Five stories from this week that, taken together, share a temperament: the bill arrived.
Hackers learned to poison open-source packages at unprecedented scale. Office users won the right to remove an annoying Copilot button. Irish Rail wrote down €50 million on a train IT project. Samsung chip workers extracted average annual bonuses of $340,000 by threatening to strike. And the cleanest clean-energy story of the week involved 200 hot carbon blocks at a South Dakota ethanol plant.
Five arcs:
- Supply-chain attacks went industrial.
- Users pushed back on the Copilot button.
- Public-sector tech kept failing the same way.
- Chip workers cashed in.
- The clean-energy story got refreshingly weird.
1) Supply-Chain Attacks Went Industrial
For a long time, software supply-chain security was something the security team worried about and everyone else ignored. That arrangement is failing.
The New Stack covered JFrog’s 2026 supply-chain report, which frames the new picture plainly: the perimeter is no longer just code and open-source dependencies. It now includes AI models, agentic dev tools, package proliferation, and the increasingly blurry boundary between human-written code, generated code, downloaded artifacts, and deployed systems.
Ars Technica had the sharper edge: a hacker group is poisoning open-source code at unprecedented scale. Supply-chain compromise used to be a rare nightmare. It is becoming a baseline operating condition. Instead of trying to break the skin, attackers have learned to contaminate the transfusion bag.
Then The Register supplied the farce. A researcher said the Trump Mobile website was leaking thousands of customers’ data through a basic request path. No zero-day. No exploit chain. Just a sloppy interface answering the wrong question for the wrong caller.
The honest read: every new AI permission grant is a new trust boundary, and most teams are still pretending generated code is somehow exempt from code review. It isn’t. The boring posture — narrower credentials, signed artifacts, build provenance, dependency review, tool allowlists, generated code that goes through the same gate as everything else — is also the right one.
2) Users Pushed Back on the Copilot Button
There is a difference between shipping an AI feature and making people live with it. Microsoft is learning this in Office.
The Verge reported that Microsoft is letting users remove an annoying floating Copilot button after complaints that it obstructed work, especially in Excel. Sounds small. Isn’t. It’s the whole enterprise AI story in miniature: vendor inserts a model into a workflow, engagement metrics go up, users ask for control back.
Generative video had the more expensive version. The Next Web reported that Critterz missed the Cannes market window, partly because the OpenAI video model the production pipeline depended on no longer existed in the form they needed. If your creative pipeline depends on someone else’s model lifecycle, your schedule depends on someone else’s roadmap.
DeepSeek supplied the counter-melody. Its founder is reportedly telling investors that AGI is the goal and that the lab will keep releasing open-source models rather than chasing near-term revenue. Part research ambition, part positioning, part geopolitical theater — and a reminder that model strategy is also a question of who gets to build on top.
Steve Wozniak gave the commencement-speech version of the backlash, telling graduates they already have AI in the form of actual intelligence. A little cute, but it landed because people are tired of being told every surface of life needs a model-shaped sticker. The Register’s BOFH gag about vibe-coded solutions for problems nobody has belongs in the same pile. Satire works when the org recognizes itself.
The user revolt isn’t going to sound ideological. It’s going to sound like “move this button,” “why did the workflow change,” “who approved this data flow,” “why did the model disappear,” and “why is my spreadsheet now negotiating with me?”
That’s where the adoption fight actually lives.
3) Public-Sector Tech Kept Failing the Same Way
Government tech failures usually get covered as waste. Waste is real, but it isn’t the interesting diagnosis.
The Register reported that Irish Rail wrote down €50 million on a troubled train traffic management system, with lawmakers asking how the project drifted for years while more public money kept moving through it. The question that matters isn’t the outrage. It’s who was in charge of knowing whether the system could actually be delivered.
The same question sits under the UK’s digital ID politics. The Register noted that the plans could be imperiled if Andy Burnham succeeds Starmer — Burnham has warned about another ID-card-style project that consumes political and operational oxygen without landing. The point isn’t “digital ID good” or “digital ID bad.” It’s that identity infrastructure is a state-capacity test. Govern badly, build poorly.
Health policy had the immediate American version. Ars Technica reported that medical groups are alarmed after RFK Jr. fired two leaders of the U.S. Preventive Services Task Force, leaving the panel half empty. That panel helps decide what counts as recommended preventive care — mammograms, colonoscopies, statins, depression screening. Change the panel, change the clinical default and the coverage that follows.
Truthout’s piece on USAID cuts potentially hindering management of an Ebola outbreak in Congo and Uganda points the same direction. Public health isn’t an opinion layer. It’s funding channels, expert panels, logistics, trust, and boring continuity. Cut the boring layer and the crisis response gets worse.
Even the UK nuclear story is a state-capacity story in financial clothing. The Register covered the National Audit Office warning that Sizewell C investors may pocket high returns while consumers carry low-control risk through higher bills. That is what happens when delivery, financing, and public accountability are one system but get debated as three.
The throughline is not that governments should stop building hard things. They have to. Rail control, digital identity, preventive medicine, outbreak response, and energy infrastructure are all too important to leave to vibes. The throughline is that capacity is the ability to specify, govern, audit, adapt, and — when necessary — kill a program before drift becomes destiny. The state needs real product management. Not the LinkedIn version.
4) Chip Workers Cashed In
The week’s labor signal came from a very modern place: memory chips.
The Verge reported that Samsung semiconductor workers negotiated a tentative deal that could make some employees eligible for average annual bonuses of $340,000 after 48,000 workers threatened to strike unless bonus caps were lifted. The number is eye-catching. The structural lesson is more useful.
AI demand made memory chips more valuable. That made the people closest to the bottleneck more powerful. The strike threat turned abstract chip scarcity into concrete labor leverage.
This is the part of the AI economy that gets flattened in macro takes. Compute isn’t just GPUs and capex. It’s fabs, supply chains, technicians, engineers, logistics, maintenance, power, cooling, and labor arrangements. When a boom concentrates value in a bottleneck, the workers inside the bottleneck sometimes see it before the analysts do.
The Atlantic’s piece on the $15 minimum wage as an economic experiment that upended reality belongs next to it — also a story about an old model breaking on contact with evidence. The policy consensus said $15 would be absurd. The actual outcomes forced a reassessment. Reality didn’t care how confident the spreadsheet was.
The Argument’s essay on young people being rich and miserable adds the cultural beat. If younger workers objectively earn more than prior cohorts at the same age but still feel cornered, the wage number isn’t capturing the lived system. Housing, debt, healthcare, family formation, platform precarity, and the size of the asset wall in front of them all sit outside the clean salary line.
You cannot build an economy on bottlenecks and then act surprised when the bottlenecks bargain.
5) The Clean-Energy Story Got Refreshingly Weird
The energy and industrial coverage this week was useful because it wasn’t clean.
CleanTechnica covered a plan to use more than 200 hot carbon blocks to store wind energy and displace natural gas at a South Dakota ethanol plant. The headline went with white-hot toaster ovens. Underneath the joke is a serious point: decarbonization is increasingly about weird, local, industrial substitutions. Not solar panels in the abstract. Heat, process energy, storage media, plant economics, and whether a retrofit actually pencils out in one ugly real facility.
The Next Web reported that Chinese EV brands crossed 15 percent of European EV sales, with Britain leading the way, even as Europe keeps tariff walls up and incumbents sit on underused plants. Industrial policy meets consumer choice meets manufacturing reality. You can tariff a supply chain. You cannot wish a competitive product ecosystem into being.
REPS, an Austrian startup, raised money to turn road traffic into electricity by embedding generation slabs into roads. Maybe it survives contact with economics, maybe it doesn’t. That is also the point. The energy transition is full of ideas that sound great until maintenance, throughput, weather, installation cost, and grid interconnection show up with clipboards.
Nvidia’s venture arm adding Alice & Bob to its quantum portfolio is another infrastructure bet. Lenovo posting a strong quarter with AI revenue nearly doubling is another. Not the same category, but rhyming signals: capital is still hunting for the next compute, energy, and hardware advantage underneath the software layer.
The mistake is treating infrastructure as background. AI needs chips. Chips need workers, fabs, memory, power, water, and geopolitical supply chains. Electrification needs vehicles, chargers, grid upgrades, storage, tariffs, industrial policy, and maintenance. Nuclear needs financing structures that don’t quietly socialize risk while privatizing returns. Quantum probably needs more patience than the pitch deck admits.
The optimistic version of any of these is the one that survives the spreadsheet, the public hearing, the union negotiation, the procurement review, and the maintenance budget. Everything else is a render.
What to Watch Next Week
- AI supply chains: whether vendors start talking about model provenance, generated-code review, artifact signing, and agent permissions with the same seriousness they bring to package scanning.
- Interface backlash: Copilot-button-style fights are early warnings. Watch where users get control back and where vendors decide engagement metrics outrank workflow ownership.
- Public-sector delivery: Irish Rail, UK digital ID, preventive-care governance, outbreak response, and nuclear financing are all the same kind of test. Watch who owns failure.
- Chip labor: Samsung’s bonus deal is a reminder that compute bottlenecks create worker leverage. AI infrastructure is not laborless.
- Energy realism: the useful clean-energy stories are moving from rhetoric to plant-level substitution, grid constraints, tariffs, financing, and maintenance.
The week’s pattern wasn’t collapse. It was contact.
Software met attackers. AI features met the users who have to live with them. Government IT met institutional capacity. Capital met labor leverage. Clean-energy ambition met the maintenance budget.
Most weeks the spreadsheet is confident. This one, it pushed back.