Platform Engineering Monthly — June 2026
Welcome to the thirty-first edition of Platform Engineering Monthly. As always, if you have suggestions or ideas for the next edition, let me know!
📰 News
A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex
Prompt injection via a compromised MCP tool is exactly the kind of attack vector that was obvious in hindsight. Any tool your agent calls is now part of your attack surface.
Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised
73 repos pulled and no disclosure of what was in them. If your dependency tree touches GitHub-owned packages, you’re probably doing an audit right now and Microsoft’s silence isn’t helping.
Google API keys keep working after you delete them
PSA if you’re relying on Google API key revocation as a security control: it doesn’t actually work. Rotate and revoke isn’t enough here, you need to know where those keys have been used.
Malware in AI instruction files, plus 1,230+ leaking API keys
Turns out your AI instruction files are now attack vectors. Prompt injection via CLAUDE.md-style files is a genuinely nasty supply chain angle, and 1,230 leaking keys suggests most teams haven’t thought any of this through.
European Commission lines up Amazon and Microsoft for cloud gatekeeper status
EU gatekeeper status means real obligations: data portability, interoperability, and no more lock-in by default. AWS and Azure will hate this, which is basically all the endorsement it needs.
Miasma Campaign Poisons 20+ npm Packages, Hunts for Developer Secrets
A self-propagating worm compromised 32 @redhat-cloud-services npm packages then used stolen tokens to republish itself into other packages the victims maintain. First supply chain attack that actively replicates through developer credentials.
AWS Interconnect Multicloud Reaches General Availability with Google Cloud as Launch Partner
You can now provision a dedicated low-latency VPC-to-VPC link between AWS and GCP entirely from the AWS console. Two major clouds acting like one network is no longer a thought experiment.
📚 Learning
GitHub Actions security checklist for supply chain attacks
Good checklist, and most teams will fail it on at least three points. Pinning actions to commit SHAs instead of tags is still the one people most consistently skip.
Solving secret sprawl in multi-account Kubernetes with External Secrets Operator
Secret sprawl across multiple accounts is one of those problems that seems manageable until suddenly it very much isn’t. ESO is the right answer and this is a decent guide to doing it properly.
Building high-availability PostgreSQL on Kubernetes
Datadog running HA Postgres on Kubernetes and writing about it is a good sign the pattern is mature enough to trust. Patroni on K8s has come a long way.
87% of Organizations Are Running Software With Known, Exploitable Vulnerabilities — Datadog State of DevSecOps 2026
Only 4% of organizations pin GitHub Actions to a full commit SHA while 71% leave them completely unpinned, the same attack surface TeamPCP exploited all year, now quantified at scale.
🧪 Interesting Projects
klustr
A Kubernetes GUI that runs entirely on your desktop without deploying anything into your cluster is a much better proposition than the usual web-based dashboards. Helm releases, Argo CD, Flux, cert-manager, permission matrices, all in one view without the “who owns this thing running in prod” question.
no-mistakes
A local Git proxy that runs AI review, linting, and tests before your push reaches the remote. Interesting angle for teams leaning into AI coding agents where the quality bar on what gets pushed is more variable than it used to be.
warpgate
Self-hosted bastion that handles SSH, HTTPS, Kubernetes, MySQL, and Postgres with session recording and no client-side software required. Basically what Teleport does, without the price tag. Worth a look if you’ve been putting off a proper bastion setup because the options felt too heavy.
tabularis
Another database GUI, but the MCP integration letting AI assistants directly query your schemas is the bit that makes it interesting. Probably not displacing whatever your team already uses, but worth watching as a pattern.
doco-cd
GitOps for Docker Compose and Swarm. Niche, but exactly right for the teams not on Kubernetes who still want declarative deployments without migrating an entire platform to get them.
📅 Events
Mumbai Maha Mahotsav – KubeCon + CloudNativeCon India edition
KubeCon making it to Mumbai is genuinely great for the community. The cloud native scene in India has been growing fast and deserves its own event.
KubeCon + CloudNativeCon Japan 2026
July 28-30, 2026 — Yokohama, Japan
CNCF’s flagship Kubernetes and cloud native conference returning to Japan with tracks on AI, observability, platform engineering, and security across 10+ technical content areas.
KubeCon + CloudNativeCon + OpenInfra Summit + PyTorch Conference China 2026
September 8-9, 2026 — Shanghai, China
Combined CNCF, OpenInfra, and PyTorch event serving the Asia-Pacific cloud native and open infrastructure community with Kubernetes, AI/ML, and open source infrastructure content.
DevOpsDays London 2026
September 17, 2026 — London, United Kingdom
Community-run DevOps conference blending technical talks with open-space discussions on DevOps culture, tooling, and organizational practices for practitioners.
DevOpsDays Prague 2026
October 5, 2026 — Prague, Czech Republic
Community-run DevOps conference focused on the intersection of development, operations, and platform culture through talks and open-space format discussions.
PromCon EU 2026
October 7-8, 2026 — Munich, Germany
The dedicated Prometheus monitoring conference covering Prometheus internals, Alertmanager, remote storage, OpenMetrics, and observability ecosystem integrations.
DockerCon 2026
October 14-16, 2026 — Las Vegas, NV, USA
Docker’s flagship developer conference covering container tooling, developer experience, security, and the intersection of containerization with AI and cloud native workflows.
Have platform engineering tips to share? Reply to this email or connect with me on LinkedIn.