Digest #191: React Vulnerability, Massive npm Attack, Git 2.52, Lambda Arm Benchmarks and FinOps Dashboard
Serverless limits, leaked passwords, Git 2.52 upgrades, and Hotstar’s 60M-user infrastructure. A widespread npm backdoor campaign, critical React RCE, SQLite at 100k TPS, and Lambda Arm64 beating x86.
Welcome to this week’s edition of the DevOps Bulletin!
One team explained why they’re leaving serverless behind after hitting scaling and performance limits, security researchers warned users to stop pasting passwords into random tools after finding thousands of exposed credentials, and Git 2.52 shipped with notable quality-of-life improvements. Disney Hotstar shared how they scaled to 60M concurrent users. Meanwhile, SQLite proved it can still push 100k TPS, AWS Lambda on Arm outperformed x86, and React Server Components faced a critical RCE vulnerability.
On the hands-on side: building production-ready apps with ECS Express Mode, tracing North Korea–linked npm attacks, creating a cost-guardian with Terraform, safe network-scanning practices, and automating cross-region backups.
This week’s video breaks down how senior engineers at GitHub think about real-world system design, scaling decisions, and why simple architectures win more often than not.
Tools of the week include a self-hosted AI dev environment, a lightning-fast terminal editor, an AWS FinOps dashboard CLI, a lightweight tmux alternative, and a workflow-pinning utility for GitHub Actions.
All this and more in this week’s DevOps Bulletin, don’t miss out!
Newsworthy stories
How Disney Hotstar scaled its infrastructure for 60M concurrent users
100000 TPS over a billion rows: the unreasonable effectiveness of SQLite
If you use npm, take 60 seconds to read
There’s a major supply-chain attack spreading through the npm ecosystem. Hundreds of packages were backdoored, leading to the theft of secrets from tens of thousands of GitHub repositories.
The malware targets CI environments: it exfiltrates GitHub and npm tokens and cloud credentials, and can even deploy a persistent GitHub Actions runner in your org. And if you were unlucky and installed an affected package during the short window before takedown, your environment may have been exposed.
What to do now
Rotate your secrets: Even if the likelihood is low, treating this as a potential compromise is the safest path. Rotate GitHub, npm, CI credentials, and cloud keys.
Prevent future attacks: I highly suggest switching to pnpm if you’re using npm (it’s faster anyway!). Just make sure you’re on version 10+, which disables postinstall scripts. For additional protection, you can also follow their security guide.
Tutorials of the week
Build production-ready applications without infrastructure complexity using Amazon ECS
Inside the GitHub infrastructure powering North Korea’s contagious interview npm Attacks
A collection of tips every production PostgreSQL environment should have.
Enjoying the Bulletin? Consider supporting it with a paid subscription. You’ll keep the free Friday issues and get extras like bonus deep-dives, templates, and the full archive.
Videos of the week
📘 FinOps Tip of the Week
Rotate who checks cloud costs each week
Instead of leaving cost reviews to a single person, try rotating responsibility across teams. Each week, a different engineer or product owner spends 10 minutes reviewing the main cost dashboard and calling out anything unusual. This simple rotation builds awareness, spreads ownership, and often uncovers issues long before they become expensive.
If you want more hands-on tips like this, check out my latest book, “Practical FinOps”.
Projects of the week
A self-hosted AI development platform that gives you an isolated full-stack workspace where AI agents can build and update applications inside Docker containers.
A fast terminal text editor with a full menu system, plugin support, and zero lag.
A CLI tool that shows AWS cost and resource data in a single view and lets you export reports for FinOps work.
A small tool that keeps terminal sessions alive so you can detach and reattach without losing state, offering a lighter alternative to tmux.
A CLI to edit GitHub workflow and Composite action files, and pin versions of actions and reusable workflows.
Meme of the week
If you have feedback to share or are interested in sponsoring this newsletter, feel free to reach out via LinkedIn or simply reply to this email.