That sounds like a security phrase, but I think it is really a platform phrase now. Modern systems are full of places where something gets permission to run, inspect, transform, block, or decide.
That something might be an IDE extension. It might be a language server. It might be an AI coding assistant. It might be a VS Code task. It might be a WAF parser. It might be a sandbox running user-generated code. It might be an advisory database feeding alerts into a vulnerability management process.
The common thread is execution.
Before something runs, trust is still mostly theoretical. After something runs, trust becomes a blast radius.
That is why the Amazon Q Developer and AWS Language Server CVEs matter. The scary part is not just that there were bugs in an IDE plugin. The scary part is where those tools sit.
They sit next to source code. They sit next to local credentials. They sit next to AWS profiles. They sit next to project configuration. They sit next to terminals, repo context, MCP configuration, and sometimes production access.
So when a workspace can cross into command execution, that is not just a weird local developer bug. It can become a cloud credential problem, a source control problem, or a CI/CD problem.
And yes, the user still had to trust the workspace. But that is exactly the uncomfortable part.
Developers trust workspaces constantly. You clone a repo, open it, click through the prompt, and get back to work. That is normal behavior. But normal behavior becomes risky when the repo is no longer just source code. The repo is config. The repo is tasks. The repo is language server behavior. The repo is MCP setup. The repo is local execution context.
That is a much bigger boundary than most teams treat it as.
The JFrog story pushes the same idea even harder.
The hijacked npm and Go packages were not relying on the usual npm lifecycle-script path. They used hidden VS Code tasks configured to run when a folder opens.
That is the part that should make people pause.
The ecosystem is getting better at package-manager security. npm is changing install-script defaults. CI pipelines are paying more attention to dependency execution. Teams are getting more suspicious of install-time code.
That is good. But attackers adapt.
If the package manager gets harder, they move into the IDE. And the IDE is a great execution surface because developers open folders all day.
Example repos. Proofs of concept. Vendor samples. Issue reproductions. AI-generated apps. Random repos from Slack, GitHub issues, Discord, or wherever else work happens.
The editor is not passive anymore. It runs extensions. It loads config. It starts language servers. It runs tasks. It reads environment variables. It can access terminals and local secrets.
So “don’t run random code” is not enough advice anymore.
Sometimes opening the folder is the thing that runs code.
The AWS WAF HTTP/2 story is different, but it still fits.
A WAF is supposed to inspect requests and block bad ones. But that only works if the WAF sees the request the same way the rest of the stack sees it.
If HTTP/2 request bodies are split across frames, and the inspection layer only evaluates part of the body before making a decision, then the security control is operating on an incomplete view.
That is the whole problem.
Security controls are not magic shields. They are parsers, policies, and defaults. And if the parser has a blind spot, the policy may be correct and still not protect you.
That is why “do we have WAF?” is not the right question.
The better question is: what does the WAF actually see?
Where does TLS terminate? Is HTTP/2 involved? Are request bodies accumulated before inspection? Does ALB behave the way the protection model assumes? Do the proxy, load balancer, WAF, app server, and backend framework all agree on what the request means?
Because when those layers disagree, attackers get room to move.
Then AWS Lambda MicroVMs are the other side of the same episode.
The first few stories are about unexpected execution paths. Lambda MicroVMs are about building a better place for execution to happen.
That matters because running untrusted code is becoming normal.
AI coding assistants need sandboxes. Users upload code. Agents generate scripts. Security tools analyze unknown payloads. Data platforms run user-defined logic. Developer platforms execute test cases. Plugin systems need isolation.
The question is no longer “will we run untrusted code?”
For a lot of teams, the better question is: where are we already running it, what can it reach, and how badly can it hurt us?
Containers are useful, but shared-kernel isolation is not always the right boundary for untrusted code. Full VMs are stronger, but heavier. Serverless is convenient, but not every sandbox use case fits the traditional request-response Lambda model.
So the product direction here is interesting even if you do not adopt this specific AWS feature. Sandboxing is becoming a first-class platform primitive.
That is the larger trend.
Execution is becoming something platform teams need to design, not something they inherit accidentally.
The lightning round keeps reinforcing the same point.
GitHub’s advisory database hitting record volume is a reminder that vulnerability management is not just about getting more feeds. It is about deciding what matters before the queue buries the team.
Git 2.55 is a reminder that developer platforms are infrastructure too. At enough scale, Git performance becomes engineering productivity.
Valkey 9.1 on ElastiCache is a reminder that cache engines are production systems. Memory efficiency, throughput, command behavior, and isolation matter when the cache sits directly in the request path.
And the Fable 5 callback is a reminder that AI dependency risk does not disappear just because the model came back online. If a model can go away for policy reasons and then return with new access rules or new behavior, that is still something reliability teams need to track.
That is why the closer lands where it does.
Execution is where trust becomes real.
A repo is not just source code if opening it can trigger an assistant, language server, or task runner. An IDE is not just an editor if it can run commands, load tools, and inherit credentials. A WAF is not just a checkbox if it only inspects part of the request. A sandbox is not optional if your product runs code from users, agents, or plugins. An advisory feed is not useful just because it is complete. Someone still has to decide what matters.
So the practical questions this week are pretty simple.
Where does code run? What can it reach? What can it read? What can it write? What authority does it inherit? What logs prove what happened? Who owns that boundary?
And if the answer is “we’re not sure,” that is the work.
This week on Ship It Weekly: Amazon Q Developer and the AWS language servers had a pair of trust-boundary CVEs, JFrog found hijacked npm and Go packages using hidden VS Code tasks to run malware when a workspace opens, AWS WAF had HTTP/2 request-body inspection issues, and AWS introduced Lambda MicroVMs for running user-generated and AI-generated code in isolated sandboxes.
The bigger theme: execution is the boundary now. The repo, the IDE, the AI assistant, the WAF, and the sandbox all sit at the point where something gets to run, inspect, block, or decide. Before execution, trust is a policy. After execution, trust is a blast radius.
In the lightning round, Brian covers GitHub’s record advisory volume, Git 2.55, Valkey 9.1 on Amazon ElastiCache, and a quick Fable 5 callback now that Anthropic’s Fable 5 is back online.
This episode is about execution boundaries.
That sounds like a security phrase, but I think it is really a platform phrase now. Modern systems are full of places where something gets permission to run, inspect, transform, block, or decide.
That something might be an IDE extension. It might be a language server. It might be an AI coding assistant. It might be a VS Code task. It might be a WAF parser. It might be a sandbox running user-generated code. It might be an advisory database feeding alerts into a vulnerability management process.
The common thread is execution.
Before something runs, trust is still mostly theoretical. After something runs, trust becomes a blast radius.
That is why the Amazon Q Developer and AWS Language Server CVEs matter. The scary part is not just that there were bugs in an IDE plugin. The scary part is where those tools sit.
They sit next to source code. They sit next to local credentials. They sit next to AWS profiles. They sit next to project configuration. They sit next to terminals, repo context, MCP configuration, and sometimes production access.
So when a workspace can cross into command execution, that is not just a weird local developer bug. It can become a cloud credential problem, a source control problem, or a CI/CD problem.
And yes, the user still had to trust the workspace. But that is exactly the uncomfortable part.
Developers trust workspaces constantly. You clone a repo, open it, click through the prompt, and get back to work. That is normal behavior. But normal behavior becomes risky when the repo is no longer just source code. The repo is config. The repo is tasks. The repo is language server behavior. The repo is MCP setup. The repo is local execution context.
That is a much bigger boundary than most teams treat it as.
The JFrog story pushes the same idea even harder.
The hijacked npm and Go packages were not relying on the usual npm lifecycle-script path. They used hidden VS Code tasks configured to run when a folder opens.
That is the part that should make people pause.
The ecosystem is getting better at package-manager security. npm is changing install-script defaults. CI pipelines are paying more attention to dependency execution. Teams are getting more suspicious of install-time code.
That is good. But attackers adapt.
If the package manager gets harder, they move into the IDE. And the IDE is a great execution surface because developers open folders all day.
Example repos. Proofs of concept. Vendor samples. Issue reproductions. AI-generated apps. Random repos from Slack, GitHub issues, Discord, or wherever else work happens.
The editor is not passive anymore. It runs extensions. It loads config. It starts language servers. It runs tasks. It reads environment variables. It can access terminals and local secrets.
So “don’t run random code” is not enough advice anymore.
Sometimes opening the folder is the thing that runs code.
The AWS WAF HTTP/2 story is different, but it still fits.
A WAF is supposed to inspect requests and block bad ones. But that only works if the WAF sees the request the same way the rest of the stack sees it.
If HTTP/2 request bodies are split across frames, and the inspection layer only evaluates part of the body before making a decision, then the security control is operating on an incomplete view.
That is the whole problem.
Security controls are not magic shields. They are parsers, policies, and defaults. And if the parser has a blind spot, the policy may be correct and still not protect you.
That is why “do we have WAF?” is not the right question.
The better question is: what does the WAF actually see?
Where does TLS terminate? Is HTTP/2 involved? Are request bodies accumulated before inspection? Does ALB behave the way the protection model assumes? Do the proxy, load balancer, WAF, app server, and backend framework all agree on what the request means?
Because when those layers disagree, attackers get room to move.
Then AWS Lambda MicroVMs are the other side of the same episode.
The first few stories are about unexpected execution paths. Lambda MicroVMs are about building a better place for execution to happen.
That matters because running untrusted code is becoming normal.
AI coding assistants need sandboxes. Users upload code. Agents generate scripts. Security tools analyze unknown payloads. Data platforms run user-defined logic. Developer platforms execute test cases. Plugin systems need isolation.
The question is no longer “will we run untrusted code?”
For a lot of teams, the better question is: where are we already running it, what can it reach, and how badly can it hurt us?
Containers are useful, but shared-kernel isolation is not always the right boundary for untrusted code. Full VMs are stronger, but heavier. Serverless is convenient, but not every sandbox use case fits the traditional request-response Lambda model.
So the product direction here is interesting even if you do not adopt this specific AWS feature. Sandboxing is becoming a first-class platform primitive.
That is the larger trend.
Execution is becoming something platform teams need to design, not something they inherit accidentally.
The lightning round keeps reinforcing the same point.
GitHub’s advisory database hitting record volume is a reminder that vulnerability management is not just about getting more feeds. It is about deciding what matters before the queue buries the team.
Git 2.55 is a reminder that developer platforms are infrastructure too. At enough scale, Git performance becomes engineering productivity.
Valkey 9.1 on ElastiCache is a reminder that cache engines are production systems. Memory efficiency, throughput, command behavior, and isolation matter when the cache sits directly in the request path.
And the Fable 5 callback is a reminder that AI dependency risk does not disappear just because the model came back online. If a model can go away for policy reasons and then return with new access rules or new behavior, that is still something reliability teams need to track.
That is why the closer lands where it does.
Execution is where trust becomes real.
A repo is not just source code if opening it can trigger an assistant, language server, or task runner. An IDE is not just an editor if it can run commands, load tools, and inherit credentials. A WAF is not just a checkbox if it only inspects part of the request. A sandbox is not optional if your product runs code from users, agents, or plugins. An advisory feed is not useful just because it is complete. Someone still has to decide what matters.
So the practical questions this week are pretty simple.
Where does code run? What can it reach? What can it read? What can it write? What authority does it inherit? What logs prove what happened? Who owns that boundary?
And if the answer is “we’re not sure,” that is the work.
Because before execution, trust is a policy.
After execution, trust is a blast radius.
Extra links worth including:
AWS security bulletin: Amazon Q / AWS Language Server CVEs
https://aws.amazon.com/security/security-bulletins/2026-047-aws/
JFrog: Hijacked npm packages using VS Code tasks
https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/
AWS security bulletin: AWS WAF HTTP/2 inspection issues
https://aws.amazon.com/security/security-bulletins/2026-048-aws/
AWS Lambda MicroVMs
https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/
GitHub Advisory Database record volume
https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/
Git 2.55 highlights
https://github.blog/open-source/git/highlights-from-git-2-55/
Amazon ElastiCache Valkey 9.1
https://aws.amazon.com/blogs/database/announcing-valkey-9-1-for-amazon-elasticache/
Claude Fable 5 and Mythos 5 model docs
https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5
This week’s On Call Brief
https://learn.tellerstech.com/on-call-brief-news/2026-W27/
More Ship It Weekly episodes
https://shipitweekly.fm/