Gaëtan

3K posts

@gbloch

Principal FDE. Security Partner @Chainguard_dev. OSS and CNCF Advocate. SOC/SIEM, OpSec, Supply Chain Security. Views are my own.

Paris, France. Joined January 2021
932 Following, 290 Followers
Gaëtan reposted
Wiz @wiz_io
🚨 SDLC Security '26 report is here! Wiz Research analyzed real dev envs, repos & prod telemetry on SDLC risk shifting upstream. 50% GH Actions reuse risk clusters 86% macOS AI amplifies risk Full report ↓ wiz.io/reports/sdlc-s…
Gaëtan reposted
Chainguard ⛓️ @chainguard_dev
@upwindsecurity now scans Chainguard Libraries for Python, so resolving a CVE in Flask or Django actually quiets your scanner, not just your to-do list. Learn more about our new partnership: bit.ly/4u0IuNg
Gaëtan reposted
Socket @SocketSecurity
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.
Gaëtan reposted
LearnKube @learnk8s
Pluto is a utility to help users find deprecated Kubernetes API versions in their code repositories and their helm releases ➤ ku.bz/ZVvQZg0L0
Gaëtan reposted
Chainguard ⛓️ @chainguard_dev
Chainguard Containers are unaffected by an attack on the Laravel Lang PHP project. Attackers injected credential harvesting malware into 700 versions across four projects overnight. Learn more: chainguard.dev/solutions/ai-t…
Gaëtan reposted
The Hacker News @TheHackersNews
🛑 Supply Chain Attack Alert: 700+ Laravel-Lang package versions compromised. thehackernews.com/2026/05/larave… The malicious code auto-runs via Composer, drops a cross-platform PHP stealer, and targets cloud keys, CI/CD tokens, browser data, crypto wallets, password managers, SSH keys, and .env files. Laravel/PHP devs: check your composer.lock immediately.
Gaëtan reposted
It's FOSS @Itsfoss
From changing your search engine to installing a network-wide ad blocker, you can make privacy happen. itsfoss.com/privacy-wins-l…
Gaëtan reposted
alphaXiv @askalphaxiv
"Code as Agent Harness" Agents are becoming less like chatbots that write code and more like systems that run on code. This new Meta paper reframes code as the harness around an agent, the executable layer for reasoning, acting, memory, verification, and coordination. The key shift is from prompt to answer toward plan, execute, observe, revise, where tests, traces, tools, sandboxes, and repos make agents stateful and checkable.
Gaëtan reposted
Kube Architect @K8sArchitect
This article explains why reducing requests and limits does not always lower Kubernetes cost, and shows how node scale-down blockers can keep autoscalers from actually removing idle infrastructure ➤ ku.bz/MVjlJVQ99
Gaëtan reposted
Kube Architect @K8sArchitect
Sympozium runs AI agents as isolated pods with CRDs, Jobs, RBAC, and network policies, so teams can orchestrate agent workflows and let agents diagnose or remediate cluster issues safely ➤ ku.bz/Myt3WxhGT
Gaëtan reposted
LearnKube @learnk8s
This article compares major Kubernetes log collectors with a reproducible benchmark focused on:
- throughput,
- CPU,
- memory,
- and log loss under production-like load
➤ ku.bz/4Lf8MjBYz
Gaëtan reposted
Cyber Security News @The_Cyber_News
⚠️ Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now! Source: cybersecuritynews.com/nginx-poolslip… A newly disclosed flaw in one of the world’s most widely deployed web servers is forcing administrators into another emergency patch cycle. Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP. The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent “NGINX Rift” flaw (CVE-2026-42945). F5 released updated versions and mitigations to fix the vulnerability. #cybersecuritynews
Gaëtan reposted
The Hacker News @TheHackersNews
🔥 npm now requires human 2FA approval before staged package releases become installable — even from CI/CD workflows. thehackernews.com/2026/05/npm-ad… New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.
Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish
npm also added new install controls: --allow-file --allow-remote --allow-directory
The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.
Gaëtan reposted
International Cyber Digest @IntCyberDigest
‼️🚨 Research shows infostealers are the origin of the compromised accounts pushing the malware for the Megalodon 5,000+ repo supply chain attack. Further analysis suggests similar attacks may be imminent: over 24,000 companies have employees with compromised GitHub credentials sitting in infostealer logs. Hudson Rock cross-referenced the Megalodon GitHub usernames against their cybercrime intelligence database and matched 331 of 978 unique usernames (33%) to computers already infected by infostealers. Deeper manual lookups (pulling old commit emails and rechecking) push the compromised rate close to 100%. The wider exposure: Accenture alone has 10+ infected employees with GitHub access. Dell's partner ecosystem maps 11,000+ compromised third parties, including ABB. Anheuser-Busch InBev is also on the list. Infostealer logs are now the fuel feeding mass GitHub supply chain attacks.
Gaëtan reposted
Sakana AI @SakanaAILabs
[Hiring] Five "Software Engineer" positions are now open! sakana.ai/careers "As AI advances, will software engineering jobs disappear?" Sakana AI believes the exact opposite. While the arrival of AI tools dramatically improves development efficiency, the Jevons paradox shows that the range and scale of problems we can solve keeps expanding, and demand for excellent Software Engineers is higher than ever. In fact, Sakana AI is strengthening its hiring of Software Engineers on an unprecedented scale: engineers who make full use of AI-assisted tools on the front lines and bring AI itself into real-world use! We are currently recruiting in the following five specialist areas. See the link for details.
🐙 The challenges that await
・Enterprise: end-to-end design, development and operation, from frontend to backend, of applications that incorporate AI technology
・Defense & Intelligence: contributing to Japan's defense and intelligence sectors with AI-powered software (note: due to its nature, this position has requirements such as holding Japanese nationality)
・Product: full-stack development of our own AI products, from UI/UX to backend and infrastructure
・Platform: designing and building the robust infrastructure and data platforms that support LLM agents (English required, Japanese is a plus)
・Research and Development: bridging ML research and product development by building tools and full-stack infrastructure that accelerate research (English required, Japanese is a plus)
🐡 Who we are looking for
・Practical experience in more than one of frontend, backend and infrastructure
・Able to use AI-assisted coding tools and drive development autonomously within a team
・Experience in AI system development or launching a product from zero to one is a further plus!
In addition to full-time roles, flexible arrangements such as contract work and internships are possible (varies by position). If you want to deliver cutting-edge AI technology to society with your own hands and create a wave of change, please apply.