Welcome to this week’s edition of the DevOps Bulletin!

Researchers scanned 5.6 million GitLab repositories and uncovered thousands of live secrets, AWS finally added a way to spot idle NAT Gateways, and GitLab disclosed a widespread npm supply-chain attack spreading through malicious packages. Spotify shared how they process 1.4 trillion data points, Airbnb revealed their next-gen key-value store, and one engineer explained why they’ve stopped recommending Grafana.

On the hands-on side: building your own micro Linux distro, abusing AWS CLI aliases for persistence, NVIDIA’s practical LLM security advice, sweeping async tasks under Postgres, and a real-world framework that cut 40% of cloud spend.

This week’s video: a great walkthrough on Backstage Software Templates and how teams use them to scaffold real infrastructure (EKS + Terraform example).

Tools of the week include an LLM-powered code security reviewer, a domain monitoring dashboard, a backend-in-a-binary, multi-host Docker orchestration, a modern Git-compatible VCS, and a set of revived Linux apps that refused to die.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Newsworthy stories

• Scanning 5.6 million public GitLab repositories for secrets

• AWS finally lets you find your idle NAT Gateways

• Building a next-generation key-value store at Airbnb

• How Spotify built its data platform to understand 1.4 trillion data points

• GitLab discovers widespread npm supply chain attack

• Why we migrated from Terraspace to Terramate

• I can’t recommend Grafana anymore

Tutorials of the week

• Making a micro Linux distro

• Weaponizing the AWS CLI for persistence

• Practical LLM security advice from the NVIDIA AI red team

• Cloud run-rate down by 40%

• Terraform stacks: a deep-dive for Azure practitioners in Europe

• How to write a great agents.md

• Designing a scalable Serverless contact system with AWS and Terraform

• How/why to sweep async tasks under a Postgres table

• 11 of my favorite Linux apps that refused to stay dead

Videos of the week

📘 FinOps Tip of the Week

Make compliant infrastructure the easiest path

Teams rarely ignore standards on purpose. Most of the time, the compliant option takes more effort. You can flip that by giving people ready-to-use templates for common workloads. A good example is offering prebuilt Terraform, CloudFormation, or Backstage blueprints that already include the right tags, security settings, logging, and budget alerts.

If you want more hands-on tips like this, check out my latest book, “Practical FinOps”.

Projects of the week

• An AI tool that reviews code for security issues by using LLMs, context indexing, and language-specific plugins to spot subtle vulnerabilities across a codebase.

• A tool that centralizes all your domain names in one place, analyzes them, monitors them, and alerts you about changes or upcoming expirations.

• A lightweight open source backend that bundles a database, auth, file storage, realtime APIs, and an admin UI into a single Go executable.

• A lightweight tool for deploying and managing containerised applications across a network of Docker hosts.

• A Git compatible VCS that simplifies workflows by auto-committing the working copy, tracking every operation, and handling conflicts with a clean UX.

• A collection of concise study notes and practice exams designed to help learners prepare for the AWS Cloud Practitioner certification.

Meme of the week