AI in 15 — June 01, 2026

One poisoned spreadsheet. Twelve workbooks silently exfiltrated. A human-approval toggle that does absolutely nothing. And the official ChatGPT extension installed by a hundred and eighty-five thousand Google Sheets users in less than a month.

Welcome to AI in 15 for Monday, June first, 2026. I'm Kate, your host.

And I'm Marcus, your co-host.

Big slate to kick off the week, Marcus. PromptArmor drops a critical vulnerability in OpenAI's official Google Sheets extension. Figure AI's humanoid robot does a two-hundred-hour nonstop shift and sorts a quarter of a million packages. Microsoft Build kicks off tomorrow with leaked plans for in-house coding models and a Windows Agent Store. A twenty-nine-year-old gamer's Beijing startup hits unicorn status on text-to-three-D. PewDiePie ships an open-source self-hosted AI workspace. Meta officially launches paid subscriptions across Instagram, Facebook, and WhatsApp. Groupon cuts a quarter of its workforce in an AI-native restructuring. And Gemini 3.5 Flash hits general availability with Pro right behind it.

OpenAI's Sheets extension leaks your entire Drive.

A humanoid robot works a week without stopping.

And Microsoft prepares its boldest break from OpenAI yet.

Lead story, Marcus. Walk me through the Sheets vulnerability.

This is a bad one, Kate. Security firm PromptArmor disclosed yesterday that OpenAI's official ChatGPT for Google Sheets extension — the one with over a hundred and eighty-five thousand downloads in under a month — is vulnerable to a chained indirect prompt injection. A single poisoned sheet, imported into your workspace, can silently exfiltrate not just that workbook, but every workbook your Google account has access to. In the proof-of-concept, PromptArmor demonstrated twelve separate workbooks being pulled out through an attacker-controlled Google Apps Script.

And the human-in-the-loop protection?

Bypassed entirely, Kate. Users can explicitly toggle on, quote, require human approval before ChatGPT edits workbooks. The attack succeeds anyway. The approval gate is for direct edits, not for code that the model generates and silently executes elsewhere.

The disclosure timeline is the part that really stings, Marcus.

It is. PromptArmor sent the initial report to OpenAI on May eighth. For three weeks, nothing back but an automated acknowledgement. PromptArmor published publicly on May twenty-seventh. Only on May thirty-first — after Hacker News piled on with a hundred and fifty-one points — did OpenAI's security team show up in the thread. Max Burkhardt confirmed they had, quote, removed the model's ability to generate Apps Script code as an emergency mitigation, and were re-auditing similar capabilities across other ChatGPT integrations.

So this is the canonical agentic-AI failure mode, in production, in a first-party OpenAI product.

Exactly, Kate. Every CFO, every analyst, every bookkeeper is being nudged to install AI extensions into the tools that hold their financial data. PromptArmor's broader complaint is that OpenAI's own documentation never describes what permissions the model gets or what an indirect injection can do with them. The pro-Western libertarian read — markets work. PromptArmor disclosed, the public pressured, OpenAI patched within hours. The uncomfortable read — three weeks of silence on a critical vulnerability in a first-party integration, fixed only after public shaming, suggests indirect prompt injection still doesn't have a real owner inside OpenAI. Expect this to feed every we're-not-letting-AI-near-our-spreadsheets memo from corporate IT for the next quarter.

Quick hits. Marcus, Figure 03.

Remarkable benchmark, Kate. Figure AI announced last week that three of its Figure 03 humanoids — including one now nicknamed Rose — completed a two-hundred-hour continuous package-sorting run at the Sunnyvale facility, live-streamed since May fourteenth. Two hundred and forty-nine thousand, five hundred and sixty packages handled on a warehouse conveyor at roughly twelve hundred and forty-eight per hour. Zero hardware failures. No human takeover. Each robot is one hundred seventy-three centimeters, sixty-one kilos, running autonomously on Figure's in-house Helix-02 vision-language-action model. No teleoperation.

The original test target?

Eight hours, Kate. The team kept extending it because the robots simply didn't stop. Honest caveats — some packages were oriented with the barcode facing the wrong way, which is a downstream cost in a real fulfillment center. But the headline — two hundred hours, zero hardware failures — is the threshold robotics investors have been waiting for. The previous public benchmark was measured in tens of hours, with frequent battery swaps and maintenance interventions.

So this is the moment humanoid warehouse work stops being a demo.

That's the read across the industry, Kate. A near-week of continuous autonomous operation at warehouse speed is the threshold where these stop being venture-capital cosplay and start being a serviceable replacement for the lowest-margin shifts in logistics. Amazon, UPS, and FedEx all have package-sorting pipelines that look exactly like this conveyor. If a Figure 03 costs around thirty thousand dollars and works two-hundred-hour shifts at human-comparable throughput, the labor math gets ugly fast. And the strategic detail — the robot ran on Figure's in-house Helix-02 model, not a third-party VLA. Figure controls the entire vertical stack, which is exactly the moat investors paid for.

Microsoft Build kicks off tomorrow, Marcus. What's the leaked agenda?

The most strategically significant Build in five years, Kate. Reuters and The Information report Satya Nadella's keynote tomorrow morning will unveil a full suite of in-house MAI models — including a coding-specialized model designed to power GitHub Copilot directly rather than routing requests to OpenAI or Anthropic. New speech, transcription, image, and reasoning models alongside it.

And the Windows pitch.

Windows as the platform for AI agents, Kate. A new Windows Agent Framework. A curated Windows Agent Store with an eighty-five-fifteen revenue split mirroring the Microsoft Store. And an Azure Agent Mesh that lets agents execute across on-prem Windows servers, Windows 365 Cloud PCs, and Azure Arc edge devices interchangeably. Microsoft Agent 365 went GA on May first. Tomorrow is when they extend that into the developer ecosystem.

The competitive subtext, Marcus.

Copilot has been losing enterprise share to Claude Code throughout Q2, Kate. Microsoft disclosed that Copilot now writes forty-six percent of the code committed on its platform, up from forty. An in-house coding model lets Microsoft control the margins on that forty-six percent, which under the current OpenAI revenue share looks expensive. This is also the first Build since the Anthropic valuation flip we covered Friday, and the most explicit move yet to reduce Microsoft's dependence on OpenAI — which two years ago was unimaginable. For developers, the Windows Agent Store is the first time a major OS vendor has put agents on the same commercial footing as apps. Expect coverage to dominate the news cycle Tuesday and Wednesday.

Marcus, China's newest AI unicorn.

Bloomberg reported this morning, Kate. Vast — Beijing-based, founded by a twenty-nine-year-old gamer in 2023 — raised roughly two hundred million dollars at a valuation north of one billion. Ince Capital and a China Life Insurance-backed fund led, with Genesis Capital and Primavera participating. The flagship product, Tripo AI, converts text and image prompts into detailed three-D assets — meshes, textures, the lot — for games, e-commerce visualization, and consumer AR. They claim twenty million users globally, built on a fifty million dollar Series A from March backed by Alibaba and Baidu Ventures.

Why text-to-three-D specifically?

Tripo's commercial wedge is the asset pipeline, Kate. Not just generating a single object, but generating production-ready meshes with usable UVs, rigging hints, and PBR textures — the things a working three-D artist actually needs. Three signals here. First, China's AI ecosystem is still producing unicorns at speed despite export controls, and the application layer is increasingly where the funding goes. Second, text-to-three-D is becoming a real product category, not a research demo — twenty million users is bigger than most Western three-D tools combined. Third, the labor it replaces — three-D modelers — is qualitatively more expensive than the illustrators displaced by text-to-image. Western competitors like Meshy and Luma should be paying attention.

PewDiePie ships open-source AI, Marcus. This one I love.

Genuinely interesting cultural moment, Kate. YouTube's most-subscribed individual creator, Felix Kjellberg, released version one-point-zero of Odysseus over the weekend. Free, open-source, self-hosted AI workspace. Multi-turn chat, autonomous agents, local serving for over two hundred and seventy catalogued models, file and web tools, IMAP and SMTP email triage, a document editor, persistent memory. MCP-compatible. Debuted at the top of Hacker News with a hundred and fifty-two points. And a non-trivial chunk of the codebase was reportedly written from a phone using Termux.

Security implications.

The Hacker News thread immediately surfaced the prompt-injection surface, Kate. The bash tool is loaded. PewDiePie published a thirty-minute walkthrough explaining he wants a privacy-respecting alternative to ChatGPT and Claude that runs entirely on his own hardware. The cultural significance is the part that matters. Self-hosted local AI workspaces — Open WebUI, LibreChat, AnythingLLM — have been niche. The biggest individual creator on the internet bringing his audience into that conversation changes the consumer mindshare math overnight. Whether Odysseus survives the inevitable prompt-injection bug bounty is a separate question, and given the lead story today, not a small one.

Meta finally goes paid, Marcus.

Globally, this time, Kate. TechCrunch confirmed last week. Instagram Plus at three-ninety-nine a month, Facebook Plus at three-ninety-nine, WhatsApp Plus at two-ninety-nine. Free-tier features are profile customization, super reactions, story analytics — the usual cosmetic stuff. But the real news is Meta One, a bundled subscription in testing, starting at seven-ninety-nine and going up to nineteen-ninety-nine for Meta One Premium, with AI features built in. Testing starts in Singapore, Guatemala, and Bolivia.

The strategic point.

Meta is on track for one hundred twenty-five to one hundred forty-five billion in 2026 capex, mostly AI data centers, Kate. Wall Street has been pushing hard for a non-advertising revenue line to offset that spend. Meta has been the world's purest advertising company for twenty years — it is now bolting a consumer-subscription business onto the side specifically to fund AI infrastructure. The Hacker News thread, a hundred and eighty-five points, was split between this-is-good-pay-for-the-product and this-is-the-beginning-of-the-end-of-free-social-media. Either way, every other ad-funded consumer AI company, Google very much included, is now being graded against this experiment.

Groupon, Marcus. A quarter of the workforce gone.

The canary, not the story, Kate. Groupon's board approved an initial restructuring phase on May twenty-first to cut up to four hundred positions — roughly twenty-three to twenty-four percent of the employee base — by end of Q3. The framing is Project Foundry, a multi-year initiative to embed AI agents into the core of every function. Expected annual savings of twenty to twenty-five million, with up to half being reinvested in AI infrastructure and, quote, talent density. The eight-K language explicitly says this is the initial phase and that Groupon is evaluating additional, quote, material cost-reduction and automation actions through end of 2027. The stock rose on the announcement.

So this is the template.

Exactly, Kate. A twenty-three percent workforce cut justified explicitly as an AI-agent strategy — with the stock rewarded for it — sets the template for every mid-cap company looking for a credible cost story. Expect a parade of similar AI-native restructuring announcements through Q3 earnings season. The wrinkle — Groupon is doing this from a position of weakness. Revenue is flat. Which raises the question of whether Project Foundry is genuinely AI-driven or whether AI is being used as the politically acceptable cover for layoffs that were coming anyway. The pro-market read — both can be true, and the discipline is healthy. The uncomfortable read — this connects directly to the AI job grief piece we covered yesterday. Profitable companies cutting headcount to fund AI capex is no longer the controversial line. It's just the template.

Last quick hit, Marcus. Gemini 3.5 Flash.

Quick one, Kate. Gemini 3.5 Flash hit general availability May nineteenth at Google I/O. One dollar fifty per million input tokens, nine per million output. One-million-token context window. Benchmark scores beat the previous Gemini 3.1 Pro across Terminal-Bench at seventy-six-point-two percent versus seventy-point-three, MCP Atlas at eighty-three-point-six versus seventy-eight-point-two, and Finance Agent v2 at fifty-seven-point-nine versus forty-three. Throughput roughly four times other frontier models in output tokens per second. Gemini 3.5 Pro was teased by Sundar Pichai as, quote, next month — pointing to June, with Vertex AI early access already open for enterprise.

Caveats.

Pricing tripled versus 3.0 Flash, Kate. SMBs in Asia are loudly complaining about the migration math. But Flash is now Google's volume tier and is competitive with last generation's frontier models — the same play Anthropic is making with Haiku. With Pro arriving in June, Google's positioning against the Claude Mythos preview and Microsoft's MAI models — which we'll hear about tomorrow — defines the second half of 2026.

Big picture, Marcus. How does today fit together?

One theme, Kate. The AI capability layer is finally crossing into operational reliability — and it's exposing real economic, security, and trust costs we hadn't priced in. Figure 03's two-hundred-hour shift proves the physical-world execution is real. The Anthropic and Opus 4.8 news we covered Friday proves the revenue and orchestration sides are real. But today's ChatGPT-for-Sheets vulnerability, last week's Amazon Kirorank shutdown, and the Groupon layoffs prove the operational, security, and labor costs are also real — and starting to bite. The pro-Western libertarian read — PromptArmor disclosed, the market punished OpenAI's silence, OpenAI patched. Markets discipline themselves. Figure shipped real hardware reliability. Microsoft is breaking its OpenAI dependence rather than waiting for antitrust. The uncomfortable read — every CFO watching tomorrow's Microsoft Build keynote is also reading PromptArmor's writeup. The very same product category Nadella will pitch as the future of enterprise software just demonstrated that a single shared spreadsheet can exfiltrate an entire Drive. Capability and trust are no longer moving at the same rate. That's the gap that defines the rest of this year.

That's your AI in 15 for today. See you tomorrow.