Skip to main content
News

Company & Industry Updates

Announcements, technology updates, and industry news from Private DevOps LTD.

27 news items7 topics

Showing 1-27 of 27 news items

Page 1 of 1

SecurityJun 4, 2026

One Click Can Steal Your GitHub OAuth Token

A one-click attack on github.dev could hand an attacker a GitHub OAuth token with read and write access to all your repos, including private ones. Microsoft says it is now mitigated. Here is what actually happened and how to reduce your exposure.

Read more about One Click Can Steal Your GitHub OAuth Token
SecurityJun 4, 2026

Your HTTP/2 Server Can Be OOM-Killed In Under A Minute: What To Do Now

A newly published exploit combines two HTTP/2 weaknesses to exhaust 32 GB of server RAM in under 20 seconds, no authentication required. nginx, Apache, IIS, and Envoy are all affected. Here is what the attack does, who is exposed, and the exact patch or config change that closes it.

Read more about Your HTTP/2 Server Can Be OOM-Killed In Under A Minute: What To Do Now
SecurityMay 30, 2026

What The New Spectra RCE Means For Multi Author WordPress Sites

Wordfence disclosed CVE-2026-7465 on May 30, 2026, a remote code execution flaw in the Spectra Gutenberg Blocks plugin (versions up to 2.19.25, fixed in 2.19.26). It needs only Contributor access, so the real exposure is sites with open registration or many low-trust authors. Who is at risk and how to close it.

Read more about What The New Spectra RCE Means For Multi Author WordPress Sites
StrategyMay 28, 2026

What Claude Opus 4.8 Changes For DevOps Teams

Anthropic shipped Claude Opus 4.8 on May 28, 2026, with a fourfold reduction in silent code flaws, Dynamic Workflows for parallel subagent orchestration, Effort Control for cost dialing, and pricing parity with 4.7. What it changes for DevOps teams running Claude in CI and dev tooling.

Read more about What Claude Opus 4.8 Changes For DevOps Teams
SecurityMay 22, 2026

How npm's New Staged Publishing Closes the Stolen CI Token Window

npm shipped staged publishing in CLI v11.15.0 on May 22, 2026. Adopted publishes now require a human 2FA approval that no OIDC token, automation token, or stolen CI credential can satisfy. Here is how it works and the CI changes it requires.

Read more about How npm's New Staged Publishing Closes the Stolen CI Token Window
SecurityMay 22, 2026

How a TanStack npm Compromise Got Grafana's GitHub Codebase Stolen

Grafana Labs confirmed that attackers downloaded source code from its GitHub environment after a TanStack npm package compromise leaked one developer's GitHub workflow token. One token missed in the rotation, in one of the better-instrumented companies on the internet.

Read more about How a TanStack npm Compromise Got Grafana's GitHub Codebase Stolen
SecurityMay 21, 2026

TeamPCP Breaches GitHub via Poisoned Nx Console Extension

TeamPCP exfiltrated about 3,800 GitHub-internal repositories after a poisoned Nx Console VS Code extension reached a GitHub employee. The full supply-chain chain, and what to do.

Read more about TeamPCP Breaches GitHub via Poisoned Nx Console Extension
CloudMay 20, 2026

Railway 8-Hour Outage: GCP Auto-Suspended Their Account

Google Cloud auto-suspended Railway's production account on May 19, 2026, taking the platform offline for 8 hours. The cross-cloud dependency lesson, in detail.

Read more about Railway 8-Hour Outage: GCP Auto-Suspended Their Account
SecurityMay 20, 2026

Mini Shai-Hulud Worm Hits Microsoft's durabletask PyPI

TeamPCP's Mini Shai-Hulud worm backdoored durabletask v1.4.1-1.4.3 on PyPI, stealing AWS, GitHub and Vault secrets and spreading via SSM and kubectl exec.

Read more about Mini Shai-Hulud Worm Hits Microsoft's durabletask PyPI
SecurityMay 19, 2026

ssh-keysign-pwn (CVE-2026-46333): Kernel Secret Leak

CVE-2026-46333 (ssh-keysign-pwn) lets any local Linux user read SSH host keys and /etc/shadow via a kernel ptrace exit race. Who is exposed and how to fix it.

Read more about ssh-keysign-pwn (CVE-2026-46333): Kernel Secret Leak
SecurityMay 18, 2026

Apple's M5 Memory Integrity Enforcement Bypassed in Five Days with AI Help

Researchers built the first public macOS kernel exploit on Apple M5 silicon, defeating Memory Integrity Enforcement in five days with Claude Mythos. The real story is the velocity.

Read more about Apple's M5 Memory Integrity Enforcement Bypassed in Five Days with AI Help
SecurityMay 16, 2026

Google GTIG Confirms the First AI-Developed Zero-Day Used in the Wild

On May 11, 2026, Google's Threat Intelligence Group published the first confirmed evidence of a criminal group using AI to build a working zero-day. Here is what it means for your threat model.

Read more about Google GTIG Confirms the First AI-Developed Zero-Day Used in the Wild
SecurityMay 15, 2026

NGINX Rift (CVE-2026-42945) - An 18-Year-Old RCE in the World's Most Deployed Web Server

NGINX Rift (CVE-2026-42945) is a CVSS 9.2 heap overflow in the nginx rewrite module. A single unauthenticated request can reach RCE. PoC is public. Here is who is exposed and how to patch.

Read more about NGINX Rift (CVE-2026-42945) - An 18-Year-Old RCE in the World's Most Deployed Web Server
SecurityMay 15, 2026

Fragnesia (CVE-2026-46300) - The Linux Kernel LPE That the Dirty Frag Patch Created

Fragnesia is a new Linux kernel local privilege escalation introduced by the Dirty Frag patch itself. Public PoC is out. Ubuntu still unpatched. Here is the mitigation playbook.

Read more about Fragnesia (CVE-2026-46300) - The Linux Kernel LPE That the Dirty Frag Patch Created
SecurityMay 15, 2026

May 2026 Linux and cPanel CVE Storm: What to Patch Now

Three high-severity Linux kernel CVEs and a critical cPanel authentication bypass are being actively exploited in May 2026. Here is what to patch and how.

Read more about May 2026 Linux and cPanel CVE Storm: What to Patch Now
MagentoMay 13, 2026

What To Patch First In Adobe's APSB26-49 Magento Update

Adobe's APSB26-49 covers every maintained Magento branch from 2.4.4 to 2.4.9-beta1 with RCE, auth bypass, and privilege escalation fixes. Headline CVSS 8.7. The patch order, the rollout sequence, and what to monitor for two weeks after.

Read more about What To Patch First In Adobe's APSB26-49 Magento Update
SecurityMay 7, 2026

Dirty Frag (CVE-2026-43500) - Linux Kernel RxRPC Root Escalation, Public Exploit Out

Dirty Frag (CVE-2026-43500) is a high-severity Linux kernel local privilege escalation in the RxRPC subsystem. Public exploit is already out - the disclosure embargo broke. Patch and mitigation playbook below.

Read more about Dirty Frag (CVE-2026-43500) - Linux Kernel RxRPC Root Escalation, Public Exploit Out
SecurityMay 3, 2026

Copy Fail (CVE-2026-31431) - Patch Every Linux Server You Run

Copy Fail (CVE-2026-31431) is a Linux kernel local privilege escalation that turns any local account into root in seconds. Every major distribution is affected. This is the patch and mitigation playbook.

Read more about Copy Fail (CVE-2026-31431) - Patch Every Linux Server You Run
SecurityApr 26, 2026

Major Vercel Breach Disclosed - Rotate Every Token Now

A high-impact supply chain breach hit Vercel customers in April 2026. Plaintext environment variables - API keys, database credentials, signing keys - were exposed. This is the rotation playbook.

Read more about Major Vercel Breach Disclosed - Rotate Every Token Now
WordPressMar 10, 2026

WordPress 6.9.2 Security Release Is Now Available

WordPress 6.9.2 shipped as a March 2026 security release, making it the safer reference point than older 6.8-focused update coverage.

Read more about WordPress 6.9.2 Security Release Is Now Available
Server & DevOpsFeb 26, 2026

Kubernetes 1.35.2 Becomes the Latest Supported Patch

Kubernetes 1.35 remained in active support as 1.35.2 shipped in late February 2026, giving platform teams a clearer current upgrade target.

Read more about Kubernetes 1.35.2 Becomes the Latest Supported Patch
Server & DevOpsFeb 20, 2026

Docker Desktop 4.36 Introduces Resource Saver Mode

Docker Desktop 4.36 adds resource saver mode that reduces CPU and memory usage by up to 80% when containers are idle. Key update for developers.

Read more about Docker Desktop 4.36 Introduces Resource Saver Mode
CloudFeb 18, 2026

Amazon OpenSearch Service Expands Graviton4 Support

AWS expanded Amazon OpenSearch Service support for Graviton4-based c8g, m8g, r8g, and r8gd instances in more regions during February 2026.

Read more about Amazon OpenSearch Service Expands Graviton4 Support
CloudFeb 5, 2026

Terraform 1.8 Released with Provider Functions

HashiCorp releases Terraform 1.8 with provider-defined functions, improved refactoring support, and better state management capabilities.

Read more about Terraform 1.8 Released with Provider Functions
Next.jsJan 20, 2026

Inside Turbopack: Next.js Doubles Down on Faster Dev Loops

The January 2026 Next.js engineering update focused on how Turbopack reduces work during development, making it a better current reference than older 15.1 launch posts.

Read more about Inside Turbopack: Next.js Doubles Down on Faster Dev Loops
Server & DevOpsJan 8, 2026

PHP 8.4 Release: What It Means for Developers

PHP 8.4 brings property hooks, asymmetric visibility, and HTML5 DOM support. Here is how these changes affect Laravel and Magento projects.

Read more about PHP 8.4 Release: What It Means for Developers
SecurityFeb 11, 2025

OpenSSL CVE-2024-12797 - Raw Public Key TLS Authentication Bypass Patched

OpenSSL has patched CVE-2024-12797, a high-severity TLS authentication flaw that lets a server bypass Raw Public Key verification without aborting the handshake. Affects OpenSSL 3.2, 3.3, and 3.4. Update immediately.

Read more about OpenSSL CVE-2024-12797 - Raw Public Key TLS Authentication Bypass Patched