
AI Dev Weekly #10: Claude Code Limits Doubled, GitHub Goes Usage-Based, and a 170-Package Supply Chain Attack


AI Dev Weekly is a Thursday series where I cover the week’s most important AI developer news, with my take as someone who actually uses these tools daily.

Anthropic doubled Claude Code limits overnight. GitHub confirmed usage-based billing starts June 1. A supply chain attack hit 170+ packages in under 6 minutes. And Google I/O previewed what Android looks like when AI runs the show. Big week. Let’s get into it.

Anthropic doubles Claude Code limits after SpaceX compute deal

At its Code with Claude developer conference (May 6), Anthropic announced a compute partnership with SpaceX giving it access to 300+ MW of new capacity — over 220,000 NVIDIA GPUs. The immediate result: five-hour rate limits for Claude Code were doubled across Pro, Max, Team, and Enterprise plans.

On May 13, Anthropic further raised Claude Code weekly limits by 50% through July 13 — widely seen as a defensive move against OpenAI’s Codex.

Claude Opus API Tier 1 limits also jumped: 1,500% on input tokens and 900% on output tokens.

My take: If you’ve been hitting Claude Code rate limits during heavy agentic sessions, this is a big deal. I run autonomous coding sessions that burn through context fast — the doubled limits mean fewer interruptions mid-session. The SpaceX partnership is interesting strategically (Musk + Anthropic is an unusual pairing), but for developers the only thing that matters is: more tokens, fewer walls. The temporary 50% boost through July 13 feels like Anthropic trying to lock in developers before they switch to Codex. Use it while it lasts.

GitHub Copilot goes usage-based June 1

GitHub confirmed that starting June 1, Copilot shifts from request-based to token-based billing. Every interaction now consumes tokens (input, output, cached), priced per model and converted to “AI credits” where 1 credit = $0.01.

Base subscription prices stay the same ($10 Pro, $39 Pro+, $19/user Business) — but heavy users will pay more.

Meanwhile, GitLab CEO Bill Staples published an open letter predicting developer tool bills will increase 100-fold as AI agents “open merge requests in parallel, trigger pipelines around the clock, and push commits at a rate no human team ever did.” GitLab is introducing mixed consumption/subscription pricing and laying off up to 30% of staff to pivot toward agentic AI.

My take: The era of predictable flat-rate AI coding tools is ending. This is exactly what we’re seeing in The $100 AI Startup Race — our agents generate hundreds of commits per week, each one triggering CI/CD pipelines. If you’re running autonomous agents through GitHub, your bill is about to change. Start monitoring token consumption now. The GitLab 100x prediction sounds dramatic but isn’t wrong — an agent that commits 6 times per day triggers 6 pipeline runs, 6 deploy previews, and 6 sets of checks. Multiply by a team of agents and the math gets ugly fast.

Supply chain attack hits TanStack, Mistral AI SDK, and 170+ packages

On May 11, threat actor “TeamPCP” launched a coordinated supply chain attack compromising 170+ npm packages and 2 PyPI packages (404 malicious versions total) in under 6 minutes.

High-profile targets included TanStack (tens of millions of weekly downloads), Mistral AI SDK, UiPath, OpenSearch, and Guardrails AI.

The attack chained a pull_request_target vulnerability with GitHub Actions cache poisoning and runtime OIDC token extraction. This wasn’t credential theft; it exploited CI/CD pipelines directly.

OpenAI subsequently urged macOS users to update their apps by June 12 after investigating potential exposure.

My take: This is the scariest attack vector for AI developers right now. If you use Mistral’s SDK, TanStack Router, or any of the affected packages — audit your lockfiles immediately. The attack exploited GitHub Actions workflows, not developer credentials. Even well-secured maintainer accounts weren’t enough. Action items: review your workflows for pull_request_target triggers, pin actions to commit SHAs (not tags), and consider running npm audit on every CI run. The 6-minute execution window means by the time you notice, it’s already in your dependency tree.
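
As an added example (not from the original post or from any affected project), here is a small Python check for the first two action items above: it flags pull_request_target triggers and `uses:` references that are not pinned to a full 40-character commit SHA. It is a line-based heuristic rather than a YAML parser, and the sample workflow and its SHA are constructed.

```python
import re
from pathlib import Path

TRIGGER_RE = re.compile(
    r"^\s*(?:on:\s*.*\bpull_request_target\b|(?:-\s*)?pull_request_target\s*:?\s*$)")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; the 40-character SHA is a placeholder.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local
"""


def audit_workflow(text):
    """Return (line_number, finding) tuples; local and docker:// refs are skipped."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # ignore YAML comments
        if TRIGGER_RE.match(line):
            findings.append((number, "pull_request_target trigger"))
        match = USES_RE.match(line)
        if not match or match.group(1).startswith(("./", "docker://")):
            continue
        ref = match.group(1).partition("@")[2]
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((number, "not pinned to commit SHA: " + match.group(1)))
    return findings


def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    files = sorted((Path(root) / ".github" / "workflows").glob("*.y*ml"))
    report = {str(p): audit_workflow(p.read_text(encoding="utf-8")) for p in files}
    return {path: found for path, found in report.items() if found}


if __name__ == "__main__":
    for path, found in audit_repo().items():
        for number, finding in found:
            print(f"{path}:{number}: {finding}")
```

Run it from a repository root; it prints one `path:line: finding` row per issue, which makes it easy to wire into a CI step that fails on any output.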

Google I/O preview: Gemini Intelligence and proactive agents

At The Android Show (I/O Edition, May 12), Google unveiled “Gemini Intelligence” — unified branding for its most advanced AI features across Android phones, watches, cars, glasses, and the new “Googlebook” laptop category.

Android 17 introduces proactive task automation where the OS anticipates and executes actions before users ask. Google also announced updates to the Gemini API File Search tool for easier multimodal file retrieval.

Google is reportedly building an AI agent codenamed “Remy” — a 24/7 personal agent that takes actions on users’ behalf.

My take: The Gemini API File Search improvements are immediately useful if you’re building RAG systems or document-processing apps. Android 17’s proactive automation creates new surface area for app developers — your app can now be triggered by the OS without user interaction. The full I/O keynote is May 19-20, where we expect Gemini 3.2 to officially launch. That’s the one developers should actually watch for.

Quick hits

  • Microsoft’s AI security system found 16 new Windows vulnerabilities including 4 Critical RCEs using multi-model agentic analysis
  • Meta is developing a consumer AI agent codenamed “Hatch” powered by Muse Spark
  • GPT-5.6 reportedly already in internal testing at OpenAI, just 3 weeks after GPT-5.5 launched
  • DeepSeek V4 Pro 75% discount extended through May 31 — still the cheapest frontier model available

That’s AI Dev Weekly #10. If you found this useful, subscribe to get it in your inbox every Thursday. See you next week — with full Google I/O coverage.
