
Amazon Q silently ran MCP servers from cloned repos; Kubernetes pushes back on AI-generated PRs
The Amazon Q MCP story is the supply-chain incident that makes every other hardening post this week feel more urgent – and Kubernetes maintainers are already fighting a different kind of automated noise in their review queue.

Cisco SD-WAN zero-day hits production; supply chain ransom reaches Grafana Labs
A supply chain ransom hit Grafana’s CI runners, a Cisco SD-WAN zero-day is being used for lateral movement in production right now, and both Fedora and Red Hat published pieces about what happens when humans stop owning the security decisions in their own pipelines.

AI spam kills AppleTalk; agents argue over your incidents
AI-generated patch spam killed AppleTalk, AI agents are blamed for misrouting incidents, and a 70-year pattern says the ‘no more code’ promise won’t land any differently this time.

Linux 7.2 lands cache-aware scheduling; curl closes its vuln queue for the summer
Linux 7.2 is landing real work – cache-aware scheduling, a two-line IOPS fix – while Daniel Stenberg draws a line on CVE noise. Google’s data-agent announcement is mostly previews dressed as GA.

AUR hit by second, more sophisticated malware wave — 1,500+ packages affected
Linux 7.1 ships while 7.2 is already bumping compiler minimums, the AUR got hit twice in a day with the second wave obfuscated well enough to slip past the initial response, and a DNS caching quirk means dead domains can still look alive in your monitoring.