Cloud Native Digest - June 2026

The Cloud-Native Digest is a monthly roundup on all things cloud native, artifact management, and supply chain security from Cloudsmith's Head of Developer Relations, Nigel Douglas.

June has been an exciting month for software devs. We’ve witnessed mind-boggling consolidation in the AI space (SpaceX buying Cursor for a casual $60B?!), major security overhauls coming to npm and Packagist, and, sadly, more of the same AI-fuelled supply chain worms like Miasma (Shai-Hulud) still targeting dev environments.

As malicious payloads get faster and smarter, the industry is fighting back with coordinated, ecosystem-wide infrastructure defences like the Akrites and Athena coalitions. The line between writing code and defending it has officially vanished. Shared tooling like Scrutineer and Nvidia’s Skillspector are helping devs address the security burdens introduced by AI.

You’ll want to grab a coffee, there’s a lot to unpack in this month’s newsletter.

Enjoying the updates? See where your own defences stand with our Free Artifact Security Maturity Assessment at the bottom of this edition!

Supply Chain Security in June

Safer pull request target defaults for GitHub Actions checkout
Date:
18th June

GitHub is updating actions/checkout (starting with v7 and backporting to existing major versions on July 16th) to automatically block insecure checkout patterns from fork pull requests during the highly privileged pull_request_target and workflow_run events. This change directly addresses dangerous "pwn request" vulns, where unreviewed code from forks could otherwise execute with full access to your repository's secrets and tokens. Same-repo PRs are unaffected, and an explicit allow-unsafe-pr-checkout escape hatch exists for workflows that genuinely require this behaviour, but devs are still urged to review their workflows, since workflows pinned to floating tags will automatically inherit this strict security enforcement.

Source: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout
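As an added illustration (not from the GitHub changelog), the checkout pattern this change targets beside a safer shape for the same job; the workflow names and the npm steps are assumptions:

```yaml
# Added example, not from the GitHub post. Workflow names and steps are assumptions.

# Risky "pwn request" shape: a privileged trigger combined with checking out and
# executing the fork's own code, so its install/test scripts run with this
# repository's secrets and a write-capable token.
name: ci-risky
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled revision
      - run: npm ci && npm test                            # runs the fork's scripts
---
# Safer shape: build and test fork PRs under the unprivileged pull_request
# trigger, which gives forks a read-only token and no repository secrets.
name: ci-safer
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR merge ref, still with no secrets exposed
      - run: npm ci && npm test
```

Per the changelog summarised above, the first shape is what actions/checkout v7 refuses by default; only workflows that set the explicit allow-unsafe-pr-checkout opt-in keep the old behaviour.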



Inside the Mastra npm supply chain attack
Date:
17th June

The popular Mastra AI development framework was compromised by attackers who used a former contributor's hijacked npm credentials to inject a malicious dependency (easy-day-js) across 144 ecosystem packages. The attackers used a typosquatted clone and an obfuscated postinstall script to deploy a highly evasive, self-deleting payload that bypassed traditional detection and exploited unenforced npm provenance policies.

Source: https://cloudsmith.com/blog/inside-the-mastra-npm-supply-chain-attack



Shai-Hulud copycat campaign targets Python devs
Date:
9th June

The security researchers at GitLab discovered a malicious PyPI supply chain campaign by the account elitexp that deployed the open-source Shai-Hulud worm against Python developers. The attack used 4 typosquatted packages impersonating popular libraries (Flask, Requests, and NumPy) alongside a weaponised legitimate project, mflux-streamlit, executing a stealthy, obfuscated JavaScript payload automatically at install time via Python's .pth file mechanism. Once active, the self-propagating worm harvests credentials across all major cloud providers and CI/CD platforms, while automatically injecting malicious files into accessible repositories and publishing poisoned updates to expand its reach.

Source: https://about.gitlab.com/blog/shai-hulud-copycat-campaign-targets-python-developers



The Miasma worm's path of destruction
Date:
8th June

This self-replicating malware strain, rooted in the TeamPCP threat group, has triggered a massive open-source supply chain disaster by infiltrating Red Hat's npm namespace and compromising 73 Microsoft GitHub repositories (including core Azure and Durable Task tools). By hijacking legitimate dev credentials to acquire OIDC tokens and valid SLSA provenance attestations, the worm routinely bypassed conventional security scanners, and it used uniquely encrypted payloads to evade hash-based detection. Designed to weaponise popular AI coding tools like Claude Code, Miasma automatically executed when infected repos were opened, specifically targeting dev endpoints and CI/CD runners to scrape high-value cloud identities and registry credentials.

Source: https://cloudsmith.com/blog/miasma-worms-path-of-destruction


PHP

Blocking malware for every Composer version inside Packagist
Source:
Packagist Blog

To address PHP security gaps where devs or CI systems use older Composer versions (pre-2.10, for example) or have manually disabled malware policies, Private Packagist has introduced repo-level malware blocking. By integrating directly with Aikido's continuous malware feed, Private Packagist now automatically refuses to serve dist/artifact files for flagged packages, returning an HTTP 410 error to any client regardless of its Composer version.

The quiet shift reshaping PHP security
Source:
Matthew Weier O'Phinney (LinkedIn)

In 2026, PHP security is shifting from a fragmented, reactive approach to a highly coordinated, ecosystem-wide responsibility. Driven by AI initiatives like Project Glasswing and the newly formed PHP Ecosystem Security Team, vulnerabilities are being identified and patched faster than ever. Infra-level risks and supply chain threats are being aggressively countered by centralised security updates in tools like Composer and Packagist, which now enforce MFA and block known vulnerable packages by default. However, a significant gap remains for dev teams.

One Month of Ecosystem Security Engineering
Source:
The PHP Foundation

One month after receiving an Alpha-Omega grant and establishing the PHP Foundation's new Ecosystem Security Team (mentioned earlier), the foundation is now using a collaborative, AI-powered security scanner called Scrutineer to scan open-source repositories, find vulnerabilities, verify them, draft a fix, and even publish the advisory. The initiative has already scanned over 300 major PHP packages and frameworks, leading to nearly a hundred public security fixes. Backed by highly positive community feedback and a growing team of volunteers, the project intends to scan another 250 projects next month while shifting focus toward deeper analyses of core PHP and its extensions.

VibePHP: A PHP engine that runs on vibes, not code
Source:
@mnapoli (Github)

VibePHP is a satirical, next-gen PHP runtime and web server built on Laravel and AI that completely replaces standard interpreters and compilers with LLM inference. When an HTTP request comes in, the AI reads the PHP source code, executes it "in its head". It then completely hallucinates plausible HTTP responses, databases, and missing functions on the fly, making non-existent syntax like generics and inline Go/Rust magically "just work". While it introduces a massive 7-second latency and costs a staggering $0.0063 per request, it totally justifies this by boosting perceived value by 700,000%.

JavaScript

Upcoming breaking changes for npm v12
Source:
Github Blog

The upcoming July 2026 npm v12 release will introduce stricter security-related default behaviours for npm install by making previously automatic actions opt-in. Specifically, it will block dependency installation scripts by default (allowScripts turns off), restrict git dependency resolution (--allow-git), and block remote URL dependencies (--allow-remote) unless explicitly allowed by the user. Devs can prepare for this upgrade now by using npm 11.16.0 or newer to view warnings. You can also run npm approve-scripts --allow-scripts-pending to audit package scripts, and commit the approved allowlist directly to your package.json.


FastAPI can now serve your frontend app
Source:
Tiangolo Docs

FastAPI version 0.138.0 now has support for client-side routing. This is especially useful for frontend tools that generate static files, like React with Vite, TanStack Router, Astro, Vue, Svelte, Angular, Solid, and others. Instead of building the frontend into a directory like ./dist/ that contains all of your frontend files and serving it yourself, you can now use app.frontend() to serve that directory following the conventions the frontend frameworks expect.


Messenger - free browser game built using WebGL and Three.js
Source:
Messenger

Messenger is a free-to-play browser game crafted by developers Vicente Lucendo and Michael Sungaila. Built entirely on JavaScript via WebGL and Three.js, it delivers a rich 3D experience directly in the browser without requiring heavy game engines like Unity or any client-side downloads. By combining asset pipelines from Houdini and Blender with a custom live multiplayer framework, the devs allowed players to seamlessly explore the globe together and interact via dynamic 3D emojis.


Malicious npm packages are deploying Windows RAT malware
Source:
RedSecureTech

Researchers discovered a malicious typosquatting campaign on npm in which three packages (aes-decode-runner-pro, postcss-minify-selector, and postcss-minify-selector-parser) masquerade as legitimate dev tools to deliver a full-featured Windows Remote Access Trojan (RAT). When installed, the JS dropper triggers a PowerShell script that downloads a ZIP archive containing a Python-based payload. The RAT can steal Chrome creds, gather host info, and execute shell commands via a dedicated C2 server.



Rust

rtk - Rust CLI cuts coding agent token usage by 60-90%
Source:
rtk-ai (Github)

Want to slash your coding agent's token bills by up to 90%? RTK makes it happen by acting as a smart filter between your terminal and your LLM. Instead of dumping hundreds of lines of Git logs, test results, or Docker outputs into the context window, it strips out the noise and passes along only the critical data. Built as a single, memory-safe Rust binary with zero dependencies, it operates with a barely noticeable 10ms overhead. Don't worry about missing context either. If a command fails, the full output is saved locally for your agent to grab later.

Launching the Rust Foundation Maintainers Fund
Source:
Rust Blog

The Rust Project and the Rust Foundation have launched the Rust Foundation Maintainers Fund alongside a new Funding team to secure stable, long-term financial support for the project's maintainers. A core initiative of this fund is the Maintainer in Residence program, which will hire maintainers (typically near full-time) to focus on critical areas like the compiler, standard library, and Cargo. This centralised fund, which is open to both individual and corporate donations via GitHub Sponsors, aims to counter the recent industry budget shifts that have caused key contributors to lose funding, ensuring the long-term health and development of Rust as its industry adoption grows.

Launching the Rust Commercial Network (RCN)
Source:
rust-lang.zulipchat[.com]

RCN is a free, collaborative initiative launched by the Rust Foundation to connect teams using Rust in production with the language's core developers. By hosting monthly meetings under the Chatham House Rule and maintaining public Zulip chat channels, the network aims to bridge the gap between industrial users and maintainers, allowing companies to share best practices, solve common challenges, and drive corporate funding. Managed by a dedicated steering committee and backed by numerous founding orgs, the RCN focuses on accelerating widespread adoption, supporting small to mid-sized businesses, and securing the long-term sustainability of the Rust ecosystem.

Why stdx is not on crates
Source:
Sylvain Kerkour

The author thanks the community for supporting stdx, an extended standard library for Rust, and addresses why the project is distributed exclusively via Git rather than crates.io. He argues that centralised package registries are fundamentally flawed and insecure, introducing critical supply chain vulnerabilities like name-squatting, credential theft, and hidden backdoors. The author advocates for a secure-by-design architecture modelled after Go, where package managers pull code directly from signed Git repositories rather than relying on a centralised middleman. Ultimately, by bypassing crates.io, the author hopes to spark a shift in the Rust ecosystem toward simpler, more secure dependency distribution.


Rust backdoor turns prompt injection on the analyst, not the sandbox
Source:
SentinelOne

SentinelOne researchers analysed macOS.Gaslight, a DPRK-aligned Rust implant that gaslights the AI reading its output. Embedded inside a tiny prompt-injection payload binary are 38 fabricated system messages built to steer an LLM-assisted triage pipeline into aborting or refusing its analysis: fake token expiries, out-of-memory kills, disk exhaustion, and bogus injection warnings. Initially the sample had 0/61 detections on VirusTotal. The macOS.Gaslight backdoor spoofs the triage harness's own prompt scaffold, which blurs the security boundaries between analysed data and the analyst's instructions.



Python

Python 3.15.0 beta 2 is here!
Source:
Python Blog

Released on June 23rd, Python 3.15.0's third beta is the third of four planned preview releases designed for community testing and project preparation ahead of the official release candidate phase in August. While not recommended for production environments, this feature-complete preview introduces significant upgrades, including explicit lazy imports for faster startup, a new frozendict built-in type, UTF-8 as the default encoding, and an upgraded JIT compiler boasting substantial performance improvements on both Linux and macOS.

Pywho is a great tool for explaining your Python environment
Source:
AhsanSheraz (Github)

The pywho tool is a zero-dependency, cross-platform CLI & Python API designed to instantly diagnose Python environment configs and import issues. It eliminates the "works on my machine" debugging bottleneck we’re all so familiar with. By generating a comprehensive report of the active interpreter, virtual environment, and sys.path, its primary benefit is the import tracing where it details exactly how and where a module is loaded. It also offers shadow scanning, which audits projects for local files that accidentally override standard library or third-party packages.

Hunting Leaked PyPI Tokens: 62 Live, 125 Packages Exposed
Source:
GitGuardian

GitGuardian discovered 62 valid PyPI tokens leaking publicly on GitHub and Docker Hub, exposing 125 packages with a combined 25,000 monthly downloads to potential supply chain attacks. By decoding the macaroon API token restrictions and safely verifying their validity via broken API requests, the researchers bypassed expected automated GitHub scanning protections to find these active vulnerabilities. Following a responsible disclosure, the PyPI security team successfully revoked all 62 tokens and implemented new admin tooling to streamline future disclosures, highlighting the critical need for developers to scan for secrets, use project-scoped tokens, and properly configure .gitignore files.
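As an added example (not GitGuardian's tooling), a small pre-commit style scan that flags PyPI API tokens in files about to be committed and reports whether .gitignore would have kept each file out of the repo; the sample files and the token bodies are constructed.

```python
"""Added example, not GitGuardian's tooling: flag PyPI API tokens in files staged
for commit and check whether .gitignore covers the file. Sample data is constructed."""
import fnmatch
import re
from typing import Dict, List

# pypi.org tokens are serialised macaroons prefixed with "pypi-". The macaroon's
# first bytes are the version byte (0x02), the location field tag (0x01), its
# length (0x08) and "pypi.org"; base64 of those 11 bytes always starts with
# "AgEIcHlwaS5vcmc", so a scanner can match the prefix without decoding anything.
PYPI_TOKEN_RE = re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{20,}")


def redact(token: str) -> str:
    """Keep only the public prefix so a finding can be reported without leaking the secret."""
    return token[:24] + "...[redacted]"


def gitignore_covers(gitignore: str, path: str) -> bool:
    """Rough .gitignore check: match the path or its basename against each pattern."""
    patterns = [p.strip() for p in gitignore.splitlines() if p.strip() and not p.startswith("#")]
    basename = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(basename, p) or fnmatch.fnmatch(path, p) for p in patterns)


def scan_files(files: Dict[str, str], gitignore: str = "") -> List[dict]:
    """One finding per token occurrence: path, line, redacted token, ignore status."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in PYPI_TOKEN_RE.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "token": redact(match.group(0)),
                    "ignored": gitignore_covers(gitignore, path),
                })
    return findings


# Constructed sample: only the public prefix is real, the token body is fake.
FAKE_TOKEN = "pypi-AgEIcHlwaS5vcmc" + "CONSTRUCTED_NOT_A_REAL_TOKEN_0123456789abcdef"
SAMPLE_FILES = {
    ".pypirc": "[pypi]\nusername = __token__\npassword = " + FAKE_TOKEN + "\n",
    "Dockerfile": "FROM python:3.12\nENV TWINE_PASSWORD=" + FAKE_TOKEN + "\n",
    "README.md": "Publish with `twine upload dist/*` using a project-scoped token.\n",
}
SAMPLE_GITIGNORE = "# local secrets\n.pypirc\n*.env\n"


def report(files: Dict[str, str] = SAMPLE_FILES, gitignore: str = SAMPLE_GITIGNORE) -> List[str]:
    """Human-readable lines; a real hook would exit non-zero on any non-ignored finding."""
    lines = []
    for f in scan_files(files, gitignore):
        status = "ignored by .gitignore" if f["ignored"] else "WOULD BE COMMITTED"
        lines.append(f"{f['path']}:{f['line']}: {f['token']} ({status})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The Dockerfile finding is the interesting one: the .pypirc is covered by .gitignore, but a token baked into an image layer reaches Docker Hub exactly as the article describes.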

Python flaw allowed attackers to forge Admin-Level API requests
Source:
CyberSecurityNews

A critical authentication bypass flaw (that has since been mitigated) within the python.org release management API went undetected for over a decade. It allowed attackers to impersonate admins by pairing a valid username with an arbitrary API key. If exploited, attackers could have altered official download and signature verification URLs to orchestrate massive global supply chain attacks, though they could not directly modify the source binaries. The Python Security Response Team (PSRT) quickly patched the vulnerability within 48 hours of its disclosure, and subsequent forensic audits confirmed no evidence of exploitation.

Kubernetes

Understanding the transition from K8s Dashboard to Headlamp
Source:
Kubernetes Blog

Following the archiving of the Kubernetes Dashboard, Headlamp has emerged as its modern successor. Headlamp preserves some of the familiar visual workflows, resource views, and even RBAC-compliant editing. However, it expands on those capabilities beyond the traditional, single-cluster view. Headlamp introduces multi-cluster management, application-centric Projects, and extensibility through community or custom plugins (such as GitOps and AI assistants). Headlamp offers flexible deployment options as both an in-cluster tool and as a desktop app.

Kubernetes finally has User Namespace support
Source:
Edera

While Kubernetes v1.36’s general availability of user namespace support (hostUsers: false) successfully mitigates certain container escapes by remapping root users to unprivileged host UIDs, it fails to solve the critical shared kernel problem. In fact, granting namespaced capabilities actually increases the reachable host kernel attack surface by over 250%. This exposes vulnerable subsystems like nftables to unprivileged containers. As AI-assisted tools rapidly accelerate the discovery of exploitable kernel bugs that entirely bypass namespace protections, Kaylin argues that true multi-tenant isolation cannot be achieved at the UID layer.

Introducing Minimus Community Edition
Source:
Minimus

Minimus just opened its entire catalogue of secure container images to everyone, for free! The new Community Edition gives any developer hundreds of continuously built-from-source, near-zero CVE images, with no registration, auth wall, or procurement. FIPS, CIS, NIST SP 800-190, and STIG compliance come built in. These are the same images Minimus customers already run in production across finance, government, and healthcare.

Open source maintainership in the age of AI
Source:
Kubernetes Contributors

The rapid rise of AI-assisted coding has made generating code much faster, but it has also strained the maintenance of open-source projects. To address this, the Kubernetes community has introduced an AI policy that embraces these tools while enforcing strict human accountability. Kubernetes requires transparency, human-only engagement, and thorough manual verification. Additionally, the project is actively experimenting with automated AI review tools like GitHub Copilot and CodeRabbit to act as quality gates and reduce maintainer burnout, marking a mature step toward balancing technological innovation with human oversight.



AI/ML

SpaceX Buys Cursor In Largest Startup Acquisition Ever At $60 Billion
Source:
Forbes

In an all-stock deal valued at $60 billion, SpaceX has acquired Anysphere, the parent company of the AI coding tool Cursor, marking the largest venture-backed startup acquisition in history. Expected to close in the third quarter of 2026 following SpaceX’s recent $75 billion IPO, the deal integrates Cursor's advanced capabilities and vast developer user base with Elon Musk's xAI and Grok model.

Cursor quietly acquires Continue, an open-source alternative to Copilot
Source:
TheNewStack

In a quiet consolidation move, Cursor has acquired Continue, a popular open-source alternative to GitHub Copilot with over 34,000 GitHub stars. Following Cursor's recent acquisition by SpaceX, this deal came as a shock to users. Continue's proprietary services are winding down, and users have until July 15th to export their data. However, the founding team pushed a final 2.0.0 update removing telemetry and handed the codebase over to the community, allowing the open-source project to remain publicly available for future development under its Apache 2.0 license.

Fake AI agent skill passed all scans and reached 26,000 agents
Source:
Air Security

To demonstrate critical flaws in AI agent security, security firm AIR successfully deployed a deceptive AI skill that bypassed multiple security scanners, inherited 36,000 GitHub stars via a repository merge, and reached roughly 26,000 agents (including corporate accounts) through targeted Instagram ads. The skill slipped past scanners by initially linking to legitimate documentation on an external domain controlled by AIR, only to swap the destination for a data-collecting payload after passing review.

Nvidia “open-sourced one of the most important AI projects right now”
Source:
@akshay_pachaar (X)

NVIDIA has recently open-sourced SkillSpector on Github, a security scanner designed to protect users from malicious or vulnerable AI Skills. AI Skills are executable code packages that agents run to perform specific automated tasks, and SkillSpector scans them for security blind spots. Since these imported skills run with the same system access as the user, they pose severe security risks like credential harvesting, data leaks, and prompt injection, with research showing 1 in 4 public skills contain vulnerabilities.

Designing the hf CLI as an agent-optimised way to work with the Hub
Source:
Hugging Face

The Hugging Face team started rebuilding the hf CLI with AI agents in mind. The CLI now detects when an agent is using it and gives clean, token-efficient output, next-command hints, and more, all designed to minimise the number of tokens and steps an agent needs to get things done on the Hugging Face Hub. Hugging Face benchmarked it across 18 Hub tasks on Claude Code and Codex: without the hf CLI, using curl or the Python SDK took up to 6x as many tokens on complex tasks, and the CLI completed them more reliably.

Mellum2 Goes Open Source
Source:
JetBrains

JetBrains has open-sourced Mellum2, a 12B parameter, code- and text-specialised MoE model released under the Apache 2.0 license. Designed to eliminate production bottlenecks like latency and high costs, it only activates 2.5B parameters per token, cutting inference time in half compared to similar-sized models. Mellum2 acts as a fast, cost-effective focal model for software engineering workflows, and excels at routing, low-latency RAG pipelines, and sub-agent orchestration.


In other news

We all depend on open source. We will defend it together.
Source:
Akrites

Launched on June 25th, Akrites is the largest coordinated effort in history to secure the open-source software powering the world's critical infrastructure. While traditional vulnerability discovery used to take an expert weeks, AI can now find multiple serious flaws in mere minutes, rapidly outpacing the capacity of open-source maintainers. To prevent a flood of uncoordinated, duplicative reports from burying these maintainers, Akrites establishes a single, confidential, and trusted upstream clearinghouse to validate, remediate, and responsibly disclose vulnerabilities. The initiative commits real funding, engineering talent, and AI defense technologies to fix critical software at the source and accelerate downstream patch deployment before adversaries can exploit the code.

The Swift package registry has joined Apple
Source:
Swift Package Index

The Swift Package Index has joined Apple in order to build a comprehensive, robust package registry for the community. The platform, which recently surpassed 10,000 indexed packages and processes millions of compatibility builds across multiple platforms, will maintain its core vision and remain open source. For developers and package authors, the index will continue to operate as usual, while future collaborations between Apple engineers and the open-source community will focus on scaling the platform, and improving overall security capabilities.


CocoaPods - Sunsetting a Package Manager
Source:
Andrew Nesbitt

On December 2nd, the CocoaPods trunk will become permanently read-only, stopping new pod and version submissions due to maintainer shortages, the dominance of Apple's Swift Package Manager, and infrastructure security liabilities. To ensure existing dependencies continue resolving seamlessly, CocoaPods will offload its data to GitHub and jsDelivr, though this shift introduces long-term maintenance challenges for active libraries that can no longer push security patches to their canonical coordinates.

Introducing Package Proxy
Source:
Jacob Torrey (Thinkst)

To combat the rising threat of malicious software supply-chain attacks, Cloudflare has released Package Proxy, an open-source tool that intercepts metadata requests for popular package managers (npm, pip, uv, and cargo) to block dangerous dependencies. Operating as a network proxy via Cloudflare Workers rather than requiring complex client-side software wrappers, it automatically enforces inline safety policies, such as requiring packages to be at least 10 days old and verifying upload mechanisms, and then returns a 404 for any package failing inspection.


New CRAN Packages: signal or noise?
Source:
Joseph Rickert (R Works)

Joseph Rickert questions whether the rapid growth of new CRAN packages truly benefits the R community or if it is just noise. Spurred by the ease of modern software deployment, the monthly volume of submissions has exploded, mirroring a broader, Agentic AI-driven surge in low-utility digital apps. Rickert argues that most new packages fail to make a meaningful contribution, pointing out that many lack basic documentation like README files, vignettes, or even repository URLs, ultimately rendering them undiscoverable and ineffective for end users.

Athena coalition already shipped 2,000 patches across 500 projects
Source:
HelpNetSecurity

Athena is a newly launched industry coalition of over two dozen orgs (including Cisco, Cloudflare, and Docker) designed to pool, patch, and neutralise open source vulnerabilities under embargo before public disclosure. Driven by the rapid, AI-fuelled escalation of zero-day exploits, the group uses frontier AI programs (like OpenAI's Daybreak and Anthropic's Project Glasswing) to catch flaws that human reviewers and fuzzers miss. Already active with 2,000 patches across 500 projects, Athena provides members with early access to hardened builds while implementing internet-wide, platform-level mitigations to protect critical infrastructure that cannot patch quickly.

Microsoft announces Azure Container Apps Sandboxes (Preview)
Source:
Azure Container Apps

Agentic AI changes the rules. Your AI-generated code can't run next to your app; it has to be isolated in a safe, dedicated space. Azure Container Apps Sandboxes provide fast, hardware-isolated microVMs that agents can spin up on demand to safely execute untrusted code, persist state via snapshots, and scale to hundreds. This is the same underlying infra behind GitHub Copilot Sandboxes and Azure Foundry Hosted Agents, and it is now available as a public preview.

Free Artifact Security Maturity Assessment | Where does your supply chain security actually stand? Start assessment →
