Wednesday, 20 May 2026

GitHub Hack 2026: 3,800 Internal Repos Stolen via VS Code

GitHub Breach: 3,800 Internal Repos Stolen via Poisoned VS Code Extension | NeuralWired

Cybersecurity May 21, 2026 · 9 min read

GitHub Breach: 3,800 Internal Repos Stolen via Poisoned VS Code Extension

A single malicious IDE extension compromised a GitHub employee device, giving attackers enough access to clone thousands of internal repositories. Customer data wasn't touched, but the incident rewrites the threat model for every developer shop on the planet.

The breach didn't start with a zero-day. It didn't start with a phishing email targeting an executive or a firewall misconfiguration caught too late. It started with a VS Code extension, the kind of tool developers install without a second thought, that turned one employee's workstation into a foothold inside one of the world's most critical software infrastructure companies.

GitHub confirmed on May 19, 2026 that a poisoned Visual Studio Code extension had compromised an employee device, enabling attackers to exfiltrate roughly 3,800 internal private repositories. The company says it detected and contained the compromise the same day, isolated the endpoint, and removed the malicious extension version from circulation. Critically, GitHub states it found no evidence that customer repositories or customer data outside its own internal systems were affected.

That's the reassuring part. The unsettling part is everything the incident reveals about where enterprise security perimeters actually sit in 2026.

What Happened: A Confirmed Supply-Chain Breach

GitHub's official account, confirmed via a post on X on May 19, frames this as a supply-chain compromise: a developer tool trusted by the employee was weaponized to gain access to their machine. From there, the attacker was able to reach GitHub's internal source-code systems and begin cloning repositories.

The company's own investigation found the attackers' claimed figure of approximately 3,800 repositories to be "directionally consistent" with the evidence, according to InfoWorld's summary of GitHub's statements. GitHub was careful to draw a clear line: the exfiltration was limited to repositories used internally by GitHub itself, not the millions of repositories hosted on behalf of customers.

Confirmed facts at time of publication: Attack vector: poisoned VS Code extension. Victim: GitHub internal systems. Estimated exfiltration: ~3,800 internal private repositories. Customer repos and customer data: no confirmed impact. Threat actor: self-identified as TeamPCP, also tracked as UNC6780. Investigation status: ongoing.

Shortly after the breach became public knowledge, reports emerged that the stolen data had been listed for sale on a cybercrime forum. According to the International Business Times Singapore, the asking price was at least $50,000. That figure, drawn from underground-forum claims, should be treated as reported rather than confirmed until a primary source verifies it directly.

How the Attack Worked: The Extension as Entry Point

The mechanism here is what makes this incident so instructive. VS Code is the dominant code editor across the industry. Its extension marketplace hosts tens of thousands of plugins, and developers install them constantly, often during onboarding, often without scrutiny. A malicious actor who can get a poisoned extension onto a developer's machine doesn't need to break through network perimeters or exploit unpatched services. They're already inside.

Once the attacker gained a foothold on the compromised endpoint, the path to internal repositories was short. Developer workstations are, almost by design, privileged environments. They hold cached credentials, authentication tokens, SSH keys, OAuth grants, and access to internal tooling that no external attacker would typically reach. The Next Web's analysis of the incident highlights exactly this dynamic: once an attacker reaches a workstation that already has tokens and access to internal tools, they can pivot into source-code systems and clone repositories without needing to defeat GitHub's external controls at all.

"Malicious IDE extensions are such effective footholds precisely because developer machines are pre-authorized to do the things attackers want to do."
Analysis from The Next Web's incident coverage

This is the core technical reality of the attack: no sophisticated server-side exploit was needed. The extension did the hard work of establishing presence on an authorized machine, and the rest followed naturally from the access that machine already had.

The Timeline

Date	Event	Source
May 19, 2026	GitHub detects and contains compromise of employee device via poisoned VS Code extension	GitHub on X
May 19, 2026	Malicious extension version removed; endpoint isolated; incident response initiated	The Next Web
May 19, 2026	GitHub states no evidence of customer data impact outside internal repositories	BleepingComputer
May 19-20, 2026	Reporting and GitHub assessment align on ~3,800 internal repositories exfiltrated	InfoWorld
May 19-20, 2026	Stolen data reportedly listed for sale on cybercrime forum for at least $50,000	IB Times SG (reported)
Ongoing	GitHub continues monitoring for follow-on activity and investigating the full scope	BleepingComputer

The Threat Actor: TeamPCP and UNC6780

The group behind the attack has identified itself publicly as TeamPCP. Sophos' incident summary, which corroborates GitHub's account and adds threat-intelligence context, also tracks this actor under the designation UNC6780. That dual naming reflects the standard industry practice of different security vendors applying their own internal tracking identifiers to the same cluster of activity.

Attribution caveat: The TeamPCP / UNC6780 attribution is based on GitHub's own statements and third-party security reporting, not an official law-enforcement determination. Treat this as working attribution rather than confirmed identity.

Sophos' investigation, as reported by The Next Web, focused its threat hunt on anomalous activity around tokens, secrets, OAuth grants, webhooks, and download behavior. That scope of inquiry suggests the attackers were methodical about using existing access rights rather than attempting to escalate privileges in ways that might trigger conventional detection.

Whether TeamPCP is a financially motivated criminal group (consistent with the reported forum sale) or a state-linked actor using financial activity as cover is not yet established. The $50,000 asking price is relatively modest for internal source code from a company of GitHub's scale, which could suggest opportunistic monetization, an attempt to obscure the real intent, or simply an opening bid.

Developer Tools Have Become the New Enterprise Perimeter

This incident isn't primarily a story about GitHub getting hacked. It's a story about where the attack surface of modern software organizations actually lives, and the answer is uncomfortable: it lives on developer laptops, inside IDE plugins, inside package managers, inside the dependency trees of build tools that no one has audited in years.

The VS Code extension marketplace has tens of thousands of published extensions. Microsoft applies automated scanning, but the review process isn't equivalent to, say, the scrutiny applied to kernel modules or enterprise software packages. Developers install extensions quickly, often based on download counts and star ratings, and rarely with the same skepticism they'd apply to, say, granting a third-party app access to their corporate email.

That trust gap is exactly what supply-chain attackers exploit. It's the same dynamic that made the SolarWinds compromise in 2020 so effective, and the XZ Utils backdoor in 2024 so alarming. Trusted tooling, trusted update channels, trusted developers, all targeted precisely because the trust makes detection harder and lateral movement easier.

"The initial compromise happened on a developer endpoint rather than in a perimeter system, which is exactly why malicious IDE extensions are such effective footholds."
Analysis from The Next Web

The CyberScoop coverage of this incident notes the same structural vulnerability. When developer machines are the target, the attacker doesn't need to find a hole in your cloud infrastructure. They need to find a developer who installs a popular-looking extension that has been quietly modified to exfiltrate credentials in the background.

🔓

Credential Harvest

Developer endpoints hold cached tokens, SSH keys, and OAuth grants that provide direct access to internal systems without needing to break external controls.

🧩

Extension Trust Gap

Developers install IDE extensions with minimal vetting. Automated marketplace scans don't catch all malicious code, especially if obfuscated or dormant at publish time.

🔄

Supply Chain Pivot

Compromising a trusted tool in the developer workflow is more efficient than attacking network perimeters. One infected update reaches every machine that auto-updates.

📁

Repo Cloning at Scale

Once inside an authorized machine, bulk repository cloning is indistinguishable from normal developer activity without granular behavioral baselines in place.

What Defenders Should Do Now

The GitHub incident provides a practical model for what every security team should be inspecting in their own environment. Sophos' threat hunt, as detailed by The Next Web, concentrated on anomalous activity in five specific areas: token usage, secret access, OAuth grant behavior, webhook configuration changes, and bulk download or clone activity. Those five categories form a reasonable starting checklist for any organization that runs developer workflows at scale.

Beyond detection, the structural fixes fall into a few clear categories:

Extension allowlists: Maintain an approved list of VS Code (and other IDE) extensions. Require security review before adding new entries. Block installation of unapproved extensions on corporate devices via policy.
Short-lived tokens: Replace long-lived personal access tokens and SSH keys with short-lived, scoped credentials wherever possible. A stolen token that expires in an hour is dramatically less useful than one valid for a year.
Endpoint isolation protocols: Establish and rehearse the procedure for isolating a compromised developer machine within minutes, not hours. GitHub's same-day detection and isolation is notable; many organizations would have taken much longer.
Secret rotation triggers: Any time an endpoint is suspected of compromise, immediately rotate all secrets that machine could have accessed. Don't wait for forensic confirmation before rotating.
Behavioral baselines for repo access: Establish what "normal" looks like for developer repository access patterns. Bulk cloning of repositories outside a developer's usual scope should trigger automated alerts.
Audit OAuth and webhook grants regularly: Revoke OAuth applications and webhooks that haven't been used recently or that have broader scopes than necessary. These are often forgotten and become persistent access paths after initial compromise.

None of these controls is new. What the GitHub breach does is illustrate, in concrete terms, what happens when developer-endpoint security doesn't get the same rigor as network or cloud security. The developer security posture of an organization is now a direct determinant of its overall breach risk.

For VS Code specifically: Microsoft's extension marketplace guidance recommends verifying publisher identity and reviewing extension permissions before installation. Organizations can enforce extension policies via the VS Code extensions.allowedExtensionIDs setting in managed environments.

Frequently Asked Questions

Was customer data on GitHub.com exposed in the breach?

GitHub stated on May 19, 2026 that it found no evidence of impact to customer repositories or customer data outside its own internal systems. The confirmed exfiltration was limited to roughly 3,800 repositories used internally by GitHub, not repositories belonging to GitHub's users.

Which VS Code extension was responsible for the GitHub breach?

GitHub and reporting outlets have not publicly named the specific extension as of publication. GitHub confirmed it removed the malicious extension version from circulation and isolated the affected endpoint. Security researchers recommend treating any recently installed, less-verified extension with heightened scrutiny while the investigation continues.

Who is the threat actor behind the GitHub hack?

The group has self-identified as TeamPCP and is also tracked as UNC6780 by Sophos. Attribution is based on GitHub's statements and third-party security reporting, not a confirmed law-enforcement determination. The group reportedly listed the stolen data for sale on a cybercrime forum for at least $50,000.

How did the attackers exfiltrate 3,800 repositories without being detected sooner?

Bulk repository cloning from an authorized developer machine can look like normal activity without behavioral baselines in place. GitHub detected and contained the compromise on the same day it occurred, which is notably fast response. The exact detection method hasn't been publicly disclosed.

What should developers do to protect themselves from malicious VS Code extensions?

Verify publisher identity and check extension permissions before installing anything. Prefer extensions from verified publishers with a long track record. Disable auto-updates for extensions in production environments, and report any extension that requests unusual system permissions. Organizations should maintain an approved extension allowlist.

How does this breach compare to the SolarWinds or XZ Utils supply-chain attacks?

All three incidents involve compromising a trusted tool in the software development workflow rather than attacking network perimeters directly. SolarWinds poisoned a software update; XZ Utils targeted a widely-used open-source library; this GitHub incident poisoned an IDE extension. The common thread is that developer toolchains have become high-value attack surfaces.

Is the stolen GitHub source code actually for sale?

Reports from the International Business Times Singapore indicate the data was listed on a cybercrime forum for at least $50,000. This figure comes from underground-forum claims and should be treated as reported rather than independently verified. GitHub has not publicly confirmed details about the sale listing.

What internal GitHub systems could be at risk from leaked internal source code?

Internal repositories can contain proprietary tooling, infrastructure-as-code, authentication logic, and configuration that might expose internal architecture or vulnerabilities. GitHub is investigating whether the stolen repositories contained sensitive secrets and monitoring for follow-on exploitation attempts. No downstream customer impact has been confirmed.

What This Means Going Forward

GitHub's rapid response, same-day detection and containment, is worth acknowledging. Most organizations don't move that fast. The breach's confirmed scope, internal repositories only, reflects both the speed of that response and the effectiveness of GitHub's architecture in keeping customer systems separated from internal ones.

But the incident's real legacy isn't the specific repositories that got cloned. It's the confirmation that the IDE, the developer's most intimate working environment, is now a primary attack surface. Extension marketplaces are difficult to fully police. Developers are under constant pressure to install new tools. And once a malicious extension lands on a machine with repository access, the damage can be done faster than most detection systems respond.

The controls exist. Extension allowlists, short-lived tokens, behavioral monitoring for bulk repo access, rapid secret rotation. What the GitHub breach illustrates, vividly, is that these aren't theoretical best practices anymore. They're table stakes for any organization where developers have privileged access to production systems, internal infrastructure, or proprietary source code.

Every company that runs engineering teams should be asking, right now, whether they'd catch the same attack that GitHub caught. The honest answer, for most, is that they aren't sure.

Watch For

01 GitHub's follow-up disclosures about the specific extension and whether any secrets or credentials were present in the exfiltrated repositories, which would expand the blast radius significantly.

02 Microsoft's response to this incident via VS Code marketplace policy changes, including whether it will implement stricter publisher verification or mandatory permission disclosure for extensions with filesystem or network access.

03 Whether TeamPCP/UNC6780 attempts follow-on exploitation using information from the stolen repositories, which would escalate the incident from a theft to an active ongoing threat.

04 Broader industry movement toward signed, audited extension ecosystems across VS Code, JetBrains, and other major IDEs, as vendor pressure mounts following a breach of this visibility.

Stay ahead of the curve. More on cybersecurity, supply-chain risk, and developer security at NeuralWired.

Explore Cybersecurity

Gemini 3.5 Flash: Google's New Default AI Model (2026)

Google Bets Its AI Future on Gemini 3.5 Flash — NeuralWired

AI Models May 19, 2026 · 10 min read

Google I/O 2026: Gemini 3.5 Flash Is Now the Default, and Agents Are the Point

Google didn't just ship a new model at I/O 2026. It rewired Gemini from a chat interface into an operating layer across Search, Android, Workspace, and wearables, and named Gemini 3.5 Flash the engine underneath all of it.

The most important number from Google I/O 2026 isn't a benchmark score. It's the word "default." TechCrunch confirmed that Gemini 3.5 Flash went live on May 19 as the immediate default in the Gemini app and AI Mode in Google Search, bypassing the usual preview-to-rollout cycle and putting a brand-new model in front of hundreds of millions of users on day one.

That's a confident move. It's also a calculated one. Flash is priced well below flagship models, runs at what Google calls "frontier performance at Flash-level latency and scale," and is positioned explicitly for agentic workflows rather than single-turn chat. The implication is clear: Google isn't chasing the "smartest AI" crown right now. It's chasing the one that does things, at scale, across everything it already owns.

That framing touches everything announced at this year's I/O, from the background agent called Gemini Spark to a pair of intelligent eyewear products built around hands-free Gemini access. The bet is on distribution, not just capability, and Google has more distribution than almost anyone.

Gemini 3.5 Flash Arrives as the New Center of Gravity

Flash is a multimodal model. Google's official model page lists text, image, video, audio, and PDF as accepted input types, with a 1 million token context window and 64,000 token output capacity. For developers building agents that need to ingest large documents, run long-horizon tasks, or loop through multi-step workflows, those numbers matter.

Availability is unusually broad for a first-day launch. Google confirmed Flash is live in the Gemini App, the Gemini API, Gemini Enterprise, the Gemini Enterprise Agent Platform, Google AI Mode, Google AI Studio, Google Antigravity, and Android Studio. That's eight surfaces, simultaneously, on launch day.

Model specs at launch: Gemini 3.5 Flash supports text, image, video, audio, and PDF input. Context window: 1M tokens in, 64k tokens out. Pricing: $1.50 per 1M input tokens, $9.00 per 1M output tokens. Context caching listed as free in current documentation.

The framing on Google's model page is notably specific. Flash is described as "best for frontier performance across agents and coding" and brings "advanced reasoning at Flash-level latency and scale." That's not a general-purpose pitch. It's an explicit targeting of the developer and enterprise workloads where agent usage is highest.

"Our most impressive model yet for agentic workflows."
Google DeepMind, official Gemini 3.5 Flash model page, May 19, 2026 -- Google DeepMind

The consumer framing is different but complementary. In the Gemini app and Search AI Mode, Flash isn't sold as an agent platform; it's just the model that powers answers. Most users won't know it's there. That invisibility is the point.

Benchmarks: Where Google Leads, and Where It Doesn't

Google published a benchmark table alongside Flash's launch. It's worth reading carefully, because the picture isn't uniform. Flash leads in agentic and multimodal categories, but competitors still edge it out in some coding and long-context tasks.

Benchmark	What It Tests	Gemini 3.5 Flash
MCP Atlas	Multi-step workflows using MCP	83.6%
OSWorld-Verified	Agentic computer use	78.4%
Terminal-bench 2.1	Agentic terminal coding	76.2%
MRCR v2 (128k)	Long-context human recall	77.3%
Finance Agent v2	Financial analysis and decisions	57.9%
Toolathlon	Real-world general tool use	56.5%
SWE-Bench Pro	Single-attempt coding tasks	55.1%

The MCP Atlas score of 83.6% is the headline number for Google's enterprise pitch. MCP, the Model Context Protocol, has become a key interoperability standard for agents connecting to external tools, so a strong score there directly supports the claim that Flash can run real agentic workflows, not just toy benchmarks.

OSWorld-Verified at 78.4% is also notable. It measures how well a model can actually operate a computer, click through interfaces, complete tasks, and do it reliably. That score is directly relevant to Gemini Spark's pitch as a background task agent.

Where Flash doesn't lead: Google's own benchmark table shows GPT-5.5 ahead in certain terminal coding and long-context categories. The story here isn't that Google won every category, it's that Google is strong where it needs to be for its agent-first strategy, and weaker in areas where it's less exposed right now.

SWE-Bench Pro at 55.1% is the number most developers will scrutinize. Single-attempt coding on real-world software engineering tasks is a harsh test. It's a competitive number, not a dominant one, but Google's positioning of Flash as an agent model rather than a pure coding model gives it some cover.

Gemini Spark and the Always-On Agent

Gemini Spark is the most structurally significant product Google announced at I/O 2026. It's not a chatbot or a feature. Google describes it as a 24/7 personal AI agent that runs in the background, connects to Google apps, and handles tasks without requiring constant user input.

The autonomy framing is careful but meaningful. Google says Spark is "designed to check with you before taking major actions." That's an important constraint. It means Spark isn't a fully autonomous executor; it's an agent with a human-in-the-loop guardrail built in from the start. Whether that's a trust-building measure or a genuine architectural limit depends on how the product evolves.

"Works in the background 24/7, designed to check with you before taking major actions."
Google, Gemini Spark product page, May 19, 2026 -- Gemini.google

Access is limited at launch. Google's product page lists availability as trusted testers, AI Ultra subscribers in the U.S., and select business users. That's a small initial base, which means the real test of Spark's reliability and user adoption is still ahead.

🤖

Always On

Runs continuously in the background, handling tasks without requiring user-initiated sessions each time.

🔗

Google-Connected

Integrated with Gmail, Calendar, Drive, and other Google apps to execute multi-app workflows.

🛡️

Checks In First

Built-in human confirmation before major actions, keeping users in control of consequential steps.

🔬

Limited Access

Currently available to trusted testers, AI Ultra subscribers in the U.S., and select business users.

The strategic logic is straightforward: if you can get users to trust an always-on agent inside Google's own app ecosystem, you don't need them to switch to a competing platform. Every task Spark completes inside Google's walls is a task that didn't go to a rival agent. That's not a coincidence.

Smart Glasses, Two Ways: Audio First, Display Later

Google's wearables push at I/O 2026 was framed around "intelligent eyewear" rather than a single product. The official Android XR blog post describes two distinct form factors: audio glasses, which ship first, and display glasses, which follow. Both are built around hands-free Gemini access.

Audio glasses are launching "later this fall," according to Google. Users can invoke Gemini by saying "Hey Google" or tapping the frame, then ask it to complete tasks on their behalf. The pitch is "heads up, hands free," keeping users engaged with their environment rather than looking at a screen.

Display glasses haven't received a specific launch date. Google's blog groups them with audio glasses as part of the same intelligent eyewear line, but the sequencing suggests display hardware needs more time. That's consistent with the broader industry pattern where AR display quality remains a harder engineering problem than audio delivery.

What Google is calling this: The primary Google blog source uses "intelligent eyewear" throughout, not "Project Aura," which appears in secondary press coverage. The distinction matters if you're tracking official product naming versus early codenames.

The glasses aren't a standalone product pitch. They're a hardware extension of the same Gemini agent strategy. A pair of glasses that can execute tasks via Gemini in the background, for a user who's walking around, driving, or working with their hands, is a different use case than any phone-based agent. Google is building toward persistent ambient AI, and the glasses are the most visible expression of that direction.

The Real Cost of Running Agents at Scale

Flash is priced at $1.50 per 1M input tokens and $9.00 per 1M output tokens, per Google's official API pricing. Context caching is currently listed as free. On a per-token basis, that looks competitive with other frontier models.

The catch is how agents actually use tokens. A single agentic task can involve multiple tool calls, retries on failed steps, reading long documents as context, and generating detailed structured outputs. The effective bill for a real agent workload can multiply quickly, even at Flash prices.

Token Type	Price per 1M Tokens	Notes
Input tokens	$1.50	Includes text, image, video, audio, PDF
Output tokens	$9.00	6x more expensive than input; significant in generation-heavy agents
Context caching	Free (current)	Reduces repeated input costs; policy subject to change

The output token price deserves attention. At $9.00 per 1M tokens, output is six times more expensive than input. Agents that generate long-form responses, write code, or produce structured data at scale will see that ratio dominate their bills. Developers building on Flash need to design for output efficiency, not just input efficiency.

There's also a longer-term pricing risk. Context caching is currently free, which substantially reduces the cost of agents that re-read the same documents across multiple calls. That's a strong incentive to build on Flash now. But free caching is a promotional condition, not a guaranteed permanent one, and developers building production systems should model the cost with caching at some nonzero price.

Distribution vs. Trust: The Real Competition

The honest read on Google's I/O 2026 announcements is that this is a distribution play as much as a capability play. The Verge's I/O coverage captured the breadth: Gemini is now threaded across Search, Android, Workspace, and wearables. No competitor has a comparable installed base to push against.

That's the upside. The downside is that Google is making strong claims about agent reliability at a moment when agentic AI is still proving itself in production. Spark's "check with you before major actions" language is a hedge. It signals that Google knows users won't trust a fully autonomous agent yet, especially one with access to email, calendar, and documents.

The benchmark gaps matter here too. GPT-5.5 leading in some coding and long-context categories means enterprise developers evaluating agents for high-stakes workflows have real reasons to comparison-shop rather than default to Google. Distribution gets Google into the conversation; it doesn't close it.

Always-on agents in email and calendar raise data access and privacy questions that Google hasn't fully addressed in public documentation yet.
Bundling many launches at once can create the appearance of momentum while real-world adoption lags behind the announcement cadence.
Wearables depend on user behavior change, not just product quality, and behavior change takes longer than a product cycle.
Flash's benchmark table is self-reported by Google, so independent third-party verification will be the real test of the agentic claims.

None of those risks makes the I/O announcements less significant. They just define what "Google winning AI" would actually have to prove, which is real-world agent reliability, privacy trust, and user habit formation, not just launch-day benchmark tables.

Frequently Asked Questions

When is Gemini 3.5 Flash available?

Gemini 3.5 Flash is available immediately as of May 19, 2026, across the Gemini App, AI Mode in Search, Gemini API, Gemini Enterprise, Gemini Enterprise Agent Platform, Google AI Studio, Google Antigravity, and Android Studio.

How much does Gemini 3.5 Flash cost?

Google's official API pricing lists Gemini 3.5 Flash at $1.50 per 1 million input tokens and $9.00 per 1 million output tokens. Context caching is currently free, though this is a promotional condition subject to change.

What is Gemini Spark?

Gemini Spark is Google's 24/7 background AI agent, designed to connect to Google apps and execute tasks without requiring constant user input. It's built to confirm with users before taking major actions, and is currently available to trusted testers, AI Ultra subscribers in the U.S., and select business users.

When are Google's smart glasses launching?

Google confirmed audio glasses will launch "later this fall" in 2026. Display glasses are part of the same intelligent eyewear line but haven't received a specific release date. Both form factors use Gemini as the underlying AI layer.

Is Gemini 3.5 Flash multimodal?

Yes. Google's model page confirms Gemini 3.5 Flash accepts text, image, video, audio, and PDF as input types. It supports a 1 million token context window and up to 64,000 tokens of output.

How does Gemini 3.5 Flash compare to GPT-5.5?

Google's benchmark table shows Flash leading in agentic and multimodal categories, including MCP Atlas at 83.6% and OSWorld-Verified at 78.4%. GPT-5.5 leads in certain terminal coding and long-context benchmarks. Neither model dominates across all categories.

What surfaces does Gemini 3.5 Flash power?

As of launch, Flash powers the Gemini App, Google Search AI Mode, the Gemini API, Gemini Enterprise products, Google AI Studio, Google Antigravity, and Android Studio, covering consumer, developer, and enterprise surfaces simultaneously.

What is Google Antigravity?

Google Antigravity is listed as one of the eight surfaces where Gemini 3.5 Flash is available at launch, per Google's official model page. Specific product details weren't fully elaborated in launch documentation but it appears to be a developer or experimental platform surface.

The Bottom Line: A Platform Move, Not Just a Model Launch

Google used I/O 2026 to make Gemini 3.5 Flash the default model across its most important consumer surfaces, launch an always-on background agent, and announce a hardware line built around ambient AI access. Taken separately, each of those is a product update. Taken together, they're a coherent strategy: turn Gemini from a product you visit into infrastructure that runs underneath everything you already do.

The strategy is credible precisely because Google's distribution advantage is real. Hundreds of millions of users don't have to choose Gemini. They'll encounter it in Search, in Android, in Workspace, in the glasses they might put on this fall. That reach is something no challenger model, however strong on benchmarks, can replicate quickly.

What Google still has to prove is that agents work reliably enough to earn user trust, and that "reliable enough" translates into habit formation rather than a novelty cycle. The benchmark table is Google's self-assessment. The real scorecard is what Spark's users report six months from now, and whether the audio glasses create behavior change or end up in a drawer.

Watch For

01 Gemini Spark reliability reports from AI Ultra subscribers -- expect the first credible assessments within 60-90 days of broader rollout, and they'll define whether the always-on agent framing holds up outside controlled demos.

02 Audio glasses availability and reception this fall -- the "later this fall" launch window gives a narrow target; watch for preorder dates and whether Google expands access globally or limits initial availability to the U.S.

03 Third-party Gemini 3.5 Flash benchmarks -- Google's self-reported numbers tell one story; independent evaluations from developers running real agentic workloads will either confirm or complicate the MCP Atlas and OSWorld claims.

04 Context caching pricing -- currently listed as free, which makes Flash's effective cost substantially lower for agent-heavy workloads; any change to that policy will immediately reshape the developer economics Google is counting on to drive adoption.

Stay ahead of the curve. More on AI models and the agent era at NeuralWired.

Explore AI Models

Anthropic AI Agents Hit Wall Street: 10 Finance Tools (2026)

Anthropic's 10 AI Agents Just Hit Wall Street — And the Jobs Math Is Getting Uncomfortable | NeuralWired

AI & Finance May 18, 2026 · 11 min read

Anthropic's 10 AI Agents Just Rewired Wall Street, and the Jobs Math Is Getting Uncomfortable

In 48 hours, Anthropic unveiled 10 ready-to-run banking agents, a $1.5 billion joint venture with Blackstone and Goldman Sachs, and a new model that leads every finance benchmark. The pitch: Claude becomes the operating layer for global capital markets. The catch: junior bankers are first in line.

Jamie Dimon and Dario Amodei don't share a stage by accident. When the CEO of JPMorgan Chase and the co-founder of Anthropic appeared together at an invite-only financial services briefing in New York on May 5, 2026, both men knew the cameras were watching. Dimon built a live Treasury asset-swap analysis dashboard from a blank Excel sheet in under 20 minutes. The message was unmistakable: this isn't a pilot program. It's production.

The New York event capped what Fortune called a "48-hour blitz" that saw Anthropic drop 10 pre-built AI agent templates for financial services, debut a Microsoft 365 integration spanning Excel, Word, PowerPoint and Outlook, announce new data partnerships with Moody's, FactSet, Morningstar, S&P Global and Dun & Bradstreet, and reveal a $1.5 billion joint venture with Blackstone, Hellman & Friedman and Goldman Sachs to embed Claude directly into hundreds of enterprises. The underlying model powering it all, Claude Opus 4.7, now leads the Vals AI Finance Agent benchmark with a score of 64.37%.

Anthropic first entered financial services in July 2025. Thirteen months later, it has Claude in production at JPMorgan Chase, Goldman Sachs, Citi, AIG and Visa. The trajectory isn't incremental. It's a structural push to become what every software vendor dreams of being: infrastructure.

The 48-Hour Wall Street Blitz

The timing was deliberate. On May 4, the day before the flagship New York event, FIS announced a partnership with Anthropic to build a Financial Crimes AI Agent. FIS isn't a minor player. The company powers roughly 12% of the global economy's transactions, deposits, payments, and credit operations. Embedding Claude inside that infrastructure means reaching thousands of financial institutions without asking any of them to switch vendors.

The Financial Crimes AI Agent compresses anti-money-laundering investigations from days to minutes. It automatically assembles evidence across a bank's core systems, evaluates activity against known typologies, and surfaces the highest-risk cases for human investigator review. BMO and Amalgamated Bank are the first development partners, with general availability planned for the second half of 2026. Crucially, client data stays within FIS-controlled infrastructure at all times; Claude functions as the reasoning layer, one step removed from the source data.

"The future is about a trusted provider who manages the data, who governs the agents, and who stands between your customers and the AI making decisions about their money."
Stephanie Ferris, CEO, FIS — FIS Press Release, May 4, 2026

Then came the joint venture. Anthropic, Blackstone and Hellman & Friedman each contributed roughly $300 million, with Goldman Sachs at $150 million; Apollo Global Management, General Atlantic, Leonard Green, GIC and Sequoia Capital also participated. The Wall Street Journal reported the $1.5 billion total, which Anthropic hasn't formally confirmed. Whatever the exact figure, the structure is novel: a private equity-backed entity designed to forward-deploy Claude directly into the portfolios of some of the world's largest PE firms. No AI company has previously had distribution at that scale.

Enterprise demand context: Anthropic CFO Krishna Rao said at the joint venture announcement that "enterprise demand for Claude is significantly outpacing any single delivery model." Separately, CEO Dario Amodei disclosed at the May 5 event that the company had projected 10x growth internally, only to see 80x adoption instead.

10 Agents, One Mission

The ten agent templates released May 5 aren't tools. They're reference architectures. Each packages three components: skills (domain knowledge and instructions for the task), connectors (governed, real-time access to external data), and subagents (additional Claude models called in for specific sub-tasks like comparables selection or methodology checks). The architecture is designed so that a bank's compliance, risk, and engineering teams can customize the templates without touching the underlying model.

📊

Pitch Agent

Hand it a target list. Get back a comps model in Excel, a pitchbook drafted in PowerPoint, and a cover note in Outlook. A full pitch package in hours.

🔍

KYC Screener

Screens know-your-customer files against verified identity data from Dun & Bradstreet's Commercial Graph and D-U-N-S system for auditable onboarding.

📅

Month-End Close

Handles accounting reconciliation, cross-checks entries against linked workbooks, and produces close narratives against a firm's own templates in Word.

📈

Market Researcher

Tracks sector and issuer developments, synthesizes news, filings, and broker research, and flags items for credit and risk review automatically.

⚖️

DCF / Comps Agent

Builds discounted cash flow models from filings and data feeds, audits formulas across linked workbooks, and runs sensitivity analyses in Excel.

🔐

Financial Crimes Agent

Via the FIS partnership: compresses AML investigations from days to minutes, assembles evidence, evaluates typologies, and surfaces high-risk cases for review.

The Microsoft 365 integration is what makes the whole stack practically usable. Once the Claude add-ins are installed, context carries across applications. An analyst who starts a DCF model in Excel doesn't re-explain the deal when the work shifts to a PowerPoint pitchbook. The cross-application memory is a genuine workflow change, not a cosmetic one. Outlook integration is listed as "coming soon."

Data access scales to match. Claude now connects to FactSet, S&P Capital IQ, MSCI, PitchBook, Morningstar, Chronograph, LSEG, Daloopa, IBISWorld, SS&C Intralinks, Third Bridge, and Verisk, alongside internal data warehouses, research repositories, and CRMs. All connections operate under governed access controls. The question of which connectors a firm enables, and what permissions each carries, is where compliance teams will spend most of their implementation time.

Compliance note: Anthropic explicitly states in its GitHub repository documentation that all agent outputs are drafts requiring qualified human review. The agents don't execute transactions, don't approve onboarding independently, and don't write directly into books of record. Every output requires sign-off from a licensed professional.

What the Banks Are Actually Saying

The closing panel at the May 5 event was unusual for how specific it got. Goldman Sachs CIO Marco Argenti, JPMorgan Chase CIO Lori Beer, and AIG CEO Peter Zaffino each described real deployment data, not roadmaps.

Argenti outlined three sequential waves of AI adoption at Goldman. First: empowering the technology team, roughly a third of the firm, to work at what he called "a completely different pace." Second: reimagining operational processes end-to-end. Third, and most consequential long-term: using AI to improve risk and investment decisions themselves.

"This is the first time that instead of buying infrastructure, you can actually buy intelligence."
Marco Argenti, CIO, Goldman Sachs — Fortune, May 5, 2026

AIG's Zaffino shared what may be the most striking benchmark from the event: Claude, out of the box, scored 88% accuracy against expert-level claims assessors in AIG's underwriting workflow. He was careful to frame the implication correctly. "The theory is, can it get better? Yes. But that assumes that the claims expert doesn't get better," he said. The human professional isn't static either.

Beer's remarks from JPMorgan were more cautionary. The bank has built a cyberthreat model for security analysts and integrated security intelligence directly into its software development process. Her point was structural: governance and risk frameworks have to be built into the platform from day one, not retrofitted. "There are capabilities we need, platforms we need to build, agent orchestration to protect and secure... We don't measure ROI on those things. They are must-dos," she told the audience.

Institution	Deployment Stage	Key Use Case	Notable Data Point
Goldman Sachs	Wave 2: operational redesign	Trade accounting, client onboarding, research acceleration	AI deployment scaling without proportional new hiring; COO John Waldron confirmed the bank is "scaling up without requiring much more hiring"
JPMorgan Chase	Production across front and back office	Cyberthreat modeling, wealth management coaching, dev tooling	Connect Coach AI product boosted advisor capacity to handle more clients per advisor
AIG	Production in underwriting and claims	Claims assessment, policy underwriting support	Claude scored 88% accuracy vs. expert claims assessors out of the box
BMO / Amalgamated Bank	Development (general availability H2 2026)	AML investigation via FIS Financial Crimes Agent	First institutions to deploy the FIS co-designed agent
Commonwealth Bank of Australia	Production	Fraud prevention, customer service	CTO Rodrigo Castillo called the partnership "foundational to our strategy to become a global leader in AI innovation in banking"
Bridgewater (AIA Labs)	Production since 2023	Investment Analyst Assistant: Python code generation, data visualization, financial analysis	Claude Opus 4 passed 5 of 7 levels of the Financial Modeling World Cup; 83% accuracy on complex Excel tasks

The Junior Banker Problem

Nicholas Lin spent two and a half years on Morgan Stanley's M&A team before moving to tech investing at Singapore's sovereign wealth fund. He's now Anthropic's product lead for financial services. Speaking to Bloomberg shortly before the May 5 launch, Lin said financial AI applications are "just a few months behind" coding applications, "which we've seen massive acceleration in." Thousands of coding jobs have already disappeared.

The ten agent templates released May 5 cover the exact tasks that define a junior analyst's day: pitchbooks, comps, earnings reviews, financial model construction, valuations. A video in the product announcement showed comparable company analysis completing in seconds. It's not a subtle implication.

"A lot of these problems we're hoping to solve are just so near and dear to my heart because I spent probably 75% of my time just doing this manual data analysis, PowerPoint creation, making sure that the text boxes really match."
Nicholas Lin, Product Lead for Financial Services, Anthropic — eFinancialCareers, May 2026

One junior banker, speaking anonymously to eFinancialCareers, confirmed the internal pressure is already real. His team has stopped hiring at analyst level. He's now expected to produce more output than before, with AI tools described by managing directors as a productivity multiplier rather than a workload reducer.

The macro picture is less clear-cut. A 2026 Cambridge Judge Business School report on AI in financial services found that 24% of industry respondents expect a net reduction in roles, up from 13% in the prior three years. But 25% expect significant reskilling without large net losses, and 10% expect a net increase in jobs. The distribution of outcomes is widening, not converging.

Deloitte's research puts potential upside at $3.5 million in additional front-office revenue per employee at the top 14 global investment banks, from productivity gains of 27% to 35% via generative AI. Those gains don't require firing people. They require the same headcount doing more, faster. Whether that translates to fewer new hires or fewer existing jobs depends on whether deal volumes grow to absorb the additional capacity. Right now, Goldman Sachs has actually cut its 2026 deal count outlook to roughly 100 IPOs, down from earlier projections, signaling the demand side isn't yet expanding to match AI supply.

What roles are actually at risk

Junior analyst and associate roles focused on modeling, formatting and data processing face the most direct pressure from agent templates.
KYC and AML analysts in compliance operations are the target of both the FIS Financial Crimes Agent and the standalone KYC Screener template.
Financial reporting roles at mid-market firms: 87% of CFOs at that tier are already turning to AI for financial reporting work, per PYMNTS research.
Senior and client-facing roles remain more insulated. They require contextual judgment, negotiation, and the kind of long-term relationship capital AI doesn't accumulate.

Regulators and the Mythos Shadow

Sitting behind all of Anthropic's financial services ambitions is a harder conversation that surfaced at the same May 5 event. Amodei warned publicly that Anthropic's restricted-access model, Claude Mythos Preview, has identified tens of thousands of high-severity software vulnerabilities, including nearly 300 in Firefox alone, and that there's a six-to-12-month window to patch them before adversarial AI systems catch up. Most of those vulnerabilities haven't been publicly disclosed because they remain unpatched.

An earlier Claude model found roughly 20 vulnerabilities in Firefox. Mythos found nearly 300. The scale of potential exploits has grown with each model generation. Anthropic has limited Mythos to a small number of partner companies precisely because of concerns about what criminals or adversarial nation-states could do with the same capability.

"The bad guys will exploit them if they are identified."
Dario Amodei, CEO, Anthropic — CNBC, May 5, 2026

UK financial regulators are taking the concern seriously. Officials from the Bank of England, Financial Conduct Authority and HM Treasury are holding urgent talks with banks and cybersecurity officials. The National Cyber Security Centre is involved. Major banks, insurers, and exchanges are to be warned about findings at a meeting scheduled within the fortnight following the Mythos disclosure. The matter is also set for discussion at the Cross Market Operational Resilience Group, co-chaired by the Bank of England's executive director for supervisory risk.

In the US, Treasury Secretary Scott Bessent convened Wall Street bank leaders separately to assess exposure. The dual reality is uncomfortable: the same company selling Wall Street its AI operating layer is simultaneously disclosing that AI has created a systemic vulnerability window the industry has roughly a year to close.

Regulatory signal: The Cambridge Judge 2026 report found that 78% of surveyed regulators view AI as significant or transformative for financial supervision by 2030, and that regulators are more concerned than industry about AI concentration risk, 43% versus 28%. Regulators are also more likely than industry to place primary accountability for AI outcomes on the regulated financial institution, not on the AI vendor.

OpenAI Is Watching

Anthropic isn't operating in a vacuum. OpenAI is pursuing a similar enterprise joint venture, reportedly raising $4 billion against a $10 billion valuation to create new channels for large-scale enterprise AI deals, per Bloomberg. The competitive dynamic is straightforward: both companies need enterprise contracts to justify the capital expenditures going into compute. Consumer subscriptions don't generate the kind of multi-year, high-margin commitments that make frontier model development economically viable at scale.

Anthropic's positioning in financial services rests on three differentiators: safety-first reputation, coding performance via Claude Code, and the depth of its vertical integration, specifically the combination of pre-built agents, Microsoft 365 plugins, and a growing ecosystem of data connectors. OpenAI's strength is brand recognition and developer mindshare. Which matters more to a Fortune 500 CIO depends on whether the bank's primary use case is customer-facing product development or back-office workflow automation.

Dimension	Anthropic / Claude	OpenAI / GPT
Finance-specific benchmark	64.37% on Vals AI Finance Agent (Claude Opus 4.7, category leader)	Not disclosed on Vals AI Finance Agent as of publication
Pre-built finance agents	10 templates released May 2026; marketplace available now	Finance-focused tools via plugins; no equivalent marketplace
Financial data partnerships	FactSet, Moody's, Morningstar, PitchBook, S&P Capital IQ, MSCI, LSEG, Daloopa, Dun & Bradstreet, Verisk, Third Bridge	Partnerships in progress; fewer publicly confirmed financial-data connectors
Enterprise joint venture	$1.5B JV with Blackstone, H&F, Goldman Sachs (announced May 4, 2026)	Reportedly pursuing similar structure; $4B raise against $10B valuation
Systemic risk posture	Mythos vulnerability disclosure; proactive regulator engagement	No equivalent public disclosure as of publication

The market data partnerships are where Anthropic's moat is deepest in the near term. A Claude agent that can natively reason over Moody's credit ratings, PitchBook private market data, and a firm's own internal research repository simultaneously is operationally different from a general-purpose chatbot with document upload. That kind of grounded, auditable reasoning is what enterprise risk officers need before signing off on production deployment.

Frequently Asked Questions

What are Anthropic's Claude finance agents?

Anthropic's Claude finance agents are 10 pre-built AI agent templates released in May 2026 for tasks including pitchbook creation, KYC screening, financial modeling, month-end close, and market research. Each runs as a plugin in Claude Cowork or Claude Code, and connects to major financial data providers like FactSet and Moody's. All outputs require human review before use.

Which banks are using Anthropic's Claude?

As of May 2026, Claude is in production at JPMorgan Chase, Goldman Sachs, Citi, AIG, Visa, Commonwealth Bank of Australia, and Bridgewater (via AIA Labs). BMO and Amalgamated Bank are in development with the FIS Financial Crimes AI Agent, with general availability planned for H2 2026.

Will AI replace investment banking jobs?

The short-term evidence shows hiring freezes at junior analyst levels rather than mass layoffs. A 2026 Cambridge report found 24% of financial industry respondents expect net job reductions, up from 13% in recent prior years. The jobs most at risk are modeling, formatting, KYC screening, and AML review. Senior client-facing roles are more insulated from near-term automation.

What is the Vals AI Finance Agent benchmark?

The Vals AI Finance Agent benchmark tests AI models on realistic financial analysis tasks, including equity research, financial modeling, and data synthesis. Claude Opus 4.7 currently leads the benchmark with a score of 64.37%. It is one of the primary publicly available evaluation frameworks for comparing AI performance on financial work.

What is the FIS Financial Crimes AI Agent?

The FIS Financial Crimes AI Agent is a tool co-designed by Anthropic and FIS that compresses anti-money-laundering alert investigations from days to minutes. It assembles evidence across a bank's core systems, evaluates transactions against known fraud typologies, and presents high-risk cases for human investigator review. Client data remains within FIS infrastructure throughout.

What is the Anthropic, Blackstone, and Goldman Sachs joint venture?

The joint venture, announced May 4, 2026, is a private equity-backed AI services company designed to embed Claude across hundreds of enterprises via forward-deployed engineering teams. Anthropic, Blackstone, and Hellman & Friedman each contributed roughly $300 million; Goldman Sachs contributed $150 million. The WSJ reported a $1.5 billion total, which Anthropic has not formally confirmed.

How does Claude Opus 4.7 differ from earlier Claude versions for financial work?

Claude Opus 4.7 is Anthropic's current flagship for financial tasks and leads industry benchmarks on the Vals AI Finance Agent evaluation. When deployed by FundamentalLabs on Excel work, Claude Opus 4 passed 5 of 7 levels in the Financial Modeling World Cup and scored 83% accuracy on complex Excel tasks. Earlier Claude models showed capable but lower performance across the same task categories.

What regulatory concerns exist around AI in financial services?

UK regulators from the Bank of England, FCA, and HM Treasury are currently assessing risks linked to Anthropic's Mythos model, which has identified tens of thousands of software vulnerabilities. The Cambridge Judge 2026 report found 78% of regulators view AI as transformative for financial supervision by 2030, with regulators more concerned than industry about AI concentration risk and accountability gaps.

The Operating Layer Play

Anthropic's financial services push makes sense as a business strategy only if you accept one underlying premise: that enterprise AI is a winner-take-most market, not a diversified one. If banks end up with one primary AI reasoning layer embedded across their Excel models, their compliance workflows, their AML systems, and their pitchbook assembly, then the company that occupies that layer collects the compound interest on every deal, every investigation, every quarter-end close. That's the prize Anthropic is building toward.

The joint venture with Blackstone and Goldman Sachs is the clearest signal of that ambition. Private equity firms have portfolio companies in manufacturing, healthcare, logistics, retail, and real estate. A forward-deployed Claude inside those companies, deployed through a PE-backed services firm, doesn't need Anthropic to sell each deal individually. The distribution builds itself.

What remains unresolved is the regulatory question. Anthropic has been unusually forthcoming about AI-generated vulnerabilities and systemic risks, a posture that distinguishes it from competitors but also raises the question of whether the product and the risk can be cleanly separated. You can't sell a bank on Claude as its compliance operating layer while simultaneously disclosing that AI has created a vulnerability window that bad actors may exploit before the industry patches it. Both things are true, and financial institutions are not historically comfortable operating in that kind of ambiguity.

The workforce question compounds the tension. Anthropic's own product lead describes the agent templates as solving problems that were "near and dear" to his heart as a junior banker. That's an honest framing. It's also a company describing its product as a direct replacement for early-career financial labor, in public, while pitching that same product to the firms that employ that labor. The banks aren't going to stop buying. But the junior analysts already on payroll are watching what their managing directors do next.

Watch For

01 FIS Financial Crimes AI Agent general availability, planned H2 2026. If BMO and Amalgamated Bank publish outcome data on AML investigation times and false-positive rates, it will be the first hard evidence of whether the agent performs in production as claimed.

02 Bank of England / FCA guidance on AI concentration risk in financial services, expected in the next regulatory cycle. The Cross Market Operational Resilience Group meeting within the fortnight of the Mythos disclosure will likely produce formal risk guidance for UK-regulated institutions.

03 Junior analyst headcount data at tier-one banks through Q3 2026 earnings calls. Goldman Sachs COO John Waldron has already confirmed the bank is scaling without proportional new hiring. Whether that trend appears in disclosed headcount figures will determine how quickly the workforce conversation moves from anecdote to data.

04 OpenAI's competing enterprise joint venture structure, reportedly being finalized against a $10 billion valuation. Its composition and distribution model will define whether Anthropic's $1.5 billion JV retains a structural advantage in PE-backed enterprise distribution or faces a direct counteroffer.

Stay ahead of the curve. More on AI and enterprise finance at NeuralWired.

Explore AI & Finance