This episode of Ship It Weekly is about the developer toolchain becoming part of production. Brian covers GitHub’s critical git push RCE, AI-assisted reverse engineering, prompt injection against AI agents in GitHub workflows, Elementary’s malicious CLI release, GitHub’s merge queue regression, Cal.com going closed source, and Copilot moving toward usage-based billing. Plus: MinIO’s repo archive, Ghostty leaving GitHub, Docker Hardened Images, and Azure DevOps security updates.

Links

GitHub git push RCE https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/

AI-assisted reverse engineering https://www.darkreading.com/application-security/reverse-engineering-ai-unearths-high-severity-github-bug

AI agents + GitHub Actions prompt injection https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/

Elementary malicious CLI release https://www.elementary-data.com/post/security-incident-report-malicious-release-of-elementary-oss-python-cli-v0-23-3

GitHub merge queue regression https://github.blog/news-insights/company-news/an-update-on-github-availability/

Cal.com going closed source https://cal.com/blog/cal-com-goes-closed-source-why

GitHub Copilot billing https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/

MinIO archived repo https://github.com/minio/minio

Ghostty leaving GitHub https://mitchellh.com/writing/ghostty-leaving-github

Docker Hardened Images https://www.docker.com/blog/why-we-chose-the-harder-path-docker-hardened-images-one-year-later/

Azure DevOps security updates https://devblogs.microsoft.com/devops/one-click-security-scanning-and-org-wide-alert-triage-come-to-advanced-security/

On Call Brief https://oncallbrief.com/

More episodes https://shipitweekly.fm/