On Call Brief – Week of June 7–13, 2026
This week's top stories
1. Over 20,000 Instagram accounts stolen in Meta AI support hack
- Category: Deep Dive
- What happened: Meta disclosed that a security incident led to the hijacking of over 20,000 Instagram accounts. Attackers exploited Meta's AI-powered support system to reset passwords and gain unauthorized access to user accounts.
- Takeaway: This incident raises concerns about the security of AI support systems and the potential for similar attacks on other platforms - operators should review their own security measures around account recovery processes.
- Source: Bleeping Computer
2. A postmortem of our May 7, 2026 outage
- Category: Deep Dive
- What happened: This article provides a detailed postmortem of the outage that occurred on May 7, 2026, discussing the causes, impact, and lessons learned from the incident.
- Takeaway: Understanding the root causes and resolutions from this outage can help prevent similar incidents in the future and improve incident response strategies.
- Source: Coinbase via SRE Weekly
3. Holy git! Microsoft code-sharing site suffers downtime, despite move to Azure
- Category: Deep Dive
- What happened: GitHub has faced ongoing service availability issues amid a surge in traffic driven by AI-assisted coding. Despite efforts to expand capacity and migrate workloads to Azure, reliability remains inconsistent. The May 2026 GitHub Availability Report noted nine incidents affecting performance, a slight improvement from April. GitHub's SVP acknowledged the need for further structural changes to enhance reliability. The platform has seen a significant increase in commits, now handling 1.4 billion monthly, and is working on isolating its primary database to prevent cascading failures. However, Azure has also experienced capacity challenges, contributing to GitHub's ongoing issues.
- Takeaway: GitHub's reliability issues could affect development workflows and CI/CD processes that rely on its services. The ongoing incidents and capacity challenges may lead to disruptions in code sharing and collaboration, impacting productivity.
- Source: The Register (Software)
4. DevOps'ish 312: Nobody won the token race, rsync outrage, dev goes scorched earth on vibe coders, and more
- Category: Community
- What happened: Red Hat Cloud Services experienced a significant security breach where compromised npm packages were used to deploy credential-stealing malware, though specific CVE numbers and affected package versions are not detailed in the available reporting. SRE teams should immediately audit their npm dependencies for any Red Hat Cloud Services packages and rotate any credentials that may have been exposed during the compromise window. The Kubernetes Dashboard project is transitioning to Headlamp as its successor, requiring operators to plan migration timelines for dashboard functionality. Teams should review their current Kubernetes Dashboard deployments and begin evaluating Headlamp as a replacement solution. This information comes from DevOps'ish newsletter issue 312 reporting on recent security incidents and project transitions.
- Worth reading: The Red Hat npm package compromise could lead to credential theft for users of those packages, necessitating immediate audits of environments. The Kubernetes Dashboard transition may require teams to adapt to new tools and workflows. Microsoft's change in policy could affect how security disclosures are handled in the future.
- Sources: via DevOps'ish, Devopsish via DevOps'ish
5. Major US Telecom Providers Form C2 ISAC to Coordinate Cyber Threat Sharing
- Category: Community
- What happened: Eight major US telecommunications providers have established the Communications Cybersecurity ISAC (C2 ISAC) to improve coordination of cyber threat intelligence sharing and response strategies, according to Security Boulevard Newsletters. This initiative follows recent high-profile attacks targeting US telecom infrastructure that demonstrated gaps in industry-wide threat coordination. The C2 ISAC will enable participating carriers to share real-time threat indicators, attack patterns, and defensive measures across the telecommunications sector. SRE teams at telecom operators should engage with their security teams to understand how their organization plans to participate in this threat sharing initiative and what new threat intelligence feeds or response protocols may be implemented. Organizations not among the founding eight providers should evaluate joining the ISAC or establishing alternative threat intelligence sharing partnerships to benefit from coordinated industry defense efforts.
- Worth reading: This initiative may lead to improved threat detection and response capabilities across telecom networks, potentially affecting service reliability and security posture for operators.
- Sources: Security Boulevard Newsletters, Security Boulevard Newsletters
6. Successful" from the EKS API means the configuration was accepted, not that CoreDNS will survive it. Kannan's
- Category: Deep Dive
- What happened: Kannan's postmortem discusses a situation where a schema-valid Corefile in EKS was accepted by the API but ultimately led to issues after a node upgrade. This highlights the importance of validating add-on configurations more thoroughly to prevent similar incidents.
- Takeaway: This incident emphasizes the need for better validation practices for EKS add-on configurations to avoid unexpected failures during upgrades - especially for critical components like CoreDNS.
- Source: Kannanak via Last Week in AWS
7. Dynatrace observability is now a Kiro power
- Category: Deep Dive
- What happened: Dynatrace has introduced the Kiro power, which integrates live observability data and root cause analysis directly into the Kiro IDE. This feature allows developers to access real-time production insights without manual setup, enabling them to investigate incidents, query metrics, and receive remediation suggestions based on actual telemetry data.
- Takeaway: This change could streamline the incident response process for developers, reducing reliance on SRE teams and improving the speed of troubleshooting and remediation in production environments.
- Source: Dynatrace Blog
CVE & Security
1. CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http
- Category: Security / Patch
- What happened: CVE-2026-12043 is a vulnerability in the AWS Common Runtime aws-c-http library, which is used by AWS SDKs for HTTP requests. The issue arises from improper handling of HPACK dynamic table size updates, potentially allowing remote code execution through crafted HTTP/2 HEADERS frames. The affected versions include aws-c-http versions between 0.4.22 and 0.10.15, as well as specific versions of aws-sdk-cpp and aws-sdk-java-v2.
- Do this Monday: This vulnerability could lead to memory corruption and arbitrary code execution in client applications using the affected AWS SDKs, necessitating immediate updates to mitigate potential security risks.
- Source: AWS Security Bulletins
2. CVE-2026-11393 - Code Injection via Improper Triple-Quote Escaping in AgentCore CLI Bedrock Agent Import
- Category: Security / Patch
- What happened: CVE-2026-11393 is a code injection vulnerability in the AWS AgentCore CLI that allows authenticated users to inject arbitrary Python code into generated source files. This occurs due to improper handling of triple-quote characters in the collaborationInstruction field, which can lead to execution of malicious code with the user's credentials if the generated file is run.
- Do this Monday: This vulnerability could allow unauthorized code execution in environments where the AgentCore CLI is used, potentially compromising the security of AWS accounts and resources.
- Source: AWS Security Bulletins
3. CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer - "Under certain circumstances" is kissing cousins with
- Category: Security / Patch
- What happened: CVE-2026-10584 highlights a vulnerability in Graph Explorer where sensitive data may be sent over unencrypted HTTP if the SSL certificate is missing. This issue can lead to potential data exposure, and users are advised to update to version 3.0.1 to mitigate the risk.
- Do this Monday: Operators should prioritize updating Graph Explorer to version 3.0.1 to prevent sensitive data from being transmitted over unencrypted channels, which could lead to compliance issues and data breaches.
- Source: Aws Amazon via Last Week in AWS
4. C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
- Category: Security / Patch
- What happened: The C0XMO botnet exploits a vulnerability in DD-WRT router firmware, allowing it to spread and potentially affect devices with different CPU architectures. This botnet variant is also capable of eliminating competing malware.
- Do this Monday: - Operators using DD-WRT routers should assess their firmware for vulnerabilities and consider applying patches to prevent exploitation by the C0XMO botnet.
- Source: Bleeping Computer
5. CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths - Turns out the
- Category: Security / Patch
- What happened: CVE-2026-10591 describes a vulnerability in Kiro IDE where insufficient file write restrictions allow the IDE to execute arbitrary code from tasks.json when opening a folder. Users are advised to upgrade to version 0.11 as there are no workarounds available.
- Do this Monday: This vulnerability could lead to arbitrary code execution, posing a significant security risk if the IDE is used in production environments. Immediate upgrade is necessary to mitigate this risk.
- Source: Aws Amazon via Last Week in AWS
6. Federal government orders Anthropic to pull Fable 5 and Mythos 5, three days after launch
- Category: Security / Patch
- What happened: The US government ordered Anthropic to disable its AI models Fable 5 and Mythos 5 just three days after their launch due to concerns over potential jailbreak vulnerabilities. The directive affects all users, including Anthropic employees, leading to a complete shutdown of these models. Anthropic disagrees with the government's decision, arguing that the identified vulnerabilities are minor and similar to those found in other models. This abrupt action impacts users who recently integrated these models into their production systems, forcing them to seek alternatives.
- Do this Monday: Teams that integrated Fable 5 into production must quickly find replacements, as the model is now disabled for all users due to a federal directive. This could disrupt workflows and require immediate adjustments.
- Source: The New Stack
7. Broadcom Aims to Better Secure Spring Applications in the AI Era
- Category: Security / Patch
- What happened: Broadcom has released updates to the Spring framework to address a significant increase in vulnerabilities identified by AI tools. They are also introducing a managed service to secure Spring dependencies, leveraging Bitnami technology. The number of security advisories reported has surged, prompting enterprises to seek faster patch validation and application. The article discusses the evolving risk landscape in the AI era, where exploits can be developed rapidly, necessitating a shift in how organizations manage vulnerabilities and assess risk.
- Do this Monday: Broadcom's updates may require immediate attention from teams using the Spring framework to ensure their applications are secure against newly identified vulnerabilities. The shift in vulnerability management practices could affect DevSecOps workflows, necessitating more frequent patching and risk reassessment.
- Source: DevOps.com
8. Survey Surfaces Depth of DevSecOps Crisis in the Age of AI
- Category: Security / Patch
- What happened: A recent survey reveals that 96% of developers and security professionals are using AI in their application development, with nearly half of the code in production being AI-generated. However, 70% report an increase in vulnerabilities, and 93% acknowledge experiencing security breaches due to vulnerable applications. Many organizations feel pressured to delay reporting compliance-related security issues, leading to a culture of shipping vulnerable code. Despite claiming a mature security posture, nearly half of those with such postures faced multiple breaches in the past year, indicating significant gaps in DevSecOps practices.
- Do this Monday: The findings highlight a critical need for organizations to reassess their DevSecOps practices, especially as AI-generated code becomes more prevalent. Increased vulnerabilities and pressure to prioritize speed over security could lead to more breaches, affecting production stability and security compliance.
- Source: DevOps.com
9. Why Endpoint Protection Matters More than Ever in CI/CD Environments
- Category: Security / Patch
- What happened: The article discusses the importance of endpoint protection in CI/CD environments, emphasizing that developer endpoints often hold sensitive data such as cloud credentials and SSH keys. It highlights that compromised workstations can bypass existing CI/CD security measures, exposing deployment credentials and internal systems. The piece advocates for advanced endpoint security solutions to protect against malware and credential theft, especially as remote and hybrid work becomes more common.
- Do this Monday: Increased focus on endpoint security is crucial as compromised developer machines can lead to significant security breaches in CI/CD workflows. Organizations should enhance their security posture to include endpoint protection to mitigate risks associated with remote work.
- Source: DevOps.com
Releases
1. Silent Ransom Group targets law firms with fake IT support calls
- Category: Release
- What happened: The Silent Ransom Group is conducting social engineering attacks against U.S. law firms and professional services, posing as IT support to gain access and potentially steal data within hours of contact. This highlights the need for heightened vigilance and security awareness in these sectors.
- Do this Monday: Organizations, especially in the legal sector, should reinforce security training and protocols to mitigate risks from social engineering attacks - this could lead to data breaches if not addressed.
- Source: Bleeping Computer
2. Turning Cloudflare’s threat indicators into real-time WAF rules
- Category: Release
- What happened: Cloudflare has introduced a new integration that allows users to create proactive WAF rules using real-time threat intelligence data. This feature enables security teams to automate the blocking of high-risk IPs associated with known threat actors, enhancing application protection against attacks. The system operates on an 'always-on detection' framework, providing continuous threat insights without the need for pre-configured rules. This approach eliminates the trade-off between visibility and protection, allowing for better-informed security decisions.
- Do this Monday: This change could significantly improve the ability to mitigate threats in real-time, reducing the manual effort required to configure WAF rules and enhancing overall security posture.
- Source: Cloudflare Blog
3. AWS Releases Next Generation of Amazon OpenSearch Serverless
- Category: Release
- What happened: AWS has announced the general availability of the next generation of Amazon OpenSearch Serverless, featuring a redesigned architecture that allows for 20 times faster resource provisioning, true scale-to-zero capability, and up to 60% lower costs compared to provisioned clusters during peak loads.
- Do this Monday: This release could significantly reduce costs and improve performance for applications using OpenSearch, making it a compelling option for workloads that experience variable demand.
- Source: InfoQ DevOps
4. IP allow list coverage for EMU namespaces in general availability
- Category: Release
- What happened: GitHub Enterprise Cloud now allows enterprises using Enterprise Managed Users (EMUs) to enforce IP allow list configurations across user namespaces. This feature ensures that EMU users can only access their repositories from specified IP addresses, applying to all access methods including web UI, Git protocol, and APIs.
- Do this Monday: This change enhances security for enterprises by restricting access to repositories based on IP addresses, which may require updates to network configurations for users accessing GitHub.
- Source: GitHub Changelog
5. Integrating Event Source Mappings with AWS Lambda tenant isolation mode
- Category: Release
- What happened: AWS Lambda's tenant isolation mode allows for building event-driven multi-tenant SaaS applications with improved security and reduced operational complexity. This mode associates execution environments with specific tenant identifiers, ensuring that workloads run in dedicated environments without the need for separate Lambda functions per tenant. The article explains how to implement IAM permissions, validate tenant context, and use routing mechanisms for tenant-isolated backends, providing sample code for practical implementation.
- Do this Monday: This change simplifies the architecture for multi-tenant applications, potentially reducing costs and improving security by avoiding cross-tenant data leakage. Operators should consider adopting this model for new or existing SaaS applications to enhance isolation and efficiency.
- Source: AWS Compute Blog
6. “A dangerous combination”: The 2 factors that can “corrupt” AI agent workflows
- Category: Release
- What happened: The article discusses the implications of AI agents on identity and access management (IAM), highlighting the risks associated with poorly managed credentials. It emphasizes that traditional IAM models are inadequate for the dynamic and unpredictable nature of AI agents, which can access critical infrastructure and execute actions autonomously. The authors warn that without proper oversight and management of credentials, AI agents could negatively impact production workloads and expose sensitive information.
- Do this Monday: AI agents accessing critical infrastructure without proper IAM controls can lead to data corruption, outages, and security vulnerabilities - organizations must adapt their IAM strategies to mitigate these risks.
- Source: The New Stack
7. For years, Apache Cassandra handed this work to your team — 6.0 takes it back
- Category: Release
- What happened: Apache Cassandra 6.0 introduces significant changes by taking back responsibilities previously handled by application code, particularly in multi-partition workflows. The new Accord consensus protocol provides ACID transaction semantics with strict serializable isolation, shifting some coordination work from the application layer into the database. Additionally, the release features improved Transactional Cluster Metadata (TCM) for better metadata coordination, addressing challenges related to schema changes and token ownership that have historically relied on eventual consistency.
- Do this Monday: The shift of coordination tasks into the database may simplify application logic and improve reliability, but teams will need to assess the impact on their current architecture and upgrade paths.
- Source: The New Stack
8. From reactive to proactive: How NAIC embedded AI‑powered observability directly into the IDE
- Category: Release
- What happened: NAIC has integrated AI-powered observability directly into their IDE using Kiro and Dynatrace, reducing the time developers spend switching between tools to investigate issues. This integration allows developers to access production insights and perform root-cause analysis in minutes instead of hours, significantly enhancing productivity and reducing dependency on SRE teams.
- Do this Monday: This change could streamline incident response and improve developer efficiency, potentially reducing downtime and speeding up the resolution of production issues.
- Source: Dynatrace Blog
9. OpenAI models and Codex on Amazon Bedrock are now generally available - There's now a second model provider
- Category: Release
- What happened: AWS has released several new services to general availability as of June 8, 2026, according to AWS What's New. The AWS IoT Device SDK for Swift is now GA with MQTT 5 connectivity and device management capabilities for Swift developers, while Amazon RDS for SQL Server has added bring-your-own-media (BYOM) functionality. Additionally, OpenAI models and Codex are now generally available on Amazon Bedrock, marking the introduction of a second model provider alongside the existing Anthropic models, as reported by Last Week in AWS. SRE teams using Swift for IoT development should evaluate the new SDK for MQTT 5 migration opportunities, while teams managing SQL Server workloads should assess BYOM for potential cost optimization. Organizations currently using Amazon Bedrock should review the new OpenAI model options for potential performance or cost improvements over existing Anthropic implementations.
- Do this Monday: This expansion may affect how teams leverage AI models for their applications, potentially offering more options for integration and development.
- Sources: AWS What's New, Aws Amazon via Last Week in AWS
Lightning links
- Operationalizing AWS security: A maturity roadmap (AWS Security Blog) -- This roadmap provides a phased approach to enhance AWS security using foundational tools.
- 5 Software Supply Chain Security Best Practices for Development Teams (Docker Blog) -- Enhance your software supply chain security with these five essential best practices.
- AWS Introduces CDK Mixins for Composable Infrastructure Abstractions (InfoQ DevOps) -- CDK Mixins allow developers to add reusable capabilities to AWS resources, enhancing flexibility.
- Enterprise Live Migrations: Moving from Azure DevOps Repo to GitHub (Azure DevOps Blog) -- This feature enables seamless migration of repositories from Azure DevOps to GitHub with minimal disruption.
- Try the new console experience in Amazon Bedrock (TLDR AI) -- Amazon Bedrock's new console experience optimizes workflows for Anthropic and OpenAI-compatible APIs.
- How we made GitHub Copilot CLI more selective about delegation (GitHub Blog) -- Improvements to Copilot CLI have reduced tool failures by 23% through smarter delegation.
- ICYMI: May 2026 @AWS Security (AWS Security Blog) -- This digest highlights new AWS security features and compliance updates worth noting.
- PostgreSQL 19 Beta 1 Released! (TLDR Data) -- The latest PostgreSQL beta introduces major updates including autoscaling async I/O and improved observability.
Human Stories
Looking at this week's stories, what strikes me most is how the gaps between "working" and "actually working" keep widening as our systems grow more complex. Meta's AI support system functioned exactly as designed - until attackers figured out how to weaponize that functionality against 20,000 Instagram users. GitHub's migration to Azure checked all the technical boxes, yet reliability still suffers under real-world load. Kannan's EKS postmortem perfectly captures this disconnect: the API cheerfully accepted a configuration that would later fail catastrophically, because "successful" only meant the syntax was valid, not that the system would survive contact with reality. As we layer on more automation, AI assistance, and abstraction, we're not just managing infrastructure anymore - we're managing the dangerous illusion that our tools understand context the way we do.
Also worth reading
IIS Website Showing Thai Casino Spam Only to Googlebot - Can't Find Source (Reddit r/sysadmin)
A user reports an issue with their IIS 10 website on Windows Server 2019, where normal visitors see the correct content, but Googlebot receives altered HTML that displays Thai casino spam. This issue affects multiple unrelated domains hosted on the same server, suggesting a potential server-side mod
A debugging story with a twist: reducing the cache size caused 270 SIGKILLs, and the memory metric everyone trusts (Last Week in AWS)
The article discusses a debugging incident where reducing the cache size led to 270 SIGKILLs due to memory issues. It highlights that the memory metric commonly trusted is actually a high-water mark that does not reset, which was confirmed by AWS support. The insights provided are particularly relev
Customers over control: how we measure On-call reliability (SRE Weekly)
The article discusses the approach to measuring on-call reliability by prioritizing customer impact over strict control metrics. It emphasizes the importance of understanding customer needs and experiences during incidents rather than solely focusing on internal performance metrics.