A supply chain ransom hit Grafana’s CI runners, a Cisco SD-WAN zero-day is being used for lateral movement in production right now, and both Fedora and Red Hat published pieces about what happens when humans stop owning the security decisions in their own pipelines.
// SECURITY FOCUS
Zero-day CVE-2026-20245 actively exploited in Cisco Catalyst SD-WAN Manager
Mandiant caught a threat actor inside a service provider’s SD-WAN infrastructure in early 2026 using this zero-day for post-access lateral movement — this is live exploitation against production network gear, not a lab finding. Service providers and enterprises running Catalyst SD-WAN Manager are the target profile; the attacker already had initial access when they triggered this, so your detection surface is the management plane, not just perimeter logs.
What to do: Check Cisco’s advisory for patched versions, prioritize SD-WAN Manager instances with internet-reachable management interfaces, and pull your netflow/management-plane logs for anomalous lateral movement since January 2026.
- The AI code paradox: Moving fast without breaking security — Red Hat Blog · Jun 24
Red Hat argues that both banning AI coding assistants and allowing unrestricted use create security problems – the former pushes developers toward shadow IT, the latter lets AI-generated code bypass review with unvalidated dependencies and privilege-escalation risks. The post frames the response as three pillars: governance policy (developers own AI-generated code, full stop), security-focused prompting skills, and AI-aware CI/CD pipelines that add automated slop filtering, SAST/DAST, and dependency scanning before code reaches a human reviewer. Red Hat has open-sourced a library of 130+ security skills for AI coding assistants and an AI code review tool to help automate the quality gate. The vulnerability load angle is worth taking seriously: FIRST projects up to 100,000 CVEs registered in 2026, more than double 2025’s count, meaning AI-generated code adds review volume on top of an already-growing advisory backlog. The concrete tooling references – prodsec-skills, LoLa, Anti Slop, RapiDAST – make this more than a framework post, though the heavy Red Hat branding means you’re reading a vendor’s preferred stack, not a neutral survey.
- Don’t wrap OpenTelemetry — your abstraction layer is breaking the API contract — OpenTelemetry · Jun 24
Wrapping the OpenTelemetry API in a convenience layer – an IMetric interface, a TelemetryHelper class, a MetricsWrapper module – silently destroys the performance model OTel was built around. The .NET SDK’s Histogram<T>.Record() has allocation-free overloads for 1-3 attributes and a stack-allocated TagList for up to 8; Rust’s API takes a borrowed slice. The moment your wrapper signature requires any collection type, every caller heap-allocates on every measurement. The pattern also tends to hide instrument creation inside the record call itself, which turns what should be a direct reference into a ConcurrentDictionary lookup or a Mutex-guarded HashMap acquisition on every hot-path write. Beyond the performance cost, developers learn your abstraction instead of OTel, you own an API layered on top of an API, and bugs get harder to trace. Legitimate exceptions exist – dual-write migrations, codegen-based governance tooling – but for most teams the wrapper costs more than it saves. Skip it and point people at the official docs.
- Log management for AI workloads: How to bring your logs and telemetry plan into the AI-first century — Dynatrace Blog · Jun 24
A Dynatrace-commissioned survey of 450 senior IT leaders finds AI workloads are breaking traditional log management assumptions: teams now average seven log tools, 50% of organizations discard an average of 86% of logs purely to control costs, 85% struggle to ingest logs at AI scale, and 80% say converting telemetry to insight is actively delaying AI projects reaching production. The core argument is that logs alone can’t explain AI behavior – you need logs, traces, metrics, and lifecycle context unified in a single queryable layer, enriched at ingest rather than reconstructed later. The action plan covers five areas: unify telemetry into one continuously queryable platform, establish causation by correlating logs with traces automatically, cut costs by dropping rigid schemas and rehydration dependencies, standardize instrumentation at ingest, and shift from reactive troubleshooting to real-time drift detection with automated remediation. The framing is vendor-neutral in principle but the recommended approach maps cleanly to Dynatrace’s own product, so read the stat sourcing with that in mind.
- Grafana Labs post-incident review: TanStack npm supply chain ransom incident — Grafana Labs
The TanStack “Mini Shai-Hulud” supply chain attack hit Grafana Labs on May 11 via malicious code executed on self-hosted CI runners, leaking credentials. Grafana rotated what it believed were all affected credentials, but missed one – which a threat actor used on May 14 to clone the entire repository collection before demanding a ransom on May 16. Grafana refused to pay, following FBI guidance, and confirmed no customer production systems or the Grafana Cloud platform were affected, though private repos containing internal tooling, business contact names, and some marketing email addresses were exfiltrated. The remediation was substantial: 1,500 security-focused PR reviews, audits of 280 GitHub applications, scanning of 1,200 repositories, and 2,300 PR reviews of a single critical repo. An independent Mandiant investigation completed June 18 found no evidence of code tampering or repository poisoning. Going forward, Grafana has deployed a token broker for short-lived credentials, fine-grained access controls, and is compartmentalizing GitHub organizations – steps worth comparing against your own CI/CD credential rotation and scoping practices.
- Fedora moves to require 2FA for packagers after alleged account compromise — LWN.net · Jun 24
After a compromised account let an AI agent cause downstream problems for the project, Fedora is starting mandatory 2FA with packagers first — LWN covers the discussion, the rollout plan, and the friction points that make MFA harder in contributor-heavy open source projects than it sounds.
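The signature problem the OpenTelemetry item above describes, shown as an added illustration in C# against the .NET System.Diagnostics.Metrics API that the OpenTelemetry .NET SDK instruments through; this is not code from the OpenTelemetry post, and the meter, histogram and attribute names are assumptions.

```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Diagnostics;
using System.Diagnostics.Metrics;
using System.Linq;

// The "convenience" layer: a name-keyed registry plus a collection-typed tag
// parameter. Every call allocates the Dictionary, pays a ConcurrentDictionary
// lookup, and copies the tags into a heap array before the SDK sees them.
static class MetricsWrapper
{
    static readonly Meter Meter = new("demo-service");   // assumed meter name
    static readonly ConcurrentDictionary<string, Histogram<double>> Registry = new();
    public static void Record(string name, double value, Dictionary<string, object?> tags)
    {
        var h = Registry.GetOrAdd(name, n => Meter.CreateHistogram<double>(n));
        h.Record(value, tags.ToArray());   // params KeyValuePair[] overload: heap array
    }
}

// Direct use of the API the wrapper hides: the instrument is a field resolved
// once, and the 1-3 tag overloads take KeyValuePairs by value with no allocation.
static class RequestMetrics
{
    static readonly Meter Meter = new("demo-service");
    static readonly Histogram<double> Duration =
        Meter.CreateHistogram<double>("request.duration", unit: "ms");   // assumed name
    public static void Record(double ms, string route, string status)
    {
        Duration.Record(ms,
            new KeyValuePair<string, object?>("http.route", route),
            new KeyValuePair<string, object?>("http.response.status_code", status));
    }
    // Four to eight attributes: TagList is a struct, so the tags live on the stack.
    public static void RecordDetailed(double ms, string route, string status, string method, string scheme)
    {
        var tags = new TagList
        {
            { "http.route", route },
            { "http.response.status_code", status },
            { "http.request.method", method },
            { "url.scheme", scheme },
        };
        Duration.Record(ms, in tags);
    }
}

static class Program
{
    static void Main() => RequestMetrics.Record(12.5, "/login", "200");
}
```

Tag values here are strings on purpose: passing a value type such as an int status code boxes it, which is an allocation the overload itself does not otherwise make.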
// In other news
ai
- OpenAI and Broadcom unveil LLM-optimized inference chip (OpenAI Blog) · Jun 24 — OpenAI and Broadcom revealed Jalapeño, a custom LLM inference ASIC – the first concrete signal that OpenAI is serious about owning silicon rather than renting GPU cycles from Nvidia.
- Introducing computer use in Gemini 3.5 Flash (DeepMind Blog) · Jun 24 — Google DeepMind ships computer-use capability in Gemini 3.5 Flash, putting browser and desktop automation into a smaller, cheaper model directly competing with Claude’s operator mode.
- Daybreak: Tools for securing every organization in the world (OpenAI Blog) · Jun 22 — OpenAI’s Daybreak ships Codex Security and GPT-5.5-Cyber for automated vuln discovery and patching – notable because the same model family that writes exploits is now being sold as the defense.
- simonw/browser-compat-db (Simon Willison) · Jun 24 — Simon Willison built browser-compat-db, an SQLite-backed queryable version of MDN’s browser compatibility data, inspired by the MDN MCP server announcement.
- Red-Teaming after Mythos — Zico Kolter & Matt Fredrikson, Gray Swan (Latent Space) · Jun 22 — OpenAI board member Zico Kolter and Gray Swan CEO Matt Fredrikson explain why AI red-teaming is a distinct discipline from classical cybersecurity, not a renamed version of it.
cloud
- Unlocking the Cloudflare app ecosystem with OAuth for all (Cloudflare Blog) · Jun 24 — Cloudflare’s Self-Managed OAuth is now available to all developers, with a zero-downtime migration of their core OAuth engine documented in the post.
- Enhanced data resilience with cross-region backups in Backup and DR Service (Google Cloud Blog) · Jun 24 — Google Cloud Backup and DR now supports cross-region backups, filling a gap for teams that need single-region primary storage but multi-region recovery.
- Choosing the best strategy for Object Storage encryption (Scaleway) · Jun 24 — Scaleway compares SSE-S3, SSE-C, and client-side encryption for object storage – practical tradeoff breakdown for teams evaluating key ownership vs. operational overhead.
culture
- Tech interviews with NeetCode (Pragmatic Engineer) · Jun 24 — NeetCode (the interview prep creator) talks about leaving Google and Amazon, building a business from leetcode content, and why he thinks deep technical skills still matter even as AI handles more coding.
- Deno project is going to add cross-platform desktop apps in next major update (The Register DevOps) · Jun 24 — Deno’s next major version will ship cross-platform desktop app support, letting you package web apps as native desktop binaries – not yet stable but confirmed for the roadmap.
- Killing a project is every engineering leader’s hardest call (LeadDev) · Jun 24 — LeadDev argues that the social and sunk-cost dynamics around project cancellation are what make it hard, not the technical assessment – and offers concrete framing for making the call earlier.
dev
- Node.js 26.4.0 (Current) (Node.js Blog) · Jun 24 — Node.js 26.4.0 is out on the Current release line – check the changelog for any breaking changes before pinning in your CI pipeline.
iac
- GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6 (GitLab) · Jun 24 — GitLab patch releases 19.1.1, 19.0.3, and 18.11.6 are out – if you self-host, check the release notes for security fixes before your next maintenance window.
- HCP Vault Dedicated introduces cluster disaster recovery (public preview) (HashiCorp Blog) · Jun 25 — HCP Vault Dedicated gains cluster-level DR in public preview, letting teams run actual failover drills rather than just hoping the docs are correct.
- Advancing AI agent security in Vault (HashiCorp Blog) · Jun 24 — HashiCorp Vault Enterprise adds AI agent security controls in public preview – short-lived credentials and scoped policies for non-human identities calling secrets APIs.
k8s
- ISTIO-SECURITY-2026-005 (Istio) · Jun 24 — ISTIO-SECURITY-2026-005 is out – check the CVE details and patch to the corresponding 1.28.9, 1.29.5, or 1.30.2 release if you haven’t already.
- Spotlight on WG Device Management (Kubernetes Blog) · Jun 24 — The Kubernetes WG Device Management spotlight covers where GPU and accelerator scheduling stands today, directly relevant to anyone running AI or telecom workloads on k8s.
- Building Modelplane on Crossplane (Crossplane) · Jun 23 — Modelplane uses Crossplane to manage ML model serving infrastructure as Kubernetes resources – useful reference architecture if your team is already using Crossplane for cloud provisioning.
linux
- One Line x86 Change To GCC Compiler Nets +12% Benchmark Win For Modern Intel/AMD CPUs (Phoronix) · Jun 24 — A single-line GCC change to generic x86 branch-misprediction tuning yields up to 12% benchmark gains on modern Intel and AMD CPUs – worth testing before your next compiler upgrade.
- [$] Free-threaded Python: past, present, and future (LWN.net) · Jun 22 — LWN covers the state of free-threaded Python (GIL removal): where it works today, which C extensions still break, and what the ecosystem timeline looks like for production use.
- Linux 7.2 Ready With IMA and EVM Post-Quantum ML-DSA Signature Support (Phoronix) · Jun 24 — Linux 7.2 adds ML-DSA post-quantum signature support to IMA and EVM, the first step toward quantum-resistant boot integrity verification for distros that use measured boot.
- “Disgusting” Linux sched_ext Source Code Restructured Following Complaint By Linus Torvalds (Phoronix) · Jun 24 — Linus Torvalds called the sched_ext source layout ‘disgusting’ and it got restructured before 7.2 merged – the thread is worth reading for the code organization principles he articulates.
- Sunsetting Tor 0.4.8 (LWN.net) · Jun 23 — Tor Project is sunsetting Tor 0.4.8 and all earlier C Tor releases soon – operators running older relays or bridges need to plan an upgrade before support ends.
obs
- How we migrated a live routing system using AI-assisted refactoring (Datadog Blog) · Jun 23 — Datadog migrated their live routing brain from a legacy storage model to relational by shadow-running changes against production traffic – a useful pattern for any zero-downtime storage migration.
- How migrating to Elastic Security helped a digital safety software company cut incidents by 85% with UnderDefense (Elastic Blog) · Jun 24 — A two-person security team cut incident volume 85% and MTTR 61% after migrating from QRadar to Elastic Security on AWS – numbers worth sanity-checking against your own SIEM noise floor.
sec
- Embedding Forbidden Text in Spyware to Discourage AI Analysis (Schneier on Security) · Jun 24 — At least one malware author is embedding CBRN-related text in spyware to trigger AI safety filters and block automated analysis – a practical evasion technique analysts should account for in their pipelines.
- Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs (AWS Security) · Jun 24 — AWS Sign-In now supports resource-based policies and RCPs, letting you network-restrict Console access at the org level without touching per-service IAM policies.
web
- Route Metadata Support in Laravel 13.17 (Laravel News) · Jun 24 — Laravel 13.17 adds route metadata support, letting you attach arbitrary key-value data to route definitions and read it in middleware without hacking the route name.
- Context-aware headings in HTML (Freek Van der Herten) · Jun 24 — The experimental `headingoffset` HTML attribute lets heading levels adapt to document context automatically, potentially ending the fragile h2/h3 hardcoding in component libraries.
- Ship AI with Laravel: Failover, Queues, and Middleware for AI Agents (Laravel News) · Jun 24 — Practical Laravel patterns for AI provider failover and queued background inference – covers what happens when your OpenAI call fails at 2am and your app needs to stay up.
- Create richer issues from your errors (Spatie) · Jun 23 — Flare now includes stack trace context, affected user counts, and occurrence frequency when creating GitHub, GitLab, or Linear issues from errors – reduces the back-and-forth before a fix lands.
Rotate your CI credentials, enable 2FA on your package accounts, and patch the SD-WAN gear — then read the OTel wrapping post. Back tomorrow.
