DevOps Daily Newsletter - Week 22, 2026

Hey there, here's what landed in DevOps this week - supply chain drama, on-call wisdom, and a fresh chaos experiment to try.

Blog Posts

When the Malicious Hook Is in the Other Manifest: 700+ Repos, 8 Packagist Packages, One package.json Trick

Socket caught a Composer supply chain attack smuggling an npm-style postinstall hook through a package.json sitting inside a PHP package. If you mix ecosystems in one repo, this one is worth a careful read.

node-ipc DNS-Tunneling Supply Chain Attack: Your Egress Firewall Probably Missed This

Three poisoned versions of node-ipc exfiltrated AWS credentials over DNS, sliding right past most egress firewalls. Find out what the payload looked like and how to spot it before it hits your build agents.

AI Is Reshaping DevOps. The Engineers Are Faster Than the Vendors.

The big DevOps vendors are still pacing themselves on AI, but the engineers using their tools have already raced ahead. A look at where the gap is widest and what teams are shipping on their own.

AntV npm Compromise: The Shai-Hulud Worm Comes for Your Dashboards (May 19, 2026)

The Shai-Hulud worm hit again on May 19, this time hijacking the @antv maintainer account and poisoning 32 packages your dashboards probably depend on. Here is the timeline and the cleanup steps.

Karpenter Spot Storm Fallback Gap: The Production Loop Nobody Talks About

Karpenter will happily keep retrying spot capacity that is never coming back, leaving pods pending for hours. Walk through the production loop and the config tweak that actually triggers on-demand fallback.

Running Your First Chaos Engineering Experiment with Litmus

A hands-on walkthrough of installing LitmusChaos on Kubernetes, writing a hypothesis, and killing pods on purpose to see what your alerts actually catch. Great weekend project for anyone new to chaos engineering.

Cilium 1.19 ClusterMesh Policy Flip: The Silent Default That Will Drop Your Cross-Cluster Traffic

Cilium 1.19 quietly changed how policies without a cluster selector resolve across ClusterMesh, and east/west traffic can drop without warning. Check this before you upgrade.

News Digests

DevOps Weekly Digest - Week 21, 2026

This week's curated digest of what shipped across Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security. The fastest way to catch up if you only have five minutes.

Comparisons

CircleCI vs GitHub Actions

CircleCI vs GitHub Actions, head to head on config flexibility, pricing, runners, and ecosystem. Helpful if you are picking a CI for a new project or thinking about a migration.

HashiCorp Vault vs AWS Secrets Manager

HashiCorp Vault vs AWS Secrets Manager broken down by features, pricing, operational overhead, and the workloads each one actually fits best.

Checklists

How to Build an Effective On-Call Rotation and Escalation Policy

A practical checklist for putting together an on-call rotation that does not burn out your team, with concrete steps for schedules, escalation, and noise reduction.

Running Your First Chaos Engineering Experiment with Litmus

Step-by-step guide to installing Litmus on Kubernetes and running your first controlled failure experiment, starting from a written hypothesis instead of vibes.

CI/CD Pipeline Setup Checklist

Everything a production-ready CI/CD pipeline needs in one checklist: source control hygiene, builds, tests, security gates, and rollout. Use it to audit your current setup.

Guides

Introduction to Git

A 10-part guide to Git covering repos, branching, merging, remotes, and team workflows. Great to share with anyone on your team who is still copy-pasting commands they do not fully trust.

Quizzes

On-Call Rotation and Escalation Policy Quiz

Put your on-call design skills to the test with scenarios on rotations, escalation, and alerting strategies. See if your gut instinct matches what experienced SREs would do.

Flashcards

Docker Essentials

Quick-hit flashcards on Docker fundamentals: images vs containers, layers, volumes, networks, and build cache. Good for a 10-minute brush-up before an interview or a code review.

On-Call Rotations and Escalation Policies

Bite-sized cards on designing on-call rotations, building escalation paths, and cutting down alert fatigue. Pair these with the checklist below.

Designing Rate Limiting for APIs

Token bucket, leaky bucket, fixed window, sliding window - the four rate limiting algorithms every API engineer should know cold, with the patterns to ship them.

Featured Games

Git Command Quiz

Interactive Git scenarios covering branches, merges, rebases, and the conflict situations that always seem to come up at the worst time. See how many you can solve without reaching for Stack Overflow.

DNS Resolution Simulator

Step through a DNS lookup visually and watch resolvers, root servers, and authoritative nameservers do their thing. A fun way to finally make DNS click.

---

Happy learning, The DevOps Daily Team