DevOps Pulse

Microsoft disclosed CVE-2026-32211, a critical CVSS 9.1 authentication flaw in Azure DevOps MCP Server affecting AI agents, with no patch available. GitHub expanded AI-powered security detections and secret scanning to 37 new detectors while GitLab shipped AI false positive detection, escalating the AI security arms race. HYCU integrates Halcyon ransomware detection into R-Shield and GitProtect expands DevOps backup coverage, creating unified security and backup platforms that directly challenge Veeam's strategy. Reddit reveals ransomware now targets backup infrastructure in 150-VM attacks while AI bots systematically exploit GitHub Actions to steal secrets, validating backup-first threat models.

Signals: 33 · Sections: 5/5 · Threats: 7 · Fresh: 11 · Updated: 86d ago

DevOps Platform Updates

Scanned 87d ago · 7 items

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

CVE-2026-32211: Critical Azure DevOps MCP Server Vulnerability

Microsoft disclosed a critical CVSS 9.1 authentication flaw in the Azure DevOps MCP Server that allows unauthorized access to sensitive data including configuration details, API keys, and project data. The vulnerability affects AI agents using Azure DevOps through MCP. No patch is available yet, only mitigation guidance from Microsoft.

azure-devops · DEV Community · 4 Apr · NEW

GitHub Expands AI-Powered Security Detections

GitHub introduced AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks beyond traditional CodeQL static analysis. The feature complements existing tools and is designed for public preview in early Q2 2026 to surface vulnerabilities in areas difficult to support with traditional analysis.

github · GitHub Blog · 23 Mar · Recent

GitHub Secret Scanning in AI Coding Agents via MCP

GitHub enhanced secret scanning with 37 new detectors in March and extended protection to AI coding agents through MCP Server integration. The system can now scan code changes for exposed secrets before commits or pull requests in MCP-enabled environments, addressing security gaps as AI agents generate code autonomously.

github · DevOps.com · 2 Apr · Recent

GitHub Actions OIDC Custom Properties GA

GitHub Actions OpenID Connect tokens now include repository custom properties as claims in general availability. Previously in public preview, this enables more granular trust policies with cloud providers. The update also adds entrypoint/command overrides for service containers and Azure private networking failover features.

github · GitHub Changelog · 2 Apr · Recent

GitLab AI-Powered False Positive Detection for Security

GitLab introduced AI-powered false positive detection for secret scanning that analyzes findings before developers see them, identifying test credentials and placeholder secrets with confidence scores. The feature is separate from SAST false positive detection and aims to reduce security team triage time for non-actionable findings.

gitlab · GitLab Releases · 3 Apr · NEW

LiteLLM AI Gateway Supply Chain Incident

LiteLLM experienced a supply chain attack on March 24, 2026, where compromised PyPI packages (v1.82.7 and v1.82.8) contained credential stealing malware. The incident lasted 40 minutes before quarantine. Organizations using GitHub Actions or GitLab CI during the window may have been affected. Community scripts are available to scan for exposure.

gitlab · LiteLLM Security Update · 25 Mar
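An exposure check for the LiteLLM item above, added here as an example; it is not one of the community scripts the item mentions and not LiteLLM's own code. It reads requirements.txt or pip-freeze style lines and flags exact pins to the two versions named above, plus unpinned or ranged entries that a fresh CI install during the window could have resolved to one of them. Assumptions: only final-release PEP 440 specifiers are parsed, and the sample file and the `litellm-example-plugin` name are constructed.

```python
import re

COMPROMISED = ("1.82.7", "1.82.8")  # the two releases named in the item above
LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
CLAUSE = re.compile(r"^(===|==|~=|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)(\.\*)?$")

def vkey(v):
    return tuple(int(p) for p in v.split("."))

def clause_allows(op, ver, wildcard, cand):
    """Does one specifier clause (final releases only) admit version cand?"""
    c, v = vkey(cand), vkey(ver)
    if wildcard or op == "~=":
        prefix = v if wildcard else v[:-1]
        in_series = c[:len(prefix)] == prefix
        if op == "~=":
            return in_series and c >= v
        return in_series if op in ("==", "===") else not in_series
    return {"==": c == v, "===": c == v, "!=": c != v, ">=": c >= v,
            "<=": c <= v, ">": c > v, "<": c < v}[op]

def classify(line):
    """Return (finding, version) for one requirements/pip-freeze line, else None."""
    req = re.split(r"[#;]|\s--hash", line, maxsplit=1)[0].strip(" \t\\")
    m = LINE.match(req)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "litellm":
        return None
    clauses = [CLAUSE.match(c.strip()) for c in m.group(2).split(",") if c.strip()]
    if not all(clauses):
        return ("review", None)  # URL/VCS install or unparsed specifier
    for bad in COMPROMISED:
        if all(clause_allows(*c.groups(), bad) for c in clauses):
            exact = (len(clauses) == 1 and clauses[0].group(1) in ("==", "===")
                     and not clauses[0].group(3))
            return ("pinned" if exact else "range-allows", bad)
    return None

def scan(text):
    """Return [(line_no, finding, version)] for every flagged line."""
    return [(n, *r) for n, line in enumerate(text.splitlines(), 1)
            if (r := classify(line))]

# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
requests==2.32.3
litellm[proxy]==1.82.8   # pinned to a compromised release
litellm-example-plugin==1.82.7  # hypothetical name, a different package
litellm>=1.80
"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `range-allows` finding only means the specifier did not exclude a compromised release; confirm against the CI install logs or lock file what was actually installed during the window.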

Atlassian Security Bulletin: 21 High-Severity Vulnerabilities

Atlassian's March 17, 2026 security bulletin disclosed 21 high-severity vulnerabilities affecting Jira, Confluence, Bitbucket, and other products. The vulnerabilities were discovered through bug bounty programs and third-party scanning. Organizations should patch to latest versions to address these lower-impact security issues.

jira · Atlassian Security Bulletin · 17 Mar