Today’s TechScan: Open LLMs, Backup Panic, and Hardware Comebacks
Today's briefing highlights a blockbuster open-source language model release and compute power dynamics reshaping AI competition, a retirement that forces PostgreSQL users to rethink backups, and region‑level cloud sovereignty moves. We also cover practical developer tooling and hardware wins—from RP2040 audio DSPs to Easyduino KiCad decks—and two unexpected human-scale stories: mushroom‑linked shared hallucinations and a large voice‑sample data breach that raise security and ethics questions.
The week’s most consequential AI story isn’t a splashy product demo or a new chatbot voice—it’s the widening gap between what’s openly published and what’s practically runnable. DeepSeek Labs has released DeepSeek‑V3, a 671B‑parameter Mixture‑of‑Experts language model, out in the open on Hugging Face with a headline‑grabbing 128K context length and unusually specific guidance for local deployment. It’s not a toy release: the model activates 37B parameters per token, was pre-trained on 14.8 trillion tokens, and comes with a stack of training tricks—Multi-head Latent Attention (MLA), DeepSeekMoE, an auxiliary-loss-free load-balancing strategy, and a Multi-Token Prediction (MTP) objective—designed to make something this large more efficient to train and serve. Even the cost narrative is unusually explicit: DeepSeek describes FP8 mixed-precision at scale and cross-node communication optimizations that cut training cost to about 2.788M H800 GPU hours. Post-training leaned on distillation of chain-of-thought reasoning from a DeepSeek‑R1 model, plus supervised and RL fine-tuning, to improve reasoning behavior.
If that sounds like the open-model world closing the gap with closed giants, it is—at least on paper and in licensing posture. But the second half of today’s story is about the gravitational pull of compute concentration. The Financial Times reports Google controls roughly 25% of global AI compute, estimated at 3.8 million TPUs and 1.3 million GPUs. Put those two facts side by side and you get the uncomfortable truth of modern “open”: releasing a frontier-scale model is increasingly feasible for a well-funded lab, while training and serving frontier-scale models remains dominated by organizations that own vast fleets of bespoke accelerators. The open ecosystem can absolutely innovate on architectures (DeepSeek’s MoE and MTP choices are a case in point), but the ability to iterate quickly—train, evaluate, retrain—still tends to accrue to whoever has the chips, the interconnect, and the budget to keep them hot.
That tension shows up again in developer tooling—this time through pricing rather than silicon. GitHub is moving Copilot toward usage-based billing, shifting away from the simple promise of “pay a flat subscription and just use it.” GitHub frames the change as aligning costs with consumption, a move with obvious implications for procurement and predictability when Copilot is embedded into day-to-day engineering work. The announcement is explicitly tied to the scaling of Copilot to millions of users and thousands of organizations under GitHub’s AI leadership, which makes this feel less like an experiment and more like a new normal: in-IDE AI is being treated as metered infrastructure.
The developer reaction captured on Hacker News is less “new normal” and more “new invoice anxiety.” In the discussion, people zero in on how model multipliers can inflate costs—multipliers for newer models reportedly ranging from 1x up to 27x—and how that undermines the psychological value of the subscription. When the tool lives inside your editor, the spending risk is uniquely sneaky: a developer doesn’t experience “calling an API,” they experience “autocomplete and chat,” and those can balloon under pressure (deadline week, incident week, refactor week). A metered Copilot nudges teams to consider alternatives that offer clearer cost controls: using direct API providers, routing through intermediaries, or running local models where the main meter is hardware you already paid for. Which loops right back to today’s bigger theme: compute access shapes choices, and pricing is one of the most effective ways to enforce that.
Meanwhile, the infrastructure we assume will always be there continues to remind us it’s run by fallible humans and brittle systems. npm’s status page showed the npm website was down, disrupting access to the package registry and related web services, with no cause or timeline in the excerpt. It’s difficult to overstate how quickly that kind of outage turns “software development” into “archaeology”: digging through caches, rebuilding lockfiles, trying mirrors, and explaining to nontechnical stakeholders why a web page being down can halt a release train. Even brief disruptions push teams toward operational hedges—cached dependencies, private registries, or alternative workflows—because the cost of being blocked isn’t theoretical when CI/CD pipelines are waiting.
Security, too, gets its own pair of wake-up calls—one visceral, one constitutional. The visceral one: a report says 4TB of data stolen from about 40,000 contractors who recorded and labeled speech for Mercor was posted by the extortion group Lapsus$ on April 4, including studio-quality voice recordings and government ID scans. Analysts quoted in the piece warn that this pairing is close to a worst-case combination: clean audio that voice-cloning systems love, plus verified identity documents that attackers can use for credibility. The article doesn’t treat “deepfakes” as a vague future menace; it lists pragmatic abuse paths—bypassing bank voice verification, “vishing” HR and finance to redirect payroll, insurance claim scams, and elder-targeted impersonation cons—while noting lawsuits alleging contractors were misled about the permanence of biometric data. The line that sticks is the practical advice: treat your voice like a leaked credential. We’re used to rotating passwords; we’re less prepared for the idea that something as personal and non-resettable as your voice can become a commodity in fraud markets.
The constitutional wake-up call comes via the U.S. Supreme Court, which will hear a challenge involving geofence warrants—police requests for location data from all devices in a defined area over a defined time window. In the case described by The New York Times, a Virginia bank robbery investigation used a geofence sweep covering a 60-minute window to identify and convict Okello T. Chatrie. Critics argue this practice vacuums up sensitive movement data of bystanders, raising Fourth Amendment concerns, and the case arrives in the shadow of the Court’s 2018 ruling that generally required warrants for historical cell-tower location records. Whatever the ruling, the underlying tension is unavoidable: location data is both incredibly useful for investigations and incredibly revealing for everyone else, and “everyone else” is typically most of the dataset. The court’s decision could redraw boundaries around law enforcement access to third-party location information—boundaries that, at the moment, are still being discovered by the public one case at a time.
If you want a pure operations panic story, today’s is open-source and quietly existential. pgBackRest, a widely used PostgreSQL backup and restore tool, is being retired by its long-time maintainer after 13 years, with the stable release at v2.58.0. The maintainer cites lack of sustainable sponsorship and the need to pursue other work; future development and support are ending unless new maintainers fork and rebrand. The project’s feature set—parallel backup/restore, lz4/zstd compression, remote TLS/SSH protocol, multiple repositories, full/differential/incremental and block-level backups, integrity checks—reads like a checklist of “things you only miss when they’re gone,” which is exactly why this lands as more than community drama. Backups are not a place where “it still works for now” is comforting. Every unpatched dependency, every future PostgreSQL change, every emerging security expectation becomes a question mark you now own.
What makes this a supply-chain moment is that it forces enterprises and DBAs into real choices: adopt a fork, find new maintainers, or migrate to alternatives. None of those are free, and all of them require time—the scarcest resource in incident response. It’s also a reminder that operational tooling often has the worst mismatch between value and funding: when it works, nobody notices; when it falters, everything is on fire. The most rational outcome here would be a sober wave of succession planning across critical ops tools—because “we rely on it” is not a maintenance plan.
Not all the news is heavy. Some of today’s most charming momentum is happening at the maker level, where cheap hardware keeps gaining surprising leverage. DSPi firmware turns a Raspberry Pi Pico—or other RP2040/RP2350 boards—into a full-featured USB audio DSP and sound card. The feature list is delightfully ambitious for such small boards: room correction, parametric EQ, crossovers, time alignment, loudness compensation, headphone crossfeed, support for 16-/24-bit PCM at 44.1–96 kHz, 24-bit S/PDIF or I2S outputs, matrix mixing, up to 10 PEQ bands per channel, RMS-based leveling with lookahead, ISO‑226 loudness compensation, per-output delay, presets, telemetry, and dual-core DSP processing. This is the kind of project that turns a hobby board into a credible prototype platform for embedded audio products—precisely because it wraps gnarly signal-processing plumbing into something you can build from source.
In parallel, Easyduino is publishing complete KiCad production projects that replicate common devboards—Arduino Uno/Nano, ESP32 (including S3), Raspberry Pi Pico, STM32 Bluepill—with USB‑C support, standardized jobsets, BOMs, centroid files formatted for JLCPCB, gerbers, PDFs, datasheets, and production notes. This matters less for people who want yet another clone board and more for people who want the confidence of a reproducible manufacturing path. When a repository includes the unglamorous stuff—footprints, pick-and-place formatting, stackup notes—it lowers the friction between “I designed a thing” and “I can actually make ten of them.” In a world where AI is increasingly centralized, there’s something quietly subversive about making hardware replication and customization easier.
That push-and-pull between centralization and sovereignty also shows up in cloud policy. Techzine reports the Dutch central bank, De Nederlandsche Bank, plans to sign a major contract with Schwarz Digits (Schwarz Group, known for Lidl) to adopt its Stackit cloud, shifting away from AWS to reduce dependence on U.S. hyperscalers. Announced at Hannover Messe, the move is framed as a deliberate preference for European cloud sovereignty, with Stackit promising data governed under European law and backed by an €11 billion data center investment. It’s a high-profile bet: that regional providers can offer not just compliance comfort, but the operational maturity institutions rely on.
The article also doesn’t pretend the transition will be painless. The central question is whether European alternatives can match decades of U.S. cloud feature depth and ecosystem gravity. That’s the tradeoff governments and regulated institutions keep circling: legal and geopolitical reassurance versus platform completeness. Each migration adds evidence—good or bad—about what “sovereign cloud” looks like in practice, beyond the slogans.
Finally, the day’s most unusual science story reads like folklore until you hit the lab work. A Vice report follows biologist Colin Domnauer revisiting recurring reports from China’s Yunnan province: people hospitalized after eating Lanmaoa asiatica and hallucinating “tiny elflike people,” with locals long saying the mushroom must be thoroughly cooked to avoid effects. The species was only formally described in 2015, earlier health authority investigations reportedly stalled after inconclusive tests, and yet the pattern persisted strongly enough to earn a name—“lilliputian hallucinations”—with similar accounts noted in Yunnan in the early 1990s and even Papua New Guinea. Domnauer’s fieldwork included market sourcing, vendor identification, genetic confirmation, and lab studies where extracts caused major behavioral changes in mice. The active compound appears not to be psilocybin, symptoms can start 12–24 hours after ingestion, and effects can last long enough to require observation.
Why does this belong in a tech briefing? Because the story sits at the intersection of public-health surveillance, toxicology, and how we classify neuroactive agents—and because our cultural intuition about psychedelics (“you know it’s a trip”) doesn’t necessarily apply. Even the Hacker News discussion around the piece gravitates toward that distinction, comparing convergent hallucinations to deliriant-like experiences where visions feel fully real. Whether or not you care about ethnomycology, the broader lesson is relevant: some risks don’t announce themselves with predictable signatures, and “we tested for the obvious compound and found nothing” is not the same as “there’s nothing there.”
Today’s throughline is that capability keeps rising—open models get bigger, maker boards get smarter, alternative clouds get bolder—but the dependencies are getting sharper too. Compute is concentrated, pricing is getting metered, essential open-source tools can go dark when maintainers burn out, and personal biometrics are becoming durable attack surfaces. The next few months will likely be shaped less by any single breakthrough than by who learns to build resilient workflows—technical and legal—around these realities before the next outage, breach, or policy ruling forces the lesson.
About the Author
yrzhe
AI Product Thinker & Builder. Curating and analyzing tech news at TechScan AI. Follow @yrzhe_top on X for daily tech insights and commentary.