Try reloading the player or open this episode directly on YouTube.
In this episode of Ship It Weekly, Brian discusses the expanding boundaries of operations, including AWS issues in Bahrain/UAE amid Iran strikes, and GitOps failures with ArgoCD.
Now Playing
AWS Bahrain/UAE Data Center Issues Amid Iran Strikes, ArgoCD vs Flux GitOps Failures, GitHub Actions Hackerbot-Claw Attacks (Trivy), RoguePilot Codespaces Prompt Injection, Block “AI Remake” Layoffs, Claude Code Security
Ship It Weekly
0:0018:20
Chapters
Jump to a section in this episode.
Speed & share
Transcript
This week is another reminder that the boundary
of ops keeps expanding. Sometimes the incident
trigger isn't a bad deploy. It's physical disruption
in a cloud region. Sometimes it isn't your app.
It's your GitOps control plane getting stuck.
Sometimes it isn't a vuln in prod. It's your
CI getting actively hunted. And sometimes it's
your company saying AI remake while expecting
the same reliability with fewer humans. All right,
let's get into it. Hey, I'm Brian Teller. I work
in DevOps and SRE, and I run Teller's Tech. This
is Ship It Weekly, where I filter the noise and
focus on what actually changes how we run infrastructure
and own reliability. Show notes and links are
on shipitweekly .fm. If the show's been useful,
follow it wherever you listen. Also, ratings
help way more than they should. Six main stories
today, then the lightning round, and then the
human closer. Story 1 is AWS flagging issues
in Bahrain and the UAE data centers amid Iran's
strikes, and what this means for regional resilience.
Story 2 is Argo CD to Flux and the specific Argo
CD failure mode that makes GitOps feel like a
pager generator. Story 3 is HackerBot Claw, an
automated campaign exploiting GitHub Actions
and Trivy getting hit as part of it story 4 is
rogue pilot a github code spaces co -pilot attack
chain it's basically prompt ejection meets real
credentials story 5 is block cutting 4 000 jobs
framed as an ai remake and why that's an ops
execution story story six is anthropic pushing
frontier cyber security capabilities for defenders
and what that means when these tools move from
scan to suggest fixes then the lightning round
then the human closer all right story one So
Reuters reported AWS flagged power and connectivity
issues tied to incidents at facilities in the
UAE and Bahrain amid the regional conflict. The
practical takeaway is simple. Multi -AZ is not
multi -region, and cloud outages now include
physical risk. If the region is degraded for
hours or days, the question becomes, can you
operate elsewhere and how fast can you decide?
A lot of teams say we're highly available, and
what they really mean is we can lose an AZ. That's
great, you should do that. But it's not the same
as losing an entire region's capacity, networking,
or connectivity to the outside world. This is
where a DR plan stops being a diagram and becomes
a decision tree. Here's how this bites real orgs.
Your apps might technically still run, but your
dependencies don't. Payments provider timeouts.
Queue backlogs. Outbound traffic gets weird.
Latency goes from fine to unusable. And suddenly
you are in the ugly space where nothing is fully
down, but everything is failing. That's also
where people make the wrong call. They wait too
long because it's partially working. Then failover
gets harder because data divergence grows and
backlogs pile up. Do this Monday. Pick one region
you rely on heavily and run this thought experiment.
Assume it's impaired for 48 hours. Who makes
the failover call? Not we would, a name or a
role. And what signals trigger it? Error rate?
Latency? Provider status? Customer impact? What's
the DNS plan? Do you use weighted routing? Failover
routing? Manual cutover? How long does it take?
What's the rollback plan? What's the data plan?
not the app plan. If your database is regional,
your app is regional. If your queue is regional,
your app is regional. If your identity system
is regional, your app is regional. Have you tested
this in the last year? Even a tabletop, even
a low -risk exercise, anything besides we totally
could if we had to. If you are in edge regions
or high -risk geos, you don't get to pretend
this is theoretical. Next up, story two. Story
two is GitOps pain. There's a great write -up
on migrating from Argo CD to Flux, and the best
part is the section literally titled The Problem
with Argo CD. The complaint is a specific failure
mode. A sync fails. Argo CD marks the app sync
failed, and then it can get stuck retrying the
failed state instead of progressing to the newer
commit that fixes it. The CRD ordering example
is the one everyone runs into at least once.
You push a commit that creates a custom resource.
The CRD isn't there yet, so sync fails. You push
a new commit, adding the CRD. And Argo CD can
keep banging its head against the old failed
commit. This is the moment where GitOps stops
feeling like declarative desired state and starts
feeling like a controller stuck in a loop that
needs a human rescue. The fastest way to hate
GitOps is getting paged by GitOps. And here's
the thing. Argo CD is good. Lots of teams run
it successfully. But the operational foot guns
are real. And if you haven't been burned yet,
you will be. GitOps tools are control planes.
When the control plane is wrong, it's not one
service down. It's your deployment mechanism
becoming the incident. So what do you actually
do with this story if you're not migrating to
Flux tomorrow? Do this Monday. If you run Argo
CD, make sure you have a runbook for sync failed
and won't progress. What do you do when it's
stuck on a bad desired state? What's the break
glass path that doesn't involve turning off all
automation? How do you handle CRDs and ordering
safely? Do you use sync waves? Do you split CRDs
into a separate app? do you pre -install them
whatever your pattern is write it down and standardize
it and make sure the on -call knows the recovery
moves manual sync refresh hard refresh prune
behavior deleting resources recreating app the
mechanics matter when you're under pressure now
on the flux side if you are considering flux
don't migrate your fleet first pick one low risk
service run it side by side Learn the failure
modes. Don't make this a religious war. Make
it an operational decision. Alright, story three.
This story is spicy in the way ops teams should
care about. Step Security documented an automated
campaign they call HackerBot Claw. It targeted
GitHub Actions workflows across major repos,
remote code execution in several targets, and
token theft, including a token with right permissions.
Then Trivy maintainers posted their own incident
report saying Trivy was attacked via GitHub Actions
as part of the same campaign. And they believe
the vulnerability came from a specific workflow
which they fixed. This is the your pipeline is
production story. Attackers are not waiting for
your app to have a bug. They are going after
the thing that can publish artifacts, ship releases,
For this episode, the theme that kept showing up was control planes under pressure.
Not just the obvious ones like Kubernetes or CI/CD.
But the broader set of systems we now depend on to run infrastructure: GitOps controllers, developer workspaces, agent tooling, and even the geopolitical reality behind cloud regions and AI supply chains.
A lot of the stories this week look unrelated on the surface.
An AWS region dealing with infrastructure disruptions in the Middle East. A GitOps migration story from ArgoCD to Flux. CI pipelines being actively hunted by automated attackers. Prompt injection turning into token theft in developer environments. Companies restructuring around “AI productivity.” And security tooling itself becoming AI-driven.
But if you zoom out a little, they’re all variations of the same underlying shift.
The automation layer has become the real control plane of modern infrastructure.
And once that happens, two things follow very quickly.
First, attackers target the control plane.
Second, organizations try to scale it faster than their guardrails.
You can see the first part clearly in the GitHub Actions attacks that StepSecurity documented.
This wasn’t someone finding a bug in an application.
It was an automated campaign targeting CI workflows across open source repositories.
The attacker isn’t interested in the application logic. They want the release mechanism.
If you compromise CI, you don’t need a vulnerability in the app. You can modify the artifacts, steal tokens, publish malicious packages, or pivot into infrastructure.
That’s why the Trivy maintainers’ response was interesting. They quickly published details about the attack vector and the workflow that was responsible.
Another version of this control plane expansion is happening in developer environments.
The RoguePilot research is a good example of that.
A malicious GitHub issue can contain instructions that get interpreted when a developer launches a Codespace.
That’s essentially prompt injection as a supply chain vector.
And the problem isn’t just the model.
It’s the environment.
If the agent reading that issue has access to a GITHUB_TOKEN, or can run commands, or can open pull requests, the attacker has a pathway into real operations.
If you step back from all of these stories, the through-line becomes pretty clear.
Infrastructure reliability used to be mostly about applications and servers.
Now it’s about the systems that operate the systems.
CI pipelines GitOps controllers Developer environments Agent frameworks Security automation Cloud regions
These are the new control planes.
And the work of DevOps and SRE increasingly revolves around making sure those layers are safe, observable, and recoverable when something inevitably goes wrong.
That’s all for this week’s commentary.
If you want the full breakdown of the stories discussed in the episode, check the show notes and episode page.
And if this show has been useful, consider sharing it with a teammate or another engineer who’s living in the same automation-heavy world we all are right now.
Thanks for listening. See you next week.
📝 Notes
Show Notes
This week on Ship It Weekly, Brian looks at how the boundary of ops keeps expanding.
We cover AWS flagging issues in Bahrain/UAE amid Iran strikes, ArgoCD vs Flux and why ArgoCD can get stuck in failed sync states, GitHub Actions being exploited at scale (plus Trivy’s incident), RoguePilot prompt injection meeting real credentials in Codespaces, Block’s “AI remake” layoffs, and Anthropic’s Claude Code Security for defenders.
Lightning round: DeepSeek model access geopolitics, Vercel’s agentic security boundaries, a KEV CVE to patch, an MCP-atlassian SSRF-to-RCE chain, and Claude Cowork scheduled tasks.
For this episode, the theme that kept showing up was control planes under pressure.
Not just the obvious ones like Kubernetes or CI/CD.
But the broader set of systems we now depend on to run infrastructure: GitOps controllers, developer workspaces, agent tooling, and even the geopolitical reality behind cloud regions and AI supply chains.
A lot of the stories this week look unrelated on the surface.
An AWS region dealing with infrastructure disruptions in the Middle East.
A GitOps migration story from ArgoCD to Flux.
CI pipelines being actively hunted by automated attackers.
Prompt injection turning into token theft in developer environments.
Companies restructuring around “AI productivity.”
And security tooling itself becoming AI-driven.
But if you zoom out a little, they’re all variations of the same underlying shift.
The automation layer has become the real control plane of modern infrastructure.
And once that happens, two things follow very quickly.
First, attackers target the control plane.
Second, organizations try to scale it faster than their guardrails.
You can see the first part clearly in the GitHub Actions attacks that StepSecurity documented.
This wasn’t someone finding a bug in an application.
It was an automated campaign targeting CI workflows across open source repositories.
The attacker isn’t interested in the application logic.
They want the release mechanism.
If you compromise CI, you don’t need a vulnerability in the app.
You can modify the artifacts, steal tokens, publish malicious packages, or pivot into infrastructure.
That’s why the Trivy maintainers’ response was interesting. They quickly published details about the attack vector and the workflow that was responsible.
That’s the right instinct.
CI incidents are supply chain incidents now.
StepSecurity hackerbot-claw analysis
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
Trivy incident discussion
https://github.com/aquasecurity/trivy/discussions/10265
The second theme was control planes that fail in subtle ways.
The ArgoCD story is a good example.
GitOps sounds beautiful in theory.
Git is the source of truth.
The cluster reconciles to match it.
Everything is declarative.
But operationally, the controller itself becomes part of the reliability story.
If it gets stuck on a failed state, it can block the path to recovery.
And the CRD ordering problem mentioned in that migration write-up is something many teams eventually encounter.
It’s not a catastrophic bug.
It’s a behavior mismatch between how engineers expect reconciliation to work and how the system actually behaves.
That’s the dangerous category of failure.
Because it usually shows up during an incident, when you’re trying to deploy the fix.
Migration write-up
https://hai.wxs.ro/migrations/argocd-to-flux/
Another version of this control plane expansion is happening in developer environments.
The RoguePilot research is a good example of that.
A malicious GitHub issue can contain instructions that get interpreted when a developer launches a Codespace.
That’s essentially prompt injection as a supply chain vector.
And the problem isn’t just the model.
It’s the environment.
If the agent reading that issue has access to a
GITHUB_TOKEN, or can run commands, or can open pull requests, the attacker has a pathway into real operations.RoguePilot overview
https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
Original research
https://orca.security/resources/blog/roguepilot-github-copilot-vulnerability/
There’s also a bigger conversation happening about agent boundaries.
Vercel published a good write-up on this recently.
The core idea is simple: most agents today run generated code with the same privileges as the developer or system running them.
Which means the real question becomes:
Where is the trust boundary?
Is the agent allowed to read untrusted content?
Is it allowed to execute commands?
Does it have access to secrets?
Those are the same questions we’ve been asking about CI systems for years.
We’re just asking them again for AI tools.
Security boundaries in agentic architectures
https://vercel.com/blog/security-boundaries-in-agentic-architectures
The AWS regional disruption story fits into this theme in a different way.
It’s a reminder that cloud infrastructure still exists in the physical world.
Power events, connectivity problems, geopolitical instability — all of these can show up as “cloud issues.”
And that’s why the phrase multi-AZ is not multi-region matters.
Availability zones protect you from localized failures.
Regions protect you from systemic ones.
And organizations that treat those as interchangeable eventually discover the difference during a very long outage.
Reuters coverage
https://www.reuters.com/world/middle-east/amazon-cloud-unit-flags-issues-bahrain-uae-data-centers-amid-iran-strikes-2026-03-02/
Then there’s the organizational side of all this.
The Block layoffs framed as an “AI remake” are part of a pattern we’re seeing across the industry.
Companies expect automation and AI to increase productivity.
And in many cases, they’re right.
But there’s a hidden constraint.
Automation scales faster than human oversight.
That idea has been explored really well by Uwe Friedrichsen in his Ironies of Automation series.
The key insight is that automation concentrates responsibility rather than eliminating it.
Systems get faster.
Systems get more capable.
But humans do not scale at the same rate.
Which means failures propagate faster than organizations can understand them.
Ironies of Automation series
https://www.ufried.com/blog/ironies_of_automation/
Ironies of AI (Part 2)
https://www.ufried.com/blog/ironies_of_ai_2/
We actually touched on that idea in an earlier Ship It Weekly episode when talking about control planes and automated RCA.
That conversation still applies here.
Earlier episode reference
Episode 10Jan 2, 2026⏱️ 17:45Fail Small, IaC Control Planes, and Automated RCAEpisode: Fail Small, IaC Control Planes, and Automated RCA
One more interesting development this week was Anthropic announcing Claude Code Security.
Tools like this aim to scan codebases for vulnerabilities and propose fixes automatically.
In theory, that’s extremely powerful.
Security teams spend huge amounts of time triaging issues that developers never get around to fixing.
If AI can propose safe patches and reduce that backlog, that’s a real win.
But it also raises the same operational question we’ve been talking about throughout this episode.
Is the tool suggesting changes, or making them autonomously?
Because the moment a system can modify code, open pull requests, or deploy changes, it’s no longer just a scanner.
It’s part of the control plane.
Claude Code Security
https://www.anthropic.com/news/claude-code-security
Finally, a quick note on the AI supply chain angle we mentioned in the lightning round.
DeepSeek reportedly withheld access to a new model from certain U.S. chipmakers while making it available earlier to domestic firms.
This is another reminder that AI infrastructure is now intertwined with geopolitics and hardware supply chains.
Which means “what model can we run” may become just as much a business or regulatory question as a technical one.
DeepSeek coverage
https://www.reuters.com/world/china/deepseek-withholds-latest-ai-model-us-chipmakers-including-nvidia-sources-say-2026-02-25/
If you step back from all of these stories, the through-line becomes pretty clear.
Infrastructure reliability used to be mostly about applications and servers.
Now it’s about the systems that operate the systems.
CI pipelines
GitOps controllers
Developer environments
Agent frameworks
Security automation
Cloud regions
These are the new control planes.
And the work of DevOps and SRE increasingly revolves around making sure those layers are safe, observable, and recoverable when something inevitably goes wrong.
That’s all for this week’s commentary.
If you want the full breakdown of the stories discussed in the episode, check the show notes and episode page.
More episodes are available at
https://shipitweekly.fm
And if this show has been useful, consider sharing it with a teammate or another engineer who’s living in the same automation-heavy world we all are right now.
Thanks for listening. See you next week.