Three things happened this week that should bother you more than they probably do.

You can delete a Google API key and it keeps authenticating. You can have your GitHub token stolen in a single click without installing anything shady. And the Kubernetes Dashboard you’ve leaned on for years is being shown the door, with a replacement most people haven’t tried yet.

None of these are edge cases. They’re the kind of quiet shifts that don’t make the front page until they’ve already cost someone a weekend. Below: what’s actually going on with each, the supply chain secrets sitting on your dev laptop right now, why your AI-written incident reviews keep getting the root cause wrong, and 8 tools worth a look before Friday.

Speaking of catching things early: this week’s sponsor, Mendral, flagged a supply chain attack two weeks before it went public. It’s built by Docker and Dagger veterans and already chews through 1.18B log lines a week at PostHog.

Platform engineering on autopilot

Mendral is an autonomous AI DevOps engineer that handles the work your engineers shouldn’t be doing manually anymore: supply chain security, flaky CI, slow builds, and anything else specific to your stack - Try it out!

Newsworthy stories

• From Kubernetes Dashboard to Headlamp

• Google API keys keep working after you delete them

• I read the viral “Leaving AWS” post twice. Most of it is a skill issue

• The problem with AI-generated post-incident reviews

• You shipped it fast. But did you ship it right?

• AI through IaC, not instead of it

Tutorials of the week

• 1-click GitHub token stealing via a VSCode bug

• From Jira to PR: how we built agent-driven pipelines for design system changes

• Build an EKS environment factory with Pulumi and vCluster

• Well-architected best practices for software supply chain security

• Migrating from Go to Rust

• Detecting and removing dangerous secrets on dev workstations before Shai-Hulud does

• Securing your Gemini and Google API keys

• Handling graphs with SQL/PGQ in PostgreSQL

Videos of the week

Projects of the week

• Git Concepts Simulator is a browser game that teaches Git by letting you run commands and watch files move between the working directory, staging area, and remotes.

• Bumblebee is a Go read-only scanner from Perplexity that inventories packages and extensions across 9+ ecosystems to flag known-compromised software.

• GitHub Desktop Plus is a community fork of GitHub Desktop, adding multi-account support, Git worktrees, and commit search.

• Sandboxes is a Go engine for self-hosted cloud dev environments with built-in AI agents and live preview URLs, running on Docker with no Kubernetes.

• Mercek is a local-first desktop IDE for Amazon ECS with multi-account discovery, ECS Exec shell access, and Fargate right-sizing, read-only by default.

• Paseo is a control plane for running multiple AI coding agents (Claude Code, Codex, Copilot) in parallel across mobile, desktop, and CLI, fully self-hosted.

Meme of the week