Platform Engineering Monthly — May 2026
Welcome to the thirtieth edition of Platform Engineering Monthly. As always, if you have suggestions or ideas for the next edition, let me know!
📰 News
GitHub confirms breach of 3,800 repos via malicious VSCode extension
A reminder that IDEs are a part of your company’s attack surface. Developer tooling has been an easy target for a while, and 3,800 repos is a reminder to treat your extensions with the same suspicion you’d give a random npm package.
CISA Admin Leaked AWS GovCloud Keys on GitHub
If you needed proof that leaked credentials are a universal problem, the agency tasked with protecting US government cloud infrastructure just provided it. PSA: scan your repos. There are a lot of automations that can do this too, and even pre-commit hooks can be a life-saver.
Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response
Your security scanner got supply chain attacked. Trivy is everywhere in platform tooling, so this one stings a bit more than most. Worth checking your pipeline immediately.
No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours
npm, PyPI, and Docker Hub all hit in 48 hours, which at this point feels less like a surge and more like a steady baseline. Supply chain attacks aren’t a trend anymore, they’re becoming background noise, and I’m not sure if, as an industry, we’re truly leaning into any meaningful solutions here.
North Korean Hackers Suspected in Supply Chain Attack on Popular Axios Project
Nation state actors going after axios specifically is alarming given how foundational it is. It ships in roughly half the frontend apps I’ve ever looked at, so the blast radius on this one is interesting to think about.
App host Vercel says it was hacked and customer data stolen
Third-party vendor risk strikes again. Vercel got breached via an AI tool in their stack, which is a neat preview of the new attack surface we’re all accumulating as we bolt AI services onto everything.
Terragrunt is dead: multi-state transactions killed run-all
run-all was basically the whole reason a lot of people reached for Terragrunt over vanilla Terraform. If multi-state transactions are breaking it at the seams, that’s a pretty fundamental problem, not a fixable rough edge.
EU weighs restricting use of US cloud platforms to process government data
Sovereign cloud keeps making gains, and the current geopolitical climate isn’t slowing it down. More a case of when than if at this point.
What’s gone wrong at GitHub?
GitHub has had a rough few months between quality regressions, outages, and the extension breach earlier. It’s clearly going downhill in terms of performance, and GitHub themselves blame AI, though I’m not sure if it’s just the surge in AI traffic causing these issues. Copilot revenue is clearly the priority and the platform is starting to feel it.
Incident Report: Railway Blocked by Google Cloud - resolved
This is the scariest incident I’ve seen in a while. A cloud provider cut off another company’s entire infrastructure with no meaningful recourse or warning.
📚 Learning
How we replaced Ingress-NGINX at Stack Overflow
A proper engineering write-up on replacing Ingress-NGINX at real scale. Worth the read if you’re still carrying that debt and wondering if there’s a better answer.
Your container is not a sandbox
Containers have never been a security boundary, and this is a nice concise argument for microVMs if you’re running untrusted workloads or multi-tenant anything. Personally I’ve been looking more into VMs even as a mechanism for locking down any AI-related experimentation I’m doing. Worth a read before your next architecture review.
The invisible engineering behind Lambda’s network
The kind of deep dive on network internals that makes you appreciate how much engineering sits below the Lambda abstractions you’re actually billing against. Probably not necessary for most mere mortals, but an interesting read nonetheless.
Migrating from DigitalOcean to Hetzner: from $1,432 to $233/month with zero downtime
I know, another article saving a fortune by moving off a managed cloud provider. The numbers are always eye-catching but the operational reality of running your own bare metal never quite makes it into these posts.
The (in)security landscape of AI-powered GitHub Actions
AI-powered GitHub Actions are a great idea right up until someone realises you can prompt-inject them via a PR description. The attack surface of AI in CI is genuinely underappreciated, and this is a solid rundown of what that looks like in practice.
My Homelab
Might be of interest to some, and I mentioned it in a recent Hybrid Cloud Show episode, but I’ve assembled a short intro to my homelab, what I’m running on there, why and how I’ve set things up. Do check it out.
🧪 Interesting Projects
K3k: Kubernetes in Kubernetes
Useful if you’re building internal developer platforms and need isolated Kubernetes environments without spinning up separate clusters. Pretty nice, actually.
📅 Events
QCon AI Boston 2026
June 1-2, 2026 — Boston, MA, USA
Practitioner-led conference on AI engineering and architecture covering AI infrastructure, ML platforms, and production AI systems — directly relevant to platform engineers building AI-enabled developer tooling.
DevOpsCon Berlin 2026
June 15-19, 2026 — Berlin, Germany
Hybrid conference covering platform engineering, CI/CD, Kubernetes, DevSecOps, and cloud-native practices, including a dedicated Platform Engineering Summit track.
KubeCon + CloudNativeCon India 2026
June 18-19, 2026 — Mumbai, India
CNCF’s flagship event for the India and South Asia cloud native community, featuring 55+ sessions on Kubernetes, AI infrastructure, observability, and platform engineering.
PlatformCon 2026
June 22-26, 2026 — Online + New York, NY, USA / London, UK (Live Days June 23 & 25)
The world’s largest dedicated platform engineering conference, featuring 150+ curated talks, 30+ hours of hands-on workshops, and in-person Live Days in London and New York. Oh and yours truly will be speaking at it, what’s not to like?
KubeCon + CloudNativeCon Japan 2026
July 28-30, 2026 — Yokohama, Japan
CNCF’s flagship Asia-Pacific cloud native event at PACIFICO Yokohama, with tracks on Kubernetes, AI, observability, and platform engineering for the APAC ecosystem.
Devoxx Belgium 2026
October 5-9, 2026 — Antwerp, Belgium
One of Europe’s largest community-driven developer conferences, featuring cloud native, platform engineering, and infrastructure tracks alongside core software engineering content.
SREcon26 Europe/Middle East/Africa
October 13-15, 2026 — Dublin, Ireland
USENIX’s flagship SRE conference for the EMEA region, focused on reliability engineering, incident management, observability, and operating production systems at scale.
HashiConf 2026
October 26-29, 2026 — Atlanta, GA, USA
HashiCorp’s annual user conference co-located with IBM TechXchange, covering Terraform, Vault, infrastructure as code, and secrets management — core tooling for most platform engineering teams.
Have platform engineering tips to share? Reply to this email or connect with me on LinkedIn.

