Weeknotes 2026.14
Posted on Mon 06 April 2026 in Blog
In Austria, it was a quiet week because of the Easter holiday. And the Easter holiday is the reason why I published on a Monday.
What a wild week. On the security front, there was a lot of big news and breaches. Some called it the dawn of a new era of incidents. Let's see what the next weeks will bring.
Story of the week
This week's "Story of the week" is not a single story. It is a combination of the evolving security nightmares.
Axios
The popular Node Package Manager (NPM) package Axios got compromised. According to the post mortem, the axios maintainer was the victim of a social engineering attack. Through that attack, the attackers were able to steal the credentials of the maintainer and to compromise the axios package. The Google Threat Intelligence Group links the attack to a North Korean threat actor.
- axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
- Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise
- Post Mortem: axios npm supply chain compromise
- North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
European Commission
The European Commission got breached and approximately 340GB of data has been stolen. TeamPCP gained access to the tenant of the European Commission through the compromise of Trivy.
- European Commission cloud breach: a supply-chain compromise
- CERT-EU: European Commission hack exposes data of 30 EU entities
- The EU is suffering a hacking crisis. Here’s what we know.
- EU cyber agency attributes major data breach to TeamPCP hacking group
Claude
Anthropic unintentionally open-sourced Claude Code. Due to a misconfiguration, it was possible to access the source code.
Claude Code unintentionally open source: Source map reveals all
Trivy
Besides the breach of the European Commission, the Trivy breach was also the reason for other breaches. Cisco lost parts of their source code.
- Cisco source code stolen in Trivy-linked dev environment breach
- Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild
Postgres and the world of data
Meetup in Vienna
Cornelia Biacsics has written a great article about her experience organizing her first PostgreSQL meetup.
My First Self-Organized PostgreSQL Meetup in Vienna
Postgres development
This week multiple companies shared their contributions to the Postgres ecosystem.
Tiger Data has released pg_textsearch and has written about their path to the release: pg_textsearch 1.0: How We Built a BM25 Search Engine on Postgres Pages.
The extension is available under the PostgreSQL License.
And the Google Cloud team shared their contributions to Postgres: Google Cloud: Investing in the future of PostgreSQL.
An AWS engineer found issues with the upcoming Linux kernel. It seems like there might be a throughput and latency regression for PostgreSQL: AWS Engineer Reports PostgreSQL Performance Halved By Linux 7.0, But A Fix May Not Be Easy
It seems like it is important for all the big companies to show their support for Postgres.
pg_service
Lætitia Avrot has written about one of my favourite things in Postgres: pg_service.conf: the spell your team forgot to learn. It is such a powerful tool. That is the reason I mentioned it already a long time ago: Connection Service File und pgpass.
Postgres Release Monitor
- pg_ivm 1.14 released
- pgAdmin 4 v9.14 Released
- CloudNativePG 1.29.0 Released!
- PostgreSQL CDC, Evolved: Read-Only Mode, IAM Auth & Partition Support Now in Estuary
- pg_textsearch v1.0
- tree-sitter-postgres, libpgfmt, pgfmt, and libpgdump
- pg_ash v1 - Active Session History for PostgreSQL
- pg_clickhouse 0.1.6
Security and Privacy
Proton Meet
Proton announced this week a couple of new products: Meet and Workspace. As usual, Proton claims it is secure and encrypted by design. And that you can use it without being under the jurisdiction of the Cloud Act.
Sam Bent claims it is not that easy and wrote the article Proton Meet Isn't What They Told You It Was.
- Introducing Proton Meet: Confidential video calls for work and life
- Introducing Proton Workspace: An encrypted suite for team collaboration
- The Proton Meet Security Model: Private by design
Container
Emir Beganović has written a nice article about the state of the MicroVM ecosystem and why containers are not a security boundary.
Your Container Is Not a Sandbox
Bug discovery
Michael Lynch shared a blog post about how Claude Code found a vulnerability in the Linux kernel.
Claude Code Found a Linux Vulnerability Hidden for 23 Years
Data breach ticker
- Crypto platform Drift suspends services after millions stolen in security incident
- Nissan says stolen data came from third-party vendor after hacking group claims breach
- Hasbro takes some systems offline after cybersecurity incident
- Water treatment plant in North Dakota suffered ransomware attack
- Mercor confirms security incident tied to LiteLLM supply chain attack
AI
Gemma 4
Google has released Gemma 4, their new open-weight model family. Gemma 4 is released under an Apache 2.0 licence.
Google launches Gemma 4: four open-weight models from smartphones to workstations
Fresh money for Mistral
Mistral has raised $830M in debt to power its first data center.
Mistral secures first debt raise of $830M to power its first data centre
Is Anthropic the new investors' darling?
According to the LA Times article, Anthropic is valued at around $600 billion.
Anthropic’s focus on profitable enterprise clients contrasts with OpenAI’s high infrastructure spending, making the former a more attractive bet for investors.
OpenAI’s shocking fall from grace as investors race to Anthropic
Around the world
Artemis II
Artemis II was launched successfully this week. NASA regularly publishes the latest updates: Artemis II.
Rant of the week
Axel Rietschin wrote about his experience as a Microsoft employee. In his mind the Azure cloud is full of problems, and it is a monster no one actually wants to touch. Changes in the code base are not easy.
How Microsoft Vaporized a Trillion Dollars
Joint forces
This week UpCloud and bunny.net announced a partnership. They will combine the bunny.net CDN and UpCloud’s cloud infrastructure to provide a seamless experience for customers.
Sovereign cloud and edge: bunny.net and UpCloud partner to power your global growth