DevOps Pulse

The Shai-Hulud 2.0 supply chain worm exposed 33,185 secrets across 20,649 GitHub repositories with 3,760 credentials still valid days after discovery, while GitGuardian reports AI-service credential leaks surging 81% YoY to 29 million total secrets on public GitHub. Cohesity launched DSPM and a Gaia AI Catalog with Model Context Protocol access to governed backup data, and Commvault debuts its ResOps identity resilience platform at RSAC 2026 this week — both converging directly on Veeam Data Command Center's backup+security+AI positioning. DryRun Security found AI coding agents introduce vulnerabilities in 87% of pull requests while 30+ MCP CVEs were filed in 60 days, confirming that AI-generated code and agentic tool infrastructure are now critical attack surfaces requiring backup and rollback capabilities. PM team should prioritize competitive response to Cohesity and Commvault's RSAC announcements and accelerate code integrity verification features for AI-authored commits.

Signals: 26 · Sections: 5/5 · Threats: 7 · Fresh: 0 · Updated: 100d ago

DevOps Platform Updates


Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

Azure DevOps Retires Global PATs; New Creation Blocked March 15

Azure DevOps Sprint 270 announced retirement of Global Personal Access Tokens (PATs), which grant overly broad cross-organization access contrary to modern security best practices. As of March 15, 2026, creation and regeneration of global PATs are blocked; all existing tokens will be fully decommissioned on December 1, 2026. Any Veeam connector, backup automation, or CI/CD integration relying on global PATs must migrate immediately to organization-scoped PATs or Microsoft Entra-based authentication to avoid disruption.

azure-devops · Microsoft Learn — Azure DevOps Release Notes · 15 Mar

Atlassian March 2026 Security Bulletin: Jira and Confluence DC Flaws

Atlassian's March 17, 2026 security bulletin discloses multiple vulnerabilities in self-hosted Jira Data Center and Confluence Data Center, including high-severity path traversal, file overwrite, and denial-of-service flaws. Atlassian-hosted cloud products are unaffected, but all self-managed installations must apply the published fixed versions immediately. The path traversal and file overwrite issues are especially relevant for data protection teams, as they could allow unauthorized access to or manipulation of repository artifacts stored on-premises.

jira · Atlassian Support — Security Bulletin · 17 Mar

GitLab Patch Release 18.9.2, 18.8.6, 18.7.6 Fixes CE/EE Vulnerabilities

GitLab issued a security advisory on March 11, 2026 releasing patches for CE and EE across all supported version tracks, covering versions prior to 18.9.2, 18.8.6, and 18.7.6; the advisory was independently flagged by multiple national CERTs including Canada's CCCS. GitLab.com and Dedicated instances are already running the patched code, but all self-managed installations must upgrade immediately. Self-managed GitLab — the most common target for enterprise backup tools — carries the full risk until patched.

gitlab · GitLab Releases · 11 Mar

GitHub REST API Version 2026-03-10 Released with Breaking Changes

GitHub released a new calendar-versioned REST API dated 2026-03-10 on March 12, 2026, advancing its calendar-based versioning model introduced to give integrators structured guidance on upgrades. Integrators must update the X-GitHub-Api-Version request header and review the documented breaking changes for this version before adoption. Veeam GitHub integrations and backup tooling calling GitHub REST endpoints should audit affected endpoints now, as older API versions will eventually be sunset.

github · GitHub Changelog · 12 Mar