Someone collected 3,600 Google API keys, pointed an AI at them, and Google paid out $500,000. The payout isn’t the interesting part. It’s how many of those keys should never have worked at all.

A separate group gained access to high-profile Instagram accounts this week without writing a single exploit. They just asked Meta AI for access. It said yes.

And while two companies were learning what their AI would hand to a stranger, AWS shipped one agent that reads your bill and another that diagnoses your EKS nodes before you’ve finished reading the alert.

Notice the pattern. The more we wire agents into internal tools, the more of them reach for things nobody actually gave them permission to touch, and most of those connections have no auth and no record of who asked. That’s the gap Zuplo’s MCP Gateway closes.

In the tutorials: why a plain web page can turn ChatGPT’s own output into a phishing link, how to let Terraform auto-apply without losing sleep, and the reason your Claude Code security review keeps missing the bug in the same session you wrote it.

On video: Anthropic spent a year warning everyone about AI, then shipped Fable 5. Plus real lessons from engineering teams shipping on Claude.

Then seven devtools worth a look, including a server monitor, a self-hosted Postgres with instant branching, and an AI agent that runs entirely off a USB stick.

Your MCP servers have no security. Fix that

AI agents are connecting to your internal tools, and most MCP servers ship with no auth and no audit trail. Zuplo's MCP Gateway puts OAuth, structured audit logs, and centralized access control in front of them - Lock it down.

Newsworthy stories

• Hacking Google with AI for $500,000

• AWS fired the one employee who gave a damn

• Announcing the public preview of AWS FinOps Agent

• Hackers simply asked Meta AI for access to high-profile Instagram accounts

• Scaling Zero Copy from 1 trillion to 120 trillion rows with file federation

• How CockroachDB built vector indexing at scale

Tutorials of the week

• The architecture of a file tree that never freezes

• Safe Terraform auto-apply with conftest

• Your infrastructure repo is a mess (here’s how to fix it)

• Diagnose EKS Node issues faster with AWS DevOps Agent

• Lessons from building Claude Code: how we use skills

• ChatGPT markdown rendering vulnerability

• Hosting coding agents on Amazon Bedrock AgentCore

• EXPLAIN prettier, or post-processing query plans in Postgres

• Hidden gaps in Claude Code security reviews

• How to avoid rebuilding infrastructure for every new project

Videos of the week

Projects of the week

• Tabularis runs SQL notebooks, visual EXPLAIN plans, and an MCP server against Postgres, MySQL, and SQLite.

• Beszel monitors CPU, memory, disk, network, GPU, and Docker stats with alerts and history.

• doco-cd auto-deploys your Docker Compose projects and Swarm stacks straight from Git via webhooks.

• NeonD gives self-hosted Postgres instant branching, S3 durability, and point-in-time recovery.

• HelixDB stores both graph and vector data in a single OLTP engine for AI apps.

• Hermes-USB-Portable runs a self-contained AI agent off a USB drive with zero host dependencies.

Meme of the week