
Amazon Q silently ran MCP servers from cloned repos; Kubernetes pushes back on AI-generated PRs
The Amazon Q MCP story is the supply-chain incident that makes every other hardening post this week feel more urgent – and Kubernetes maintainers are already fighting a different kind of automated noise in their review queue.

AUR hit by second, more sophisticated malware wave — 1,500+ packages affected
Linux 7.1 ships while 7.2 is already bumping compiler minimums; the AUR got hit twice in a day, with the second wave obfuscated well enough to slip past the initial response; and a DNS caching quirk means dead domains can still look alive in your monitoring.