0:00
A lot of infrastructure stories sound small right
0:03
up until they change how people build. S3 gets
0:06
a file system interface. A fake plugin turns
0:09
into a foothold. A security incident comes back
0:12
for a second round and gets worse. An old Kubernetes
0:16
path starts running out of runway. And the next
0:19
generation of workloads is already pushing the
0:22
platform to act differently. That's the story
0:25
this week. Not just new features. more like the
0:28
layers around the system are becoming the system
0:31
hey i'm brian teller i work in devops and sre
0:52
and i run teller's tech this is ship it weekly
0:56
where I filter the noise and focus on what actually
0:58
changes how we run infrastructure and own reliability.
1:01
Show notes and links are on shipitweekly .fm.
1:05
If the show's been useful, follow it wherever
1:07
you listen. Ratings help way more than they should.
1:10
And if you want more signal between episodes,
1:12
check out oncallbrief .com. We have five main
1:16
stories today, then the lightning round, and
1:18
we'll wrap with the human closer. we're starting
1:21
with amazon s3 files because aws just changed
1:24
the way that s3 can show up in applications and
1:27
i think people are going to oversimplify that
1:30
story really fast then we've got the malicious
1:32
npm packages pretending to be Strapi plugins
1:36
which is just a very 2026 supply chain story
1:40
after that trivia again but this time as the
1:43
uglier follow -on we talked about the earlier
1:46
incident before and now the sequel is broader
1:49
and hits the ci path even harder then we'll hit
1:53
kubernetes ingress to gateway 1 .0 and the bigger
1:56
reality that teams are going to have to migrate
1:59
towards gateway api without pretending that this
2:02
is a one -click swap and finally kubernetes agent
2:06
sandbox because the platform is already starting
2:09
to admit that agent -style workloads are different
2:16
Story one. Amazon S3 files is interesting, but
2:20
I would not call it S3 is EFS now. Let's start
2:23
there. AWS launched S3 files this week, and the
2:27
headline version is simple. You can expose an
2:29
S3 bucket as a file system and mount it from
2:33
EC2, ECS, EKS, or Lambda. AWS says it supports
2:39
NFS version 4 .1 operations, syncs changes back
2:43
to S3, and uses a high -performance active data
2:46
layer to make file access fast. What I think
2:50
is interesting here is how this compares to the
2:53
old S3FS or generic FUSE -style pattern. Because
2:57
people have been trying to make S3 feel like
2:59
a file system forever. But that old approach
3:02
usually came with the usual caveats. Weird semantics.
3:06
performance trade -offs, caching weirdness, consistency
3:09
questions. General, yes, it mounts, but should
3:13
it? Energy. This feels smarter than that. Not
3:16
because it magically turns object storage into
3:18
a perfect shared file system, but because AWS
3:21
is very clearly building and managing the translation
3:25
layer for you instead of leaving you to duct
3:28
tape it together yourself. So this is related
3:30
to the old S3FS and FUSE idea in the sense that
3:34
it solves the same human problem. which is my
3:37
app or tool wants files, not bucket APIs. But
3:41
it is not just a nicer wrapper around the same
3:44
old hack. It is AWS putting a managed service
3:47
boundary around the pattern. That said, I still
3:51
would not read this as S3 is basically EFS now.
3:54
I think the better read is that AWS put a managed
3:57
file system layer in front of S3 so file -based
4:01
tools and workloads can interact with bucket
4:04
data more naturally. especially AI and ML -style
4:08
workflows, without everybody inventing their
4:11
own copy pipeline or mount trick. Where I still
4:14
have questions is real -world behavior once this
4:18
is under pressure, multi -writer contention.
4:21
Sync behavior. What the latency story looks like
4:24
once the happy path cache assumptions stop being
4:27
happy. So for me, the takeaway is not S3 replaced
4:30
file storage. It is more like the object store
4:33
just got a much friendlier interface for workloads
4:36
that were never really written to think in buckets.
4:39
And that matters because once the interface changes,
4:43
people start building differently. Story 2. The
4:50
fake Strapi plugin story is ugly, but very believable.
4:54
Next up, the supply chain mess. Researchers found
4:57
36 malicious NPM packages disguised as Strapi
5:02
plugins. They followed the Strapi plugin naming
5:05
pattern, used post -install scripts, and came
5:08
with different payloads aimed at Redis and Postgres
5:11
SQL. credential harvesting, reverse shells, and
5:15
persistence. That is the part that I think lands.
5:18
Not just NPM had malware again, more like this
5:21
is what the modern trust problem looks like.
5:24
The package ecosystem, the install workflow,
5:27
the environment variables, the local services,
5:30
the containers, the database paths. All of that
5:33
is fair game once developers or pipelines run
5:37
something they should not have trusted. And I
5:40
think the Strapi angle is useful too. Because
5:42
it plays on something real. Developers expect
5:45
there to be plugins. They expect those plugins
5:47
to be named in ways that feel obvious. Attackers
5:51
know that. So the trick is not brilliance. It
5:54
is just getting close enough to expected behavior
5:56
that nobody slows down. That's why these stories
5:59
matter. Not because every team uses Strapi. Because
6:03
every team uses something with a plugin model,
6:06
a package manager, and a little too much trust
6:09
in what shows up during install. Story 3. Trivia
6:16
is back, and this one is the uglier sequel. Next
6:19
up, the trivia follow -up. We talked about the
6:22
earlier trivia incident back in episode 24. This
6:25
is not just the same story repeated. This is
6:28
the second chapter, and Aqua's own write -up
6:31
says that pretty clearly. On March 19th, Aqua
6:34
said a threat actor used compromised credentials
6:37
to publish malicious releases of trivia. trivia
6:41
action and set up trivia and that this was a
6:44
follow -up from the march 1st incident because
6:47
the original containment was incomplete that
6:50
matters because now we are not just talking about
6:53
repo disruption or suspicious activity around
6:56
the project now we are talking about official
6:59
releases and ci tooling being turned into a distribution
7:03
path for credential theft aqua said affected
7:06
users should treat reachable secrets as compromised
7:09
and rotate them Multiple security write -ups
7:13
also called out that the compromised actions
7:15
and releases were used to target CICD environments
7:19
directly. This is the nightmare version of security
7:22
shifted left. The scanner is not outside the
7:25
blast radius. The security tool is not outside
7:28
the blast radius. The thing scanning your code
7:30
may need the same level of paranoia as the thing
7:34
deploying it. And I think that is why this one
7:36
is worth covering even though we already talked
7:39
about Trivi before. The first story was something
7:42
is wrong. The follow -on story is the earlier
7:45
compromise turned into malicious releases and
7:48
broader CI impact because the attacker still
7:51
had a path back in. That is new enough and ugly
7:55
enough to justify a follow -up. Kubernetes' ingress
8:04
to Gateway is the kind of migration story platform
8:07
teams actually live through. Now let's get back
8:09
to platform work. Kubernetes announced ingress
8:12
to Gateway 1 .0, and the framing is pretty direct.
8:16
With Ingress Engine X retired as of March 2026,
8:21
the question is not really whether teams will
8:23
move towards Gateway API, but how they do it
8:26
safely. That is why I like this story. Because
8:29
it is honest. A lot of migration stories get
8:32
told like they are basically just YAML translation
8:35
and maybe a few find and replaces. But anybody
8:38
who has lived through one of these knows the
8:41
hard part is not converting manifests. The hard
8:44
part is discovering all of the weird behavior
8:46
your current setup has been carrying for years
8:49
and deciding what actually needs to survive the
8:51
move. And Gateway API is a real shift. More modular.
8:56
More expressive. Better separation of concerns.
8:59
Great. But the migration still has to happen
9:01
in environments where teams have old annotations,
9:04
old controller -specific assumptions, and production
9:07
traffic that does not care how elegant the destination
9:11
architecture looks on a blog post. So I think
9:14
this is one of those very real platform stories
9:16
where the value is not the destination alone.
9:20
It is having a safer path off the thing everybody
9:23
relied on for years. Story five. Agent Sandbox
9:31
is Kubernetes admitting the workload model is
9:34
changing. Last main story. Kubernetes also published
9:38
a piece on Agent Sandbox. And I think it is worth
9:41
paying attention to. Not because everybody needs
9:43
it tomorrow, but because it signals where the
9:46
platform sees things going. The argument is basically
9:49
that long -running AI agents do not behave like
9:52
normal short -lived stateless workloads. They
9:55
need stable identity, workspace persistence,
9:58
isolation, scale to zero behavior, and warm pulls
10:02
so they do not feel painfully cold every time
10:05
they wake up. That feels right to me. Because
10:07
even if you are not all in on agent hype, the
10:11
platform problem is real. Once you have workloads
10:14
that hold context longer, need tool access, spin
10:17
up and down differently, and may need tighter
10:20
isolation than a normal web app, the old abstractions
10:24
start feeling a little off. And that is part
10:26
of why I like this story paired with S3 Files.
10:30
S3 Files says here's a friendlier interface for
10:33
data because these newer workflows want file
10:36
semantics. Agent Sandbox says here's a friendlier
10:40
runtime shape because these newer workloads want
10:43
different lifecycle semantics. Those are different
10:46
stories, but they rhyme. the platform is getting
10:49
nudged by new usage patterns, whether we want
10:52
to call that AI, agents, or just another round
10:55
of abstraction pressure. A few quick ones before
11:05
we wrap. Fortinet customers have an actively
11:08
exploited problem on their hands. Fortinet released
11:11
an emergency update for Fortinet EMS after CVE
11:15
-2026 35616. A critical flaw was exploited in
11:21
the wild, and CISA added it to the known exploited
11:25
vulnerabilities list on April 6th. Karpathy had
11:28
one of those posts making the rounds again that
11:31
taps into the bigger conversation around how
11:34
much software work is shifting from direct coding
11:37
towards orchestration, review, and steering.
11:41
I do not think the useful takeaway there is blind
11:43
hype. I think it is that a lot of engineers are
11:46
already feeling the interface to software work
11:49
changing, even if the results are still uneven.
11:52
And then there is Proofshot, which I actually
11:55
think is a pretty fun tool mention. It is an
11:57
open -sourced CLI that tries to give AI coding
12:01
agents eyes by recording browser sessions. capturing
12:05
screenshots, collecting console and server errors,
12:08
and bundling proof artifacts for humans to review
12:11
or attach to pull requests. If agents are going
12:15
to claim they built something, they should probably
12:17
bring receipts. I think the cleanest closer for
12:28
this one is this. The interface layer is becoming
12:31
the story. Not just the database. Not just the
12:35
bucket. Not just the cluster. And not just the
12:38
scanner. The layer in front of it. The workflow
12:41
around it. The migration path off of it. The
12:44
trust assumptions baked into it. This is where
12:47
a lot of the real action is now. S3 is still
12:50
S3. But the file system interface changes who
12:54
can use it and how. Until the second incident
12:57
shows it can turn into a broader distribution
13:00
path for secret theft if the first breach was
13:03
not fully closed. Ingress is still just ingress.
13:07
Until the controller everybody built around it
13:10
starts aging out and you realize how much invisible
13:14
behavior you were carrying the whole time. And
13:17
Kubernetes is still just Kubernetes, but even
13:20
it is starting to say out loud that newer workloads
13:23
may need different shapes, different assumptions,
13:26
and different guardrails. That's the human side
13:29
of this stuff. A lot of ops pain comes from realizing
13:32
too late that the helper layer was never really
13:35
a helper layer. It was part of the system, maybe
13:39
the important part. And the teams that do well
13:42
are usually the ones that figure that out before
13:45
the incident does. All right, that's it for this
13:48
week of Ship It Weekly. Quick recap. Amazon S3
13:52
files and why I think it is more managed file
13:55
layer over S3 than S3 is EFS now, especially
14:00
compared with the old S3FS and Fuse -style approach.
14:05
Malicious Strapi flavored NPM packages, the
14:08
trivia follow -on incident, and why it was worth
14:11
revisiting. Kubernetes ingress to gateway and
14:14
the bigger gateway API migration pressure and
14:17
agent sandbox as a look at where the platform
14:20
may be headed next. Links and show notes are
14:23
on shipitweekly .fm. You can also find the video
14:26
versions on YouTube. And if you want more signal
14:29
before the episode, check out on callbrief .com.
14:33
If this episode was useful, follow or subscribe
14:35
wherever you listen, and send it to the person
14:38
on your team who keeps having to explain that
14:40
the thing everybody calls just glue is usually
14:43
sitting directly on the blast radius. Thanks
14:46
for listening, and I'll see you next week.
This week’s episode really came together around one idea: the interface layer is becoming the story.
That’s why the S3 Files launch stood out to me. People are going to flatten it into “S3 is basically EFS now,” and I do not think that is the right read. To me, this feels more like AWS taking a problem people have been awkwardly solving for years with things like s3fs and FUSE mounts, then wrapping it in a managed service boundary with better semantics and less DIY weirdness. Same general problem, very different level of ownership. It is still worth being a little skeptical of how the latency and consistency story holds up under real contention, but the shift itself is meaningful.
The security side of the episode fit that same theme from the uglier direction. The malicious Strapi-themed npm packages are a good reminder that attackers do not always need some brilliant new trick. Sometimes they just need to look normal enough to slide into an existing install habit. Plugins, package names, postinstall hooks, local service access, CI context, that whole surface area is fair game once trust gets handed out too casually.
And Trivy felt worth revisiting specifically because this was not just the exact same story from before. The March 19 incident was Aqua’s own admission that the earlier March 1 compromise had not been fully contained, and that the second round escalated into malicious releases and compromised GitHub Actions paths with real CI/CD secret exposure implications. That makes it less “same story again” and more “the worse sequel that proves the first one was not really over.”
I also liked that the Kubernetes pieces gave the episode some platform depth instead of making it one long supply chain panic spiral. Ingress2Gateway is exactly the kind of migration story infra teams actually live through. Not “look at this shiny new API,” but “how do we move off the thing everyone quietly built around for years without breaking weird controller-specific behavior in production?” And Agent Sandbox is interesting because even Kubernetes is now signaling that newer agent-style workloads may need different lifecycle assumptions, stronger isolation, and a different runtime shape than the old stateless-app model.
So my big takeaway from this week is pretty simple. The helper layer is not really a helper layer anymore. The wrapper around storage, the plugin path, the scanner in CI, the migration tooling, the runtime model for new workloads, that is where a lot of the operational truth lives now. And usually, that is also where a lot of the hidden risk lives.
Extra links / further reading
Amazon S3 Files official announcement
s3fs-fuse GitHub repo
SafeDep’s original write-up on the malicious Strapi npm packages
Original Trivy incident discussion from March 1
Aqua’s continued remediation and timeline update on the Trivy supply chain attack
Gateway API docs