Digest #183: GitHub Actions Exploit, Malicious MCP Server, Redis RCE, Scaling MySQL for 150M+ users
Orca Security exposes a GitHub Actions exploit letting forked PRs inject malicious code, Snyk finds a fake MCP server harvesting emails, Wiz reveals a critical Redis RCE bug + open source projects.
Welcome to this week’s edition of the DevOps Bulletin!
Orca Security exposed a new GitHub Actions exploit, letting forked PRs inject malicious code, while Snyk found a fake MCP server on npm stealing emails. Wiz uncovered a critical Redis RCE flaw affecting thousands of instances, and Flipkart shared how it built a highly available MySQL cluster for 150M+ users. Meanwhile, Facets argues that orchestration - not more AI - is what makes DevOps truly AI-ready.
On the hands-on side: building apps in Markdown, Terraforming with AI agents, and a deep dive into how DNS really works. Plus: securing MCP servers, automating observability with IaC, and the myths of running Node.js on Kubernetes.
And don’t miss the projects: SadServers (Linux troubleshooting labs), Spock (multi-master Postgres), InterceptSuite (traffic interception), FleetCode (multi-agent terminal), Jetski (MCP analytics), and Headscale (self-hosted Tailscale).
All this and more in this week’s DevOps Bulletin. Don’t miss out!
Newsworthy stories
AI in DevOps needs Orchestration
AI is finding its way into DevOps everywhere: copilots, auto-fixers, smarter CI. But if your infra lives in scattered scripts and configs, there’s nothing consistent for AI to build on. Facets unifies infra, CI/CD, and config into contracts, making your platform consistent, governed, and AI-ready. That’s why enterprises are turning to orchestration as their single control plane for change.
See how enterprises are adopting the orchestrator model
Tutorials of the week
Enjoying the Bulletin? Consider supporting it with a paid subscription. You’ll keep the free Friday issues and get extras like bonus deep-dives, templates, and the full archive.
Videos of the week
📘 New Book: Practical FinOps
This book is written from years of running FinOps at scale, covering what worked and what didn’t.
Projects of the week
SadServers provides fun, real-world challenges for engineers and powerful assessments for hiring teams. “Like LeetCode for Linux and DevOps”.
The Spock extension provides multi-master replication for PostgreSQL versions 15 and later.
InterceptSuite is a cross-platform network traffic interception tool engineered for comprehensive inspection, analysis, and manipulation at the network level.
This project automates the creation of a complete security lab environment for detection engineering and attack simulation.
A fully containerized and cloud-native implementation of the classic 2048 game.
Go programming for sysadmins, devops, and security engineers.
A desktop terminal application for running multiple CLI coding agents simultaneously, each in an isolated git worktree.
Jetski provides authentication, analytics, and prompt visibility for MCP servers with zero code changes.
Headscale is an open source, self-hosted implementation of the Tailscale control server.
Meme of the week
If you have feedback to share or are interested in sponsoring this newsletter, feel free to reach out via LinkedIn, or simply reply to this email.