On Call Brief – Week of June 21–27, 2026

2026-06-21 — 2026-06-27 Briefing: 2026-06-21 Last updated 2 weeks ago (Jun 27, 2026 3:07 am EDT) 22 min read
Share
Category:
Tags:

This week's top stories

1. I discovered a large-scale malware distribution on GitHub

  • Category: Community
  • What happened: A large-scale malware distribution campaign has been found on GitHub, involving 10,000 repositories containing Trojan malware disguised under various names. The repositories regularly update their readme files with links to a zip archive containing the malicious software and frequently delete and re-add the same commits, making detection more difficult.
  • Worth reading: This discovery highlights a significant security risk for organizations using GitHub, as malicious repositories can compromise systems if users inadvertently download and execute the malware. Operators should enhance their monitoring and scanning practices for third-party code.
  • Source: Orchidfiles via TLDR Dev
  • Tags:

2. Rokarolla Android Banking Trojan Turns Smartphones Into Weapons Against Users

  • Category: Community
  • What happened: The Rokarolla Android banking Trojan has been observed targeting 217 cryptocurrency and banking applications, combining credential harvesting capabilities with extensive device surveillance features. The malware is being distributed through fraudulent websites that impersonate legitimate applications such as TikTok and Chrome to trick users into installation. SRE teams managing Android device fleets or providing mobile access to corporate resources should verify that mobile device management policies block sideloaded applications and enforce installation only from official app stores. Organizations should alert users about this distribution method and review authentication logs for any suspicious access patterns from Android devices, particularly those accessing financial or cryptocurrency services. Security teams should also ensure endpoint detection systems are updated to identify this threat variant and consider implementing additional authentication controls for high-risk transactions originating from mobile devices.
  • Worth reading: This Trojan poses a significant risk to users of affected banking and cryptocurrency applications, potentially leading to unauthorized access and financial loss. Operators should be aware of the distribution methods to mitigate risks.
  • Sources: Security Boulevard Newsletters
  • Tags:

3. MSG Breach: Knicks Take the NBA Championship, ShinyHunters Takes the Data

  • Category: Community
  • What happened: The ransomware group ShinyHunters has leaked 45GB of data from Madison Square Garden after the venue failed to meet an extortion payment deadline, according to Security Boulevard Newsletters. This represents the second major cyber breach for MSG, illustrating a pattern of successful attacks targeting sports and entertainment organizations. While this incident primarily affects MSG's business operations rather than technical infrastructure, SRE teams managing similar venue operations or ticketing systems should review their backup strategies and incident response procedures, particularly around payment systems and customer databases that may have been compromised. Organizations in the sports and entertainment sector should verify their detection capabilities for lateral movement and data exfiltration, as threat actors are demonstrably focusing on this vertical.
  • Worth reading: Organizations in the sports sector should reassess their cybersecurity measures, particularly regarding payment processes and data protection, to mitigate risks of similar breaches.
  • Sources: Security Boulevard Newsletters
  • Tags:

4. Amazon EKS now supports customer-routed control plane egress - Compliance teams have spent years begging EKS to

  • Category: Community
  • What happened: Amazon EKS has introduced support for customer-routed control plane egress, allowing compliance teams to route control plane traffic through their own VPC without additional costs. However, this may lead to unexpected charges when the traffic passes through a NAT Gateway, highlighting potential billing implications.
  • Worth reading: This change enables better compliance and control over network traffic for EKS users, but operators should be aware of potential costs associated with NAT Gateway usage.
  • Source: AWS via Last Week in AWS
  • Tags:

5. Friday Five — June 19, 2026

  • Category: Community
  • What happened: Project Lightwell is a collaborative initiative between Red Hat and IBM aimed at securing the software supply chain. This $5 billion project involves a group of financial and critical infrastructure leaders working together to create a secure enterprise clearinghouse for software.
  • Worth reading: This initiative may influence production environments by enhancing the security of software supply chains, which is critical for enterprises relying on open-source solutions.
  • Source: Red Hat Blog
  • Tags:

6. Credentials Lost the Top Spot. They Didn't Lose Their Teeth

  • Category: Community
  • What happened: The 2026 Verizon Data Breach Investigations Report (DBIR) shows that vulnerability exploitation has surpassed credential abuse as the leading initial access method in security breaches, marking a significant shift in attacker tactics according to Security Boulevard. Despite losing the top position, credential-based attacks remain a substantial threat vector that organizations cannot ignore. SRE teams should maintain a dual-focus security posture that prioritizes both rapid patch management for known vulnerabilities and robust credential protection measures including multi-factor authentication, password policies, and credential rotation. This tactical shift likely reflects increased organizational investment in identity security over recent years, pushing threat actors toward exploiting unpatched systems as an easier entry point.
  • Worth reading: This change in breach tactics suggests a need for heightened focus on vulnerability management and patching, while not neglecting the ongoing risks associated with credential abuse and MFA circumvention.
  • Sources: Security Boulevard Newsletters
  • Tags:

7. Production-Ready Autonomous Incident Resolution with AWS DevOps Agent (now GA) and Datadog MCP Server

  • Category: Deep Dive
  • What happened: AWS DevOps Agent and Datadog MCP Server are now generally available, enabling autonomous incident resolution across AWS and multicloud environments. The integration allows AI agents to access observability data from Datadog, facilitating faster incident resolution by correlating monitoring data with infrastructure. The AWS DevOps Agent automates incident triage and response, optimizing application reliability and performance while providing proactive prevention recommendations. It supports integration with tools like Slack and PagerDuty for streamlined communication during incidents.
  • Takeaway: The general availability of AWS DevOps Agent and Datadog MCP Server may significantly enhance incident response times and reduce manual effort in operations. Teams can leverage these tools to automate incident resolution processes, which is crucial as applications become more complex and distributed. This could lead to improved reliability and performance of applications in production environments.
  • Source: AWS DevOps Blog
  • Tags:

8. Accelerate Incident Resolution with PagerDuty and AWS DevOps Agent

  • Category: Deep Dive
  • What happened: The integration of PagerDuty with the AWS DevOps Agent aims to accelerate incident resolution by enabling the DevOps Agent to initiate investigations automatically when a PagerDuty incident is triggered. This integration allows for real-time analysis and correlation of data across various observability tools, reducing the time spent manually gathering information. The AWS DevOps Agent can also provide proactive recommendations to improve observability and infrastructure, ultimately helping teams resolve incidents more efficiently.
  • Takeaway: This integration could significantly reduce incident resolution times by automating the investigation process and providing immediate insights, which may lead to improved uptime and customer satisfaction. Teams using AWS and PagerDuty should consider implementing this integration to enhance their incident response capabilities.
  • Source: AWS DevOps Blog
  • Tags:

9. Amazon ECS introduces new high-resolution metrics for faster service auto scaling

  • Category: Community
  • What happened: Amazon ECS has added support for 20-second high-resolution CloudWatch metrics for service auto scaling. This enhancement allows for a quicker response to workload changes, achieving up to 76% faster scale-out and 72% faster end-to-end provisioning. The update aims to improve performance, reduce over-provisioning costs, and simplify scaling configurations using target tracking policies across Fargate, EC2, and managed instances.
  • Worth reading: This change could lead to more efficient resource utilization and cost savings in production environments by enabling faster scaling in response to workload fluctuations. Operators should consider updating their scaling configurations to leverage these new metrics.
  • Source: AWS via TLDR DevOps
  • Tags:

10. Amazon ECS service auto scaling now supports 20-second high-resolution CloudWatch metrics, enabling significantly

  • Category: Community
  • What happened: Amazon ECS service auto scaling now supports 20-second high-resolution CloudWatch metrics, replacing the previous lower-resolution metric intervals and enabling faster responses to workload changes. This enhancement allows ECS services to scale up or down more rapidly based on near real-time metric data, which can improve resource utilization and application responsiveness during traffic spikes or drops. SRE teams using ECS should review their existing auto scaling policies to determine if adjusting evaluation periods to leverage these high-resolution metrics would benefit their workloads, particularly for applications with rapid traffic fluctuations. Organizations implementing this capability should note that high-resolution metrics may incur additional CloudWatch costs compared to standard 60-second resolution metrics.
  • Worth reading: This change could lead to improved scaling performance for ECS services, allowing operators to respond more quickly to workload fluctuations - it may require adjustments in monitoring and scaling policies.
  • Sources: Chronosphere via TLDR DevOps
  • Tags:

CVE & Security

1. Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262

  • Category: Security / Patch
  • What happened: Containerd has released patches for five critical CVEs (CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262) affecting the CRI plugin across versions 1.7 through 2.3, with vulnerabilities including checkpoint import issues, arbitrary command execution, annotation smuggling, arbitrary file read, and denial of service. Patched versions are now available as 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2, with version 1.7.33 also updating runc to v1.3.6 and Go to 1.26.4/1.25.11 according to containerd releases. Operators should upgrade immediately to the appropriate patched version for their major release branch and test thoroughly, as these vulnerabilities affect core container runtime security boundaries. AWS Security Bulletins independently confirmed the severity of these issues, emphasizing the need for urgent remediation across containerized environments.
  • Do this Monday: Operators using AWS managed container services should prioritize patching containerd to mitigate these vulnerabilities, as they could lead to serious security risks including command execution and denial of service.
  • Sources: AWS Security Bulletins, containerd releases
  • Tags:

2. DevOps'ish 314: GitHub Ignored the Reports, Norway Didn't, AI Needs More Discipline, and More

  • Category: Security / Patch
  • What happened: GitHub has reportedly ignored multiple security vulnerability reports that are now actively being exploited by a supply-chain worm, resulting in the compromise of numerous packages and developer accounts according to DevOps'ish 314. The incident represents an active supply-chain attack targeting the GitHub ecosystem, though specific CVE numbers and affected package names were not disclosed in the available reporting. Operators should immediately audit their GitHub dependencies for unexpected changes, review account access logs for unauthorized activity, and implement additional verification steps for package updates until GitHub provides detailed remediation guidance. Organizations using GitHub packages should consider temporarily pinning dependencies to known-good versions and enabling enhanced security monitoring for their CI/CD pipelines given the ongoing nature of this supply-chain compromise.
  • Do this Monday: The exploitation of vulnerabilities in GitHub could lead to significant security risks for organizations relying on its repositories. The introduction of Mendral could help teams enhance their security posture by ensuring dependencies are reviewed for potential threats before integration.
  • Sources: DevOps'ish
  • Tags:

3. YouTrack Security Update: Upgrade Required for YouTrack Server

  • Category: Security / Patch
  • What happened: YouTrack administrators are advised to upgrade to fixed versions due to several identified security vulnerabilities. YouTrack Cloud has already been patched, but YouTrack Server users must upgrade to versions 2024.2 or newer to mitigate risks. The vulnerabilities include potential admin account takeovers and email verification bypasses, with specific CVEs assigned for tracking.
  • Do this Monday: Failure to upgrade YouTrack Server could expose systems to critical vulnerabilities, including admin account takeovers and email verification bypasses. Immediate action is recommended for affected installations.
  • Source: JetBrains Blog
  • Tags:

4. pgAdmin 4 v9.16 Released

  • Category: Security / Patch
  • What happened: pgAdmin 4 version 9.16 has been released, featuring 64 bug fixes and new functionalities. This version addresses seven security vulnerabilities, including critical SQL injection and cross-site scripting issues. Notable enhancements include improved UI features for server identification and configurable security contexts in Helm charts.
  • Do this Monday: The release includes critical security fixes that should be applied to prevent potential exploits in production environments. The new features may improve user experience and operational efficiency when managing PostgreSQL databases.
  • Source: PostgreSQL News
  • Tags:

5. Claude Fable 5 on Bedrock Requires Sharing Inference Data with Anthropic

  • Category: Security / Patch
  • What happened: Using Claude Fable 5 or Mythos 5 on Amazon Bedrock necessitates opting into data sharing, which involves sending prompts and outputs to Anthropic for a 30-day retention period with human review. This marks a change from previous Bedrock models that retained inference data within AWS. Shortly after the launch, Anthropic requested AWS to revoke access to both models due to compliance with US export control regulations.
  • Do this Monday: This change in data handling practices may affect how organizations using Bedrock manage their data privacy and compliance, particularly regarding sensitive information and export controls - operators should review their data sharing policies.
  • Source: InfoQ DevOps
  • Tags:

Releases

1. Upgrading Lambda function runtimes at scale with AWS Transform custom

  • Category: Release
  • What happened: AWS has released two new developer tools aimed at improving operational efficiency at scale. AWS Transform custom is a new service designed to help teams upgrade Lambda function runtimes across large fleets by identifying risks and ensuring test coverage during the migration process (AWS Compute Blog). Separately, the Kiro power for AWS DevOps Agent integrates cloud operational intelligence directly into IDEs, enabling developers to troubleshoot production issues without context switching by connecting Kiro's AI-powered IDE with AWS DevOps tooling (AWS DevOps Blog). SRE teams managing large Lambda deployments should evaluate AWS Transform custom for upcoming runtime upgrades, while those seeking to reduce mean time to resolution may benefit from piloting the Kiro integration for production troubleshooting workflows.
  • Do this Monday: Organizations using AWS Lambda need to be aware of upcoming deprecation timelines for runtimes like Node.js and Python to avoid security risks and compliance issues. The introduction of AWS Transform custom can significantly reduce the engineering effort required for large-scale upgrades, allowing teams to focus on feature development while maintaining compliance.
  • Sources: AWS Compute Blog, AWS DevOps Blog
  • Tags:

2. AWS Security Agent announces support for Threat Modeling - An AI now tells you all the ways your architecture

  • Category: Release
  • What happened: AWS Security Agent has introduced support for Threat Modeling, utilizing AI to identify potential vulnerabilities in user architectures. This feature is currently free during its preview phase, highlighting various threats, including concerns about pricing transparency.
  • Do this Monday: This new AI-driven threat modeling tool could help teams proactively identify security risks in their AWS architectures, potentially improving security posture and compliance efforts.
  • Source: AWS via Last Week in AWS
  • Tags:

3. Bcachefs exits experimental status in new 'performance release'

  • Category: Release
  • What happened: Bcachefs version 1.38.6 has been released, marking its exit from experimental status. This release includes performance optimizations, bug fixes, and increases the number of devices in a filesystem to 255. The filesystem's Reconcile operation is now faster and more parallel. Additionally, the userspace code has been converted to Rust, with plans for further integration into the DKMS module. Performance comparisons show bcachefs achieving competitive speeds against XFS, although some benchmarks indicate it may be slower in certain scenarios.
  • Do this Monday: The transition of bcachefs to a non-experimental status and its performance enhancements could influence filesystem choices in production environments, especially for those considering alternatives to traditional filesystems like XFS. The ongoing Rust conversion may also affect future compatibility and performance.
  • Source: The Register (Software)
  • Tags:

Also this week

Community reads

11. Amazon ECS service auto scaling now supports 20-second high-resolution CloudWatch metrics, enabling significantly

  • Category: Community
  • What happened: Amazon ECS service auto scaling now supports 20-second high-resolution CloudWatch metrics, down from the previous 1-minute standard resolution, enabling the service to respond to workload changes up to three times faster than before. This enhancement applies to target tracking scaling policies that use CloudWatch metrics and is available immediately across all AWS regions where ECS operates. SRE teams running latency-sensitive or bursty workloads should consider enabling high-resolution metrics on their CloudWatch alarms and updating their ECS service auto scaling policies to take advantage of the improved responsiveness, particularly for applications that experience rapid traffic spikes or require sub-minute scaling reactions. The feature requires no code changes to existing ECS services but does require enabling high-resolution metric collection in CloudWatch, which may increase CloudWatch costs due to the higher metric resolution and increased data point frequency.
  • Worth reading: The ability to utilize high-resolution metrics can lead to more efficient resource management and cost savings by allowing ECS to scale in and out more effectively based on real-time workload demands - operators should consider adjusting their scaling policies to take advantage of this feature.
  • Sources: Octopus via TLDR DevOps, Netflixtechblog via TLDR DevOps, AWS via TLDR DevOps
  • Tags:

12. Losing Fable made the best case yet for AI models you can run yourself

  • Category: Community
  • What happened: The article discusses the recent shutdown of the AI model Fable due to U.S. export-control directives, highlighting the risks of relying on hosted models. It emphasizes the importance of open-weight models, such as Z.ai's GLM-5.2, which users can download and run independently. The situation serves as a cautionary tale for enterprises that built automation on Fable, illustrating the potential consequences of losing access to a hosted service. The piece also notes the growing interest in GLM-5.2, which is being touted as a leading open-weight model for coding tasks.
  • Worth reading: The shutdown of Fable underscores the risks associated with hosted AI models, prompting a shift towards open-weight models that can be self-hosted. This may influence operational decisions regarding AI model deployment and reliance on third-party services.
  • Source: The New Stack
  • Tags:

13. Google has been on fire lately proposing new protocols in the agentic AI era. Just last week they proposed the

  • Category: Community
  • What happened: AWS has launched S3 annotations, a new feature that allows users to store mutable and queryable metadata directly on S3 objects, addressing the previous limitation of immutable object metadata (source: readysetcloud.io). Unlike standard S3 metadata which is set at object creation and cannot be changed without replacing the entire object, annotations can be modified independently and queried across objects, enabling use cases like data cataloging, access tracking, and lifecycle management without object rewrites. Operators should evaluate S3 annotations for workflows currently using external metadata stores or DynamoDB tables to track S3 object state, as the native integration may reduce complexity and costs for metadata management. The feature provides richer context for stored data and eliminates the need to maintain separate metadata systems alongside S3 buckets.
  • Worth reading: This feature allows for more flexible data management and querying capabilities directly within S3, which could improve workflows that rely on metadata for object retrieval and processing.
  • Sources: readysetcloud.io
  • Tags:

14. GitHub ships code quality to GA; Estonia hands AI agents official IDs; Chevron and Microsoft go gigawatt. The

  • Category: Community
  • What happened: GitHub has moved its Code Quality feature to General Availability (GA), enabling developers to assess and improve code quality directly within GitHub repositories through automated checks, static analysis, and integrated insights according to the Techstrong Brief. The feature provides tools for identifying issues early in the development process, suggesting improvements, and enhancing code maintainability while reducing technical debt across the codebase. Organizations using GitHub should evaluate integrating these automated quality checks into their existing code review workflows and CI/CD pipelines to standardize code quality enforcement. Teams can access the feature natively within their GitHub repositories without requiring additional third-party integrations for basic code quality assessments.
  • Worth reading: The GA release of GitHub Code Quality may lead to improved code practices within teams, potentially reducing bugs and technical debt in production environments. Teams should consider integrating this feature into their CI/CD pipelines to leverage its benefits.
  • Sources: Techstrong Brief
  • Tags:

15. AWS previews AI-native release management for DevOps agents; OpenAI revenues surge but losses dwarf them; memory

  • Category: Community
  • What happened: AWS has announced a preview of AI-native release management designed specifically for DevOps agents, representing a shift towards integrating artificial intelligence capabilities directly into deployment and release processes according to Techstrong Brief. The new system aims to streamline deployment workflows, enhance automation efficiency, and potentially reduce errors in the release management process by leveraging AI capabilities. SRE teams currently using AWS deployment tooling should evaluate this preview feature to assess how AI-assisted release management might improve their deployment pipelines and automation workflows. Organizations should monitor AWS announcements for general availability timelines and pricing details before planning integration into production environments.
  • Worth reading: The introduction of AI-native release management could significantly improve deployment efficiency and automation for DevOps teams. Organizations may need to evaluate their current release processes and consider adopting these new tools to stay competitive. The shift in memory technology could also necessitate hardware upgrades to support AI workloads more effectively.
  • Sources: Techstrong Brief
  • Tags:

16. AWS Previews Release Management Capabilities Added to DevOps Agent

  • Category: Community
  • What happened: AWS has announced a preview of AI-native release management capabilities for its DevOps agents, which aims to enhance the release process by integrating AI functionalities. This development could streamline deployment workflows and improve efficiency in managing software releases.
  • Worth reading: The introduction of AI-native release management could significantly affect how teams handle deployments, potentially reducing errors and improving speed. Operators should evaluate how these new capabilities can be integrated into their existing workflows.
  • Source: Techstrong Brief
  • Tags:

Lightning links

Human Stories

The pendulum keeps swinging between building faster and defending harder, and this week makes it clear we're not getting off that ride anytime soon. While AWS and Datadog are giving us autonomous agents that can resolve incidents without human intervention, we're simultaneously watching 10,000 malware-laden repositories flood GitHub and banking trojans like Rokarolla turn our users' phones into surveillance devices. The irony isn't lost on me that the same week Amazon finally gives compliance teams customer-routed EKS egress - a feature begged for over years - we're learning that attackers have shifted from credential theft to vulnerability exploitation as their primary entry vector. Project Lightwell's $5 billion investment in supply chain security tells you everything about how seriously the financial sector is taking this, because when banks and critical infrastructure providers pool that kind of money, they've seen something that scared them. We're automating our way forward while simultaneously fortifying every layer beneath us, and maybe that's just what modern operations looks like now.

Also worth reading

When failover isn't safe: Building high-availability PostgreSQL on Kubernetes (TLDR DevOps)

A gameday at Datadog revealed a vulnerability in PostgreSQL failover processes on Kubernetes, where network latency led to replication lag, resulting in an unsafe standby for promotion. The article discusses the implications of this issue and strategies for building a more reliable high-availability

“Time to clean up human slop”: Why AI now reviews code better than your teammate. (The New Stack)

The article discusses the evolving role of AI in code reviews, suggesting that AI can outperform human reviewers by reducing common human errors, referred to as 'human slop'. It highlights the inefficiencies of current peer review processes, where delays and lack of context can lead to suboptimal ou

Conan O'Brien Deadpans Deepfakes (Security Boulevard Newsletters)

Adaptive Security has collaborated with comedian Conan O'Brien to create engaging training videos focused on deepfake and phishing awareness. This initiative aims to replace traditional training modules with comedic content, addressing the rising threat of AI-driven fraud, which is expected to reach
Scroll to Top