
Ship It Weekly - DevOps, SRE, Platform and Cloud Engineering News

Teller's Tech - DevOps, SRE and Cloud Podcast

Amazon Q CVEs, Hijacked npm and Go Packages, AWS WAF HTTP/2 Issues, Lambda MicroVMs, and Why Execution Is the Boundary Now

JUL 3, 2026 | 18 MIN

Description

<p>This week on <strong>Ship It Weekly</strong>: Amazon Q Developer and the AWS language servers had a pair of trust-boundary CVEs, JFrog found hijacked npm and Go packages using hidden VS Code tasks to run malware when a workspace opens, AWS WAF had HTTP/2 request-body inspection issues, and AWS introduced Lambda MicroVMs for running user-generated and AI-generated code in isolated sandboxes.</p><p>The bigger theme: execution is the boundary now. The repo, the IDE, the AI assistant, the WAF, and the sandbox all sit at the point where something gets to run, inspect, block, or decide. Before execution, trust is a policy. After execution, trust is a blast radius.</p><p>In the lightning round, Brian covers GitHub’s record advisory volume, Git 2.55, Valkey 9.1 on Amazon ElastiCache, and a quick Fable 5 callback now that Anthropic’s Fable 5 is back online.</p><p><strong>Links</strong></p><p>AWS security bulletin: Amazon Q / AWS language server CVEs <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-047-aws/">https://aws.amazon.com/security/security-bulletins/2026-047-aws/</a></p><p>JFrog: Hijacked npm packages using VS Code tasks <a target="_blank" rel="noopener noreferrer nofollow" href="https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/">https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/</a></p><p>AWS security bulletin: AWS WAF HTTP/2 inspection issues <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/security/security-bulletins/2026-048-aws/">https://aws.amazon.com/security/security-bulletins/2026-048-aws/</a></p><p>AWS Lambda MicroVMs <a target="_blank" rel="noopener noreferrer nofollow" 
href="https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/">https://aws.amazon.com/blogs/aws/run-isolated-sandboxes-with-full-lifecycle-control-aws-lambda-introduces-microvms/</a></p><p>GitHub Advisory Database record volume <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/">https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/</a></p><p>Git 2.55 highlights <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/open-source/git/highlights-from-git-2-55/">https://github.blog/open-source/git/highlights-from-git-2-55/</a></p><p>Amazon ElastiCache Valkey 9.1 <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/database/announcing-valkey-9-1-for-amazon-elasticache/">https://aws.amazon.com/blogs/database/announcing-valkey-9-1-for-amazon-elasticache/</a></p><p>Claude Fable 5 and Mythos 5 model docs <a target="_blank" rel="noopener noreferrer nofollow" href="https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5">https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5</a></p><p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief-news/2026-W27/">https://www.tellerstech.com/on-call-brief-news/2026-W27/</a></p><p>More episodes and full show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>