-
Checkmarx KICS got compromised — the irony writes itself
A security scanner you pull into your CI pipeline to find vulnerabilities got turned into the vulnerability. On April 22, 2026 at 12:31 UTC, someone with valid Checkmarx publisher credentials pushed malicious images to the official checkmarx/kics Docker Hub repo. Tags affected: latest, v2.1.20-debian, v2.1.21-debian, alpine, debian (Checkmarx’s own writeup stresses that “known safe versions” were not overwritten — the malicious v2.1.21-debian tag is a fresh one that doesn’t correspond to a real release). If your pipeline ran docker pull checkmarx/kics:latest during that window, you shipped a credential stealer into your own runner.

And KICS wasn’t alone. The Checkmarx security update on April 22 confirms the blast radius spanned three separate artifact types: the KICS Docker image, the ast-github-action GitHub Action (malicious tag 2.3.35, fixed in 2.3.36), and two VS Code extensions — ast-results (versions 2.63 and 2.66) and cx-dev-assist (versions 1.17 and 1.19), both patched in 2.67.0+. The IDE extensions are the scary part: they auto-update in the background on your laptop, not just in CI.
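A quick triage check for the references named above, as an added example (not Checkmarx's tooling and not code from the post): it walks CI text for the affected checkmarx/kics tags, the 2.3.35 action tag and the two extension versions, treats an untagged image as :latest, and separates "malicious" (on the advisory's list) from "unpinned" (a tag or branch that whoever holds publisher credentials can re-point later) and "pinned" (an image digest or full commit SHA). The affected lists are taken from the excerpt; the regexes, verdict names, sample workflow and placeholder digest and commit values are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Affected identifiers exactly as listed in the excerpt above. Everything else
# here (regexes, verdict names, sample workflow, placeholder hashes) is an
# assumption of this example, not something the advisory provides.
BAD_KICS_TAGS = {"latest", "v2.1.20-debian", "v2.1.21-debian", "alpine", "debian"}
BAD_ACTION_TAGS = {"2.3.35"}
BAD_EXTENSION_VERSIONS = {
    "ast-results": {"2.63", "2.66"},
    "cx-dev-assist": {"1.17", "1.19"},
}

# Docker image reference to checkmarx/kics with optional :tag and @sha256 digest.
KICS_IMAGE_RE = re.compile(
    r"checkmarx/kics(?::([A-Za-z0-9_.\-]+))?(?:@sha256:([0-9a-f]{64}))?"
)
# GitHub Actions `uses:` line pointing at the Checkmarx action.
ACTION_RE = re.compile(r"uses:\s*['\"]?checkmarx/ast-github-action@([A-Za-z0-9_.\-/]+)")
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    artifact: str  # "kics-image" or "github-action"
    ref: str       # tag, digest or commit that was referenced
    verdict: str   # "malicious", "unpinned" or "pinned"


def classify_kics_image(tag: Optional[str], digest: Optional[str]) -> str:
    """A digest pin is immutable, so it is safe whatever tag sits beside it.
    No tag at all means Docker pulls :latest, which is on the affected list."""
    if digest:
        return "pinned"
    effective = tag or "latest"
    if effective in BAD_KICS_TAGS:
        return "malicious"
    return "unpinned"  # any other tag can still be re-pointed by the publisher


def classify_action_ref(ref: str) -> str:
    """Only a full commit SHA is immutable; tags and branches can be moved."""
    if ref in BAD_ACTION_TAGS:
        return "malicious"
    if GIT_SHA_RE.match(ref):
        return "pinned"
    return "unpinned"


def classify_extension(name: str, version: str) -> str:
    """Compare an installed VS Code extension against the advisory's version lists."""
    bad = BAD_EXTENSION_VERSIONS.get(name)
    if bad is None:
        return "unknown"  # not one of the two extensions the advisory names
    return "malicious" if version in bad else "ok"


def scan_pipeline(text: str) -> List[Finding]:
    """Classify every checkmarx/kics image and ast-github-action reference in
    CI text (Dockerfiles, compose files, GitHub workflow YAML)."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in KICS_IMAGE_RE.finditer(line):
            tag, digest = m.group(1), m.group(2)
            ref = f"sha256:{digest}" if digest else (tag or "latest")
            findings.append(Finding(n, "kics-image", ref, classify_kics_image(tag, digest)))
        m = ACTION_RE.search(line)
        if m:
            findings.append(Finding(n, "github-action", m.group(1), classify_action_ref(m.group(1))))
    return findings


# Constructed sample workflow: two affected refs, an untagged pull, a digest pin
# and a SHA-pinned action. The digest and commit values are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: checkmarx/ast-github-action@2.3.35
      - run: docker pull checkmarx/kics:latest
      - run: docker run --rm checkmarx/kics:v2.1.21-debian scan -p .
      - run: docker run --rm checkmarx/kics scan -p .
      - run: docker run --rm checkmarx/kics@sha256:{zeros} scan -p .
      - uses: checkmarx/ast-github-action@{sha}
""".format(zeros="0" * 64, sha="a" * 40)


if __name__ == "__main__":
    for f in scan_pipeline(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.artifact} {f.ref} -> {f.verdict}")
```

The point of the three-way verdict is remediation order: a "malicious" hit means the runner or laptop that used it needs credential rotation, while "unpinned" is the class that lets this happen again. The advisory's own detail that v2.1.21-debian was a fresh tag rather than an overwritten one shows why a tag allow-list is not enough; only a digest or commit pin rules out a silently swapped artifact.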
-
terraformer is archived — what now
Terraformer — the tool that reverse-engineered your existing cloud infrastructure into Terraform HCL — was archived in March 2026. Read-only, no new releases, no maintainer. If you’ve been using it for bulk imports of existing AWS or GCP accounts, you need a plan.
-
OpenShift is Kubernetes, except when it isn't — notes after touching it again
“OpenShift is just Kubernetes with a web console, right?” — that was the question. The short answer is yes, and that is exactly the trap. The API is Kubernetes. kubectl works. Your manifests mostly apply. And then you hit four or five things that behave nothing like plain Kubernetes and cost you a day each until you learn the shape of them.

I’ve spent most of the last decade on vanilla Kubernetes — EKS, GKE, and a pile of self-managed things before that — with a few OpenShift touchpoints in older lives and one recent one. This post is a write-up of the quirks that have bitten me or people around me, including the big one: you cannot customize OpenShift’s platform Prometheus. Not “it’s hard”, not “you need to know the right flag” — the operator actively undoes your edits. That alone is worth writing down.
-
kubernetes networking - how it actually works
Kubernetes networking has a reputation for being black magic. And honestly? When it first clicked for me I realized it’s not magic at all — it’s just a lot of clever layering. Let me walk you through it from the ground up.
-
tamtam — apps that write themselves, and the part of me that's fine with that
I have twenty projects in my workspace. At any given moment, roughly a third of them have uncommitted changes I’ve forgotten about, two are red on CI because of something trivial, one has a scheduled daily review I keep meaning to run, and at least one wants a dependency bump that would take Claude forty seconds to do. The problem isn’t Claude Code — Claude Code is great. The problem is that I have to cd into each repo, check the state, decide what to do, and then type the prompt. Doing that across twenty projects is a loop I was losing every single day. So I built tamtam — a web dashboard that sits in front of Claude CLI and drives it for me across the whole workspace.

Six days in, tamtam has been reviewing and improving itself on a 24-hour cron. It edits its own code, opens its own commits, updates its own prompts when they don’t work, and pings me when something needs a human look. My role has quietly narrowed to two things: handing over tokens and pointing a direction. Some will call this amazing. Some will call it app slop. Honestly, both are correct. This post is about what that feels like in practice, and the dashboard I built so I can live inside it without losing the thread.
-
Opus 4.6 vs 4.7: I ran my own benchmark through the Claude CLI
Opus 4.7 dropped yesterday. I don’t have a real opinion yet — a day isn’t enough — but I did have a few hours and some curiosity, so I wrote a tiny benchmark and ran both models through it. Instead of citing Anthropic’s launch numbers, I wanted to see what I’d get on my own laptop.
-
seo-tools — how I keep analytics and SEO across multiple sites from becoming a second job
Running more than one site creates a specific kind of friction that sneaks up on you. You deploy something, fix a meta tag, add a page — and then a week later you’re opening four GA4 tabs, clicking through Search Console for three different properties, and manually checking whether robots.txt still exists after that last deploy. None of it is hard. All of it adds up. I built seo-tools to collapse that down to one place, and I’ve been running it daily ever since.
-
Claude Mythos: the AI that hacked every OS and emailed a researcher about it
Anthropic has a new model. You can’t have it. Neither can I. And after reading what it did during testing, I’m not sure that’s a bad call.
-
Gemma 4: testing the hype locally
Google dropped Gemma 4 on April 2nd to a lot of noise. I loaded it in LM Studio and ran it against two other 4B-class edge models to see if the hype holds up. One thing upfront: this is not a test of Google’s headline benchmarks — those are for the 31B dense model. Everything here is the E4B edge variant, which is what fits on consumer hardware.
-
Agentic workflows for DevOps: what actually works and what will burn you
Everyone is talking about AI agents doing infrastructure work. Most of the discourse is either pure hype (“agents will replace DevOps engineers!”) or pure fear (“never let AI touch production!”). After six months of actually building agentic workflows — using Claude Code as my daily driver, wiring up automated issue resolution, building MCP tools to give agents access to real systems — I have a more boring and more useful take: agents are great at reading and terrible at writing. The boundary between those two is where you put your guardrails.