On Call Brief – Week of July 5–11, 2026

2026-07-05 — 2026-07-11 Briefing: 2026-07-05 Last updated 21 hours ago (Jul 9, 2026 3:52 am EDT) 19 min read
Share
Category:
Tags:

This week's top stories

1. Cloudflare: 2 service incidents (Issues with network performance in North America, Elevated number of errors in

  • Category: Deep Dive
  • What happened: Cloudflare experienced two separate incidents affecting their network infrastructure this week. In North America, network performance degradation was detected starting July 3 and required multiple days of remediation work before resolution on July 6, though specific technical details were not disclosed in the status updates. Separately, customers routing through Cloudflare's Munich data center encountered elevated 4XX and 5XX error rates during a 12-minute window between 05:07 and 05:19 UTC, which has since been resolved. Operators using Cloudflare should review their monitoring dashboards for any correlated issues during these timeframes and verify that traffic routing has returned to normal baseline patterns.
  • Takeaway: This incident may have affected users relying on Cloudflare's services in North America, potentially leading to degraded performance or connectivity issues during the outage period.
  • Sources: Cloudflare Status
  • Tags:

2. NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

  • Category: Deep Dive
  • What happened: A joint operation involving Google, the FBI, and other partners disrupted the NetNut residential proxy network, which had provided cybercriminals access to millions of compromised Android devices. This operation cut off access to approximately 2 million infected devices, including smart TVs and streaming boxes.
  • Takeaway: The disruption of the NetNut proxy network may affect organizations relying on similar proxy services for legitimate purposes, as well as increase scrutiny on device security and the potential for compromised devices in networks.
  • Source: Security Boulevard (FeedBurner mirror)
  • Tags:

3. Upgrade Amazon EKS clusters with confidence using Kubernetes version rollbacks - An undo button for Kubernetes

  • Category: Deep Dive
  • What happened: Amazon EKS now supports Kubernetes version rollbacks, allowing operators to revert to a previous version if an upgrade causes issues. This feature aims to reduce the risks associated with upgrades, which often require extensive preparation and can lead to downtime if not managed carefully.
  • Takeaway: This rollback capability provides a safety net for EKS upgrades, potentially reducing downtime and operational stress during version changes. It allows teams to respond more flexibly to issues that arise post-upgrade.
  • Source: AWS via Last Week in AWS
  • Tags:

4. ECS Service Connect now supports Zone-Aware routing

  • Category: Community
  • What happened: ECS Service Connect has introduced Zone-Aware routing, allowing traffic to be kept local by default, eliminating the previous charge of one cent per gigabyte for cross-zone traffic. This change aims to enhance resilience without incurring additional costs.
  • Worth reading: This update may reduce costs associated with cross-zone traffic in ECS, potentially impacting service architecture and cost management strategies.
  • Source: Receipts Lastweekinaws via Last Week in AWS
  • Tags:

5. Amazon CloudWatch supports creating alarms from log queries - Alarming on logs without first sacrificing a goat to

  • Category: Community
  • What happened: Amazon CloudWatch now allows users to create alarms directly from log queries, simplifying the process of monitoring logs. However, this feature comes with a caveat: users will incur costs based on the amount of data scanned by these scheduled queries, which could lead to unexpected billing increases during error spikes.
  • Worth reading: This change could affect production monitoring strategies, as operators need to be mindful of query frequency to avoid high costs associated with log data scanning.
  • Source: AWS via Last Week in AWS
  • Tags:

6. Uncover new performance insights using Amazon detailed performance statistics on Windows

  • Category: Community
  • What happened: Amazon EC2 Windows instances now offer detailed performance statistics for both Amazon EBS and Instance Store, enabling real-time monitoring of key metrics like latency, throughput, and IOPS. This enhancement allows operators to proactively identify and address performance bottlenecks. The new metrics provide sub-minute granularity and can be accessed via the NVMe device attached to the EC2 instance. A sample solution is provided to demonstrate how to use these statistics for monitoring and troubleshooting storage performance, particularly for latency-sensitive applications.
  • Worth reading: The introduction of detailed performance statistics can significantly improve the ability to monitor and optimize storage performance on EC2 Windows instances. This could lead to enhanced application reliability and performance, especially for workloads sensitive to I/O interruptions.
  • Source: AWS Compute Blog
  • Tags:

7. How IAG accelerated service-to-service communication with Amazon VPC Lattice

  • Category: Community
  • What happened: IAG accelerated their service-to-service communication by implementing Amazon VPC Lattice, eliminating the need for microservice traffic to traverse the public internet and reducing latency in their architecture. In a separate development, AWS published guidance on enforcing least-privilege authorization in multi-agent AI systems using Cedar, an open-source authorization language that implements a three-layer policy model to prevent unauthorized actions through delegation chains. SRE teams operating microservices architectures should evaluate VPC Lattice for reducing cross-service latency and network complexity, while those deploying multi-agent AI systems should review the Cedar authorization framework to implement proper security boundaries between agents. Both resources come from AWS official blogs and represent architectural patterns rather than security vulnerabilities requiring immediate patching.
  • Worth reading: This change could significantly reduce latency in service communications, which is crucial for performance-sensitive applications. Operators should consider the implications of adopting VPC Lattice for their own microservices architectures to improve efficiency.
  • Sources: AWS Networking Blog, AWS Security Blog
  • Tags:

8. Microsoft, Google and Cloudflare just made 2029 the new quantum deadline

  • Category: Community
  • What happened: Microsoft, Google, and Cloudflare have moved the deadline for adopting quantum-safe cryptography from 2030 to 2029, citing advancements in quantum computing that could pose risks sooner than expected. This shift emphasizes the need for organizations to begin preparations for a transition to post-quantum cryptography, which is recognized as a multi-year engineering effort. The urgency is driven by the potential arrival of cryptographically relevant quantum computers, necessitating early action to mitigate risks and costs associated with the transition.
  • Worth reading: Organizations must accelerate their plans for adopting quantum-safe technologies to meet the new 2029 deadline, which could impact security strategies and resource allocation. Delaying preparations could lead to increased risks and costs.
  • Source: The New Stack
  • Tags:

9. Fake Bug Report Shows AI Coding Agents Can Be Turned Into an Enterprise Attack Path

  • Category: Deep Dive
  • What happened: Researchers have identified a new attack method called 'agentjacking' that targets AI coding assistants by embedding malicious instructions within fake bug reports. This technique was tested on AI tools like Claude Code, Cursor, and Codex, which were able to retrieve compromised error logs, potentially exposing enterprises to security risks.
  • Takeaway: This attack vector highlights vulnerabilities in AI coding tools that could be exploited in production environments, necessitating increased scrutiny and security measures around the use of AI in software development.
  • Source: Security Boulevard (FeedBurner mirror)
  • Tags:

10. When TLS 1.3-only broke everything behind Akamai

  • Category: Deep Dive
  • What happened: An incident occurred when requests to a backend nginx server stopped due to a mismatch in TLS policies between Akamai and an External Load Balancer (LB). The LB was set to TLS 1.3 only, while Akamai was configured to negotiate down to older versions. This caused the TLS handshake to fail, leading to the perception of a certificate issue. The resolution involved changing the LB's TLS policy to support both TLS 1.2 and 1.3, restoring traffic flow.
  • Takeaway: This incident highlights the importance of aligning TLS policies between edge services like Akamai and backend load balancers. A mismatch can lead to service outages that may be misdiagnosed as certificate problems. Operators should ensure that any changes to TLS policies are communicated with all relevant stakeholders to prevent similar issues.
  • Source: dev.to (DevOps tag)
  • Tags:

CVE & Security

1. CVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry

  • Category: Security / Patch
  • What happened: CVE-2026-14471 is a critical SQL injection vulnerability in the metrics-service retention policy subsystem of the Amazon mcp-gateway-registry. An authenticated remote user can exploit this vulnerability by supplying a crafted table_name value, allowing them to execute arbitrary SQL queries against the metrics database. This can lead to unauthorized access to stored data, including sensitive information like API keys, and the ability to delete or modify data.
  • Do this Monday: This vulnerability poses a significant risk to any deployment using affected versions of the mcp-gateway-registry, as it allows authenticated users to manipulate the database, potentially leading to data breaches or loss.
  • Source: AWS Security Bulletins
  • Tags:

2. Novee Uncovers Cordyceps: The Latest Threat to CI/CD Pipelines

  • Category: Security / Patch
  • What happened: Novee has identified a new supply chain security flaw named Cordyceps that poses significant risks to CI/CD pipelines. This vulnerability allows unauthenticated users to hijack workflows and gain control over code repositories of major companies like Microsoft and Google. The flaw exploits weaknesses in CI/CD workflows, which are often not treated as security-critical, leading to potential command injection and credential theft. The rise of AI coding agents further complicates the issue by perpetuating insecure patterns across repositories.
  • Do this Monday: The Cordyceps vulnerability highlights critical security gaps in CI/CD processes that could lead to unauthorized code execution and credential theft. Organizations must reassess their CI/CD security practices to mitigate these risks, especially given the ease of exploitation by unauthenticated users.
  • Source: DevOps.com
  • Tags:

3. PostgreSQL: 42.7.12, 1.30.0, v5.0

  • Category: Security / Patch
  • What happened: The PostgreSQL ecosystem has released multiple security-focused updates that require operator attention, starting with PostgreSQL JDBC driver version 42.7.12 which patches CVE-2026-54291, a vulnerability allowing silent downgrades from SCRAM-SHA-256-PLUS to SCRAM-SHA-256 that bypasses channel binding requirements. CloudNativePG 1.30.0 introduces a new DatabaseRole Custom Resource Definition for GitOps-based role management and implements a Lease-based primary election mechanism to improve failover safety, though specific security enhancements were not detailed in the source. Additionally, the credcheck extension version 5.0 adds PostgreSQL 19 compatibility and password history replication awareness with enhanced credential validation rules during user and password operations. Operators using PostgreSQL JDBC connections with channel binding should prioritize upgrading to 42.7.12, while CloudNativePG users can evaluate the new role management features and failover improvements for their Kubernetes-based PostgreSQL deployments. Teams using credcheck should upgrade to v5.0 before migrating to PostgreSQL 19 to maintain password policy enforcement across replicated environments.
  • Do this Monday: This release is critical for users relying on channel binding for secure connections, as it mitigates a significant security risk. Operators should update to version 42.7.12 to ensure protection against potential man-in-the-middle attacks that exploit this vulnerability.
  • Sources: PostgreSQL News
  • Tags:

4. Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

  • Category: Security / Patch
  • What happened: A vulnerability in Opera GX allowed malicious websites to automatically install browser add-ons, enabling data theft from visited pages without user interaction. Researchers demonstrated that they could extract a user's full Gmail address through this exploit. Opera has released a patch for the flaw and reported no evidence of exploitation in the wild.
  • Do this Monday: This vulnerability could have led to unauthorized access to sensitive user data, highlighting the importance of keeping browsers updated and being cautious with add-ons. The patch should be applied to mitigate potential risks.
  • Source: Thehackernews via The Hacker News (security)
  • Tags:

5. SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

  • Category: Security / Patch
  • What happened: Researchers have developed a technique called SkillCloak that allows malicious AI agent skills to evade detection by static scanners. This method successfully bypassed over 90% of the tested scanners, highlighting vulnerabilities in current security measures against AI-related threats. The team also created a runtime checker that can identify most of these malicious skills.
  • Do this Monday: This development raises concerns about the effectiveness of existing security measures for AI systems, potentially leading to increased risks of malware in AI applications - operators should consider enhancing their detection capabilities to address these vulnerabilities.
  • Source: Thehackernews via The Hacker News (security)
  • Tags:

6. TuxCare Warns AI Will Weaponize Vulnerability Chains

  • Category: Security / Patch
  • What happened: TuxCare has issued a warning that AI-powered systems will increasingly automate the exploitation of vulnerability chains, where attackers leverage multiple interconnected vulnerabilities in sequence to compromise systems. According to Techstrong.ai's coverage, this represents an evolution in attack methodology where AI can rapidly identify and chain together vulnerabilities that might be individually low-severity but collectively enable system compromise. SRE teams should prioritize reducing their attack surface by addressing not just critical CVEs but also medium and low-severity vulnerabilities that could be chained together, and consider implementing automated vulnerability correlation analysis to identify potential chain exploits in their infrastructure. The warning emphasizes that traditional patch prioritization based solely on individual CVE severity scores may be insufficient against AI-driven attacks that exploit the relationships between multiple vulnerabilities.
  • Do this Monday: This warning suggests that organizations should reassess their vulnerability management strategies and consider the implications of AI in threat landscapes. Increased vigilance and proactive security measures may be necessary to defend against sophisticated attacks.
  • Sources: Techstrong.ai
  • Tags:

Releases

1. China-Linked Threat Group Expands Attacks on Southeast Asia’s Critical Infrastructure

  • Category: Release
  • What happened: Cybersecurity researchers have identified a China-linked threat group, CL-STA-1062, that is now targeting critical infrastructure organizations in Southeast Asia, including electricity and water providers, as well as government entities. This marks a shift from their previous focus on web-hosting infrastructure in Taiwan.
  • Do this Monday: Increased attacks on critical infrastructure could lead to potential disruptions in services and heightened security risks for organizations in Southeast Asia. Operators should assess their security posture and readiness against such targeted threats.
  • Source: Security Boulevard (FeedBurner mirror)
  • Tags:

2. Your Worker can now have its own cache in front of it

  • Category: Release
  • What happened: Cloudflare has launched Workers Cache, a tiered caching solution that sits in front of Cloudflare Workers. This feature allows cacheable requests to be served directly from Cloudflare's cache, reducing CPU usage and costs for developers. Configuration is straightforward, requiring only a single line in the Wrangler config and standard Cache-Control headers. The cache is automatically purged when content changes, and it supports advanced features like stale-while-revalidate and multi-tenant-safe cache keys.
  • Do this Monday: The introduction of Workers Cache can significantly improve performance and reduce costs for applications using Cloudflare Workers. By caching responses at the edge, it minimizes the need for Workers to execute for cacheable requests, which can lead to lower CPU time and faster response times for users.
  • Source: Cloudflare Blog
  • Tags:

3. Insignary Closes SBOM Accuracy Gap With Binary-Level Clarity for Regulatory Risk

  • Category: Release
  • What happened: Insignary has introduced a binary-first platform called Insignary Clarity that enhances software composition analysis (SCA) by analyzing the actual binaries deployed rather than just the declared components. This approach addresses the growing concern over unmanaged open-source dependencies and the accuracy of Software Bills of Materials (SBOMs), which are becoming regulatory requirements. The platform aims to provide better visibility into vulnerabilities and compliance risks associated with open-source components, especially in AI-generated code environments.
  • Do this Monday: The introduction of Insignary Clarity could significantly affect how organizations manage their software supply chains and compliance with emerging regulations around SBOMs. By validating software at the binary level, teams can better understand and mitigate risks associated with open-source components, which is crucial as regulatory scrutiny increases.
  • Source: DevOps.com
  • Tags:

4. Claude Reaches GA on Microsoft Foundry: European Enterprises Cannot Deploy It

  • Category: Release
  • What happened: Claude models are now generally available on Microsoft Foundry, featuring Azure-native billing and governance. However, there is no European data zone available, which means that European enterprises, particularly in regulated sectors like banking and healthcare, cannot deploy it for production use due to data residency concerns.
  • Do this Monday: The lack of a European data zone for Claude models on Microsoft Foundry limits deployment options for organizations in Europe, especially those in regulated industries that require strict data residency compliance.
  • Source: InfoQ DevOps
  • Tags:

Also this week

Deep dives & postmortems

12. ps5-linux-loader: Linux payload implementing HV exploits to run a custom bootloader

  • Category: Deep Dive
  • What happened: A new Linux payload has been developed for the PS5 that utilizes hypervisor exploits to run a custom bootloader. This could potentially allow for unauthorized modifications to the console's operating system.
  • Takeaway: This development may raise security concerns for environments using PS5 hardware, as it could lead to unauthorized access or modifications.
  • Source: GitHub via Lobsters
  • Discussion: https://lobste.rs/s/prfycy/ps5_linux_loader_linux_payload
  • Tags:

Community reads

11. DevOps'ish 316: ClickHouse Eats o11y, Vint Cerf Bows Out, Podman Breaks Things, and More

  • Category: Community
  • What happened: The CNCF's Kepler project is undergoing a re-architecture to improve power monitoring accuracy in Kubernetes environments, addressing limitations in the current implementation's ability to measure power consumption across cluster workloads. The Linux Foundation has launched Akrites, a new initiative specifically designed to combat AI-driven attacks and vulnerabilities targeting open-source software supply chains. ClickHouse is gaining attention in the observability space as an alternative backend for metrics and logs, with operators citing performance advantages over traditional observability data stores. SRE teams using Kubernetes should monitor the Kepler project's developments for more accurate power consumption metrics, which can inform capacity planning and sustainability efforts, while also evaluating whether ClickHouse fits their observability architecture needs based on data volume and query patterns (DevOps'ish newsletter 316).
  • Worth reading: The changes in Kepler may improve sustainability metrics in Kubernetes environments. Akrites could enhance security for open-source projects, which is critical given the rising threat of AI attacks. ClickHouse's performance improvements could influence decisions on observability tools, while the breaking changes in Podman 6.0 necessitate careful review before upgrading to avoid disruptions.
  • Sources: DevOps'ish
  • Tags:

Lightning links

Human Stories

When the FBI has to shut down a botnet of 2 million infected devices powering a proxy network, it's a stark reminder that the infrastructure we trust isn't always what it seems. But look at what else happened this week - Amazon gave us an undo button for Kubernetes upgrades, CloudWatch finally let us alarm on logs without arcane rituals, and ECS Service Connect stopped charging us for cross-zone traffic that should have been local all along. These aren't just feature releases; they're acknowledgments that the complexity we've been managing has crossed a line. The platforms are starting to admit what we've known in our bones: we've been carrying too much cognitive load, too much risk, and too many workarounds for problems that shouldn't be ours to solve. Maybe that's the real takeaway - whether it's cleaning up compromised infrastructure or getting a rollback button we should have had years ago, we're collectively pushing back on a status quo that made operations harder than it needed to be.

Also worth reading

Safely Releasing Frontier Models to Customers - A frontier model got so good at finding vulnerabilities that (Last Week in AWS)

A frontier model developed by Amazon became highly effective at identifying vulnerabilities, leading to concerns that prompted a call to the White House, resulting in its temporary withdrawal. The model has now been reintroduced with hopes that the incident will be forgotten.

The Supreme Court Just Put Limits on Geofence Warrants (Security Boulevard (FeedBurner mirror))

The Supreme Court has ruled that constitutional privacy protections apply to cellphone location history and geofence warrant data. This ruling limits the ability of law enforcement to access location data that can include information from many individuals in a given area, not just specific suspects.

GitLab CI skill for ai agents based on official docs (Reddit r/devops)

An engineer discusses their experience using AI agents to assist with GitLab CI pipeline creation and refactoring. They found existing AI skills unreliable and decided to create their own, which is based on official GitLab documentation. The skill addresses pipeline structure, debugging, and other c
Scroll to Top