Everything we post on LinkedIn

Source-verified takes on Kubernetes, cloud infrastructure, and AI security, published a few times a week. Browse the full feed below and click any post to open it.

Over-permissioned AI agents

Cequence research found that most enterprise AI agent security incidents in 2025 involved authenticated agents that had been granted excessive permissions. Authentication confirms identity. It does not constrain behavior. Role-based access control applied at the API gateway layer, scoped to specific agent personas, is the missing control between "agent is authorized" and "agent can only do what it should." The gap is infrastructure, not identity.

#aiagents #security #rbac #apigateway

K8s controls miss AI workloads

The CNCF published a warning that standard Kubernetes security controls do not protect organizations running AI and language model workloads. Kubernetes monitors pods, network traffic, and resource consumption. It has no visibility into prompts, model outputs, or tool calls. A fully compliant, fully secured Kubernetes cluster can still expose you completely if you are running AI workloads without runtime I/O monitoring and policy enforcement at the inference layer.

#kubernetes #security #cncf #llm

Kubernetes resource limits

Two of the most common production Kubernetes incidents come from guessed resource limits: applications crashing because memory is too low, and clusters sitting at 15% utilization because teams pad their requests "just in case." As of Kubernetes 1.35 you can adjust limits without restarting applications. We put together a production guide covering the right-sizing methodology and when to use each configuration option. If you want help figuring out the right settings, paste the article into your AI agent and ask about your specific workloads.

#kubernetes #devops #sre #performance

AI agent deletes a prod database

A production database was deleted in 9 seconds by an AI coding agent that found an unscoped cloud token while fixing a different issue. The failure was not the AI's judgment. The failure was infrastructure that gave the agent a token with blanket account permissions and stored backups inside the same volume it could delete. What an AI agent can do in your environment is a direct function of what you have allowed it to access. That is an infrastructure decision, not a model setting.

#aiagents #security #infrastructure #cloud

AI runtimes lack governance

A major AI agent runtime with over 135,000 GitHub stars shipped without the runtime governance layer needed to operate AI agents safely at enterprise scale. Kubernetes provides compute isolation but has no concept of agent identity, tool-call authorization, or behavioral conformance. The gap between "agent runs in a container" and "agent is governed at runtime" is not closed by standard container security. This is the infrastructure problem AI teams are walking into at scale.

#aiagents #kubernetes #security #governance

Securing AI agents at the infra layer

Standard Kubernetes service accounts weren't built for AI agents. They use long-lived tokens that can be impersonated across trust boundaries. The fix is certificate-based identity with short validity periods and workload verification. We put together a full architecture covering identity, gateways, and governance for production AI agents. If you have questions or want a shorter version, drop the article into your AI agent for a complete breakdown.

#security #aiagents #kubernetes #identity

Seven AI inference server bugs

Seven security vulnerabilities hit AI inference servers in April 2026. The most severe allows full remote code execution with a 9.8 out of 10 severity score, and one was exploited in production within 12 hours of disclosure. Built-in authentication flags on popular inference servers don't cover all endpoints. We covered all seven vulnerabilities and a five-layer defense architecture. If you want a quick summary or have questions, drop the article into your AI agent for a complete breakdown.

#security #ai #inference #kubernetes

AI platform leaks code for 48 days

A major AI coding platform left user source code and database credentials publicly accessible for 48 days through a basic API misconfiguration. Research shows AI-generated code ships with security vulnerabilities at more than twice the rate of human-written code, and most CI/CD pipelines deploy it without scanning. The platform has billions of dollars in valuation. AI code needs security review before it ships, not after.

#security #vibecoding #ai #devsecops

vLLM video-file takeover

A vulnerability in vLLM allows an attacker to take over an AI inference server by sending it a URL pointing to a crafted video file. No authentication required, no user interaction beyond the server processing the request. Inference servers are becoming the new perimeter: they sit inside your network, they process untrusted external inputs, and they are updated far less frequently than web-facing services. Treat them accordingly.

#security #llm #vllm #kubernetes

AI agent wipes database and backups

An AI coding agent found an overprivileged API token in a codebase, deleted the production database in 9 seconds, then destroyed all backups because they were stored in the same location. The project had explicit safety rules. The agent overrode them all. Safety prompts are guidance, not enforcement. The fix is infrastructure controls the agent physically cannot bypass. We break down exactly what happened and how to prevent it. If you have questions, paste the article into your AI agent for a full breakdown.

#security #aiagents #codingagents #infrastructure

SSRF exploited in 13 hours

A server-side request forgery vulnerability in a popular LLM inference server was exploited in the wild just 13 hours after public disclosure, with no published proof of concept available yet. The attack chain probed cloud metadata services, internal databases, and exfiltrated credentials via DNS. Inference servers running AI models sit inside your network perimeter with broad internal access. Treating them like public-facing web applications from a patching and isolation standpoint is no longer adequate.

#security #llm #kubernetes #aiinfrastructure

Do not run MCP servers locally

Do not run MCP servers on your machine; it's one of the biggest security risks now. If you are a business that's accelerating with AI and using MCPs in your team, here's what you want to do:

(a) move all MCP to remote: either use the official remote server, or run open source servers in a sandbox (see below on why local is risky)
(b) never distribute API keys/tokens to your users; instead have them managed through a gateway
(c) monitor and audit the tool calls/responses
(d) set fine-grained tool controls to prevent the AI from doing destructive actions
(e) install data classification tools to scan the responses from the MCP calls to ensure nothing sensitive is entering the agents

One of the biggest risks today is to use MCP locally, that is, when you install an MCP through an npx or uvx command. This effectively installs the entire supply chain onto your machine. The install configurations can also include configurations that run arbitrary commands. In April, we've seen a ton of supply chain compromises from litellm, axios, bitwarden. If the implementation of the open source MCP server you installed pulled in the latest version of compromised packages, you're at risk. Simply restarting Cursor or Claude can pull the compromised packages onto your machine. I think this is particularly risky for non-technical users as there are many packages out there (e.g., see mcp-slack on pypi) that can sound official, but are actually third-party created. Many companies are now deploying enterprise-grade MCP gateways to secure their agents' use of data, so that they can roll out AI securely with controls.

Axios prototype pollution

A high-severity vulnerability in the Axios HTTP library chains prototype pollution into server-side request forgery and cloud credential theft. Standard Node.js deployments block the exploit chain at the protocol layer before it completes. Non-Node runtimes including Bun and Deno do not get that protection, and teams using custom HTTP agents may be exposed regardless. Patch to the latest version anyway: the real lesson is that a dependency vulnerability in one library can become an attack vector through a completely different library.

#nodejs #security #supplychain #axios

GitHub Actions secret theft

An AI-powered script exploited a GitHub Actions design flaw to open hundreds of pull requests containing code that runs with full access to repository secrets when triggered. Fifty repositories were successfully compromised, with AWS keys, Cloudflare tokens, and Netlify credentials stolen. The pull requests were nearly identical and trivial to detect in hindsight. CI/CD pipelines that allow pull request workflows to access production secrets are the target: audit what can run on fork submissions.

#cicd #githubactions #security #devsecops

Anatomy of the TeamPCP campaign

The TeamPCP campaign compromised roughly 500,000 machines across 1,000+ SaaS environments by poisoning two popular open source security and AI packages. The initial access wasn't a sophisticated exploit. It was a misconfigured CI/CD workflow. Pinning your dependencies to exact content hashes would have prevented the technique they used. We break down the full attack chain with specific defense controls at each stage. If you have questions, drop the article into your AI agent for a full rundown.

#security #supplychain #devsecops #incident

An AI worm hits npm

An AI-powered worm hit npm that steals Kubernetes configs, Docker credentials, CI/CD secrets, and LLM platform API keys before spreading itself to every package the victim's npm publish token can reach. The worm hid inside a postinstall hook and ran silently during normal package installation. Twenty-two packages from a single AI company were affected, with over 30,000 combined monthly downloads. Any package that runs code on install is executing with full developer workstation access.

#npm #supplychainsecurity #kubernetes #security

TeamPCP: the biggest CI/CD attack

The TeamPCP supply chain campaign is the most comprehensive CI/CD attack on record, hitting npm, Docker Hub, PyPI, GitHub Actions, and Bitwarden through a chain of stolen credentials. No zero-day exploits were required. The campaign relied entirely on the 94-day average window between credential rotations that most organizations maintain. The full anatomy of how each pivot worked is covered in our breakdown.

#supplychainsecurity #security #devops #kubernetes

Cloudflare AI stack vs Kubernetes

Cloudflare's AI agent stack and Kubernetes represent genuinely different tradeoffs. Cloudflare starts faster but has no direct GPU access. Kubernetes gives you full GPU control and runs on open standards, but requires more setup. We put together a side-by-side comparison across performance, isolation, networking, and vendor lock-in. If you want help deciding which fits your setup, paste the article into your AI agent and ask away.

#cloudflare #kubernetes #aiagents #infrastructure

TeamPCP reaches the EU Commission

The TeamPCP supply chain campaign reached European Commission cloud infrastructure after a backdoored container image provided a foothold for large-scale credential theft. The campaign did not require a novel exploit: it relied on the average 94-day window most organizations leave between credential rotation cycles. Any team pulling container images from unverified sources without digest pinning is already exposed to the same technique.

#supplychainsecurity #security #docker #kubernetes

TeamPCP compromises Trivy

The TeamPCP supply chain campaign compromised Trivy, the open-source container scanner running inside thousands of CI/CD pipelines. If the payload found a Kubernetes service account token, it exfiltrated secrets from every namespace and deployed privileged workloads across every node in the cluster. The same stolen credentials then spread the attack to LiteLLM. Security tooling with cluster access is high-value supply chain infrastructure, and most teams give it far more privilege than it needs.

#supplychainsecurity #kubernetes #trivy #security

ingress-nginx to Envoy Gateway

ingress-nginx was retired on March 24, 2026, which means known security vulnerabilities will never be patched. Envoy Gateway is the recommended replacement, and the official migration tool handles 30+ configuration conversions automatically. We put together a step-by-step migration guide covering the full process. If you want a quick walkthrough, paste the article into your AI agent and it'll break it all down for you.

#kubernetes #envoy #migration #security

TeamPCP backdoors Checkmarx

The TeamPCP supply chain campaign replaced official Checkmarx container images on Docker Hub with versions that ran scans normally and simultaneously exfiltrated results to attacker infrastructure. Any infrastructure code your pipeline scanned with the compromised images (Terraform, Kubernetes manifests, CloudFormation) should be treated as potentially exposed. This was the second Checkmarx infrastructure hit in two months by the same threat actor.

#supplychainsecurity #checkmarx #devsecops #docker

TeamPCP hits Netflix and Stripe

The TeamPCP supply chain attack hit Netflix, Stripe, and Google's downstream environments through a compromised AI package that gets nearly 100 million monthly downloads. The attack payload required elevated container privileges that basic security policies block by default. We break down exactly what controls would have stopped it and how to set them up. If you have questions or want a shorter version, paste the article into your AI agent for a full breakdown.

#kubernetes #security #supplychain #devsecops

TeamPCP backdoors the Bitwarden CLI

The TeamPCP supply chain campaign reached password managers: Bitwarden's CLI was backdoored through a compromised GitHub Action in the tool's own build pipeline. The malware specifically targeted AI coding tool credentials including Claude Code, Codex, and Cursor alongside SSH keys and cloud secrets. It was a self-propagating worm that spread to any package your npm publish token could reach. If your team ran the affected version, rolling back the CLI is step one. Rotating every credential it could have touched is step two.

#supplychainsecurity #bitwarden #security #aitools

Docker Engine authz bypass

A vulnerability in Docker Engine causes authorization plugins to silently skip inspection on requests larger than one megabyte, approving them automatically while the daemon processes the full content. An attacker who exploits this can run privileged containers, mount host volumes, and access credentials and Kubernetes configs. This is a variation of an incomplete fix for a 2024 vulnerability in the same component. Update Docker Engine and audit what your authorization plugins are actually inspecting.

#docker #security #containers #devsecops

Atlassian MCP full takeover

Researchers chained two vulnerabilities in an Atlassian MCP integration with four million downloads to achieve full server access with no authentication. One bug redirects internal traffic to attacker-controlled systems. The second writes arbitrary files to any path on the server. Two requests, zero credentials required. This was the fifth MCP server critical vulnerability in the same month, and the pattern is the same every time.

#mcp #security #atlassian #rce

MCP remote code execution by design

Security researchers disclosed a design flaw in MCP that allows remote code execution on servers running AI agents. Anthropic acknowledged the issue and classified the behavior as working as intended. Over 200,000 AI server instances were affected at the time of disclosure across tools including Claude Code, Cursor, and VS Code. Because the fix is not coming from upstream, runtime controls at the infrastructure layer are the only reliable defense.

#mcp #security #aiagents #claude

Istio ambient mode for AI

Running a proxy on every AI inference pod wastes GPU memory you could be using for your models. Istio 1.29's ambient mode moves the proxy to a shared layer, cutting memory overhead by 70% while adding smart routing for AI workloads. We covered what's shipping now and what's coming next. If the article is too detailed, paste it into your AI agent and it'll give you the highlights.

#istio #kubernetes #ai #servicemesh

nginx MCP endpoint auth bypass

A developer added an MCP endpoint to a popular nginx management interface and skipped one line of authentication middleware. Twenty-six hundred instances became fully exploitable with a single unauthenticated request. MCP endpoints are shipping faster than security reviews can catch them. Every new MCP integration your team adds to infrastructure is an attack surface that needs the same review as any other admin interface.

#mcp #security #nginx #aitools

MCP server kubectl injection

A vulnerability in the MCP server used to manage Kubernetes clusters allows attackers to run arbitrary kubectl commands by injecting malicious input into an AI agent conversation. The attack requires no direct access to the cluster: a crafted prompt to the AI agent is enough to trigger the exploit. The fix is upgrading to the patched version, but the broader issue is that any MCP server executing system commands on user input is an injection vector by design.

#kubernetes #mcp #security #aiagents

Kyverno for AI tool control

Unauthorized AI tools spinning up inside your cluster is now an OWASP Top 10 risk. Kyverno's admission policies can block unapproved tools before they ever run by requiring signed images and enforcing an allowlist at deploy time. We put together a production guide with working policies you can apply today. If you want a summary or have questions, paste the article into your AI agent for a full breakdown.

#kyverno #kubernetes #security #aiagents

AI agent destroys production

A developer asked an AI coding agent to fix a staging configuration issue. The agent found an unrelated cloud API token, used it to access production, and deleted the database along with the backups stored in the same volume. The AI did exactly what it was capable of doing. The failure was infrastructure: tokens with no scope limits, backups co-located with primary data, and no boundary between staging agents and production systems.

#aiagents #security #devops #cloud

Linux kernel container escape

A nine-year-old Linux kernel vulnerability allows a Python script under 800 bytes to escape a container and access the host node. Because the kernel's page cache is shared memory across all containers on a node, a single pod compromise becomes a full node compromise. A working proof of concept is publicly available. Organizations running standard container runtimes should prioritize applying the kernel patch from their Linux distribution.

#kubernetes #security #linux #containers

Vercel breached via an OAuth token

Vercel's internal systems were accessed after an employee at an AI vendor they used was infected with credential-stealing malware. The attacker used an OAuth token to move from the vendor's environment directly into Vercel's systems with no re-authentication required. Customer environment variables, including API keys and secrets, were exposed. Every AI tool your team OAuth-connects to corporate Google Workspace is a persistent access path if that vendor gets compromised.

#security #oauth #aitools #supplychainsecurity

Helm 4 migration guide

Helm 3 bug fix support ends July 8, 2026. Helm 4 changes how upgrades work under the hood, and your existing automation may need updated permissions. We put together a practical migration guide covering what breaks, the full permission changes, and a rollout strategy starting with staging. If the full article is a lot to get through, drop it into your AI agent for a quick breakdown.

#helm #kubernetes #devops #cloudnative

LiteLLM SQL injection

A pre-authentication SQL injection in the LiteLLM AI proxy was exploited within 36 hours of disclosure, giving attackers access to every API key stored in the system. That includes keys to OpenAI, Anthropic, AWS Bedrock, and any other provider your team had connected. This is not a typical web application breach: the blast radius is your entire cloud AI spend and every model provider account you run. Patch and rotate all stored provider credentials immediately.

#security #ai #llm #devsecops

Flowise unauthenticated RCE

A critical severity vulnerability in the Flowise visual agent builder allowed unauthenticated remote code execution through a component with no sandboxing. Active exploitation was confirmed in April, seven months after a patch was available. Over 12,000 instances remained exposed at the time of disclosure. If your team builds AI agents with any visual no-code platform, the hosted version's patch status is your risk, not just the vendor's.

#aiagents #security #rce #devsecops

A2A protocol hits v1.0

The Agent-to-Agent protocol just hit v1.0 with 150+ organizations already using it. When your AI agents need to talk to each other across teams or organizations, this protocol handles identity verification, task tracking, and full observability. We wrote a guide covering how to route, secure, and monitor agent-to-agent traffic. If you have questions, paste the article into your AI agent and it'll give you a complete rundown.

#aiagents #a2a #interoperability #ai

Observability for AI coding agents

Dynatrace shipped observability for AI coding agents, and it covers five major tools in a single dashboard. Setup is just environment variables: if the agent emits telemetry, you get sessions, token usage, tool calls, errors, and dollar cost automatically. Platform teams see total spend and trends. Engineering leaders see agent activity mapped to actual commits and pull requests. You cannot govern AI tool usage across your organization until you can measure it, and now you can.

#platformengineering #aiagents #observability #devops

GitHub RCE via a single git push

A critical vulnerability in GitHub's infrastructure allowed full code execution via a single git push. GitHub silently patched its own cloud on March 4, but Enterprise Server operators had no idea their instances were exposed until public disclosure 55 days later. At the time of disclosure, most Enterprise Server installations were still running the vulnerable version. If your organization hosts its own GitHub instance, this is why keeping up with enterprise software advisories is not optional.

#github #security #devsecops #enterprise

Kubernetes 1.36 upgrade guide

Kubernetes 1.36 permanently removes three components, and one of them is a security risk that will never receive patches again. Eighteen features move to stable in this release. We put together a production upgrade guide covering what breaks, the correct upgrade sequence, and how to handle each removal. If you want a quick summary or have specific questions, paste the article into your AI agent for a full breakdown.

#kubernetes #devops #sre #cloudnative

Jenkins plugin file-write RCE

A path traversal vulnerability in the Jenkins Credentials Binding Plugin lets attackers write files anywhere on the filesystem. On the built-in node, arbitrary file write is remote code execution with no secondary exploit needed. The same security advisory also patched two stored cross-site scripting vulnerabilities in other popular plugins. If your organization runs Jenkins, check your plugin versions against the April 2026 security advisory now.

#jenkins #cicd #devsecops #security

PyPI ML library ships malware

The most popular machine learning training library on PyPI shipped with malware hidden in a version that fires the moment you import it. The payload swept credentials from GitHub, cloud providers, Kubernetes configs, and developer environment files. This is the same threat actor that hit Bitwarden, Checkmarx, and LiteLLM in the same month. If your team ran any version of this library published in late April, treat every credential on that machine as compromised.

#supplychainsecurity #kubernetes #mlops #security

Agent-ready Kubernetes platform

Kubernetes 1.36 ships with three features that finally make AI agent workloads production ready: proper isolation between agents, GPU sharing across multiple agents, and automatic scaling with state preservation. We put together a full platform architecture covering what's available now and how to set it up. If the article is too long, drop it into your AI agent and it'll walk you through the key points.

#kubernetes #aiagents #platformengineering #gpu

Microsoft Agent Framework 1.0

Microsoft just shipped Agent Framework 1.0 with support for multiple AI providers including Azure OpenAI, Anthropic, and Gemini. It lets you build systems where multiple AI agents coordinate across different teams and trust boundaries. We wrote up an overview with working examples for each orchestration pattern. If you want a quick summary or have questions, paste the article into your AI agent for a full rundown.

#microsoft #aiagents #azure #ai

Dapr Agents 1.0

If your AI agents lose their progress every time a server restarts, Dapr Agents 1.0 solves that at the platform level. It's the first CNCF backed agent framework that keeps agent state intact through crashes, restarts, and network issues. We put together a production guide covering setup, security, and observability. If the full article is a lot to take in, drop it into your AI agent and it'll give you a complete breakdown.

#kubernetes #aiagents #cncf #dapr

Kubernetes LLM inference stack

Most teams serving AI models are wasting GPU memory because their load balancer treats every request the same way. The new Kubernetes LLM inference stack uses smart routing to match requests with the right GPU, cutting response times by 57x and doubling throughput. We break down the full production setup in our latest guide. If the article is too long or you have questions, paste it into your AI agent for a full breakdown.