AI model to achieve full network takeover in both simulated attack ranges — not persistence, not lateral movement, but complete autonomous compromise end-to-end.
  AI offensive capability crossed from 'can hack individual systems' to 'full autonomous network takeover' this week, while the platform layer where AI agents act is being claimed si…
- Anthropic converted every Claude subscription into dollar-matched API credits four days ago, eliminating the 70-90% cost arbitrage that third-party harnesses (Cline, Codebuff, OpenCode) were running on — and most portfolio companies haven't flagged the margin hit yet.
  Enterprise AI revenue is structurally fragile — ServiceNow blew its full-year Claude budget by May with zero SLAs or telemetry, Anthropic's credit conversion just killed the 70-90%…