AI ACTUALLY
Issue No. 16 — Sunday, June 7, 2026
This is late. Not “fashionably over coffee” late — “it’s the afternoon and you’ve already mowed the lawn” late. No excuse worth printing, just a person who runs this thing around an actual life and lost a few hours to one today. Worth saying plainly, since it’s the kind of week where the news is mostly about software pretending to be people: a human made this. Slowly. With one too many coffees. Here’s the week.
Someone can hijack your AI assistant with a text you never open
Here’s the scenario. A normal-looking message lands in WhatsApp. You don’t tap it. You don’t reply. But your phone’s AI assistant quietly reads the notification, follows a set of hidden instructions buried inside it, and starts leaking your data — all without a single action from you.
That’s not a hypothetical. Researchers at SafeBreach Labs demonstrated exactly this against Google’s Gemini assistant, and it’s the second time the same team has broken Gemini this way (their last trick hid the commands inside calendar invites). The technique is called indirect prompt injection — smuggling orders into content the AI reads rather than typing them in yourself — and the new wrinkle dresses the malicious instructions up to look like a normal part of your own conversation, which sails right past Google’s existing defenses. It works across WhatsApp, Slack, Signal, SMS, Instagram, and Messenger, and the researchers showed it could do five different things: steal data, take unauthorized actions, relay phishing, prep an account takeover, and run silent surveillance. They told Google before going public. Google has defenses. The defenses got beaten. Twice.
Why it matters. This isn’t a bug in one app that a patch makes go away — it’s a side effect of how AI assistants work. The whole point of them is to read your stuff so they can be helpful, which means every message they can see is a door someone might walk through. The more access you hand your assistant, the bigger the blast radius when this goes wrong. The boring, effective fix in the meantime: go check what your assistant is allowed to touch, and turn off anything you’re not actually using.
ChatGPT now remembers you — and will finally show you the file
Tell ChatGPT you’re going to Singapore in July, and the new version will quietly update that note to “went to Singapore in July 2026” once the month is over. That small example is OpenAI’s way of explaining a fairly big change it started rolling out June 4 to paid users in the US (everyone else over the coming weeks).
The system is called Dreaming — ChatGPT building and tidying a profile of you in the background by reading across your past chats, instead of only remembering the specific things you ask it to. OpenAI says this fixes the old problem where saved notes went stale or contradicted each other (”training for a marathon” sitting next to “sprained my ankle”). The genuinely useful part for normal humans: there’s now a memory summary page where you can read everything it’s decided about you, edit it, or delete it. By OpenAI’s own numbers, the new setup recalls facts about you far more accurately than last year’s — though those are the company’s internal figures, not independently checked.
Why it matters. Up to now, ChatGPT mostly forgot you between conversations unless you told it not to. Now it’s keeping a running impression of you without being asked — your projects, your habits, the thing you mentioned once in March. The upside is real: less re-explaining yourself to a chatbot. The catch is that it now knows more about you than most people will bother to check, and “managing” that isn’t one clean off-switch. The first thing worth doing isn’t turning it off — it’s reading the file.
AI has started building the next AI
Here’s the number that should make you sit up: roughly 80% of the new code at Anthropic — one of the companies actually building these systems — is now written by its own AI, Claude. Their engineers are reportedly shipping about 8x more code than they were a couple of years ago. The people are still there. They’ve just become editors of a very fast intern.
This week Anthropic put out a piece on what it calls recursive self-improvement — the idea of AI systems helping design and build their own successors. In plain terms: you use this year’s model to help make next year’s model, which then helps make the one after that, each generation speeding up the next. Some of the coverage framed Anthropic’s write-up less as a brag and more as a warning, because that loop is exactly the part of AI progress that’s hardest to predict or slow down once it gets going.
Why it matters. For most of computing history, humans were the bottleneck — software got better only as fast as people could build it. The thing being described here is a world where the tool starts improving itself, and the curve stops waiting for us. That’s the entire promise of AI and the entire worry about it, sitting in the same sentence. You don’t need to panic about it on a Sunday. You do want to be the kind of person who saw it coming.
Remember Meta mining its own employees? They just won
Back in April, we flagged something Meta was doing quietly: logging its own employees’ mouse clicks and keystrokes to feed its AI — while, in the same stretch, handing some of those same employees pink slips. File that under “things that do not stay quiet.”
This week the staff pushed back, hard. More than 1,500 Meta workers signed an internal petition branding the program an “Employee Data Extraction Factory,” and Meta blinked — scaling the tracking back rather than ride out the revolt. It’s a genuinely rare outcome: internal pressure at a company this size usually gets absorbed into a memo and forgotten, not reversed. What gave this one teeth was the timing. It’s one thing to be monitored at work. It’s another to be monitored as training data while you’re also wondering whether your job survives the next round of cuts.
The kicker landed the same week. Meta is reportedly weighing a price for its upcoming consumer AI agent, “Hatch” (until recently codenamed OpenClaw): up to $200 a month, right alongside the priciest plans from OpenAI and Anthropic. So the message inside the building is “stop watching us,” and the message to you is “two hundred dollars and we’ll watch your inbox.”
Why it matters. This is the clearest sign yet that AI at work isn’t something being done politely with employees — it’s being done to them, and they’ve started saying no. The same company that couldn’t get keystroke-harvesting past its own staff wants to put an always-on agent on your phone for the price of a car payment. When the people closest to a product refuse to become its raw material, that’s the most honest review it’s going to get.
Safe to ignore this week
DeepSeek raising ~50 billion yuan — about $7.4 billion — with its founder reportedly throwing in 20 billion (roughly $3 billion) of his own. Enormous number. Changes nothing about your Tuesday unless you’re a Chinese venture capitalist.
The “Oceanus” model leak. A rumor about an unreleased Anthropic model, reportedly paused after someone in the test program resold access through a Chinese proxy. Spy-novel energy, no actual product to see.
Google “Dreambeans.” Turns your Gmail and Photos into a daily AI-generated cartoon of your life. We respect the chaos. We will not be covering the chaos.
Reddit’s AI spam problem. Real, growing, depressing — and exactly what you already assumed was happening.
This week’s model churn (Gemma 4, Reve 2, a new Qwen, et al.). The version numbers went up. The version numbers always go up.
That’s the week. Made by a person, late. Reply if something here confused you or if you think I got it wrong — it goes to a human, who reads it, eventually, between coffees.
See you Wednesday. On time, probably :)