Vercel Got Hacked, Lovable Blamed Users, and Opus 4.7 Costs More Than You Think - This Week in AI
A Vercel employee's Google Workspace was compromised via a third-party AI tool — attackers pivoted from the OAuth app into Vercel's environment variables, moving at a speed attributed to AI assistance. René Brandel, founder of Casco (YC X25) and ex-founding member of AWS's Generative AI team, joins live to break down the attack chain and walk through the exact Google Workspace admin setting that could have prevented it.

In a separate incident, every Lovable project created before November 2025 was readable by any free account, exposing database credentials and chat histories. Lovable's response blamed unclear documentation rather than the underlying issue — and the contrast with Vercel's handling is stark.

Beyond security: Claude Opus 4.7 launched to mixed reactions. The benchmarks look good, but Simon Willison measured the new tokenizer at 1.46x the tokens of 4.6 on identical content — at unchanged prices, that's a ~40% cost increase, and 3x for images. Anthropic's own docs said 1–1.35x. Independent measurements landed at 1.47x. Theo called the redesign "vibe-coded," and a locally run open-source Qwen model drew a better pelican SVG than Opus 4.7 at thinking level max.

Anthropic launched Claude Design, which lets you make prototypes, slides, and one-pagers by talking to Claude, powered by Opus 4.7. OpenAI shipped a major Agents SDK update with Codex memory and GPT-Rosalind for biomedical research. Cloudflare shipped Artifacts and memory primitives for agents, Factory AI raised $150M at $1.5B, and Qwen 3.6-35B went Apache 2.0.
Guests in this episode

René Brandel
Casco
Episode Transcript
Cold open
Welcome to Agents Hour
WTF Is Going On — Jensen's "we are not a car" + Allbirds pivots to AI
The Security Horror Show — Vercel breach, Lovable mass data leak, René's Google Workspace tip
Claude Opus 4.7 reality check
Claude ships — Design, Code desktop, Routines
OpenAI ships — Agents SDK, Codex memory, GPT-Rosalind
Quick Hits
GitHub Star Party — caveman token compression