<p>This episode of <strong>Ship It Weekly</strong> is about the developer toolchain becoming part of production. Brian covers GitHub’s critical git push RCE, AI-assisted reverse engineering, prompt injection against AI agents in GitHub workflows, Elementary’s malicious CLI release, GitHub’s merge queue regression, Cal.com going closed source, and Copilot moving toward usage-based billing. Plus: MinIO’s repo archive, Ghostty leaving GitHub, Docker Hardened Images, and Azure DevOps security updates.</p><p><strong>Links</strong></p><p>GitHub git push RCE <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/">https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/</a></p><p>AI-assisted reverse engineering <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.darkreading.com/application-security/reverse-engineering-ai-unearths-high-severity-github-bug">https://www.darkreading.com/application-security/reverse-engineering-ai-unearths-high-severity-github-bug</a></p><p>AI agents + GitHub Actions prompt injection <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/">https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/</a></p><p>Elementary malicious CLI release <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3">https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3</a></p><p>GitHub merge queue regression <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/news-insights/company-news/an-update-on-github-availability/">https://github.blog/news-insights/company-news/an-update-on-github-availability/</a></p><p><a target="_blank" rel="noopener noreferrer nofollow" href="http://Cal.com">Cal.com</a> going closed source <a target="_blank" rel="noopener noreferrer nofollow" href="https://cal.com/blog/cal-com-goes-closed-source-why">https://cal.com/blog/cal-com-goes-closed-source-why</a></p><p>GitHub Copilot billing <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/">https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/</a></p><p>MinIO archived repo <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/minio/minio">https://github.com/minio/minio</a></p><p>Ghostty leaving GitHub <a target="_blank" rel="noopener noreferrer nofollow" href="https://mitchellh.com/writing/ghostty-leaving-github">https://mitchellh.com/writing/ghostty-leaving-github</a></p><p>Docker Hardened Images <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.docker.com/blog/why-we-chose-the-harder-path-docker-hardened-images-one-year-later/">https://www.docker.com/blog/why-we-chose-the-harder-path-docker-hardened-images-one-year-later/</a></p><p>Azure DevOps security updates <a target="_blank" rel="noopener noreferrer nofollow" href="https://devblogs.microsoft.com/devops/one-click-security-scanning-and-org-wide-alert-triage-come-to-advanced-security/">https://devblogs.microsoft.com/devops/one-click-security-scanning-and-org-wide-alert-triage-come-to-advanced-security/</a></p><p>On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com/">https://oncallbrief.com/</a></p><p>More episodes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>