DevOps'ish 311: Poisoned Repos, Hallucinating Executives, and More

Make smarter application decisions with Azure Copilot Migration Agent (Sponsor)
Stop guessing what to modernize. This playbook from Microsoft’s Azure Copilot Migration Agent team gives you strategies to decide what to re-platform, refactor, and what to leave as is. Try it yourself — download a copy today.

Reconciling the Past: Correcting Records for Unfixed Kubernetes CVEs - The Kubernetes Security Response Committee will correct CVE records on June 1, 2026 for three long-standing unfixed vulnerabilities that represent architectural design trade-offs rather than code bugs, with remediation approaches provided for cluster admins.

Nvidia to spend $150 billion a year in Taiwan, ’epicentre’ of AI revolution, says CEO - Jensen Huang announced Nvidia will commit roughly $150 billion annually to Taiwan operations and break ground on a new 4,000-person Taipei headquarters called Constellation, up from just $10-15 billion a year five years ago.

Tech CEOs are apparently suffering from AI psychosis - Box CEO Aaron Levie argues that tech executives have become dangerously disconnected from practical AI implementation realities, leading them to overestimate productivity gains and justify mass layoffs on automation assumptions that don’t hold up.

Wix to cut 1,000 jobs in largest layoff round in company history - The Israeli website-building company is laying off roughly 20% of its workforce as it absorbs rising AI computing costs and a near 50% stock price collapse.

AI Agents Plunged the Tech World Into Chaos. Here’s Exactly How That Happened - The definitive account of how Claude Code and OpenClaw kicked off what may be computing’s biggest transformation and exactly what the ripple effects have looked like.

Amazon Thinks the Future of Data Centers Depends on a Technical Problem It Just Solved - Amazon says a breakthrough in data center networking has dramatically accelerated information flow through its cloud infrastructure, with real ramifications for how AI workloads scale.

This major AI bottleneck could be solved using light - Nvidia is investing billions of dollars into photonics companies as chip makers look to use light to push past the speed and efficiency ceilings currently constraining AI infrastructure.

Anthropic, Microsoft in talks about Maia AI chip deal - Microsoft and Anthropic are reportedly in discussions about putting Microsoft’s internally developed Maia 200 chips, currently used only in its own data centers, to work powering Anthropic’s AI workloads.

Mitigating CVE-2026-31431 (“Copy Fail”) in Docker Engine - Docker Engine v29.4.3 ships AppArmor, SELinux, and seccomp protections to block a Linux kernel privilege escalation flaw after an initial fix broke 32-bit binary compatibility.

Disgruntled 0-day hunter ‘humiliated’ by Microsoft pledges ‘bone shattering drop’ as Redmond calls cops - Researcher Nightmare Eclipse has already dropped six Windows zero-days and is threatening more on July 14, claiming Microsoft withheld compensation and deleted their vulnerability reporting account after a failed coordinated disclosure.

Ghost CMS flaw abused to push ClickFix attacks on hundreds of sites - Attackers are exploiting an unpatched SQL injection flaw (CVE-2026-26980) in Ghost CMS to compromise over 700 websites and redirect visitors to ClickFix social engineering pages that deliver malware.

Google API keys keep working after you delete them - Aikido’s testing found deleted Google API keys remain valid for up to 23 minutes across Google’s infrastructure, a revocation window Google has so far declined to close.

Megalodon chums the waters in 5.5K+ GitHub repo poisonings - The Megalodon campaign infected more than 5,500 GitHub repositories with malicious CI/CD commits designed to exfiltrate cloud credentials and secrets from developer pipelines.

GitHub breach: The development ecosystem is in the hot seat - TeamPCP’s compromise of GitHub through a poisoned VS Code extension exposes how vulnerable the developer toolchain has become and what meaningful software supply chain hygiene actually requires.

TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages Across npm, PyPI, and Crates.io - A coordinated malware campaign deployed 36 malicious packages targeting crypto, DeFi, AI, and security developers across three major ecosystems with credential-stealing payloads tailored to each runtime.

How Vercel Cut Build Wait Times From 90 Seconds To 5 - Vercel built a custom infrastructure platform called Hive on Firecracker microVMs with warm cell pools and fast boot processes to dramatically accelerate CI/CD builds across hostile multi-tenant workloads.

10 Years of SPIFFE - A decade ago the SPIFFE design doc was written; this is the story of how workload identity got here and why it is finally having its moment.

How to find your open source community hiding outside the repo - Most open source communities live well beyond code contributors; effective approaches for finding and engaging with the wider networks that actually keep projects alive.

“The User Is Visibly Frustrated” - Coding agents irritate users not because they are bad tools, but because their conversational human-like behavior triggers social expectations they are structurally incapable of meeting.

Migrating from Go to Rust - A practical comparison of Go and Rust for backend services covering correctness guarantees, runtime tradeoffs, and developer experience, with strategies for incrementally migrating an existing codebase.

Harness, Scaffold, and the AI Agent Terms Worth Getting Right - HuggingFace’s glossary cuts through the AI agent terminology fog, clarifying what harness, scaffold, agent, and related terms actually mean so practitioners can communicate without talking past each other.

pkalogiros/AudioMass - Other - Free, full-featured, web-based audio and waveform editing tool.

thobiasn/tori-cli - MIT License - Docker server monitoring without the stack: metrics, logs, and alerts from your terminal, single binary, zero exposed ports, SSH-only.

perplexityai/bumblebee - Apache License 2.0 - Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.