Funding Highs, Shutdown Lows
Funding Highs, Shutdown Lows
The venture landscape has split into parallel universes. While Starcloud sprints to unicorn status in 17 months and Rebellions commands a $2.3 billion valuation pre-IPO, Rec Room shuts down with 150 million users and Allbirds sells for a 90% discount to its IPO raise. This isn't market correction. It's categorical sorting.
What separates winners from casualties isn't scale or growth metrics. Rec Room had the users. Allbirds had the brand recognition. Both had the capital. The dividing line runs through infrastructure positioning. Starcloud and Rebellions sell capabilities, not experiences. They're building the rails, not running trains on someone else's track. Consumer platforms, meanwhile, discovered that attention and affection convert poorly to defensible value.
The npm supply chain attack punctuates this moment differently. As capital concentrates in infrastructure bets, the actual infrastructure billions of developers depend on remains alarmingly fragile. One compromised maintainer account turned a library with 100 million weekly downloads into a malware vector. The companies raising nine-figure rounds to reimagine computing infrastructure might consider: the old infrastructure is barely holding together.
Deep Dive
Space data centers bet everything on rockets that don't fly yet
Starcloud's $170 million Series A and billion-dollar valuation point to a deeper shift in infrastructure thinking: data centers constrained by terrestrial limits (power, cooling, permitting) might find relief in orbit. But the business model only works if Starship launches become routine and cheap. That's the gap between vision and viability.
The startup has launched exactly one satellite with an Nvidia H100 GPU. It processed data for another spacecraft and ran some AI tasks. Meanwhile, terrestrial hyperscalers bought nearly 4 million advanced GPUs in 2025. The scale mismatch is staggering. Starcloud's third-generation spacecraft is designed for Starship deployment, targeting cost parity with Earth-based compute at $0.05 per kilowatt-hour. But Starship isn't flying commercially yet. CEO Philip Johnston expects access in 2028 or 2029, maybe later. Until then, the company launches smaller satellites on Falcon 9 rockets and acknowledges they won't be cost-competitive on energy.
This matters because infrastructure bets require infrastructure. VCs are funding business models that depend on launch vehicles still in development, cooling systems not yet proven at scale, and laser links between spacecraft that remain theoretical for the hardest workloads. The technical challenges (synchronizing thousands of GPUs across multiple satellites, generating enough power, dissipating heat in vacuum) aren't just engineering problems. They're timeline risks that could stretch funding runways past breaking points.
The broader competitive landscape includes SpaceX itself, which has asked permission to operate a million satellites for distributed compute. Going head-to-head with the company that controls launch access is a precarious position. Starcloud argues they're positioning as infrastructure players serving multiple customers while SpaceX focuses on internal workloads. That distinction might matter, or it might evaporate if SpaceX decides to offer third-party services. For founders considering space infrastructure plays, the question isn't whether the technology works. It's whether you can survive the decade it takes for the economics to catch up.
The npm attack exposed infrastructure everyone ignored
A compromised maintainer account turned axios, one of npm's most popular packages with 100 million weekly downloads, into a malware delivery system. The attack succeeded not because of sophisticated zero-day exploits but because foundational developer infrastructure has almost no meaningful security controls.
The attackers didn't need to break encryption or exploit code vulnerabilities. They hijacked an npm account, swapped the email to a ProtonMail address, and published two poisoned releases manually via the npm CLI. This bypassed the project's GitHub Actions pipeline entirely. The malicious code wasn't hidden in axios itself but tucked into a new dependency, plain-crypto-js, which had no legitimate purpose. Its post-install script fetched platform-specific payloads: a macOS daemon, Windows PowerShell scripts, a Python backdoor for Linux. All designed to self-destruct after execution.
What makes this significant isn't the technical sophistication but the supply chain fragility it reveals. Package managers are trust-based systems. Developers assume that packages from known maintainers are safe. But maintainer accounts are often protected by nothing more than password authentication, sometimes without two-factor enforcement. When those accounts get compromised, the blast radius is massive.
For engineering teams, this changes operational assumptions. Pinning dependencies to specific versions isn't enough when new malicious versions can appear in the registry. The StepSecurity analysis notes the attack showed unusual planning: the malicious dependency staged 18 hours early, three OS-specific payloads pre-built, both release branches hit within 39 minutes. This wasn't opportunistic. It was coordinated.
The real cost isn't just the immediate cleanup (rotating credentials, rebuilding machines, auditing what got exposed). It's the ongoing operational tax. Teams now need to treat every dependency update as a potential security event, implement runtime monitoring for unexpected network calls from build processes, and maintain parallel CI environments that can catch suspicious behavior. Developer productivity tools just became security surfaces that require active defense. That's a cost structure change that affects every company building software.
Rec Room had 150 million users and still couldn't survive
Rec Room's shutdown reveals the brutal economics of user-generated content platforms. The company built a Roblox competitor, reached 150 million players and creators, achieved a $3.5 billion valuation, and still couldn't figure out sustainable unit economics. This isn't a cautionary tale about growth. It's about business models that don't work even at scale.
The company said directly: "our costs always ended up overwhelming the revenue we brought in." For a platform dependent on user-generated content, costs scale with engagement. More users mean more hosting, more moderation, more infrastructure for creation tools, more support for a creator ecosystem. Revenue, meanwhile, comes from in-game purchases and virtual goods that require constant content creation to drive demand. That's a treadmill where costs often outpace monetization.
The VR market shift the company mentioned matters, but not how it sounds. Rec Room started as a VR-first experience but expanded to mobile and console. The real issue was competing in a space where network effects and platform lock-in favor early winners. Roblox has 70 million daily active users and a mature creator economy with established revenue-sharing models. Epic's Fortnite Creative has similar network advantages. Late entrants face not just competition for users but for creators, who rationally choose platforms with larger audiences and better monetization.
For VCs and founders, this clarifies something important about platform businesses. User count and engagement are lagging indicators of defensibility, not leading ones. Allbirds sold for $39 million after raising $348 million in its IPO. Both companies had users, brand recognition, and growth. Both struggled with the same problem: attention doesn't automatically convert to sustainable economics. The platforms raising massive rounds today on user growth metrics should be able to articulate specifically how their cost structure improves with scale, not just their revenue. If costs scale linearly with users while revenue requires constant intervention to maintain, you've built a subsidy machine, not a business.
Signal Shots
Whoop Hits Billion-Dollar Revenue on Global Expansion: Fitness wearable maker Whoop raised $575 million at a $10.1 billion valuation, reaching $1 billion in annual recurring revenue by the end of 2025. Notably, 60% of sales came from outside the US, showing the company moved beyond its athlete-focused origins. This matters because wearables typically struggle with retention once the novelty fades, but subscription models with sticky health data create different economics. Watch whether international markets sustain growth or follow the typical pattern where initial enthusiasm gives way to drawer-bound devices as competitors like Apple and Garmin add similar features.
Code Verification Emerges as AI Bottleneck: Qodo raised $70 million for AI agents that verify code quality and security as tools like Claude Code flood development pipelines with generated code. The startup topped recent benchmarks by catching cross-file bugs that human reviewers and competing tools miss. This matters because enterprises adopting AI coding face a new problem: faster output without corresponding verification creates technical debt and security risks at unprecedented scale. Watch whether verification becomes a separate market layer or gets absorbed by the code generation providers themselves, which would determine whether independent verification companies can build defensible positions.
AI Exploit Development Enters Industrial Phase: Security researcher Thomas Ptacek warns that AI coding agents will fundamentally alter exploit economics, automating the discovery of zero-day vulnerabilities that currently require specialized human expertise. This matters because the security industry's defensive advantage has partly relied on the high cost and skill requirements for finding novel exploits. Watch how quickly nation-state actors and criminal groups deploy these capabilities versus how fast defenders can instrument AI-assisted vulnerability scanning, because the timeline gap determines whether we face a brief window of chaos or a sustained asymmetric threat.
Australia's Social Media Ban Reveals Platform Evasion: Australia's eSafety Commission found that Meta, YouTube, TikTok and Snapchat haven't adequately enforced the country's ban on social media for users under 16, with 70% of parents reporting their children still have accounts despite platforms blocking five million accounts. The regulator documented platforms encouraging repeated age verification attempts until users got the desired result. This matters because Australia's law is a model for other countries, and early enforcement data shows platforms prioritizing user retention over compliance. Watch whether civil penalties in mid-2026 change behavior or whether the fundamental business incentives make meaningful enforcement impossible without architectural changes.
Bluesky's AI Assistant Becomes Second-Most Blocked Account: Bluesky's new AI tool Attie has been blocked by 125,000 users in just days, making it the platform's second-most blocked account after Vice President Vance, with 83 times more blocks than followers. The tool helps users design custom algorithmic feeds, but the backlash reflects deeper tensions about AI encroachment. This matters because Bluesky grew specifically as a refuge from AI-heavy platforms, and user reaction signals that AI features may damage rather than enhance value for communities skeptical of the technology. Watch whether Bluesky makes Attie optional or doubles down, because the decision will define whether the platform prioritizes its existing community or chases mainstream adoption through AI features.
OpenAI Patches DNS Data Exfiltration in ChatGPT: Check Point researchers discovered ChatGPT allowed data leakage through DNS queries despite OpenAI's claims that its code execution environment cannot make outbound network requests. The flaw let malicious GPT apps transmit sensitive user data to external servers while ChatGPT confidently told users no data left the system. This matters because enterprises deploying AI services for regulated data (healthcare, finance) now face concrete evidence that vendor security claims require independent verification. Watch whether other AI platforms have similar gaps between stated security controls and actual implementation, because ChatGPT's architecture is broadly similar to competing services.
Scanning the Wire
Mistral AI raises $830M in debt for Paris data center: The French AI company secured financing to build and operate a facility near Paris starting in Q2 2026, adding European compute capacity as hyperscalers concentrate infrastructure buildout in the US. (TechCrunch)
PyPI supply chain attack hits Telnyx after Trivy breach: The same cybercrime crew behind the recent Trivy compromise pushed malicious Telnyx package versions to PyPI, targeting developers with credential-stealing malware through poisoned dependencies. (The Register)
RCS Universal Profile 4.0 enables cross-platform video calls: The finalized standard introduces Messaging-Initiated Video Calls, letting iPhone and Android users turn RCS chats into video calls, though carrier and platform adoption timelines remain unclear. (The Verge)
US PC shipments projected to fall 13% as memory crisis persists: Omdia forecasts declining demand across education, consumer, commercial and public sectors through 2026, with budget systems hit hardest by component shortages. (The Register)
UK regulator tells auditors AI failures remain their responsibility: The Financial Reporting Council published guidance making clear that auditors cannot blame AI tools for audit failures, emphasizing human oversight requirements in what it calls the world's first such regulatory framework. (Financial Times)
Judge blocks Pentagon's Anthropic supply chain designation: A California court temporarily halted the Defense Department from labeling Anthropic a security risk and ordering agencies to stop using its AI, marking a significant setback for the military's attempted regulatory pressure. (MIT Technology Review)
Saronic raises $1.75B to build autonomous military vessels: The defense startup more than doubled its valuation to $9.25 billion, reflecting investor appetite for companies modernizing US naval capabilities with uncrewed systems. (CNBC)
Raspberry Pi revenue jumps 25% despite stock decline: The company reported $323.2 million in 2025 revenue driven by US and China demand, though shares dropped 21% over the past year on memory chip cost concerns before rising 27% on the earnings report. (Bloomberg)
Microsoft commits over $1B to Thailand cloud and AI infrastructure: The investment over two years targets growing regional demand for AI computing as tech giants expand Asian data center presence. (WSJ)
Nebius plans major European AI data center buildout: The company unveiled plans for one of Europe's largest AI facilities as the region scrambles to build compute infrastructure competitive with US and Asian capacity. (CNBC)
Samsung-backed Rebellions raises $400M ahead of IPO: The AI chip company focused on inference workloads secured funding at a $2.3 billion valuation, positioning itself against Nvidia and startups like Groq and Cerebras. (CNBC)
Outlier
Laser-Sealed Paper Packaging Hints at Post-Adhesive Manufacturing: German researchers developed a process that seals paper packaging with lasers instead of glue, eliminating adhesive contamination that complicates recycling. This matters less for packaging itself than as a signal of manufacturing's quiet shift toward subtraction. As material science advances, industrial processes increasingly remove rather than add: fewer binders, coatings, and joining agents. The pattern shows up in construction (friction-fit timber), electronics (pressure contacts replacing solder), and now packaging. What emerges is manufacturing that optimizes for end-of-life from the start, not as an afterthought. The economic incentive isn't environmental virtue but material recovery value in systems where virgin resources cost more than reclaimed ones.
Space data centers waiting on rockets that don't fly yet, code verification racing AI that writes faster than humans can check, and laser-sealed paper that needs no glue. The gap between what we're funding and what actually works keeps growing, which means either the future arrives soon or a lot of term sheets turn into expensive lessons about physics.