PeopleSoft Zero-Day Exploited, npm v12 Install Script Changes, GitHub Agentic Tokens, Anthropic Model Risk, and Default Trust Breaking
JUN 19, 2026 · 22 MIN
Description
<p>This episode of <strong>Ship It Weekly</strong> is about default trust getting punished. Brian covers Oracle’s emergency PeopleSoft advisory for CVE-2026-35273, npm v12 changing install-script defaults, GitHub Agentic Workflows moving away from long-lived personal access tokens, and Anthropic disabling Fable 5 and Mythos 5 after a U.S. export-control directive. The common thread: legacy ERP systems, package installs, CI/CD agents, and AI models all become production risks when teams trust the default without checking what that trust can actually do.</p>
<p>In the lightning round, Brian covers Tekton CloudEvents moving to a dedicated events controller, NVIDIA Triton Inference Server 26.04 changing inference defaults, AWS Nitro Isolation Engine bringing formal verification to Graviton5-based isolation, and Homebrew 6.0 adding explicit trust for third-party taps. The bigger theme: production does not care why you trusted the default. It only cares what that default was allowed to do.</p>
<p><strong>Links</strong></p>
<p>Oracle PeopleSoft CVE-2026-35273 advisory <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.oracle.com/security-alerts/alert-cve-2026-35273.html">https://www.oracle.com/security-alerts/alert-cve-2026-35273.html</a></p>
<p>npm v12 breaking changes <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/">https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/</a></p>
<p>GitHub Agentic Workflows no longer need PATs <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/">https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/</a></p>
<p>Anthropic Fable 5 / Mythos 5 access statement <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.anthropic.com/news/fable-mythos-access">https://www.anthropic.com/news/fable-mythos-access</a></p>
<p>Tekton Pipelines releases <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.com/tektoncd/pipeline/releases">https://github.com/tektoncd/pipeline/releases</a></p>
<p>NVIDIA Triton Inference Server 26.04 release notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://docs.nvidia.com/deeplearning/triton-inference-server/release-notes/rel-26-04.html">https://docs.nvidia.com/deeplearning/triton-inference-server/release-notes/rel-26-04.html</a></p>
<p>AWS Nitro Isolation Engine <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/compute/aws-nitro-isolation-engine-formally-verifying-the-hypervisor-in-the-aws-nitro-system/">https://aws.amazon.com/blogs/compute/aws-nitro-isolation-engine-formally-verifying-the-hypervisor-in-the-aws-nitro-system/</a></p>
<p>Homebrew 6.0.0 <a target="_blank" rel="noopener noreferrer nofollow" href="https://brew.sh/2026/06/11/homebrew-6.0.0/">https://brew.sh/2026/06/11/homebrew-6.0.0/</a></p>
<p>This week’s On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief-news/2026-W25/">https://www.tellerstech.com/on-call-brief-news/2026-W25/</a></p>
<p>More episodes and show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>