Hey, welcome back.

In This Issue

🔐 Vercel hacked by ShinyHunters: Supply chain attack via Context.ai OAuth compromise
💥 Lovable's 48-day exposure: BOLA flaw affecting 8 million users
🤖 Anthropic's Mythos model leaked: Cyberweapon accessed by unknown hackers via Mercor
🚀 Cursor + SpaceX deal: $60B acquisition option with xAI Colossus compute
🎨 ChatGPT Images 2.0: Thinking, browsing, near-perfect text, 2K resolution
🎙 Grok Voice APIs: 10x cheaper than ElevenLabs, already outperforming it
📱 Telegram agentic bots: Two taps, no code, TON blockchain + Jupiter API

Vercel Got Hit by ShinyHunters

The group behind the Ticketmaster breach is back. This time the target was Vercel, the platform hosting Next.js and millions of production web apps including major DeFi protocols like Uniswap and Aave.

The attack did not come through Vercel directly. It came through Context.ai, a third-party AI tool used by one Vercel employee.

Security - Vercel | April 19, 2026

Supply Chain Attack via Context.ai OAuth Compromise

→ Entry point: Context.ai, a third-party AI tool used by one employee
→ Method: Google Workspace OAuth hijack, then lateral movement into Vercel systems
→ Data listed on BreachForums: database, access keys, source code - asking price $2M
→ Potential blast radius: NPM packages, GitHub tokens, DeFi protocol frontends
→ Vercel response: confirmed breach, engaged Mandiant, stated NPM packages unaffected

The scariest part is not the breach itself. It is the entry point. One employee's third-party AI tool. That is the new threat model. Every external tool your team uses is now a potential door into your production systems.

Read Vercel's official bulletin →

Lovable's 48-Day Data Exposure

This one is worse in a different way. Not a sophisticated nation-state attack. A basic API flaw that was reported, acknowledged, partially patched, and left open for 48 days.

A security researcher demonstrated that any free Lovable account could access another user's source code, Supabase database credentials and AI chat histories from any project created before November 2025.

Security - Lovable | April 20, 2026

BOLA Flaw Exposed 8 Million Users for 48 Days

→ Any free account could access other users' source code, database credentials, and AI chat histories
→ Affected projects: everything created before November 2025
→ Bug reported March 3 via HackerOne, patched for new projects only, then closed as duplicate
→ Root cause: February 2026 backend unification accidentally re-enabled public chat history access
→ New attack surface: developers routinely paste raw API keys and credentials into AI chat
→ Status: Lovable says fully patched as of April 21, chat data on public projects now locked down
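
As an added illustration (not Lovable's code and not part of the original newsletter), this sketch puts the BOLA pattern described above next to an object-level authorization check. The `Project` model, the sample data, the function names and the policy that public projects share source but never chat history are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    id: str
    owner: str
    public: bool
    created: str                      # ISO date
    chat: list = field(default_factory=list)

# Constructed sample data: one old public project, one newer private one.
PROJECTS = {p.id: p for p in (
    Project("p1", "alice", True, "2025-06-01", ["SERVICE_KEY=<constructed-sample>"]),
    Project("p2", "bob", False, "2026-03-10", ["refactor the login page"]),
)}

class Forbidden(Exception): pass

def get_chat_vulnerable(requester, project_id):
    # BOLA: object fetched by ID with no check that this caller may read it.
    return PROJECTS[project_id].chat

def can_read(requester, project, resource):
    # Object-level policy, evaluated on every request for every project,
    # with no exemption based on project.created.
    if requester == project.owner:
        return True
    # Assumed policy: public projects share source only, never chat history.
    return project.public and resource == "source"

def get_chat(requester, project_id):
    project = PROJECTS.get(project_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if project is None or not can_read(requester, project, "chat"):
        raise Forbidden(project_id)
    return project.chat

def leaks(reader, requester):
    """IDs of projects whose chat `reader` hands to a non-owner."""
    leaked = []
    for pid, project in PROJECTS.items():
        if project.owner == requester:
            continue
        try:
            reader(requester, pid)
            leaked.append(pid)
        except Forbidden:
            pass
    return leaked
```

Running `leaks` across every stored project, old and new alike, is the kind of regression check that catches a fix applied only to newly created objects.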

The deeper issue this exposes: millions of developers are pasting sensitive credentials directly into AI chat contexts without realizing those conversations might be accessible to anyone. This is not just a Lovable problem. It is a habit problem across the entire vibe coding ecosystem.

Read the full TNW investigation →

Anthropic's Secret Cyberweapon Got Out

Anthropic built a model called Mythos. They described it as capable of identifying thousands of zero-day vulnerabilities across every major OS and browser, including critical ones two decades old. They considered it too dangerous to release.

Security - Anthropic | April 21, 2026

Claude Mythos: The Model Too Dangerous to Release, Now in Unknown Hands

→ Mythos: Anthropic's unreleased cyberweapon model, capable of finding zero-day vulnerabilities at scale
→ Entry point: Mercor, an AI training contractor previously breached in early April
→ Method: combined Mercor breach data with contractor access to guess internal URL patterns
→ Group also claims access to other unreleased Anthropic models beyond Mythos
→ Anthropic statement: "investigating a report of unauthorized access through a third-party vendor environment"

A model Anthropic built to find zero-day vulnerabilities is now in the hands of an anonymous group. The irony of a safety-focused lab's most dangerous model being the first to leak through a contractor is hard to miss.

Read the Gizmodo report →

Cursor + SpaceX - A $60 Billion Option

SpaceX announced a partnership with Cursor on April 21, 2026, with an option to acquire the company for $60 billion. The deal gives Cursor access to xAI's Colossus supercomputer, roughly one million H100-equivalent chips, to dramatically scale its model training. Cursor's valuation has risen approximately 20x in 18 months.

Big Deal - Cursor | April 21, 2026

SpaceX Has the Option to Buy Cursor for $60 Billion

→ SpaceX holds an acquisition option for $60B, or pays $10B for joint development
→ Cursor gets access to xAI's Colossus: ~1 million H100-equivalent chips for model training
→ Goal: build what SpaceX calls "the world's most useful AI models" for software engineering
→ Cursor's valuation up approximately 20x in the past 18 months

Cursor is the most widely used AI code editor right now. Giving it access to Colossus-level compute means its models could get dramatically better, fast. This is Elon consolidating AI developer tooling under his orbit.

Read the TechCrunch report →

ChatGPT Images 2.0 Is Here

OpenAI launched ImageGen 2.0 on April 21, 2026. This is not an incremental update. The new model has thinking capabilities: it can browse the web, generate multiple images from a single prompt, and double-check its own outputs before delivering them.

OpenAI - April 21, 2026

ChatGPT Images 2.0: Thinking, Browsing, 2K Resolution

→ Browses the web to inform image generation with up-to-date context
→ Generates multiple image variants from a single prompt
→ Self-checks outputs before delivering, catches errors the old model missed
→ Near-perfect text rendering inside images, previously a major weakness
→ Up to 2K resolution output, color accuracy indistinguishable from photography
→ Available to all ChatGPT and Codex users now, advanced outputs for paid subscribers

The text rendering improvement alone is a significant unlock for designers. Generating UI mockups, social cards, and marketing assets with accurate small text has been reliably broken for years. That problem appears to be genuinely solved here.

Read the TechCrunch review →

Grok Just Killed the Voice AI Pricing Model

xAI launched two voice APIs this week: Speech-to-Text and Text-to-Speech. Both are already outperforming ElevenLabs, Deepgram, and AssemblyAI on word error rate across 25+ languages. The pricing is what stops people cold.

xAI - Grok Voice APIs

10x Cheaper Than ElevenLabs. Already Outperforming It.

| Provider | STT Pricing | TTS Pricing |
|---|---|---|
| ElevenLabs | ~$1.00/hr | ~$42/1M chars |
| Deepgram | ~$0.59/hr | ~$15/1M chars |
| Grok (xAI) | $0.10/hr batch | $4.20/1M chars |

ElevenLabs built a strong position on voice quality. xAI just made that position much harder to defend at 10x the price. For builders shipping voice-enabled products, this changes the unit economics of everything.

Telegram Agentic Bots - Two Taps, No Code

Pavel Durov announced that Telegram users can now create agentic AI bots in just two taps, no coding required. These bots can hold multi-step conversations, use external tools, and manage other bots.

Telegram - Pavel Durov

Agentic Bots in Two Taps, No Code, No Wallet Setup

→ Any Telegram user can now create a fully agentic AI bot in two taps, no coding required
→ Bots can hold multi-step conversations, use external tools, and manage other bots autonomously
→ Natively connected to TON blockchain and Jupiter API for on-chain financial task execution
→ Agents can execute financial and social tasks end-to-end without any technical setup from the user
→ Telegram is positioning itself as an AI distribution and execution layer, not just a messaging app

Most platforms are still arguing about where AI fits in their product. Telegram just made every one of its 900 million users a potential AI agent deployer. The distribution advantage here is enormous and almost nobody is talking about it.

Bonus

The Smarter Way to Use AI Is to Let It Challenge You

Instead of this:

"Summarize this article for me."

Try this:

"Act as a developmental editor for The Atlantic. Read my thinking on this topic and tell me where my argument is weakest, what I'm avoiding, and what a skeptical editor would cut."

Summarization removes friction. Developmental editing adds it back in a useful direction. One makes you feel informed. The other makes you actually better at thinking.

🏆 Top products of the day

1. Brila: One-page sites built from your Google Maps reviews (▲ 1,258)
2. Figma for Agents: Design natively inside AI agent workflows (▲ 528)
3. Fathom 3.0: AI meeting notes that now auto-write follow-ups and briefs (▲ 581)
4. NovaVoice: Real-time AI voice cloning with sub-200ms latency (▲ 586)
5. Influcio: Find and contact micro-influencers automatically with AI (▲ 541)

Stay sharp,
Better Every Day
