Orbital AI Compute, DeepMind's Pointer Revolution, and the Open Source Supply Chain Under Siege

Every week, the boundaries between physical infrastructure, artificial intelligence, and cybersecurity grow thinner. This time, we're looking at a convergence of stories that paint a vivid picture of where the tech industry is heading — and the dangers lurking along the way.

From data centers being planned for outer space to a devastating supply chain attack that compromised some of the most trusted packages in the JavaScript ecosystem, these five stories represent the most consequential developments across AI, cybersecurity, developer tools, and startup funding. Here's the full breakdown.

The Shai-Hulud Attack: When Your Build Pipeline Becomes the Weapon

In what may be the most consequential supply chain attack of 2026, a threat group called TeamPCP launched a sophisticated campaign codenamed "Shai-Hulud" that compromised over 400 artifacts across npm and PyPI — including some of the most widely-used packages in modern web development.

The targets read like a who's who of the JavaScript ecosystem: TanStack confirmed 84 malicious versions were published across 42 of their packages. Mistral AI, Guardrails AI, and UiPath were also hit. What makes this attack particularly devastating is its sophistication — the attackers stole OIDC tokens to publish versions with SLSA Level 3 provenance attestations that were cryptographically valid. From a developer's perspective, these packages looked completely legitimate.

The malware specifically targeted developer credentials: GitHub Actions tokens, AWS credentials, SSH keys, and even Claude Code configuration files. If your CI/CD pipeline pulled one of these packages between the compromise window and the takedown, your secrets may have been exfiltrated.

This is the exact kind of attack that [Zero Trust Architecture](/zero-trust-security-the-essential-cybersecurity-model-in-the-ai-era-why-your-castle-and-moat-strategy-just-died/) was designed to mitigate — but only if you're actually implementing it. If your build system implicitly trusts packages with valid signatures, Shai-Hulud just proved that trust is misplaced. The open source community needs to have a serious conversation about how SLSA provenance can be subverted and what additional verification layers are needed.

DeepMind's AI Pointer: The End of the Keyboard As We Know It

Google DeepMind introduced a concept that sounds simple but carries profound implications: the AI Pointer. Backed by Gemini, this technology transforms the humble mouse cursor from a position indicator into a context-aware entity that understands what it's pointing at and why it matters.

The team outlined four interaction principles. Maintain the flow — AI works seamlessly across applications without interrupting your workflow. Show and tell — the pointer captures both visual and semantic context. Embrace "This and That" — natural shortcuts like "Fix this" or "Move that here." And turn pixels into actionable entities — every UI element becomes something AI can understand and manipulate.

Early implementations are already live: Gemini in Chrome supports "point to ask" functionality, and the Magic Pointer is being tested in Googlebook. For developers, this represents a paradigm shift from text-based AI interaction to pointer-based context. The way we design user interfaces may fundamentally change — instead of building forms and menus, we might start building pointer-friendly surfaces that AI agents can navigate and manipulate directly.

Google and SpaceX: When AI Compute Goes Orbital

In a move that sounds like science fiction but is reportedly in active discussion, Google and SpaceX are exploring the possibility of launching data centers into space. The initiative, potentially called "Project Suncatcher," could see prototype satellites launched as early as 2027.

The motivation is clear: the AI industry is running out of terrestrial compute capacity. As we've covered in our analysis of [the AI power crisis](/the-ai-power-crisis-is-real-why-data-centers-are-becoming-the-industrys-biggest-bottleneck/), the demand for compute is outstripping the ability to build and power data centers on the ground. Orbital facilities could theoretically access unlimited solar energy and operate in naturally cold environments, solving two of the biggest challenges simultaneously.

SpaceX, which is preparing for a staggering $1.75 trillion IPO, is reportedly positioning orbital compute as a long-term cost advantage. The economics are currently described as "brutal" compared to terrestrial data centers, but the trajectory is clear — when the cost of launching mass to orbit drops low enough (and Starship is designed to do exactly that), space-based compute could become competitive. This isn't just about building data centers — it's about the fact that the AI boom is pushing infrastructure into fundamentally new territory.

Anthropic's Legal Play: The $90 Billion Company Comes for Lawyers

Anthropic expanded its Claude for Legal offering with new plugins and MCP connectors for commercial, privacy, corporate, and AI compliance domains. But the real story is strategic: with direct integrations into DocuSign, Box, and Thomson Reuters/Westlaw, Anthropic is positioning Claude as the infrastructure layer for legal work — not just another chatbot.

This puts Anthropic in direct competition with well-funded legal AI startups like Harvey (valued at $11 billion) and Legora (valued at $5.6 billion). What Anthropic brings to the table is a critical differentiator: instead of standalone chatbots that have already produced flawed legal documents in court cases, Claude connects to the existing legal software infrastructure. We explored this dynamic in our recent piece on [Anthropic's "Claude Cowork" and the Legal Tech SaaSpocalypse](/anthropics-claude-cowork-sparks-legal-tech-saaspocalypse/).

The approach is deliberate: Anthropic isn't trying to replace legal software — it's embedding itself into it. By providing the AI layer that works within DocuSign for contract review, Westlaw for legal research, and Box for document management, Claude becomes the glue between existing tools rather than a replacement for them. For a legal industry that's notoriously cautious about adopting new technology, this "infrastructure play" is significantly more likely to gain traction than a standalone product.

DuckDB's Quack Protocol: The Little Database That Could Just Went Network

DuckDB — beloved by data engineers for its blazing-fast in-process analytics — released Quack, its first client-server protocol. Built on HTTP with a custom application/duckdb serialization format, Quack can transfer 60 million rows (equivalent to a 76 GB CSV) in under 5 seconds, and it outperforms PostgreSQL by up to 8 threads for small writes at approximately 5,500 transactions per second.

This addresses the single biggest limitation that's kept DuckDB from being a universal solution: the inability to handle multiple concurrent writers. Quack comes with flexible security through customizable auth and authorization via SQL macros. It also opens new use cases like remote DuckLake catalog servers and DuckDB-Wasm connections directly from the browser.

For the developer ecosystem, this is a significant evolution. DuckDB was already the go-to for local analytics — now it's becoming viable for shared, networked environments. The combination of in-process speed with server-grade concurrency could reshape how teams think about analytical infrastructure, especially for organizations that want something simpler than a full PostgreSQL or ClickHouse deployment but more powerful than SQLite.

The Big Picture

What connects these stories isn't just timing — it's the theme of infrastructure under pressure. The AI boom is pushing compute into orbit because we can't build data centers fast enough on Earth. It's pushing supply chains to their breaking point, with attackers finding devastating new vectors through the package ecosystems we all depend on. And it's pushing traditional industries — law, finance, data analytics — to adopt AI not as an experiment, but as core infrastructure.

DeepMind's AI Pointer might be the most future-facing story here. If the way we interact with computers fundamentally shifts from typing and clicking to pointing and talking, every industry — from legal tech to orbital engineering — will need to reimagine its workflows. The question isn't whether these changes are coming. It's whether your infrastructure is ready for them.

The Shai-Hulud supply chain attack is an urgent reminder: check your dependency trees, rotate your credentials, and verify that your CI/CD pipelines aren't blindly trusting signed packages.